author | Christian Breunig <christian@breunig.cc> | 2024-05-28 22:57:17 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-05-28 22:57:17 +0200 |
commit | fbf12867c4baebfaf85c90b72139b507f582279b (patch) | |
tree | 281200e3ead1b13b72a206dcc2e4792325b42344 | |
parent | 9d0a453c923fe8efd5dafe6230dafe7d267aa9d6 (diff) | |
parent | a3763a233d130d5d03b7cdc50efdab6c78d3152d (diff) | |
Merge pull request #3536 from vyos/mergify/bp/sagitta/pr-3528
openvpn: T6374: ensure that TLS role is configured for site-to-site with TLS (backport #3528)
-rwxr-xr-x | src/conf_mode/interfaces_openvpn.py | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/conf_mode/interfaces_openvpn.py b/src/conf_mode/interfaces_openvpn.py
index 0ecffd3be..5b9c21757 100755
--- a/src/conf_mode/interfaces_openvpn.py
+++ b/src/conf_mode/interfaces_openvpn.py
@@ -260,6 +260,11 @@ def verify(openvpn):
     # OpenVPN site-to-site - VERIFY
     #
     elif openvpn['mode'] == 'site-to-site':
+        # XXX: site-to-site is the only mode that still can work without TLS,
+        # so we need to make sure that if TLS is used, then TLS role is also specified
+        if 'shared_secret_key' not in openvpn['tls'] and 'role' not in openvpn['tls']:
+            raise ConfigError('"tls role" is required for site-to-site OpenVPN with TLS')
+
         if 'local_address' not in openvpn and 'is_bridge_member' not in openvpn:
             raise ConfigError('Must specify "local-address" or add interface to bridge') |
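Review bot: The new check indexes `openvpn['tls']` twice without first confirming the `tls` node exists, so a site-to-site interface committed with no `tls` subtree at all would fail `verify()` with a KeyError traceback instead of the intended ConfigError; whether the config loader guarantees a `tls` key here is not visible in this hunk, so this is worth confirming against how `openvpn['tls']` is populated earlier in `verify()`. A defensive form would be `tls = openvpn.get('tls', {})` followed by `if 'shared_secret_key' not in tls and 'role' not in tls:`, which keeps the same rejection for the TLS-without-role case and lets the existing checks decide what a missing `tls` node means. The comment above the check could also state the security reason rather than just the mechanism, e.g. `# Without an explicit role OpenVPN cannot verify the peer's certificate purpose (server vs client), so refuse the config rather than silently weakening TLS peer validation`. The `verify()` function starts and ends outside this hunk.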