summaryrefslogtreecommitdiff
path: root/data/templates/openvpn/server.conf.j2
diff options
context:
space:
mode:
Diffstat (limited to 'data/templates/openvpn/server.conf.j2')
-rw-r--r--data/templates/openvpn/server.conf.j218
1 files changed, 16 insertions, 2 deletions
diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index 844a1390b..2eb9416fe 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -48,6 +48,9 @@ push "redirect-gateway def1"
{% if use_lzo_compression is vyos_defined %}
compress lzo
{% endif %}
+{% if offload.dco is not vyos_defined %}
+disable-dco
+{% endif %}
{% if mode is vyos_defined('client') %}
#
@@ -89,7 +92,7 @@ server-ipv6 {{ subnet }}
{% endif %}
{% if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %}
-ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }}
+ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }} {{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }}
{% endif %}
{% if server.max_connections is vyos_defined %}
max-clients {{ server.max_connections }}
@@ -173,7 +176,7 @@ tls-version-min {{ tls.tls_version_min }}
{% endif %}
{% if tls.dh_params is vyos_defined %}
dh /run/openvpn/{{ ifname }}_dh.pem
-{% elif mode is vyos_defined('server') and tls.private_key is vyos_defined %}
+{% else %}
dh none
{% endif %}
{% if tls.auth_key is vyos_defined %}
@@ -188,6 +191,14 @@ tls-client
{% elif tls.role is vyos_defined('passive') %}
tls-server
{% endif %}
+
+{% if tls.peer_fingerprint is vyos_defined %}
+<peer-fingerprint>
+{% for fp in tls.peer_fingerprint %}
+{{ fp }}
+{% endfor %}
+</peer-fingerprint>
+{% endif %}
{% endif %}
# Encryption options
@@ -204,6 +215,9 @@ keysize 256
data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }}
{% endif %}
{% endif %}
+# https://vyos.dev/T5027
+# Required to support BF-CBC (default ciphername when none given)
+providers legacy default
{% if hash is vyos_defined %}
auth {{ hash }}
generated by cgit v1.2.3 (git 2.39.1) at 2024-10-03 11:26:17 +0000