diff options
Diffstat (limited to 'data')
23 files changed, 430 insertions, 199 deletions
diff --git a/data/configd-include.json b/data/configd-include.json index a03360bdb..3b4e2925b 100644 --- a/data/configd-include.json +++ b/data/configd-include.json @@ -69,6 +69,5 @@ "vpn_pptp.py", "vpn_sstp.py", "vrf.py", -"vrrp.py", -"vyos_cert.py" +"vrrp.py" ] diff --git a/data/templates/accel-ppp/sstp.config.tmpl b/data/templates/accel-ppp/sstp.config.tmpl index 7ca7b1c1e..fad91d118 100644 --- a/data/templates/accel-ppp/sstp.config.tmpl +++ b/data/templates/accel-ppp/sstp.config.tmpl @@ -29,9 +29,9 @@ disable verbose=1 ifname=sstp%d accept=ssl -ssl-ca-file={{ ssl.ca_cert_file }} -ssl-pemfile={{ ssl.cert_file }} -ssl-keyfile={{ ssl.key_file }} +ssl-ca-file=/run/accel-pppd/sstp-ca.pem +ssl-pemfile=/run/accel-pppd/sstp-cert.pem +ssl-keyfile=/run/accel-pppd/sstp-cert.key {# Common IP pool definitions #} {% include 'accel-ppp/config_ip_pool.j2' %} diff --git a/data/templates/ethernet/wpa_supplicant.conf.tmpl b/data/templates/ethernet/wpa_supplicant.conf.tmpl index fe518ad45..308d777f1 100644 --- a/data/templates/ethernet/wpa_supplicant.conf.tmpl +++ b/data/templates/ethernet/wpa_supplicant.conf.tmpl @@ -32,11 +32,11 @@ fast_reauth=1 network={ {% if eapol is defined and eapol is not none %} -{% if eapol.ca_cert_file is defined and eapol.ca_cert_file is not none %} - ca_cert="{{ eapol.ca_cert_file }}" +{% if eapol.ca_certificate is defined and eapol.ca_certificate is not none %} + ca_cert="/run/wpa_supplicant/{{ ifname }}_ca.pem" {% endif %} - client_cert="{{ eapol.cert_file }}" - private_key="{{ eapol.key_file }}" + client_cert="/run/wpa_supplicant/{{ ifname }}_cert.pem" + private_key="/run/wpa_supplicant/{{ ifname }}_cert.key" {% endif %} # list of accepted authenticated key management protocols diff --git a/data/templates/firewall/nftables-vrf-zones.tmpl b/data/templates/firewall/nftables-vrf-zones.tmpl new file mode 100644 index 000000000..eecf47b78 --- /dev/null +++ b/data/templates/firewall/nftables-vrf-zones.tmpl @@ -0,0 +1,17 @@ +table inet vrf_zones { + # Map of interfaces and connections tracking zones + map ct_iface_map { + typeof iifname : ct zone + } + # Assign unique zones for each VRF + # Chain for inbound traffic + chain vrf_zones_ct_in { + type filter hook prerouting priority raw; policy accept; + counter ct zone set iifname map @ct_iface_map + } + # Chain for locally-generated traffic + chain vrf_zones_ct_out { + type filter hook output priority raw; policy accept; + counter ct zone set oifname map @ct_iface_map + } +} diff --git a/data/templates/frr/bgpd.frr.tmpl b/data/templates/frr/bgpd.frr.tmpl index c21e7f234..aa297876b 100644 --- a/data/templates/frr/bgpd.frr.tmpl +++ b/data/templates/frr/bgpd.frr.tmpl @@ -65,6 +65,9 @@ {% if config.shutdown is defined %} neighbor {{ neighbor }} shutdown {% endif %} +{% if config.solo is defined %} + neighbor {{ neighbor }} solo +{% endif %} {% if config.strict_capability_match is defined %} neighbor {{ neighbor }} strict-capability-match {% endif %} diff --git a/data/templates/frr/isis.frr.tmpl b/data/templates/frr/isisd.frr.tmpl index 1e651898b..6cfa076d0 100644 --- a/data/templates/frr/isis.frr.tmpl +++ b/data/templates/frr/isisd.frr.tmpl @@ -116,18 +116,33 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} {% endfor %} {% endfor %} {% endif %} -{% if redistribute is defined and redistribute.ipv4 is defined and redistribute.ipv4 is not none %} -{% for protocol in redistribute.ipv4 %} -{% for level, level_config in redistribute.ipv4[protocol].items() %} -{% if level_config.metric is defined and level_config.metric is not none %} +{% if redistribute is defined %} +{% if redistribute.ipv4 is defined and redistribute.ipv4 is not none %} +{% for protocol, protocol_options in redistribute.ipv4.items() %} +{% for level, level_config in protocol_options.items() %} +{% if level_config.metric is defined and level_config.metric is not none %} redistribute ipv4 {{ protocol }} {{ level | replace('_', '-') }} metric {{ level_config.metric }} -{% elif level_config.route_map is defined and level_config.route_map is not none %} +{% elif level_config.route_map is defined and level_config.route_map is not none %} redistribute ipv4 {{ protocol }} {{ level | replace('_', '-') }} route-map {{ level_config.route_map }} -{% else %} +{% else %} redistribute ipv4 {{ protocol }} {{ level | replace('_', '-') }} -{% endif %} +{% endif %} +{% endfor %} {% endfor %} -{% endfor %} +{% endif %} +{% if redistribute.ipv6 is defined and redistribute.ipv6 is not none %} +{% for protocol, protocol_options in redistribute.ipv6.items() %} +{% for level, level_config in protocol_options.items() %} +{% if