path: root/data/templates/openvpn/server.conf.j2
blob: d7d4a586161e67df378f9eb67f1121803a4e4b41 (plain)
### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
#
# {{ description if description is vyos_defined }}
#

{# Renders one OpenVPN configuration for interface `ifname`. The `mode` variable    #}
{# selects the client, server or (final else branch) site-to-site section below.   #}
{# All key/certificate material is referenced by path under /run/openvpn; those    #}
{# files are presumably written by the generating script (not shown here).         #}
{# NOTE(review): `description` above is interpolated unescaped into a `#` comment   #}
{# line; a value containing a newline would terminate the comment and be parsed as #}
{# configuration. Presumably the CLI restricts it to a single line - confirm.      #}
verb 3
dev-type {{ device_type }}
dev {{ ifname }}
persist-key
{# Protocol defaults to UDP when `protocol` is unset or not a TCP variant. #}
{% if protocol is vyos_defined('tcp-active') %}
proto tcp-client
{% elif protocol is vyos_defined('tcp-passive') %}
proto tcp-server
{% else %}
proto udp
{% endif %}
{% if local_host is vyos_defined %}
local {{ local_host }}
{% endif %}
{# multihome lets a UDP server reply from the address a request arrived on; only   #}
{# emitted when no explicit local address pins the listener. Note the test is on   #}
{# `protocol == 'udp'`, not on the rendered `proto udp` default above: presumably  #}
{# the generator fills in protocol='udp' as a default - confirm, otherwise an unset #}
{# protocol renders `proto udp` without `multihome`.                               #}
{% if mode is vyos_defined('server') and protocol is vyos_defined('udp') and local_host is not vyos_defined %}
multihome
{% endif %}
{% if local_port is vyos_defined %}
lport {{ local_port }}
{% endif %}
{% if remote_port is vyos_defined %}
rport {{ remote_port }}
{% endif %}
{# Each configured remote host becomes its own `remote` line. #}
{% if remote_host is vyos_defined %}
{%     for remote in remote_host %}
remote {{ remote }}
{%     endfor %}
{% endif %}
{# Static-key (pre-shared secret) mode; no TLS handshake is used when this is set. #}
{% if shared_secret_key is vyos_defined %}
secret /run/openvpn/{{ ifname }}_shared.key
{% endif %}
{% if persistent_tunnel is vyos_defined %}
persist-tun
{% endif %}
{# Pushed to clients: replace their default route via the tunnel (def1 uses two #}
{# /1 routes so the original default route stays in the table).                  #}
{% if replace_default_route.local is vyos_defined %}
push "redirect-gateway local def1"
{% elif replace_default_route is vyos_defined %}
push "redirect-gateway def1"
{% endif %}
{# NOTE(review): compression inside an encrypted tunnel is deprecated by OpenVPN    #}
{# upstream because it leaks information about the plaintext (VORACLE-class         #}
{# attacks); it is only emitted when explicitly enabled, and should stay off unless #}
{# required for interoperability.                                                    #}
{% if use_lzo_compression is vyos_defined %}
compress lzo
{% endif %}
{# Data Channel Offload is opt-in: without offload.dco the kernel DCO path is #}
{# explicitly disabled rather than left to OpenVPN's auto-detection.          #}
{% if offload.dco is not vyos_defined %}
disable-dco
{% endif %}

{% if mode is vyos_defined('client') %}
#
# OpenVPN Client mode
#
client
nobind

{% elif mode is vyos_defined('server') %}
#
# OpenVPN Server mode
#
mode server
tls-server
{%     if server is vyos_defined %}
{%         if server.subnet is vyos_defined %}
{%             if server.topology is vyos_defined('point-to-point') %}
topology p2p
{%             elif server.topology is vyos_defined %}
topology {{ server.topology }}
{%             endif %}
{%             for subnet in server.subnet %}
{%                 if subnet | is_ipv4 %}
{# `nopool` suppresses the pool OpenVPN would derive from `server`; the explicit #}
{# ifconfig-pool lines below define the client address range instead.           #}
server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
{# First ip address is used as gateway. It's allows to use metrics #}
{# IPv4 routes are pushed with `vpn_gateway` and an optional metric; when no #}
{# metric is configured the inline `if` renders an empty string.              #}
{%                     if server.push_route is vyos_defined %}
{%                         for route, route_config in server.push_route.items() %}
{%                             if route | is_ipv4 %}
push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ 'vpn_gateway' ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}"
{%                             elif route | is_ipv6 %}
push "route-ipv6 {{ route }}"
{%                             endif %}
{%                         endfor %}
{%                     endif %}
{# OpenVPN assigns the first IP address to its local interface so the pool used #}
{# in net30 topology - where each client receives a /30 must start from the second subnet #}
{%                     if server.topology is vyos_defined('net30') %}
ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
{%                     else %}
{# OpenVPN assigns the first IP address to its local interface so the pool must #}
{# start from the second address and end on the last address #}
ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }}
{%                     endif %}
{%                 elif subnet | is_ipv6 %}
server-ipv6 {{ subnet }}
{%                 endif %}
{%             endfor %}
{%         endif %}

