<?xml version="1.0"?>
<interfaceDefinition>
  <node name="interfaces">
    <children>
      <tagNode name="openvpn" owner="${vyos_conf_scripts_dir}/interfaces-openvpn.py">
        <properties>
          <help>OpenVPN Tunnel Interface</help>
          <priority>460</priority>
          <constraint>
            <regex>vtun[0-9]+$</regex>
          </constraint>
          <constraintErrorMessage>OpenVPN tunnel interface must be named vtunN</constraintErrorMessage>
          <valueHelp>
            <format>vtunN</format>
            <description>OpenVPN interface name</description>
          </valueHelp>
        </properties>
        <children>
          <node name="authentication">
            <properties>
              <help>Authentication options</help>
            </properties>
            <children>
              <leafNode name="password">
                <properties>
                  <help>OpenVPN password used for authentication</help>
                </properties>
              </leafNode>
              <leafNode name="username">
                <properties>
                  <help>OpenVPN username used for authentication</help>
                </properties>
              </leafNode>
            </children>
          </node>
          #include <include/interface-description.xml.i>
          <leafNode name="device-type">
            <properties>
              <help>OpenVPN interface device-type</help>
              <completionHelp>
                <list>tun tap</list>
              </completionHelp>
              <valueHelp>
                <format>tun</format>
                <description>TUN device, required for OSI layer 3</description>
              </valueHelp>
              <valueHelp>
                <format>tap</format>
                <description>TAP device, required for OSI layer 2</description>
              </valueHelp>
              <constraint>
                <regex>(tun|tap)</regex>
              </constraint>
            </properties>
          </leafNode>
          #include <include/interface-disable.xml.i>
          <node name="encryption">
            <properties>
              <help>Data Encryption settings</help>
            </properties>
            <children>
              <leafNode name="cipher">
                <properties>
                  <help>Standard Data Encryption Algorithm</help>
                  <completionHelp>
                    <list>des 3des bf128 bf256 aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm</list>
                  </completionHelp>
                  <valueHelp>
                    <format>des</format>
                    <description>DES algorithm</description>
                  </valueHelp>
                  <valueHelp>
                    <format>3des</format>
                    <description>DES algorithm with triple encryption</description>
                  </valueHelp>
                  <valueHelp>
                    <format>bf128</format>
                    <description>Blowfish algorithm with 128-bit key</description>
                  </valueHelp>
                  <valueHelp>
                    <format>bf256</format>
                    <description>Blowfish algorithm with 256-bit key</description>
                  </valueHelp>
                  <valueHelp>
                    <format>aes128</format>
                    <description>AES algorithm with 128-bit key CBC</description>
                  </valueHelp>
                  <valueHelp>
                    <format>aes128gcm</format>
                    <description>AES algorithm with 128-bit key GCM</description>
                  </valueHelp>
                  <valueHelp>
                    <format>aes192</format>
                    <description>AES algorithm with 192-bit key CBC</description>
                  </valueHelp>
                  <valueHelp>
                    <format>aes192gcm</format>
                    <description>AES algorithm with 192-bit key GCM</description>
                  </valueHelp>
                  <valueHelp>
                    <format>aes256</format>
                    <description>AES algorithm with 256-bit key CBC</description>
                  </valueHelp>
                  <valueHelp>
                    <format>aes256gcm</format>
                    <description>AES algorithm with 256-bit key GCM</description>
                  </valueHelp>
                  <constraint>
                    <regex>(des|3des|bf128|bf256|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)</regex>
                  </constraint>
                </properties>
              </leafNode>
              <leafNode name="ncp-ciphers">
                <properties>
                  <help>Cipher negotiation list for use in server or client mode</help>
                  <completionHelp>
                    <list>des 3des aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm</list>
                  </completionHelp>
                  <valueHelp>
                    <format>des</format>
                    <description>DES algorithm</description>
                  </valueHelp>
                  <valueHelp>
                    <format>3des</format>
                    <description>DES algorithm with triple encryption</description>
                  </valueHelp>
                  <valueHelp>
                    <format>aes128</format>
                    <description>AES algorithm with 128-bit key CBC</description>
                  </valueHelp>
                  <valueHelp>
                    <format>aes128gcm</format>
                    <description>AES algorithm with 128-bit key GCM</description>
                  </valueHelp>
                  <valueHelp>
                    <format>aes192</format>
                    <description>AES algorithm with 192-bit key CBC</description>
                  </valueHelp>
                  <valueHelp>
                    <format>aes192gcm</format>
