### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for the definition of each keyword (note: 'data-ciphers' used below is an
# OpenVPN 2.5+ option and is documented in the 2.5 man page, not the 2.4 one)
#
# {{ description if description is vyos_defined }}
#

{# Options common to client, server and site-to-site modes. #}
verb 3
dev-type {{ device_type }}
dev {{ ifname }}
persist-key
{# 'tcp-active' dials out, 'tcp-passive' listens; any other value (including unset) falls back to UDP. #}
{% if protocol is vyos_defined('tcp-active') %}
proto tcp-client
{% elif protocol is vyos_defined('tcp-passive') %}
proto tcp-server
{% else %}
proto udp
{% endif %}
{% if local_host is vyos_defined %}
local {{ local_host }}
{% endif %}
{# multihome is only needed for a UDP server that is not bound to one address.
   NOTE(review): this tests protocol == 'udp' explicitly, while the else branch above emits
   'proto udp' for an unset protocol too; if 'protocol' can be absent at render time,
   multihome is skipped in that case — confirm the config script always sets a default. #}
{% if mode is vyos_defined('server') and protocol is vyos_defined('udp') and local_host is not vyos_defined %}
multihome
{% endif %}
{% if local_port is vyos_defined %}
lport {{ local_port }}
{% endif %}
{% if remote_port is vyos_defined %}
rport {{ remote_port }}
{% endif %}
{# One 'remote' line per configured peer. #}
{% if remote_host is vyos_defined %}
{%     for remote in remote_host %}
remote {{ remote }}
{%     endfor %}
{% endif %}
{# Static-key mode; the key file is expected under /run/openvpn (presumably written by the config script).
   NOTE(review): a pre-shared static key gives no forward secrecy and no per-peer identity — prefer TLS. #}
{% if shared_secret_key is vyos_defined %}
secret /run/openvpn/{{ ifname }}_shared.key
{% endif %}
{% if persistent_tunnel is vyos_defined %}
persist-tun
{% endif %}
{# Push a default route to clients; the 'local' flag is for peers on a directly shared subnet. #}
{% if replace_default_route.local is vyos_defined %}
push "redirect-gateway local def1"
{% elif replace_default_route is vyos_defined %}
push "redirect-gateway def1"
{% endif %}
{# NOTE(review): compressing tunnel payload lets an attacker who can inject chosen plaintext
   recover secrets from packet sizes (VORACLE); OpenVPN deprecates 'compress'. Keep this off
   unless interoperability requires it. #}
{% if use_lzo_compression is vyos_defined %}
compress lzo
{% endif %}

{# Mode-specific section: 'client', 'server', or (neither) site-to-site. #}
{% if mode is vyos_defined('client') %}
#
# OpenVPN Client mode
#
{# NOTE(review): nothing in this template emits 'remote-cert-tls server' or 'verify-x509-name'.
   Unless that is enforced elsewhere, any certificate issued by the configured CA (for example
   another client's) would be accepted as the server's. #}
client
nobind

{% elif mode is vyos_defined('server') %}
#
# OpenVPN Server mode
#
mode server
tls-server
{%     if server is vyos_defined %}
{%         if server.subnet is vyos_defined %}
{%             if server.topology is vyos_defined('point-to-point') %}
topology p2p
{%             elif server.topology is vyos_defined %}
topology {{ server.topology }}
{%             endif %}
{# 'nopool' is appended when an explicit client-ip-pool is configured and not disabled;
   the matching 'ifconfig-pool' line is emitted further down under the same condition. #}
{%             for subnet in server.subnet %}
{%                 if subnet | is_ipv4 %}
server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} {{ 'nopool' if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined else '' }}
{# The subnet's first host address is given as the route gateway so that a metric can follow it;
   without a metric, gateway and metric are both omitted.
   NOTE(review): this push_route loop is nested inside the per-subnet loop, so with more than one
   IPv4 server subnet every route is pushed once per subnet, each time with a different gateway. #}
{%                     if server.push_route is vyos_defined %}
{%                         for route, route_config in server.push_route.items() %}
{%                             if route | is_ipv4 %}
push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ subnet | first_host_address ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}"
{%                             elif route | is_ipv6 %}
push "route-ipv6 {{ route }}"
{%                             endif %}
{%                         endfor %}
{%                     endif %}
{%                 elif subnet | is_ipv6 %}
server-ipv6 {{ subnet }}
{%                 endif %}
{%             endfor %}
{%         endif %}