{# A manually configured client pool is emitted in addition to, not instead of, #}
{# the pool derived from server.subnet above. Presumably the generator rejects   #}
{# configuring both, since two ifconfig-pool lines would result - confirm.       #}
{%         if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %}
ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }} {{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }}
{%         endif %}
{%         if server.max_connections is vyos_defined %}
max-clients {{ server.max_connections }}
{%         endif %}
{# Per-client overrides live in a directory keyed by interface name. #}
{%         if server.client is vyos_defined %}
client-config-dir /run/openvpn/ccd/{{ ifname }}
{%         endif %}
{%     endif %}
{# Jinja filters bind tighter than `*`, so the second argument is              #}
{# (interval|int) * (failure_count|int): the timeout after which the peer is   #}
{# considered dead.                                                            #}
keepalive {{ keep_alive.interval }} {{ keep_alive.interval | int * keep_alive.failure_count | int }}
{# NOTE(review): the management interface is exposed on a unix socket with no     #}
{# password file argument; access to it is governed solely by the socket's file  #}
{# permissions/ownership, so confirm who can reach /run/openvpn on the host.     #}
management /run/openvpn/openvpn-mgmt-intf unix
{%     if server is vyos_defined %}
{# ccd-exclusive rejects any client without a file in client-config-dir, so it  #}
{# only makes sense together with server.client above - presumably enforced by  #}
{# the generator.                                                               #}
{%         if server.reject_unconfigured_clients is vyos_defined %}
ccd-exclusive
{%         endif %}

{# DNS servers are pushed with the address-family specific DHCP option keyword. #}
{%         if server.name_server is vyos_defined %}
{%             for nameserver in server.name_server %}
{%                 if nameserver | is_ipv4 %}
push "dhcp-option DNS {{ nameserver }}"
{%                 elif nameserver | is_ipv6 %}
push "dhcp-option DNS6 {{ nameserver }}"
{%                 endif %}
{%             endfor %}
{%         endif %}
{%         if server.domain_name is vyos_defined %}
push "dhcp-option DOMAIN {{ server.domain_name }}"
{%         endif %}
{# TOTP second factor via the openvpn-otp plugin. Per-user secrets are read from  #}
{# /config/auth/openvpn/<ifname>-otp-secrets; that file must be readable only by  #}
{# the OpenVPN process - confirm the generator sets its mode. `password_is_cr`    #}
{# presumably selects the challenge/response password flow when challenge is     #}
{# enabled.                                                                      #}
{%         if server.mfa.totp is vyos_defined %}
{%             set totp_config = server.mfa.totp %}
plugin "{{ plugin_dir }}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets otp_slop={{ totp_config.slop }} totp_t0={{ totp_config.drift }} totp_step={{ totp_config.step }} totp_digits={{ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}"
{%         endif %}
{%     endif %}
{% else %}
#
# OpenVPN site-2-site mode
#
{# Site-to-site uses separate ping / ping-restart rather than keepalive. #}
ping {{ keep_alive.interval }}
ping-restart {{ keep_alive.failure_count }}

{# tap: address plus subnet mask per local IPv4 address.                          #}
{# tun: one ifconfig per local/remote IPv4 pair and one ifconfig-ipv6 per IPv6    #}
{# pair; the nested loops emit a line for every combination, so presumably only  #}
{# one address per family is allowed by the generator - confirm.                 #}
{%     if device_type == 'tap' %}
{%         if local_address is vyos_defined %}
{%             for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %}
{%                 if laddr_conf.subnet_mask is vyos_defined %}
ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }}
{%                 endif %}
{%             endfor %}
{%         endif %}
{%     else %}
{%         for laddr in local_address if laddr | is_ipv4 %}
{%             for raddr in remote_address if raddr | is_ipv4 %}
ifconfig {{ laddr }} {{ raddr }}
{%             endfor %}
{%         endfor %}
{%         for laddr in local_address if laddr | is_ipv6 %}
{%             for raddr in remote_address if raddr | is_ipv6 %}
ifconfig-ipv6 {{ laddr }} {{ raddr }}
{%             endfor %}
{%         endfor %}
{%     endif %}
{% endif %}