                    <description>AES algorithm with 192-bit key GCM</description>
                  </valueHelp>
                  <valueHelp>
                    <format>aes256</format>
                    <description>AES algorithm with 256-bit key CBC</description>
                  </valueHelp>
                  <valueHelp>
                    <format>aes256gcm</format>
                    <description>AES algorithm with 256-bit key GCM</description>
                  </valueHelp>
                  <constraint>
                    <regex>(des|3des|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)</regex>
                  </constraint>
                  <multi/>
                </properties>
              </leafNode>
              <leafNode name="disable-ncp">
                <properties>
                  <help>Disable support for ncp-ciphers</help>
                  <valueless/>
                </properties>
              </leafNode>
            </children>
          </node>
          <leafNode name="hash">
            <properties>
              <help>Hashing Algorithm</help>
              <completionHelp>
                <list>md5 sha1 sha256 sha384 sha512</list>
              </completionHelp>
              <valueHelp>
                <format>md5</format>
                <description>MD5 algorithm</description>
              </valueHelp>
              <valueHelp>
                <format>sha1</format>
                <description>SHA-1 algorithm</description>
              </valueHelp>
              <valueHelp>
                <format>sha256</format>
                <description>SHA-256 algorithm</description>
              </valueHelp>
              <valueHelp>
                <format>sha384</format>
                <description>SHA-384 algorithm</description>
              </valueHelp>
              <valueHelp>
                <format>sha512</format>
                <description>SHA-512 algorithm</description>
              </valueHelp>
              <constraint>
                <regex>(md5|sha1|sha256|sha384|sha512)</regex>
              </constraint>
            </properties>
          </leafNode>
          <node name="keep-alive">
            <properties>
              <help>Keepalive helper options</help>
            </properties>
            <children>
              <leafNode name="failure-count">
                <properties>
                  <help>Maximum number of keepalive packet failures [default 6]</help>
                  <valueHelp>
                    <format>0-1000</format>
                    <description>Maximum number of keepalive packet failures</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 0-1000"/>
                  </constraint>
                </properties>
              </leafNode>
              <leafNode name="interval">
                <properties>
                  <help>Keepalive packet interval (seconds) [default 10]</help>
                  <valueHelp>
                    <format>0-600</format>
                    <description>Keepalive packet interval (seconds)</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 0-600"/>
                  </constraint>
                </properties>
              </leafNode>
            </children>
          </node>
          <tagNode name="local-address">
            <properties>
              <help>Local IP address of tunnel</help>
              <constraint>
                <validator name="ipv4-address"/>
              </constraint>
            </properties>
            <children>
              <leafNode name="subnet-mask">
                <properties>
                  <help>Subnet-mask for local IP address of tunnel</help>
                  <constraint>
                    <validator name="ipv4-address"/>
                  </constraint>
                </properties>
              </leafNode>
            </children>
          </tagNode>
          <leafNode name="local-host">
            <properties>
              <help>Local IP address to accept connections (all if not set)</help>
              <valueHelp>
                <format>ipv4</format>
                <description>Local IPv4 address</description>
              </valueHelp>
              <constraint>
                <validator name="ipv4-address"/>
              </constraint>
            </properties>
          </leafNode>
          <leafNode name="local-port">
            <properties>
              <help>Local port number to accept connections</help>
              <valueHelp>
                <format>1-65535</format>
                <description>Numeric IP port</description>
              </valueHelp>
              <constraint>
                <validator name="numeric" argument="--range 1-65535"/>
              </constraint>
            </properties>
          </leafNode>
          <leafNode name="mode">
            <properties>
              <help>OpenVPN mode of operation</help>
              <completionHelp>
                <list>site-to-site client server</list>
              </completionHelp>
              <valueHelp>
                <format>site-to-site</format>
                <description>Site-to-site mode</description>
              </valueHelp>
              <valueHelp>
                <format>client</format>
                <description>Client in client-server mode</description>
              </valueHelp>
              <valueHelp>
                <format>server</format>
                <description>Server in client-server mode</description>
              </valueHelp>
              <constraint>
                <regex>(site-to-site|client|server)</regex>
              </constraint>
            </properties>
          </leafNode>
          <leafNode name="openvpn-option">
            <properties>
              <help>Additional OpenVPN options. You must
                use the syntax of openvpn.conf in this text-field. Using this
                without proper knowledge may result in a crashed OpenVPN server.
