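### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definitions
{#
   Template for the per-interface OpenVPN daemon configuration.
   Every value below is substituted from the rendering context built by
   interfaces-openvpn.py; nothing is validated here, so the generator is
   the only place where input checking can happen.
#}

{% if description -%}
# {{ description }}
{% endif -%}

verb 3
{# Drop privileges after start-up; persist-key keeps key material readable
   across restarts (SIGUSR1) once the process can no longer re-read it. #}
user {{ uid }}
group {{ gid }}
dev-type {{ type }}
dev {{ intf }}
persist-key
iproute /usr/libexec/vyos/system/unpriv-ip
proto {% if 'tcp-active' in protocol -%}tcp6-client{% elif 'tcp-passive' in protocol -%}tcp6-server{% else %}udp6{% endif %}
{%- if local_host %}
local {{ local_host }}
{%- endif %}
{%- if mode == 'server' and protocol == 'udp' and not local_host %}
multihome
{%- endif %}
{%- if local_port %}
lport {{ local_port }}
{%- endif %}
{% if remote_port -%}
rport {{ remote_port }}
{% endif %}
{%- if remote_host %}
{%- for remote in remote_host -%}
remote {{ remote }}
{% endfor -%}
{% endif -%}
{% if shared_secret_file %}
secret {{ shared_secret_file }}
{%- endif %}
{%- if persistent_tunnel %}
persist-tun
{%- endif %}
{%- if redirect_gateway %}
push "redirect-gateway {{ redirect_gateway }}"
{%- endif %}
{%- if compress_lzo %}
compress lzo
{%- endif %}

{% if 'client' in mode -%}
#
# OpenVPN Client mode
#
client
nobind
{% elif 'server' in mode -%}
#
# OpenVPN Server mode
#
{%- if server_topology %}
topology {% if server_topology == 'point-to-point' %}p2p{% else %}{{ server_topology }}{% endif %}
{%- endif %}
{%- if bridge_member %}
mode server
tls-server
{%- else %}
server {{ server_subnet[0] }} nopool
{%- endif %}
{%- if server_pool %}
ifconfig-pool {{ server_pool_start }} {{ server_pool_stop }}{% if server_pool_netmask %} {{ server_pool_netmask }}{% endif %}
{%- endif %}
{%- if server_max_conn %}
max-clients {{ server_max_conn }}
{%- endif %}
{%- if client %}
client-config-dir /run/openvpn/ccd/{{ intf }}
{%- endif %}
{%- if server_reject_unconfigured %}
ccd-exclusive
{%- endif %}
keepalive {{ ping_interval }} {{ ping_restart }}
{# NOTE(review): the management socket is created under /tmp, a shared
   world-writable directory, and the path is not interface-specific. A
   per-interface path under /run/openvpn plus management-client-user /
   management-client-group would limit who can attach to it — confirm the
   daemon's runtime user before changing the path. #}
management /tmp/openvpn-mgmt-intf unix
{% for route in server_push_route -%}
push "route {{ route }}"
{% endfor -%}
{% for ns in server_dns_nameserver -%}
push "dhcp-option DNS {{ ns }}"
{% endfor -%}
{%- if server_domain -%}
push "dhcp-option DOMAIN {{ server_domain }}"
{% endif -%}
{%- if server_ipv6_local %}
# IPv6
push "tun-ipv6"
ifconfig-ipv6 {{ server_ipv6_local }}/{{ server_ipv6_prefixlen }} {{ server_ipv6_remote }}
{%- if server_ipv6_pool %}
ifconfig-ipv6-pool {{ server_ipv6_pool_base }}/{{ server_ipv6_pool_prefixlen }}
{%- endif %}
{%- for route6 in server_ipv6_push_route %}
push "route-ipv6 {{ route6 }}"
{%- endfor %}
{%- for ns6 in server_ipv6_dns_nameserver %}
push "dhcp-option DNS6 {{ ns6 }}"
{%- endfor %}
{%- endif %}
{% else -%}
#
# OpenVPN site-2-site mode
#
ping {{ ping_interval }}
ping-restart {{ ping_restart }}
{% if local_address_subnet -%}
ifconfig {{ local_address[0] }} {{ local_address_subnet }}
{%- elif remote_address -%}
ifconfig {{ local_address[0] }} {{ remote_address[0] }}
{%- endif %}
{% if ipv6_local_address -%}
ifconfig-ipv6 {{ ipv6_local_address[0] }} {{ ipv6_remote_address[0] }}
{%- endif %}
{% endif -%}

{% if tls -%}
# TLS options
{# Each TLS keyword is emitted only when its value is set; when
   tls-version-min is absent the OpenVPN built-in default applies. #}
{%- if tls_ca_cert %}
ca {{ tls_ca_cert }}
{%- endif %}
{%- if tls_cert %}
cert {{ tls_cert }}
{%- endif %}
{%- if tls_key %}
key {{ tls_key }}
{%- endif %}
{%- if tls_crypt %}
tls-crypt {{ tls_crypt }}
{%- endif %}
{%- if tls_crl %}
crl-verify {{ tls_crl }}
{%- endif %}
{%- if tls_version_min %}
tls-version-min {{ tls_version_min }}
{%- endif %}
{%- if tls_dh %}
dh {{ tls_dh }}
{%- endif %}
{%- if tls_auth %}
tls-auth {{ tls_auth }}
{%- endif %}
{%- if tls_role %}
{%- if 'active' in tls_role %}
tls-client
{%- elif 'passive' in tls_role %}
tls-server
{%- endif %}
{%- endif %}
{%- endif %}

# Encryption options
{# Maps the CLI encryption keyword to an OpenVPN cipher. The des/3des/bf
   entries are 64-bit block legacy ciphers kept for compatibility; bf256
   previously rendered "keysize 25", which is not a 256-bit key — fixed to
   256 so the keyword matches the key length it names. #}
{%- if encryption %}
{% if encryption == 'des' -%}
cipher des-cbc
{%- elif encryption == '3des' -%}
cipher des-ede3-cbc
{%- elif encryption == 'bf128' -%}
cipher bf-cbc
keysize 128
{%- elif encryption == 'bf256' -%}
cipher bf-cbc
keysize 256
{%- elif encryption == 'aes128gcm' -%}
cipher aes-128-gcm
{%- elif encryption == 'aes128' -%}
cipher aes-128-cbc
{%- elif encryption == 'aes192gcm' -%}
cipher aes-192-gcm
{%- elif encryption == 'aes192' -%}
cipher aes-192-cbc
{%- elif encryption == 'aes256gcm' -%}
cipher aes-256-gcm
{%- elif encryption == 'aes256' -%}
cipher aes-256-cbc
{%- endif -%}
{%- endif %}
{%- if ncp_ciphers %}
ncp-ciphers {{ ncp_ciphers }}
{%- endif %}
{%- if disable_ncp %}
ncp-disable
{%- endif %}

{% if hash -%}
auth {{ hash }}
{%- endif -%}
{%- if auth %}
{# auth_user_pass_file presumably holds the username/password pair read by
   OpenVPN; its permissions are set by the generator, not here — verify. #}
auth-user-pass {{ auth_user_pass_file }}
auth-retry nointeract
{%- endif %}

# DEPRECATED This option will be removed in OpenVPN 2.5
# Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this:
# /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com In addition the old
# behaviour was to remap any character other than alphanumeric, underscore ('_'),
# dash ('-'), dot ('.'), and slash ('/') to underscore ('_'). The X.509 Subject
# string as returned by the tls_id environmental variable, could additionally
# contain colon (':') or equal ('='). When using the --compat-names option, this
# old formatting and remapping will be re-enabled again. This is purely implemented
# for compatibility reasons when using older plug-ins or scripts which does not
# handle the new formatting or UTF-8 characters.
#
# See https://phabricator.vyos.net/T1512
compat-names

{% if options -%}
#
# Custom options added by user (not validated)
#
{# Rendered verbatim: a user-supplied option can override any keyword
   emitted above, including the TLS and cipher settings. #}
{% for option in options -%}
{{ option }}
{% endfor -%}
{%- endif %}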