path: root/data/templates/openvpn/server.conf.tmpl
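### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
#
{# description is interpolated unescaped into a '#' comment line; this template #}
{# assumes the configuration layer rejects embedded newlines - TODO confirm #}
# {{ description if description is defined and description is not none }}
#

{# Log verbosity is fixed here and not exposed as a configuration option #}
verb 3
user {{ daemon_user }}
group {{ daemon_group }}
dev-type {{ device_type }}
dev {{ ifname }}
persist-key
{# Transport: tcp-active/tcp-passive map to OpenVPN's tcp-client/tcp-server, #}
{# any other protocol value falls back to udp #}
{% if protocol == 'tcp-active' %}
proto tcp-client
{% elif protocol == 'tcp-passive' %}
proto tcp-server
{% else %}
proto udp
{% endif %}
{% if local_host is defined and local_host is not none %}
local {{ local_host }}
{% endif %}
{# multihome is only emitted for a UDP server that does not bind a specific #}
{# local address; the guard mirrors the 'local' check above so a local_host #}
{# that is set to none counts as unset #}
{% if mode is defined and mode == 'server' and protocol == 'udp' and (local_host is not defined or local_host is none) %}
multihome
{% endif %}
{% if local_port is defined and local_port is not none %}
lport {{ local_port }}
{% endif %}
{% if remote_port is defined and remote_port is not none %}
rport {{ remote_port }}
{% endif %}
{# remote_host is a list; one 'remote' line per entry #}
{% if remote_host is defined and remote_host is not none %}
{%   for remote in remote_host %}
remote {{ remote }}
{%   endfor %}
{% endif %}
{# Static (pre-shared) key; the key file is written by the Python side. This #}
{# template does not check that shared_secret_key and tls are not both set - #}
{# presumably the verify step does #}
{% if shared_secret_key is defined and shared_secret_key is not none %}
secret /run/openvpn/{{ ifname }}_shared.key
{% endif %}
{% if persistent_tunnel is defined %}
persist-tun
{% endif %}
{# replace_default_route.local selects the 'local' flavour of redirect-gateway #}
{% if replace_default_route is defined and replace_default_route.local is defined %}
push "redirect-gateway local def1"
{% elif replace_default_route is defined %}
push "redirect-gateway def1"
{% endif %}
{% if use_lzo_compression is defined %}
compress lzo
{% endif %}

{% if mode == 'client' %}
#
# OpenVPN Client mode
#
client
nobind

{% elif mode == 'server' %}
#
# OpenVPN Server mode
#
mode server
tls-server
{%   if server is defined and server is not none %}
{%     if server.subnet is defined and server.subnet is not none %}
{# 'point-to-point' is the configuration name for OpenVPN's 'p2p' topology #}
{%       if server.topology is defined and server.topology == 'point-to-point' %}
topology p2p
{%       elif server.topology is defined and server.topology is not none %}
topology {{ server.topology }}
{%       endif %}
{%       for subnet in server.subnet %}
{%         if subnet | is_ipv4 %}
server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
{# OpenVPN assigns the first IP address to its local interface so the pool used #}
{# in net30 topology - where each client receives a /30 must start from the second subnet #}
{%           if server.topology is defined and server.topology == 'net30' %}
ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
{%           else %}
{# OpenVPN assigns the first IP address to its local interface so the pool must #}
{# start from the second address and end on the last address #}
ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }}
{%           endif %}
{%         elif subnet | is_ipv6 %}
server-ipv6 {{ subnet }}
{%         endif %}
{%       endfor %}
{%     endif %}

{# Explicit client pool; the optional subnet mask must be space-separated from #}
{# the stop address, the conditional yields an empty string when it is unset #}
{%     if server.client_ip_pool is defined and server.client_ip_pool is not none and server.client_ip_pool.disable is not defined %}
ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ ' ' ~ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is defined and server.client_ip_pool.subnet_mask is not none }}
{%     endif %}
{%     if server.max_connections is defined and server.max_connections is not none %}
max-clients {{ server.max_connections }}
{%     endif %}
{# Per-client config directory; the ccd files themselves are written elsewhere #}
{%     if server.client is defined and server.client is not none %}
client-config-dir /run/openvpn/ccd/{{ ifname }}
{%     endif %}
{%   endif %}
{# keepalive timeout is interval * failure_count; both are cast to int first #}
keepalive {{ keep_alive.interval }} {{ keep_alive.interval|int * keep_alive.failure_count|int }}
management /run/openvpn/openvpn-mgmt-intf unix
{%   if server is defined and server is not none %}
{# ccd-exclusive: only clients that have a ccd entry are allowed to connect #}
{%     if server.reject_unconfigured_clients is defined %}
ccd-exclusive
{%     endif %}

{%     if server.push_route is defined and server.push_route is not none %}
{%       for route in server.push_route %}
{%         if route | is_ipv4 %}
push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}"
{%         elif route | is_ipv6 %}
push "route-ipv6 {{ route }}"
{%         endif %}
{%       endfor %}
{%     endif %}
{%     if server.name_server is defined and server.name_server is not none %}
{%       for nameserver in server.name_server %}
{%         if nameserver | is_ipv4 %}
push "dhcp-option DNS {{ nameserver }}"
{%         elif nameserver | is_ipv6 %}
push "dhcp-option DNS6 {{ nameserver }}"
{%         endif %}
{%       endfor %}
{%     endif %}
{%     if server.domain_name is defined and server.domain_name is not none %}
push "dhcp-option DOMAIN {{ server.domain_name }}"
{%     endif %}
{# TOTP plugin: the '{{-' / '{%-' markers strip the preceding newline so the #}
{# continuation lines render as one quoted argument string. Defaults: slop 180, #}
{# t0 0, step 30, digits 6, challenge enabled (password_is_cr=1) #}
{%     if server['2fa']['totp'] is defined and server['2fa']['totp'] is not none %}
plugin "/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-otp.so" "otp_secrets=/config/otp-secrets otp_slop=
{{- server['2fa']['totp']['slop']|default(180) }} totp_t0=
{{- server['2fa']['totp']['t0']|default(0) }} totp_step=
{{- server['2fa']['totp']['step']|default(30) }} totp_digits=
{{- server['2fa']['totp']['digits']|default(6)}} password_is_cr=
{%-if server['2fa']['totp']['challenge']|default('enable') == 'enable' %}1{% else %}0{% endif %}"
{%     endif %}
{%   endif %}
{% else %}
#
# OpenVPN site-2-site mode
#
ping {{ keep_alive.interval }}
ping-restart {{ keep_alive.failure_count }}

{# tap: one ifconfig per IPv4 local address that carries a subnet mask #}
{# tun: pair every IPv4 local address with every IPv4 remote address, same for IPv6 #}
{%   if device_type == 'tap' %}
{%     for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %}
{%       if laddr_conf is defined and laddr_conf.subnet_mask is defined and laddr_conf.subnet_mask is not none %}
ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }}
{%       endif %}
{%     endfor %}
{%   else %}
{%     for laddr in local_address if laddr | is_ipv4 %}
{%       for raddr in remote_address if raddr | is_ipv4 %}
ifconfig {{ laddr }} {{ raddr }}
{%       endfor %}
{%     endfor %}
{%     for laddr in local_address if laddr | is_ipv6 %}
{%       for raddr in remote_address if raddr | is_ipv6 %}
ifconfig-ipv6 {{ laddr }} {{ raddr }}
{%       endfor %}
{%     endfor %}
{%   endif %}
{% endif %}

{# All key material is referenced under /run/openvpn/<ifname>_*; the files are #}
{# written by the Python side, this template only emits the paths #}
{% if tls is defined and tls is not none %}
# TLS options
{%   if tls.ca_certificate is defined and tls.ca_certificate is not none %}
ca /run/openvpn/{{ ifname }}_ca.pem
{%   endif %}
{%   if tls.certificate is defined and tls.certificate is not none %}
cert /run/openvpn/{{ ifname }}_cert.pem
{%   endif %}
{%   if tls.private_key is defined %}
key /run/openvpn/{{ ifname }}_cert.key
{%   endif %}
{%   if tls.crypt_key is defined and tls.crypt_key is not none %}
tls-crypt /run/openvpn/{{ ifname }}_crypt.key
{%   endif %}
{# Certificate revocation list; only checked when the crl node is present #}
{%   if tls.crl is defined %}
crl-verify /run/openvpn/{{ ifname }}_crl.pem
{%   endif %}
{%   if tls.tls_version_min is defined and tls.tls_version_min is not none %}
tls-version-min {{ tls.tls_version_min }}
{%   endif %}
{%   if tls.dh_params is defined and tls.dh_params is not none %}
dh /run/openvpn/{{ ifname }}_dh.pem
{%   endif %}
{# tls-auth key direction: client side 1, server side 0. NOTE(review): the #}
{# site-2-site branch (mode neither 'client' nor 'server') emits no tls-auth #}
{# line even when auth_key is configured - confirm this is intended #}
{%   if tls.auth_key is defined and tls.auth_key is not none %}
{%     if mode == 'client' %}
tls-auth /run/openvpn/{{ ifname }}_auth.key 1
{%     elif mode == 'server' %}
tls-auth /run/openvpn/{{ ifname }}_auth.key 0
{%     endif %}
{%   endif %}
{%   if tls.role is defined and tls.role is not none %}
{%     if tls.role == 'active' %}
tls-client
{%     elif tls.role == 'passive' %}
tls-server
{%     endif %}
{%   endif %}
{% endif %}

# Encryption options
{# The cipher name is mapped by the openvpn_cipher filter (defined outside this #}
{# template); the explicit keysize line is only needed for the bf128/bf256 values #}
{% if encryption is defined and encryption is not none %}
{%   if encryption.cipher is defined and encryption.cipher is not none %}
cipher {{ encryption.cipher | openvpn_cipher }}
{%     if encryption.cipher == 'bf128' %}
keysize 128
{%     elif encryption.cipher == 'bf256' %}
keysize 256
{%     endif %}
{%   endif %}
{%   if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %}
data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }}
{%   endif %}
{% endif %}

{% if hash is defined and hash is not none %}
auth {{ hash }}
{% endif %}

{# Username/password authentication; auth_user_pass_file is supplied by the #}
{# Python side together with the credentials file it points at #}
{% if authentication is defined and authentication is not none %}
auth-user-pass {{ auth_user_pass_file }}
auth-retry nointeract
{% endif %}

{# Each openvpn_option entry may hold several '--'-separated directives. They #}
{# are written verbatim and last, without validation, so they can repeat or #}
{# override any directive emitted above - check this block first when a #}
{# rendered configuration misbehaves #}
{% if openvpn_option is defined and openvpn_option is not none %}
#
# Custom options added by user (not validated)
#
{%   for option in openvpn_option %}
{%     for argument in option.split('--') %}
{%       if argument is defined and argument != '' %}
{{ argument }}
{%       endif %}
{%     endfor %}
{%   endfor %}
{% endif %}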