T6357: create test repository to validate setup

4 files changed, 279 insertions, 0 deletions

diff --git a/data/templates/openvpn/auth.pw.j2 b/data/templates/openvpn/auth.pw.j2
new file mode 100644
index 0000000..9f9b31e
--- /dev/null
+++ b/data/templates/openvpn/auth.pw.j2
@@ -0,0 +1,5 @@
+{# Autogenerated by interfaces_openvpn.py #}
+{% if authentication is vyos_defined %}
+{{ authentication.username }}
+{{ authentication.password }}
+{% endif %}
diff --git a/data/templates/openvpn/client.conf.j2 b/data/templates/openvpn/client.conf.j2
new file mode 100644
index 0000000..9edcdc8
--- /dev/null
+++ b/data/templates/openvpn/client.conf.j2
@@ -0,0 +1,31 @@
+### Autogenerated by interfaces_openvpn.py ###
+
+{% if ip is vyos_defined %}
+ifconfig-push {{ ip[0] }} {{ server_subnet[0] | netmask_from_cidr }}
+{% endif %}
+{% if push_route is vyos_defined %}
+{%     for route in push_route %}
+push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}"
+{%     endfor %}
+{% endif %}
+{% if subnet is vyos_defined %}
+{%     for network in subnet %}
+iroute {{ network | address_from_cidr }} {{ network | netmask_from_cidr }}
+{%     endfor %}
+{% endif %}
+{# ipv6_remote is only set when IPv6 server is enabled #}
+{% if ipv6_remote is vyos_defined %}
+# IPv6
+{%     if ipv6_ip is vyos_defined %}
+ifconfig-ipv6-push {{ ipv6_ip[0] }} {{ ipv6_remote }}
+{%     endif %}
+{%     for route6 in ipv6_push_route %}
+push "route-ipv6 {{ route6 }}"
+{%     endfor %}
+{%     for net6 in ipv6_subnet %}
+iroute-ipv6 {{ net6 }}
+{%     endfor %}
+{% endif %}
+{% if disable is vyos_defined %}
+disable
+{% endif %}
diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
new file mode 100644
index 0000000..6ac5254
--- /dev/null
+++ b/data/templates/openvpn/server.conf.j2
@@ -0,0 +1,222 @@
+### Autogenerated by interfaces_openvpn.py ###
+#
+# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+# for individual keyword definition
+#
+# {{ description if description is vyos_defined }}
+#
+
+verb 3
+dev-type {{ device_type }}
+dev {{ ifname }}
+persist-key
+{% if protocol is vyos_defined('tcp-active') %}
+proto tcp-client
+{% elif protocol is vyos_defined('tcp-passive') %}
+proto tcp-server
+{% else %}
+proto udp
+{% endif %}
+{% if local_host is vyos_defined %}
+local {{ local_host }}
+{% endif %}
+{% if mode is vyos_defined('server') and protocol is vyos_defined('udp') and local_host is not vyos_defined %}
+multihome
+{% endif %}
+{% if local_port is vyos_defined %}
+lport {{ local_port }}
+{% endif %}
+{% if remote_port is vyos_defined %}
+rport {{ remote_port }}
+{% endif %}
+{% if remote_host is vyos_defined %}
+{%     for remote in remote_host %}
+remote {{ remote }}
+{%     endfor %}
+{% endif %}
+{% if shared_secret_key is vyos_defined %}
+secret /run/openvpn/{{ ifname }}_shared.key
+{% endif %}
+{% if persistent_tunnel is vyos_defined %}
+persist-tun
+{% endif %}
+{% if replace_default_route.local is vyos_defined %}
+push "redirect-gateway local def1"
+{% elif replace_default_route is vyos_defined %}
+push "redirect-gateway def1"
+{% endif %}
+{% if use_lzo_compression is vyos_defined %}
+compress lzo
+{% endif %}
+{% if offload.dco is not vyos_defined %}
+disable-dco
+{% endif %}
+
+{% if mode is vyos_defined('client') %}
+#
+# OpenVPN Client mode
+#
+client
+nobind
+
+{% elif mode is vyos_defined('server') %}
+#
+# OpenVPN Server mode
+#
+mode server
+tls-server
+{%     if server is vyos_defined %}
+{%         if server.subnet is vyos_defined %}
+{%             if server.topology is vyos_defined('point-to-point') %}
+topology p2p
+{%             elif server.topology is vyos_defined %}
+topology {{ server.topology }}
+{%             endif %}
+{%             for subnet in server.subnet %}
+{%                 if subnet | is_ipv4 %}
+server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} {{ 'nopool' if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined else '' }}
+{# First ip address is used as gateway. It's allows to use metrics #}
+{%                     if server.push_route is vyos_defined %}
+{%                         for route, route_config in server.push_route.items() %}
+{%                             if route | is_ipv4 %}
+push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ 'vpn_gateway' ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}"
+{%                             elif route | is_ipv6 %}
+push "route-ipv6 {{ route }}"
+{%                             endif %}
+{%                         endfor %}
+{%                     endif %}
+{%                 elif subnet | is_ipv6 %}
+server-ipv6 {{ subnet }}
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+
+{%         if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %}
+ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }} {{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }}
+{%         endif %}
+{%         if server.max_connections is vyos_defined %}
+max-clients {{ server.max_connections }}
+{%         endif %}
+{%         if server.client is vyos_defined %}
+client-config-dir /run/openvpn/ccd/{{ ifname }}
+{%         endif %}
+{%     endif %}
+keepalive {{ keep_alive.interval }} {{ keep_alive.interval | int * keep_alive.failure_count | int }}
+management /run/openvpn/openvpn-mgmt-intf unix
