diff options
Diffstat (limited to 'src/conf_mode/interfaces-openvpn.py')
-rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 57 |
1 files changed, 53 insertions, 4 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index cdd133904..50d367f2f 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -222,6 +222,13 @@ cipher aes-256-cbc {% endif %} {% endif %} +{%- if ncp_ciphers %} +ncp-ciphers {{ncp_ciphers}} +{% endif %} +{%- if disable_ncp %} +ncp-disable +{% endif %} + {%- if auth %} auth-user-pass /tmp/openvpn-{{ intf }}-pw auth-retry nointeract @@ -277,6 +284,7 @@ default_config_data = { 'deleted': False, 'description': '', 'disable': False, + 'disable_ncp': False, 'encryption': '', 'hash': '', 'intf': '', @@ -287,6 +295,7 @@ default_config_data = { 'local_host': '', 'local_port': '', 'mode': '', + 'ncp_ciphers': '', 'options': [], 'persistent_tunnel': False, 'protocol': '', @@ -410,10 +419,44 @@ def get_config(): if conf.exists('disable'): openvpn['disable'] = True - # data encryption algorithm - if conf.exists('encryption'): - openvpn['encryption'] = conf.return_value('encryption') - + # data encryption algorithm cipher + if conf.exists('encryption cipher'): + openvpn['encryption'] = conf.return_value('encryption cipher') + + # disable ncp-ciphers support + if conf.exists('encryption disable-ncp'): + openvpn['disable_ncp'] = True + + # data encryption algorithm ncp-list + if conf.exists('encryption ncp-ciphers'): + _ncp_ciphers = [] + for enc in conf.return_values('encryption ncp-ciphers'): + if enc == 'des': + _ncp_ciphers.append('des-cbc') + _ncp_ciphers.append('DES-CBC') + elif enc == '3des': + _ncp_ciphers.append('des-ede3-cbc') + _ncp_ciphers.append('DES-EDE3-CBC') + elif enc == 'aes128': + _ncp_ciphers.append('aes-128-cbc') + _ncp_ciphers.append('AES-128-CBC') + elif enc == 'aes128gcm': + _ncp_ciphers.append('aes-128-gcm') + _ncp_ciphers.append('AES-128-GCM') + elif enc == 'aes192': + _ncp_ciphers.append('aes-192-cbc') + _ncp_ciphers.append('AES-192-CBC') + elif enc == 'aes192gcm': + _ncp_ciphers.append('aes-192-gcm') + _ncp_ciphers.append('AES-192-GCM') + elif enc == 'aes256': + _ncp_ciphers.append('aes-256-cbc') + _ncp_ciphers.append('AES-256-CBC') + elif enc == 'aes256gcm': + _ncp_ciphers.append('aes-256-gcm') + _ncp_ciphers.append('AES-256-GCM') + openvpn['ncp_ciphers'] = ':'.join(_ncp_ciphers) + # hash algorithm if conf.exists('hash'): openvpn['hash'] = conf.return_value('hash') @@ -621,6 +664,9 @@ def verify(openvpn): if openvpn['bridge_member']: raise ConfigError('Can not delete {} as it is a member interface of bridge {}!'.format(openvpn['intf'], bridge)) + # Check if we have disabled ncp and at the same time specified ncp-ciphers + if openvpn['disable_ncp'] and openvpn['ncp_ciphers']: + raise ConfigError('Cannot specify both "encryption disable-ncp" and "encryption ncp-ciphers"') # # OpenVPN client mode - VERIFY # @@ -661,6 +707,9 @@ def verify(openvpn): if openvpn['local_address'] == openvpn['local_host']: raise ConfigError('"local-address" cannot be the same as "local-host"') + if openvpn['ncp_ciphers']: + raise ConfigError('encryption ncp-ciphers cannot be specified in site-to-site mode, only server or client') + else: if openvpn['local_address'] or openvpn['remote_address']: raise ConfigError('Cannot specify "local-address" or "remote-address" in client-server mode') |