level_config.metric is defined and level_config.metric is not none %} + redistribute ipv6 {{ protocol }} {{ level | replace('_', '-') }} metric {{ level_config.metric }} +{% elif level_config.route_map is defined and level_config.route_map is not none %} + redistribute ipv6 {{ protocol }} {{ level | replace('_', '-') }} route-map {{ level_config.route_map }} +{% else %} + redistribute ipv6 {{ protocol }} {{ level | replace('_', '-') }} +{% endif %} +{% endfor %} +{% endfor %} +{% endif %} {% endif %} {% if level is defined and level is not none %} {% if level == 'level-2' %} @@ -180,4 +195,4 @@ interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} {% endif %} {% endfor %} {% endif %} -! +!
\ No newline at end of file diff --git a/data/templates/https/nginx.default.tmpl b/data/templates/https/nginx.default.tmpl index 916764410..2f8aa06c2 100644 --- a/data/templates/https/nginx.default.tmpl +++ b/data/templates/https/nginx.default.tmpl @@ -17,7 +17,7 @@ server { listen {{ server.port }} ssl; listen [::]:{{ server.port }} ssl; {% else %} - listen {{ server.address }}:{{ server.port }} ssl; + listen {{ server.address | bracketize_ipv6 }}:{{ server.port }} ssl; {% endif %} {% for name in server.name %} @@ -30,7 +30,8 @@ server { include {{ server.certbot_dir }}/options-ssl-nginx.conf; ssl_dhparam {{ server.certbot_dir }}/ssl-dhparams.pem; {% elif server.vyos_cert %} - include {{ server.vyos_cert.conf }}; + ssl_certificate {{ server.vyos_cert.crt }}; + ssl_certificate_key {{ server.vyos_cert.key }}; {% else %} # # Self signed certs generated by the ssl-cert package @@ -40,7 +41,7 @@ server { {% endif %} # proxy settings for HTTP API, if enabled; 503, if not - location ~ /(retrieve|configure|config-file|image|generate|show|docs|openapi.json|redoc) { + location ~ /(retrieve|configure|config-file|image|generate|show|docs|openapi.json|redoc|graphql) { {% if server.api %} proxy_pass http://localhost:{{ server.api.port }}; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/data/templates/ipsec/charon/dhcp.conf.tmpl b/data/templates/ipsec/charon/dhcp.conf.tmpl index 2879550a8..92774b275 100644 --- a/data/templates/ipsec/charon/dhcp.conf.tmpl +++ b/data/templates/ipsec/charon/dhcp.conf.tmpl @@ -1,12 +1,11 @@ dhcp { load = yes - -{% if options is defined and options.remote_access is defined and options.remote_access.dhcp_pool is defined %} -{% if options.remote_access.dhcp_pool.interface is defined %} - interface = {{ options.remote_access.dhcp_pool.interface }} +{% if remote_access is defined and remote_access.dhcp is defined %} +{% if remote_access.dhcp.interface is defined %} + interface = {{ remote_access.dhcp.interface }} {% endif %} -{% if options.remote_access.dhcp_pool.server is defined %} - server = {{ options.remote_access.dhcp_pool.server }} +{% if remote_access.dhcp.server is defined %} + server = {{ remote_access.dhcp.server }} {% endif %} {% endif %} diff --git a/data/templates/ipsec/charon/eap-radius.conf.tmpl b/data/templates/ipsec/charon/eap-radius.conf.tmpl new file mode 100644 index 000000000..5ec35c988 --- /dev/null +++ b/data/templates/ipsec/charon/eap-radius.conf.tmpl @@ -0,0 +1,115 @@ +eap-radius { + # Send RADIUS accounting information to RADIUS servers. + # accounting = no + + # Close the IKE_SA if there is a timeout during interim RADIUS accounting + # updates. + # accounting_close_on_timeout = yes + + # Interval in seconds for interim RADIUS accounting updates, if not + # specified by the RADIUS server in the Access-Accept message. + # accounting_interval = 0 + + # If enabled, accounting is disabled unless an IKE_SA has at least one + # virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary. + # accounting_requires_vip = no + + # If enabled, adds the Class attributes received in Access-Accept message to + # the RADIUS accounting messages. + # accounting_send_class = no + + # Use class attributes in Access-Accept messages as group membership + # information. + # class_group = no + + # Closes all IKE_SAs if communication with the RADIUS server times out. If + # it is not set only the current IKE_SA is closed. + # close_all_on_timeout = no + + # Send EAP-Start instead of EAP-Identity to start RADIUS conversation. + # eap_start = no + + # Use filter_id attribute as group membership information. + # filter_id = no + + # Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the + # EAP method. + # id_prefix = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # NAS-Identifier to include in RADIUS messages. + nas_identifier = {{ remote_access.radius.nas_identifier if remote_access is defined and remote_access.radius is defined and remote_access.radius.nas_identifier is defined else 