diff options
Diffstat (limited to 'data')
| -rw-r--r-- | data/templates/frr/bgp.frr.tmpl | 175 | ||||
| -rw-r--r-- | data/templates/https/nginx.default.tmpl | 2 | ||||
| -rw-r--r-- | data/templates/openvpn/client.conf.tmpl | 48 | ||||
| -rw-r--r-- | data/templates/openvpn/server.conf.tmpl | 357 |
4 files changed, 307 insertions, 275 deletions
diff --git a/data/templates/frr/bgp.frr.tmpl b/data/templates/frr/bgp.frr.tmpl index 02bac3bf7..d0857ac2c 100644 --- a/data/templates/frr/bgp.frr.tmpl +++ b/data/templates/frr/bgp.frr.tmpl @@ -14,10 +14,9 @@ router bgp {{ asn }} {%- if type == "ipv4_unicast" %} ! address-family ipv4 unicast -{#- need to check #} {%- if 'aggregate_address' in bgp_afi[type] %} {%- for ip in bgp_afi[type].aggregate_address %} -{%- if ( ('as_set' and 'summary_only') in bgp_afi[type].aggregate_address[ip] ) %} +{%- if ( ('as_set' in bgp_afi[type].aggregate_address[ip]) and ('summary_only' in bgp_afi[type].aggregate_address[ip] ) ) %} aggregate-address {{ ip }} as-set summary-only {%- elif 'as_set' in bgp_afi[type].aggregate_address[ip] %} aggregate-address {{ ip }} as-set @@ -28,23 +27,20 @@ router bgp {{ asn }} {%- endif %} {%- endfor %} {%- endif %} -{# END aggregate address#} -{#- redistribute #} -{# need to check. dont work. - 'metric' and 'route_map' match also only 'route_map' - 'table' parameter also include in protocol, its not what I want #} +{#- END aggregate address ipv4 #} + +{#- redistribute afi ipv4 #} {%- if 'redistribute' in bgp_afi[type] %} -{%- if 'table' in bgp_afi[type].redistribute %} - redistribute table {{bgp_afi[type].redistribute.table}} -{%- endif %} {%- for protocol in bgp_afi[type].redistribute %} -{%- if ( ('metric' and 'route_map') in bgp_afi[type].redistribute[protocol] ) %} +{%- if ( ('route_map' in bgp_afi[type].redistribute[protocol]) and ('metric' in bgp_afi[type].redistribute[protocol] ) ) %} redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}} route-map {{bgp_afi[type].redistribute[protocol].route_map}} {%- elif 'metric' in bgp_afi[type].redistribute[protocol] %} - redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}} + redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}} {%- elif 'route_map' in bgp_afi[type].redistribute[protocol] %} redistribute {{protocol}} route-map {{bgp_afi[type].redistribute[protocol].route_map}} -{%- else %} +{%- elif 'table' in bgp_afi[type].redistribute %} + redistribute table {{bgp_afi[type].redistribute.table}} +{%- else %} redistribute {{protocol}} {%- endif %} {%- endfor %} @@ -65,7 +61,7 @@ router bgp {{ asn }} address-family ipv6 unicast {%- if 'aggregate_address' in bgp_afi[type] %} {%- for ip in bgp_afi[type].aggregate_address %} -{%- if ( ('as_set' and 'summary_only') in bgp_afi[type].aggregate_address[ip] ) %} +{%- if ( ('as_set' in bgp_afi[type].aggregate_address[ip]) and ('summary_only' in bgp_afi[type].aggregate_address[ip] ) ) %} aggregate-address {{ ip }} as-set summary-only {%- elif 'as_set' in bgp_afi[type].aggregate_address[ip] %} aggregate-address {{ ip }} as-set @@ -76,22 +72,20 @@ router bgp {{ asn }} {%- endif %} {%- endfor %} {%- endif %} -{# END aggregate address#} +{#- END aggregate address ipv6 #} -{#- redistribute #} -{# need to check. doesn't work. 'metric' and 'route_map' match also only 'route_map' #} +{#- redistribute afi ipv6 #} {%- if 'redistribute' in bgp_afi[type] %} -{%- if 'table' in bgp_afi[type].redistribute %} - redistribute table {{bgp_afi[type].redistribute.table}} -{%- endif %} {%- for protocol in bgp_afi[type].redistribute %} -{%- if ( ('metric' and 'route_map') in bgp_afi[type].redistribute[protocol] ) %} +{%- if ( ('route_map' in bgp_afi[type].redistribute[protocol]) and ('metric' in bgp_afi[type].redistribute[protocol] ) ) %} redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}} route-map {{bgp_afi[type].redistribute[protocol].route_map}} {%- elif 'metric' in bgp_afi[type].redistribute[protocol] %} - redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}} + redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}} {%- elif 'route_map' in bgp_afi[type].redistribute[protocol] %} redistribute {{protocol}} route-map {{bgp_afi[type].redistribute[protocol].route_map}} -{%- else %} +{%- elif 'table' in bgp_afi[type].redistribute %} + redistribute table {{bgp_afi[type].redistribute.table}} +{%- else %} redistribute {{protocol}} {%- endif %} {%- endfor %} @@ -206,7 +200,7 @@ router bgp {{ asn }} neighbor {{ pr_group }} update-source {{ conf_peer_group.update_source }} {%- endif %} -{# START peer-group afi; set protocols bgp xxx peer-group FOO address-family #} +{#- START peer-group afi; set protocols bgp xxx peer-group FOO address-family #} {%- if 'address_family' in conf_peer_group %} {%- for afi in conf_peer_group.address_family %} {%- if afi == "ipv4_unicast" %} @@ -236,10 +230,19 @@ router bgp {{ asn }} {%- endif %} {#- END single params for peer-group #} -{#- Checks need to be done as-path|med|next-hop #} {%- if 'attribute_unchanged' in conf_peer_group.address_family.ipv4_unicast %} -{%- if 'as_path' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged %} +{%- if ( ('as_path' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) and ('med' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) ) %} + neighbor {{ pr_group }} attribute-unchanged as-path med +{%- elif ( ('as_path' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) and ('next_hop' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) ) %} + neighbor {{ pr_group }} attribute-unchanged as-path next-hop +{%- elif ( ('med' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) and ('next_hop' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) ) %} + neighbor {{ pr_group }} attribute-unchanged med next-hop +{%- elif 'as_path' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged %} neighbor {{ pr_group }} attribute-unchanged as-path +{%- elif 'med' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged %} + neighbor {{ pr_group }} attribute-unchanged med +{%- elif 'next_hop' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged %} + neighbor {{ pr_group }} attribute-unchanged next-hop {%- else %} neighbor {{ pr_group }} attribute-unchanged as-path next-hop med {%- endif %} @@ -247,11 +250,13 @@ router bgp {{ asn }} {#- END attribute-unchanged #} {%- if 'capability' in conf_peer_group.address_family.ipv4_unicast %} -{%- if 'receive' in conf_peer_group.address_family.ipv4_unicast.capability.orf.prefix_list %} +{%- if 'orf' in conf_peer_group.address_family.ipv4_unicast.capability %} +{%- if 'receive' in conf_peer_group.address_family.ipv4_unicast.capability.orf.prefix_list %} neighbor {{ pr_group }} capability orf prefix-list receive -{%- endif %} -{%- if 'send' in conf_peer_group.address_family.ipv4_unicast.capability.orf.prefix_list %} +{%- endif %} +{%- if 'send' in conf_peer_group.address_family.ipv4_unicast.capability.orf.prefix_list %} neighbor {{ pr_group }} capability orf prefix-list send +{%- endif %} {%- endif %} {%- endif %} @@ -322,7 +327,6 @@ router bgp {{ asn }} {%- endif %} {%- endif %} -{#- Need to check. https://phabricator.vyos.net/T2387#73900 #} {%- if 'unsuppress_map' in conf_peer_group.address_family.ipv4_unicast %} neighbor {{ pr_group }} unsuppress-map {{conf_peer_group.address_family.ipv4_unicast.unsuppress_map}} {%- endif %} @@ -357,21 +361,39 @@ router bgp {{ asn }} {%- endif %} {#- END single params for peer-group afi6 #} -{#- Checks need to be done as-path|med|next-hop #} {%- if 'attribute_unchanged' in conf_peer_group.address_family.ipv6_unicast %} -{%- if 'as_path' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged %} +{%- if ( ('as_path' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) and ('med' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) ) %} + neighbor {{ pr_group }} attribute-unchanged as-path med +{%- elif ( ('as_path' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) and ('next_hop' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) ) %} + neighbor {{ pr_group }} attribute-unchanged as-path next-hop +{%- elif ( ('med' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) and ('next_hop' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) ) %} + neighbor {{ pr_group }} attribute-unchanged med next-hop +{%- elif 'as_path' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged %} neighbor {{ pr_group }} attribute-unchanged as-path +{%- elif 