                Check system log to look for errors.</help>
              <multi/>
            </properties>
          </leafNode>
          <leafNode name="persistent-tunnel">
            <properties>
              <help>Do not close and reopen interface (TUN/TAP device) on client restarts</help>
              <valueless/>
            </properties>
          </leafNode>
          <leafNode name="protocol">
            <properties>
              <help>OpenVPN communication protocol</help>
              <completionHelp>
                <list>udp tcp-passive tcp-active</list>
              </completionHelp>
              <valueHelp>
                <format>udp</format>
                <description>Site-to-site mode</description>
              </valueHelp>
              <valueHelp>
                <format>tcp-passive</format>
                <description>TCP and accepts connections passively</description>
              </valueHelp>
              <valueHelp>
                <format>tcp-active</format>
                <description>TCP and initiates connections actively</description>
              </valueHelp>
              <constraint>
                <regex>(udp|tcp-passive|tcp-active)</regex>
              </constraint>
            </properties>
          </leafNode>
          <leafNode name="remote-address">
            <properties>
              <help>IP address of remote end of tunnel</help>
              <valueHelp>
                <format>ipv4</format>
                <description>Remote end IPv4 address</description>
              </valueHelp>
              <constraint>
                <validator name="ipv4-address"/>
              </constraint>
            </properties>
          </leafNode>
          <leafNode name="remote-host">
            <properties>
              <help>Remote host to connect to (dynamic if not set)</help>
              <valueHelp>
                <format>ipv4</format>
                <description>IP address of remote host</description>
              </valueHelp>
              <valueHelp>
                <format>txt</format>
                <description>Hostname of remote host</description>
              </valueHelp>
              <multi/>
            </properties>
          </leafNode>
          <leafNode name="remote-port">
            <properties>
              <help>Remote port number to connect to</help>
              <valueHelp>
                <format>1-65535</format>
                <description>Numeric IP port</description>
              </valueHelp>
              <constraint>
                <validator name="numeric" argument="--range 1-65535"/>
              </constraint>
            </properties>
          </leafNode>
          <node name="replace-default-route">
            <properties>
              <help>OpenVPN tunnel to be used as the default route</help>
            </properties>
            <children>
              <leafNode name="local">
                <properties>
                  <help>Tunnel endpoints are on the same subnet</help>
                </properties>
              </leafNode>
            </children>
          </node>
          <node name="server">
            <properties>
              <help>Server-mode options</help>
            </properties>
            <children>
              <tagNode name="client">
                <properties>
                  <help>Client-specific settings</help>
                  <valueHelp>
                    <format>name</format>
                    <description>Client common-name in the certificate</description>
                  </valueHelp>
                </properties>
                <children>
                  <leafNode name="disable">
                    <properties>
                      <help>Option to disable client connection</help>
                      <valueless/>
                    </properties>
                  </leafNode>
                  <leafNode name="ip">
                    <properties>
                      <help>IP address of the client</help>
                      <valueHelp>
                        <format>ipv4</format>
                        <description>Client IPv4 address</description>
                      </valueHelp>
                      <constraint>
                        <validator name="ipv4-address"/>
                      </constraint>
                    </properties>
                  </leafNode>
                  <leafNode name="push-route">
                    <properties>
                      <help>Route to be pushed to the client</help>
                      <valueHelp>
                        <format>ipv4net</format>
                        <description>IPv4 network and prefix length</description>
                      </valueHelp>
                      <constraint>
                        <validator name="ipv4-prefix"/>
                      </constraint>
                      <multi/>
                    </properties>
                  </leafNode>
