1 files changed, 9 insertions, 14 deletions

diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index 9e4cc6813..7a0470d0e 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -76,7 +76,7 @@ server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
 {%     if server.push_route is defined and server.push_route is not none %}
 {%       for route, route_config in server.push_route.items() %}
 {%         if route | is_ipv4 %}
-push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ subnet | first_host_address }} {{ route_config.metric if route_config.metric is defined else "0" }}"
+push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}{% if route_config.metric is defined %} {{ subnet | first_host_address }} {{ route_config.metric }}{% endif %}"
 {%         elif route | is_ipv6 %}
 push "route-ipv6 {{ route }}"
 {%         endif %}
@@ -126,6 +126,12 @@ push "dhcp-option DNS6 {{ nameserver }}"
 {%     if server.domain_name is defined and server.domain_name is not none %}
 push "dhcp-option DOMAIN {{ server.domain_name }}"
 {%     endif %}
+{%     if server.mfa is defined and server.mfa is not none %}
+{%       if server.mfa.totp is defined and server.mfa.totp is not none %}
+{%         set totp_config = server.mfa.totp %}
+plugin "{{ plugin_dir}}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets {{ 'otp_slop=' ~ totp_config.slop }} {{ 'totp_t0=' ~ totp_config.drift }} {{ 'totp_step=' ~ totp_config.step }} {{ 'totp_digits=' ~ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}"
+{%       endif %}
+{%     endif %}
 {%   endif %}
 {% else %}
 #
@@ -176,6 +182,8 @@ tls-version-min {{ tls.tls_version_min }}
 {%   endif %}
 {%   if tls.dh_params is defined and tls.dh_params is not none %}
 dh /run/openvpn/{{ ifname }}_dh.pem
+{%   elif mode == 'server' and tls.private_key is defined %}
+dh none
 {%   endif %}
 {%   if tls.auth_key is defined and tls.auth_key is not none %}
 {%     if mode == 'client' %}
@@ -216,16 +224,3 @@ auth {{ hash }}
 auth-user-pass {{ auth_user_pass_file }}
 auth-retry nointeract
 {% endif %}
-
-{% if openvpn_option is defined and openvpn_option is not none %}
-#
-# Custom options added by user (not validated)
-#
-{%   for option in openvpn_option %}
-{%     for argument in option.split('--') %}
-{%       if argument is defined and argument != '' %}
---{{ argument }}
-{%       endif %}
-{%     endfor %}
-{%   endfor %}
-{% endif %}