openvpn: T149: IPv6 support
- allow configuring IPv6 server addresses and push options
- add IPv6 server client IP pool
- add IPv6 push dhcp-option DNS6
- allow configuring IPv6 server client addresses
- allow configuring IPv6 site-to-site addresses
- validate all IPv6 options and addresses
- use protos that explicitly open an IPv6 listening socket
  (tcp6-server, tcp6-client, udp6) as the default on Linux listens on
  IPv4 only (https://community.openvpn.net/openvpn/ticket/360)
- add validator for any IPv6 address, host or network (used by pool)
jjakob committed Apr 16, 2020
1 parent f50877b commit bb9f998
Showing 5 changed files with 320 additions and 61 deletions.
21 changes: 20 additions & 1 deletion data/templates/openvpn/client.conf.tmpl
@@ -1,8 +1,9 @@
### Autogenerated by interfaces-openvpn.py ###

{% if ip -%}
ifconfig-push {{ ip }} {{ remote_netmask }}
ifconfig-push {{ ip[0] }} {{ remote_netmask }}
{% endif -%}

{% for route in push_route -%}
push "route {{ route }}"
{% endfor -%}
Expand All @@ -11,6 +12,24 @@ push "route {{ route }}"
iroute {{ net }}
{% endfor -%}

{# ipv6_remote is only set when IPv6 server is enabled #}
{% if ipv6_remote -%}
# IPv6

{%- if ipv6_ip %}
ifconfig-ipv6-push {{ ipv6_ip[0] }} {{ ipv6_remote }}
{%- endif %}

{%- for route6 in ipv6_push_route %}
push "route-ipv6 {{ route6 }}"
{%- endfor %}

{%- for net6 in ipv6_subnet %}
iroute {{ net6 }}
{%- endfor %}

{% endif -%}

{% if disable -%}
disable
{% endif -%}
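Review bot: `ifconfig-ipv6-push {{ ipv6_ip[0] }} {{ ipv6_remote }}` (and `ifconfig-push {{ ip[0] }}` above it) emits only the first configured address, while the client `ip` leaf in interfaces-openvpn.xml.in appears to be `<multi/>`, so any further entries are silently dropped at render time. As far as I know only one ifconfig(-ipv6)-push per client takes effect in OpenVPN, so the configuration handler (not part of this diff) should reject more than one IPv4 and one IPv6 address per client instead of letting the template pick element 0; until then a template comment such as `{# only the first address of each family is used; extra entries are ignored #}` would make the limitation visible. The new block also switches whitespace-control style (`{%- if ... %}`) against the file's existing `{% if ... -%}` form, which is worth aligning for consistency.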
33 changes: 28 additions & 5 deletions data/templates/openvpn/server.conf.tmpl
Expand Up @@ -18,7 +18,7 @@ dev {{ intf }}
persist-key
iproute /usr/libexec/vyos/system/unpriv-ip

proto {% if 'tcp-active' in protocol -%}tcp-client{% elif 'tcp-passive' in protocol -%}tcp-server{% else %}udp{% endif %}
proto {% if 'tcp-active' in protocol -%}tcp6-client{% elif 'tcp-passive' in protocol -%}tcp6-server{% else %}udp6{% endif %}

{%- if local_host %}
local {{ local_host }}
Expand Down Expand Up @@ -78,7 +78,7 @@ topology {% if server_topology == 'point-to-point' %}p2p{% else %}{{ server_topo
mode server
tls-server
{%- else %}
server {{ server_subnet }} nopool
server {{ server_subnet[0] }} nopool
{%- endif %}

{%- if server_pool %}
Expand Down Expand Up @@ -110,7 +110,26 @@ push "dhcp-option DNS {{ ns }}"

{%- if server_domain -%}
push "dhcp-option DOMAIN {{ server_domain }}"
{% endif %}
{% endif -%}

{%- if server_ipv6_local %}
# IPv6
push "tun-ipv6"
ifconfig-ipv6 {{ server_ipv6_local }}/{{ server_ipv6_prefixlen }} {{ server_ipv6_remote }}

{%- if server_ipv6_pool %}
ifconfig-ipv6-pool {{ server_ipv6_pool_base }}/{{ server_ipv6_pool_prefixlen }}
{%- endif %}

{%- for route6 in server_ipv6_push_route %}
push "route-ipv6 {{ route6 }}"
{%- endfor %}

{%- for ns6 in server_ipv6_dns_nameserver %}
push "dhcp-option DNS6 {{ ns6 }}"
{%- endfor %}

{%- endif %}

{% else -%}
#
Expand All @@ -120,9 +139,13 @@ ping {{ ping_interval }}
ping-restart {{ ping_restart }}

{% if local_address_subnet -%}
ifconfig {{ local_address }} {{ local_address_subnet }}
ifconfig {{ local_address[0] }} {{ local_address_subnet }}
{%- elif remote_address -%}
ifconfig {{ local_address }} {{ remote_address }}
ifconfig {{ local_address[0] }} {{ remote_address[0] }}
{%- endif %}

{% if ipv6_local_address -%}
ifconfig-ipv6 {{ ipv6_local_address[0] }} {{ ipv6_remote_address[0] }}
{%- endif %}

{% endif -%}
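Review bot: `ifconfig-ipv6 {{ ipv6_local_address[0] }} {{ ipv6_remote_address[0] }}` is guarded only by `{% if ipv6_local_address -%}`, so a site-to-site configuration with an IPv6 local address but no IPv6 remote address fails at render time on the empty index rather than with a validation message; guard both, `{% if ipv6_local_address and ipv6_remote_address -%}`, or reject that combination in the handler. Switching `proto` to `udp6`/`tcp6-server`/`tcp6-client` also changes the bind: without `local` the daemon now listens on the IPv6 wildcard (dual-stack on Linux), so firewall rules written only for the IPv4 listener no longer cover the socket. An IPv4 literal in `local {{ local_host }}` is, as far as I can tell, not resolvable under the IPv6 address family these protos imply, so existing configurations with an IPv4 `local-host` would stop starting unless the handler (outside this diff) falls back to `udp`/`tcp-server` in that case. A comment next to `proto` stating that the *6 protocols bind dual-stack and that `local-host` must then be an IPv6 address would document the intent.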
94 changes: 79 additions & 15 deletions interface-definitions/interfaces-openvpn.xml.in
Expand Up @@ -233,15 +233,15 @@
</node>
<tagNode name="local-address">
<properties>
<help>Local IP address of tunnel</help>
<help>Local IP address of tunnel (IPv4 or IPv6)</help>
<constraint>
<validator name="ipv4-address"/>
<validator name="ip-address"/>
</constraint>
</properties>
<children>
<leafNode name="subnet-mask">
<properties>
<help>Subnet-mask for local IP address of tunnel</help>
<help>Subnet-mask for local IP address of tunnel (IPv4 only)</help>
<constraint>
<validator name="ipv4-address"/>
</constraint>
Expand All @@ -256,8 +256,12 @@
<format>ipv4</format>
<description>Local IPv4 address</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>Local IPv6 address</description>
</valueHelp>
<constraint>
<validator name="ipv4-address"/>
<validator name="ip-address"/>
</constraint>
</properties>
</leafNode>
Expand Down Expand Up @@ -341,17 +345,26 @@
<format>ipv4</format>
<description>Remote end IPv4 address</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>Remote end IPv6 address</description>
</valueHelp>
<constraint>
<validator name="ipv4-address"/>
</constraint>
<multi/>
</properties>
</leafNode>
<leafNode name="remote-host">
<properties>
<help>Remote host to connect to (dynamic if not set)</help>
<valueHelp>
<format>ipv4</format>
<description>IP address of remote host</description>
<description>IPv4 address of remote host</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>IPv6 address of remote host</description>
</valueHelp>
<valueHelp>
<format>txt</format>
Expand Down Expand Up @@ -411,9 +424,14 @@
<format>ipv4</format>
<description>Client IPv4 address</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>Client IPv6 address</description>
</valueHelp>
<constraint>
<validator name="ipv4-address"/>
<validator name="ip-address"/>
</constraint>
<multi/>
</properties>
</leafNode>
<leafNode name="push-route">
Expand All @@ -423,21 +441,29 @@
<format>ipv4net</format>
<description>IPv4 network and prefix length</description>
</valueHelp>
<valueHelp>
<format>ipv6net</format>
<description>IPv6 network and prefix length</description>
</valueHelp>
<constraint>
<validator name="ipv4-prefix"/>
<validator name="ip-prefix"/>
</constraint>
<multi/>
</properties>
</leafNode>
<leafNode name="subnet">
<properties>
<help>Subnet belonging to the client</help>
<help>Subnet belonging to the client (iroute)</help>
<valueHelp>
<format>ipv4net</format>
<description>IPv4 network and prefix length belonging to the client</description>
</valueHelp>
<valueHelp>
<format>ipv6net</format>
<description>IPv6 network and prefix length belonging to the client</description>
</valueHelp>
<constraint>
<validator name="ipv4-prefix"/>
<validator name="ip-prefix"/>
</constraint>
<multi/>
</properties>
Expand All @@ -446,7 +472,7 @@
</tagNode>
<node name="client-ip-pool">
<properties>
<help>Pool of client IP addresses</help>
<help>Pool of client IPv4 addresses</help>
</properties>
<children>
<leafNode name="disable">
Expand Down Expand Up @@ -496,6 +522,31 @@
</leafNode>
</children>
</node>
<node name="client-ipv6-pool">
<properties>
<help>Pool of client IPv6 addresses</help>
</properties>
<children>
<leafNode name="base">
<properties>
<help>Client IPv6 pool base address with optional prefix length</help>
<valueHelp>
<format>ipv6net</format>
<description>Client IPv6 pool base address with optional prefix length (defaults: base = server subnet + 0x1000, prefix length = server prefix length)</description>
</valueHelp>
<constraint>
<validator name="ipv6"/>
</constraint>
</properties>
</leafNode>
<leafNode name="disable">
<properties>
<help>Disable client IPv6 pool</help>
<valueless/>
</properties>
</leafNode>
</children>
</node>
<leafNode name="domain-name">
<properties>
<help>DNS suffix to be pushed to all clients</help>
Expand Down Expand Up @@ -524,8 +575,12 @@
<format>ipv4</format>
<description>DNS server IPv4 address</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>DNS server IPv6 address</description>
</valueHelp>
<constraint>
<validator name="ipv4-address"/>
<validator name="ip-address"/>
</constraint>
<multi/>
</properties>
Expand All @@ -537,8 +592,12 @@
<format>ipv4net</format>
<description>IPv4 network and prefix length</description>
</valueHelp>
<valueHelp>
<format>ipv6net</format>
<description>IPv6 network and prefix length</description>
</valueHelp>
<constraint>
<validator name="ipv4-prefix"/>
<validator name="ip-prefix"/>
</constraint>
<multi/>
</properties>
Expand All @@ -555,9 +614,14 @@
<format>ipv4net</format>
<description>IPv4 network and prefix length</description>
</valueHelp>
<valueHelp>
<format>ipv6net</format>
<description>IPv6 network and prefix length</description>
</valueHelp>
<constraint>
<validator name="ipv4-prefix"/>
<validator name="ip-prefix"/>
</constraint>
<multi/>
</properties>
</leafNode>
<leafNode name="topology">
Expand All @@ -568,7 +632,7 @@
</completionHelp>
<valueHelp>
<format>net30</format>
<description>net30 topology</description>
<description>net30 topology (default)</description>
</valueHelp>
<valueHelp>
<format>point-to-point</format>
Expand All @@ -579,7 +643,7 @@
<description>Subnet topology</description>
</valueHelp>
<constraint>
<regex>(subnet|point-to-point)</regex>
<regex>(subnet|point-to-point|net30)</regex>
</constraint>
</properties>
</leafNode>
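Review bot: The `remote-address` leaf now advertises an `ipv6` valueHelp, but its constraint is still `<validator name="ipv4-address"/>`, so an IPv6 remote address is rejected at commit even though server.conf.tmpl renders `ipv6_remote_address[0]`; unless a hunk outside this view changes it, the constraint should become `<validator name="ip-address"/>` like the other address leaves in this commit. The `client-ipv6-pool base` description promises defaults (server subnet + 0x1000, server prefix length) that the XML cannot enforce; the handler should also verify that an explicitly configured pool lies inside the server's IPv6 subnet so clients are not handed addresses outside the routed range, and the description could say so. The enclosing tagNode/leafNode hierarchy starts and ends outside the visible hunks.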
