### Autogenerated by interfaces-openvpn.py ### # # See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage # for individual keyword definition # # {{ description if description is defined and description is not none }} # verb 3 user {{ daemon_user }} group {{ daemon_group }} dev-type {{ device_type }} dev {{ ifname }} persist-key iproute /usr/libexec/vyos/system/unpriv-ip proto {{ protocol }} {% if local_host is defined and local_host is not none %} local {{ local_host }} {% endif %} {% if mode is defined and mode == 'server' and protocol == 'udp' and local_host is not defined %} multihome {% endif %} {% if local_port is defined and local_port is not none %} lport {{ local_port }} {% endif %} {% if remote_port is defined and remote_port is not none %} rport {{ remote_port }} {% endif %} {% if remote_host is defined and remote_host is not none %} {% for remote in remote_host %} remote {{ remote }} {% endfor %} {% endif %} {% if shared_secret_key_file is defined and shared_secret_key_file is not none %} secret {{ shared_secret_key_file }} {% endif %} {% if persistent_tunnel is defined %} persist-tun {% endif %} {% if replace_default_route is defined and replace_default_route.local is defined %} push "redirect-gateway local def1" {% elif replace_default_route is defined %} push "redirect-gateway def1" {% endif %} {% if use_lzo_compression is defined %} compress lzo {% endif %} {% if 'client' in mode %} # # OpenVPN Client mode # client nobind {% elif 'server' in mode %} # # OpenVPN Server mode # mode server tls-server {% if server is defined and server is not none %} {% if server.subnet_v4 is defined and server.subnet_v4 is not none %} server {{ server.subnet_v4[0] | address_from_cidr }} {{ server.subnet_v4[0] | netmask_from_cidr }} {% endif %} {% if server.topology is defined and server.topology == 'point-to-point' %} topology p2p {% elif server.topology is defined and server.topology is not none %} topology {{ server.topology }} {% endif %} {% if server.client_ip_pool is defined and server.client_ip_pool is not none and server.client_ip_pool.disable is not defined %} ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is defined and server.client_ip_pool.subnet_mask is not none }} {% endif %} {% if server.max_connections is defined and server.max_connections is not none %} max-clients {{ server.max_connections }} {% endif %} {% if server.client is defined and server.client is not none %} client-config-dir /run/openvpn/ccd/{{ ifname }} {% endif %} {% endif %} keepalive {{ keep_alive.interval }} {{ keep_alive.failure_count }} management /run/openvpn/openvpn-mgmt-intf unix {% if server is defined and server is not none %} {% if server.reject_unconfigured_clients is defined %} ccd-exclusive {% endif %} {% if server.push_route is defined and server.push_route is not none %} {% for route in server.push_route %} push "route {{ route }}" {% endfor %} {% endif %} {% if server.name_server is defined and server.name_server is not none %} {% for nameserver in server.name_server %} push "dhcp-option DNS {{ nameserver }}" {% endfor %} {% endif %} {% if server.domain_name is defined and server.domain_name is not none %} push "dhcp-option DOMAIN {{ server.domain_name }}" {% endif %} {% endif %} {% if subnet_v6 is defined and subnet_v6 is not none %} # IPv6 push "tun-ipv6" ifconfig-ipv6 {{ server_ipv6_local }}/{{ server_ipv6_prefixlen }} {{ server_ipv6_remote }} {% if server_ipv6_pool %} ifconfig-ipv6-pool {{ server_ipv6_pool_base }}/{{ server_ipv6_pool_prefixlen }} {% endif %} {% for route6 in server_ipv6_push_route %} push "route-ipv6 {{ route6 }}" {% endfor %} {% for ns6 in server_ipv6_dns_nameserver %} push "dhcp-option DNS6 {{ ns6 }}" {% endfor %} {% endif %} {% else %} # # OpenVPN site-2-site mode # ping {{ keep_alive.interval }} ping-restart {{ keep_alive.failure_count }} {% if local_address_v4_netmask is defined and