'strongSwan' }} + + # Port of RADIUS server (authentication). + # port = 1812 + + # Base to use for calculating exponential back off. + # retransmit_base = 1.4 + + # Timeout in seconds before sending first retransmit. + # retransmit_timeout = 2.0 + + # Number of times to retransmit a packet before giving up. + # retransmit_tries = 4 + + # Shared secret between RADIUS and NAS. If set, make sure to adjust the + # permissions of the config file accordingly. + # secret = + + # IP/Hostname of RADIUS server. + # server = + + # Number of sockets (ports) to use, increase for high load. + # sockets = 1 + + # Whether to include the UDP port in the Called- and Calling-Station-Id + # RADIUS attributes. + # station_id_with_port = yes + + dae { + # Enables support for the Dynamic Authorization Extension (RFC 5176). + # enable = no + + # Address to listen for DAE messages from the RADIUS server. + # listen = 0.0.0.0 + + # Port to listen for DAE requests. + # port = 3799 + + # Shared secret used to verify/sign DAE messages. If set, make sure to + # adjust the permissions of the config file accordingly. + # secret = + } + + forward { + # RADIUS attributes to be forwarded from IKEv2 to RADIUS. + # ike_to_radius = + + # Same as ike_to_radius but from RADIUS to IKEv2. + # radius_to_ike = + } + + # Section to specify multiple RADIUS servers. + servers { +{% if remote_access is defined and remote_access.radius is defined and remote_access.radius.server is defined %} +{% for server, server_options in remote_access.radius.server.items() if server_options.disable is not defined %} + {{ server | replace('.', '-') }} { + address = {{ server }} + secret = {{ server_options.key }} + auth_port = {{ server_options.port }} +{% if server_options.disable_accounting is not defined %} + acct_port = {{ server_options.port | int +1 }} +{% endif %} + sockets = 20 + } +{% endfor %} +{% endif %} + } + + # Section to configure multiple XAuth authentication rounds via RADIUS. + xauth { + } +} diff --git a/data/templates/ipsec/interfaces_use.conf.tmpl b/data/templates/ipsec/interfaces_use.conf.tmpl index 3d285b9be..a77102396 100644 --- a/data/templates/ipsec/interfaces_use.conf.tmpl +++ b/data/templates/ipsec/interfaces_use.conf.tmpl @@ -1,6 +1,5 @@ -{% if ipsec_interfaces is defined and 'interface' in ipsec_interfaces %} -{% set interfaces = ipsec_interfaces['interface'] %} +{% if interface is defined %} charon { - interfaces_use = {{ ', '.join(interfaces) if interfaces is not string else interfaces }} + interfaces_use = {{ ', '.join(interface) }} } {% endif %}
\ No newline at end of file diff --git a/data/templates/ipsec/ios_profile.tmpl b/data/templates/ipsec/ios_profile.tmpl new file mode 100644 index 000000000..af6c79d6e --- /dev/null +++ b/data/templates/ipsec/ios_profile.tmpl @@ -0,0 +1,104 @@ +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <!-- Set the name to whatever you like, it is used in the profile list on the device --> + <key>PayloadDisplayName</key> + <string>{{ profile_name }}</string> + <!-- This is a reverse-DNS style unique identifier used to detect duplicate profiles --> + <key>PayloadIdentifier</key> + <string>{{ rfqdn }}</string> + <!-- A globally unique identifier, use uuidgen on Linux/Mac OS X to generate it --> + <key>PayloadUUID</key> + <string>{{ '' | get_uuid }}</string> + <key>PayloadType</key> + <string>Configuration</string> + <key>PayloadVersion</key> + <integer>1</integer> + <key>PayloadContent</key> + <array> + <!-- It is possible to add multiple VPN payloads with different identifiers/UUIDs and names --> + <dict> + <!-- This is an extension of the identifier given above --> + <key>PayloadIdentifier</key> + <string>{{ rfqdn }}.conf1</string> + <!-- A globally unique identifier for this payload --> + <key>PayloadUUID</key> + <string>{{ '' | get_uuid }}</string> + <key>PayloadType</key> + <string>com.apple.vpn.managed</string> + <key>PayloadVersion</key> + <integer>1</integer> + <!-- This is the name of the VPN connection as seen in the VPN application later --> + <key>UserDefinedName</key> + <string>{{ vpn_name }}</string> + <key>VPNType</key> + <string>IKEv2</string> + <key>IKEv2</key> + <dict> + <!-- Hostname or IP address of the VPN server --> + <key>RemoteAddress</key> + <string>{{ remote }}</string> + <!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty. + IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN --> + <key>RemoteIdentifier</key> + <string>{{ authentication.id if authentication.id is defined else 'fooo' }}</string> + <!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used --> + <key>LocalIdentifier</key> + <string></string> + <!