diff options
author | Daniil Baturin <daniil@baturin.org> | 2023-09-20 15:36:00 +0100 |
---|---|---|
committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2023-09-20 18:41:22 +0000 |
commit | 398fb266101c259dcfb0e20fe011ac0736522eba (patch) | |
tree | 443649062cbab1a22748d29753cd360968d45d3d /src/conf_mode | |
parent | 78e07ec57102060ecc6554b1531ae953b061a5dd (diff) | |
download | vyos-1x-398fb266101c259dcfb0e20fe011ac0736522eba.tar.gz vyos-1x-398fb266101c259dcfb0e20fe011ac0736522eba.zip |
openvpn: T5269: add a deprecation warning for shared-secret
(cherry picked from commit 4bbbaab60d56bfd6f3a145378027642b4c47adee)
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 1d0feb56f..85905fd9a 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -30,6 +30,7 @@ from netifaces import interfaces from secrets import SystemRandom from shutil import rmtree +from vyos.base import DeprecationWarning from vyos.config import Config from vyos.configdict import get_interface_dict from vyos.configdict import is_node_changed @@ -165,6 +166,11 @@ def verify_pki(openvpn): if shared_secret_key not in pki['openvpn']['shared_secret']: raise ConfigError(f'Invalid shared-secret on openvpn interface {interface}') + # If PSK settings are correct, warn about its deprecation + DeprecationWarning("OpenVPN shared-secret support will be removed in future VyOS versions.\n\ + Please migrate your site-to-site tunnels to TLS.\n\ + You can use self-signed certificates with peer fingerprint verification, consult the documentation for details.") + if tls: if (mode in ['server', 'client']) and ('ca_certificate' not in tls): raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\ |