interfaces-openvpn.xml.in
No OneTemporary
Actions

Size

33 KB

Referenced Files

None

Subscribers

None

interfaces-openvpn.xml.in
View Options

	<?xml version="1.0"?>
	<interfaceDefinition>
	<node name="interfaces">
	<children>
	<tagNode name="openvpn" owner="${vyos_conf_scripts_dir}/interfaces-openvpn.py">
	<properties>
	<help>OpenVPN Tunnel Interface</help>
	<priority>460</priority>
	<constraint>
	<regex>vtun[0-9]+</regex>
	</constraint>
	<constraintErrorMessage>OpenVPN tunnel interface must be named vtunN</constraintErrorMessage>
	<valueHelp>
	<format>vtunN</format>
	<description>OpenVPN interface name</description>
	</valueHelp>
	</properties>
	<children>
	<node name="authentication">
	<properties>
	<help>Authentication options</help>
	</properties>
	<children>
	<leafNode name="password">
	<properties>
	<help>OpenVPN password used for authentication</help>
	</properties>
	</leafNode>
	<leafNode name="username">
	<properties>
	<help>OpenVPN username used for authentication</help>
	</properties>
	</leafNode>
	</children>
	</node>
	#include <include/interface/description.xml.i>
	<leafNode name="device-type">
	<properties>
	<help>OpenVPN interface device-type</help>
	<completionHelp>
	<list>tun tap</list>
	</completionHelp>
	<valueHelp>
	<format>tun</format>
	<description>TUN device, required for OSI layer 3</description>
	</valueHelp>
	<valueHelp>
	<format>tap</format>
	<description>TAP device, required for OSI layer 2</description>
	</valueHelp>
	<constraint>
	<regex>(tun\|tap)</regex>
	</constraint>
	</properties>
	<defaultValue>tun</defaultValue>
	</leafNode>
	#include <include/interface/disable.xml.i>
	<node name="encryption">
	<properties>
	<help>Data Encryption settings</help>
	</properties>
	<children>
	<leafNode name="cipher">
	<properties>
	<help>Standard Data Encryption Algorithm</help>
	<completionHelp>
	<list>none des 3des bf128 bf256 aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm</list>
	</completionHelp>
	<valueHelp>
	<format>none</format>
	<description>Disable encryption</description>
	</valueHelp>
	<valueHelp>
	<format>des</format>
	<description>DES algorithm</description>
	</valueHelp>
	<valueHelp>
	<format>3des</format>
	<description>DES algorithm with triple encryption</description>
	</valueHelp>
	<valueHelp>
	<format>bf128</format>
	<description>Blowfish algorithm with 128-bit key</description>
	</valueHelp>
	<valueHelp>
	<format>bf256</format>
	<description>Blowfish algorithm with 256-bit key</description>
	</valueHelp>
	<valueHelp>
	<format>aes128</format>
	<description>AES algorithm with 128-bit key CBC</description>
	</valueHelp>
	<valueHelp>
	<format>aes128gcm</format>
	<description>AES algorithm with 128-bit key GCM</description>
	</valueHelp>
	<valueHelp>
	<format>aes192</format>
	<description>AES algorithm with 192-bit key CBC</description>
	</valueHelp>
	<valueHelp>
	<format>aes192gcm</format>
	<description>AES algorithm with 192-bit key GCM</description>
	</valueHelp>
	<valueHelp>
	<format>aes256</format>
	<description>AES algorithm with 256-bit key CBC</description>
	</valueHelp>
	<valueHelp>
	<format>aes256gcm</format>
	<description>AES algorithm with 256-bit key GCM</description>
	</valueHelp>
	<constraint>
	<regex>(none\|des\|3des\|bf128\|bf256\|aes128\|aes128gcm\|aes192\|aes192gcm\|aes256\|aes256gcm)</regex>
	</constraint>
	</properties>
	</leafNode>
	<leafNode name="ncp-ciphers">
	<properties>
	<help>Cipher negotiation list for use in server or client mode</help>
	<completionHelp>
	<list>none des 3des aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm</list>
	</completionHelp>
	<valueHelp>