local_address_v4_netmask is not none %} ifconfig {{ local_address_v4[0] }} {{ local_address_v4_netmask[0] }} {% elif remote_address_v4 is defined and remote_address_v4 is not none %} ifconfig {{ local_address_v4[0] }} {{ remote_address_v4[0] }} {% endif %} {% if local_address_v6 is defined and remote_address_v6 is defined and local_address_v6 is not none and remote_address_v6 is not none %} ifconfig-ipv6 {{ local_address_v6[0] }} {{ remote_address_v6[0] }} {% endif %} {% endif %} {% if tls is defined and tls is not none %} # TLS options {% if tls.ca_cert_file is defined and tls.ca_cert_file is not none %} ca {{ tls.ca_cert_file }} {% endif %} {% if tls.cert_file is defined and tls.cert_file is not none %} cert {{ tls.cert_file }} {% endif %} {% if tls.key_file is defined and tls.key_file is not none %} key {{ tls.key_file }} {% endif %} {% if tls.crypt_file is defined and tls.crypt_file is not none %} tls-crypt {{ tls.crypt_file }} {% endif %} {% if tls.crl_file is defined and tls.crl_file is not none %} crl-verify {{ tls.crl_file }} {% endif %} {% if tls.tls_version_min is defined and tls.tls_version_min is not none %} tls-version-min {{ tls.tls_version_min }} {% endif %} {% if tls.dh_file is defined and tls.dh_file is not none %} dh {{ tls.dh_file }} {% endif %} {% if tls.auth_file is defined and tls.auth_file is not none %} {% if mode == 'client' %} tls-auth {{ tls.auth_file }} 1 {% elif mode == 'server' %} tls-auth {{ tls.auth_file }} 0 {% endif %} {% endif %} {% if tls.role is defined and tls.role is not none %} {% if tls.role == 'active' %} tls-client {% elif tls.role == 'passive' %} tls-server {% endif %} {% endif %} {% endif %} # Encryption options {% if encryption is defined and encryption is not none %} {% if encryption.cipher is defined and encryption.cipher is not none %} {% if encryption.cipher == 'none' %} cipher none {% elif encryption.cipher == 'des' %} cipher des-cbc {% elif encryption.cipher == '3des' %} cipher des-ede3-cbc {% elif encryption.cipher == 'bf128' %} cipher bf-cbc keysize 128 {% elif encryption.cipher == 'bf256' %} cipher bf-cbc keysize 25 {% elif encryption.cipher == 'aes128gcm' %} cipher aes-128-gcm {% elif encryption.cipher == 'aes128' %} cipher aes-128-cbc {% elif encryption.cipher == 'aes192gcm' %} cipher aes-192-gcm {% elif encryption.cipher == 'aes192' %} cipher aes-192-cbc {% elif encryption.cipher == 'aes256gcm' %} cipher aes-256-gcm {% elif encryption.cipher == 'aes256' %} cipher aes-256-cbc {% endif %} {% endif %} {% if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %} ncp-ciphers {{ encryption.ncp_ciphers | join(':') }} {% elif encryption.disable_ncp is defined %} ncp-disable {% endif %} {% endif %} {% if hash is defined and hash is not none %} auth {{ hash }} {% endif %} {% if authentication is defined and authentication is not none %} auth-user-pass {{ auth_user_pass_file }} auth-retry nointeract {% endif %} # DEPRECATED This option will be removed in OpenVPN 2.5 # Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this: # /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com In addition the old # behaviour was to remap any character other than alphanumeric, underscore ('_'), # dash ('-'), dot ('.'), and slash ('/') to underscore ('_'). The X.509 Subject # string as returned by the tls_id environmental variable, could additionally # contain colon (':') or equal ('='). When using the --compat-names option, this # old formatting and remapping will be re-enabled again. This is purely implemented # for compatibility reasons when using older plug-ins or scripts which does not # handle the new formatting or UTF-8 characters. # # See https://phabricator.vyos.net/T1512 compat-names {% if openvpn_option is defined and openvpn_option is not none %} # # Custom options added by user (not validated) # {% for option in openvpn_option %} {{ option }} {% endfor %} {% endif %}