Diffstat (limited to 'data/templates/openvpn/server.conf.tmpl')
-rw-r--r-- | data/templates/openvpn/server.conf.tmpl | 102 |
1 files changed, 49 insertions, 53 deletions
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl index fb7ad9e16..f26680fa3 100644 --- a/data/templates/openvpn/server.conf.tmpl +++ b/data/templates/openvpn/server.conf.tmpl @@ -3,7 +3,7 @@ # See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage # for individual keyword definition # -# {{ description if description is defined and description is not none }} +# {{ description if description is vyos_defined }} # verb 3 
@@ -17,35 +17,35 @@ proto tcp-server {% else %} proto udp {% endif %} -{% if local_host is defined and local_host is not none %} +{% if local_host is vyos_defined %} local {{ local_host }} {% endif %} -{% if mode is defined and mode == 'server' and protocol == 'udp' and local_host is not defined %} +{% if mode is vyos_defined('server') and protocol is vyos_defined('udp') and local_host is not vyos_defined %} multihome {% endif %} -{% if local_port is defined and local_port is not none %} +{% if local_port is vyos_defined %} lport {{ local_port }} {% endif %} -{% if remote_port is defined and remote_port is not none %} +{% if remote_port is vyos_defined %} rport {{ remote_port }} {% endif %} -{% if remote_host is defined and remote_host is not none %} +{% if remote_host is vyos_defined %} {% for remote in remote_host %} remote {{ remote }} {% endfor %} {% endif %} -{% if shared_secret_key is defined and shared_secret_key is not none %} +{% if shared_secret_key is vyos_defined %} secret /run/openvpn/{{ ifname }}_shared.key {% endif %} -{% if persistent_tunnel is defined %} +{% if persistent_tunnel is vyos_defined %} persist-tun {% endif %} -{% if replace_default_route is defined and replace_default_route.local is defined %} +{% if replace_default_route.local is vyos_defined %} push "redirect-gateway local def1" -{% elif replace_default_route is defined %} +{% elif replace_default_route is vyos_defined %} push "redirect-gateway def1" {% endif %} -{% if use_lzo_compression is defined %} +{% if use_lzo_compression is vyos_defined %} compress lzo {% endif %} 
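Review bot: `{% if replace_default_route.local is vyos_defined %}` drops the old guard on the parent, so the test now dereferences an attribute of `replace_default_route` before anything has checked that it exists; unless the template environment renders with a chainable undefined class (Jinja2's `ChainableUndefined`), attribute access on an undefined parent raises UndefinedError at render time and the whole server.conf fails to generate. The same pattern appears in the `@@ -123,14 +123,12` hunk with `server.mfa.totp is vyos_defined`, where both `server.mfa` guards were removed. If the environment is not chainable, keep the parent test: `{% if replace_default_route is vyos_defined and replace_default_route.local is vyos_defined %}`. Separately, `local_host is not vyos_defined` is slightly broader than the old `is not defined` (a None value now also enables `multihome`), which is presumably intended but worth confirming.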
@@ -62,21 +62,21 @@ nobind # mode server tls-server -{% if server is defined and server is not none %} -{% if server.subnet is defined and server.subnet is not none %} -{% if server.topology is defined and server.topology == 'point-to-point' %} +{% if server is vyos_defined %} +{% if server.subnet is vyos_defined %} +{% if server.topology is vyos_defined('point-to-point') %} topology p2p -{% elif server.topology is defined and server.topology is not none %} +{% elif server.topology is vyos_defined %} topology {{ server.topology }} {% endif %} {% for subnet in server.subnet %} {% if subnet | is_ipv4 %} server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool {# First ip address is used as gateway. It's allows to use metrics #} -{% if server.push_route is defined and server.push_route is not none %} +{% if server.push_route is vyos_defined %} {% for route, route_config in server.push_route.items() %} {% if route | is_ipv4 %} -push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}{% if route_config.metric is defined %} {{ subnet | first_host_address }} {{ route_config.metric }}{% endif %}" +push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}{% if route_config.metric is vyos_defined %} {{ subnet | first_host_address }} {{ route_config.metric }}{% endif %}" {% elif route | is_ipv6 %} push "route-ipv6 {{ route }}" {% endif %} 
@@ -84,7 +84,7 @@ push "route-ipv6 {{ route }}" {% endif %} {# OpenVPN assigns the first IP address to its local interface so the pool used #} {# in net30 topology - where each client receives a /30 must start from the second subnet #} -{% if server.topology is defined and server.topology == 'net30' %} +{% if server.topology is vyos_defined('net30') %} ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }} {% else %} {# OpenVPN assigns the first IP address to its local interface so the pool must #} 
@@ -97,24 +97,24 @@ server-ipv6 {{ subnet }} {% endfor %} {% endif %} -{% if server.client_ip_pool is defined and server.client_ip_pool is not none and server.client_ip_pool.disable is not defined %} -ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is defined and server.client_ip_pool.subnet_mask is not none }} +{% if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %} +ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }} {% endif %} -{% if server.max_connections is defined and server.max_connections is not none %} +{% if server.max_connections is vyos_defined %} max-clients {{ server.max_connections }} {% endif %} -{% if server.client is defined and server.client is not none %} +{% if server.client is vyos_defined %} client-config-dir /run/openvpn/ccd/{{ ifname }} {% endif %} {% endif %} keepalive {{ keep_alive.interval }} {{ keep_alive.interval|int * keep_alive.failure_count|int }} management /run/openvpn/openvpn-mgmt-intf unix -{% if server is defined and server is not none %} -{% if server.reject_unconfigured_clients is defined %} +{% if server is vyos_defined %} +{% if server.reject_unconfigured_clients is vyos_defined %} ccd-exclusive {% endif %} -{% if server.name_server is defined and server.name_server is not none %} +{% if server.name_server is vyos_defined %} {% for nameserver in server.name_server %} {% if nameserver | is_ipv4 %} push "dhcp-option DNS {{ nameserver }}" 
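Review bot: `{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }}` on the new ifconfig-pool line is an inline if without an else, so when subnet_mask is unset it evaluates to an undefined value rather than an empty string; that renders as empty under the default undefined class but fails under a strict one, and it is inconsistent with the `else ''` form used on the ifconfig-pool line in the `@@ -84,7 +84,7` hunk. Use the explicit form here: `{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined else '' }}`. `start` and `stop` on that line remain unguarded, as they were before the change.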
@@ -123,14 +123,12 @@ push "dhcp-option DNS6 {{ nameserver }}" {% endif %} {% endfor %} {% endif %} -{% if server.domain_name is defined and server.domain_name is not none %} +{% if server.domain_name is vyos_defined %} push "dhcp-option DOMAIN {{ server.domain_name }}" {% endif %} -{% if server.mfa is defined and server.mfa is not none %} -{% if server.mfa.totp is defined and server.mfa.totp is not none %} -{% set totp_config = server.mfa.totp %} +{% if server.mfa.totp is vyos_defined %} +{% set totp_config = server.mfa.totp %} plugin "{{ plugin_dir}}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets {{ 'otp_slop=' ~ totp_config.slop }} {{ 'totp_t0=' ~ totp_config.drift }} {{ 'totp_step=' ~ totp_config.step }} {{ 'totp_digits=' ~ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}" -{% endif %} {% endif %} {% endif %} {% else %} @@ -141,9 +139,9 @@ ping {{ keep_alive.interval }} ping-restart {{ keep_alive.failure_count }} {% if device_type == 'tap' %} -{% if local_address is defined and local_address is not none %} +{% if local_address is vyos_defined %} {% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %} -{% if laddr_conf is defined and laddr_conf.subnet_mask is defined and laddr_conf.subnet_mask is not none %} +{% if laddr_conf.subnet_mask is vyos_defined %} ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }} {% endif %} {% endfor %} 
@@ -162,67 +160,65 @@ ifconfig-ipv6 {{ laddr }} {{ raddr }} {% endif %} {% endif %} -{% if tls is defined and tls is not none %} +{% if tls is vyos_defined %} # TLS options -{% if tls.ca_certificate is defined and tls.ca_certificate is not none %} +{% if tls.ca_certificate is vyos_defined %} ca /run/openvpn/{{ ifname }}_ca.pem {% endif %} -{% if tls.certificate is defined and tls.certificate is not none %} +{% if tls.certificate is vyos_defined %} cert /run/openvpn/{{ ifname }}_cert.pem {% endif %} -{% if tls.private_key is defined %} +{% if tls.private_key is vyos_defined %} key /run/openvpn/{{ ifname }}_cert.key {% endif %} -{% if tls.crypt_key is defined and tls.crypt_key is not none %} +{% if tls.crypt_key is vyos_defined %} tls-crypt /run/openvpn/{{ ifname }}_crypt.key {% endif %} -{% if tls.crl is defined %} +{% if tls.crl is vyos_defined %} crl-verify /run/openvpn/{{ ifname }}_crl.pem {% endif %} -{% if tls.tls_version_min is defined and tls.tls_version_min is not none %} +{% if tls.tls_version_min is vyos_defined %} tls-version-min {{ tls.tls_version_min }} {% endif %} -{% if tls.dh_params is defined and tls.dh_params is not none %} +{% if tls.dh_params is vyos_defined %} dh /run/openvpn/{{ ifname }}_dh.pem -{% elif mode == 'server' and tls.private_key is defined %} +{% elif mode is vyos_defined('server') and tls.private_key is vyos_defined %} dh none {% endif %} -{% if tls.auth_key is defined and tls.auth_key is not none %} +{% if tls.auth_key is vyos_defined %} {% if mode == 'client' %} tls-auth /run/openvpn/{{ ifname }}_auth.key 1 {% elif mode == 'server' %} tls-auth /run/openvpn/{{ ifname }}_auth.key 0 {% endif %} {% endif %} -{% if tls.role is defined and tls.role is not none %} -{% if tls.role == 'active' %} +{% if tls.role is vyos_defined('active') %} tls-client -{% elif tls.role == 'passive' %} +{% elif tls.role is vyos_defined('passive') %} tls-server -{% endif %} {% endif %} {% endif %} # Encryption options -{% if encryption is defined and 
encryption is not none %} -{% if encryption.cipher is defined and encryption.cipher is not none %} +{% if encryption is vyos_defined %} +{% if encryption.cipher is vyos_defined %} cipher {{ encryption.cipher | openvpn_cipher }} -{% if encryption.cipher == 'bf128' %} +{% if encryption.cipher is vyos_defined('bf128') %} keysize 128 -{% elif encryption.cipher == 'bf256' %} +{% elif encryption.cipher is vyos_defined('bf256') %} keysize 256 {% endif %} {% endif %} -{% if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %} +{% if encryption.ncp_ciphers is vyos_defined %} data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }} {% endif %} {% endif %} -{% if hash is defined and hash is not none %} +{% if hash is vyos_defined %} auth {{ hash }} {% endif %} -{% if authentication is defined and authentication is not none %} +{% if authentication is vyos_defined %} auth-user-pass {{ auth_user_pass_file }} auth-retry nointeract {% endif %} |
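Review bot: The tls-auth block in this hunk still compares `mode == 'client'` / `mode == 'server'` directly, while the `dh none` branch a few lines above was converted to `mode is vyos_defined('server')`; these are the only raw comparisons left in the TLS section after the change. For consistency: `{% if mode is vyos_defined('client') %}` and `{% elif mode is vyos_defined('server') %}`. Either form emits no tls-auth line at all when mode matches neither value even though `tls.auth_key` is configured, so if mode can be unset at this point a short comment such as `{# auth_key is ignored unless mode is client or server #}` would make that visible to the next reader.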