-- Optional, if it matches the CN of the root CA certificate (not the full subject DN) a certificate request will be sent + NOTE: If this is not configured make sure to configure leftsendcert=always on the server, otherwise it won't send its certificate --> + <key>ServerCertificateIssuerCommonName</key> + <string>{{ ca_cn }}</string> + <!-- Optional, the CN or one of the subjectAltNames of the server certificate to verify it, if not set RemoteIdentifier will be used --> + <key>ServerCertificateCommonName</key> + <string>{{ cert_cn }}</string> + <!-- The server is authenticated using a certificate --> + <key>AuthenticationMethod</key> + <string>Certificate</string> + <!-- The client uses EAP to authenticate --> + <key>ExtendedAuthEnabled</key> + <integer>1</integer> + <!-- The next two dictionaries are optional (as are the keys in them), but it is recommended to specify them as the default is to use 3DES. + IMPORTANT: Because only one proposal is sent (even if nothing is configured here) it must match the server configuration --> + <key>IKESecurityAssociationParameters</key> + <dict> + <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2encryptionalgorithm --> + <key>EncryptionAlgorithm</key> + <string>{{ ike_encryption.encryption }}</string> + <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2integrityalgorithm --> + <key>IntegrityAlgorithm</key> + <string>{{ ike_encryption.hash }}</string> + <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2diffiehellmangroup --> + <key>DiffieHellmanGroup</key> + <integer>{{ ike_encryption.dh_group }}</integer> + </dict> + <key>ChildSecurityAssociationParameters</key> + <dict> + <key>EncryptionAlgorithm</key> + <string>{{ esp_encryption.encryption }}</string> + <key>IntegrityAlgorithm</key> + <string>{{ esp_encryption.hash }}</string> + <key>DiffieHellmanGroup</key> + <integer>{{ ike_encryption.dh_group }}</integer> + </dict> + </dict> + </dict> + <!-- This payload is optional but it provides an easy way to install the CA certificate together with the configuration --> + <dict> + <key>PayloadIdentifier</key> + <string>org.example.ca</string> + <key>PayloadUUID</key> + <string>{{ '' | get_uuid }}</string> + <key>PayloadType</key> + <string>com.apple.security.root</string> + <key>PayloadVersion</key> + <integer>1</integer> + <!-- This is the Base64 (PEM) encoded CA certificate --> + <key>PayloadContent</key> + <data> + {{ ca_cert }} + </data> + </dict> + </array> +</dict> +</plist> diff --git a/data/templates/ipsec/ipsec.conf.tmpl b/data/templates/ipsec/ipsec.conf.tmpl index a9ea1aac7..1cb531e76 100644 --- a/data/templates/ipsec/ipsec.conf.tmpl +++ b/data/templates/ipsec/ipsec.conf.tmpl @@ -16,9 +16,3 @@ config setup {% if include_ipsec_conf is defined %} include {{ include_ipsec_conf }} {% endif %} - -{% if delim_ipsec_l2tp_begin is defined %} -{{delim_ipsec_l2tp_begin}} -include {{ipsec_ra_conn_file}} -{{delim_ipsec_l2tp_end}} -{% endif %} diff --git a/data/templates/ipsec/ipsec.secrets.tmpl b/data/templates/ipsec/ipsec.secrets.tmpl index 43b5fe0d2..057e291ed 100644 --- a/data/templates/ipsec/ipsec.secrets.tmpl +++ b/data/templates/ipsec/ipsec.secrets.tmpl @@ -3,13 +3,3 @@ {% if include_ipsec_secrets is defined %} include {{ include_ipsec_secrets }} {% endif %} - -{% if delim_ipsec_l2tp_begin is defined %} -{{delim_ipsec_l2tp_begin}} -{% if ipsec_l2tp_auth_mode == 'pre-shared-secret' %} -{{outside_addr}} %any : PSK "{{ipsec_l2tp_secret}}" -{% elif ipsec_l2tp_auth_mode == 'x509' %} -: RSA {{server_key_file_copied}} -{% endif %} -{{delim_ipsec_l2tp_end}} -{% endif %} diff --git a/data/templates/ipsec/remote-access.tmpl b/data/templates/ipsec/remote-access.tmpl deleted file mode 100644 index fae48232f..000000000 --- a/data/templates/ipsec/remote-access.tmpl +++ /dev/null @@ -1,28 +0,0 @@ -{{delim_ipsec_l2tp_begin}} -conn {{ra_conn_name}} - type=transport - left={{outside_addr}} - leftsubnet=%dynamic[/1701] - rightsubnet=%dynamic - mark_in=%unique - auto=add - ike=aes256-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024! - dpddelay=15 - dpdtimeout=45 - dpdaction=clear - esp=aes256-sha1,3des-sha1! - rekey=no -{% if ipsec_l2tp_auth_mode == 'pre-shared-secret' %} - authby=secret - leftauth=psk - rightauth=psk -{% elif ipsec_l2tp_auth_mode == 'x509' %} - authby=rsasig - leftrsasigkey=%cert - rightrsasigkey=%cert - rightca=%same - leftcert={{server_cert_file_copied}} -{% endif %} - ikelifetime={{ipsec_l2tp_ike_lifetime}} - keylife={{ipsec_l2tp_lifetime}} -{{delim_ipsec_l2tp_end}} diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl index a6ab73cc2..161f19f95 100644 --- a/data/templates/ipsec/swanctl.conf.tmpl +++ b/data/templates/ipsec/swanctl.conf.tmpl @@ -1,4 +1,5 @@ ### Autogenerated by vpn_ipsec.py ### +{% import 