author | Christian Poessinger <christian@poessinger.com> | 2020-12-31 11:01:43 +0100 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-12-31 11:02:01 +0100 |
commit | 215ddbe0bc51417b7ba66298764810754b204082 (patch) | |
tree | 6ed633f29024ed9186a99435cd2b5546598b5a27 | |
parent | 4e63a3966b352a0ada8444fa80ec6bee97b45213 (diff) | |
download | vyos-1x-215ddbe0bc51417b7ba66298764810754b204082.tar.gz vyos-1x-215ddbe0bc51417b7ba66298764810754b204082.zip |
openvpn: T2994: fix ipv6 server mode
-rw-r--r-- | data/templates/openvpn/server.conf.tmpl | 44 | ||||
-rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 13 |
2 files changed, 21 insertions, 36 deletions
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index 462d73c02..b3b0c936a 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -67,24 +67,29 @@ mode server
 tls-server
 {% if server is defined and server is not none %}
 {% if server.subnet is defined and server.subnet is not none %}
-{% if server.topology is defined and server.topology == 'point-to-point' %}
+{% if server.topology is defined and server.topology == 'point-to-point' %}
 topology p2p
-{% elif server.topology is defined and server.topology is not none %}
+{% elif server.topology is defined and server.topology is not none %}
 topology {{ server.topology }}
-{% endif %}
-{% for subnet in server.subnet if subnet | is_ipv4 %}
+{% endif %}
+{% for subnet in server.subnet %}
+{% if subnet | is_ipv4 %}
 server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
 {# OpenVPN assigns the first IP address to its local interface so the pool used #}
 {# in net30 topology - where each client receives a /30 must start from the second subnet #}
-{% if server.topology is defined and server.topology == 'net30' %}
+{% if server.topology is defined and server.topology == 'net30' %}
 ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
-{% else %}
+{% else %}
 {# OpenVPN assigns the first IP address to its local interface so the pool must #}
 {# start from the second address and end on the last address #}
 ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }}
-{% endif %}
+{% endif %}
+{% elif subnet | is_ipv6 %}
+server-ipv6 {{ subnet }}
+{% endif %}
 {% endfor %}
 {% endif %}
+
 {% if server.client_ip_pool is defined and server.client_ip_pool is not none and server.client_ip_pool.disable is not defined %}
 ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is defined and server.client_ip_pool.subnet_mask is not none }}
{% endif %}
@@ -101,36 +106,29 @@ management /run/openvpn/openvpn-mgmt-intf unix
 {% if server.reject_unconfigured_clients is defined %}
 ccd-exclusive
 {% endif %}
+
 {% if server.push_route is defined and server.push_route is not none %}
 {% for route in server.push_route %}
+{% if route | is_ipv4 %}
 push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}"
+{% elif route | is_ipv6 %}
+push "route-ipv6 {{ route }}"
+{% endif %}
 {% endfor %}
 {% endif %}
 {% if server.name_server is defined and server.name_server is not none %}
 {% for nameserver in server.name_server %}
+{% if nameserver | is_ipv4 %}
 push "dhcp-option DNS {{ nameserver }}"
+{% elif nameserver | is_ipv6 %}
+push "dhcp-option DNS6 {{ nameserver }}"
+{% endif %}
 {% endfor %}
 {% endif %}
 {% if server.domain_name is defined and server.domain_name is not none %}
 push "dhcp-option DOMAIN {{ server.domain_name }}"
 {% endif %}
 {% endif %}
-
-{% if subnet_v6 is defined and subnet_v6 is not none %}
-# IPv6
-push "tun-ipv6"
-ifconfig-ipv6 {{ server_ipv6_local }}/{{ server_ipv6_prefixlen }} {{ server_ipv6_remote }}
-{% if server_ipv6_pool %}
-ifconfig-ipv6-pool {{ server_ipv6_pool_base }}/{{ server_ipv6_pool_prefixlen }}
-{% endif %}
-{% for route6 in server_ipv6_push_route %}
-push "route-ipv6 {{ route6 }}"
-{% endfor %}
-{% for ns6 in server_ipv6_dns_nameserver %}
-push "dhcp-option DNS6 {{ ns6 }}"
-{% endfor %}
-{% endif %}
-
 {% else %}
 #
 # OpenVPN site-2-site mode
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 25920f893..e4a6a5ec1 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
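Review bot: The new IPv6 branch `+server-ipv6 {{ subnet }}` loses the pool-disable semantics that the IPv4 branch keeps: IPv4 uses `server ... nopool` with an explicit `ifconfig-pool` that is gated below by `server.client_ip_pool.disable`, whereas `server-ipv6` is documented in openvpn(8) as the convenience form of `ifconfig-ipv6` plus `ifconfig-ipv6-pool`, so an IPv6 address pool is always configured even when the operator disabled client pools (the removed block honoured a separate `server_ipv6_pool` flag for exactly this). If that is intended, a template comment next to the branch stating that IPv6 pools are always enabled would save the next reader the question; otherwise the branch should mirror IPv4 by emitting `ifconfig-ipv6` directly and adding `ifconfig-ipv6-pool` only when `client_ip_pool.disable` is not set. I cannot see from this hunk whether verify() constrains the prefix length of an IPv6 `server.subnet` to the range `server-ipv6` accepts, so a too-wide or too-narrow prefix may only surface as a failed service start; worth checking. Unrelated to this change but visible in the same hunk, `{{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask ... }}` has no separator, so when subnet_mask is defined the stop address and the mask appear to be rendered as one token, presumably a pre-existing bug.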
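Review bot: `+push "route-ipv6 {{ route }}"` (and likewise `+push "dhcp-option DNS6 {{ nameserver }}"`) is now emitted for any IPv6 value in `server.push_route`, with nothing tying it to the presence of an IPv6 entry in `server.subnet`, and the third hunk removes the verify() check that previously rejected an IPv6 push-route without an IPv6 server subnet; a server configured with only an IPv4 subnet will therefore push IPv6 routes to clients that receive no IPv6 tunnel address. The guard should reappear in verify() in the new shape, e.g. `if any(is_ipv6(r) for r in dict_search('server.push_route', openvpn) or []) and not any(is_ipv6(s) for s in dict_search('server.subnet', openvpn) or []): raise ConfigError('IPv6 push-route requires an IPv6 server subnet')`, or the `elif route | is_ipv6` branch should be wrapped in an equivalent template condition. The enclosing `{% if server is defined ... %}` block that this hunk's trailing `{% else %}` belongs to opens outside the hunk.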
@@ -284,19 +284,6 @@ def verify(openvpn): if IPv6Address(client['ipv6_ip'][0]) in v6PoolNet: print(f'Warning: Client "{client["name"]}" IP {client["ipv6_ip"][0]} is in server IP pool, it is not reserved for this client.') - else: - for route in (dict_search('server.push_route', openvpn) or []): - if is_ipv6(route): - raise ConfigError('IPv6 push-route requires an IPv6 server subnet') - - #for client in openvpn ['client']: - # if client['ipv6_ip']: - # raise ConfigError(f'Server client "{client["name"]}" IPv6 IP requires an IPv6 server subnet') - # if client['ipv6_push_route']: - # raise ConfigError(f'Server client "{client["name"]} IPv6 push-route requires an IPv6 server subnet"') - # if client['ipv6_subnet']: - # raise ConfigError(f'Server client "{client["name"]} IPv6 subnet requires an IPv6 server subnet"') - else: # checks for both client and site-to-site go here if dict_search('server.reject_unconfigured_clients', openvpn): |