summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
Diffstat (limited to 'data')
-rw-r--r--data/templates/accel-ppp/pppoe.config.j217
-rw-r--r--data/templates/firewall/nftables-defines.j25
-rw-r--r--data/templates/ipsec/swanctl.conf.j212
-rw-r--r--data/templates/ipsec/swanctl/peer.j224
-rw-r--r--data/templates/ocserv/ocserv_config.j220
5 files changed, 48 insertions, 30 deletions
diff --git a/data/templates/accel-ppp/pppoe.config.j2 b/data/templates/accel-ppp/pppoe.config.j2
index 0a92e2d54..f4129d3e2 100644
--- a/data/templates/accel-ppp/pppoe.config.j2
+++ b/data/templates/accel-ppp/pppoe.config.j2
@@ -105,20 +105,13 @@ ac-name={{ access_concentrator }}
{% if interface is vyos_defined %}
{% for iface, iface_config in interface.items() %}
-{% if iface_config.vlan_id is not vyos_defined and iface_config.vlan_range is not vyos_defined %}
+{% if iface_config.vlan is not vyos_defined %}
interface={{ iface }}
-{% endif %}
-{% if iface_config.vlan_range is vyos_defined %}
-{% for regex in iface_config.regex %}
-interface=re:^{{ iface | replace('.', '\\.') }}\.({{ regex }})$
-{% endfor %}
-vlan-mon={{ iface }},{{ iface_config.vlan_range | join(',') }}
-{% endif %}
-{% if iface_config.vlan_id is vyos_defined %}
-{% for vlan in iface_config.vlan_id %}
-vlan-mon={{ iface }},{{ vlan }}
-interface=re:^{{ iface | replace('.', '\\.') }}\.{{ vlan }}$
+{% else %}
+{% for vlan in iface_config.vlan %}
+interface=re:^{{ iface }}\.{{ vlan | range_to_regex }}$
{% endfor %}
+vlan-mon={{ iface }},{{ iface_config.vlan | join(',') }}
{% endif %}
{% endfor %}
{% endif %}
diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2
index 97fc123d5..5336f7ee6 100644
--- a/data/templates/firewall/nftables-defines.j2
+++ b/data/templates/firewall/nftables-defines.j2
@@ -7,6 +7,7 @@
set A_{{ group_name }} {
type {{ ip_type }}
flags interval
+ auto-merge
{% if group_conf.address is vyos_defined or includes %}
elements = { {{ group_conf.address | nft_nested_group(includes, group.address_group, 'address') | join(",") }} }
{% endif %}
@@ -19,6 +20,7 @@
set A6_{{ group_name }} {
type {{ ip_type }}
flags interval
+ auto-merge
{% if group_conf.address is vyos_defined or includes %}
elements = { {{ group_conf.address | nft_nested_group(includes, group.ipv6_address_group, 'address') | join(",") }} }
{% endif %}
@@ -42,6 +44,7 @@
set N_{{ group_name }} {
type {{ ip_type }}
flags interval
+ auto-merge
{% if group_conf.network is vyos_defined or includes %}
elements = { {{ group_conf.network | nft_nested_group(includes, group.network_group, 'network') | join(",") }} }
{% endif %}
@@ -54,6 +57,7 @@
set N6_{{ group_name }} {
type {{ ip_type }}
flags interval
+ auto-merge
{% if group_conf.network is vyos_defined or includes %}
elements = { {{ group_conf.network | nft_nested_group(includes, group.ipv6_network_group, 'network') | join(",") }} }
{% endif %}
@@ -66,6 +70,7 @@
set P_{{ group_name }} {
type inet_service
flags interval
+ auto-merge
{% if group_conf.port is vyos_defined or includes %}
elements = { {{ group_conf.port | nft_nested_group(includes, group.port_group, 'port') | join(",") }} }
{% endif %}
diff --git a/data/templates/ipsec/swanctl.conf.j2 b/data/templates/ipsec/swanctl.conf.j2
index bf6b8259c..38d7981c6 100644
--- a/data/templates/ipsec/swanctl.conf.j2
+++ b/data/templates/ipsec/swanctl.conf.j2
@@ -63,9 +63,11 @@ secrets {
{% if peer_conf.local_address is vyos_defined %}
id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
{% endif %}
- id-remote = {{ peer }}
-{% if peer_conf.authentication.id is vyos_defined %}
- id-localid = {{ peer_conf.authentication.id }}
+{% for address in peer_conf.remote_address %}
+ id-remote_{{ address | dot_colon_to_dash }} = {{ address }}
+{% endfor %}
+{% if peer_conf.authentication.local_id is vyos_defined %}
+ id-localid = {{ peer_conf.authentication.local_id }}
{% endif %}
{% if peer_conf.authentication.remote_id is vyos_defined %}
id-remoteid = {{ peer_conf.authentication.remote_id }}
@@ -93,8 +95,8 @@ secrets {
{% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %}
{% if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %}
ike_{{ ra }} {
-{% if ra_conf.authentication.id is vyos_defined %}
- id = "{{ ra_conf.authentication.id }}"
+{% if ra_conf.authentication.local_id is vyos_defined %}
+ id = "{{ ra_conf.authentication.local_id }}"
{% elif ra_conf.local_address is vyos_defined %}
id = "{{ ra_conf.local_address }}"
{% endif %}
diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2
index 90d2c774f..d097a04fc 100644
--- a/data/templates/ipsec/swanctl/peer.j2
+++ b/data/templates/ipsec/swanctl/peer.j2
@@ -2,14 +2,14 @@
{% set name = peer.replace("@", "") | dot_colon_to_dash %}
{# peer needs to reference the global IKE configuration for certain values #}
{% set ike = ike_group[peer_conf.ike_group] %}
- peer_{{ name }} {
+ {{ name }} {