'ipsec/swanctl/l2tp.tmpl' as l2tp_tmpl %} {% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %} {% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %} {% import 'ipsec/swanctl/remote_access.tmpl' as remote_access_tmpl %} @@ -14,21 +15,28 @@ connections { {{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }} {% endfor %} {% endif %} -{% if remote_access is defined and remote_access is not none %} -{% for rw, rw_conf in remote_access.items() if rw_conf.disable is not defined %} +{% if remote_access is defined and remote_access.connection is defined and remote_access.connection is not none %} +{% for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not defined %} {{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }} {% endfor %} {% endif %} +{% if l2tp %} +{{ l2tp_tmpl.conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) }} +{% endif %} } pools { -{% if remote_access is defined %} -{% for ra, ra_conf in remote_access.items() if ra_conf.pool.dhcp_enable is not defined %} - ra-{{ ra }} { - addrs = {{ ra_conf.pool.prefix }} - dns = {{ ra_conf.pool.name_server | join(",") }} -{% if ra_conf.pool.exclude is defined %} - split_exclude = {{ ra_conf.pool.exclude | join(",") }} +{% if remote_access is defined and remote_access.pool is defined and remote_access.pool is not none %} +{% for pool, pool_config in remote_access.pool.items() %} + {{ pool }} { +{% if pool_config.prefix is defined and pool_config.prefix is not none %} + addrs = {{ pool_config.prefix }} +{% endif %} +{% if pool_config.name_server is defined and pool_config.name_server is not none %} + dns = {{ pool_config.name_server | join(',') }} +{% endif %} +{% if pool_config.exclude is defined and pool_config.exclude is not none %} + split_exclude = {{ pool_config.exclude | join(',') }} {% endif %} } {% endfor %} @@ -81,8 +89,8 @@ secrets { {% endif %} {% endfor %} {% endif %} -{% if remote_access is defined %} -{% for ra, ra_conf in remote_access.items() if remote_access is defined %} +{% if remote_access is defined and remote_access.connection is defined and remote_access.connection is not none %} +{% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not defined %} {% if ra_conf.authentication.server_mode == 'pre-shared-secret' %} ike_{{ ra }} { {% if ra_conf.authentication.id is defined %} @@ -103,5 +111,21 @@ secrets { {% endif %} {% endfor %} {% endif %} +{% if l2tp %} +{% if l2tp.authentication.mode == 'pre-shared-secret' %} + ike_l2tp_remote_access { + id = "{{ l2tp_outside_address }}" + secret = "{{ l2tp.authentication.pre_shared_secret }}" + } +{% elif l2tp.authentication.mode == 'x509' %} + private_l2tp_remote_access { + id = "{{ l2tp_outside_address }}" + file = {{ l2tp.authentication.x509.certificate }}.pem +{% if l2tp.authentication.x509.passphrase is defined %} + secret = "{{ l2tp.authentication.x509.passphrase }}" +{% endif %} + } +{% endif %} +{% endif %} } diff --git a/data/templates/ipsec/swanctl/l2tp.tmpl b/data/templates/ipsec/swanctl/l2tp.tmpl new file mode 100644 index 000000000..2df5c2a4d --- /dev/null +++ b/data/templates/ipsec/swanctl/l2tp.tmpl @@ -0,0 +1,30 @@ +{% macro conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) %} +{% set l2tp_ike = ike_group[l2tp.ike_group] if l2tp.ike_group is defined else None %} +{% set l2tp_esp = esp_group[l2tp.esp_group] if l2tp.esp_group is defined else None %} + l2tp_remote_access { + proposals = {{ l2tp_ike | get_esp_ike_cipher | join(',') if l2tp_ike else l2tp_ike_default }} + local_addrs = {{ l2tp_outside_address }} + dpd_delay = 15s + dpd_timeout = 45s + rekey_time = {{ l2tp_ike.lifetime if l2tp_ike else l2tp.ike_lifetime }}s + reauth_time = 0 + local { + auth = {{ 'psk' if l2tp.authentication.mode == 'pre-shared-secret' else 'pubkey' }} +{% if l2tp.authentication.mode == 'x509' %} + certs = {{ l2tp.authentication.x509.certificate }}.pem +{% endif %} + } + remote { + auth = {{ 'psk' if l2tp.authentication.mode == 'pre-shared-secret' else 'pubkey' }} + } + children { + l2tp_remote_access_esp { + mode = transport + esp_proposals = {{ l2tp_esp | get_esp_ike_cipher | join(',') if l2tp_esp else l2tp_esp_default }} + life_time = {{ l2tp_esp.lifetime if l2tp_esp else l2tp.lifetime }}s + local_ts = dynamic[/1701] + remote_ts = dynamic + } + } + } +{% endmacro %} diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl index 8e46e8892..dd29ea7d4 100644 --- a/data/templates/ipsec/swanctl/peer.tmpl +++ b/data/templates/ipsec/swanctl/peer.tmpl @@ -54,7 +54,7 @@ } children { {% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %} -{% set vti_esp = esp_group[peer_conf.vti.esp_group] if peer_conf.vti.esp_group is defined else None %} +{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is