summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorDaniil Baturin <daniil@baturin.org>2024-05-27 15:23:53 +0100
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2024-05-28 19:56:27 +0000
commita3763a233d130d5d03b7cdc50efdab6c78d3152d (patch)
tree281200e3ead1b13b72a206dcc2e4792325b42344 /src
parent9d0a453c923fe8efd5dafe6230dafe7d267aa9d6 (diff)
downloadvyos-1x-a3763a233d130d5d03b7cdc50efdab6c78d3152d.tar.gz
vyos-1x-a3763a233d130d5d03b7cdc50efdab6c78d3152d.zip
openvpn: T6374: ensure that TLS role is configured for site-to-site with TLS
(cherry picked from commit 380e998b10341b6dd42bb94d00a9d7a462ada27a)
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/interfaces_openvpn.py5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/conf_mode/interfaces_openvpn.py b/src/conf_mode/interfaces_openvpn.py
index 0ecffd3be..5b9c21757 100755
--- a/src/conf_mode/interfaces_openvpn.py
+++ b/src/conf_mode/interfaces_openvpn.py
@@ -260,6 +260,11 @@ def verify(openvpn):
# OpenVPN site-to-site - VERIFY
#
elif openvpn['mode'] == 'site-to-site':
+ # XXX: site-to-site is the only mode that still can work without TLS,
+ # so we need to make sure that if TLS is used, then TLS role is also specified
+ if 'shared_secret_key' not in openvpn['tls'] and 'role' not in openvpn['tls']:
+ raise ConfigError('"tls role" is required for site-to-site OpenVPN with TLS')
+
if 'local_address' not in openvpn and 'is_bridge_member' not in openvpn:
raise ConfigError('Must specify "local-address" or add interface to bridge')