+{%     if server is vyos_defined %}
+{%         if server.reject_unconfigured_clients is vyos_defined %}
+ccd-exclusive
+{%         endif %}
+
+{%         if server.name_server is vyos_defined %}
+{%             for nameserver in server.name_server %}
+{%                 if nameserver | is_ipv4 %}
+push "dhcp-option DNS {{ nameserver }}"
+{%                 elif nameserver | is_ipv6 %}
+push "dhcp-option DNS6 {{ nameserver }}"
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+{%         if server.domain_name is vyos_defined %}
+push "dhcp-option DOMAIN {{ server.domain_name }}"
+{%         endif %}
+{%         if server.mfa.totp is vyos_defined %}
+{%             set totp_config = server.mfa.totp %}
+plugin "{{ plugin_dir }}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets otp_slop={{ totp_config.slop }} totp_t0={{ totp_config.drift }} totp_step={{ totp_config.step }} totp_digits={{ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}"
+{%         endif %}
+{%     endif %}
+{% else %}
+#
+# OpenVPN site-2-site mode
+#
+ping {{ keep_alive.interval }}
+ping-restart {{ keep_alive.failure_count }}
+
+{%     if device_type == 'tap' %}
+{%         if local_address is vyos_defined %}
+{%             for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %}
+{%                 if laddr_conf.subnet_mask is vyos_defined %}
+ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }}
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+{%     else %}
+{%         for laddr in local_address if laddr | is_ipv4 %}
+{%             for raddr in remote_address if raddr | is_ipv4 %}
+ifconfig {{ laddr }} {{ raddr }}
+{%             endfor %}
+{%         endfor %}
+{%         for laddr in local_address if laddr | is_ipv6 %}
+{%             for raddr in remote_address if raddr | is_ipv6 %}
+ifconfig-ipv6 {{ laddr }} {{ raddr }}
+{%             endfor %}
+{%         endfor %}
+{%     endif %}
+{% endif %}
+
+{% if tls is vyos_defined %}
+# TLS options
+{%     if tls.ca_certificate is vyos_defined %}
+ca /run/openvpn/{{ ifname }}_ca.pem
+{%     endif %}
+{%     if tls.certificate is vyos_defined %}
+cert /run/openvpn/{{ ifname }}_cert.pem
+{%     endif %}
+{%     if tls.private_key is vyos_defined %}
+key /run/openvpn/{{ ifname }}_cert.key
+{%     endif %}
+{%     if tls.crypt_key is vyos_defined %}
+tls-crypt /run/openvpn/{{ ifname }}_crypt.key
+{%     endif %}
+{%     if tls.crl is vyos_defined %}
+crl-verify /run/openvpn/{{ ifname }}_crl.pem
+{%     endif %}
+{%     if tls.tls_version_min is vyos_defined %}
+tls-version-min {{ tls.tls_version_min }}
+{%     endif %}
+{%     if tls.dh_params is vyos_defined %}
+dh /run/openvpn/{{ ifname }}_dh.pem
+{%     else %}
+dh none
+{%     endif %}
+{%     if tls.auth_key is vyos_defined %}
+{%         if mode == 'client' %}
+tls-auth /run/openvpn/{{ ifname }}_auth.key 1
+{%         elif mode == 'server' %}
+tls-auth /run/openvpn/{{ ifname }}_auth.key 0
+{%         endif %}
+{%     endif %}
+{%     if tls.role is vyos_defined('active') %}
+tls-client
+{%     elif tls.role is vyos_defined('passive') %}
+tls-server
+{%     endif %}
+
+{%     if tls.peer_fingerprint is vyos_defined %}
+<peer-fingerprint>
+{%         for fp in tls.peer_fingerprint %}
+{{ fp }}
+{%         endfor %}
+</peer-fingerprint>
+{%     endif %}
+{% endif %}
+
+# Encryption options
+{% if encryption is vyos_defined %}
+{%     if encryption.cipher is vyos_defined %}
+cipher {{ encryption.cipher | openvpn_cipher }}
+{%     endif %}
+{%     if encryption.ncp_ciphers is vyos_defined %}
+data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }}
+{%     endif %}
+{% endif %}
+providers default
+
+{% if hash is vyos_defined %}
+auth {{ hash }}
+{% endif %}
+
+{% if authentication is vyos_defined %}
+auth-user-pass {{ auth_user_pass_file }}
+auth-retry nointeract
+{% endif %}
diff --git a/data/templates/openvpn/service-override.conf.j2 b/data/templates/openvpn/service-override.conf.j2
new file mode 100644
index 0000000..616ba3b
--- /dev/null
+++ b/data/templates/openvpn/service-override.conf.j2
@@ -0,0 +1,21 @@
+{% set options = namespace(value='') %}
+{% if openvpn_option is vyos_defined %}
+{%     for option in openvpn_option %}
+{#         Remove the '--' prefix from variable if it is presented #}
+{%         if option.startswith('--') %}
+{%             set option = option.split('--', maxsplit=1)[1] %}
+{%         endif %}
+{#         Workaround to pass '--push' options properly. Previously openvpn accepted this option without values in double-quotes #}
+{#         But now it stopped doing this, so we need to add them for compatibility #}
+{#         HOWEVER! This is a raw option and we do not promise that this or any other trick will work for all the cases. #}
+{#         Using 'openvpn-option' you take all responsibility for compatibility for yourself. #}
+{%         if option.startswith('push') and not (option.startswith('push "') and option.endswith('"')) %}
+{%             set option = 'push \"%s\"' | format(option.split('push ', maxsplit=1)[1]) %}
+{%         endif %}
+{%         set options.value = options.value ~ ' --' ~ option %}
+{%     endfor %}
+{% endif %}
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid {{ options.value }}
+