defined else esp_group[ peer_conf.default_esp_group ] %} peer_{{ name }}_vti { esp_proposals = {{ vti_esp | get_esp_ike_cipher | join(',') }} local_ts = 0.0.0.0/0,::/0 @@ -86,7 +86,7 @@ {% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %} {% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %} peer_{{ name }}_tunnel_{{ tunnel_id }} { - esp_proposals = {{ esp_group[peer_conf.default_esp_group] | get_esp_ike_cipher | join(',') }} + esp_proposals = {{ tunnel_esp | get_esp_ike_cipher | join(',') }} {% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %} {% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %} {% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %} diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl index 95f2108fb..456842488 100644 --- a/data/templates/ipsec/swanctl/remote_access.tmpl +++ b/data/templates/ipsec/swanctl/remote_access.tmpl @@ -10,10 +10,9 @@ send_certreq = no rekey_time = {{ ike.lifetime }}s keyingtries = 0 -{% if rw_conf.pool.dhcp_enable is defined %} - pools = dhcp -{% else %} - pools = ra-{{ name }} + unique = {{ rw_conf.unique }} +{% if rw_conf.pool is defined and rw_conf.pool is not none %} + pools = {{ rw_conf.pool | join(',') }} {% endif %} local { {% if rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %} @@ -34,7 +33,7 @@ } children { ikev2-vpn { - esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }} + esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }} rekey_time = {{ esp.lifetime }}s rand_time = 540s dpd_action = clear diff --git a/data/templates/ipsec/windows_profile.tmpl b/data/templates/ipsec/windows_profile.tmpl new file mode 100644 index 000000000..8c26944be --- /dev/null +++ b/data/templates/ipsec/windows_profile.tmpl @@ -0,0 +1,4 @@ +Remove-VpnConnection -Name "{{ vpn_name }}" -Force -PassThru + +Add-VpnConnection -Name "{{ vpn_name }}" -ServerAddress "{{ remote }}" -TunnelType "Ikev2" +Set-VpnConnectionIPsecConfiguration -ConnectionName "{{ vpn_name }}" -AuthenticationTransformConstants {{ ike_encryption.encryption }} -CipherTransformConstants {{ ike_encryption.encryption }} -EncryptionMethod {{ esp_encryption.encryption }} -IntegrityCheckMethod {{ esp_encryption.hash }} -PfsGroup None -DHGroup "Group{{ ike_encryption.dh_group }}" -PassThru -Force diff --git a/data/templates/ocserv/ocserv_config.tmpl b/data/templates/ocserv/ocserv_config.tmpl index 328af0c0d..0be805235 100644 --- a/data/templates/ocserv/ocserv_config.tmpl +++ b/data/templates/ocserv/ocserv_config.tmpl @@ -12,16 +12,16 @@ auth = "radius [config=/run/ocserv/radiusclient.conf]" auth = "plain[/run/ocserv/ocpasswd]" {% endif %} -{% if ssl.cert_file %} -server-cert = {{ ssl.cert_file }} +{% if ssl.certificate is defined %} +server-cert = /run/ocserv/cert.pem +server-key = /run/ocserv/cert.key +{% if ssl.passphrase is defined %} +key-pin = {{ ssl.passphrase }} {% endif %} - -{% if ssl.key_file %} -server-key = {{ ssl.key_file }} {% endif %} -{% if ssl.ca_cert_file %} -ca-cert = {{ ssl.ca_cert_file }} +{% if ssl.ca_certificate is defined %} +ca-cert = /run/ocserv/ca.pem {% endif %} socket-file = /run/ocserv/ocserv.socket diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl index c5d665c0b..d9f01310e 100644 --- a/data/templates/openvpn/server.conf.tmpl +++ b/data/templates/openvpn/server.conf.tmpl @@ -36,8 +36,8 @@ rport {{ remote_port }} remote {{ remote }} {% endfor %} {% endif %} -{% if shared_secret_key_file is defined and shared_secret_key_file is not none %} -secret {{ shared_secret_key_file }} +{% if shared_secret_key is defined and shared_secret_key is not none %} +secret /run/openvpn/{{ ifname }}_shared.key {% endif %} {% if persistent_tunnel is defined %} persist-tun @@ -157,32 +157,32 @@ ifconfig-ipv6 {{ laddr }} {{ raddr }} {% if tls is defined and tls is not none %} # TLS options -{% if tls.ca_cert_file is defined and tls.ca_cert_file is not none %} -ca {{ tls.ca_cert_file }} +{% if tls.ca_certificate is defined and tls.ca_certificate is not none %} +ca /run/openvpn/{{ ifname }}_ca.pem {% endif %} -{% if tls.cert_file is defined and tls.cert_file is not none %} -cert {{ tls.cert_file }} +{% if tls.certificate is defined and tls.certificate is not none %} +cert /run/openvpn/{{ ifname }}_cert.pem {% endif %} -{% if tls.key_file is defined and tls.key_file is not none %} -key {{ tls.key_file }} +{% if tls.private_key is defined %} +key /run/openvpn/{{ ifname }}_cert.key {% endif %} -{% if tls.crypt_file is defined and tls.crypt_file is not none %} -tls-crypt {{ tls.crypt_file }} +{% if tls.crypt_key is defined and tls.crypt_key is not none %} +tls-crypt /run/openvpn/{{ ifname }}_crypt.key {% endif %} -{% if tls.crl_file is defined and