From bb9f99853c723c5100c3fffbc592ba79f3abebfe Mon Sep 17 00:00:00 2001
From: Jernej Jakob
Date: Tue, 14 Apr 2020 17:15:58 +0200
Subject: openvpn: T149: IPv6 support

- allow configuring IPv6 server addresses and push options
- add IPv6 server client IP pool
- add IPv6 push dhcp-option DNS6
- allow configuring IPv6 server client addresses
- allow configuring IPv6 site-to-site addresses
- validate all IPv6 options and addresses
- use protos that explicitely open an IPv6 listening socket (tcp6-server, tcp6-client, udp6) as the default on Linux listens on IPv4 only (https://community.openvpn.net/openvpn/ticket/360)
- add validator for any IPv6 address, host or network (used by pool)
---
 data/templates/openvpn/client.conf.tmpl | 21 ++++++++++++++++++++-
 data/templates/openvpn/server.conf.tmpl | 33 ++++++++++++++++++++++++++++-----
 2 files changed, 48 insertions(+), 6 deletions(-)

(limited to 'data/templates')

diff --git a/data/templates/openvpn/client.conf.tmpl b/data/templates/openvpn/client.conf.tmpl
index 3099f2ca7..508d8da94 100644
--- a/data/templates/openvpn/client.conf.tmpl
+++ b/data/templates/openvpn/client.conf.tmpl
@@ -1,8 +1,9 @@
 ### Autogenerated by interfaces-openvpn.py ###
 {% if ip -%}
-ifconfig-push {{ ip }} {{ remote_netmask }}
+ifconfig-push {{ ip[0] }} {{ remote_netmask }}
 {% endif -%}
+
 {% for route in push_route -%}
 push "route {{ route }}"
 {% endfor -%}
@@ -11,6 +12,24 @@ push "route {{ route }}"
 iroute {{ net }}
 {% endfor -%}
+{# ipv6_remote is only set when IPv6 server is enabled #}
+{% if ipv6_remote -%}
+# IPv6
+
+{%- if ipv6_ip %}
+ifconfig-ipv6-push {{ ipv6_ip[0] }} {{ ipv6_remote }}
+{%- endif %}
+
+{%- for route6 in ipv6_push_route %}
+push "route-ipv6 {{ route6 }}"
+{%- endfor %}
+
+{%- for net6 in ipv6_subnet %}
+iroute {{ net6 }}
+{%- endfor %}
+
+{% endif -%}
+
 {% if disable -%}
 disable
 {% endif -%}
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index e2f9062a1..0f563dc2b 100644
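Review bot: `iroute {{ net6 }}` in the new `{% for net6 in ipv6_subnet %}` loop hands an IPv6 prefix to a directive that only understands an IPv4 network plus optional netmask; OpenVPN's IPv6 form is `iroute-ipv6 ipv6addr/bits`, so the line should be `iroute-ipv6 {{ net6 }}`. As generated, the ccd entry is rejected or mis-parsed by the server and the client's IPv6 subnet is never routed into the tunnel, which defeats the purpose of `ipv6_subnet`. It would also help to add `{# iroute-ipv6 only tells the server which client owns the prefix; a matching server-side route-ipv6 is still required #}` above the loop, since that coupling is not visible from this template and the generator that fills `ipv6_subnet` is outside this diff.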
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -18,7 +18,7 @@ dev {{ intf }}
 persist-key
 iproute /usr/libexec/vyos/system/unpriv-ip
-proto {% if 'tcp-active' in protocol -%}tcp-client{% elif 'tcp-passive' in protocol -%}tcp-server{% else %}udp{% endif %}
+proto {% if 'tcp-active' in protocol -%}tcp6-client{% elif 'tcp-passive' in protocol -%}tcp6-server{% else %}udp6{% endif %}
 {%- if local_host %}
 local {{ local_host }}
@@ -78,7 +78,7 @@ topology {% if server_topology == 'point-to-point' %}p2p{% else %}{{ server_topo
 mode server
 tls-server
 {%- else %}
-server {{ server_subnet }} nopool
+server {{ server_subnet[0] }} nopool
 {%- endif %}
 {%- if server_pool %}
@@ -110,7 +110,26 @@ push "dhcp-option DNS {{ ns }}"
 {%- if server_domain -%}
 push "dhcp-option DOMAIN {{ server_domain }}"
-{% endif %}
+{% endif -%}
+
+{%- if server_ipv6_local %}
+# IPv6
+push "tun-ipv6"
+ifconfig-ipv6 {{ server_ipv6_local }}/{{ server_ipv6_prefixlen }} {{ server_ipv6_remote }}
+
+{%- if server_ipv6_pool %}
+ifconfig-ipv6-pool {{ server_ipv6_pool_base }}/{{ server_ipv6_pool_prefixlen }}
+{%- endif %}
+
+{%- for route6 in server_ipv6_push_route %}
+push "route-ipv6 {{ route6 }}"
+{%- endfor %}
+
+{%- for ns6 in server_ipv6_dns_nameserver %}
+push "dhcp-option DNS6 {{ ns6 }}"
+{%- endfor %}
+
+{%- endif %}
 {% else -%}
 #
@@ -120,9 +139,13 @@ ping {{ ping_interval }}
 ping-restart {{ ping_restart }}
 {% if local_address_subnet -%}
-ifconfig {{ local_address }} {{ local_address_subnet }}
+ifconfig {{ local_address[0] }} {{ local_address_subnet }}
 {%- elif remote_address -%}
-ifconfig {{ local_address }} {{ remote_address }}
+ifconfig {{ local_address[0] }} {{ remote_address[0] }}
+{%- endif %}
+
+{% if ipv6_local_address -%}
+ifconfig-ipv6 {{ ipv6_local_address[0] }} {{ ipv6_remote_address[0] }}
 {%- endif %}
 {% endif -%}
--
cgit v1.2.3
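Review bot: Hard-coding the `6` protocol variants in the new `proto` line breaks every configuration whose `local {{ local_host }}` (the context two lines below) is an IPv4 literal, and likewise a tcp-active remote that is IPv4: as far as I can tell OpenVPN resolves `--local`/`--remote` in the address family selected by `--proto`, so `proto udp6` with an IPv4 `local` fails at startup instead of listening. The suffix should follow the configured address, e.g. `{% set af = '6' if (not local_host or ':' in local_host) else '4' %}` followed by `proto {% if 'tcp-active' in protocol -%}tcp{{ af }}-client{% elif 'tcp-passive' in protocol -%}tcp{{ af }}-server{% else %}udp{{ af }}{% endif %}`; the remote address used for tcp-active is not in this hunk, so that branch needs the same check on it. The unbound case is fine as written, since on Linux a `udp6`/`tcp6-server` socket also accepts IPv4 peers unless `bind ipv6only` is set, which is presumably why the commit picked these defaults; a one-line template comment stating that assumption would help the next reader.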
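Review bot: `ifconfig-ipv6-pool` in the new `{%- if server_ipv6_pool %}` branch is emitted independently of the IPv4 pool, but OpenVPN assigns IPv6 pool addresses by the client's index in the IPv4 pool, and as far as I recall the 2.4 series rejects an IPv6 pool without `ifconfig-pool` (IPv6-only pools arrived in 2.5); the IPv4 pool here is gated by the separate `{%- if server_pool %}` branch earlier in this file, so the two can currently be configured independently. Either the generator should refuse `server_ipv6_pool` without `server_pool`, or the template should at least say so, e.g. `{# ifconfig-ipv6-pool is indexed off the IPv4 pool: requires server_pool on OpenVPN < 2.5 #}` above that line. Separately, `push "tun-ipv6"` only matters for 2.3 clients and is ignored by 2.4+, which deserves a short comment so nobody reads it as enabling IPv6 on the server side; the server-side enablement here is the `ifconfig-ipv6` line.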
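Review bot: The site-to-site line `ifconfig-ipv6 {{ ipv6_local_address[0] }} {{ ipv6_remote_address[0] }}` omits the prefix length that `ifconfig-ipv6 ipv6addr/bits ipv6remote` expects, whereas the server branch above spells it out as `{{ server_ipv6_local }}/{{ server_ipv6_prefixlen }}`; unless the generator already stores `ipv6_local_address[0]` as `addr/bits`, OpenVPN treats a bare address as /128 and, on the 2.4 parser at least, rejects anything outside /64–/124. Make the two branches consistent, e.g. `ifconfig-ipv6 {{ ipv6_local_address[0] }}/{{ ipv6_local_prefixlen }} {{ ipv6_remote_address[0] }}` with the prefix length validated where the other IPv6 options are, or add `{# ipv6_local_address must carry its prefix length (addr/bits) #}` if that is the contract. The enclosing `{% else -%}` site-to-site branch starts outside this hunk, so I cannot see whether `tun-ipv6` or any IPv6 route is emitted for this mode.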