<?xml version="1.0"?>
<interfaceDefinition>
  <node name="vpn">
    <children>
      <node name="openconnect" owner="${vyos_conf_scripts_dir}/vpn_openconnect.py">
        <properties>
          <help>SSL VPN OpenConnect, AnyConnect compatible server</help>
          <priority>901</priority>
        </properties>
        <children>
          <node name="accounting">
            <properties>
              <help>Accounting for users OpenConnect VPN Sessions</help>
            </properties>
            <children>
              <node name="mode">
                <properties>
                  <help>Accounting mode used by this server</help>
                </properties>
                <children>
                  <leafNode name="radius">
                    <properties>
                      <help>Use RADIUS server for accounting</help>
                      <valueless/>
                    </properties>
                  </leafNode>
                </children>
              </node>
              #include <include/radius-acct-server-ipv4.xml.i>
            </children>
          </node>
          <node name="authentication">
            <properties>
              <help>Authentication for remote access SSL VPN Server</help>
            </properties>
            <children>
              <node name="mode">
                <properties>
                  <help>Authentication mode used by this server</help>
                </properties>
                <children>
                  <leafNode name="local">
                    <properties>
                      <help>Use local username/password configuration (OTP supported)</help>
                      <valueHelp>
                        <format>password</format>
                        <description>Password-only local authentication</description>
                      </valueHelp>
                      <valueHelp>
                        <format>otp</format>
                        <description>OTP-only local authentication</description>
                      </valueHelp>
                      <valueHelp>
                        <format>password-otp</format>
                        <description>Password (first) + OTP local authentication</description>
                      </valueHelp>
                      <constraint>
                        <regex>(password|otp|password-otp)</regex>
                      </constraint>
                      <constraintErrorMessage>Invalid authentication mode. Must be one of: password, otp or password-otp </constraintErrorMessage>
                      <completionHelp>
                        <list>otp password password-otp</list>
                      </completionHelp>
                    </properties>
                  </leafNode>
                  <leafNode name="radius">
                    <properties>
                      <help>Use RADIUS server for user autentication</help>
                      <valueless/>
                    </properties>
                  </leafNode>
                </children>
              </node>
              <node name="identity-based-config">
                <properties>
                  <help>Include configuration file by username or RADIUS group attribute</help>
                </properties>
                <children>
                  #include <include/generic-disable-node.xml.i>
                  <leafNode name="mode">
                    <properties>
                      <help>Select per user or per group configuration file - ignored if authentication group is configured</help>
                      <completionHelp>
                        <list>user group</list>
                      </completionHelp>
                      <valueHelp>
                        <format>user</format>
                        <description>Match configuration file on username</description>
                      </valueHelp>
                      <valueHelp>
                        <format>group</format>
                        <description>Match RADIUS response class attribute as file name</description>
                      </valueHelp>
                      <constraint>
                        <regex>(user|group)</regex>
                      </constraint>
                      <constraintErrorMessage>Invalid mode, must be either user or group</constraintErrorMessage>
                    </properties>
                  </leafNode>
                  <leafNode name="directory">
                    <properties>
                      <help>Directory to containing configuration files</help>
                      <valueHelp>
                        <format>path</format>
                        <description>Path to configuration directory, must be under /config/auth</description>
                      </valueHelp>
                      <constraint>
                        <validator name="file-path" argument="--directory --parent-dir /config/auth --strict"/>
                      </constraint>
                    </properties>
                  </leafNode>
                  <leafNode name="default-config">
                    <properties>
                      <help>Default configuration if discrete config could not be found</help>
                      <valueHelp>
                        <format>filename</format>
                        <description>Default configuration filename, must be under /config/auth</description>
                      </valueHelp>
                      <constraint>
                        <validator name="file-path" argument="--file --parent-dir /config/auth --strict"/>
                      </constraint>
                    </properties>
                  </leafNode>
                </children>
              </node>
              <leafNode name="group">
                <properties>
                  <help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help>
                  <valueHelp>