tls.crl_file is not none %} -crl-verify {{ tls.crl_file }} +{% if tls.crl is defined %} +crl-verify /run/openvpn/{{ ifname }}_crl.pem {% endif %} {% if tls.tls_version_min is defined and tls.tls_version_min is not none %} tls-version-min {{ tls.tls_version_min }} {% endif %} -{% if tls.dh_file is defined and tls.dh_file is not none %} -dh {{ tls.dh_file }} +{% if tls.dh_params is defined and tls.dh_params is not none %} +dh /run/openvpn/{{ ifname }}_dh.pem {% endif %} -{% if tls.auth_file is defined and tls.auth_file is not none %} +{% if tls.auth_key is defined and tls.auth_key is not none %} {% if mode == 'client' %} -tls-auth {{ tls.auth_file }} 1 +tls-auth /run/openvpn/{{ ifname }}_auth.key 1 {% elif mode == 'server' %} -tls-auth {{ tls.auth_file }} 0 +tls-auth /run/openvpn/{{ ifname }}_auth.key 0 {% endif %} {% endif %} {% if tls.role is defined and tls.role is not none %} @@ -197,56 +197,15 @@ tls-server # Encryption options {% if encryption is defined and encryption is not none %} {% if encryption.cipher is defined and encryption.cipher is not none %} -{% if encryption.cipher == 'none' %} -cipher none -{% elif encryption.cipher == 'des' %} -cipher des-cbc -{% elif encryption.cipher == '3des' %} -cipher des-ede3-cbc -{% elif encryption.cipher == 'bf128' %} -cipher bf-cbc +cipher {{ encryption.cipher | openvpn_cipher }} +{% if encryption.cipher == 'bf128' %} keysize 128 {% elif encryption.cipher == 'bf256' %} -cipher bf-cbc -keysize 25 -{% elif encryption.cipher == 'aes128gcm' %} -cipher aes-128-gcm -{% elif encryption.cipher == 'aes128' %} -cipher aes-128-cbc -{% elif encryption.cipher == 'aes192gcm' %} -cipher aes-192-gcm -{% elif encryption.cipher == 'aes192' %} -cipher aes-192-cbc -{% elif encryption.cipher == 'aes256gcm' %} -cipher aes-256-gcm -{% elif encryption.cipher == 'aes256' %} -cipher aes-256-cbc +keysize 256 {% endif %} {% endif %} {% if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %} -{% set cipher_list = [] %} -{% for cipher in encryption.ncp_ciphers %} -{% if cipher == 'none' %} -{% set cipher_list = cipher_list.append('none') %} -{% elif cipher == 'des' %} -{% set cipher_list = cipher_list.append('des-cbc') %} -{% elif cipher == '3des' %} -{% set cipher_list = cipher_list.append('des-ede3-cbc') %} -{% elif cipher == 'aes128' %} -{% set cipher_list = cipher_list.append('aes-128-cbc') %} -{% elif cipher == 'aes128gcm' %} -{% set cipher_list = cipher_list.append('aes-128-gcm') %} -{% elif cipher == 'aes192' %} -{% set cipher_list = cipher_list.append('aes-192-cbc') %} -{% elif cipher == 'aes192gcm' %} -{% set cipher_list = cipher_list.append('aes-192-gcm') %} -{% elif cipher == 'aes256' %} -{% set cipher_list = cipher_list.append('aes-256-cbc') %} -{% elif cipher == 'aes256gcm' %} -{% set cipher_list = cipher_list.append('aes-256-gcm') %} -{% endif %} -{% endfor %} -ncp-ciphers {{ cipher_list | join(':') }}:{{ cipher_list | join(':') | upper }} +data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }} {% endif %} {% endif %} diff --git a/data/templates/router-advert/radvd.conf.tmpl b/data/templates/router-advert/radvd.conf.tmpl index 9cc237512..88d066491 100644 --- a/data/templates/router-advert/radvd.conf.tmpl +++ b/data/templates/router-advert/radvd.conf.tmpl @@ -1,58 +1,64 @@ ### Autogenerated by service_router-advert.py ### {% if interface is defined and interface is not none %} -{% for iface in interface %} +{% for iface, iface_config in interface.items() %} interface {{ iface }} { IgnoreIfMissing on; -{% if interface[iface].default_preference is defined and interface[iface].default_preference is not none %} - AdvDefaultPreference {{ interface[iface].default_preference }}; +{% if iface_config.default_preference is defined and iface_config.default_preference is not none %} + AdvDefaultPreference {{ iface_config.default_preference }}; {% endif %} -{% if interface[iface].managed_flag is defined and interface[iface].managed_flag is not none %} - AdvManagedFlag {{ 'on' if interface[iface].managed_flag is defined else 'off' }}; +{% if iface_config.managed_flag is defined and iface_config.managed_flag is not none %} + AdvManagedFlag {{ 'on' if iface_config.managed_flag is defined else 'off' }}; {% endif %} -{% if interface[iface].interval.max is defined and interface[iface].interval.max is not none %} - MaxRtrAdvInterval {{ interface[iface].interval.max }}; +{% if iface_config.interval.max is defined and iface_config.interval.max is not none %} + MaxRtrAdvInterval {{ iface_config.interval.max }}; {% endif %} -{% if interface[iface].interval.min is defined and interface[iface].interval.min is not none %} - MinRtrAdvInterval {{ interface[iface].interval.min }}; +{% if iface_config.interval.min