{# NOTE(review): there is no space between the stop address and the subnet mask below, so this
   renders as 'ifconfig-pool <start> <stop><mask>' unless subnet_mask arrives with a leading
   space — confirm against interfaces-openvpn.py. #}
{%         if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %}
ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }}
{%         endif %}
{%         if server.max_connections is vyos_defined %}
max-clients {{ server.max_connections }}
{%         endif %}
{# Per-client overrides are read from a CCD directory keyed by interface name. #}
{%         if server.client is vyos_defined %}
client-config-dir /run/openvpn/ccd/{{ ifname }}
{%         endif %}
{%     endif %}
{# Second keepalive argument is the restart timeout: interval * failure-count. #}
keepalive {{ keep_alive.interval }} {{ keep_alive.interval | int * keep_alive.failure_count | int }}
{# NOTE(review): the management socket path carries no <ifname> component, unlike every other
   path in this file, so multiple OpenVPN interfaces would share it. The management interface
   gives full control of the daemon (disconnect clients, change state); the socket's filesystem
   permissions therefore matter — confirm they are restricted. #}
management /run/openvpn/openvpn-mgmt-intf unix
{%     if server is vyos_defined %}
{# ccd-exclusive rejects clients that present a valid certificate but have no CCD entry.
   It is only emitted for reject-unconfigured-clients; otherwise any certificate from the CA may connect. #}
{%         if server.reject_unconfigured_clients is vyos_defined %}
ccd-exclusive
{%         endif %}

{# DNS/domain options pushed to clients, IPv4 and IPv6 name servers handled separately. #}
{%         if server.name_server is vyos_defined %}
{%             for nameserver in server.name_server %}
{%                 if nameserver | is_ipv4 %}
push "dhcp-option DNS {{ nameserver }}"
{%                 elif nameserver | is_ipv6 %}
push "dhcp-option DNS6 {{ nameserver }}"
{%                 endif %}
{%             endfor %}
{%         endif %}
{%         if server.domain_name is vyos_defined %}
push "dhcp-option DOMAIN {{ server.domain_name }}"
{%         endif %}
{# TOTP second factor via the openvpn-otp plugin. The per-interface secrets file lives under
   /config/auth/openvpn; 'password_is_cr' presumably switches the OTP to challenge/response
   delivery when 'challenge' is enabled — verify against the plugin's docs. #}
{%         if server.mfa.totp is vyos_defined %}
{%             set totp_config = server.mfa.totp %}
plugin "{{ plugin_dir }}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets otp_slop={{ totp_config.slop }} totp_t0={{ totp_config.drift }} totp_step={{ totp_config.step }} totp_digits={{ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}"
{%         endif %}
{%     endif %}
{% else %}
#
# OpenVPN site-2-site mode
#
{# Site-to-site uses explicit ping/ping-restart instead of the server-mode keepalive. #}
ping {{ keep_alive.interval }}
ping-restart {{ keep_alive.failure_count }}

{# tap: local address with its subnet mask; tun: one 'ifconfig' per local/remote address pair.
   NOTE(review): the tun branch is a cross product of local x remote addresses, so if the CLI
   permits more than one address per side several ifconfig lines are rendered — confirm the
   CLI restricts this to a single pair per address family. #}
{%     if device_type == 'tap' %}
{%         if local_address is vyos_defined %}
{%             for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %}
{%                 if laddr_conf.subnet_mask is vyos_defined %}
ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }}
{%                 endif %}
{%             endfor %}
{%         endif %}
{%     else %}
{%         for laddr in local_address if laddr | is_ipv4 %}
{%             for raddr in remote_address if raddr | is_ipv4 %}
ifconfig {{ laddr }} {{ raddr }}
{%             endfor %}
{%         endfor %}
{%         for laddr in local_address if laddr | is_ipv6 %}
{%             for raddr in remote_address if raddr | is_ipv6 %}
ifconfig-ipv6 {{ laddr }} {{ raddr }}
{%             endfor %}
{%         endfor %}
{%     endif %}
{% endif %}

