summaryrefslogtreecommitdiff
path: root/src/conf_mode/interfaces_openvpn.py
diff options
context:
space:
mode:
Diffstat (limited to 'src/conf_mode/interfaces_openvpn.py')
-rwxr-xr-xsrc/conf_mode/interfaces_openvpn.py13
1 files changed, 8 insertions, 5 deletions
diff --git a/src/conf_mode/interfaces_openvpn.py b/src/conf_mode/interfaces_openvpn.py
index 5b9c21757..627cc90ba 100755
--- a/src/conf_mode/interfaces_openvpn.py
+++ b/src/conf_mode/interfaces_openvpn.py
@@ -168,6 +168,14 @@ def verify_pki(openvpn):
'verification, consult the documentation for details.')
if tls:
+ if mode == 'site-to-site':
+ # XXX: site-to-site with PSKs is the only mode that can work without TLS,
+ # so 'tls role' is not mandatory for it,
+ # but we need to check that if it uses peer certificate fingerprints rather than PSKs,
+ # then the TLS role is set
+ if ('shared_secret_key' not in tls) and ('role' not in tls):
+ raise ConfigError('"tls role" is required for site-to-site OpenVPN with TLS')
+
if (mode in ['server', 'client']) and ('ca_certificate' not in tls):
raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\
it is required in server and client modes')
@@ -260,11 +268,6 @@ def verify(openvpn):
# OpenVPN site-to-site - VERIFY
#
elif openvpn['mode'] == 'site-to-site':
- # XXX: site-to-site is the only mode that still can work without TLS,
- # so we need to make sure that if TLS is used, then TLS role is also specified
- if 'shared_secret_key' not in openvpn['tls'] and 'role' not in openvpn['tls']:
- raise ConfigError('"tls role" is required for site-to-site OpenVPN with TLS')
-
if 'local_address' not in openvpn and 'is_bridge_member' not in openvpn:
raise ConfigError('Must specify "local-address" or add interface to bridge')