OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers (backport #3823)

data/templates/openvpn/server.conf.j2

@@ -208,8 +208,8 @@ tls-server
 {%     if encryption.cipher is vyos_defined %}
 cipher {{ encryption.cipher | openvpn_cipher }}
 {%     endif %}
-{%     if encryption.ncp_ciphers is vyos_defined %}
-data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }}
+{%     if encryption.data_ciphers is vyos_defined %}
+data-ciphers {{ encryption.data_ciphers | openvpn_data_ciphers }}
 {%     endif %}
 {% endif %}
 providers default

interface-definitions/include/version/openvpn-version.xml.i

@@ -1,3 +1,3 @@
 <!-- include start from include/version/openvpn-version.xml.i -->
-<syntaxVersion component='openvpn' version='3'></syntaxVersion>
+<syntaxVersion component='openvpn' version='4'></syntaxVersion>
 <!-- include end -->

interface-definitions/interfaces_openvpn.xml.in

@@ -87,7 +87,7 @@
                   </constraint>
                 </properties>
               </leafNode>
-              <leafNode name="ncp-ciphers">
+              <leafNode name="data-ciphers">
                 <properties>
                   <help>Cipher negotiation list for use in server or client mode</help>
                   <completionHelp>

python/vyos/template.py

@@ -556,8 +556,8 @@ def get_openvpn_cipher(cipher):
         return openvpn_translate[cipher].upper()
     return cipher.upper()
 
-@register_filter('openvpn_ncp_ciphers')
-def get_openvpn_ncp_ciphers(ciphers):
+@register_filter('openvpn_data_ciphers')
+def get_openvpn_data_ciphers(ciphers):
     out = []
     for cipher in ciphers:
         if cipher in openvpn_translate:

smoketest/config-tests/dialup-router-medium-vpn

@@ -39,7 +39,7 @@ set interfaces ethernet eth1 offload sg
 set interfaces ethernet eth1 offload tso
 set interfaces ethernet eth1 speed 'auto'
 set interfaces loopback lo
-set interfaces openvpn vtun0 encryption ncp-ciphers 'aes256'
+set interfaces openvpn vtun0 encryption data-ciphers 'aes256'
 set interfaces openvpn vtun0 hash 'sha512'
 set interfaces openvpn vtun0 ip adjust-mss '1380'
 set interfaces openvpn vtun0 ip source-validation 'strict'
@@ -58,7 +58,7 @@ set interfaces openvpn vtun0 tls ca-certificate 'openvpn_vtun0_2'
 set interfaces openvpn vtun0 tls certificate 'openvpn_vtun0'
 set interfaces openvpn vtun1 authentication password 'vyos1'
 set interfaces openvpn vtun1 authentication username 'vyos1'
-set interfaces openvpn vtun1 encryption ncp-ciphers 'aes256'
+set interfaces openvpn vtun1 encryption data-ciphers 'aes256'
 set interfaces openvpn vtun1 hash 'sha1'
 set interfaces openvpn vtun1 ip adjust-mss '1380'
 set interfaces openvpn vtun1 keep-alive failure-count '3'
@@ -83,7 +83,7 @@ set interfaces openvpn vtun1 tls ca-certificate 'openvpn_vtun1_2'
 set interfaces openvpn vtun2 authentication password 'vyos2'
 set interfaces openvpn vtun2 authentication username 'vyos2'
 set interfaces openvpn vtun2 disable
-set interfaces openvpn vtun2 encryption ncp-ciphers 'aes256'
+set interfaces openvpn vtun2 encryption data-ciphers 'aes256'
 set interfaces openvpn vtun2 hash 'sha512'
 set interfaces openvpn vtun2 ip adjust-mss '1380'
 set interfaces openvpn vtun2 keep-alive failure-count '3'

smoketest/scripts/cli/test_interfaces_openvpn.py

@@ -123,7 +123,7 @@ def test_openvpn_client_verify(self):
         interface = 'vtun2000'
         path = base_path + [interface]
         self.cli_set(path + ['mode', 'client'])
-        self.cli_set(path + ['encryption', 'ncp-ciphers', 'aes192gcm'])
+        self.cli_set(path + ['encryption', 'data-ciphers', 'aes192gcm'])
 