{# TLS material is referenced from /run/openvpn/<ifname>_*; presumably rendered there from the
   PKI by the config script. #}
{% if tls is vyos_defined %}
# TLS options
{%     if tls.ca_certificate is vyos_defined %}
ca /run/openvpn/{{ ifname }}_ca.pem
{%     endif %}
{%     if tls.certificate is vyos_defined %}
cert /run/openvpn/{{ ifname }}_cert.pem
{%     endif %}
{%     if tls.private_key is vyos_defined %}
key /run/openvpn/{{ ifname }}_cert.key
{%     endif %}
{# NOTE(review): tls-crypt (here) and tls-auth (below) are mutually exclusive in OpenVPN; this
   template emits both when both keys are configured — confirm the config script rejects that. #}
{%     if tls.crypt_key is vyos_defined %}
tls-crypt /run/openvpn/{{ ifname }}_crypt.key
{%     endif %}
{# Without a CRL no revocation check is performed: revoked certificates from the CA remain valid peers. #}
{%     if tls.crl is vyos_defined %}
crl-verify /run/openvpn/{{ ifname }}_crl.pem
{%     endif %}
{# If unset, OpenVPN's built-in minimum TLS version applies (depends on the OpenVPN release);
   set it explicitly on servers that must not accept TLS 1.0/1.1. #}
{%     if tls.tls_version_min is vyos_defined %}
tls-version-min {{ tls.tls_version_min }}
{%     endif %}
{# 'dh none' disables finite-field DHE on a server without DH parameters, leaving ECDHE only. #}
{%     if tls.dh_params is vyos_defined %}
dh /run/openvpn/{{ ifname }}_dh.pem
{%     elif mode is vyos_defined('server') and tls.private_key is vyos_defined %}
dh none
{%     endif %}
{# tls-auth key direction: 0 on the server side, 1 on the client side.
   NOTE(review): site-to-site mode (mode neither 'client' nor 'server') has no branch here, so a
   configured auth_key is silently dropped; tls.role (active -> 1, passive -> 0) could supply
   the direction — confirm whether that combination is rejected or simply ignored. #}
{%     if tls.auth_key is vyos_defined %}
{%         if mode == 'client' %}
tls-auth /run/openvpn/{{ ifname }}_auth.key 1
{%         elif mode == 'server' %}
tls-auth /run/openvpn/{{ ifname }}_auth.key 0
{%         endif %}
{%     endif %}
{# TLS role for site-to-site tunnels. Server mode already emits 'tls-server' above, so a role of
   'active' there would render both tls-client and tls-server — presumably prevented by validation. #}
{%     if tls.role is vyos_defined('active') %}
tls-client
{%     elif tls.role is vyos_defined('passive') %}
tls-server
{%     endif %}
{% endif %}

# Encryption options
{# 'cipher' is the single (legacy/fallback) data-channel cipher; 'data-ciphers' is the negotiable list.
   NOTE(review): bf128/bf256 are presumably Blowfish, a 64-bit block cipher exposed to SWEET32
   on long-lived tunnels, and 'keysize' is deprecated since OpenVPN 2.4 and removed in 2.6 —
   confirm the targeted OpenVPN release still accepts these before keeping them in the CLI. #}
{% if encryption is vyos_defined %}
{%     if encryption.cipher is vyos_defined %}
cipher {{ encryption.cipher | openvpn_cipher }}
{%         if encryption.cipher is vyos_defined('bf128') %}
keysize 128
{%         elif encryption.cipher is vyos_defined('bf256') %}
keysize 256
{%         endif %}
{%     endif %}
{%     if encryption.ncp_ciphers is vyos_defined %}
data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }}
{%     endif %}
{% endif %}

{# HMAC digest for data-channel packet authentication (also used by tls-auth). The value is
   whatever the CLI allows; if MD5 or SHA1 are selectable they should be avoided. #}
{% if hash is vyos_defined %}
auth {{ hash }}
{% endif %}

{# Username/password authentication read from a file whose path the config script supplies.
   NOTE(review): the credentials sit in plaintext in that file, so its ownership and mode matter.
   'auth-retry nointeract' retries with the same credentials instead of prompting (per the man page). #}
{% if authentication is vyos_defined %}
auth-user-pass {{ auth_user_pass_file }}
auth-retry nointeract
{% endif %}