	<format>none</format>
	<description>Disable encryption</description>
	</valueHelp>
	<valueHelp>
	<format>des</format>
	<description>DES algorithm</description>
	</valueHelp>
	<valueHelp>
	<format>3des</format>
	<description>DES algorithm with triple encryption</description>
	</valueHelp>
	<valueHelp>
	<format>aes128</format>
	<description>AES algorithm with 128-bit key CBC</description>
	</valueHelp>
	<valueHelp>
	<format>aes128gcm</format>
	<description>AES algorithm with 128-bit key GCM</description>
	</valueHelp>
	<valueHelp>
	<format>aes192</format>
	<description>AES algorithm with 192-bit key CBC</description>
	</valueHelp>
	<valueHelp>
	<format>aes192gcm</format>
	<description>AES algorithm with 192-bit key GCM</description>
	</valueHelp>
	<valueHelp>
	<format>aes256</format>
	<description>AES algorithm with 256-bit key CBC</description>
	</valueHelp>
	<valueHelp>
	<format>aes256gcm</format>
	<description>AES algorithm with 256-bit key GCM</description>
	</valueHelp>
	<constraint>
	<regex>(none\|des\|3des\|aes128\|aes128gcm\|aes192\|aes192gcm\|aes256\|aes256gcm)</regex>
	</constraint>
	<multi/>
	</properties>
	</leafNode>
	</children>
	</node>
	#include <include/interface/ipv4-options.xml.i>
	#include <include/interface/ipv6-options.xml.i>
	#include <include/interface/mirror.xml.i>
	<leafNode name="hash">
	<properties>
	<help>Hashing Algorithm</help>
	<completionHelp>
	<list>md5 sha1 sha256 sha384 sha512</list>
	</completionHelp>
	<valueHelp>
	<format>md5</format>
	<description>MD5 algorithm</description>
	</valueHelp>
	<valueHelp>
	<format>sha1</format>
	<description>SHA-1 algorithm</description>
	</valueHelp>
	<valueHelp>
	<format>sha256</format>
	<description>SHA-256 algorithm</description>
	</valueHelp>
	<valueHelp>
	<format>sha384</format>
	<description>SHA-384 algorithm</description>
	</valueHelp>
	<valueHelp>
	<format>sha512</format>
	<description>SHA-512 algorithm</description>
	</valueHelp>
	<constraint>
	<regex>(md5\|sha1\|sha256\|sha384\|sha512)</regex>
	</constraint>
	</properties>
	</leafNode>
	<node name="keep-alive">
	<properties>
	<help>Keepalive helper options</help>
	</properties>
	<children>
	<leafNode name="failure-count">
	<properties>
	<help>Maximum number of keepalive packet failures</help>
	<valueHelp>
	<format>u32:0-1000</format>
	<description>Maximum number of keepalive packet failures</description>
	</valueHelp>
	<constraint>
	<validator name="numeric" argument="--range 0-1000"/>
	</constraint>
	</properties>
	<defaultValue>60</defaultValue>
	</leafNode>
	<leafNode name="interval">
	<properties>
	<help>Keepalive packet interval in seconds</help>
	<valueHelp>
	<format>u32:0-600</format>
	<description>Keepalive packet interval (seconds)</description>
	</valueHelp>
	<constraint>
	<validator name="numeric" argument="--range 0-600"/>
	</constraint>
	</properties>
	<defaultValue>10</defaultValue>
	</leafNode>
	</children>
	</node>
	<tagNode name="local-address">
	<properties>
	<help>Local IP address of tunnel (IPv4 or IPv6)</help>
	<constraint>
	<validator name="ip-address"/>
	</constraint>
	</properties>
	<children>
	<leafNode name="subnet-mask">
	<properties>
	<help>Subnet-mask for local IP address of tunnel (IPv4 only)</help>
	<constraint>
	<validator name="ipv4-address"/>
	</constraint>
	</properties>
	</leafNode>
	</children>
	</tagNode>
	<leafNode name="local-host">
	<properties>
	<help>Local IP address to accept connections (all if not set)</help>
	<valueHelp>
	<format>ipv4</format>
	<description>Local IPv4 address</description>
	</valueHelp>
	<valueHelp>
	<format>ipv6</format>
	<description>Local IPv6 address</description>
