From 3072e507eb1cdc18cfe5429fd0c03d223d2576fe Mon Sep 17 00:00:00 2001
From: Antonio Quartulli <antonio@mandelbit.com>
Date: Tue, 1 Nov 2022 22:35:48 +0100
Subject: openvpn: T3214: allow configuring server with v6 only

Starting with v2.5.0 OpenVPN allows configuring a server with
an IPv6 only tunnel.

For this reason there is no need to depend on the existence of an IPv4
subnet anymore.

Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
---
 src/conf_mode/interfaces-openvpn.py | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 8155f36c2..548ba4449 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -329,9 +329,6 @@ def verify(openvpn):
             if v6_subnets > 1:
                 raise ConfigError('Cannot specify more than 1 IPv6 server subnet')
 
-            if v6_subnets > 0 and v4_subnets == 0:
-                raise ConfigError('IPv6 server requires an IPv4 server subnet')
-
             for subnet in tmp:
                 if is_ipv4(subnet):
                     subnet = IPv4Network(subnet)
-- 
cgit v1.2.3


From 7a0e40ce8df386c0ea2de84bce8fb6c81a0353ce Mon Sep 17 00:00:00 2001
From: Antonio Quartulli <antonio@mandelbit.com>
Date: Tue, 1 Nov 2022 22:43:46 +0100
Subject: openvpn: T3214: warn when setting nopool and server-ipv6 is being
 used

Currently OpenVPN does not allow having an IPv6 subnet if 'nopool'
was specified on the --server directive. For this eason warn if this
specific configuration is being hit.

This is probably something that should be fixed upstream, but for now
we can't allow this combination of parameters.

Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
---
 src/conf_mode/interfaces-openvpn.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 548ba4449..a06154761 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -370,6 +370,10 @@ def verify(openvpn):
                         for v4PoolNet in v4PoolNets:
                             if IPv4Address(client['ip'][0]) in v4PoolNet:
                                 print(f'Warning: Client "{client["name"]}" IP {client["ip"][0]} is in server IP pool, it is not reserved for this client.')
+            # configuring a client_ip_pool will set 'server ... nopool' which is currently incompatible with 'server-ipv6' (probably to be fixed upstream)
+            for subnet in (dict_search('server.subnet', openvpn) or []):
+                if is_ipv6(subnet):
+                    raise ConfigError(f'Setting client-ip-pool is incompatible having an IPv6 server subnet.')
 
         for subnet in (dict_search('server.subnet', openvpn) or []):
             if is_ipv6(subnet):
-- 
cgit v1.2.3


From 0ccbbca01b22232b5cba63d64ab00eb54af7b068 Mon Sep 17 00:00:00 2001
From: Antonio Quartulli <antonio@mandelbit.com>
Date: Tue, 1 Nov 2022 22:52:49 +0100
Subject: openvpn: T3214: specify nopool on --server line only if needed

The --server directive will already create a pool automatically.
For this reason noppol should be used only when an explicit
client-ip-pool was configured by the user.

If that's not the case, then the nopool flag should not be
specified and no manual pool should be configured.

Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
---
 data/templates/openvpn/server.conf.j2 | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index 6dd4ef88d..844a1390b 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -71,7 +71,7 @@ topology {{ server.topology }}
 {%             endif %}
 {%             for subnet in server.subnet %}
 {%                 if subnet | is_ipv4 %}
-server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
+server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} {{ 'nopool' if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined else '' }}
 {# First ip address is used as gateway. It's allows to use metrics #}
 {%                     if server.push_route is vyos_defined %}
 {%                         for route, route_config in server.push_route.items() %}
@@ -82,15 +82,6 @@ push "route-ipv6 {{ route }}"
 {%                             endif %}
 {%                         endfor %}
 {%                     endif %}
-{# OpenVPN assigns the first IP address to its local interface so the pool used #}
-{# in net30 topology - where each client receives a /30 must start from the second subnet #}
-{%                     if server.topology is vyos_defined('net30') %}
-ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
-{%                     else %}
-{# OpenVPN assigns the first IP address to its local interface so the pool must #}
-{# start from the second address and end on the last address #}
-ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }}
-{%                     endif %}
 {%                 elif subnet | is_ipv6 %}
 server-ipv6 {{ subnet }}
 {%                 endif %}
-- 
cgit v1.2.3