diff options
| author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2022-09-15 17:28:11 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-09-15 17:28:11 +0300 |
| commit | 7a2ad35ec8ecd84d162a3e5dc41b50f31d18dc10 (patch) | |
| tree | 7bc3dcdb730ebba58fb35d170f1496cded6024c2 | |
| parent | d41909874a6a7e2264e0a89928885b491efd9851 (diff) | |
| parent | e5785ff748f93b66879d8bd0393c208c6df574a9 (diff) | |
| download | vyos-1x-7a2ad35ec8ecd84d162a3e5dc41b50f31d18dc10.tar.gz vyos-1x-7a2ad35ec8ecd84d162a3e5dc41b50f31d18dc10.zip | |
Merge pull request #1477 from sempervictus/feature/ocserv_groups
T3896(adjacent): Fix ocserv local user requirement, add groupconfig
| -rw-r--r-- | data/templates/ocserv/ocserv_config.j2 | 16 | ||||
| -rw-r--r-- | interface-definitions/vpn-openconnect.xml.in | 35 | ||||
| -rwxr-xr-x | src/conf_mode/vpn_openconnect.py | 19 |
3 files changed, 60 insertions, 10 deletions
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index e0cad5181..1d105113d 100644 --- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 @@ -7,7 +7,7 @@ run-as-user = nobody run-as-group = daemon {% if "radius" in authentication.mode %} -auth = "radius [config=/run/ocserv/radiusclient.conf]" +auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]" {% elif "local" in authentication.mode %} {% if authentication.mode.local == "password-otp" %} auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]" @@ -62,6 +62,13 @@ device = sslvpn dns = {{ dns }} {% endfor %} {% endif %} +{% if network_settings.tunnel_all_dns is vyos_defined %} +{% if "yes" in network_settings.tunnel_all_dns %} +tunnel-all-dns = true +{% else %} +tunnel-all-dns = false +{% endif %} +{% endif %} # IPv4 network pool {% if network_settings.client_ip_settings.subnet is vyos_defined %} @@ -85,3 +92,10 @@ route = {{ route }} split-dns = {{ tmp }} {% endfor %} {% endif %} + +{% if authentication.group is vyos_defined %} +# Group settings +{% for grp in authentication.group %} +select-group = {{ grp }} +{% endfor %} +{% endif %}
\ No newline at end of file diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in index 6309863c5..522465611 100644 --- a/interface-definitions/vpn-openconnect.xml.in +++ b/interface-definitions/vpn-openconnect.xml.in @@ -50,6 +50,16 @@ </leafNode> </children> </node> + <leafNode name="group"> + <properties> + <help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help> + <valueHelp> + <format>txt</format> + <description>Group string. The group may be followed by a user-friendly name in brackets: group1[First Group]</description> + </valueHelp> + <multi/> + </properties> + </leafNode> #include <include/auth-local-users.xml.i> <node name="local-users"> <children> @@ -144,6 +154,11 @@ </properties> <defaultValue>2</defaultValue> </leafNode> + <leafNode name="groupconfig"> + <properties> + <help>If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from radius.</help> + </properties> + </leafNode> </children> </node> </children> @@ -278,6 +293,26 @@ <multi/> </properties> </leafNode> + <leafNode name="tunnel-all-dns"> + <properties> + <help>If the tunnel-all-dns option is set to yes, tunnel all DNS queries via the VPN. This is the default when a default route is set.</help> + <completionHelp> + <list>yes no</list> + </completionHelp> + <valueHelp> + <format>yes</format> + <description>Enable tunneling of all DNS traffic</description> + </valueHelp> + <valueHelp> + <format>no</format> + <description>Disable tunneling of all DNS traffic</description> + </valueHelp> + <constraint> + <regex>(yes|no)</regex> + </constraint> + </properties> + <defaultValue>no</defaultValue> + </leafNode> </children> </node> </children> diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py index 240546817..23b1baf4d 100755 --- a/src/conf_mode/vpn_openconnect.py +++ b/src/conf_mode/vpn_openconnect.py @@ -58,15 +58,16 @@ def get_config(): default_values = defaults(base) ocserv = dict_merge(default_values, ocserv) - # workaround a "know limitation" - https://phabricator.vyos.net/T2665 - del ocserv['authentication']['local_users']['username']['otp'] - if not ocserv["authentication"]["local_users"]["username"]: - raise ConfigError('openconnect mode local required at least one user') - default_ocserv_usr_values = default_values['authentication']['local_users']['username']['otp'] - for user, params in ocserv['authentication']['local_users']['username'].items(): - # Not every configuration requires OTP settings - if ocserv['authentication']['local_users']['username'][user].get('otp'): - ocserv['authentication']['local_users']['username'][user]['otp'] = dict_merge(default_ocserv_usr_values, ocserv['authentication']['local_users']['username'][user]['otp']) + if "local" in ocserv["authentication"]["mode"]: + # workaround a "know limitation" - https://phabricator.vyos.net/T2665 + del ocserv['authentication']['local_users']['username']['otp'] + if not ocserv["authentication"]["local_users"]["username"]: + raise ConfigError('openconnect mode local required at least one user') + default_ocserv_usr_values = default_values['authentication']['local_users']['username']['otp'] + for user, params in ocserv['authentication']['local_users']['username'].items(): + # Not every configuration requires OTP settings + if ocserv['authentication']['local_users']['username'][user].get('otp'): + ocserv['authentication']['local_users']['username'][user]['otp'] = dict_merge(default_ocserv_usr_values, ocserv['authentication']['local_users']['username'][user]['otp']) if ocserv: ocserv['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), |