	</valueHelp>
	<constraint>
	<validator name="ip-address"/>
	</constraint>
	</properties>
	</leafNode>
	<leafNode name="local-port">
	<properties>
	<help>Local port number to accept connections</help>
	<valueHelp>
	<format>u32:1-65535</format>
	<description>Numeric IP port</description>
	</valueHelp>
	<constraint>
	<validator name="numeric" argument="--range 1-65535"/>
	</constraint>
	</properties>
	</leafNode>
	<leafNode name="mode">
	<properties>
	<help>OpenVPN mode of operation</help>
	<completionHelp>
	<list>site-to-site client server</list>
	</completionHelp>
	<valueHelp>
	<format>site-to-site</format>
	<description>Site-to-site mode</description>
	</valueHelp>
	<valueHelp>
	<format>client</format>
	<description>Client in client-server mode</description>
	</valueHelp>
	<valueHelp>
	<format>server</format>
	<description>Server in client-server mode</description>
	</valueHelp>
	<constraint>
	<regex>(site-to-site\|client\|server)</regex>
	</constraint>
	</properties>
	</leafNode>
	<leafNode name="openvpn-option">
	<properties>
	<help>Additional OpenVPN options. You must use the syntax of openvpn.conf in this text-field. Using this without proper knowledge may result in a crashed OpenVPN server. Check system log to look for errors.</help>
	<multi/>
	</properties>
	</leafNode>
	<leafNode name="persistent-tunnel">
	<properties>
	<help>Do not close and reopen interface (TUN/TAP device) on client restarts</help>
	<valueless/>
	</properties>
	</leafNode>
	<leafNode name="protocol">
	<properties>
	<help>OpenVPN communication protocol</help>
	<completionHelp>
	<list>udp tcp-passive tcp-active</list>
	</completionHelp>
	<valueHelp>
	<format>udp</format>
	<description>UDP</description>
	</valueHelp>
	<valueHelp>
	<format>tcp-passive</format>
	<description>TCP and accepts connections passively</description>
	</valueHelp>
	<valueHelp>
	<format>tcp-active</format>
	<description>TCP and initiates connections actively</description>
	</valueHelp>
	<constraint>
	<regex>(udp\|tcp-passive\|tcp-active)</regex>
	</constraint>
	</properties>
	<defaultValue>udp</defaultValue>
	</leafNode>
	<leafNode name="remote-address">
	<properties>
	<help>IP address of remote end of tunnel</help>
	<valueHelp>
	<format>ipv4</format>
	<description>Remote end IPv4 address</description>
	</valueHelp>
	<valueHelp>
	<format>ipv6</format>
	<description>Remote end IPv6 address</description>
	</valueHelp>
	<constraint>
	<validator name="ipv4-address"/>
	<validator name="ipv6-address"/>
	</constraint>
	<multi/>
	</properties>
	</leafNode>
	<leafNode name="remote-host">
	<properties>
	<help>Remote host to connect to (dynamic if not set)</help>
	<valueHelp>
	<format>ipv4</format>
	<description>IPv4 address of remote host</description>
	</valueHelp>
	<valueHelp>
	<format>ipv6</format>
	<description>IPv6 address of remote host</description>
	</valueHelp>
	<valueHelp>
	<format>txt</format>
	<description>Hostname of remote host</description>
	</valueHelp>
	<multi/>
	</properties>
	</leafNode>
	<leafNode name="remote-port">
	<properties>
	<help>Remote port number to connect to</help>
	<valueHelp>
	<format>u32:1-65535</format>
	<description>Numeric IP port</description>
	</valueHelp>
	<constraint>
	<validator name="numeric" argument="--range 1-65535"/>
	</constraint>
	</properties>
	</leafNode>
	<node name="replace-default-route">
	<properties>
	<help>OpenVPN tunnel to be used as the default route</help>
	</properties>
	<children>
	<leafNode name="local">
	<properties>
	<help>Tunnel endpoints are on the same subnet</help>
	</properties>
	</leafNode>
	</children>
	</node>
