OpenVPN Backend

The OpenVpn backend allows to generate OpenVPN 2.x.x compatible configurations.

Its schema is limited to a subset of the features available in OpenVPN and it doesn’t recognize interfaces, radios, wireless settings and so on.

The main methods work just like the OpenWrt backend:

  • __init__

  • render

  • generate

  • write

  • json

The main differences are in the resulting configuration and in its schema.

See an example of initialization and rendering below:

from netjsonconfig import OpenVpn

config = OpenVpn(
    {
        "openvpn": [
            {
                "ca": "ca.pem",
                "cert": "cert.pem",
                "dev": "tap0",
                "dev_type": "tap",
                "dh": "dh.pem",
                "key": "key.pem",
                "mode": "server",
                "name": "example-vpn",
                "proto": "udp",
                "tls_server": True,
            }
        ]
    }
)
print(config.render())

Will return the following output:

# openvpn config: test-no-status

ca ca.pem
cert cert.pem
dev tap0
dev-type tap
dh dh.pem
key key.pem
mode server
proto udp
tls-server

OpenVPN backend schema

The OpenVpn backend schema is limited, it only recognizes an openvpn key with a list of dictionaries representing vpn instances. The structure of these dictionaries is described below.

Alternatively you may also want to take a look at the OpenVPN JSON-Schema source code.

According to the NetJSON spec, any unrecognized property will be ignored.

General settings (valid both for client and server)

Required properties:

  • name

  • mode

  • proto

  • dev

key name

type

default

allowed values

name

string

2 to 24 alphanumeric characters, dashes and underscores

mode

string

p2p or server

proto

string

udp, tcp-client, tcp-server

port

integer

1194

integers

data_ciphers

list

list of dicts, each dict need to have cipher and optional, see cipher property source code for the allowed ciphers

data_ciphers_fallback

string

see cipher property source code

dev_type

string

tun, tap

dev

string

any non-whitespace character (max length: 15)

local

string

any string

comp_lzo

string

adaptive

yes, no or adaptive

auth

string

SHA1

see auth property source code

cipher

string

BF-CBC

see cipher property source code

engine

string

bsd, rsax, dynamic or empty string

ca

string

any non whitespace character

cert

string

any non whitespace character

key

string

any non whitespace character

pkcs12

string

any non whitespace character

tls_auth

string

string containing TLS Auth key

ns_cert_type

string

client, server or empty string

mtu_disc

string

no

no, maybe or yes

mtu_test

boolean

False

fragment

integer

0

any positive integer

mssfix

integer

1450

any positive integer

keepalive

string

two numbers separated by one space

persist_tun

boolean

False

persist_key

boolean

False

up

string

any non whitespace character

up_delay

integer

0

any positive integer

down

string

any non whitespace character

script_security

integer

1

0, 1, 2, 3

user

string

any string

group

string

any string

mute

integer

0

any positive integer

status

string

string and number separated by space, eg: /var/log/openvpn.status 10

status_version

integer

1

1, 2, 3

mute_replay_warnings

boolean

False

secret

string

any non whitespace character

reneg_sec

integer

3600

any positive integer

tls_timeout

integer

2

any positive integer

tls_cipher

string

any string

remote_cert_tls

string

client, server or empty string

float

boolean

False

auth_nocache

boolean

False

fast_io

boolean

False

log

string

filesystem path

verb

integer

1

from 0 (disabled) to 11 (very verbose)

Client specific settings

Required properties:

  • remote

key name

type

default

allowed values

remote

list

[]

list of dictionaries containing host (str) and port (str). Must contain at least one element

nobind

boolean

True

resolv_retry

boolean

True

tls_client

boolean

True

pull

boolean

True

remote_random

boolean

False

auth_user_pass

string

any non whitespace character

auth_retry

string

none

none, nointeract or interact

Server specific settings

key name

type

default

allowed values

tls_server

boolean

True

dh

string

any non whitespace character

crl_verify

string

any non whitespace character

duplicate_cn

boolean

False

client_to_client

boolean

False

client_cert_not_required

boolean

False

username_as_common_name

boolean

False

auth_user_pass_verify

string

any non whitespace character

Working around schema limitations

The schema does not include all the possible OpenVPN settings, but it can render appropiately any property not included in the schema as long as its type is one the following:

  • boolean

  • integer

  • strings

  • lists

For a list of all the OpenVPN configuration settings, refer to the OpenVPN 2.3 manual.

Automatic generation of clients

classmethod OpenVpn.auto_client(host, server, ca_path=None, ca_contents=None, cert_path=None, cert_contents=None, key_path=None, key_contents=None)[source]

Returns a configuration dictionary representing an OpenVPN client configuration that is compatible with the passed server configuration.

Parameters:
  • host – remote VPN server

  • server – dictionary representing a single OpenVPN server configuration

  • ca_path – optional string representing path to CA, will consequently add a file in the resulting configuration dictionary

  • ca_contents – optional string representing contents of CA file

  • cert_path – optional string representing path to certificate, will consequently add a file in the resulting configuration dictionary

  • cert_contents – optional string representing contents of cert file

  • key_path – optional string representing path to key, will consequently add a file in the resulting configuration dictionary

  • key_contents – optional string representing contents of key file

Returns:

dictionary representing a single OpenVPN client configuration

Example:

from netjsonconfig import OpenVpn

server_config = {
    "ca": "ca.pem",
    "cert": "cert.pem",
    "dev": "tap0",
    "dev_type": "tap",
    "dh": "dh.pem",
    "key": "key.pem",
    "mode": "server",
    "name": "example-vpn",
    "proto": "udp",
    "tls_server": True,
}
dummy_contents = "------ EXAMPLE ------"
client_config = OpenVpn.auto_client(
    "vpn1.test.com",
    server=server_config,
    ca_path="ca.pem",
    ca_contents=dummy_contents,
    cert_path="cert.pem",
    cert_contents=dummy_contents,
    key_path="key.pem",
    key_contents=dummy_contents,
)
client = OpenVpn(client_config)
print(client.render())

Will be rendered as:

# openvpn config: example-vpn

ca ca.pem
cert cert.pem
dev tap0
dev-type tap
key key.pem
mode p2p
nobind
proto udp
remote vpn1.test.com 1195
resolv-retry
tls-client

# ---------- files ---------- #

# path: ca.pem
# mode: 0644

------ EXAMPLE ------

# path: cert.pem
# mode: 0644

------ EXAMPLE ------

# path: key.pem
# mode: 0644

------ EXAMPLE ------