path: root/data/templates/openvpn/server.conf.tmpl
### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
#
# {{ description if description is defined and description is not none }}
#

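verb 3
{# Privileges are dropped to this user/group once the tunnel is up; persist-key #}
{# lets the daemon keep its key material across a SIGUSR1 restart after that. #}
user {{ daemon_user }}
group {{ daemon_group }}
dev-type {{ device_type }}
dev {{ ifname }}
persist-key
{# Unprivileged helper so interface addressing still works after the drop #}
iproute /usr/libexec/vyos/system/unpriv-ip
{% if protocol == 'tcp-active' %}
proto tcp-client
{% elif protocol == 'tcp-passive' %}
proto tcp-server
{% else %}
proto udp
{% endif %}
{% if local_host is defined and local_host is not none %}
local {{ local_host }}
{% endif %}
{# multihome only matters when no local address is bound. Test local_host with #}
{# the same defined-and-not-none rule as the 'local' line above: the previous #}
{# 'is not defined' check skipped both directives when the key was present but #}
{# empty, leaving a UDP server bound to nothing and without multihome. #}
{% if mode is defined and mode == 'server' and protocol == 'udp' and (local_host is not defined or local_host is none) %}
multihome
{% endif %}
{% if local_port is defined and local_port is not none %}
lport {{ local_port }}
{% endif %}
{% if remote_port is defined and remote_port is not none %}
rport {{ remote_port }}
{% endif %}
{% if remote_host is defined and remote_host is not none %}
{%   for remote in remote_host %}
remote {{ remote }}
{%   endfor %}
{% endif %}
{# Static pre-shared key (site-to-site without TLS); the path is taken as-is #}
{% if shared_secret_key_file is defined and shared_secret_key_file is not none %}
secret {{ shared_secret_key_file }}
{% endif %}
{# NOTE(review): persist-tun is optional here, but without it a restart after #}
{# the user/group drop above cannot reopen the tun/tap device - confirm intent. #}
{% if persistent_tunnel is defined %}
persist-tun
{% endif %}
{# The 'local' flag is for a peer reachable on a directly connected subnet #}
{% if replace_default_route is defined and replace_default_route.local is defined %}
push "redirect-gateway local def1"
{% elif replace_default_route is defined %}
push "redirect-gateway def1"
{% endif %}
{# NOTE(review): compression over a VPN leaks plaintext structure (VORACLE-style #}
{# attacks) and is deprecated upstream; it is emitted only because the user #}
{# explicitly asked for it. #}
{% if use_lzo_compression is defined %}
compress lzo
{% endif %}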

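{% if mode == 'client' %}
#
# OpenVPN Client mode
#
{# 'client' implies pull + tls-client; nobind leaves the source port to the kernel #}
client
nobind

{% elif mode == 'server' %}
#
# OpenVPN Server mode
#
mode server
tls-server
{%   if server is defined and server is not none %}
{%     if server.subnet is defined and server.subnet is not none %}
{%       if server.topology is defined and server.topology == 'point-to-point' %}
topology p2p
{%       elif server.topology is defined and server.topology is not none %}
topology {{ server.topology }}
{%       endif %}
{%       for subnet in server.subnet %}
{%         if subnet | is_ipv4 %}
{# 'nopool' stops OpenVPN allocating its own pool; it is spelled out below #}
server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
{# OpenVPN assigns the first IP address to its local interface so the pool used #}
{# in net30 topology - where each client receives a /30 must start from the second subnet #}
{%           if server.topology is defined and server.topology == 'net30' %}
ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
{%           else %}
{# OpenVPN assigns the first IP address to its local interface so the pool must #}
{# start from the second address and end on the last address #}
{# NOTE(review): the optional pool netmask is appended for 'tap' in the net30 #}
{# branch above but for 'tun' here; confirm the asymmetry is intentional. #}
ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }}
{%           endif %}
{%         elif subnet | is_ipv6 %}
server-ipv6 {{ subnet }}
{%         endif %}
{%       endfor %}
{%     endif %}

{%     if server.client_ip_pool is defined and server.client_ip_pool is not none and server.client_ip_pool.disable is not defined %}
{# Explicit pool. The optional netmask is now joined with a space: the previous #}
{# template glued it straight onto the stop address ('...0.100255.255.255.0'), #}
{# which is not a usable ifconfig-pool line. If a pool was already derived from #}
{# server.subnet above this is a second ifconfig-pool directive - presumably the #}
{# config validator keeps the two mutually exclusive. #}
ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ ' ' ~ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is defined and server.client_ip_pool.subnet_mask is not none }}
{%     endif %}
{%     if server.max_connections is defined and server.max_connections is not none %}
max-clients {{ server.max_connections }}
{%     endif %}
{# Per-client overrides live in a directory keyed by interface, looked up by CN #}
{%     if server.client is defined and server.client is not none %}
client-config-dir /run/openvpn/ccd/{{ ifname }}
{%     endif %}
{%   endif %}
{# keepalive <interval> <timeout>; the timeout is interval x allowed failures #}
keepalive {{ keep_alive.interval }} {{ keep_alive.interval|int * keep_alive.failure_count|int }}
{# Management channel on a unix socket with no password file and no #}
{# management-client-user/group restriction, so access is governed solely by the #}
{# socket's filesystem permissions. Unlike the ccd path above it is not keyed by #}
{# ifname - NOTE(review): a second server instance would contend for the same #}
{# socket; confirm only one is expected per system. #}
management /run/openvpn/openvpn-mgmt-intf unix
{%   if server is defined and server is not none %}
{# Refuse any client whose CN has no ccd file (only meaningful with a ccd dir) #}
{%     if server.reject_unconfigured_clients is defined %}
ccd-exclusive
{%     endif %}

{# Routes, resolvers and search domain pushed to every connecting client #}
{%     if server.push_route is defined and server.push_route is not none %}
{%       for route in server.push_route %}
{%         if route | is_ipv4 %}
push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}"
{%         elif route | is_ipv6 %}
push "route-ipv6 {{ route }}"
{%         endif %}
{%       endfor %}
{%     endif %}
{%     if server.name_server is defined and server.name_server is not none %}
{%       for nameserver in server.name_server %}
{%         if nameserver | is_ipv4 %}
push "dhcp-option DNS {{ nameserver }}"
{%         elif nameserver | is_ipv6 %}
push "dhcp-option DNS6 {{ nameserver }}"
{%         endif %}
{%       endfor %}
{%     endif %}
{%     if server.domain_name is defined and server.domain_name is not none %}
push "dhcp-option DOMAIN {{ server.domain_name }}"
{%     endif %}
{%   endif %}
{% else %}
#
# OpenVPN site-2-site mode
#
{# NOTE(review): ping-restart takes seconds, yet failure_count is passed straight #}
{# through, while server mode above uses interval x failure_count as the timeout. #}
{# Confirm which meaning of failure_count is intended before aligning them. #}
ping {{ keep_alive.interval }}
ping-restart {{ keep_alive.failure_count }}

{%   if device_type == 'tap' %}
{# tap: address + netmask per local IPv4; IPv6 is not configured on tap here #}
{%     for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %}
{%       if laddr_conf is defined and laddr_conf.subnet_mask is defined and laddr_conf.subnet_mask is not none %}
ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }}
{%       endif %}
{%     endfor %}
{%   else %}
{# tun: point-to-point pairs; every local address is paired with every remote #}
{# of the same family, which only yields one line when each side has one #}
{%     for laddr in local_address if laddr | is_ipv4 %}
{%       for raddr in remote_address if raddr | is_ipv4 %}
ifconfig {{ laddr }} {{ raddr }}
{%       endfor %}
{%     endfor %}
{%     for laddr in local_address if laddr | is_ipv6 %}
{%       for raddr in remote_address if raddr | is_ipv6 %}
ifconfig-ipv6 {{ laddr }} {{ raddr }}
{%       endfor %}
{%     endfor %}
{%   endif %}
{% endif %}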

{% if tls is defined and tls is not none %}
# TLS options
{# Trust anchor for peer certificates; without it no chain validation happens #}
{%   if tls.ca_cert_file is defined and tls.ca_cert_file is not none %}
ca {{ tls.ca_cert_file }}
{%   endif %}
{%   if tls.cert_file is defined and tls.cert_file is not none %}
cert {{ tls.cert_file }}
{%   endif %}
{%   if tls.key_file is defined and tls.key_file is not none %}
key {{ tls.key_file }}
{%   endif %}
{# tls-crypt authenticates and encrypts the control channel; tls-auth further #}
{# down only authenticates it. OpenVPN treats the two as mutually exclusive, #}
{# so presumably the config validator never allows both files to be set. #}
{%   if tls.crypt_file is defined and tls.crypt_file is not none %}
tls-crypt {{ tls.crypt_file }}
{%   endif %}
{# Revocation is only enforced when a CRL file is configured #}
{%   if tls.crl_file is defined and tls.crl_file is not none %}
crl-verify {{ tls.crl_file }}
{%   endif %}
{# No TLS floor is emitted unless configured; OpenVPN 2.4's own default is 1.0 #}
{%   if tls.tls_version_min is defined and tls.tls_version_min is not none %}
tls-version-min {{ tls.tls_version_min }}
{%   endif %}
{%   if tls.dh_file is defined and tls.dh_file is not none %}
dh {{ tls.dh_file }}
{%   endif %}
{# Key direction: 1 on the client, 0 on the server. In site-to-site mode (mode #}
{# is neither value) no tls-auth line is emitted even if a file is configured - #}
{# NOTE(review): confirm that is intended rather than a missing branch. #}
{%   if tls.auth_file is defined and tls.auth_file is not none %}
{%     if mode == 'client' %}
tls-auth {{ tls.auth_file }} 1
{%     elif mode == 'server' %}
tls-auth {{ tls.auth_file }} 0
{%     endif %}
{%   endif %}
{# Explicit TLS role for site-to-site; server mode already emits tls-server #}
{# above, so presumably a role is only accepted outside server mode. #}
{%   if tls.role is defined and tls.role is not none %}
{%     if tls.role == 'active' %}
tls-client
{%     elif tls.role == 'passive' %}
tls-server
{%     endif %}
{%   endif %}
{% endif %}

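# Encryption options
{% if encryption is defined and encryption is not none %}
{# Data-channel cipher. 'none' disables encryption entirely; des/3des/bf are #}
{# 64-bit block ciphers (SWEET32-class attacks) and 'keysize' is deprecated in #}
{# OpenVPN 2.4 - they are emitted only because the user explicitly chose them. #}
{%   if encryption.cipher is defined and encryption.cipher is not none %}
{%     if encryption.cipher == 'none' %}
cipher none
{%     elif encryption.cipher == 'des' %}
cipher des-cbc
{%     elif encryption.cipher == '3des' %}
cipher des-ede3-cbc
{%     elif encryption.cipher == 'bf128' %}
cipher bf-cbc
keysize 128
{%     elif encryption.cipher == 'bf256' %}
cipher bf-cbc
{# bf256 must request a 256-bit key; the earlier 'keysize 25' was a typo #}
keysize 256
{%     elif encryption.cipher == 'aes128gcm' %}
cipher aes-128-gcm
{%     elif encryption.cipher == 'aes128' %}
cipher aes-128-cbc
{%     elif encryption.cipher == 'aes192gcm' %}
cipher aes-192-gcm
{%     elif encryption.cipher == 'aes192' %}
cipher aes-192-cbc
{%     elif encryption.cipher == 'aes256gcm' %}
cipher aes-256-gcm
{%     elif encryption.cipher == 'aes256' %}
cipher aes-256-cbc
{%     endif %}
{%   endif %}
{%   if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %}
{# Map CLI names onto OpenVPN cipher names. list.append() returns None, so its #}
{# result is discarded into '_' rather than rebound to cipher_list as before; #}
{# the list object itself is mutated in place and survives the loop scope. #}
{%     set cipher_list = [] %}
{%     for cipher in encryption.ncp_ciphers %}
{%       if cipher == 'none' %}
{%         set _ = cipher_list.append('none') %}
{%       elif cipher == 'des' %}
{%         set _ = cipher_list.append('des-cbc') %}
{%       elif cipher == '3des' %}
{%         set _ = cipher_list.append('des-ede3-cbc') %}
{%       elif cipher == 'aes128' %}
{%         set _ = cipher_list.append('aes-128-cbc') %}
{%       elif cipher == 'aes128gcm' %}
{%         set _ = cipher_list.append('aes-128-gcm') %}
{%       elif cipher == 'aes192' %}
{%         set _ = cipher_list.append('aes-192-cbc') %}
{%       elif cipher == 'aes192gcm' %}
{%         set _ = cipher_list.append('aes-192-gcm') %}
{%       elif cipher == 'aes256' %}
{%         set _ = cipher_list.append('aes-256-cbc') %}
{%       elif cipher == 'aes256gcm' %}
{%         set _ = cipher_list.append('aes-256-gcm') %}
{%       endif %}
{%     endfor %}
{# Only emit the directive when at least one name was mapped; an empty list #}
{# would render as 'ncp-ciphers :', which is not a valid cipher list. The #}
{# upper-case copy is presumably there so peers announcing upper-case names #}
{# still negotiate. Note 'none' in this list lets a peer negotiate no encryption. #}
{%     if cipher_list %}
ncp-ciphers {{ cipher_list | join(':') }}:{{ cipher_list | join(':') | upper }}
{%     endif %}
{%   elif encryption.disable_ncp is defined %}
ncp-disable
{%   endif %}
{% endif %}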

{# HMAC digest for the data channel (ignored for AEAD ciphers such as AES-GCM) #}
{# and for tls-auth. When unset OpenVPN's own default (SHA1 in 2.4) applies. #}
{% if hash is defined and hash is not none %}
auth {{ hash }}
{% endif %}

{# Username/password are read from a file rather than prompted for, so that #}
{# file holds a credential and needs restrictive permissions (presumably set by #}
{# interfaces-openvpn.py, not visible here). 'nointeract' retries without #}
{# prompting so the daemon never blocks waiting on a tty. #}
{% if authentication is defined and authentication is not none %}
auth-user-pass {{ auth_user_pass_file }}
auth-retry nointeract
{% endif %}

# DEPRECATED This option will be removed in OpenVPN 2.5
# Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this:
# /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com In addition the old
# behaviour was to remap any character other than alphanumeric, underscore ('_'),
# dash ('-'), dot ('.'), and slash ('/') to underscore ('_'). The X.509 Subject
# string as returned by the tls_id environmental variable, could additionally
# contain colon (':') or equal ('='). When using the --compat-names option, this
# old formatting and remapping will be re-enabled again. This is purely implemented
# for compatibility reasons when using older plug-ins or scripts which do not
# handle the new formatting or UTF-8 characters.
#
# See https://phabricator.vyos.net/T1512
{# Emitted unconditionally. Anything downstream that consumes tls_id / X509_* #}
{# (auth scripts, ccd lookups) presumably relies on the legacy remapping and #}
{# must be revisited before OpenVPN 2.5 drops this directive. #}
compat-names

{% if openvpn_option is defined and openvpn_option is not none %}
#
# Custom options added by user (not validated)
#
{# Each entry is split on '--' and every non-empty piece is re-emitted as its #}
{# own '--' directive, so one config value may carry several directives. #}
{# Nothing here is validated: a value containing '--' inside an argument (e.g. #}
{# a path) is split apart, and any OpenVPN directive can be injected, including #}
{# script-security/up/down whose scripts typically run as root before the #}
{# user/group drop above. Whoever can set this node is already a configuration #}
{# admin, but it widens that role to arbitrary root execution - NOTE(review). #}
{%   for option in openvpn_option %}
{%     for argument in option.split('--') %}
{%       if argument is defined and argument != '' %}
--{{ argument }}
{%       endif %}
{%     endfor %}
{%   endfor %}
{% endif %}