'med' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged %} + neighbor {{ pr_group }} attribute-unchanged med +{%- elif 'next_hop' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged %} + neighbor {{ pr_group }} attribute-unchanged next-hop {%- else %} neighbor {{ pr_group }} attribute-unchanged as-path next-hop med {%- endif %} {%- endif %} +{#- END attribute-unchanged ipv6 #} {%- if 'capability' in conf_peer_group.address_family.ipv6_unicast %} -{%- if 'receive' in conf_peer_group.address_family.ipv6_unicast.capability.orf.prefix_list %} +{%- if 'dynamic' in conf_peer_group.address_family.ipv6_unicast.capability %} +{#- exit from afi ipv6 unicast because 'dynamic' its a global parameter for peer-group in afi6. Other checks are ongoing in afi6. Also related T3037 #} + exit-address-family + neighbor {{ pr_group }} capability dynamic + address-family ipv6 unicast +{%- endif %} +{%- if 'orf' in conf_peer_group.address_family.ipv6_unicast.capability %} +{%- if 'receive' in conf_peer_group.address_family.ipv6_unicast.capability.orf.prefix_list %} neighbor {{ pr_group }} capability orf prefix-list receive {%- endif %} -{%- if 'send' in conf_peer_group.address_family.ipv6_unicast.capability.orf.prefix_list %} +{%- if 'send' in conf_peer_group.address_family.ipv6_unicast.capability.orf.prefix_list %} neighbor {{ pr_group }} capability orf prefix-list send +{%- endif %} {%- endif %} {%- endif %} @@ -442,7 +464,6 @@ router bgp {{ asn }} {%- endif %} {%- endif %} -{#- Checks need to be done. https://phabricator.vyos.net/T2387#73900 #} {%- if 'unsuppress_map' in conf_peer_group.address_family.ipv6_unicast %} neighbor {{ pr_group }} unsuppress-map {{conf_peer_group.address_family.ipv6_unicast.unsuppress_map}} {%- endif %} @@ -453,7 +474,7 @@ router bgp {{ asn }} {%- endfor %} {%- endif %} -{# END peer-group afi; set protocols bgp xxx peer-group FOO address-family #} +{#- END peer-group afi; set protocols bgp xxx peer-group FOO address-family #} {%- endfor %} {%- endif %} @@ -464,7 +485,7 @@ router bgp {{ asn }} {#- set peer-group as conf_peer #} {%- set conf_peer = conf_bgp[asn].neighbor[peer] %} -{#- First parameter for peer-group - remote-as #} +{#- First parameter for peer neighbor - remote-as #} {%- if 'remote_as' in conf_peer %} neighbor {{ peer }} remote-as {{ conf_peer.remote_as }} {%- endif %} @@ -491,10 +512,6 @@ router bgp {{ asn }} {%- endif %} {%- endif %} -{%- if 'description' in conf_peer %} - neighbor {{ peer }} description {{ conf_peer.description }} -{%- endif %} - {%- if 'disable_capability_negotiation' in conf_peer %} neighbor {{ peer }} disable-capability-negotiation {%- endif %} @@ -564,17 +581,21 @@ router bgp {{ asn }} neighbor {{ peer }} strict-capability-match {%- endif %} -{#- Need to check #} +{#- set protocols bgp xxx neighbor x.x.x.x timers #} {%- if 'timers' in conf_peer %} -{%- if ( ('connect' and 'holdtime' and 'keepalive') in conf_peer.timers ) %} +{%- if ( ('connect' in conf_peer.timers) and ('holdtime' in conf_peer.timers) and ('keepalive' in conf_peer.timers ) ) %} neighbor {{ peer }} timers {{conf_peer.timers.keepalive}} {{conf_peer.timers.holdtime}} - neighbor {{ peer }} timers connect {{conf_peer.timers.connect}} + neighbor {{ peer }} timers connect {{conf_peer.timers.connect}} +{%- elif ( ('holdtime' in conf_peer.timers) and ('keepalive' in conf_peer.timers ) ) %} + neighbor {{ peer }} timers {{conf_peer.timers.keepalive}} {{conf_peer.timers.holdtime}} +{%- elif 'connect' in conf_peer.timers %} + neighbor {{ peer }} timers connect {{conf_peer.timers.connect}} {%- endif %} {%- endif %} {%- if 'ttl_security' in conf_peer %} {%- if 'hops' in conf_peer.ttl_security %} - neighbor {{ peer }} ttl-security hops {{conf_peer.ttl_security.hops}} + neighbor {{ peer }} ttl-security hops {{conf_peer.ttl_security.hops}} {%- endif %} {%- endif %} @@ -582,6 +603,10 @@ router bgp {{ asn }} neighbor {{ peer }} update-source {{ conf_peer.update_source }} {%- endif %} +{%- if 'description' in conf_peer %} + neighbor {{ peer }} description {{ conf_peer.description }} +{%- endif %} + {#- START address family for peer; set protocols bgp xxx neighbor x.x.x.x address-family ipvX-unicast #} {%- if 