{% if tls is vyos_defined %}
# TLS options
{%     if tls.ca_certificate is vyos_defined %}
ca /run/openvpn/{{ ifname }}_ca.pem
{%     endif %}
{%     if tls.certificate is vyos_defined %}
cert /run/openvpn/{{ ifname }}_cert.pem
{%     endif %}
{%     if tls.private_key is vyos_defined %}
key /run/openvpn/{{ ifname }}_cert.key
{%     endif %}
{# tls-crypt authenticates and encrypts the control channel with a shared key. #}
{%     if tls.crypt_key is vyos_defined %}
tls-crypt /run/openvpn/{{ ifname }}_crypt.key
{%     endif %}
{# Revocation is only checked when a CRL is configured; without it, revoked peer #}
{# certificates remain accepted until they expire.                               #}
{%     if tls.crl is vyos_defined %}
crl-verify /run/openvpn/{{ ifname }}_crl.pem
{%     endif %}
{# No TLS version floor is emitted when unset; OpenVPN's built-in default applies. #}
{%     if tls.tls_version_min is vyos_defined %}
tls-version-min {{ tls.tls_version_min }}
{%     endif %}
{# `dh none` disables finite-field DH parameters, leaving EC key exchange. #}
{%     if tls.dh_params is vyos_defined %}
dh /run/openvpn/{{ ifname }}_dh.pem
{%     else %}
dh none
{%     endif %}
{# tls-auth key direction: 1 on the client, 0 on the server. No tls-auth line is   #}
{# emitted in site-to-site mode even when tls.auth_key is set, so the key would be #}
{# silently unused there - confirm whether the generator rejects that combination. #}
{%     if tls.auth_key is vyos_defined %}
{%         if mode == 'client' %}
tls-auth /run/openvpn/{{ ifname }}_auth.key 1
{%         elif mode == 'server' %}
tls-auth /run/openvpn/{{ ifname }}_auth.key 0
{%         endif %}
{%     endif %}
{# TLS role for site-to-site; server mode already emits tls-server above, so #}
{# tls.role is presumably only accepted outside server mode - confirm.      #}
{%     if tls.role is vyos_defined('active') %}
tls-client
{%     elif tls.role is vyos_defined('passive') %}
tls-server
{%     endif %}

{# Certificate pinning: peers are accepted by certificate fingerprint. #}
{%     if tls.peer_fingerprint is vyos_defined %}
<peer-fingerprint>
{%         for fp in tls.peer_fingerprint %}
{{ fp }}
{%         endfor %}
</peer-fingerprint>
{%     endif %}
{% endif %}

# Encryption options
{% if encryption is vyos_defined %}
{%     if encryption.cipher is vyos_defined %}
cipher {{ encryption.cipher | openvpn_cipher }}
{# NOTE(review): `keysize` was deprecated in OpenVPN 2.4 and has since been removed #}
{# upstream; confirm the shipped OpenVPN version still accepts it for Blowfish.      #}
{%         if encryption.cipher is vyos_defined('bf128') %}
keysize 128
{%         elif encryption.cipher is vyos_defined('bf256') %}
keysize 256
{%         endif %}
{%     endif %}
{# Cipher list offered for data-channel negotiation. #}
{%     if encryption.ncp_ciphers is vyos_defined %}
data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }}
{%     endif %}
{% endif %}
# https://vyos.dev/T5027
# Required to support BF-CBC (default ciphername when none given)
{# NOTE(review): the OpenSSL legacy provider is loaded unconditionally, not only   #}
{# when a Blowfish cipher is selected, which makes legacy algorithms available to  #}
{# every instance; gating this on the cipher choice would narrow the exposure.    #}
providers legacy default

{# HMAC digest for the data channel (and for tls-auth when used). #}
{% if hash is vyos_defined %}
auth {{ hash }}
{% endif %}

{# Username/password authentication from a credentials file; nointeract avoids #}
{# prompting on auth failure.                                                  #}
{% if authentication is vyos_defined %}
auth-user-pass {{ auth_user_pass_file }}
auth-retry nointeract
{% endif %}