Add further options to the OpenVPN backend

Author: okraits

docs/source/backends/openvpn.rst

@@ -112,6 +112,8 @@ Required properties:
 +--------------------------+---------+--------------+-------------------------------------------------------------+
 | ``key``                  | string  |              | any non whitespace character                                |
 +--------------------------+---------+--------------+-------------------------------------------------------------+
+| ``pkcs12``               | string  |              | any non whitespace character                                |
++--------------------------+---------+--------------+-------------------------------------------------------------+
 | ``ns_cert_type``         | string  |              | ``client``, ``server`` or empty string                      |
 +--------------------------+---------+--------------+-------------------------------------------------------------+
 | ``mtu_disc``             | string  | ``no``       | ``no``, ``maybe`` or ``yes``                                |
@@ -151,6 +153,16 @@ Required properties:
 +--------------------------+---------+--------------+-------------------------------------------------------------+
 | ``secret``               | string  |              | any non whitespace character                                |
 +--------------------------+---------+--------------+-------------------------------------------------------------+
+| ``reneg_sec``            | integer | ``3600``     | any positive integer                                        |
++--------------------------+---------+--------------+-------------------------------------------------------------+
+| ``tls_timeout``          | integer | ``2``        | any positive integer                                        |
++--------------------------+---------+--------------+-------------------------------------------------------------+
+| ``tls_cipher``           | string  |              | any string                                                  |
++--------------------------+---------+--------------+-------------------------------------------------------------+
+| ``remote_cert_tls``      | string  |              | ``client``, ``server`` or empty string                      |
++--------------------------+---------+--------------+-------------------------------------------------------------+
+| ``float``                | boolean | ``False``    |                                                             |
++--------------------------+---------+--------------+-------------------------------------------------------------+
 | ``fast_io``              | boolean | ``False``    |                                                             |
 +--------------------------+---------+--------------+-------------------------------------------------------------+
 | ``log``                  | string  |              | filesystem path                                             |
@@ -179,8 +191,12 @@ Required properties:
 +--------------------------+---------+--------------+-------------------------------------------------------------+
 | ``pull``                 | boolean | ``True``     |                                                             |
 +--------------------------+---------+--------------+-------------------------------------------------------------+
+| ``remote_random``        | boolean | ``False``    |                                                             |
++--------------------------+---------+--------------+-------------------------------------------------------------+
 | ``auth_user_pass``       | string  |              | any non whitespace character                                |
 +--------------------------+---------+--------------+-------------------------------------------------------------+
+| ``auth_retry``           | string  | ``none``     | ``none``, ``nointeract`` or ``interact``                    |
++--------------------------+---------+--------------+-------------------------------------------------------------+
 
