Merge pull request #3829 from vyos/mergify/bp/circinus/pr-3825
openvpn: T6591: deprecate OpenVPN server net30 topology (backport #3825)
c-po authored Jul 19, 2024
2 parents a64e2ce + 3b9e283 commit 623d773
Showing 4 changed files with 57 additions and 7 deletions.
@@ -1,3 +1,3 @@
<!-- include start from include/version/openvpn-version.xml.i -->
<syntaxVersion component='openvpn' version='2'></syntaxVersion>
<syntaxVersion component='openvpn' version='3'></syntaxVersion>
<!-- include end -->
12 changes: 6 additions & 6 deletions interface-definitions/interfaces_openvpn.xml.in
Expand Up @@ -589,25 +589,25 @@
<properties>
<help>Topology for clients</help>
<completionHelp>
<list>net30 point-to-point subnet</list>
<list>subnet point-to-point net30</list>
</completionHelp>
<valueHelp>
<format>net30</format>
<description>net30 topology</description>
<format>subnet</format>
<description>Subnet topology (recommended)</description>
</valueHelp>
<valueHelp>
<format>point-to-point</format>
<description>Point-to-point topology</description>
</valueHelp>
<valueHelp>
<format>subnet</format>
<description>Subnet topology</description>
<format>net30</format>
<description>net30 topology (deprecated)</description>
</valueHelp>
<constraint>
<regex>(subnet|point-to-point|net30)</regex>
</constraint>
</properties>
<defaultValue>net30</defaultValue>
<defaultValue>subnet</defaultValue>
</leafNode>
<node name="mfa">
<properties>
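Review bot: The new help text `net30 topology (deprecated)` tells the operator the value is going away but not what to move to; `<description>net30 topology (deprecated, use subnet)</description>` would point them at the new default in the same place they read the warning. The constraint regex on the unchanged line still accepts `net30`, which is right for a deprecation period, so configs that keep it continue to load.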
7 changes: 7 additions & 0 deletions src/conf_mode/interfaces_openvpn.py
Expand Up @@ -432,6 +432,13 @@ def verify(openvpn):
if IPv6Address(client['ipv6_ip'][0]) in v6PoolNet:
print(f'Warning: Client "{client["name"]}" IP {client["ipv6_ip"][0]} is in server IP pool, it is not reserved for this client.')

if 'topology' in openvpn['server']:
if openvpn['server']['topology'] == 'net30':
DeprecationWarning('Topology net30 is deprecated '\
'and will be removed in future VyOS versions. '\
'Switch to "subnet" or "p2p"'
)

# add mfa users to the file the mfa plugin uses
if dict_search('server.mfa.totp', openvpn):
user_data = ''
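Review bot: The added `DeprecationWarning(...)` instantiates an exception object and discards it, so the notice is never raised, logged or printed and an operator keeping net30 sees nothing at commit time. The surrounding code reports non-fatal conditions with a plain print, as in the context line above (`print(f'Warning: Client ...')`), so the same form would actually reach the operator: `print('Warning: Topology net30 is deprecated and will be removed in future VyOS versions. Switch to "subnet" or "point-to-point"')`. The message as written also names `"p2p"`, which is not one of the values the interface definition accepts (`subnet|point-to-point|net30`), so it would steer the operator to a setting that fails validation. The two nested checks can be collapsed to `if dict_search('server.topology', openvpn) == 'net30':`, matching the `dict_search` use two lines below. verify() starts and ends outside this hunk.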
43 changes: 43 additions & 0 deletions src/migration-scripts/openvpn/2-to-3
@@ -0,0 +1,43 @@
#!/usr/bin/env python3
#
# Copyright (C) 2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Adds an explicit old default for 'server topology'
# to keep old configs working as before even though the default has changed.

from vyos.configtree import ConfigTree

def migrate(config: ConfigTree) -> None:
if not config.exists(['interfaces', 'openvpn']):
# Nothing to do
return

ovpn_intfs = config.list_nodes(['interfaces', 'openvpn'])
for i in ovpn_intfs:
mode = config.return_value(['interfaces', 'openvpn', i, 'mode'])
if mode != 'server':
# If it's a client or a site-to-site OpenVPN interface,
# the topology setting is not applicable
# and will cause commit errors on load,
# so we must not change such interfaces.
continue
else:
# The default OpenVPN server topology was changed from net30 to subnet
# because net30 is deprecated and causes problems with Windows clients.
# We add 'net30' to old configs if topology is not set there
# to ensure that if anyone relies on net30, their configs work as before.
topology_path = ['interfaces', 'openvpn', i, 'server', 'topology']
if not config.exists(topology_path):
config.set(topology_path, value='net30', replace=False)
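Review bot: The `else:` after `continue` adds a level of nesting without purpose; dropping it and dedenting the topology block directly under the loop is the one point of style worth raising here. The guard `if mode != 'server'` relies on `return_value` returning something unequal to `'server'` for an interface with no mode set — presumably None — so such interfaces are left untouched; a comment stating that intent would help the next reader: `# return_value presumably yields None when 'mode' is unset; treat as non-server`. Pinning `net30` on every legacy server config also means those configs will keep hitting whatever deprecation notice verify() emits on each commit, which is the intended nudge but is worth stating in the header comment.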
