From 4bc012d2b2418ad3313fe5476b1e18a057cc6b7d Mon Sep 17 00:00:00 2001
From: Daniil Baturin
Date: Tue, 15 Aug 2023 19:47:26 +0100
Subject: T5270: generate 'dh none' unconditionally when dh-params is no present
The condition is useless since OpenVPN simply switches to ECDH in all modes when the classic DH prime is not specified
---
 data/templates/openvpn/server.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index a9bd45370..cee83077f 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -185,7 +185,7 @@ tls-version-min {{ tls.tls_version_min }}
 {% endif %}
 {% if tls.dh_params is vyos_defined %}
 dh /run/openvpn/{{ ifname }}_dh.pem
-{% elif mode is vyos_defined('server') and tls.private_key is vyos_defined %}
+{% else %}
 dh none
 {% endif %}
 {% if tls.auth_key is vyos_defined %}
--
cgit v1.2.3
From 1d6180b74cff43ddc73a0f708b348cade5a9f12d Mon Sep 17 00:00:00 2001
From: Daniil Baturin
Date: Tue, 15 Aug 2023 20:11:35 +0100
Subject: T5271: correct dict path in the template for OpenVPN peer fingerprint
---
 data/templates/openvpn/server.conf.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index cee83077f..f76fbbe79 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -201,9 +201,9 @@ tls-client
 tls-server
 {% endif %}
-{% if peer_fingerprint is vyos_defined %}
+{% if tls.peer_fingerprint is vyos_defined %}
-{% for fp in peer_fingerprint %}
+{% for fp in tls.peer_fingerprint %}
 {{ fp }}
 {% endfor %}
--
cgit v1.2.3
From 26d7ab49d92d5c665f5d6bc21375a21e22da33f6 Mon Sep 17 00:00:00 2001
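Review bot: The new `{% else %}` branch in the first hunk emits `dh none` in client mode as well, where `dh` is a server-side option; OpenVPN appears to warn about and ignore `dh` in tls-client mode, so this is probably log noise rather than a failure, but it is worth confirming on a client-mode interface. The bigger question is whether this block can render for a site-to-site tunnel that uses a shared secret and has no `tls` node: `dh` is a TLS-mode option and OpenVPN is expected to reject it in a non-TLS configuration, so an unconditional `dh none` would then break a previously working tunnel. The enclosing conditional starts before the hunk, so I cannot tell from here; if that case is reachable, guard the branch with `{% elif tls is vyos_defined %}` instead of a bare `else`.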
From: Daniil Baturin
Date: Tue, 15 Aug 2023 20:13:31 +0100
Subject: T5271: allow the user to specify either CA or peer fingerprint in OpenVPN site-to-site mode
---
 src/conf_mode/interfaces-openvpn.py | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 26b217d98..1d0feb56f 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -166,17 +166,23 @@ def verify_pki(openvpn):
 raise ConfigError(f'Invalid shared-secret on openvpn interface {interface}')
 if tls:
-if 'ca_certificate' not in tls:
-raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface}')
-
-for ca_name in tls['ca_certificate']:
-if ca_name not in pki['ca']:
-raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}')
+if (mode in ['server', 'client']) and ('ca_certificate' not in tls):
+raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\
+it is required in server and client modes')
+else:
+if ('ca_certificate' not in tls) and ('peer_fingerprint' not in tls):
+raise ConfigError('Either "tls ca-certificate" or "tls peer-fingerprint" is required\
+on openvpn interface {interface} in site-to-site mode')
-if len(tls['ca_certificate']) > 1:
-sorted_chain = sort_ca_chain(tls['ca_certificate'], pki['ca'])
-if not verify_ca_chain(sorted_chain, pki['ca']):
-raise ConfigError(f'CA certificates are not a valid chain')
+if 'ca_certificate' in tls:
+for ca_name in tls['ca_certificate']:
+if ca_name not in pki['ca']:
+raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}')
+
+if len(tls['ca_certificate']) > 1:
+sorted_chain = sort_ca_chain(tls['ca_certificate'], pki['ca'])
+if not verify_ca_chain(sorted_chain, pki['ca']):
+raise ConfigError(f'CA certificates are not a valid chain')
 if mode != 'client' and 'auth_key' not in tls:
 if 'certificate' not in tls:
--
cgit v1.2.3
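Review bot: The second new `raise` in the `else` branch builds its message from a plain string rather than an f-string, so the user will see the literal text `{interface}` instead of the interface name. Both new messages also continue the literal with a trailing backslash, which keeps any leading indentation of the continuation line inside the message text; implicit concatenation avoids both problems, e.g. `raise ConfigError(f'Either "tls ca-certificate" or "tls peer-fingerprint" is required '` followed by `f'on openvpn interface {interface} in site-to-site mode')`, and the `else:` that wraps a single `if` can become an `elif`. Nothing in this hunk validates the `peer_fingerprint` values themselves, so unless the CLI definition already constrains them to well-formed SHA-256 fingerprints, a malformed entry is only rejected when OpenVPN starts rather than at commit time like an unknown CA name. verify_pki continues outside the hunk.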