OpenVPN 2.3 Backend

The OpenVpn backend generates configurations compatible with OpenVPN 2.3.x.

Its schema is limited to a subset of the features available in OpenVPN and it doesn’t recognize interfaces, radios, wireless settings and so on.

The main methods work just like the OpenWRT backend:

  • __init__
  • render
  • generate
  • write
  • json

The main differences are in the resulting configuration and in its schema.

See an example of initialization and rendering below:

from netjsonconfig import OpenVpn

config = OpenVpn({
    "openvpn": [
        {
            "ca": "ca.pem",
            "cert": "cert.pem",
            "dev": "tap0",
            "dev_type": "tap",
            "dh": "dh.pem",
            "key": "key.pem",
            "mode": "server",
            "name": "example-vpn",
            "proto": "udp",
            "tls_server": True
        }
    ]
})
print(config.render())

Will return the following output:

# openvpn config: test-no-status

ca ca.pem
cert cert.pem
dev tap0
dev-type tap
dh dh.pem
key key.pem
mode server
proto udp
tls-server

OpenVPN backend schema

The OpenVpn backend schema is limited: it only recognizes an openvpn key holding a list of dictionaries, each representing one VPN instance. The structure of these dictionaries is described below.

Alternatively you may also want to take a look at the OpenVPN JSON-Schema source code.

According to the NetJSON spec, any unrecognized property will be ignored.

General settings (valid both for client and server)

Required properties:

  • name
  • mode
  • proto
  • dev

key name              type     default    allowed values
name                  string              2 to 24 alphanumeric characters, dashes and underscores
mode                  string              client or server
proto                 string              udp, tcp-client, tcp-server
port                  integer  1194       integers
dev_type              string              tun, tap
dev                   string              any non-whitespace character (max length: 15)
local                 string              any string
comp_lzo              string   adaptive   yes, no or adaptive
auth                  string   SHA1       see auth property source code
cipher                string   BF-CBC     see cipher property source code
engine                string              bsd, rsax, dynamic or empty string
ca                    string              any non-whitespace character
cert                  string              any non-whitespace character
key                   string              any non-whitespace character
ns_cert_type          string              client, server or empty string
mtu_disc              string   no         no, maybe or yes
mtu_test              boolean  False
fragment              integer  0          any positive integer
mssfix                integer  1450       any positive integer
keepalive             string              two numbers separated by one space
persist_tun           boolean  False
persist_key           boolean  False
up                    string              any non-whitespace character
up_delay              integer  0          any positive integer
down                  string              any non-whitespace character
script_security       integer  1          0, 1, 2, 3
user                  string              any string
group                 string              any string
mute                  integer  0          any positive integer
status                string              string and number separated by space, e.g. /var/log/openvpn.status 10
status_version        integer  1          1, 2, 3
mute_replay_warnings  boolean  False
secret                string              any non-whitespace character
fast_io               boolean  False
log                   string              filesystem path
verb                  integer  1          from 0 (disabled) to 11 (very verbose)

Client specific settings

Required properties:

  • remote

key name              type     default    allowed values
remote                list     []         list of dictionaries containing host (str) and port (str); must contain at least one element
nobind                boolean  True
resolv_retry          boolean  True
tls_client            boolean  True
auth_user_pass        string              any non-whitespace character

Server specific settings

key name                  type     default    allowed values
tls_server                boolean  True
dh                        string              any non-whitespace character
crl_verify                string              any non-whitespace character
duplicate_cn              boolean  False
client_to_client          boolean  False
client_cert_not_required  boolean  False
username_as_common_name   boolean  False
auth_user_pass_verify     string              any non-whitespace character

Working around schema limitations

The schema does not include all the possible OpenVPN settings, but the backend can still render appropriately any property not included in the schema, as long as its value is one of the following types:

  • boolean
  • integer
  • string
  • list

For a list of all the OpenVPN configuration settings, refer to the OpenVPN 2.3 manual.
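The following is an added example, not netjsonconfig's own code: a small renderer that re-implements the rendering rules this page describes (underscores become dashes, True booleans become bare directives, False ones are dropped, integers and strings become "key value") and applies them to the server instance above plus a few OpenVPN 2.3 directives that are not in the schema. The list handling (one line per element, dictionary elements joined by spaces, as the remote directive shows) is an assumption made here.

```python
"""Render a NetJSON "openvpn" instance dictionary as OpenVPN 2.3 directives."""

# Constructed input: the server instance from this page plus properties that
# are not in the backend schema (assumed to be rendered by the generic rules).
SERVER = {
    "ca": "ca.pem", "cert": "cert.pem", "dev": "tap0", "dev_type": "tap",
    "dh": "dh.pem", "key": "key.pem", "mode": "server", "name": "example-vpn",
    "proto": "udp", "tls_server": True,
    # not in the schema: boolean, integer, string and list
    "float": True,            # rendered as a bare flag
    "reneg_sec": 3600,        # rendered as "reneg-sec 3600"
    "tls_auth": "ta.key 0",   # rendered as "tls-auth ta.key 0"
    "push": ["route 10.8.0.0 255.255.255.0", "dhcp-option DNS 10.8.0.1"],
    "persist_tun": False,     # False booleans are omitted entirely
}


def render_instance(instance):
    """Return the OpenVPN text for one vpn instance dictionary.

    * "name" becomes the header comment, not a directive
    * directives are emitted in sorted key order, underscores become dashes
    * True booleans render as a bare directive, False ones are dropped
    * integers and strings render as "key value"
    * (assumption) a list renders one directive per element; dictionary
      elements have their values joined by spaces, as "remote" is rendered
    """
    lines = ["# openvpn config: {}".format(instance.get("name", "")), ""]
    for key in sorted(k for k in instance if k != "name"):
        value = instance[key]
        directive = key.replace("_", "-")
        if isinstance(value, bool):       # must be tested before int
            if value:
                lines.append(directive)
        elif isinstance(value, list):
            for item in value:
                if isinstance(item, dict):
                    item = " ".join(str(v) for v in item.values())
                lines.append("{} {}".format(directive, item))
        else:
            lines.append("{} {}".format(directive, value))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_instance(SERVER))
```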

Automatic generation of clients

classmethod OpenVpn.auto_client(host, server, ca_path=None, ca_contents=None, cert_path=None, cert_contents=None, key_path=None, key_contents=None)

Returns a configuration dictionary representing an OpenVPN client configuration that is compatible with the passed server configuration.

Parameters:
  • host – remote VPN server
  • server – dictionary representing a single OpenVPN server configuration
  • ca_path – optional string representing path to CA, will consequently add a file in the resulting configuration dictionary
  • ca_contents – optional string representing contents of CA file
  • cert_path – optional string representing path to certificate, will consequently add a file in the resulting configuration dictionary
  • cert_contents – optional string representing contents of cert file
  • key_path – optional string representing path to key, will consequently add a file in the resulting configuration dictionary
  • key_contents – optional string representing contents of key file
Returns: dictionary representing a single OpenVPN client configuration

Example:

from netjsonconfig import OpenVpn

server_config = {
    "ca": "ca.pem",
    "cert": "cert.pem",
    "dev": "tap0",
    "dev_type": "tap",
    "dh": "dh.pem",
    "key": "key.pem",
    "mode": "server",
    "name": "example-vpn",
    "proto": "udp",
    "tls_server": True
}
dummy_contents = '------ EXAMPLE ------'
client_config = OpenVpn.auto_client('vpn1.test.com',
                                    server=server_config,
                                    ca_path='ca.pem',
                                    ca_contents=dummy_contents,
                                    cert_path='cert.pem',
                                    cert_contents=dummy_contents,
                                    key_path='key.pem',
                                    key_contents=dummy_contents)
client = OpenVpn(client_config)
print(client.render())

Will be rendered as:

# openvpn config: example-vpn

ca ca.pem
cert cert.pem
dev tap0
dev-type tap
key key.pem
mode client
nobind
proto udp
remote vpn1.test.com 1195
resolv-retry
tls-client

# ---------- files ---------- #

# path: ca.pem
# mode: 0644

------ EXAMPLE ------

# path: cert.pem
# mode: 0644

------ EXAMPLE ------

# path: key.pem
# mode: 0644

------ EXAMPLE ------
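As an added example (not netjsonconfig's own auto_client implementation), the derivation above can be expressed as a function that takes the server instance and the files to embed and returns the client instance plus file records: server-only keys such as dh and tls_server are dropped, mode becomes client, tls_client, nobind and resolv_retry are switched on, and a remote entry is added. The file record layout (path, mode 0644, contents) and the 1195 fallback port are assumptions read off the rendered output above.

```python
"""Derive an OpenVPN client instance from a server instance (added re-implementation)."""
import copy

# Constructed input: the server instance used on this page.
SERVER_CONFIG = {
    "ca": "ca.pem", "cert": "cert.pem", "dev": "tap0", "dev_type": "tap",
    "dh": "dh.pem", "key": "key.pem", "mode": "server", "name": "example-vpn",
    "proto": "udp", "tls_server": True,
}

# Keys that only make sense on the server side and must not be copied.
SERVER_ONLY = ("dh", "crl_verify", "duplicate_cn", "client_to_client",
               "client_cert_not_required", "username_as_common_name",
               "auth_user_pass_verify", "tls_server")


def derive_client(host, server, files=None):
    """Return (client_instance, file_records) compatible with ``server``.

    ``files`` maps a path to its contents, e.g. {"ca.pem": "..."}; each entry
    becomes a file record (assumed layout: path, mode "0644", contents), the
    way auto_client's *_path / *_contents pairs are rendered on this page.
    """
    client = {k: copy.deepcopy(v) for k, v in server.items() if k not in SERVER_ONLY}
    client["mode"] = "client"
    client["tls_client"] = True
    client["nobind"] = True
    client["resolv_retry"] = True
    # a "tcp-server" server pairs with a "tcp-client" client; udp stays udp
    proto = server.get("proto", "udp")
    client["proto"] = "tcp-client" if proto == "tcp-server" else proto
    # the page's output shows port 1195 when the server sets no explicit port
    client["remote"] = [{"host": host, "port": server.get("port", 1195)}]
    file_records = [{"path": path, "mode": "0644", "contents": contents}
                    for path, contents in sorted((files or {}).items())]
    return client, file_records
```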