Diffstat (limited to 'data/templates/openvpn/server.conf.j2')
-rw-r--r--data/templates/openvpn/server.conf.j218
1 files changed, 16 insertions, 2 deletions
diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index 6dd4ef88d..f76fbbe79 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -48,6 +48,9 @@ push "redirect-gateway def1"
{% if use_lzo_compression is vyos_defined %}
compress lzo
{% endif %}
+{% if offload.dco is not vyos_defined %}
+disable-dco
+{% endif %}
{% if mode is vyos_defined('client') %}
#
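Review bot: The new `offload.dco` branch is emitted independently of the `compress lzo` line just above it, yet (as far as I recall the 2.6 documentation) DCO does not support compression and OpenVPN silently falls back to the userspace data path when both are present, so a user who sets both `offload dco` and `use-lzo-compression` gets no offload and no error from the template. Either reject that combination in the verify stage or at least document it here, e.g. `{# DCO is incompatible with compression: openvpn drops to userspace when both are set #}` above the `disable-dco` block. The default branch only emits `disable-dco`; a short comment stating that DCO is opt-in and why (kernel module availability) would help the next maintainer. The enclosing template section begins outside this hunk.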
@@ -98,7 +101,7 @@ server-ipv6 {{ subnet }}
{% endif %}
{% if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %}
-ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }}
+ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }} {{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }}
{% endif %}
{% if server.max_connections is vyos_defined %}
max-clients {{ server.max_connections }}
@@ -182,7 +185,7 @@ tls-version-min {{ tls.tls_version_min }}
{% endif %}
{% if tls.dh_params is vyos_defined %}
dh /run/openvpn/{{ ifname }}_dh.pem
-{% elif mode is vyos_defined('server') and tls.private_key is vyos_defined %}
+{% else %}
dh none
{% endif %}
{% if tls.auth_key is vyos_defined %}
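Review bot: `dh none` is now emitted for every instance without `tls.dh_params`, including client mode and server mode without a private key, and nothing explains the security consequence: with no DH parameters the TLS 1.2 handshake is restricted to ECDHE suites, which is the intended (forward-secret) outcome rather than a loss. A one-line template comment would make this deliberate, e.g. `{# No finite-field DH params: TLS 1.2 uses ECDHE only, TLS 1.3 ignores this; keep unless legacy DH is required #}` above `dh none`. The `{% if tls.dh_params ... %}` chain sits inside a `tls` block whose start is outside this hunk, so I cannot confirm from here that `tls` is always defined at this point.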
@@ -197,6 +200,14 @@ tls-client
{% elif tls.role is vyos_defined('passive') %}
tls-server
{% endif %}
+
+{% if tls.peer_fingerprint is vyos_defined %}
+<peer-fingerprint>
+{% for fp in tls.peer_fingerprint %}
+{{ fp }}
+{% endfor %}
+</peer-fingerprint>
+{% endif %}
{% endif %}
# Encryption options
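Review bot: The new `<peer-fingerprint>` block interpolates each `fp` value verbatim with no comment about the format OpenVPN expects (a `SHA256:` prefixed colon-separated digest) or about how it interacts with a configured CA, so a maintainer cannot tell from the template whether a malformed or non-SHA256 entry is caught by the validator or only surfaces as an OpenVPN start-up failure; I assume the verify stage checks the format but cannot see that here. Also worth stating is the trust semantics: OpenVPN accepts a peer if its certificate fingerprint matches one of these entries, and — if I recall the 2.6 manual correctly — fingerprint pinning can stand in for a CA entirely, which makes this list the whole trust anchor for the tunnel when no `ca` is emitted. A comment such as `{# SHA256 certificate fingerprints of allowed peers; with no CA these are the only trust anchor #}` placed before `<peer-fingerprint>` would capture that. The surrounding `{% if tls ... %}` block is closed at the end of this hunk but opened outside it.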
@@ -213,6 +224,9 @@ keysize 256
data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }}
{% endif %}
{% endif %}
+# https://vyos.dev/T5027
+# Required to support BF-CBC (default ciphername when none given)
+providers legacy default
{% if hash is vyos_defined %}
auth {{ hash }}
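Review bot: `providers legacy default` is emitted unconditionally, so every OpenVPN instance loads the OpenSSL legacy provider solely to keep BF-CBC as the implicit default cipher, and BF-CBC is a 64-bit block cipher (SWEET32 class) that OpenVPN has deprecated since 2.5; the comment on the preceding lines documents the motivation but not the cost. The safer shape is to gate the provider line on a legacy cipher actually being selected and otherwise emit an explicit modern default (for example `cipher AES-256-CBC` or an AES-GCM `data-ciphers` list) so a user who sets nothing does not silently get Blowfish, roughly `{% if encryption.cipher is vyos_defined('bf128') or encryption.cipher is vyos_defined('bf256') %}` around `providers legacy default` — the exact node names must be confirmed against the interface definition, which is not visible here. If the unconditional form is kept, the comment should at least say that the legacy provider enables all deprecated algorithms for the whole process, not just BF-CBC. The encryption block starts outside this hunk, and I am assuming L62 is its final context line.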