 Server specific settings
 ~~~~~~~~~~~~~~~~~~~~~~~~

netjsonconfig/backends/openvpn/openvpn.py

@@ -83,15 +83,21 @@ def auto_client(cls, host, server, ca_path=None, ca_contents=None,
         if 'tls_server' not in server or not server['tls_server']:
             client['tls_client'] = False
         # ns_cert_type
-        if not server.get('ns_cert_type'):
-            client['ns_cert_type'] = ''
-        elif server.get('ns_cert_type') == 'client':
-            client['ns_cert_type'] = 'server'
+        ns_cert_type = {None: '',
+                        '': '',
+                        'client': 'server'}
+        client['ns_cert_type'] = ns_cert_type[server.get('ns_cert_type')]
+        # remote_cert_tls
+        remote_cert_tls = {None: '',
+                           '': '',
+                           'client': 'server'}
+        client['remote_cert_tls'] = remote_cert_tls[server.get('remote_cert_tls')]
         copy_keys = ['name', 'dev_type', 'dev', 'comp_lzo', 'auth',
-                     'cipher', 'ca', 'cert', 'key', 'mtu_disc', 'mtu_test',
+                     'cipher', 'ca', 'cert', 'key', 'pkcs12', 'mtu_disc', 'mtu_test',
                      'fragment', 'mssfix', 'keepalive', 'persist_tun', 'mute',
                      'persist_key', 'script_security', 'user', 'group', 'log',
-                     'mute_replay_warnings', 'secret', 'fast_io', 'verb']
+                     'mute_replay_warnings', 'secret', 'reneg_sec', 'tls_timeout',
+                     'tls_cipher', 'float', 'fast_io', 'verb']
         for key in copy_keys:
             if key in server:
                 client[key] = server[key]

netjsonconfig/backends/openvpn/schema.py

@@ -143,6 +143,14 @@
                     "pattern": "^(\\S*)$",
                     "propertyOrder": 16,
                 },
+                "pkcs12": {
+                    "title": "PKCS #12",
+                    "description": "Path to a PKCS #12 file containing local private key, "
+                                   "local certificate, and root CA certificate",
+                    "type": "string",
+                    "pattern": "^(\\S*)$",
+                    "propertyOrder": 17,
+                },
                 "ns_cert_type": {
                     "title": "NS cert type",
                     "type": "string",
@@ -319,6 +327,42 @@
                     "pattern": "^(\\S*)$",
                     "propertyOrder": 38,
                 },
+                "reneg_sec": {
+                    "title": "reneg_sec",
+                    "description": "Renegotiate data channel key after n seconds",
+                    "type": "integer",
+                    "default": 3600,
+                    "propertyOrder": 39,
+                },
+                "tls_timeout": {
+                    "title": "TLS timeout",
+                    "description": "Packet retransmit timeout on TLS control channel if no "
+                                   "acknowledgment from remote within n seconds",
+                    "type": "integer",
+                    "default": 2,
+                    "propertyOrder": 40,
+                },
+                "tls_cipher": {
+                    "title": "TLS cipher",
+                    "description": "A list of allowable TLS ciphers delimited by a colon (':')",
+                    "type": "string",
+                    "propertyOrder": 41,
+                },
+                "remote_cert_tls": {
+                    "title": "Remote certificate TLS",
+                    "type": "string",
+                    "default": "",
+                    "propertyOrder": 42
+                },
+                "float": {
+                    "title": "float",
+                    "description": "Allow remote peer to change its IP address and/or port number, "
+                                   "such as due to DHCP",
+                    "type": "boolean",
+                    "default": False,
+                    "format": "checkbox",
+                    "propertyOrder": 43,
+                },
                 "fast_io": {
                     "title": "fast IO",
                     "description": "(Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a "
@@ -441,6 +485,16 @@
                             "format": "checkbox",
                             "propertyOrder": 11,
                         },
+                        "remote_random": {
+                            "title": "random remote",
+                            "description": "When multiple remote address/ports are specified, or if "
+                                           "connection profiles are being used, initially randomize "
+                                           "the order of the list as a basic load-balancing measure",
+                            "type": "boolean",
+                            "default": False,
+                            "format": "checkbox",
+                            "propertyOrder": 12,
+                        },
                         "ns_cert_type": {
                             "description": "Require that peer certificate was signed with an explicit "
                                            "nsCertType designation of \"server\"",
@@ -454,6 +508,23 @@
                             "type": "string",
                             "pattern": "^(\\S*)$",
                             "propertyOrder": 40,
+                        },
+                        "auth_retry": {
+                            "title": "auth retry",
+                            "description": "Controls how OpenVPN responds to username/password "
+                                           "verification errors such as the client-side response "
+                                           "to an AUTH_FAILED message from the server or "
+                                           "verification failure of the private key password",
+                            "type": "string",
+                            "enum": ["none", "nointeract", "interact"],
+                            "default": "none",
+                            "propertyOrder": 41,
+                        },
+                        "remote_cert_tls": {
+                            "description": "Require that peer certificate was signed with an explicit "
+                                           "key usage and extended key usage based on RFC3280 TLS rules",
+                            "enum": ["", "server"],
+                            "options": {"enum_titles": ["disabled", "server"]}
                         }
                     }
                 }
@@ -549,6 +620,12 @@
                     "type": "string",
                     "pattern": "^((\\S*) (\\S*)|)$",
                     "propertyOrder": 45,
+                },
+                "remote_cert_tls": {
+                    "description": "Require that peer certificate was signed with an explicit "
+                                   "key usage and extended key usage based on RFC3280 TLS rules",
+                    "enum": ["", "client"],
+                    "options": {"enum_titles": ["disabled", "client"]}
                 }
             }
         },