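### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition

{# Template variables are rendered unescaped into the OpenVPN config.
   The description below lands on a "#" comment line; a value containing a
   newline would end the comment and be parsed as further directives, so the
   caller is expected to supply a single-line string - confirm in the
   generating script (outside this template). #}
{% if description %}
# {{ description }}
{% endif %}

verb 3
status /opt/vyatta/etc/openvpn/status/{{ intf }}.status 30
writepid /var/run/openvpn/{{ intf }}.pid
dev-type {{ type }}
dev {{ intf }}
user {{ uid }}
group {{ gid }}
persist-key
{# The daemon drops to uid/gid above; route changes go through this helper. #}
iproute /usr/libexec/vyos/system/unpriv-ip

proto {% if 'tcp-active' in protocol -%}tcp-client{% elif 'tcp-passive' in protocol -%}tcp-server{% else %}udp{% endif %}

{%- if local_host %}
local {{ local_host }}
{% endif %}

{%- if mode == 'server' and protocol == 'udp' and not local_host %}
multihome
{% endif %}

{%- if local_port %}
lport {{ local_port }}
{% endif %}

{%- if remote_port %}
rport {{ remote_port }}
{% endif %}

{%- if remote_host %}
{% for remote in remote_host -%}
remote {{ remote }}
{% endfor -%}
{% endif %}

{%- if shared_secret_file %}
secret {{ shared_secret_file }}
{% endif %}

{%- if persistent_tunnel %}
persist-tun
{% endif %}

{%- if mode %}
{%- if 'client' in mode %}
#
# OpenVPN Client mode
#
client
nobind
{%- elif 'server' in mode %}
#
# OpenVPN Server mode
#
mode server
tls-server
keepalive {{ ping_interval }} {{ ping_restart }}
{# NOTE(review): the management socket path is the same for every interface
   (status/pid above are keyed by intf), so two server instances would
   contend for it, and it is placed in /tmp without a password directive.
   Verify socket ownership/permissions on the running system; OpenVPN's
   --management-client-user / --management-client-group can restrict who
   may connect to a unix-domain management socket. #}
management /tmp/openvpn-mgmt-intf unix

{%- if server_topology %}
topology {% if 'point-to-point' in server_topology %}p2p{% else %}subnet{% endif %}
{% endif %}

{% for ns in server_dns_nameserver -%}
push "dhcp-option DNS {{ ns }}"
{% endfor -%}

{% for route in server_push_route -%}
push "route {{ route }}"
{% endfor -%}

{%- if server_domain %}
push "dhcp-option DOMAIN {{ server_domain }}"
{% endif %}

{%- if server_max_conn %}
max-clients {{ server_max_conn }}
{% endif %}

{%- if bridge_member %}
server-bridge nogw
{%- else %}
server {{ server_subnet }}
{% endif %}

{%- if server_reject_unconfigured %}
ccd-exclusive
{% endif %}

{%- else %}
#
# OpenVPN site-2-site mode
#
ping {{ ping_interval }}
ping-restart {{ ping_restart }}

{%- if local_address_subnet %}
ifconfig {{ local_address }} {{ local_address_subnet }}
{% elif remote_address %}
ifconfig {{ local_address }} {{ remote_address }}
{% endif %}

{% endif %}
{% endif %}

{%- if tls_ca_cert %}
ca {{ tls_ca_cert }}
{% endif %}

{%- if tls_cert %}
cert {{ tls_cert }}
{% endif %}

{%- if tls_key %}
key {{ tls_key }}
{% endif %}

{%- if tls_crypt %}
tls-crypt {{ tls_crypt }}
{% endif %}

{%- if tls_crl %}
crl-verify {{ tls_crl }}
{% endif %}

{# Only emitted when configured; when absent the daemon's own default
   minimum TLS version applies. #}
{%- if tls_version_min %}
tls-version-min {{tls_version_min}}
{% endif %}

{%- if tls_dh %}
dh {{ tls_dh }}
{% endif %}

{%- if tls_auth %}
tls-auth {{tls_auth}}
{% endif %}

{%- if 'active' in tls_role %}
tls-client
{%- elif 'passive' in tls_role %}
tls-server
{% endif %}

{%- if redirect_gateway %}
push "redirect-gateway {{ redirect_gateway }}"
{% endif %}

{%- if compress_lzo %}
compress lzo
{% endif %}

{%- if hash %}
auth {{ hash }}
{% endif %}

{# Cipher selection uses substring tests, so more specific names must be
   tested before the names they contain: '3des' contains 'des', and the
   'aes*gcm' names contain the matching 'aes*' name. Previously the 'des'
   branch was tested first and '3des' could never be reached, silently
   selecting single DES instead of triple DES. #}
{%- if encryption %}
{%- if '3des' in encryption %}
cipher des-ede3-cbc
{%- elif 'des' in encryption %}
cipher des-cbc
{%- elif 'bf128' in encryption %}
cipher bf-cbc
keysize 128
{%- elif 'bf256' in encryption %}
cipher bf-cbc
{# Was "keysize 25", which is not a 256-bit key length; fixed to 256. #}
keysize 256
{%- elif 'aes128gcm' in encryption %}
cipher aes-128-gcm
{%- elif 'aes128' in encryption %}
cipher aes-128-cbc
{%- elif 'aes192gcm' in encryption %}
cipher aes-192-gcm
{%- elif 'aes192' in encryption %}
cipher aes-192-cbc
{%- elif 'aes256gcm' in encryption %}
cipher aes-256-gcm
{%- elif 'aes256' in encryption %}
cipher aes-256-cbc
{% endif %}
{% endif %}

{%- if ncp_ciphers %}
ncp-ciphers {{ncp_ciphers}}
{% endif %}

{%- if disable_ncp %}
ncp-disable
{% endif %}

{# NOTE(review): the credential file is read from /tmp; who writes it and
   with what mode is outside this template - confirm it is created with
   restrictive permissions before the daemon starts. #}
{%- if auth %}
auth-user-pass /tmp/openvpn-{{ intf }}-pw
auth-retry nointeract
{% endif %}

{%- if client %}
client-config-dir /opt/vyatta/etc/openvpn/ccd/{{ intf }}
{% endif %}

# DEPRECATED This option will be removed in OpenVPN 2.5
# Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this:
# /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com In addition the old
# behaviour was to remap any character other than alphanumeric, underscore ('_'),
# dash ('-'), dot ('.'), and slash ('/') to underscore ('_'). The X.509 Subject
# string as returned by the tls_id environmental variable, could additionally
# contain colon (':') or equal ('='). When using the --compat-names option, this
# old formatting and remapping will be re-enabled again. This is purely implemented
# for compatibility reasons when using older plug-ins or scripts which does not
# handle the new formatting or UTF-8 characters.
#
# See https://phabricator.vyos.net/T1512
compat-names

{% for option in options -%}
{{ option }}
{% endfor -%}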