	<node name="server">
	<properties>
	<help>Server-mode options</help>
	</properties>
	<children>
	<tagNode name="client">
	<properties>
	<help>Client-specific settings</help>
	<valueHelp>
	<format>name</format>
	<description>Client common-name in the certificate</description>
	</valueHelp>
	</properties>
	<children>
	#include <include/generic-disable-node.xml.i>
	<leafNode name="ip">
	<properties>
	<help>IP address of the client</help>
	<valueHelp>
	<format>ipv4</format>
	<description>Client IPv4 address</description>
	</valueHelp>
	<valueHelp>
	<format>ipv6</format>
	<description>Client IPv6 address</description>
	</valueHelp>
	<constraint>
	<validator name="ip-address"/>
	</constraint>
	<multi/>
	</properties>
	</leafNode>
	<leafNode name="push-route">
	<properties>
	<help>Route to be pushed to the client</help>
	<valueHelp>
	<format>ipv4net</format>
	<description>IPv4 network and prefix length</description>
	</valueHelp>
	<valueHelp>
	<format>ipv6net</format>
	<description>IPv6 network and prefix length</description>
	</valueHelp>
	<constraint>
	<validator name="ip-prefix"/>
	</constraint>
	<multi/>
	</properties>
	</leafNode>
	<leafNode name="subnet">
	<properties>
	<help>Subnet belonging to the client (iroute)</help>
	<valueHelp>
	<format>ipv4net</format>
	<description>IPv4 network and prefix length belonging to the client</description>
	</valueHelp>
	<valueHelp>
	<format>ipv6net</format>
	<description>IPv6 network and prefix length belonging to the client</description>
	</valueHelp>
	<constraint>
	<validator name="ip-prefix"/>
	</constraint>
	<multi/>
	</properties>
	</leafNode>
	</children>
	</tagNode>
	<node name="client-ip-pool">
	<properties>
	<help>Pool of client IPv4 addresses</help>
	</properties>
	<children>
	#include <include/generic-disable-node.xml.i>
	<leafNode name="start">
	<properties>
	<help>First IP address in the pool</help>
	<constraint>
	<validator name="ipv4-address"/>
	</constraint>
	<valueHelp>
	<format>ipv4</format>
	<description>IPv4 address</description>
	</valueHelp>
	</properties>
	</leafNode>
	<leafNode name="stop">
	<properties>
	<help>Last IP address in the pool</help>
	<constraint>
	<validator name="ipv4-address"/>
	</constraint>
	<valueHelp>
	<format>ipv4</format>
	<description>IPv4 address</description>
	</valueHelp>
	</properties>
	</leafNode>
	<leafNode name="subnet-mask">
	<properties>
	<help>Subnet mask pushed to dynamic clients. If not set the server subnet mask will be used. Only used with topology subnet or device type tap. Not used with bridged interfaces.</help>
	<constraint>
	<validator name="ipv4-address"/>
	</constraint>
	<valueHelp>
	<format>ipv4</format>
	<description>IPv4 subnet mask</description>
	</valueHelp>
	</properties>
	</leafNode>
	</children>
	</node>
	<node name="client-ipv6-pool">
	<properties>
	<help>Pool of client IPv6 addresses</help>
	</properties>
	<children>
	<leafNode name="base">
	<properties>
	<help>Client IPv6 pool base address with optional prefix length</help>
	<valueHelp>
	<format>ipv6net</format>
	<description>Client IPv6 pool base address with optional prefix length (defaults: base = server subnet + 0x1000, prefix length = server prefix length)</description>
	</valueHelp>
	<constraint>
	<validator name="ipv6"/>
	</constraint>
	</properties>
	</leafNode>
	#include <include/generic-disable-node.xml.i>
	</children>
	</node>
	<leafNode name="domain-name">
	<properties>
	<help>DNS suffix to be pushed to all clients</help>
	<valueHelp>
	<format>txt</format>
	<description>Domain Name Server suffix</description>
	</valueHelp>
	</properties>
	</leafNode>
	<leafNode name="max-connections">