                  <leafNode name="subnet">
                    <properties>
                      <help>Subnet belonging to the client</help>
                      <valueHelp>
                        <format>ipv4net</format>
                        <description>IPv4 network and prefix length belonging to the client</description>
                      </valueHelp>
                      <constraint>
                        <validator name="ipv4-prefix"/>
                      </constraint>
                      <multi/>
                    </properties>
                  </leafNode>
                </children>
              </tagNode>
              <leafNode name="domain-name">
                <properties>
                  <help>DNS suffix to be pushed to all clients</help>
                  <valueHelp>
                    <format>txt</format>
                    <description>Domain Name Server suffix</description>
                  </valueHelp>
                </properties>
              </leafNode>
              <leafNode name="max-connections">
                <properties>
                  <help>Number of maximum client connections</help>
                  <valueHelp>
                    <format>1-4096</format>
                    <description>Number of concurrent clients</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 1-4096"/>
                  </constraint>
                </properties>
              </leafNode>
              <leafNode name="name-server">
                <properties>
                  <help>Domain Name Server (DNS)</help>
                  <valueHelp>
                    <format>ipv4</format>
                    <description>DNS server IPv4 address</description>
                  </valueHelp>
                  <constraint>
                    <validator name="ipv4-address"/>
                  </constraint>
                  <multi/>
                </properties>
              </leafNode>
              <leafNode name="push-route">
                <properties>
                  <help>Route to be pushed to all clients</help>
                  <valueHelp>
                    <format>ipv4net</format>
                    <description>IPv4 network and prefix length</description>
                  </valueHelp>
                  <constraint>
                    <validator name="ipv4-prefix"/>
                  </constraint>
                  <multi/>
                </properties>
              </leafNode>
              <leafNode name="reject-unconfigured-clients">
                <properties>
                  <help>Reject connections from clients that are not explicitly configured</help>
                </properties>
              </leafNode>
              <leafNode name="subnet">
                <properties>
                  <help>Server-mode subnet (from which client IPs are allocated)</help>
                  <valueHelp>
                    <format>ipv4net</format>
                    <description>IPv4 address and prefix length</description>
                  </valueHelp>
                  <constraint>
                    <validator name="ipv4-prefix"/>
                  </constraint>
                </properties>
              </leafNode>
              <leafNode name="topology">
                <properties>
                  <help>Topology for clients</help>
                  <completionHelp>
                    <list>point-to-point subnet</list>
                  </completionHelp>
                  <valueHelp>
                    <format>point-to-point</format>
                    <description>Point-to-point topology</description>
                  </valueHelp>
                  <valueHelp>
                    <format>subnet</format>
                    <description>Subnet topology</description>
                  </valueHelp>
                  <constraint>
                    <regex>(subnet|point-to-point)</regex>
                  </constraint>
                </properties>
              </leafNode>
            </children>
          </node>
          <leafNode name="shared-secret-key-file">
            <properties>
              <help>File containing the secret key shared with remote end of tunnel</help>
              <valueHelp>
                <format>file</format>
                <description>File in /config/auth directory</description>
              </valueHelp>
              <constraint>
                <validator name="file-exists" argument="--directory /config/auth"/>
              </constraint>
            </properties>
          </leafNode>
          <node name="tls">
            <properties>
              <help>Transport Layer Security (TLS) options</help>
            </properties>
            <children>
              <leafNode name="auth-file">
                <properties>
                  <help>File containing tls static key for tls-auth</help>
                  <valueHelp>
                    <format>file</format>
                    <description>File in /config/auth directory</description>
