1 files changed, 17 insertions, 11 deletions

diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index 66da9c794..a510c3a84 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -13,7 +13,13 @@ dev-type {{ device_type }}
 dev {{ ifname }}
 persist-key
 iproute /usr/libexec/vyos/system/unpriv-ip
-proto {{ protocol }}
+{% if protocol == 'tcp-active' %}
+proto tcp6-client
+{% elif protocol == 'tcp-passive' %}
+proto tcp6-server
+{% else %}
+proto udp6
+{% endif %}
 {% if local_host is defined and local_host is not none %}
 local {{ local_host }}
 {% endif %}
@@ -60,24 +66,24 @@ mode server
 tls-server
 {%   if server is defined and server is not none %}
 {%     if server.subnet is defined and server.subnet is not none %}
-{%       for subnet in server.subnet if subnet | ipv4 %}
+{%     if server.topology is defined and server.topology == 'point-to-point' %}
+topology p2p
+{%     elif server.topology is defined and server.topology is not none %}
+topology {{ server.topology }}
+{%     endif %}
+{%       for subnet in server.subnet if subnet | is_ipv4 %}
 server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
 {# OpenVPN assigns the first IP address to its local interface so the pool used #}
 {# in net30 topology - where each client receives a /30 must start from the second subnet #}
 {%     if server.topology is defined and server.topology == 'net30' %}
-ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
+ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
 {%     else %}
 {# OpenVPN assigns the first IP address to its local interface so the pool must #}
 {# start from the second address and end on the last address #}
-ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
+ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }}
 {%     endif %}
 {%       endfor %}
 {%     endif %}
-{%     if server.topology is defined and server.topology == 'point-to-point' %}
-topology p2p
-{%     elif server.topology is defined and server.topology is not none %}
-topology {{ server.topology }}
-{%     endif %}
 {%     if server.client_ip_pool is defined and server.client_ip_pool is not none and server.client_ip_pool.disable is not defined %}
 ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is defined and server.client_ip_pool.subnet_mask is not none }}
 {%     endif %}
@@ -130,12 +136,12 @@ push "dhcp-option DNS6 {{ ns6 }}"
 ping {{ keep_alive.interval }}
 ping-restart {{ keep_alive.failure_count }}
 
-{%   for laddr, laddr_conf in local_address.items() if laddr | ipv4 %}
+{%   for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %}
 {%     if laddr_conf is defined and laddr_conf.subnet_mask is defined and laddr_conf.subnet_mask is not none %}
 ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }}
 {%     else %}
 {%       for raddr in remote_address %}
-{%         if raddr | ipv4 %}
+{%         if raddr | is_ipv4 %}
 ifconfig {{ laddr }} {{ raddr }}
 {%         else %}
 ifconfig-ipv6 {{ laddr }} {{ raddr }}