authorJohn Estabrook <jestabro@vyos.io>2023-08-16 09:09:10 -0500
committerGitHub <noreply@github.com>2023-08-16 09:09:10 -0500
commit9cdc76fe5badcf44cf38ea82ed89332b32d9d62b (patch)
tree9bb955c7f2f7b623bb05970f3db3383b04de2f9e
parent3a3e490a198a10b6a05d5a0e2f1487ebfd6551a0 (diff)
parent26d7ab49d92d5c665f5d6bc21375a21e22da33f6 (diff)
Merge pull request #2150 from dmbaturin/T5271-openvpn-peer-fingerprint-restrictions
T5271: allow OpenVPN peer-fingerprint to be used instead of a CA in site-to-site mode
-rw-r--r--data/templates/openvpn/server.conf.j26
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py26
2 files changed, 19 insertions, 13 deletions
diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index a9bd45370..f76fbbe79 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -185,7 +185,7 @@ tls-version-min {{ tls.tls_version_min }}
{% endif %}
{% if tls.dh_params is vyos_defined %}
dh /run/openvpn/{{ ifname }}_dh.pem
-{% elif mode is vyos_defined('server') and tls.private_key is vyos_defined %}
+{% else %}
dh none
{% endif %}
{% if tls.auth_key is vyos_defined %}
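Review bot: The new `{% else %}` emits `dh none` for every mode in which `tls.dh_params` is unset, whereas the removed branch limited it to server mode with a private key, so client-mode instances now get a `dh` directive they never had before. If OpenVPN treats `--dh` as a server-only option (I believe it is rejected under `tls-client`, but confirm against the OpenVPN version shipped), those clients will fail to start after this change rather than ignore the line. A narrower condition such as `{% elif mode is not vyos_defined('client') %}` keeps the site-to-site case the commit is after while leaving client mode untouched; the `{% if mode ... %}` block this sits in begins before the hunk.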
@@ -201,9 +201,9 @@ tls-client
tls-server
{% endif %}
-{% if peer_fingerprint is vyos_defined %}
+{% if tls.peer_fingerprint is vyos_defined %}
<peer-fingerprint>
-{% for fp in peer_fingerprint %}
+{% for fp in tls.peer_fingerprint %}
{{ fp }}
{% endfor %}
</peer-fingerprint>
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 26b217d98..1d0feb56f 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -166,17 +166,23 @@ def verify_pki(openvpn):
raise ConfigError(f'Invalid shared-secret on openvpn interface {interface}')
if tls:
- if 'ca_certificate' not in tls:
- raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface}')
-
- for ca_name in tls['ca_certificate']:
- if ca_name not in pki['ca']:
- raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}')
+ if (mode in ['server', 'client']) and ('ca_certificate' not in tls):
+ raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\
+ it is required in server and client modes')
+ else:
+ if ('ca_certificate' not in tls) and ('peer_fingerprint' not in tls):
+ raise ConfigError('Either "tls ca-certificate" or "tls peer-fingerprint" is required\
+ on openvpn interface {interface} in site-to-site mode')
- if len(tls['ca_certificate']) > 1:
- sorted_chain = sort_ca_chain(tls['ca_certificate'], pki['ca'])
- if not verify_ca_chain(sorted_chain, pki['ca']):
- raise ConfigError(f'CA certificates are not a valid chain')
+ if 'ca_certificate' in tls:
+ for ca_name in tls['ca_certificate']:
+ if ca_name not in pki['ca']:
+ raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}')
+
+ if len(tls['ca_certificate']) > 1:
+ sorted_chain = sort_ca_chain(tls['ca_certificate'], pki['ca'])
+ if not verify_ca_chain(sorted_chain, pki['ca']):
+ raise ConfigError(f'CA certificates are not a valid chain')
if mode != 'client' and 'auth_key' not in tls:
if 'certificate' not in tls:
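Review bot: The `ConfigError` raised for site-to-site mode at the second added `raise` has no `f` prefix, so the message is emitted with a literal `{interface}` instead of the interface name. Both new messages also use a backslash continuation inside the string literal, which splices the next line's indentation into the text; a cleaner form is `raise ConfigError(f'Either "tls ca-certificate" or "tls peer-fingerprint" is required '` followed by `f'on openvpn interface {interface} in site-to-site mode')`, with the same treatment for the server/client message above it. Separately, `peer_fingerprint` is only tested for presence here while `ca_certificate` entries are cross-checked against `pki['ca']`; the fingerprint values are rendered verbatim into the `<peer-fingerprint>` block of the template, so if the interface definition does not already constrain them to the SHA-256 colon-hex form, a format check in `verify_pki` would be the place to add it. `verify_pki` starts before the hunk.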