                    <format>txt</format>
                    <description>Group string. The group may be followed by a user-friendly name in brackets: group1[First Group]</description>
                  </valueHelp>
                  <multi/>
                </properties>
              </leafNode>
              #include <include/auth-local-users.xml.i>
              <node name="local-users">
                <children>
                  <tagNode name="username">
                    <children>
                        <node name="otp">
                          <properties>
                            <help>2FA OTP authentication parameters</help>
                          </properties>
                          <children>
                            <leafNode name="key">
                              <properties>
                                <help>Token Key Secret key for the token algorithm (see RFC 4226)</help>
                                <valueHelp>
                                  <format>txt</format>
                                  <description>OTP key in hex-encoded format</description>
                                </valueHelp>
                                <constraint>
                                  <regex>[a-fA-F0-9]{20,10000}</regex>
                                </constraint>
                                <constraintErrorMessage>Key name must only include hex characters and be at least 20 characters long</constraintErrorMessage>
                              </properties>
                            </leafNode>
                            <leafNode name="otp-length">
                              <properties>
                                <help>Number of digits in OTP code</help>
                                <valueHelp>
                                  <format>u32:6-8</format>
                                  <description>Number of digits in OTP code</description>
                                </valueHelp>
                                <constraint>
                                  <validator name="numeric" argument="--range 6-8"/>
                                </constraint>
                                <constraintErrorMessage>Number of digits in OTP code must be between 6 and 8</constraintErrorMessage>
                              </properties>
                              <defaultValue>6</defaultValue>
                            </leafNode>
                            <leafNode name="interval">
                              <properties>
                                <help>Time tokens interval in seconds</help>
                                <valueHelp>
                                  <format>u32:5-86400</format>
                                  <description>Time tokens interval in seconds.</description>
                                </valueHelp>
                                <constraint>
                                  <validator name="numeric" argument="--range 5-86400"/>
                                </constraint>
                                <constraintErrorMessage>Time token interval must be between 5 and 86400 seconds</constraintErrorMessage>
                              </properties>
                              <defaultValue>30</defaultValue>
                            </leafNode>
                            <leafNode name="token-type">
                              <properties>
                                <help>Token type</help>
                                <valueHelp>
                                  <format>hotp-time</format>
                                  <description>Time-based OTP algorithm</description>
                                </valueHelp>
                                <valueHelp>
                                  <format>hotp-event</format>
                                  <description>Event-based OTP algorithm</description>
                                </valueHelp>
                                <constraint>
                                  <regex>(hotp-time|hotp-event)</regex>
                                </constraint>
                                <completionHelp>
                                  <list>hotp-time hotp-event</list>
                                </completionHelp>
                              </properties>
                              <defaultValue>hotp-time</defaultValue>
                            </leafNode>
                          </children>
                        </node>
                    </children>
                  </tagNode>
                </children>
              </node>
              #include <include/radius-auth-server-ipv4.xml.i>
              <node name="radius">
                <children>
                  #include <include/radius-timeout.xml.i>
                  <leafNode name="groupconfig">
                    <properties>
                      <help>If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from RADIUS.</help>
                    </properties>
                  </leafNode>
                </children>
              </node>
            </children>
          </node>
          #include <include/listen-address-ipv4-single.xml.i>
          <leafNode name="listen-address">
            <defaultValue>0.0.0.0</defaultValue>
          </leafNode>
          <node name="listen-ports">
            <properties>
              <help>Specify custom ports to use for client connections</help>
            </properties>
            <children>
              <leafNode name="tcp">
                <properties>
                  <help>tcp port number to accept connections</help>
                  <valueHelp>
                    <format>u32:1-65535</format>
                    <description>Numeric IP port</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 1-65535"/>
                  </constraint>
                </properties>
                <defaultValue>443</defaultValue>