'address_family' in conf_peer %} {%- for afi in conf_peer.address_family %} @@ -615,10 +640,19 @@ router bgp {{ asn }} {%- endif %} {#- END single params for neighbor #} -{#- Checks need to be done as-path|med|next-hop #} {%- if 'attribute_unchanged' in conf_peer.address_family.ipv4_unicast %} -{%- if 'as_path' in conf_peer.address_family.ipv4_unicast.attribute_unchanged %} +{%- if ( ('as_path' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) and ('med' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) ) %} + neighbor {{ peer }} attribute-unchanged as-path med +{%- elif ( ('as_path' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) and ('next_hop' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) ) %} + neighbor {{ peer }} attribute-unchanged as-path next-hop +{%- elif ( ('med' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) and ('next_hop' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) ) %} + neighbor {{ peer }} attribute-unchanged med next-hop +{%- elif 'as_path' in conf_peer.address_family.ipv4_unicast.attribute_unchanged %} neighbor {{ peer }} attribute-unchanged as-path +{%- elif 'med' in conf_peer.address_family.ipv4_unicast.attribute_unchanged %} + neighbor {{ peer }} attribute-unchanged med +{%- elif 'next_hop' in conf_peer.address_family.ipv4_unicast.attribute_unchanged %} + neighbor {{ peer }} attribute-unchanged next-hop {%- else %} neighbor {{ peer }} attribute-unchanged as-path next-hop med {%- endif %} @@ -626,11 +660,13 @@ router bgp {{ asn }} {#- END attribute-unchanged #} {%- if 'capability' in conf_peer.address_family.ipv4_unicast %} -{%- if 'receive' in conf_peer.address_family.ipv4_unicast.capability.orf.prefix_list %} +{%- if 'orf' in conf_peer.address_family.ipv4_unicast.capability %} +{%- if 'receive' in conf_peer.address_family.ipv4_unicast.capability.orf.prefix_list %} neighbor {{ peer }} capability orf prefix-list receive -{%- endif %} -{%- if 'send' in conf_peer.address_family.ipv4_unicast.capability.orf.prefix_list %} +{%- endif %} +{%- if 'send' in conf_peer.address_family.ipv4_unicast.capability.orf.prefix_list %} neighbor {{ peer }} capability orf prefix-list send +{%- endif %} {%- endif %} {%- endif %} @@ -701,7 +737,6 @@ router bgp {{ asn }} {%- endif %} {%- endif %} -{#- Checks need to be done. https://phabricator.vyos.net/T2387#73900 #} {%- if 'unsuppress_map' in conf_peer.address_family.ipv4_unicast %} neighbor {{ peer }} unsuppress-map {{conf_peer.address_family.ipv4_unicast.unsuppress_map}} {%- endif %} @@ -740,10 +775,19 @@ router bgp {{ asn }} {%- endif %} {#- END single params for neighbor #} -{#- Checks need to be done as-path|med|next-hop #} {%- if 'attribute_unchanged' in conf_peer.address_family.ipv6_unicast %} -{%- if 'as_path' in conf_peer.address_family.ipv6_unicast.attribute_unchanged %} +{%- if ( ('as_path' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) and ('med' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) ) %} + neighbor {{ peer }} attribute-unchanged as-path med +{%- elif ( ('as_path' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) and ('next_hop' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) ) %} + neighbor {{ peer }} attribute-unchanged as-path next-hop +{%- elif ( ('med' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) and ('next_hop' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) ) %} + neighbor {{ peer }} attribute-unchanged med next-hop +{%- elif 'as_path' in conf_peer.address_family.ipv6_unicast.attribute_unchanged %} neighbor {{ peer }} attribute-unchanged as-path +{%- elif 'med' in conf_peer.address_family.ipv6_unicast.attribute_unchanged %} + neighbor {{ peer }} attribute-unchanged med +{%- elif 'next_hop' in conf_peer.address_family.ipv6_unicast.attribute_unchanged %} + neighbor {{ peer }} attribute-unchanged next-hop {%- else %} neighbor {{ peer }} attribute-unchanged as-path next-hop med {%- endif %} @@ -751,11 +795,13 @@ router bgp {{ asn }} {#- END attribute-unchanged #} {%- if 'capability' in conf_peer.address_family.ipv6_unicast %} -{%- if 'receive' in conf_peer.address_family.ipv6_unicast.capability.orf.prefix_list %} +{%- if 'orf' in conf_peer.address_family.ipv6_unicast.capability %} +{%- if 'receive' in conf_peer.address_family.ipv6_unicast.capability.orf.prefix_list %} neighbor {{ peer }} capability orf prefix-list receive -{%- endif %} -{%- if 'send' in conf_peer.address_family.ipv6_unicast.capability.orf.prefix_list %} - neighbor {{ peer }} capability orf prefix-list send +{%- endif %} +{%- if 'send' in conf_peer.address_family.ipv6_unicast.capability.orf.prefix_list %} + neighbor {{ peer }} capability orf prefix-list send +{%- endif %} {%- endif %} {%- endif %} @@ -826,7 +872,6 @@ router bgp {{ asn }} {%- endif %} {%- endif %} -{#- Checks need to be done. https://phabricator.vyos.net/T2387#73900 #} {%- if 'unsuppress_map' in conf_peer.address_family.ipv6_unicast %} neighbor {{ peer }} unsuppress-map {{conf_peer.address_family.ipv6_unicast.unsuppress_map}} {%- endif %} @@ -863,7 +908,7 @@ router bgp {{ asn }} {%- endif %} {%- endif %} {%- if 'med' in bgp_params.bestpath %} -{%- if ( ('confed' and 'missing_as_worst') in bgp_params.bestpath.med ) %} +{%- if ( ('confed' in bgp_params.bestpath.med) and ('missing_as_worst' in bgp_params.bestpath.med ) ) %} bgp bestpath med confed missing-as-worst {%- elif 'confed' in bgp_params.bestpath.med %} bgp bestpath med confed @@ -886,9 +931,9 @@ router bgp {{ asn }} {%- endif %} {%- endif %} -{#- Doesn't work in current FRR configuration (bgp dampening 16 751 2001 61) #} +{#- Doesn't work in current FRR configuration; vtysh (bgp dampening 16 751 2001 61) #} {%- if 'dampening' in bgp_params %} -{%- if ( ('half_life' and 'max_suppress_time' and 're_use' and 'start_suppress_time') in bgp_params.dampening ) %} +{%- if ( ('half_life' in bgp_params.dampening) and ('max_suppress_time' in bgp_params.dampening) and ('re_use' in bgp_params.dampening) and ('start_suppress_time' in bgp_params.dampening ) ) %} bgp dampening {{ bgp_params.dampening.half_life }} {{ bgp_params.dampening.re_use }} {{ bgp_params.dampening.start_suppress_time }} {{ bgp_params.dampening.max_suppress_time }} {%- endif %} {%- endif %} @@ -909,7 +954,7 @@ router bgp {{ asn }} {%- if 'distance' in bgp_params %} {%- if 'global' in bgp_params.distance %} -{%- if ( ('external' and 'internal' and 'local') in bgp_params.distance.global ) %} +{%- if ( ('external' in bgp_params.distance.global) and ('internal' in bgp_params.distance.global) and ('local' in bgp_params.distance.global ) ) %} ! address-family ipv4 unicast distance bgp {{ bgp_params.distance.global.external }} {{ bgp_params.distance.global.internal }} {{ bgp_params.distance.global.local }} @@ -950,10 +995,14 @@ router bgp {{ asn }} no bgp fast-external-failover {%- endif %} +{%- if 'router_id' in bgp_params %} + bgp router-id {{ bgp_params.router_id }} +{%- endif %} + {#- END parameters; set protocols bgp xxx parameters #} {%- if 'timers' in conf_bgp[asn] %} -{%- if ( ('holdtime' and 'keepalive') in conf_bgp[asn].timers ) %} +{%- if ( ('holdtime' in conf_bgp[asn].timers) and ('keepalive' in conf_bgp[asn].timers ) ) %} timers bgp {{conf_bgp[asn].timers.keepalive}} {{conf_bgp[asn].timers.holdtime}} {%- endif %} {%- endif %} diff --git a/data/templates/https/nginx.default.tmpl b/data/templates/https/nginx.default.tmpl index a20be45ae..855ebff4f 100644 --- a/data/templates/https/nginx.default.tmpl +++ b/data/templates/https/nginx.default.tmpl @@ -5,7 +5,7 @@ server { listen 80 default_server; listen [::]:80 default_server; server_name _; - return 301 https://$server_name$request_uri; + return 301 https://$host$request_uri; } {% for server in server_block_list %} diff --git a/data/templates/openvpn/client.conf.tmpl b/data/templates/openvpn/client.conf.tmpl index 508d8da94..b57c45ce5 100644 --- a/data/templates/openvpn/client.conf.tmpl +++ b/data/templates/openvpn/client.conf.tmpl @@ -1,35 +1,33 @@ ### Autogenerated by interfaces-openvpn.py ### -{% if ip -%} -ifconfig-push {{ ip[0] }} {{ remote_netmask }} -{% endif -%} - -{% for route in push_route -%} -push "route {{ route }}" -{% endfor -%} - -{% for net in subnet -%} -iroute {{ net }} -{% endfor -%} +{% if ip %} +ifconfig-push {{ ip[0] }} {{ subnet[0] | netmask_from_cidr }} +{% endif %} +{% if push_route is defined and push_route is not none %} +{% for route in push_route %} +push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}" +{% endfor %} +{% endif %} +{% if subnet is defined and subnet is not none %} +{% for network in subnet %} +iroute {{ network | address_from_cidr }} {{ network | netmask_from_cidr }} +{% endfor %} +{% endif %} {# ipv6_remote is only set when IPv6 server is enabled #} -{% if ipv6_remote -%} +{% if ipv6_remote %} # IPv6 - -{%- if ipv6_ip %} +{% if ipv6_ip %} ifconfig-ipv6-push {{ ipv6_ip[0] }} {{ ipv6_remote }} -{%- endif %} - -{%- for route6 in ipv6_push_route %} +{% endif %} +{% for route6 in ipv6_push_route %} push "route-ipv6 {{ route6 }}" -{%- endfor %} - -{%- for net6 in ipv6_subnet %} +{% endfor %} +{% for net6 in ipv6_subnet %} iroute {{ net6 }} -{%- endfor %} - -{% endif -%} +{% endfor %} +{% endif %} -{% if disable -%} +{% if disable is defined %} disable -{% endif -%} +{% endif %} diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl index fea310236..66da9c794 100644 --- a/data/templates/openvpn/server.conf.tmpl +++ b/data/templates/openvpn/server.conf.tmpl @@ -2,246 +2,232 @@ # # See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage # for individual keyword definition - -{% if description -%} -# {{ description }} - -{% endif -%} +# +# {{ description if description is defined and description is not none }} +# verb 3 - -user {{ uid }} -group {{ gid }} - -dev-type {{ type }} -dev {{ intf }} +user {{ daemon_user }} +group {{ daemon_group }} +dev-type {{ device_type }} +dev {{ ifname }} persist-key iproute /usr/libexec/vyos/system/unpriv-ip - -proto {{ protocol_real }} - -{%- if local_host %} +proto {{ protocol }} +{% if local_host is defined and local_host is not none %} local {{ local_host }} -{%- endif %} - -{%- if mode == 'server' and protocol == 'udp' and not local_host %} +{% endif %} +{% if mode is defined and mode == 'server' and protocol == 'udp' and local_host is not defined %} multihome -{%- endif %} - -{%- if local_port %} +{% endif %} +{% if local_port is defined and local_port is not none %} lport {{ local_port }} -{%- endif %} - -{% if remote_port -%} +{% endif %} +{% if remote_port is defined and remote_port is not none %} rport {{ remote_port }} {% endif %} - -{%- if remote_host %} -{%- for remote in remote_host -%} +{% if remote_host is defined and remote_host is not none %} +{% for remote in remote_host %} remote {{ remote }} -{% endfor -%} -{% endif -%} - -{% if shared_secret_file %} -secret {{ shared_secret_file }} -{%- endif %} - -{%- if persistent_tunnel %} +{% endfor %} +{% endif %} +{% if shared_secret_key_file is defined and shared_secret_key_file is not none %} +secret {{ shared_secret_key_file }} +{% endif %} +{% if persistent_tunnel is defined %} persist-tun -{%- endif %} - -{%- if redirect_gateway %} -push "redirect-gateway {{ redirect_gateway }}" -{%- endif %} - -{%- if compress_lzo %} +{% endif %} +{% if replace_default_route is defined and replace_default_route.local is defined %} +push "redirect-gateway local def1" +{% elif replace_default_route is defined %} +push "redirect-gateway def1" +{% endif %} +{% if use_lzo_compression is defined %} compress lzo -{%- endif %} +{% endif %} -{% if 'client' in mode -%} +{% if 'client' in mode %} # # OpenVPN Client mode # client nobind - -{% elif 'server' in mode -%} +{% elif 'server' in mode %} # # OpenVPN Server mode # - -{%- if server_topology %} -topology {% if server_topology == 'point-to-point' %}p2p{% else %}{{ server_topology }}{% endif %} -{%- endif %} - -{%- if is_bridge_member %} mode server tls-server -{%- else %} -server {{ server_subnet[0] }} nopool -{%- endif %} - -{%- if server_pool %} -ifconfig-pool {{ server_pool_start }} {{ server_pool_stop }}{% if server_pool_netmask %} {{ server_pool_netmask }}{% endif %} -{%- endif %} - -{%- if server_max_conn %} -max-clients {{ server_max_conn }} -{%- endif %} - -{%- if client %} -client-config-dir /run/openvpn/ccd/{{ intf }} -{%- endif %} - -{%- if server_reject_unconfigured %} -ccd-exclusive -{%- endif %} - -keepalive {{ ping_interval }} {{ ping_restart }} +{% if server is defined and server is not none %} +{% if server.subnet is defined and server.subnet is not none %} +{% for subnet in server.subnet if