	<properties>
	<help>Number of maximum client connections</help>
	<valueHelp>
	<format>u32:1-4096</format>
	<description>Number of concurrent clients</description>
	</valueHelp>
	<constraint>
	<validator name="numeric" argument="--range 1-4096"/>
	</constraint>
	</properties>
	</leafNode>
	#include <include/name-server-ipv4-ipv6.xml.i>
	<tagNode name="push-route">
	<properties>
	<help>Route to be pushed to all clients</help>
	<valueHelp>
	<format>ipv4net</format>
	<description>IPv4 network and prefix length</description>
	</valueHelp>
	<valueHelp>
	<format>ipv6net</format>
	<description>IPv6 network and prefix length</description>
	</valueHelp>
	<constraint>
	<validator name="ip-prefix"/>
	</constraint>
	</properties>
	<children>
	<leafNode name="metric">
	<properties>
	<help>Set metric for this route</help>
	<valueHelp>
	<format>u32:0-4294967295</format>
	<description>Metric for this route</description>
	</valueHelp>
	<constraint>
	<validator name="numeric" argument="--range 0-4294967295"/>
	</constraint>
	</properties>
	<defaultValue>0</defaultValue>
	</leafNode>
	</children>
	</tagNode>
	<leafNode name="reject-unconfigured-clients">
	<properties>
	<help>Reject connections from clients that are not explicitly configured</help>
	<valueless/>
	</properties>
	</leafNode>
	<leafNode name="subnet">
	<properties>
	<help>Server-mode subnet (from which client IPs are allocated)</help>
	<valueHelp>
	<format>ipv4net</format>
	<description>IPv4 network and prefix length</description>
	</valueHelp>
	<valueHelp>
	<format>ipv6net</format>
	<description>IPv6 network and prefix length</description>
	</valueHelp>
	<constraint>
	<validator name="ip-prefix"/>
	</constraint>
	<multi/>
	</properties>
	</leafNode>
	<leafNode name="topology">
	<properties>
	<help>Topology for clients</help>
	<completionHelp>
	<list>net30 point-to-point subnet</list>
	</completionHelp>
	<valueHelp>
	<format>net30</format>
	<description>net30 topology</description>
	</valueHelp>
	<valueHelp>
	<format>point-to-point</format>
	<description>Point-to-point topology</description>
	</valueHelp>
	<valueHelp>
	<format>subnet</format>
	<description>Subnet topology</description>
	</valueHelp>
	<constraint>
	<regex>(subnet\|point-to-point\|net30)</regex>
	</constraint>
	</properties>
	<defaultValue>net30</defaultValue>
	</leafNode>
	<node name="mfa">
	<properties>
	<help>multi-factor authentication</help>
	</properties>
	<children>
	<node name="totp">
	<properties>
	<help>Time-based one-time passwords</help>
	</properties>
	<children>
	<leafNode name="slop">
	<properties>
	<help>Maximum allowed clock slop in seconds</help>
	<valueHelp>
	<format>1-65535</format>
	<description>Seconds</description>
	</valueHelp>
	<constraint>
	<validator name="numeric" argument="--range 1-65535"/>
	</constraint>
	</properties>
	<defaultValue>180</defaultValue>
	</leafNode>
	<leafNode name="drift">
	<properties>
	<help>Time drift in seconds</help>
	<valueHelp>
	<format>1-65535</format>
	<description>Seconds</description>
	</valueHelp>
	<constraint>
	<validator name="numeric" argument="--range 1-65535"/>
	</constraint>
	</properties>
	<defaultValue>0</defaultValue>
	</leafNode>
	<leafNode name="step">
	<properties>
	<help>Step value for totp in seconds</help>
	<valueHelp>
	<format>1-65535</format>
	<description>Seconds</description>
	</valueHelp>
	<constraint>
	<validator name="numeric" argument="--range 1-65535"/>
	</constraint>
	</properties>
	<defaultValue>30</defaultValue>
	</leafNode>
	<leafNode name="digits">
	<properties>
	<help>Number of digits to use for totp hash</help>
	<valueHelp>
	<format>1-65535</format>
