<?xml version="1.0"?> <interfaceDefinition> <node name="vpn"> <children> <node name="openconnect" owner="${vyos_conf_scripts_dir}/vpn_openconnect.py"> <properties> <help>SSL VPN OpenConnect, AnyConnect compatible server</help> <priority>901</priority> </properties> <children> <node name="accounting"> <properties> <help>Accounting for users OpenConnect VPN Sessions</help> </properties> <children> <node name="mode"> <properties> <help>Accounting mode used by this server</help> </properties> <children> <leafNode name="radius"> <properties> <help>Use RADIUS server for accounting</help> <valueless/> </properties> </leafNode> </children> </node> #include <include/radius-acct-server-ipv4.xml.i> </children> </node> <node name="authentication"> <properties> <help>Authentication for remote access SSL VPN Server</help> </properties> <children> <node name="mode"> <properties> <help>Authentication mode used by this server</help> </properties> <children> <leafNode name="local"> <properties> <help>Use local username/password configuration (OTP supported)</help> <valueHelp> <format>password</format> <description>Password-only local authentication</description> </valueHelp> <valueHelp> <format>otp</format> <description>OTP-only local authentication</description> </valueHelp> <valueHelp> <format>password-otp</format> <description>Password (first) + OTP local authentication</description> </valueHelp> <constraint> <regex>(password|otp|password-otp)</regex> </constraint> <constraintErrorMessage>Invalid authentication mode. Must be one of: password, otp or password-otp </constraintErrorMessage> <completionHelp> <list>otp password password-otp</list> </completionHelp> </properties> </leafNode> <leafNode name="radius"> <properties> <help>Use RADIUS server for user autentication</help> <valueless/> </properties> </leafNode> </children> </node> <node name="identity-based-config"> <properties> <help>Include configuration file by username or RADIUS group attribute</help> </properties> <children> #include <include/generic-disable-node.xml.i> <leafNode name="mode"> <properties> <help>Select per user or per group configuration file - ignored if authentication group is configured</help> <completionHelp> <list>user group</list> </completionHelp> <valueHelp> <format>user</format> <description>Match configuration file on username</description> </valueHelp> <valueHelp> <format>group</format> <description>Match RADIUS response class attribute as file name</description> </valueHelp> <constraint> <regex>(user|group)</regex> </constraint> <constraintErrorMessage>Invalid mode, must be either user or group</constraintErrorMessage> </properties> </leafNode> <leafNode name="directory"> <properties> <help>Directory to containing configuration files</help> <valueHelp> <format>path</format> <description>Path to configuration directory, must be under /config/auth</description> </valueHelp> <constraint> <validator name="file-path" argument="--directory --parent-dir /config/auth --strict"/> </constraint> </properties> </leafNode> <leafNode name="default-config"> <properties> <help>Default configuration if discrete config could not be found</help> <valueHelp> <format>filename</format> <description>Default configuration filename, must be under /config/auth</description> </valueHelp> <constraint> <validator name="file-path" argument="--file --parent-dir /config/auth --strict"/> </constraint> </properties> </leafNode> </children> </node> <leafNode name="group"> <properties> <help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help> <valueHelp> <format>txt</format> <description>Group string. The group may be followed by a user-friendly name in brackets: group1[First Group]</description> </valueHelp> <multi/> </properties> </leafNode> #include <include/auth-local-users.xml.i> <node name="local-users"> <children> <tagNode name="username"> <children> <node name="otp"> <properties> <help>2FA OTP authentication parameters</help> </properties> <children> <leafNode name="key"> <properties> <help>Token Key Secret key for the token algorithm (see RFC 4226)</help> <valueHelp> <format>txt</format> <description>OTP key in hex-encoded format</description> </valueHelp> <constraint> <regex>[a-fA-F0-9]{20,10000}</regex> </constraint> <constraintErrorMessage>Key name must only include hex characters and be at least 20 characters long</constraintErrorMessage> </properties> </leafNode> <leafNode name="otp-length"> <properties> <help>Number of digits in OTP code</help> <valueHelp> <format>u32:6-8</format> <description>Number of digits in OTP code</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 6-8"/> </constraint> <constraintErrorMessage>Number of digits in OTP code must be between 6 and 8</constraintErrorMessage> </properties> <defaultValue>6</defaultValue> </leafNode> <leafNode name="interval"> <properties> <help>Time tokens interval in seconds</help> <valueHelp> <format>u32:5-86400</format> <description>Time tokens interval in seconds.