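{#
  OpenVPN daemon configuration rendered from the VyOS interface definition.

  Top-level template inputs read below (presence checked with `is defined` /
  `is not none` before use unless the key is mandatory):
    description, daemon_user, daemon_group, device_type, ifname, protocol,
    local_host, local_port, remote_host, remote_port, shared_secret_key_file,
    persistent_tunnel, replace_default_route, use_lzo_compression, mode,
    server (subnet, topology, client_ip_pool, max_connections, client,
    reject_unconfigured_clients, push_route, name_server, domain_name),
    keep_alive (interval, failure_count), subnet_v6 and the server_ipv6_*
    values, local_address, remote_address, tls (ca_cert_file, cert_file,
    key_file, crypt_file, crl_file, tls_version_min, dh_file, auth_file,
    role), encryption (cipher, ncp_ciphers, disable_ncp), hash,
    authentication, auth_user_pass_file, openvpn_option.

  Lines starting with `#` are emitted into the generated file and are treated
  as comments by OpenVPN; `{# #}` blocks are dropped at render time.
#}
### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
#
# {{ description if description is defined and description is not none }}
#

verb 3
user {{ daemon_user }}
group {{ daemon_group }}
dev-type {{ device_type }}
dev {{ ifname }}
persist-key
{# The daemon drops privileges to daemon_user/daemon_group above; interface
   address/route changes are delegated to this helper instead of being done
   by the (now unprivileged) process itself. #}
iproute /usr/libexec/vyos/system/unpriv-ip

{% if protocol == 'tcp-active' %}
proto tcp-client
{% elif protocol == 'tcp-passive' %}
proto tcp-server
{% else %}
proto udp
{% endif %}

{% if local_host is defined and local_host is not none %}
local {{ local_host }}
{% endif %}
{# Without a bound local address a UDP server must reply from the address the
   request arrived on, which is what multihome provides. #}
{% if mode is defined and mode == 'server' and protocol == 'udp' and local_host is not defined %}
multihome
{% endif %}
{% if local_port is defined and local_port is not none %}
lport {{ local_port }}
{% endif %}
{% if remote_port is defined and remote_port is not none %}
rport {{ remote_port }}
{% endif %}
{% if remote_host is defined and remote_host is not none %}
{%   for remote in remote_host %}
remote {{ remote }}
{%   endfor %}
{% endif %}
{% if shared_secret_key_file is defined and shared_secret_key_file is not none %}
secret {{ shared_secret_key_file }}
{% endif %}
{% if persistent_tunnel is defined %}
persist-tun
{% endif %}
{% if replace_default_route is defined and replace_default_route.local is defined %}
push "redirect-gateway local def1"
{% elif replace_default_route is defined %}
push "redirect-gateway def1"
{% endif %}
{% if use_lzo_compression is defined %}
compress lzo
{% endif %}

{% if mode == 'client' %}
#
# OpenVPN Client mode
#
client
nobind

{% elif mode == 'server' %}
#
# OpenVPN Server mode
#
mode server
tls-server
{% if server is defined and server is not none %}
{%   if server.subnet is defined and server.subnet is not none %}
{%     if server.topology is defined and server.topology == 'point-to-point' %}
topology p2p
{%     elif server.topology is defined and server.topology is not none %}
topology {{ server.topology }}
{%     endif %}
{%     for subnet in server.subnet if subnet | is_ipv4 %}
{# `nopool` disables OpenVPN's implicit pool; the explicit ifconfig-pool
   below is derived from the subnet instead so that the range is under our
   control for every topology. #}
server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
{# OpenVPN assigns the first IP address to its local interface so the pool used #}
{# in net30 topology - where each client receives a /30 must start from the second subnet #}
{%       if server.topology is defined and server.topology == 'net30' %}
ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
{%       else %}
{# OpenVPN assigns the first IP address to its local interface so the pool must #}
{# start from the second address and end on the last address #}
ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }}
{%       endif %}
{%     endfor %}
{%   endif %}
{%   if server.client_ip_pool is defined and server.client_ip_pool is not none and server.client_ip_pool.disable is not defined %}
{# The optional netmask is the third ifconfig-pool argument; it must be
   separated from the pool end address by whitespace, otherwise the two are
   emitted as a single token and OpenVPN rejects the line. #}
ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ ' ' ~ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is defined and server.client_ip_pool.subnet_mask is not none else '' }}
{%   endif %}
{%   if server.max_connections is defined and server.max_connections is not none %}
max-clients {{ server.max_connections }}
{%   endif %}
{%   if server.client is defined and server.client is not none %}
client-config-dir /run/openvpn/ccd/{{ ifname }}
{%   endif %}
{% endif %}
{# keepalive <ping> <ping-restart>: the restart timeout is expressed in
   seconds, so it is the ping interval multiplied by the permitted number of
   missed pings. Jinja filters bind tighter than `*`, so both operands are
   converted to int before the multiplication. #}
keepalive {{ keep_alive.interval }} {{ keep_alive.interval|int * keep_alive.failure_count|int }}
management /run/openvpn/openvpn-mgmt-intf unix
{% if server is defined and server is not none %}
{# ccd-exclusive: only clients that have a per-client config file in
   client-config-dir are allowed to connect. #}
{%   if server.reject_unconfigured_clients is defined %}
ccd-exclusive
{%   endif %}
{%   if server.push_route is defined and server.push_route is not none %}
{%     for route in server.push_route %}
push "route {{ route }}"
{%     endfor %}
{%   endif %}
{%   if server.name_server is defined and server.name_server is not none %}
{%     for nameserver in server.name_server %}
push "dhcp-option DNS {{ nameserver }}"
{%     endfor %}
{%   endif %}
{%   if server.domain_name is defined and server.domain_name is not none %}
push "dhcp-option DOMAIN {{ server.domain_name }}"
{%   endif %}
{% endif %}
{% if subnet_v6 is defined and subnet_v6 is not none %}
# IPv6
push "tun-ipv6"
ifconfig-ipv6 {{ server_ipv6_local }}/{{ server_ipv6_prefixlen }} {{ server_ipv6_remote }}
{%   if server_ipv6_pool %}
ifconfig-ipv6-pool {{ server_ipv6_pool_base }}/{{ server_ipv6_pool_prefixlen }}
{%   endif %}
{%   for route6 in server_ipv6_push_route %}
push "route-ipv6 {{ route6 }}"
{%   endfor %}
{%   for ns6 in server_ipv6_dns_nameserver %}
push "dhcp-option DNS6 {{ ns6 }}"
{%   endfor %}
{% endif %}

{% else %}
#
# OpenVPN site-2-site mode
#
ping {{ keep_alive.interval }}
{# NOTE(review): OpenVPN's ping-restart argument is a timeout in seconds,
   whereas the server branch above emits interval * failure_count. If
   keep_alive.failure_count is a count of missed pings, this branch restarts
   the tunnel far earlier than configured - confirm against the CLI
   definition before changing it. #}
ping-restart {{ keep_alive.failure_count }}
{% if device_type == 'tap' %}
{%   for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %}
{%     if laddr_conf is defined and laddr_conf.subnet_mask is defined and laddr_conf.subnet_mask is not none %}
ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }}
{%     endif %}
{%   endfor %}
{% else %}
{%   for laddr in local_address if laddr | is_ipv4 %}
{%     for raddr in remote_address if raddr | is_ipv4 %}
ifconfig {{ laddr }} {{ raddr }}
{%     endfor %}
{%   endfor %}
{%   for laddr in local_address if laddr | is_ipv6 %}
{%     for raddr in remote_address if raddr | is_ipv6 %}
ifconfig-ipv6 {{ laddr }} {{ raddr }}
{%     endfor %}
{%   endfor %}
{% endif %}
{% endif %}

{% if tls is defined and tls is not none %}
# TLS options
{%   if tls.ca_cert_file is defined and tls.ca_cert_file is not none %}
ca {{ tls.ca_cert_file }}
{%   endif %}
{%   if tls.cert_file is defined and tls.cert_file is not none %}
cert {{ tls.cert_file }}
{%   endif %}
{%   if tls.key_file is defined and tls.key_file is not none %}
key {{ tls.key_file }}
{%   endif %}
{%   if tls.crypt_file is defined and tls.crypt_file is not none %}
tls-crypt {{ tls.crypt_file }}
{%   endif %}
{%   if tls.crl_file is defined and tls.crl_file is not none %}
crl-verify {{ tls.crl_file }}
{%   endif %}
{%   if tls.tls_version_min is defined and tls.tls_version_min is not none %}
tls-version-min {{ tls.tls_version_min }}
{%   endif %}
{%   if tls.dh_file is defined and tls.dh_file is not none %}
dh {{ tls.dh_file }}
{%   endif %}
{# tls-auth key direction: the two peers must use opposite values, hence
   1 on the client side and 0 on the server side. #}
{%   if tls.auth_file is defined and tls.auth_file is not none %}
{%     if mode == 'client' %}
tls-auth {{ tls.auth_file }} 1
{%     elif mode == 'server' %}
tls-auth {{ tls.auth_file }} 0
{%     endif %}
{%   endif %}
{%   if tls.role is defined and tls.role is not none %}
{%     if tls.role == 'active' %}
tls-client
{%     elif tls.role == 'passive' %}
tls-server
{%     endif %}
{%   endif %}
{% endif %}

# Encryption options
{% if encryption is defined and encryption is not none %}
{%   if encryption.cipher is defined and encryption.cipher is not none %}
{%     if encryption.cipher == 'none' %}
cipher none
{# des-cbc, des-ede3-cbc and bf-cbc are legacy 64-bit block ciphers; the
   `keysize` directive used for Blowfish is itself deprecated in OpenVPN 2.4. #}
{%     elif encryption.cipher == 'des' %}
cipher des-cbc
{%     elif encryption.cipher == '3des' %}
cipher des-ede3-cbc
{%     elif encryption.cipher == 'bf128' %}
cipher bf-cbc
keysize 128
{%     elif encryption.cipher == 'bf256' %}
cipher bf-cbc
{# The CLI value is a 256-bit key; the previous template emitted `keysize 25`,
   which silently configured a 25-bit Blowfish key. #}
keysize 256
{%     elif encryption.cipher == 'aes128gcm' %}
cipher aes-128-gcm
{%     elif encryption.cipher == 'aes128' %}
cipher aes-128-cbc
{%     elif encryption.cipher == 'aes192gcm' %}
cipher aes-192-gcm
{%     elif encryption.cipher == 'aes192' %}
cipher aes-192-cbc
{%     elif encryption.cipher == 'aes256gcm' %}
cipher aes-256-gcm
{%     elif encryption.cipher == 'aes256' %}
cipher aes-256-cbc
{%     endif %}
{%   endif %}
{%   if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %}
ncp-ciphers {{ encryption.ncp_ciphers | join(':') }}
{%   elif encryption.disable_ncp is defined %}
ncp-disable
{%   endif %}
{% endif %}

{% if hash is defined and hash is not none %}
auth {{ hash }}
{% endif %}

{% if authentication is defined and authentication is not none %}
auth-user-pass {{ auth_user_pass_file }}
auth-retry nointeract
{% endif %}

# DEPRECATED This option will be removed in OpenVPN 2.5
# Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this:
# /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com In addition the old
# behaviour was to remap any character other than alphanumeric, underscore ('_'),
# dash ('-'), dot ('.'), and slash ('/') to underscore ('_'). The X.509 Subject
# string as returned by the tls_id environmental variable, could additionally
# contain colon (':') or equal ('='). When using the --compat-names option, this
# old formatting and remapping will be re-enabled again. This is purely implemented
# for compatibility reasons when using older plug-ins or scripts which does not
# handle the new formatting or UTF-8 characters.
#
# See https://phabricator.vyos.net/T1512
compat-names

{% if openvpn_option is defined and openvpn_option is not none %}
#
# Custom options added by user (not validated)
#
{# Each entry is written verbatim as a daemon directive; nothing here
   restricts which directives can be set, so the configuration CLI is the
   only control point for what reaches the daemon. #}
{%   for option in openvpn_option %}
{{ option }}
{%   endfor %}
{% endif %}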