summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorhagbard-01 <39653662+hagbard-01@users.noreply.github.com>2019-09-19 13:24:01 -0700
committerGitHub <noreply@github.com>2019-09-19 13:24:01 -0700
commit4cc3cda1fac559578add593a14a2fa04bd7167a3 (patch)
tree27700e2b306ea6cb0884f61e1c76b117c296d69a
parent6e21be23be126af259f07bb23e4893470b5cb2fb (diff)
parent61f59ee0e8a50fc15f0899fda828d9d0ea0b0ad6 (diff)
downloadvyos-1x-4cc3cda1fac559578add593a14a2fa04bd7167a3.tar.gz
vyos-1x-4cc3cda1fac559578add593a14a2fa04bd7167a3.zip
Merge pull request #131 from vindenesen/T1670
[OpenVPN] T1670: Added setting for tls-auth. Added check for if tls_cert and tls_key w…
-rw-r--r--interface-definitions/interfaces-openvpn.xml5
-rwxr-xr-xsrc/conf_mode/interface-openvpn.py27
2 files changed, 27 insertions, 5 deletions
diff --git a/interface-definitions/interfaces-openvpn.xml b/interface-definitions/interfaces-openvpn.xml
index d282a8773..05970f2d9 100644
--- a/interface-definitions/interfaces-openvpn.xml
+++ b/interface-definitions/interfaces-openvpn.xml
@@ -518,6 +518,11 @@
<help>Transport Layer Security (TLS) options</help>
</properties>
<children>
+ <leafNode name="auth-file">
+ <properties>
+ <help>File containing tls static key for tls-auth</help>
+ </properties>
+ </leafNode>
<leafNode name="ca-cert-file">
<properties>
<help>File containing certificate for Certificate Authority (CA)</help>
diff --git a/src/conf_mode/interface-openvpn.py b/src/conf_mode/interface-openvpn.py
index 34c094862..7b3e57d7d 100755
--- a/src/conf_mode/interface-openvpn.py
+++ b/src/conf_mode/interface-openvpn.py
@@ -171,6 +171,10 @@ crl-verify {{ tls_crl }}
dh {{ tls_dh }}
{% endif %}
+{%- if tls_auth %}
+tls-auth {{tls_auth}}
+{% endif %}
+
{%- if 'active' in tls_role %}
tls-client
{%- elif 'passive' in tls_role %}
@@ -277,6 +281,7 @@ default_config_data = {
'server_topology': '',
'shared_secret_file': '',
'tls': False,
+ 'tls_auth': '',
'tls_ca_cert': '',
'tls_cert': '',
'tls_crl': '',
@@ -532,6 +537,11 @@ def get_config():
if conf.exists('server reject-unconfigured-clients'):
openvpn['server_reject_unconfigured'] = True
+ # File containing TLS auth static key
+ if conf.exists('tls auth-file'):
+ openvpn['tls_auth'] = conf.return_value('tls auth-file')
+ openvpn['tls'] = True
+
# File containing certificate for Certificate Authority (CA)
if conf.exists('tls ca-cert-file'):
openvpn['tls_ca_cert'] = conf.return_value('tls ca-cert-file')
@@ -714,11 +724,17 @@ def verify(openvpn):
if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_ca_cert']):
raise ConfigError('Specified ca-cert-file "{}" is invalid'.format(openvpn['tls_ca_cert']))
- if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_cert']):
- raise ConfigError('Specified cert-file "{}" is invalid'.format(openvpn['tls_cert']))
+ if openvpn['tls_auth']:
+ if not checkCertHeader('-----BEGIN OpenVPN Static key V1-----', openvpn['tls_auth']):
+ raise ConfigError('Specified auth-file "{}" is invalid'.format(openvpn['tls_auth']))
+
+ if openvpn['tls_cert']:
+ if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_cert']):
+ raise ConfigError('Specified cert-file "{}" is invalid'.format(openvpn['tls_cert']))
- if not checkCertHeader('-----BEGIN (?:RSA )?PRIVATE KEY-----', openvpn['tls_key']):
- raise ConfigError('Specified key-file "{}" is not valid'.format(openvpn['tls_key']))
+ if openvpn['tls_key']:
+ if not checkCertHeader('-----BEGIN (?:RSA )?PRIVATE KEY-----', openvpn['tls_key']):
+ raise ConfigError('Specified key-file "{}" is not valid'.format(openvpn['tls_key']))
if openvpn['tls_crl']:
if not checkCertHeader('-----BEGIN X509 CRL-----', openvpn['tls_crl']):
@@ -730,7 +746,8 @@ def verify(openvpn):
if openvpn['tls_role']:
if openvpn['mode'] in ['client', 'server']:
- raise ConfigError('Cannot specify "tls role" in client-server mode')
+ if not openvpn['tls_auth']:
+ raise ConfigError('Cannot specify "tls role" in client-server mode')
if openvpn['tls_role'] == 'active':
if openvpn['protocol'] == 'tcp-passive':