Diffstat (limited to 'src/conf_mode/interfaces-openvpn.py')
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py68
1 files changed, 40 insertions, 28 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index b42765586..435e8a8f0 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -72,14 +72,14 @@ default_config_data = {
'server_domain': '',
'server_max_conn': '',
'server_dns_nameserver': [],
- 'server_pool': False,
+ 'server_pool': True,
'server_pool_start': '',
'server_pool_stop': '',
'server_pool_netmask': '',
'server_push_route': [],
'server_reject_unconfigured': False,
'server_subnet': '',
- 'server_topology': 'net30',
+ 'server_topology': '',
'shared_secret_file': '',
'tls': False,
'tls_auth': '',
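Review bot: The new default `'server_pool': True` is not the effective default for every server, because get_config() later resets it to False for bridged servers and then recomputes it from `server client-ip-pool disable`, so a reader of this dict alone gets the wrong picture. A short comment on the entry, `# effective default: True for routed servers, False for bridged ones (recomputed in get_config)`, keeps that visible. The same applies to `'server_topology': ''`, which get_config() fills with 'net30' in server mode when it is still empty; `# filled with 'net30' in server mode if unset` documents the deferred default.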
@@ -124,13 +124,10 @@ def getDefaultServer(network, topology, devtype):
Logic from openvpn's src/openvpn/helper.c.
Returns a dict with addresses or False if the input parameters were incorrect.
"""
- if not (topology and devtype):
- return False
-
if not (devtype == 'tun' or devtype == 'tap'):
return False
- if not network.prefixlen:
+ if not network.version == 4:
return False
elif (devtype == 'tun' and network.prefixlen > 29) or (devtype == 'tap' and network.prefixlen > 30):
return False
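Review bot: The docstring still promises `False` for incorrect input parameters, but with the `topology`/`devtype` guard removed a `None` network now raises AttributeError at `network.version` instead of returning False, and an empty topology is no longer rejected in the visible lines; the caller in get_config() is now responsible for checking all three before calling. The docstring should state that `network` must be an IPv4Network and that `topology` and `devtype` must be set, with only the remaining checks (device type, prefix length) returning False. As a point of style, `if not network.version == 4:` reads more naturally as `if network.version != 4:`. The function body continues past the hunk, so later uses of topology are not visible here.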
@@ -198,6 +195,10 @@ def get_config():
if intf == openvpn['intf']:
openvpn['bridge_member'].append(intf)
+ # bridged server should not have a pool by default (but can be specified manually)
+ if openvpn['bridge_member']:
+ openvpn['server_pool'] = False
+
# set configuration level
conf.set_level('interfaces openvpn ' + openvpn['intf'])
@@ -345,6 +346,7 @@ def get_config():
openvpn['server_topology'] = conf.return_value('server topology')
# Server-mode subnet (from which client IPs are allocated)
+ server_network = None
if conf.exists('server subnet'):
# server_network is used later in this function
server_network = IPv4Network(conf.return_value('server subnet'))
@@ -388,16 +390,22 @@ def get_config():
# Server client IP pool
if conf.exists('server client-ip-pool'):
- openvpn['server_pool'] = True
+ conf.set_level('interfaces openvpn ' + openvpn['intf'] + ' server client-ip-pool')
+
+ # enable or disable server_pool where necessary
+ # default is enabled, or disabled in bridge mode
+ openvpn['server_pool'] = not conf.exists('disable')
- if conf.exists('server client-ip-pool start'):
- openvpn['server_pool_start'] = conf.return_value('server client-ip-pool start')
+ if conf.exists('start'):
+ openvpn['server_pool_start'] = conf.return_value('start')
- if conf.exists('server client-ip-pool stop'):
- openvpn['server_pool_stop'] = conf.return_value('server client-ip-pool stop')
+ if conf.exists('stop'):
+ openvpn['server_pool_stop'] = conf.return_value('stop')
- if conf.exists('server client-ip-pool netmask'):
- openvpn['server_pool_netmask'] = conf.return_value('server client-ip-pool netmask')
+ if conf.exists('netmask'):
+ openvpn['server_pool_netmask'] = conf.return_value('netmask')
+
+ conf.set_level('interfaces openvpn ' + openvpn['intf'])
# DNS suffix to be pushed to all clients
if conf.exists('server domain-name'):
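Review bot: The comment `default is enabled, or disabled in bridge mode` undersells what the assignment below it does: because it runs unconditionally inside the `server client-ip-pool` branch, it also overrides the `server_pool = False` set earlier for bridged servers, so any configured pool node without `disable` re-enables the pool on a bridge (verify() will then demand start and stop, but the intent should be stated here). Suggest `# an explicitly configured client-ip-pool enables the pool, also on a bridged server, unless 'disable' is set`. Separately, the level string is built twice by hand; a local such as `intf_level = 'interfaces openvpn ' + openvpn['intf']` used for both `conf.set_level` calls keeps the restore in sync with the descent.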
@@ -476,25 +484,30 @@ def get_config():
if not openvpn['tls_dh'] and openvpn['tls_key'] and checkCertHeader('-----BEGIN EC PRIVATE KEY-----', openvpn['tls_key']):
openvpn['tls_dh'] = 'none'
+ # set default server topology to net30
+ if openvpn['mode'] == 'server' and not openvpn['server_topology']:
+ openvpn['server_topology'] = 'net30'
+
# Set defaults where necessary.
- # If any of the input parameters are missing or wrong,
+ # If any of the input parameters are wrong,
# this will return False and no defaults will be set.
- default_server = getDefaultServer(server_network, openvpn['server_topology'], openvpn['type'])
- if default_server:
- # server-bridge doesn't require a pool so don't set defaults for it
- if not openvpn['bridge_member']:
- openvpn['server_pool'] = True
- if not openvpn['server_pool_start']:
- openvpn['server_pool_start'] = default_server['pool_start']
+ if server_network and openvpn['server_topology'] and openvpn['type']:
+ default_server = None
+ default_server = getDefaultServer(server_network, openvpn['server_topology'], openvpn['type'])
+ if default_server:
+ # server-bridge doesn't require a pool so don't set defaults for it
+ if openvpn['server_pool'] and not openvpn['bridge_member']:
+ if not openvpn['server_pool_start']:
+ openvpn['server_pool_start'] = default_server['pool_start']
- if not openvpn['server_pool_stop']:
- openvpn['server_pool_stop'] = default_server['pool_stop']
+ if not openvpn['server_pool_stop']:
+ openvpn['server_pool_stop'] = default_server['pool_stop']
- if not openvpn['server_pool_netmask']:
- openvpn['server_pool_netmask'] = default_server['pool_netmask']
+ if not openvpn['server_pool_netmask']:
+ openvpn['server_pool_netmask'] = default_server['pool_netmask']
- for client in openvpn['client']:
- client['remote_netmask'] = default_server['client_remote_netmask']
+ for client in openvpn['client']:
+ client['remote_netmask'] = default_server['client_remote_netmask']
return openvpn
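Review bot: `default_server = None` on the line before `default_server = getDefaultServer(...)` is dead; the value is overwritten immediately and the name is only read inside the same branch, so the line can be dropped. The guard `if server_network and openvpn['server_topology'] and openvpn['type']:` relies on the truthiness of an IPv4Network object; `server_network is not None` states the intent more directly, given that it is initialised to None earlier in get_config(). Since getDefaultServer() no longer returns False for a missing network or topology but fails at `network.version`, this guard is what keeps the call safe, which is worth a comment such as `# getDefaultServer() requires all three parameters to be set`. Indentation is lost in this rendering, so whether the `for client` loop sits inside the `server_pool` branch cannot be confirmed here.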
@@ -606,7 +619,6 @@ def verify(openvpn):
if not openvpn['bridge_member']:
raise ConfigError('Must specify "server subnet" or "bridge member interface" in server mode')
-
if openvpn['server_pool']:
if not (openvpn['server_pool_start'] and openvpn['server_pool_stop']):
raise ConfigError('Server client-ip-pool requires both start and stop addresses in bridged mode')