summaryrefslogtreecommitdiff
path: root/src/conf_mode/interfaces-openvpn.py
diff options
context:
space:
mode:
Diffstat (limited to 'src/conf_mode/interfaces-openvpn.py')
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py57
1 files changed, 53 insertions, 4 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index cdd133904..50d367f2f 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -222,6 +222,13 @@ cipher aes-256-cbc
{% endif %}
{% endif %}
+{%- if ncp_ciphers %}
+ncp-ciphers {{ncp_ciphers}}
+{% endif %}
+{%- if disable_ncp %}
+ncp-disable
+{% endif %}
+
{%- if auth %}
auth-user-pass /tmp/openvpn-{{ intf }}-pw
auth-retry nointeract
@@ -277,6 +284,7 @@ default_config_data = {
'deleted': False,
'description': '',
'disable': False,
+ 'disable_ncp': False,
'encryption': '',
'hash': '',
'intf': '',
@@ -287,6 +295,7 @@ default_config_data = {
'local_host': '',
'local_port': '',
'mode': '',
+ 'ncp_ciphers': '',
'options': [],
'persistent_tunnel': False,
'protocol': '',
@@ -410,10 +419,44 @@ def get_config():
if conf.exists('disable'):
openvpn['disable'] = True
- # data encryption algorithm
- if conf.exists('encryption'):
- openvpn['encryption'] = conf.return_value('encryption')
-
+ # data encryption algorithm cipher
+ if conf.exists('encryption cipher'):
+ openvpn['encryption'] = conf.return_value('encryption cipher')
+
+ # disable ncp-ciphers support
+ if conf.exists('encryption disable-ncp'):
+ openvpn['disable_ncp'] = True
+
+ # data encryption algorithm ncp-list
+ if conf.exists('encryption ncp-ciphers'):
+ _ncp_ciphers = []
+ for enc in conf.return_values('encryption ncp-ciphers'):
+ if enc == 'des':
+ _ncp_ciphers.append('des-cbc')
+ _ncp_ciphers.append('DES-CBC')
+ elif enc == '3des':
+ _ncp_ciphers.append('des-ede3-cbc')
+ _ncp_ciphers.append('DES-EDE3-CBC')
+ elif enc == 'aes128':
+ _ncp_ciphers.append('aes-128-cbc')
+ _ncp_ciphers.append('AES-128-CBC')
+ elif enc == 'aes128gcm':
+ _ncp_ciphers.append('aes-128-gcm')
+ _ncp_ciphers.append('AES-128-GCM')
+ elif enc == 'aes192':
+ _ncp_ciphers.append('aes-192-cbc')
+ _ncp_ciphers.append('AES-192-CBC')
+ elif enc == 'aes192gcm':
+ _ncp_ciphers.append('aes-192-gcm')
+ _ncp_ciphers.append('AES-192-GCM')
+ elif enc == 'aes256':
+ _ncp_ciphers.append('aes-256-cbc')
+ _ncp_ciphers.append('AES-256-CBC')
+ elif enc == 'aes256gcm':
+ _ncp_ciphers.append('aes-256-gcm')
+ _ncp_ciphers.append('AES-256-GCM')
+ openvpn['ncp_ciphers'] = ':'.join(_ncp_ciphers)
+
# hash algorithm
if conf.exists('hash'):
openvpn['hash'] = conf.return_value('hash')
@@ -621,6 +664,9 @@ def verify(openvpn):
if openvpn['bridge_member']:
raise ConfigError('Can not delete {} as it is a member interface of bridge {}!'.format(openvpn['intf'], bridge))
+ # Check if we have disabled ncp and at the same time specified ncp-ciphers
+ if openvpn['disable_ncp'] and openvpn['ncp_ciphers']:
+ raise ConfigError('Cannot specify both "encryption disable-ncp" and "encryption ncp-ciphers"')
#
# OpenVPN client mode - VERIFY
#
@@ -661,6 +707,9 @@ def verify(openvpn):
if openvpn['local_address'] == openvpn['local_host']:
raise ConfigError('"local-address" cannot be the same as "local-host"')
+ if openvpn['ncp_ciphers']:
+ raise ConfigError('encryption ncp-ciphers cannot be specified in site-to-site mode, only server or client')
+
else:
if openvpn['local_address'] or openvpn['remote_address']:
raise ConfigError('Cannot specify "local-address" or "remote-address" in client-server mode')