subnet | ipv4 %} +server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool +{# OpenVPN assigns the first IP address to its local interface so the pool used #} +{# in net30 topology - where each client receives a /30 must start from the second subnet #} +{% if server.topology is defined and server.topology == 'net30' %} +ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }} +{% else %} +{# OpenVPN assigns the first IP address to its local interface so the pool must #} +{# start from the second address and end on the last address #} +ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }} +{% endif %} +{% endfor %} +{% endif %} +{% if server.topology is defined and server.topology == 'point-to-point' %} +topology p2p +{% elif server.topology is defined and server.topology is not none %} +topology {{ server.topology }} +{% endif %} +{% if server.client_ip_pool is defined and server.client_ip_pool is not none and server.client_ip_pool.disable is not defined %} +ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is defined and server.client_ip_pool.subnet_mask is not none }} +{% endif %} +{% if server.max_connections is defined and server.max_connections is not none %} +max-clients {{ server.max_connections }} +{% endif %} +{% if server.client is defined and server.client is not none %} +client-config-dir /run/openvpn/ccd/{{ ifname }} +{% endif %} +{% endif %} +keepalive {{ keep_alive.interval }} {{ keep_alive.failure_count }} management /run/openvpn/openvpn-mgmt-intf unix - -{% for route in server_push_route -%} +{% if server is defined and server is not none %} +{% if server.reject_unconfigured_clients is defined %} +ccd-exclusive +{% endif %} +{% if server.push_route is defined and server.push_route is not none %} +{% for route in server.push_route %} push "route {{ route }}" -{% endfor -%} - -{% for ns in server_dns_nameserver -%} -push "dhcp-option DNS {{ ns }}" -{% endfor -%} - -{%- if server_domain -%} -push "dhcp-option DOMAIN {{ server_domain }}" -{% endif -%} - -{%- if server_ipv6_local %} +{% endfor %} +{% endif %} +{% if server.name_server is defined and server.name_server is not none %} +{% for nameserver in server.name_server %} +push "dhcp-option DNS {{ nameserver }}" +{% endfor %} +{% endif %} +{% if server.domain_name is defined and server.domain_name is not none %} +push "dhcp-option DOMAIN {{ server.domain_name }}" +{% endif %} +{% endif %} + +{% if subnet_v6 is defined and subnet_v6 is not none %} # IPv6 push "tun-ipv6" ifconfig-ipv6 {{ server_ipv6_local }}/{{ server_ipv6_prefixlen }} {{ server_ipv6_remote }} - -{%- if server_ipv6_pool %} +{% if server_ipv6_pool %} ifconfig-ipv6-pool {{ server_ipv6_pool_base }}/{{ server_ipv6_pool_prefixlen }} -{%- endif %} - -{%- for route6 in server_ipv6_push_route %} +{% endif %} +{% for route6 in server_ipv6_push_route %} push "route-ipv6 {{ route6 }}" -{%- endfor %} - -{%- for ns6 in server_ipv6_dns_nameserver %} +{% endfor %} +{% for ns6 in server_ipv6_dns_nameserver %} push "dhcp-option DNS6 {{ ns6 }}" -{%- endfor %} - -{%- endif %} - -{% else -%} +{% endfor %} +{% endif %} +{% else %} # # OpenVPN site-2-site mode # -ping {{ ping_interval }} -ping-restart {{ ping_restart }} - -{% if local_address_subnet -%} -ifconfig {{ local_address[0] }} {{ local_address_subnet }} -{%- elif remote_address -%} -ifconfig {{ local_address[0] }} {{ remote_address[0] }} -{%- endif %} - -{% if ipv6_local_address -%} -ifconfig-ipv6 {{ ipv6_local_address[0] }} {{ ipv6_remote_address[0] }} -{%- endif %} - -{% endif -%} +ping {{ keep_alive.interval }} +ping-restart {{ keep_alive.failure_count }} + +{% for laddr, laddr_conf in local_address.items() if laddr | ipv4 %} +{% if laddr_conf is defined and laddr_conf.subnet_mask is defined and laddr_conf.subnet_mask is not none %} +ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }} +{% else %} +{% for raddr in remote_address %} +{% if raddr | ipv4 %} +ifconfig {{ laddr }} {{ raddr }} +{% else %} +ifconfig-ipv6 {{ laddr }} {{ raddr }} +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} -{% if tls -%} +{% if tls is defined and tls is not none %} # TLS options -{%- if tls_ca_cert %} -ca {{ tls_ca_cert }} -{%- endif %} - -{%- if