              </leafNode>
              <leafNode name="udp">
                <properties>
                  <help>udp port number to accept connections</help>
                  <valueHelp>
                    <format>u32:1-65535</format>
                    <description>Numeric IP port</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 1-65535"/>
                  </constraint>
                </properties>
                <defaultValue>443</defaultValue>
              </leafNode>
            </children>
          </node>
          <leafNode name="http-security-headers">
            <properties>
              <help>Enable HTTP security headers</help>
              <valueless/>
            </properties>
          </leafNode>
          #include <include/tls-version-min.xml.i>
          <leafNode name="tls-version-min">
            <defaultValue>1.2</defaultValue>
          </leafNode>
          <node name="ssl">
            <properties>
              <help>SSL Certificate, SSL Key and CA</help>
            </properties>
            <children>
              #include <include/pki/ca-certificate.xml.i>
              #include <include/pki/certificate-key.xml.i>
            </children>
          </node>
          <node name="network-settings">
            <properties>
              <help>Network settings</help>
            </properties>
            <children>
              <leafNode name="push-route">
                <properties>
                  <help>Route to be pushed to the client</help>
                  <valueHelp>
                    <format>ipv4net</format>
                    <description>IPv4 network and prefix length</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ipv6net</format>
                    <description>IPv6 network and prefix length</description>
                  </valueHelp>
                  <constraint>
                    <validator name="ip-prefix"/>
                  </constraint>
                  <multi/>
                </properties>
              </leafNode>
              <node name="client-ip-settings">
                <properties>
                  <help>Client IP pools settings</help>
                </properties>
                <children>
                  <leafNode name="subnet">
                    <properties>
                      <help>Client IP subnet (CIDR notation)</help>
                      <valueHelp>
                        <format>ipv4net</format>
                        <description>IPv4 address and prefix length</description>
                      </valueHelp>
                      <constraint>
                        <validator name="ipv4-prefix"/>
                      </constraint>
                      <constraintErrorMessage>Not a valid CIDR formatted prefix</constraintErrorMessage>
                    </properties>
                  </leafNode>
                </children>
              </node>
              <node name="client-ipv6-pool">
                <properties>
                  <help>Pool of client IPv6 addresses</help>
                </properties>
                <children>
                  <leafNode name="prefix">
                    <properties>
                      <help>Pool of addresses used to assign to clients</help>
                      <valueHelp>
                        <format>ipv6net</format>
                        <description>IPv6 address and prefix length</description>
                      </valueHelp>
                      <constraint>
                        <validator name="ipv6-prefix"/>
                      </constraint>
                    </properties>
                  </leafNode>
                  <leafNode name="mask">
                    <properties>
                      <help>Prefix length used for individual client</help>
                      <valueHelp>
                        <format>u32:48-128</format>
                        <description>Client prefix length</description>
                      </valueHelp>
                      <constraint>
                        <validator name="numeric" argument="--range 48-128"/>
                      </constraint>
                    </properties>
                    <defaultValue>64</defaultValue>
                  </leafNode>
                </children>
              </node>
              #include <include/name-server-ipv4-ipv6.xml.i>
              <leafNode name="split-dns">
                <properties>
                  <help>Domains over which the provided DNS should be used</help>
                  <valueHelp>
                    <format>txt</format>
                    <description>Client prefix length</description>
                  </valueHelp>
                  <constraint>
                    <validator name="fqdn"/>
                  </constraint>
                  <multi/>
                </properties>
              </leafNode>
              <leafNode name="tunnel-all-dns">
                <properties>
                  <help>If the tunnel-all-dns option is set to yes, tunnel all DNS queries via the VPN. This is the default when a default route is set.</help>
                  <completionHelp>
                    <list>yes no</list>
                  </completionHelp>
                  <valueHelp>
                    <format>yes</format>
                    <description>Enable tunneling of all DNS traffic</description>
                  </valueHelp>
                  <valueHelp>
                    <format>no</format>
                    <description>Disable tunneling of all DNS traffic</description>
                  </valueHelp>
                  <constraint>
                    <regex>(yes|no)</regex>
                  </constraint>
                </properties>
                <defaultValue>no</defaultValue>
              </leafNode>
            </children>
          </node>
      </children>
    </node>
  </children>
</node>
</interfaceDefinition>