                  </valueHelp>
                  <constraint>
                    <validator name="file-exists" argument="--directory /config/auth"/>
                  </constraint>
                </properties>
              </leafNode>
              <leafNode name="ca-cert-file">
                <properties>
                  <help>File containing certificate for Certificate Authority (CA)</help>
                  <valueHelp>
                    <format>file</format>
                    <description>File in /config/auth directory</description>
                  </valueHelp>
                  <constraint>
                    <validator name="file-exists" argument="--directory /config/auth"/>
                  </constraint>
                </properties>
              </leafNode>
              <leafNode name="cert-file">
                <properties>
                  <help>File containing certificate for this host</help>
                  <valueHelp>
                    <format>file</format>
                    <description>File in /config/auth directory</description>
                  </valueHelp>
                  <constraint>
                    <validator name="file-exists" argument="--directory /config/auth"/>
                  </constraint>
                </properties>
              </leafNode>
              <leafNode name="crl-file">
                <properties>
                  <help>File containing certificate revocation list (CRL) for this host</help>
                  <valueHelp>
                    <format>file</format>
                    <description>File in /config/auth directory</description>
                  </valueHelp>
                  <constraint>
                    <validator name="file-exists" argument="--directory /config/auth"/>
                  </constraint>
                </properties>
              </leafNode>
              <leafNode name="dh-file">
                <properties>
                  <help>File containing Diffie Hellman parameters (server only)</help>
                  <valueHelp>
                    <format>file</format>
                    <description>File in /config/auth directory</description>
                  </valueHelp>
                  <constraint>
                    <validator name="file-exists" argument="--directory /config/auth"/>
                  </constraint>
                </properties>
              </leafNode>
              <leafNode name="key-file">
                <properties>
                  <help>Private key for this host</help>
                  <valueHelp>
                    <format>file</format>
                    <description>File in /config/auth directory</description>
                  </valueHelp>
                  <constraint>
                    <validator name="file-exists" argument="--directory /config/auth"/>
                  </constraint>
                </properties>
              </leafNode>
              <leafNode name="tls-version-min">
                <properties>
                  <help>Specify the minimum required TLS version</help>
                  <completionHelp>
                    <list>1.0 1.1 1.2</list>
                  </completionHelp>
                  <valueHelp>
                    <format>1.0</format>
                    <description>TLS v1.0</description>
                  </valueHelp>
                  <valueHelp>
                    <format>1.1</format>
                    <description>TLS v1.1</description>
                  </valueHelp>
                  <valueHelp>
                    <format>1.2</format>
                    <description>TLS v1.2</description>
                  </valueHelp>
                  <constraint>
                    <regex>(1.0|1.1|1.2)</regex>
                  </constraint>
                </properties>
              </leafNode>
              <leafNode name="role">
                <properties>
                  <help>Private key for this host</help>
                  <completionHelp>
                    <list>active passive</list>
                  </completionHelp>
                  <valueHelp>
                    <format>active</format>
                    <description>Initiate TLS negotiation actively</description>
                  </valueHelp>
                  <valueHelp>
                    <format>passive</format>
                    <description>Waiting for TLS connections passively</description>
                  </valueHelp>
                  <constraint>
                    <regex>(active|passive)</regex>
                  </constraint>
                </properties>
              </leafNode>
            </children>
          </node>
          <leafNode name="use-lzo-compression">
            <properties>
              <help>Use fast LZO compression on this TUN/TAP interface</help>
              <valueless/>
            </properties>
          </leafNode>
        </children>
      </tagNode>
    </children>
  </node>
</interfaceDefinition>