Age | Commit message | Author |
|
Commit bb9f998 introduced a bug where openvpn fails to start if
'local-host' is an IPv4 address due to 'proto' wanting an IPv6 socket.
This adds a conditional check and uses normal proto if it's IPv4.
|
This reverts commit 26adfd6d0d03af44a03f327478199f3009f2ad3c.
|
Unused means disabled or even deleted - there should be no secrets left-over.
|
Bug introduced in commit b36e6e6 ("openvpn: T2273: migrate from SysVinit to
systemd") as not all relevant configuration files have been re-rendered
into /run/openvpn
|
- allow configuring IPv6 server addresses and push options
- add IPv6 server client IP pool
- add IPv6 push dhcp-option DNS6
- allow configuring IPv6 server client addresses
- allow configuring IPv6 site-to-site addresses
- validate all IPv6 options and addresses
- use protos that explicitly open an IPv6 listening socket
(tcp6-server, tcp6-client, udp6) as the default on Linux listens on
IPv4 only (https://community.openvpn.net/openvpn/ticket/360)
- add validator for any IPv6 address, host or network (used by pool)
|
2nd part of this fix, first commit 9b6a369 didn't fix it.
|
Commit bb36bde introduced a bug when server subnet is unset, this fixes
it.
|
openvpn: T2235: add custom server pool handling
|
- add config options and logic for server client-ip-pool
- add function for determining default IPs for the server in different
configurations
- verify for pool IPs and maximum subnet prefix length
- move remote netmask logic for client ifconfig-push to use new function
- add topology 'net30', set it as default (as it already was)
- replace generic ip_* with IPv4* where necessary
- print warning to console when server client IP is in server pool
- fix server subnet help field
|
Commit a457c9d2 moved the config directory to /run/openvpn but didn't move
the client-config-dir in the template.
|
convert all calls to jinja to use template.render
|
- rearranged options to put them in logical groups separated by blank
lines
- removed unnecessary blank lines (whitespace)
- fixed encryption if-else comparison logic that caused 3des to be
ignored
- set tls if tls-version-min is set
|
Interfaces enslaved to a bridge are not allowed to be deleted. If an interface
is deleted from the config but is still enslaved to a bridge, this will cause a
configuration error on the subsequent boot.
|
If configured with protocol udp and no local-host, openvpn needs
the 'multihome' option to correctly work on all addresses.
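The three transport-related commits in this log (the IPv6 protos tcp6-server/tcp6-client/udp6 as the Linux default, the fallback to the plain proto when 'local-host' is an IPv4 literal, and 'multihome' for udp without 'local-host') describe one decision procedure. The function below is an added example of that procedure written for this page; it is not VyOS code. It assumes CLI protocol keywords in the VyOS style ('udp', 'tcp-passive', 'tcp-active') and returns the OpenVPN directives a template would emit.

```python
import ipaddress
from typing import List, Optional

# CLI protocol keyword -> OpenVPN 'proto' value that opens an IPv4 socket.
# The keyword names are an assumption for this example (VyOS style).
BASE_PROTO = {
    "udp": "udp",
    "tcp-passive": "tcp-server",
    "tcp-active": "tcp-client",
}


def is_ipv4_literal(host: Optional[str]) -> bool:
    """True only for a literal IPv4 address; None, hostnames and IPv6 give False."""
    if host is None:
        return False
    try:
        return ipaddress.ip_address(host).version == 4
    except ValueError:          # not an address literal, e.g. a hostname
        return False


def ipv6_variant(proto: str) -> str:
    """'udp' -> 'udp6', 'tcp-server' -> 'tcp6-server', 'tcp-client' -> 'tcp6-client'."""
    if proto == "udp":
        return "udp6"
    return proto.replace("tcp-", "tcp6-", 1)


def transport_directives(protocol: str, local_host: Optional[str] = None) -> List[str]:
    """Return the OpenVPN config lines for the transport layer.

    - Default to the IPv6 protos, because on Linux the plain 'udp' /
      'tcp-server' protos listen on IPv4 only.
    - A literal IPv4 'local-host' cannot be bound through an IPv6 proto,
      so fall back to the plain proto in that case.
    - 'udp' without 'local-host' needs 'multihome' so a server with several
      addresses answers from the address the client actually contacted.
    """
    base = BASE_PROTO[protocol]
    proto = base if is_ipv4_literal(local_host) else ipv6_variant(base)
    lines = [f"proto {proto}"]
    if local_host is not None:
        lines.append(f"local {local_host}")
    elif protocol == "udp":
        lines.append("multihome")
    return lines


if __name__ == "__main__":
    # Sample inputs constructed for this example (documentation prefixes).
    for args in [("udp", None), ("udp", "192.0.2.1"),
                 ("tcp-passive", "2001:db8::1"), ("tcp-active", None)]:
        print(args, "->", transport_directives(*args))
```

A hostname in 'local-host' is treated like an IPv6 address here (the IPv6 proto is kept), which matches the commit's rule of only switching to the plain proto when the value is an IPv4 literal.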
|
OpenVPN, WIFI, SSTP all had the same boiler plate copied about checking if a
process associated with a pidfile is running or not. This has been migrated to
the common library function vyos.util.process_running().
|
Autoconfigure addresses using Prefix Information in Router Advertisements.
|
... to new XML and Python based frontend/backend.
|
The Interface get_state/set_state were not clear about
whether they edited the admin or operational state.
The functions now use admin_state and oper_state
for clarity.
|
ifconfig: T2057: break down DHCP, add register, STP and VLAN as adapters
|
Previously old client configs for clients that were deleted from
the server stayed in the ccd directory, causing them to still be
used. As we can't know which clients were deleted, this deletes
all the client configs as they are recreated shortly later.
|
T2139: openvpn: allow unset dh-file when using EC keys
|
This function returned True even if no match in the certificate file
was found, causing all checks using it to erroneously pass.
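The failure mode in that commit (a header check that falls through to True when no line matches, so every file passes) is worth seeing beside the corrected form. The code below is an added example written for this page, not the project's function; the header regexes and the file kinds ('ca', 'cert', 'key', 'dh', 'tls-auth') are assumptions, and the sample files are constructed inline.

```python
import os
import re
import tempfile
from typing import Optional

# PEM-style header expected at the start of a line in each file kind.
# Assumed for this example; an EC key is accepted for 'key' since no DH
# file is needed with EC keys.
EXPECTED_HEADER = {
    "ca": r"^-----BEGIN CERTIFICATE-----$",
    "cert": r"^-----BEGIN CERTIFICATE-----$",
    "key": r"^-----BEGIN (RSA |EC )?PRIVATE KEY-----$",
    "dh": r"^-----BEGIN DH PARAMETERS-----$",
    "tls-auth": r"^-----BEGIN OpenVPN Static key V1-----$",
}


def file_has_header_buggy(path: str, header_re: str) -> bool:
    """The shape of the bug: a missing match still reports success."""
    pattern = re.compile(header_re)
    with open(path) as fh:
        for line in fh:
            if pattern.match(line.rstrip("\r\n")):
                return True
    return True  # BUG: reached only when nothing matched, yet says "ok"


def file_has_header(path: str, header_re: str) -> bool:
    """Corrected: True only if some line matches the header regex."""
    pattern = re.compile(header_re)
    with open(path) as fh:
        for line in fh:
            if pattern.match(line.rstrip("\r\n")):
                return True
    return False


def check_pem_file(kind: str, path: str) -> Optional[str]:
    """Return None when the file exists and carries the expected header,
    otherwise an error message suitable for a config-verify stage."""
    if kind not in EXPECTED_HEADER:
        return f"unknown file kind '{kind}'"
    if not os.path.isfile(path):
        return f"{kind}: file {path} does not exist"
    if not file_has_header(path, EXPECTED_HEADER[kind]):
        return f"{kind}: {path} does not look like a {kind} file"
    return None


def write_sample(text: str) -> str:
    """Write constructed sample content to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path


# Constructed samples; the base64 bodies are placeholders, not real keys.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               "MIIBplaceholder\n"
               "-----END CERTIFICATE-----\n")
SAMPLE_EC_KEY = ("-----BEGIN EC PRIVATE KEY-----\n"
                 "MHcCAQEEplaceholder\n"
                 "-----END EC PRIVATE KEY-----\n")
SAMPLE_JUNK = "this file is not a certificate at all\n"

if __name__ == "__main__":
    junk = write_sample(SAMPLE_JUNK)
    print("buggy check on junk:", file_has_header_buggy(junk, EXPECTED_HEADER["cert"]))
    print("fixed check on junk:", file_has_header(junk, EXPECTED_HEADER["cert"]))
    print("verify cert:", check_pem_file("cert", write_sample(SAMPLE_CERT)))
```

Anchoring the regex with `^` and `$` on a stripped line, and returning False after the loop, are the two details that keep a stray mention of "BEGIN CERTIFICATE" in a comment line or an empty file from passing verification.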
|
os.environ['VYOS_TAGNODE_VALUE']
This has only been a theoretical problem, but then the error condition was
triggered - only an error was printed instead of raising an Exception.
|
Encrypt and authenticate all control channel packets with the key from keyfile.
Encrypting (and authenticating) control channel packets:
* provides more privacy by hiding the certificate used for the TLS connection
* makes it harder to identify OpenVPN traffic as such
* provides "poor-man's" post-quantum security, against attackers who will
never know the pre-shared key (i.e. no forward secrecy)
|
to be a bug in OpenVPN client when comparing pushed cipher with local ncp cipher list
|
[OpenVPN]: T1704: Changed config structure for OpenVPN encryption to support ncp-ciphers.
[OpenVPN]: T1704: Added migration scripts for interface 2-to-3
|