diff options
| author | John Estabrook <jestabro@vyos.io> | 2023-08-16 09:09:10 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-08-16 09:09:10 -0500 |
| commit | 9cdc76fe5badcf44cf38ea82ed89332b32d9d62b (patch) | |
| tree | 9bb955c7f2f7b623bb05970f3db3383b04de2f9e | |
| parent | 3a3e490a198a10b6a05d5a0e2f1487ebfd6551a0 (diff) | |
| parent | 26d7ab49d92d5c665f5d6bc21375a21e22da33f6 (diff) | |
| download | vyos-1x-9cdc76fe5badcf44cf38ea82ed89332b32d9d62b.tar.gz vyos-1x-9cdc76fe5badcf44cf38ea82ed89332b32d9d62b.zip | |
Merge pull request #2150 from dmbaturin/T5271-openvpn-peer-fingerprint-restrictions
T5271: allow OpenVPN peer-fingerprint to be used instead of a CA in site-to-site mode
| -rw-r--r-- | data/templates/openvpn/server.conf.j2 | 6 | ||||
| -rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 26 |
2 files changed, 19 insertions, 13 deletions
diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2 index a9bd45370..f76fbbe79 100644 --- a/data/templates/openvpn/server.conf.j2 +++ b/data/templates/openvpn/server.conf.j2 @@ -185,7 +185,7 @@ tls-version-min {{ tls.tls_version_min }} {% endif %} {% if tls.dh_params is vyos_defined %} dh /run/openvpn/{{ ifname }}_dh.pem -{% elif mode is vyos_defined('server') and tls.private_key is vyos_defined %} +{% else %} dh none {% endif %} {% if tls.auth_key is vyos_defined %} @@ -201,9 +201,9 @@ tls-client tls-server {% endif %} -{% if peer_fingerprint is vyos_defined %} +{% if tls.peer_fingerprint is vyos_defined %} <peer-fingerprint> -{% for fp in peer_fingerprint %} +{% for fp in tls.peer_fingerprint %} {{ fp }} {% endfor %} </peer-fingerprint> diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 26b217d98..1d0feb56f 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -166,17 +166,23 @@ def verify_pki(openvpn): raise ConfigError(f'Invalid shared-secret on openvpn interface {interface}') if tls: - if 'ca_certificate' not in tls: - raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface}') - - for ca_name in tls['ca_certificate']: - if ca_name not in pki['ca']: - raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}') + if (mode in ['server', 'client']) and ('ca_certificate' not in tls): + raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\ + it is required in server and client modes') + else: + if ('ca_certificate' not in tls) and ('peer_fingerprint' not in tls): + raise ConfigError('Either "tls ca-certificate" or "tls peer-fingerprint" is required\ + on openvpn interface {interface} in site-to-site mode') - if len(tls['ca_certificate']) > 1: - sorted_chain = sort_ca_chain(tls['ca_certificate'], pki['ca']) - if not verify_ca_chain(sorted_chain, pki['ca']): - raise ConfigError(f'CA certificates are not a valid chain') + if 'ca_certificate' in tls: + for ca_name in tls['ca_certificate']: + if ca_name not in pki['ca']: + raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}') + + if len(tls['ca_certificate']) > 1: + sorted_chain = sort_ca_chain(tls['ca_certificate'], pki['ca']) + if not verify_ca_chain(sorted_chain, pki['ca']): + raise ConfigError(f'CA certificates are not a valid chain') if mode != 'client' and 'auth_key' not in tls: if 'certificate' not in tls: |