authorChristian Poessinger <christian@poessinger.com>2020-02-27 18:44:12 +0100
committerChristian Poessinger <christian@poessinger.com>2020-02-27 18:44:12 +0100
commit93d33b06b59a514485467ced5a48dc997a235c6c (patch)
tree13a6226c14463ecbefaec6d96f92f87e4c9a926d /interface-definitions
parente054dee8b8ab81f7f85bb93bd25110affa38fcd0 (diff)
openvpn: T2075: add support for OpenVPN tls-crypt file option
Encrypt and authenticate all control channel packets with the key from keyfile. Encrypting (and authenticating) control channel packets: * provides more privacy by hiding the certificate used for the TLS connection * makes it harder to identify OpenVPN traffic as such * provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy)
Diffstat (limited to 'interface-definitions')
-rw-r--r--interface-definitions/interfaces-openvpn.xml.in12
1 files changed, 12 insertions, 0 deletions
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index bc1a159a9..cac0ee417 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -611,6 +611,18 @@
</constraint>
</properties>
</leafNode>
+ <leafNode name="crypt-file">
+ <properties>
+ <help>File containing encryption key to authenticate control channel</help>
+ <valueHelp>
+ <format>file</format>
+ <description>File in /config/auth directory</description>
+ </valueHelp>
+ <constraint>
+ <validator name="file-exists" argument="--directory /config/auth"/>
+ </constraint>
+ </properties>
+ </leafNode>
<leafNode name="tls-version-min">
<properties>
<help>Specify the minimum required TLS version</help>
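Review bot: The help text on the new `crypt-file` node (line 29) understates the option: per the commit message tls-crypt both encrypts and authenticates control-channel packets, and the file must be an OpenVPN static pre-shared key, none of which the `file-exists` constraint checks — it only verifies that a file of that name exists under /config/auth. Suggest `<help>File containing pre-shared static key to encrypt and authenticate control channel packets</help>` and a `<description>` that names the expected format, e.g. `<description>OpenVPN static key file (openvpn --genkey) in /config/auth directory</description>`, so operators do not point it at a certificate or arbitrary file. Whether the `file-exists` validator rejects path components such as `..` in the supplied value is not visible in this hunk; worth confirming so the node cannot reference files outside /config/auth. The enclosing node that holds these leafNodes starts and ends outside the hunk.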