The OpenVpn backend allows to generate OpenVPN 2.x.x compatible configurations.
Its schema is limited to a subset of the features available in OpenVPN and it doesn't recognize interfaces, radios, wireless settings and so on.
The main methods work just like the OpenWRT backend </backends/openwrt>:
__init__rendergeneratewritejson
The main differences are in the resulting configuration and in its schema.
See an example of initialization and rendering below:
from netjsonconfig import OpenVpn
config = OpenVpn({
"openvpn": [
{
"ca": "ca.pem",
"cert": "cert.pem",
"dev": "tap0",
"dev_type": "tap",
"dh": "dh.pem",
"key": "key.pem",
"mode": "server",
"name": "example-vpn",
"proto": "udp",
"tls_server": True
}
]
})
print(config.render())Will return the following output:
# openvpn config: test-no-status
ca ca.pem
cert cert.pem
dev tap0
dev-type tap
dh dh.pem
key key.pem
mode server
proto udp
tls-serverThe OpenVpn backend schema is limited, it only recognizes an openvpn key with a list of dictionaries representing vpn instances. The structure of these dictionaries is described below.
Alternatively you may also want to take a look at the OpenVPN JSON-Schema source code.
According to the NetJSON spec, any unrecognized property will be ignored.
Required properties:
- name
- mode
- proto
- dev
| key name | type | default | allowed values |
|---|---|---|---|
name |
string | 2 to 24 alphanumeric characters, dashes and underscores | |
mode |
string | p2p or server |
|
proto |
string | udp, tcp-client, tcp-server |
|
port |
integer | 1194 |
integers |
dev_type |
string | tun, tap |
|
dev |
string | any non-whitespace character (max length: 15) | |
local |
string | any string | |
comp_lzo |
string | adaptive |
yes, no or adaptive |
auth |
string | SHA1 |
see auth property source code |
cipher |
string | BF-CBC |
see cipher property source code |
engine |
string | bsd, rsax, dynamic or empty string |
|
ca |
string | any non whitespace character | |
cert |
string | any non whitespace character | |
key |
string | any non whitespace character | |
pkcs12 |
string | any non whitespace character | |
tls_auth |
string | string containing TLS Auth key | |
ns_cert_type |
string | client, server or empty string |
|
mtu_disc |
string | no |
no, maybe or yes |
mtu_test |
boolean | False |
|
fragment |
integer | 0 |
any positive integer |
mssfix |
integer | 1450 |
any positive integer |
keepalive |
string | two numbers separated by one space | |
persist_tun |
boolean | False |
|
persist_key |
boolean | False |
|
up |
string | any non whitespace character | |
up_delay |
integer | 0 |
any positive integer |
down |
string | any non whitespace character | |
script_security |
integer | 1 |
0, 1, 2, 3 |
user |
string | any string | |
group |
string | any string | |
mute |
integer | 0 |
any positive integer |
status |
string | string and number separated by space, eg: /var/log/openvpn.status 10 |
|
status_version |
integer | 1 |
1, 2, 3 |
mute_replay_warnings |
boolean | False |
|
secret |
string | any non whitespace character | |
reneg_sec |
integer | 3600 |
any positive integer |
tls_timeout |
integer | 2 |
any positive integer |
tls_cipher |
string | any string | |
remote_cert_tls |
string | client, server or empty string |
|
float |
boolean | False |
|
auth_nocache |
boolean | False |
|
fast_io |
boolean | False |
|
log |
string | filesystem path | |
verb |
integer | 1 |
from 0 (disabled) to 11 (very verbose) |
Required properties:
- remote
| key name | type | default | allowed values |
|---|---|---|---|
remote |
list | [] |
list of dictionaries containing host (str) and port (str). Must contain at least one element |
nobind |
boolean | True |
|
resolv_retry |
boolean | True |
|
tls_client |
boolean | True |
|
pull |
boolean | True |
|
remote_random |
boolean | False |
|
auth_user_pass |
string | any non whitespace character | |
auth_retry |
string | none |
none, nointeract or interact |
| key name | type | default | allowed values |
|---|---|---|---|
tls_server |
boolean | True |
|
dh |
string | any non whitespace character | |
crl_verify |
string | any non whitespace character | |
duplicate_cn |
boolean | False |
|
client_to_client |
boolean | False |
|
client_cert_not_required |
boolean | False |
|
username_as_common_name |
boolean | False |
|
auth_user_pass_verify |
string | any non whitespace character |
The schema does not include all the possible OpenVPN settings, but it can render appropiately any property not included in the schema as long as its type is one the following:
- boolean
- integer
- strings
- lists
For a list of all the OpenVPN configuration settings, refer to the OpenVPN 2.3 manual.
netjsonconfig.OpenVpn.auto_client
Example:
from netjsonconfig import OpenVpn
server_config = {
"ca": "ca.pem",
"cert": "cert.pem",
"dev": "tap0",
"dev_type": "tap",
"dh": "dh.pem",
"key": "key.pem",
"mode": "server",
"name": "example-vpn",
"proto": "udp",
"tls_server": True
}
dummy_contents = '------ EXAMPLE ------'
client_config = OpenVpn.auto_client('vpn1.test.com',
server=server_config,
ca_path='ca.pem',
ca_contents=dummy_contents,
cert_path='cert.pem',
cert_contents=dummy_contents,
key_path='key.pem',
key_contents=dummy_contents)
client = OpenVpn(client_config)
print(client.render())Will be rendered as:
# openvpn config: example-vpn
ca ca.pem
cert cert.pem
dev tap0
dev-type tap
key key.pem
mode p2p
nobind
proto udp
remote vpn1.test.com 1195
resolv-retry
tls-client
# ---------- files ---------- #
# path: ca.pem
# mode: 0644
------ EXAMPLE ------
# path: cert.pem
# mode: 0644
------ EXAMPLE ------
# path: key.pem
# mode: 0644
------ EXAMPLE ------