is defined and iface_config.interval.min is not none %} + MinRtrAdvInterval {{ iface_config.interval.min }}; {% endif %} -{% if interface[iface].reachable_time is defined and interface[iface].reachable_time is not none %} - AdvReachableTime {{ interface[iface].reachable_time }}; +{% if iface_config.reachable_time is defined and iface_config.reachable_time is not none %} + AdvReachableTime {{ iface_config.reachable_time }}; {% endif %} - AdvIntervalOpt {{ 'off' if interface[iface].no_send_advert is defined else 'on' }}; - AdvSendAdvert {{ 'off' if interface[iface].no_send_advert is defined else 'on' }}; -{% if interface[iface].default_lifetime is defined %} - AdvDefaultLifetime {{ interface[iface].default_lifetime }}; -{% endif %} -{% if interface[iface].link_mtu is defined %} - AdvLinkMTU {{ interface[iface].link_mtu }}; -{% endif %} - AdvOtherConfigFlag {{ 'on' if interface[iface].other_config_flag is defined else 'off' }}; - AdvRetransTimer {{ interface[iface].retrans_timer }}; - AdvCurHopLimit {{ interface[iface].hop_limit }}; -{% if interface[iface].route is defined %} -{% for route in interface[iface].route %} + AdvIntervalOpt {{ 'off' if iface_config.no_send_advert is defined else 'on' }}; + AdvSendAdvert {{ 'off' if iface_config.no_send_advert is defined else 'on' }}; +{% if iface_config.default_lifetime is defined %} + AdvDefaultLifetime {{ iface_config.default_lifetime }}; +{% endif %} +{% if iface_config.link_mtu is defined %} + AdvLinkMTU {{ iface_config.link_mtu }}; +{% endif %} + AdvOtherConfigFlag {{ 'on' if iface_config.other_config_flag is defined else 'off' }}; + AdvRetransTimer {{ iface_config.retrans_timer }}; + AdvCurHopLimit {{ iface_config.hop_limit }}; +{% if iface_config.route is defined %} +{% for route, route_options in iface_config.route.items() %} route {{ route }} { -{% if interface[iface].route[route].valid_lifetime is defined %} - AdvRouteLifetime {{ interface[iface].route[route].valid_lifetime }}; +{% if route_options.valid_lifetime is defined %} + AdvRouteLifetime {{ route_options.valid_lifetime }}; {% endif %} -{% if interface[iface].route[route].route_preference is defined %} - AdvRoutePreference {{ interface[iface].route[route].route_preference }}; +{% if route_options.route_preference is defined %} + AdvRoutePreference {{ route_options.route_preference }}; {% endif %} - RemoveRoute {{ 'off' if interface[iface].route[route].no_remove_route is defined else 'on' }}; + RemoveRoute {{ 'off' if route_options.no_remove_route is defined else 'on' }}; }; {% endfor %} {% endif %} -{% for prefix in interface[iface].prefix %} +{% if iface_config.prefix is defined and iface_config.prefix is not none %} +{% for prefix, prefix_options in iface_config.prefix.items() %} prefix {{ prefix }} { - AdvAutonomous {{ 'off' if interface[iface].prefix[prefix].no_autonomous_flag is defined else 'on' }}; - AdvValidLifetime {{ interface[iface].prefix[prefix].valid_lifetime }}; - AdvOnLink {{ 'off' if interface[iface].prefix[prefix].no_on_link_flag is defined else 'on' }}; - AdvPreferredLifetime {{ interface[iface].prefix[prefix].preferred_lifetime }}; + AdvAutonomous {{ 'off' if prefix_options.no_autonomous_flag is defined else 'on' }}; + AdvValidLifetime {{ prefix_options.valid_lifetime }}; + AdvOnLink {{ 'off' if prefix_options.no_on_link_flag is defined else 'on' }}; + AdvPreferredLifetime {{ prefix_options.preferred_lifetime }}; + }; +{% endfor %} +{% endif %} +{% if iface_config.name_server is defined %} + RDNSS {{ iface_config.name_server | join(" ") }} { }; -{% endfor %} -{% if interface[iface].name_server is defined %} - RDNSS {{ interface[iface].name_server | join(" ") }} { +{% endif %} +{% if iface_config.dnssl is defined %} + DNSSL {{ iface_config.dnssl | join(" ") }} { }; {% endif %} }; diff --git a/data/templates/snmp/override.conf.tmpl b/data/templates/snmp/override.conf.tmpl index 90c294ed0..2ac45a89f 100644 --- a/data/templates/snmp/override.conf.tmpl +++ b/data/templates/snmp/override.conf.tmpl @@ -1,4 +1,5 @@ {% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +{% set oid_route_table = ' ' if route_table is sameas true else '-I -ipCidrRouteTable,inetCidrRouteTable' %} [Unit] StartLimitIntervalSec=0 After=vyos-router.service @@ -7,7 +8,7 @@ After=vyos-router.service Environment= Environment="MIBDIRS=/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf:/usr/share/vyos/mibs" ExecStart= -ExecStart={{vrf_command}}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -ipCidrRouteTable,inetCidrRouteTable -f -p /run/snmpd.pid +ExecStart={{vrf_command}}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp {{oid_route_table}} -f -p /run/snmpd.pid Restart=always RestartSec=10 |