tls_cert %} -cert {{ tls_cert }} -{%- endif %} - -{%- if tls_key %} -key {{ tls_key }} -{%- endif %} - -{%- if tls_crypt %} -tls-crypt {{ tls_crypt }} -{%- endif %} - -{%- if tls_crl %} -crl-verify {{ tls_crl }} -{%- endif %} - -{%- if tls_version_min %} -tls-version-min {{tls_version_min}} -{%- endif %} - -{%- if tls_dh %} -dh {{ tls_dh }} -{%- endif %} - -{%- if tls_auth %} -{%- if mode == 'client' %} -tls-auth {{tls_auth}} 1 -{%- elif mode == 'server' %} -tls-auth {{tls_auth}} 0 -{%- endif %} -{%- endif %} - -{%- if tls_role %} -{%- if 'active' in tls_role %} +{% if tls.ca_cert_file is defined and tls.ca_cert_file is not none %} +ca {{ tls.ca_cert_file }} +{% endif %} +{% if tls.cert_file is defined and tls.cert_file is not none %} +cert {{ tls.cert_file }} +{% endif %} +{% if tls.key_file is defined and tls.key_file is not none %} +key {{ tls.key_file }} +{% endif %} +{% if tls.crypt_file is defined and tls.crypt_file is not none %} +tls-crypt {{ tls.crypt_file }} +{% endif %} +{% if tls.crl_file is defined and tls.crl_file is not none %} +crl-verify {{ tls.crl_file }} +{% endif %} +{% if tls.tls_version_min is defined and tls.tls_version_min is not none %} +tls-version-min {{ tls.tls_version_min }} +{% endif %} +{% if tls.dh_file is defined and tls.dh_file is not none %} +dh {{ tls.dh_file }} +{% endif %} +{% if tls.auth_file is defined and tls.auth_file is not none %} +{% if mode == 'client' %} +tls-auth {{ tls.auth_file }} 1 +{% elif mode == 'server' %} +tls-auth {{ tls.auth_file }} 0 +{% endif %} +{% endif %} +{% if tls.role is defined and tls.role is not none %} +{% if tls.role == 'active' %} tls-client -{%- elif 'passive' in tls_role %} +{% elif tls.role == 'passive' %} tls-server -{%- endif %} -{%- endif %} - -{%- endif %} +{% endif %} +{% endif %} +{% endif %} # Encryption options -{%- if encryption %} -{% if encryption == 'none' -%} +{% if encryption is defined and encryption is not none %} +{% if encryption.cipher is defined and encryption.cipher is not none %} +{% if encryption.cipher == 'none' %} cipher none -{%- elif encryption == 'des' -%} +{% elif encryption.cipher == 'des' %} cipher des-cbc -{%- elif encryption == '3des' -%} +{% elif encryption.cipher == '3des' %} cipher des-ede3-cbc -{%- elif encryption == 'bf128' -%} +{% elif encryption.cipher == 'bf128' %} cipher bf-cbc keysize 128 -{%- elif encryption == 'bf256' -%} +{% elif encryption.cipher == 'bf256' %} cipher bf-cbc keysize 25 -{%- elif encryption == 'aes128gcm' -%} +{% elif encryption.cipher == 'aes128gcm' %} cipher aes-128-gcm -{%- elif encryption == 'aes128' -%} +{% elif encryption.cipher == 'aes128' %} cipher aes-128-cbc -{%- elif encryption == 'aes192gcm' -%} +{% elif encryption.cipher == 'aes192gcm' %} cipher aes-192-gcm -{%- elif encryption == 'aes192' -%} +{% elif encryption.cipher == 'aes192' %} cipher aes-192-cbc -{%- elif encryption == 'aes256gcm' -%} +{% elif encryption.cipher == 'aes256gcm' %} cipher aes-256-gcm -{%- elif encryption == 'aes256' -%} +{% elif encryption.cipher == 'aes256' %} cipher aes-256-cbc -{%- endif -%} -{%- endif %} - -{%- if ncp_ciphers %} -ncp-ciphers {{ncp_ciphers}} -{%- endif %} -{%- if disable_ncp %} +{% endif %} +{% endif %} +{% if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %} +ncp-ciphers {{ encryption.ncp_ciphers | join(':') }} +{% elif encryption.disable_ncp is defined %} ncp-disable -{%- endif %} +{% endif %} +{% endif %} -{% if hash -%} +{% if hash is defined and hash is not none %} auth {{ hash }} -{%- endif -%} +{% endif %} -{%- if auth %} +{% if authentication is defined and authentication is not none %} auth-user-pass {{ auth_user_pass_file }} auth-retry nointeract -{%- endif %} +{% endif %} # DEPRECATED This option will be removed in OpenVPN 2.5 # Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this: @@ -257,12 +243,11 @@ auth-retry nointeract # See https://phabricator.vyos.net/T1512 compat-names -{% if options -%} +{% if openvpn_option is defined and openvpn_option is not none %} # # Custom options added by user (not validated) # - -{% for option in options -%} +{% for option in openvpn_option %} {{ option }} -{% endfor -%} -{%- endif %} +{% endfor %} +{% endif %} |