author | Christian Breunig <christian@breunig.cc> | 2023-09-20 20:40:42 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-09-20 20:40:42 +0200 |
commit | f9fd136402e87864a4449fa920cf036b9e97338b (patch) | |
tree | 90426ab7d91c5bd0621a2f3d79dd0865715e1875 | |
parent | b52cf1b7b3bc138b26eb21f917967748c40f9d3a (diff) | |
parent | 4bbbaab60d56bfd6f3a145378027642b4c47adee (diff) | |
Merge pull request #2296 from dmbaturin/T5269-deprecate-shared-secret
openvpn: T5269: add a deprecation warning for shared-secret
-rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 9f4de990c..bdeb44837 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -30,6 +30,7 @@ from netifaces import interfaces from secrets import SystemRandom from shutil import rmtree +from vyos.base import DeprecationWarning from vyos.config import Config from vyos.configdict import get_interface_dict from vyos.configdict import is_node_changed @@ -165,6 +166,11 @@ def verify_pki(openvpn): if shared_secret_key not in pki['openvpn']['shared_secret']: raise ConfigError(f'Invalid shared-secret on openvpn interface {interface}') + # If PSK settings are correct, warn about its deprecation + DeprecationWarning("OpenVPN shared-secret support will be removed in future VyOS versions.\n\ + Please migrate your site-to-site tunnels to TLS.\n\ + You can use self-signed certificates with peer fingerprint verification, consult the documentation for details.") + if tls: if (mode in ['server', 'client']) and ('ca_certificate' not in tls): raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\ |
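Review bot: The deprecation message added in verify_pki() does not say which interface still uses a shared secret, although the `ConfigError` calls directly before and after it both include `{interface}`. On a router with several OpenVPN tunnels the operator cannot tell from the warning which ones still need migrating to TLS; making the first literal an f-string, e.g. `f'OpenVPN shared-secret support (interface {interface}) will be removed in future VyOS versions.\n'`, would fix that. The `\n\` backslash continuations inside the string also pull any leading whitespace of the continuation lines into the message (the indentation is not visible on this page, so this is inferred from the surrounding code); adjacent string literals, one per sentence, avoid that. verify_pki() starts and ends outside the hunk.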