authorDaniil Baturin <daniil@baturin.org>2023-09-20 15:36:00 +0100
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2023-09-20 18:41:22 +0000
commit398fb266101c259dcfb0e20fe011ac0736522eba (patch)
tree443649062cbab1a22748d29753cd360968d45d3d /src/conf_mode
parent78e07ec57102060ecc6554b1531ae953b061a5dd (diff)
openvpn: T5269: add a deprecation warning for shared-secret
(cherry picked from commit 4bbbaab60d56bfd6f3a145378027642b4c47adee)
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 1d0feb56f..85905fd9a 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -30,6 +30,7 @@ from netifaces import interfaces
from secrets import SystemRandom
from shutil import rmtree
+from vyos.base import DeprecationWarning
from vyos.config import Config
from vyos.configdict import get_interface_dict
from vyos.configdict import is_node_changed
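Review bot: The added `from vyos.base import DeprecationWarning` rebinds the name of Python's built-in `DeprecationWarning` class for the whole module. Any `warnings.warn(..., DeprecationWarning)` or `except DeprecationWarning` elsewhere in this file would then resolve to the VyOS helper rather than the built-in; whether the file has such uses is not visible from this hunk. Importing under an alias, for example `from vyos.base import DeprecationWarning as VyOSDeprecationWarning` (alias name is only a suggestion), keeps the built-in reachable. It also makes the call added in verify_pki read as a user-facing notice rather than an exception class.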
@@ -165,6 +166,11 @@ def verify_pki(openvpn):
if shared_secret_key not in pki['openvpn']['shared_secret']:
raise ConfigError(f'Invalid shared-secret on openvpn interface {interface}')
+ # If PSK settings are correct, warn about its deprecation
+ DeprecationWarning("OpenVPN shared-secret support will be removed in future VyOS versions.\n\
+ Please migrate your site-to-site tunnels to TLS.\n\
+ You can use self-signed certificates with peer fingerprint verification, consult the documentation for details.")
+
if tls:
if (mode in ['server', 'client']) and ('ca_certificate' not in tls):
raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\