summaryrefslogtreecommitdiff
path: root/src/conf_mode/interfaces-openvpn.py
diff options
context:
space:
mode:
Diffstat (limited to 'src/conf_mode/interfaces-openvpn.py')
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py21
1 files changed, 19 insertions, 2 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 3a7bc6611..622543b58 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -51,7 +51,6 @@ config_tmpl = """
verb 3
status /opt/vyatta/etc/openvpn/status/{{ intf }}.status 30
writepid /var/run/openvpn/{{ intf }}.pid
-daemon openvpn-{{ intf }}
dev-type {{ type }}
dev {{ intf }}
@@ -162,6 +161,10 @@ cert {{ tls_cert }}
key {{ tls_key }}
{% endif %}
+{%- if tls_crypt %}
+tls-crypt {{ tls_crypt }}
+{% endif %}
+
{%- if tls_crl %}
crl-verify {{ tls_crl }}
{% endif %}
@@ -224,7 +227,7 @@ cipher aes-256-cbc
{%- if ncp_ciphers %}
ncp-ciphers {{ncp_ciphers}}
-{% endif %}
+{% endif %}
{%- if disable_ncp %}
ncp-disable
{% endif %}
@@ -319,6 +322,7 @@ default_config_data = {
'tls_crl': '',
'tls_dh': '',
'tls_key': '',
+ 'tls_crypt': '',
'tls_role': '',
'tls_version_min': '',
'type': 'tun',
@@ -634,6 +638,11 @@ def get_config():
openvpn['tls_key'] = conf.return_value('tls key-file')
openvpn['tls'] = True
+ # File containing key to encrypt control channel packets
+ if conf.exists('tls crypt-file'):
+ openvpn['tls_crypt'] = conf.return_value('tls crypt-file')
+ openvpn['tls'] = True
+
# Role in TLS negotiation
if conf.exists('tls role'):
openvpn['tls_role'] = conf.return_value('tls role')
@@ -801,6 +810,9 @@ def verify(openvpn):
if not openvpn['tls_key']:
raise ConfigError('Must specify "tls key-file"')
+ if openvpn['tls_auth'] and openvpn['tls_crypt']:
+ raise ConfigError('TLS auth and crypt are mutually exclusive')
+
if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_ca_cert']):
raise ConfigError('Specified ca-cert-file "{}" is invalid'.format(openvpn['tls_ca_cert']))
@@ -816,6 +828,10 @@ def verify(openvpn):
if not checkCertHeader('-----BEGIN (?:RSA )?PRIVATE KEY-----', openvpn['tls_key']):
raise ConfigError('Specified key-file "{}" is not valid'.format(openvpn['tls_key']))
+ if openvpn['tls_crypt']:
+ if not checkCertHeader('-----BEGIN OpenVPN Static key V1-----', openvpn['tls_crypt']):
+ raise ConfigError('Specified TLS crypt-file "{}" is invalid'.format(openvpn['tls_crypt']))
+
if openvpn['tls_crl']:
if not checkCertHeader('-----BEGIN X509 CRL-----', openvpn['tls_crl']):
raise ConfigError('Specified crl-file "{} not valid'.format(openvpn['tls_crl']))
@@ -968,6 +984,7 @@ def apply(openvpn):
cmd += ' --exec /usr/sbin/openvpn'
# now pass arguments to openvpn binary
cmd += ' --'
+ cmd += ' --daemon openvpn-' + openvpn['intf']
cmd += ' --config ' + get_config_name(openvpn['intf'])
# execute assembled command
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-22 19:48:18 +0000