summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorKim Hagen <kim@sentrium.io>2021-10-07 08:44:00 -0500
committerKim Hagen <kim@sentrium.io>2021-10-07 08:44:00 -0500
commitba8630da96396f09c638fccdc9cfe6a3ee70fd58 (patch)
treea4bedef0d677fa8179dd76c7c8d314476f3683cd /src/conf_mode
parenteb7f8904076e749e18c10b6374bf363dfa009c19 (diff)
downloadvyos-1x-ba8630da96396f09c638fccdc9cfe6a3ee70fd58.tar.gz
vyos-1x-ba8630da96396f09c638fccdc9cfe6a3ee70fd58.zip
pull request fixes
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py18
1 files changed, 16 insertions, 2 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 365d0982e..220c4f157 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -80,6 +80,11 @@ def get_config(config=None):
tmp_pki = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
get_first_key=True, no_tag_node_value_mangle=True)
+ # We have to get the dict using 'get_config_dict' instead of 'get_interface_dict'
+ # as 'get_interface_dict' merges the defaults in, so we can not check for defaults in there.
+ tmp_openvpn = conf.get_config_dict(base + [os.environ['VYOS_TAGNODE_VALUE']], key_mangling=('-', '_'),
+ get_first_key=True, no_tag_node_value_mangle=True)
+
openvpn = get_interface_dict(conf, base)
if 'deleted' not in openvpn:
@@ -89,6 +94,14 @@ def get_config(config=None):
openvpn['daemon_user'] = user
openvpn['daemon_group'] = group
+ # We have to cleanup the config dict, as default values could enable features
+ # which are not explicitly enabled on the CLI. Example: server mfa totp
+ # originate comes with defaults, which will enable the
+ # totp plugin, even when not set via CLI so we
+ # need to check this first and drop those keys
+ if 'totp' not in tmp_openvpn['server']:
+ del openvpn['server']['mfa']['totp']
+
return openvpn
def is_ec_private_key(pki, cert_name):
@@ -369,8 +382,8 @@ def verify(openvpn):
if IPv6Address(client['ipv6_ip'][0]) in v6PoolNet:
print(f'Warning: Client "{client["name"]}" IP {client["ipv6_ip"][0]} is in server IP pool, it is not reserved for this client.')
- # add 2fa users to the file the 2fa plugin uses
- if dict_search('server.2fa.totp', openvpn):
+ # add mfa users to the file the mfa plugin uses
+ if dict_search('server.mfa.totp', openvpn):
if not Path(otp_file.format(**openvpn)).is_file():
Path(otp_path).mkdir(parents=True, exist_ok=True)
Path(otp_file.format(**openvpn)).touch()
@@ -590,6 +603,7 @@ def generate_pki_files(openvpn):
def generate(openvpn):
interface = openvpn['ifname']
directory = os.path.dirname(cfg_file.format(**openvpn))
+ plugin_dir = '/usr/lib/openvpn'
# we can't know in advance which clients have been removed,
# thus all client configs will be removed and re-added on demand