proposals = {{ ike | get_esp_ike_cipher | join(',') }}
version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }}
{% if peer_conf.virtual_address is vyos_defined %}
vips = {{ peer_conf.virtual_address | join(', ') }}
{% endif %}
- local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
- remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }}
+ local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '%any' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
+ remote_addrs = {{ peer_conf.remote_address | join(",") if peer_conf.remote_address is vyos_defined and 'any' not in peer_conf.remote_address else '%any' }}
{% if peer_conf.authentication.mode is vyos_defined('x509') %}
send_cert = always
{% endif %}
@@ -21,7 +21,7 @@
aggressive = yes
{% endif %}
rekey_time = {{ ike.lifetime }}s
- mobike = {{ "yes" if ike.mobike is not defined or ike.mobike == "enable" else "no" }}
+ mobike = {{ "no" if ike.disable_mobike is defined else "yes" }}
{% if peer[0:1] == '@' %}
keyingtries = 0
reauth_time = 0
@@ -30,12 +30,12 @@
{% elif peer_conf.connection_type is vyos_defined('respond') %}
keyingtries = 1
{% endif %}
-{% if peer_conf.force_encapsulation is vyos_defined('enable') %}
+{% if peer_conf.force_udp_encapsulation is vyos_defined %}
encap = yes
{% endif %}
local {
-{% if peer_conf.authentication.id is vyos_defined %}
- id = "{{ peer_conf.authentication.id }}"
+{% if peer_conf.authentication.local_id is vyos_defined %}
+ id = "{{ peer_conf.authentication.local_id }}"
{% endif %}
auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
{% if peer_conf.authentication.mode == 'x509' %}
@@ -58,7 +58,7 @@
children {
{% if peer_conf.vti.bind is vyos_defined and peer_conf.tunnel is not vyos_defined %}
{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is vyos_defined else esp_group[ peer_conf.default_esp_group ] %}
- peer_{{ name }}_vti {
+ {{ name }}-vti {
esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }}
{% if vti_esp.life_bytes is vyos_defined %}
life_bytes = {{ vti_esp.life_bytes }}
@@ -75,7 +75,7 @@
{% set if_id = peer_conf.vti.bind | replace('vti', '') | int + 1 %}
if_id_in = {{ if_id }}
if_id_out = {{ if_id }}
- ipcomp = {{ 'yes' if vti_esp.compression is vyos_defined('enable') else 'no' }}
+ ipcomp = {{ 'yes' if vti_esp.compression is vyos_defined else 'no' }}
mode = {{ vti_esp.mode }}
{% if peer[0:1] == '@' %}
start_action = none
@@ -101,7 +101,7 @@
{% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %}
{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote.port is vyos_defined else '' %}
{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %}
- peer_{{ name }}_tunnel_{{ tunnel_id }} {
+ {{ name }}-tunnel-{{ tunnel_id }} {
esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }}
{% if tunnel_esp.life_bytes is vyos_defined %}
life_bytes = {{ tunnel_esp.life_bytes }}
@@ -126,7 +126,7 @@
local_ts = {{ peer_conf.local_address }}{{ local_suffix }}
remote_ts = {{ peer }}{{ remote_suffix }}
{% endif %}
- ipcomp = {{ 'yes' if tunnel_esp.compression is vyos_defined('enable') else 'no' }}
+ ipcomp = {{ 'yes' if tunnel_esp.compression is vyos_defined else 'no' }}
mode = {{ tunnel_esp.mode }}
{% if peer[0:1] == '@' %}
start_action = none
@@ -152,7 +152,7 @@
{% endif %}
}
{% if tunnel_conf.passthrough is vyos_defined %}
- peer_{{ name }}_tunnel_{{ tunnel_id }}_passthrough {
+ {{ name }}-tunnel-{{ tunnel_id }}-passthrough {
local_ts = {{ tunnel_conf.passthrough | join(",") }}
remote_ts = {{ tunnel_conf.passthrough | join(",") }}
start_action = trap
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index e0cad5181..3194354e6 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -1,5 +1,9 @@
### generated by vpn_openconnect.py ###
+{% if listen_address is vyos_defined %}
+listen-host = {{ listen_address }}
+{% endif %}
+
tcp-port = {{ listen_ports.tcp }}
udp-port = {{ listen_ports.udp }}
@@ -7,7 +11,7 @@ run-as-user = nobody
run-as-group = daemon
{% if "radius" in authentication.mode %}
-auth = "radius [config=/run/ocserv/radiusclient.conf]"
+auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]"
{% elif "local" in authentication.mode %}
{% if authentication.mode.local == "password-otp" %}
auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"
@@ -62,6 +66,13 @@ device = sslvpn
dns = {{ dns }}
{% endfor %}
{% endif %}
+{% if network_settings.tunnel_all_dns is vyos_defined %}
+{% if "yes" in network_settings.tunnel_all_dns %}
+tunnel-all-dns = true
+{% else %}
+tunnel-all-dns = false
+{% endif %}
+{% endif %}
# IPv4 network pool
{% if network_settings.client_ip_settings.subnet is vyos_defined %}
@@ -85,3 +96,10 @@ route = {{ route }}
split-dns = {{ tmp }}
{% endfor %}
{% endif %}
+
+{% if authentication.group is vyos_defined %}
+# Group settings
+{% for grp in authentication.group %}
+select-group = {{ grp }}
+{% endfor %}
+{% endif %} \ No newline at end of file