authorMarcus Hoff <marcus.hoff@ring2.dk>2020-09-22 19:44:24 +0200
committerGitHub <noreply@github.com>2020-09-22 19:44:24 +0200
commitb2c61e2127d83cc0a0e27092462b62c2e8e7eaa1 (patch)
tree2bcf29142ed12494ecb57af8c72c26a3763e4d43
parente7f8285d670829270a82a3ed7e603a6e8791bfe2 (diff)
openvpn: T2907: add 'none' encryption option to not encrypt any data
-rw-r--r--data/templates/openvpn/server.conf.tmpl4
-rw-r--r--interface-definitions/interfaces-openvpn.xml.in16
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py8
3 files changed, 22 insertions, 6 deletions
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index 401f8e04b..8a1ac6bd8 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -196,7 +196,9 @@ tls-server
# Encryption options
{%- if encryption %}
-{% if encryption == 'des' -%}
+{% if encryption == 'none' -%}
+cipher none
+{%- elif encryption == 'des' -%}
cipher des-cbc
{%- elif encryption == '3des' -%}
cipher des-ede3-cbc
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index 905c76507..5675379d5 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -63,9 +63,13 @@
<properties>
<help>Standard Data Encryption Algorithm</help>
<completionHelp>
- <list>des 3des bf128 bf256 aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm</list>
+ <list>none des 3des bf128 bf256 aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm</list>
</completionHelp>
<valueHelp>
+ <format>none</format>
+ <description>Disable encryption</description>
+ </valueHelp>
+ <valueHelp>
<format>des</format>
<description>DES algorithm</description>
</valueHelp>
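Review bot: The new `none` valueHelp description reads only `Disable encryption`, which understates the consequence for an operator picking a value from tab completion; the conf-mode warning added in the hunk at -944 only prints at commit time, so this help text is the earliest place the cleartext outcome can be stated. Consider `<description>Disable encryption (tunnelled data is sent in clear text)</description>` here and in the matching ncp-ciphers valueHelp added in the hunk at -114.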
@@ -106,7 +110,7 @@
<description>AES algorithm with 256-bit key GCM</description>
</valueHelp>
<constraint>
- <regex>(des|3des|bf128|bf256|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)</regex>
+ <regex>(none|des|3des|bf128|bf256|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)</regex>
</constraint>
</properties>
</leafNode>
@@ -114,9 +118,13 @@
<properties>
<help>Cipher negotiation list for use in server or client mode</help>
<completionHelp>
- <list>des 3des aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm</list>
+ <list>none des 3des aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm</list>
</completionHelp>
<valueHelp>
+ <format>none</format>
+ <description>Disable encryption</description>
+ </valueHelp>
+ <valueHelp>
<format>des</format>
<description>DES algorithm</description>
</valueHelp>
@@ -149,7 +157,7 @@
<description>AES algorithm with 256-bit key GCM</description>
</valueHelp>
<constraint>
- <regex>(des|3des|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)</regex>
+ <regex>(none|des|3des|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)</regex>
</constraint>
<multi/>
</properties>
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index f83590209..518dbdc0e 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -257,7 +257,10 @@ def get_config(config=None):
if conf.exists('encryption ncp-ciphers'):
_ncp_ciphers = []
for enc in conf.return_values('encryption ncp-ciphers'):
- if enc == 'des':
+ if enc == 'none':
+ _ncp_ciphers.append('none')
+ _ncp_ciphers.append('NONE')
+ elif enc == 'des':
_ncp_ciphers.append('des-cbc')
_ncp_ciphers.append('DES-CBC')
elif enc == '3des':
@@ -944,6 +947,9 @@ def verify(openvpn):
else:
print('Diffie-Hellman prime file is unspecified, assuming ECDH')
+ if openvpn['encryption'] == 'none':
+ print('Warning: "encryption none" was specified. NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network!')
+
#
# Auth user/pass
#
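Review bot: The new warning fires only when `openvpn['encryption'] == 'none'`, but the hunk at -257 also accepts `none` in `encryption ncp-ciphers`, which can negotiate an unencrypted data channel with no warning at all. The condition should also cover the list that `_ncp_ciphers` is stored under in `openvpn` (that key is not visible in this diff), e.g. `if openvpn['encryption'] == 'none' or 'none' in openvpn.get('<ncp-ciphers key>', []):`. One blank context line appears to have been dropped by the page between the `print(...)` at -945 and the added `if`, so the new block's indentation relative to the preceding `else:` cannot be confirmed from here. `verify()` continues outside the hunk.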