	<description>Seconds</description>
	</valueHelp>
	<constraint>
	<validator name="numeric" argument="--range 1-65535"/>
	</constraint>
	</properties>
	<defaultValue>6</defaultValue>
	</leafNode>
	<leafNode name="challenge">
	<properties>
	<help>Expect password as result of a challenge response protocol</help>
	<completionHelp>
	<list>disable enable</list>
	</completionHelp>
	<valueHelp>
	<format>disable</format>
	<description>Disable challenge-response</description>
	</valueHelp>
	<valueHelp>
	<format>enable</format>
	<description>Enable chalenge-response</description>
	</valueHelp>
	<constraint>
	<regex>(disable\|enable)</regex>
	</constraint>
	</properties>
	<defaultValue>enable</defaultValue>
	</leafNode>
	</children>
	</node>
	</children>
	</node>
	</children>
	</node>
	<leafNode name="shared-secret-key">
	<properties>
	<help>Secret key shared with remote end of tunnel</help>
	<completionHelp>
	<path>pki openvpn shared-secret</path>
	</completionHelp>
	</properties>
	</leafNode>
	<node name="tls">
	<properties>
	<help>Transport Layer Security (TLS) options</help>
	</properties>
	<children>
	<leafNode name="auth-key">
	<properties>
	<help>TLS shared secret key for tls-auth</help>
	<completionHelp>
	<path>pki openvpn shared-secret</path>
	</completionHelp>
	</properties>
	</leafNode>
	#include <include/pki/certificate.xml.i>
	#include <include/pki/ca-certificate-multi.xml.i>
	<leafNode name="dh-params">
	<properties>
	<help>Diffie Hellman parameters (server only)</help>
	<completionHelp>
	<path>pki dh</path>
	</completionHelp>
	</properties>
	</leafNode>
	<leafNode name="crypt-key">
	<properties>
	<help>Static key to use to authenticate control channel</help>
	<completionHelp>
	<path>pki openvpn shared-secret</path>
	</completionHelp>
	</properties>
	</leafNode>
	<leafNode name="tls-version-min">
	<properties>
	<help>Specify the minimum required TLS version</help>
	<completionHelp>
	<list>1.0 1.1 1.2 1.3</list>
	</completionHelp>
	<valueHelp>
	<format>1.0</format>
	<description>TLS v1.0</description>
	</valueHelp>
	<valueHelp>
	<format>1.1</format>
	<description>TLS v1.1</description>
	</valueHelp>
	<valueHelp>
	<format>1.2</format>
	<description>TLS v1.2</description>
	</valueHelp>
	<valueHelp>
	<format>1.3</format>
	<description>TLS v1.3</description>
	</valueHelp>
	<constraint>
	<regex>(1.0\|1.1\|1.2\|1.3)</regex>
	</constraint>
	</properties>
	</leafNode>
	<leafNode name="role">
	<properties>
	<help>TLS negotiation role</help>
	<completionHelp>
	<list>active passive</list>
	</completionHelp>
	<valueHelp>
	<format>active</format>
	<description>Initiate TLS negotiation actively</description>
	</valueHelp>
	<valueHelp>
	<format>passive</format>
	<description>Wait for incoming TLS connection</description>
	</valueHelp>
	<constraint>
	<regex>(active\|passive)</regex>
	</constraint>
	</properties>
	</leafNode>
	</children>
	</node>
	<leafNode name="use-lzo-compression">
	<properties>
	<help>Use fast LZO compression on this TUN/TAP interface</help>
	<valueless/>
	</properties>
	</leafNode>
	#include <include/interface/redirect.xml.i>
	#include <include/interface/vrf.xml.i>
	</children>
	</tagNode>
	</children>
	</node>
	</interfaceDefinition>

File Metadata

Mime Type: text/xml
Expires: Mon, Dec 15, 9:09 PM (1 d, 2 h)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 3069246
Default Alt Text: interfaces-openvpn.xml.in (33 KB)

interfaces-openvpn.xml.inNo OneTemporaryActions

interfaces-openvpn.xml.inView Options

File Metadata

Event Timeline

interfaces-openvpn.xml.in
No OneTemporary
Actions

interfaces-openvpn.xml.in
View Options