diff options
| author | vindenesen <vindenesen@gmail.com> | 2019-10-01 21:49:35 +0200 |
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2019-11-11 16:29:02 +0100 |
| commit | d13ed0f466f1e150159067c1b335fdc0317b6c20 (patch) | |
| tree | b322805a551e53240cb88a28e987d218f75947fb /src/conf_mode | |
| parent | 3782cfacaa9f6582a3d649bbdb38e0553c67b8c4 (diff) | |
| download | vyos-1x-d13ed0f466f1e150159067c1b335fdc0317b6c20.tar.gz vyos-1x-d13ed0f466f1e150159067c1b335fdc0317b6c20.zip | |
[OpenVPN]: T1704: Added function for ncp-ciphers, and ability to disable it.
[OpenVPN]: T1704: Changed config structure for OpenVPN encryption to support ncp-ciphers.
[OpenVPN]: T1704: Added migration scripts for interface 2-to-3
Diffstat (limited to 'src/conf_mode')
| -rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 48 |
1 files changed, 44 insertions, 4 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index cdd133904..5140cc468 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -220,6 +220,12 @@ cipher aes-256-gcm {%- elif 'aes256' in encryption %} cipher aes-256-cbc {% endif %} +{%- if ncp_ciphers %} +ncp-ciphers {{ncp_ciphers}} +{% endif %} +{% endif %} +{%- if disable_ncp %} +ncp-disable {% endif %} {%- if auth %} @@ -277,6 +283,7 @@ default_config_data = { 'deleted': False, 'description': '', 'disable': False, + 'disable_ncp': False, 'encryption': '', 'hash': '', 'intf': '', @@ -287,6 +294,7 @@ default_config_data = { 'local_host': '', 'local_port': '', 'mode': '', + 'ncp_ciphers': '', 'options': [], 'persistent_tunnel': False, 'protocol': '', @@ -410,10 +418,36 @@ def get_config(): if conf.exists('disable'): openvpn['disable'] = True - # data encryption algorithm - if conf.exists('encryption'): - openvpn['encryption'] = conf.return_value('encryption') - + # data encryption algorithm cipher + if conf.exists('encryption cipher'): + openvpn['encryption'] = conf.return_value('encryption cipher') + + # disable ncp-ciphers support + if conf.exists('encryption disable-ncp'): + openvpn['disable_ncp'] = True + + # data encryption algorithm ncp-list + if conf.exists('encryption ncp-ciphers'): + _ncp_ciphers = [] + for enc in conf.return_values('encryption ncp-ciphers'): + if enc == 'des': + _ncp_ciphers.append('des-cbc') + elif enc == '3des': + _ncp_ciphers.append('des-ede3-cbc') + elif enc == 'aes128': + _ncp_ciphers.append('aes-128-cbc') + elif enc == 'aes128gcm': + _ncp_ciphers.append('aes-128-gcm') + elif enc == 'aes192': + _ncp_ciphers.append('aes-192-cbc') + elif enc == 'aes192gcm': + _ncp_ciphers.append('aes-192-gcm') + elif enc == 'aes256': + _ncp_ciphers.append('aes-256-cbc') + elif enc == 'aes256gcm': + _ncp_ciphers.append('aes-256-gcm') + openvpn['ncp_ciphers'] = ':'.join(_ncp_ciphers) + # hash algorithm if conf.exists('hash'): openvpn['hash'] = conf.return_value('hash') @@ -621,6 +655,9 @@ def verify(openvpn): if openvpn['bridge_member']: raise ConfigError('Can not delete {} as it is a member interface of bridge {}!'.format(openvpn['intf'], bridge)) + # Check if we have disabled ncp and at the same time specified ncp-ciphers + if openvpn['disable_ncp'] and openvpn['ncp_ciphers']: + raise ConfigError('Cannot specify both "encryption disable-ncp" and "encryption ncp-ciphers"') # # OpenVPN client mode - VERIFY # @@ -661,6 +698,9 @@ def verify(openvpn): if openvpn['local_address'] == openvpn['local_host']: raise ConfigError('"local-address" cannot be the same as "local-host"') + if openvpn['ncp_ciphers']: + raise ConfigError('encryption ncp-ciphers cannot be specified in site-to-site mode, only server or client') + else: if openvpn['local_address'] or openvpn['remote_address']: raise ConfigError('Cannot specify "local-address" or "remote-address" in client-server mode') |