</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 5-86400"/> </constraint> <constraintErrorMessage>Time token interval must be between 5 and 86400 seconds</constraintErrorMessage> </properties> <defaultValue>30</defaultValue> </leafNode> <leafNode name="token-type"> <properties> <help>Token type</help> <valueHelp> <format>hotp-time</format> <description>Time-based OTP algorithm</description> </valueHelp> <valueHelp> <format>hotp-event</format> <description>Event-based OTP algorithm</description> </valueHelp> <constraint> <regex>(hotp-time|hotp-event)</regex> </constraint> <completionHelp> <list>hotp-time hotp-event</list> </completionHelp> </properties> <defaultValue>hotp-time</defaultValue> </leafNode> </children> </node> </children> </tagNode> </children> </node> #include <include/radius-auth-server-ipv4.xml.i> <node name="radius"> <children> #include <include/radius-timeout.xml.i> <leafNode name="groupconfig"> <properties> <help>If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from RADIUS.</help> </properties> </leafNode> </children> </node> </children> </node> #include <include/listen-address-ipv4-single.xml.i> <leafNode name="listen-address"> <defaultValue>0.0.0.0</defaultValue> </leafNode> <node name="listen-ports"> <properties> <help>Specify custom ports to use for client connections</help> </properties> <children> <leafNode name="tcp"> <properties> <help>tcp port number to accept connections</help> <valueHelp> <format>u32:1-65535</format> <description>Numeric IP port</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-65535"/> </constraint> </properties> <defaultValue>443</defaultValue> </leafNode> <leafNode name="udp"> <properties> <help>udp port number to accept connections</help> <valueHelp> <format>u32:1-65535</format> <description>Numeric IP port</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-65535"/> </constraint> </properties> <defaultValue>443</defaultValue> </leafNode> </children> </node> <leafNode name="http-security-headers"> <properties> <help>Enable HTTP security headers</help> <valueless/> </properties> </leafNode> #include <include/tls-version-min.xml.i> <leafNode name="tls-version-min"> <defaultValue>1.2</defaultValue> </leafNode> <node name="ssl"> <properties> <help>SSL Certificate, SSL Key and CA</help> </properties> <children> #include <include/pki/ca-certificate.xml.i> #include <include/pki/certificate-key.xml.i> </children> </node> <node name="network-settings"> <properties> <help>Network settings</help> </properties> <children> <leafNode name="push-route"> <properties> <help>Route to be pushed to the client</help> <valueHelp> <format>ipv4net</format> <description>IPv4 network and prefix length</description> </valueHelp> <valueHelp> <format>ipv6net</format> <description>IPv6 network and prefix length</description> </valueHelp> <constraint> <validator name="ip-prefix"/> </constraint> <multi/> </properties> </leafNode> <node name="client-ip-settings"> <properties> <help>Client IP pools settings</help> </properties> <children> <leafNode name="subnet"> <properties> <help>Client IP subnet (CIDR notation)</help> <valueHelp> <format>ipv4net</format> <description>IPv4 address and prefix length</description> </valueHelp> <constraint> <validator name="ipv4-prefix"/> </constraint> <constraintErrorMessage>Not a valid CIDR formatted prefix</constraintErrorMessage> </properties> </leafNode> </children> </node> <node name="client-ipv6-pool"> <properties> <help>Pool of client IPv6 addresses</help> </properties> <children> <leafNode name="prefix"> <properties> <help>Pool of addresses used to assign to clients</help> <valueHelp> <format>ipv6net</format> <description>IPv6 address and prefix length</description> </valueHelp> <constraint> <validator name="ipv6-prefix"/> </constraint> </properties> </leafNode> <leafNode name="mask"> <properties> <help>Prefix length used for individual client</help> <valueHelp> <format>u32:48-128</format> <description>Client prefix length</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 48-128"/> </constraint> </properties> <defaultValue>64</defaultValue> </leafNode> </children> </node> #include <include/name-server-ipv4-ipv6.xml.i> <leafNode name="split-dns"> <properties> <help>Domains over which the provided DNS should be used</help> <valueHelp> <format>txt</format> <description>Client prefix length</description> </valueHelp> <constraint> <validator name="fqdn"/> </constraint> <multi/> </properties> </leafNode> <leafNode name="tunnel-all-dns"> <properties> <help>If the tunnel-all-dns option is set to yes, tunnel all DNS queries via the VPN. This is the default when a default route is set.</help> <completionHelp> <list>yes no</list> </completionHelp> <valueHelp> <format>yes</format> <description>Enable tunneling of all DNS traffic</description> </valueHelp> <valueHelp> <format>no</format> <description>Disable tunneling of all DNS traffic</description> </valueHelp> <constraint> <regex>(yes|no)</regex> </constraint> </properties> <defaultValue>no</defaultValue> </leafNode> </children> </node> </children> </node> </children> </node> </interfaceDefinition>