### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition

{# The interface description is rendered as a single config comment line.
   NOTE(review): a value containing a newline would end the comment and the
   remainder would be parsed as directives — confirm the CLI validator rejects
   embedded newlines before relying on this. #}
{% if description %}
# {{ description }}
{% endif %}

# Logging verbosity, status dump (rewritten every 30 seconds) and pid file,
# all keyed by the interface name.
verb 3
status /opt/vyatta/etc/openvpn/status/{{ intf }}.status 30
writepid /var/run/openvpn/{{ intf }}.pid

# Tunnel device plus the user/group the daemon switches to after start-up.
# persist-key: do not re-read key files on restart (the manual notes they
# cannot be re-read once privileges are dropped). The iproute helper applies
# interface/route changes on behalf of the daemon — presumably because the
# daemon itself is unprivileged, as the helper name suggests.
dev-type {{ type }}
dev {{ intf }}
user {{ uid }}
group {{ gid }}
persist-key
iproute /usr/libexec/vyos/system/unpriv-ip

# Transport: tcp-active means this side connects, tcp-passive means this side
# listens; any other value falls back to udp.
proto {% if 'tcp-active' in protocol -%}tcp-client{% elif 'tcp-passive' in protocol -%}tcp-server{% else %}udp{% endif %}

# Optional bind to a specific local address.
{%- if local_host %}
local {{ local_host }}
{% endif %}

# A UDP server that is not bound to one address answers from whichever
# local address the packet arrived on.
{%- if mode == 'server' and protocol == 'udp' and not local_host %}
multihome
{% endif %}

# Explicit local / remote ports; OpenVPN's defaults apply when unset.
{%- if local_port %}
lport {{ local_port }}
{% endif %}

{%- if remote_port %}
rport {{ remote_port }}
{% endif %}

# One 'remote' line per configured peer.
{%- if remote_host %}
{% for remote in remote_host -%}
remote {{ remote }}
{% endfor -%}
{% endif %}

# Static pre-shared key mode. NOTE(review): OpenVPN treats --secret and the
# TLS options rendered further down as mutually exclusive; this template does
# not guard against both being set — presumably the CLI validator does.
{%- if shared_secret_file %}
secret {{ shared_secret_file }}
{% endif %}

# Keep the tun/tap device open across restarts (the manual pairs this with
# user/group, since the unprivileged daemon cannot reopen the device).
{%- if persistent_tunnel %}
persist-tun
{% endif %}

{%- if mode %}
{%- if 'client' in mode %}
#
# OpenVPN Client mode
#
# client: TLS client that pulls server-pushed options; nobind: use an
# ephemeral local port instead of binding one.
client
nobind
{%- elif 'server' in mode %}
#
# OpenVPN Server mode
#
mode server
# NOTE(review): the tls_role block later in this file can also render a
# tls-client/tls-server line; presumably tls_role is only settable in
# site-to-site mode — confirm, otherwise server mode could emit both.
tls-server
# keepalive <ping interval> <restart timeout>, pushed to clients by OpenVPN.
keepalive {{ ping_interval }} {{ ping_restart }}
# NOTE(review): unlike the status/pid paths above, the management socket is
# not keyed by interface, so two server instances would collide on it. It
# also lives under /tmp with no access restriction visible here (e.g. no
# management-client-user) — confirm who can connect to it.
management /tmp/openvpn-mgmt-intf unix

{%- if server_topology %}
topology {% if 'point-to-point' in server_topology %}p2p{% else %}subnet{% endif %}
{% endif %}

# Options pushed to every client: DNS servers, extra routes, search domain.
{% for ns in server_dns_nameserver -%}
push "dhcp-option DNS {{ ns }}"
{% endfor -%}

{% for route in server_push_route -%}
push "route {{ route }}"
{% endfor -%}

{%- if server_domain %}
push "dhcp-option DOMAIN {{ server_domain }}"
{% endif %}

# Upper bound on concurrently connected clients.
{%- if server_max_conn %}
max-clients {{ server_max_conn }}
{% endif %}

# Bridged (tap) server without a pushed gateway, or a routed server that
# allocates client addresses from server_subnet.
{%- if bridge_member %}
server-bridge nogw
{%- else %}
server {{ server_subnet }}
{% endif %}

# ccd-exclusive: refuse clients that have no client-config-dir entry. The
# client-config-dir line itself is rendered near the end of this file and
# only when 'client' is set — NOTE(review): confirm the validator requires
# at least one client entry when reject-unconfigured is enabled.
{%- if server_reject_unconfigured %}
ccd-exclusive
{% endif %}

{%- else %}
#
# OpenVPN site-2-site mode
#
# Separate ping / ping-restart rather than keepalive (nothing is pushed here).
ping {{ ping_interval }}
ping-restart {{ ping_restart }}

# Tunnel endpoint addressing: local address + netmask when a subnet is
# configured, otherwise a local/remote pair. If neither is set no ifconfig
# line is rendered at all — presumably rejected upstream.
{%- if local_address_subnet %}
ifconfig {{ local_address }} {{ local_address_subnet }}
{% elif remote_address %}
ifconfig {{ local_address }} {{ remote_address }}
{% endif %}

{% endif %}
{% endif %}

# TLS material: CA bundle, this side's certificate and its private key.
{%- if tls_ca_cert %}
ca {{ tls_ca_cert }}
{% endif %}

{%- if tls_cert %}
cert {{ tls_cert }}
{% endif %}

{%- if tls_key %}
key {{ tls_key }}
{% endif %}

# Control-channel protection: tls-crypt both encrypts and authenticates the
# TLS handshake packets, tls-auth (below) only authenticates them.
# NOTE(review): OpenVPN rejects a config carrying both; the template does not
# guard against tls_crypt and tls_auth being set together — presumably
# validated upstream.
{%- if tls_crypt %}
tls-crypt {{ tls_crypt }}
{% endif %}

# Certificate revocation list. Without it a revoked peer certificate that
# still chains to the CA is accepted.
{%- if tls_crl %}
crl-verify {{ tls_crl }}
{% endif %}

# Minimum TLS protocol version accepted for the control channel.
{%- if tls_version_min %}
tls-version-min {{tls_version_min}}
{% endif %}

# Diffie-Hellman parameters (used on the TLS server side).
{%- if tls_dh %}
dh {{ tls_dh }}
{% endif %}

# Control-channel HMAC key; no key-direction argument is rendered.
{%- if tls_auth %}
tls-auth {{tls_auth}}
{% endif %}

# TLS handshake role (site-to-site). With Jinja's default Undefined an unset
# tls_role matches neither branch and nothing is rendered — confirm the
# environment does not use StrictUndefined.
{%- if 'active' in tls_role %}
tls-client
{%- elif 'passive' in tls_role %}
tls-server
{% endif %}

# Push a default-route override (with the configured flags) to clients.
{%- if redirect_gateway %}
push "redirect-gateway {{ redirect_gateway }}"
{% endif %}

# Legacy LZO compression. NOTE: the OpenVPN manual warns that compressing
# traffic inside an encrypted tunnel can leak information; treat this as a
# compatibility setting rather than a default.
{%- if compress_lzo %}
compress lzo
{% endif %}

# HMAC digest for data-channel packet authentication. For the GCM ciphers
# the data channel uses the AEAD tag instead, but auth still applies to
# tls-auth / tls-crypt.
{%- if hash %}
auth {{ hash }}
{% endif %}

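{%- if encryption %}
{#- Map the configured cipher name to OpenVPN's 'cipher' keyword (plus
    'keysize' for Blowfish). Matching is by substring, so longer names must
    be tested before the names they contain: '3des' before 'des', and each
    GCM variant before its CBC base. Testing 'des' first would make a 3des
    selection silently render single-DES. The des/3des/bf choices are
    64-bit block ciphers kept only for legacy peers. -#}
{%- if '3des' in encryption %}
cipher des-ede3-cbc
{%- elif 'des' in encryption %}
cipher des-cbc
{%- elif 'bf128' in encryption %}
cipher bf-cbc
keysize 128
{%- elif 'bf256' in encryption %}
cipher bf-cbc
{#- bf256 selects a 256-bit key; a truncated keysize here would silently
    weaken the key. -#}
keysize 256
{%- elif 'aes128gcm' in encryption %}
cipher aes-128-gcm
{%- elif 'aes128' in encryption %}
cipher aes-128-cbc
{%- elif 'aes192gcm' in encryption %}
cipher aes-192-gcm
{%- elif 'aes192' in encryption %}
cipher aes-192-cbc
{%- elif 'aes256gcm' in encryption %}
cipher aes-256-gcm
{%- elif 'aes256' in encryption %}
cipher aes-256-cbc
{% endif %}
{% endif %}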

# Negotiable crypto parameters: the cipher list offered to / accepted from
# peers, or disable negotiation so the static 'cipher' above is used.
{%- if ncp_ciphers %}
ncp-ciphers {{ncp_ciphers}}
{% endif %}
{%- if disable_ncp %}
ncp-disable
{% endif %}

# Username/password authentication read from a generator-written file, with
# no interactive retry. NOTE(review): the credentials file lives under /tmp;
# confirm the generator creates it with owner-only permissions and that it is
# readable by the uid the daemon runs as.
{%- if auth %}
auth-user-pass /tmp/openvpn-{{ intf }}-pw
auth-retry nointeract
{% endif %}

# Per-client override directory (also what ccd-exclusive above refers to).
{%- if client %}
client-config-dir /opt/vyatta/etc/openvpn/ccd/{{ intf }}
{% endif %}

# DEPRECATED This option will be removed in OpenVPN 2.5
# Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this:
# /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com In addition the old
# behaviour was to remap any character other than alphanumeric, underscore ('_'),
# dash ('-'), dot ('.'), and slash ('/') to underscore ('_'). The X.509 Subject
# string as returned by the tls_id environmental variable, could additionally
# contain colon (':') or equal ('='). When using the --compat-names option, this
# old formatting and remapping will be re-enabled again. This is purely implemented
# for compatibility reasons when using older plug-ins or scripts which do not
# handle the new formatting or UTF-8 characters.
#
# See https://phabricator.vyos.net/T1512
compat-names

# Raw pass-through of the extra option lines in 'options'. They are rendered
# verbatim and unvalidated by this template, so any OpenVPN keyword can appear
# here — NOTE(review): confirm upstream restricts what may be set.
{% for option in options -%}
{{ option }}
{% endfor -%}