         # check validate() - cannot specify local-port in client mode
         self.cli_set(path + ['local-port', '5000'])
@@ -197,7 +197,7 @@ def test_openvpn_client_interfaces(self):
             auth_hash = 'sha1'
 
             self.cli_set(path + ['device-type', 'tun'])
-            self.cli_set(path + ['encryption', 'ncp-ciphers', 'aes256'])
+            self.cli_set(path + ['encryption', 'data-ciphers', 'aes256'])
             self.cli_set(path + ['hash', auth_hash])
             self.cli_set(path + ['mode', 'client'])
             self.cli_set(path + ['persistent-tunnel'])
@@ -371,7 +371,7 @@ def test_openvpn_server_subnet_topology(self):
             port = str(2000 + ii)
 
             self.cli_set(path + ['device-type', 'tun'])
-            self.cli_set(path + ['encryption', 'ncp-ciphers', 'aes192'])
+            self.cli_set(path + ['encryption', 'data-ciphers', 'aes192'])
             self.cli_set(path + ['hash', auth_hash])
             self.cli_set(path + ['mode', 'server'])
             self.cli_set(path + ['local-port', port])
@@ -462,8 +462,8 @@ def test_openvpn_site2site_verify(self):
 
         self.cli_set(path + ['mode', 'site-to-site'])
 
-        # check validate() - encryption ncp-ciphers cannot be specified in site-to-site mode
-        self.cli_set(path + ['encryption', 'ncp-ciphers', 'aes192gcm'])
+        # check validate() - cipher negotiation cannot be enabled in site-to-site mode
+        self.cli_set(path + ['encryption', 'data-ciphers', 'aes192gcm'])
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
         self.cli_delete(path + ['encryption'])

src/conf_mode/interfaces_openvpn.py

@@ -322,8 +322,8 @@ def verify(openvpn):
             if v4addr in openvpn['local_address'] and 'subnet_mask' not in openvpn['local_address'][v4addr]:
                 raise ConfigError('Must specify IPv4 "subnet-mask" for local-address')
 
-        if dict_search('encryption.ncp_ciphers', openvpn):
-            raise ConfigError('NCP ciphers can only be used in client or server mode')
+        if dict_search('encryption.data_ciphers', openvpn):
+            raise ConfigError('Cipher negotiation can only be used in client or server mode')
 
     else:
         # checks for client-server or site-to-site bridged
@@ -536,7 +536,7 @@ def verify(openvpn):
 
         if dict_search('encryption.cipher', openvpn):
             raise ConfigError('"encryption cipher" option is deprecated for TLS mode. '
-                              'Use "encryption ncp-ciphers" instead')
+                              'Use "encryption data-ciphers" instead')
 
     if dict_search('encryption.cipher', openvpn) == 'none':
         print('Warning: "encryption none" was specified!')

src/migration-scripts/openvpn/3-to-4

@@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+# Copyright 2024 VyOS maintainers and contributors <[email protected]>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+# Renames ncp-ciphers option to data-ciphers
+
+from vyos.configtree import ConfigTree
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(['interfaces', 'openvpn']):
+        # Nothing to do
+        return
+
+    ovpn_intfs = config.list_nodes(['interfaces', 'openvpn'])
+    for i in ovpn_intfs:
+        #Rename 'encryption ncp-ciphers' with 'encryption data-ciphers'
+        ncp_cipher_path = ['interfaces', 'openvpn', i, 'encryption', 'ncp-ciphers']
+        if config.exists(ncp_cipher_path):
+            config.rename(ncp_cipher_path, 'data-ciphers')