[pfsense_openvpn_client/server] TLS fixes

- pfsense_openvpn_client/server - apply `tls` setting to config (fixes #132) - pfsense_openvpn_client - add `tls_type` parameter - add some basic valied to complain if `tls` is used with `p2p_shared_key`
pfsensible · Jan 27, 2025 · 9fa194f · 9fa194f
1 parent 3a08e91
commit 9fa194f
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 5 deletions.
diff --git a/changelogs/fragments/openvpn_tls.yml b/changelogs/fragments/openvpn_tls.yml
@@ -0,0 +1,3 @@
+bugfixes:
+  - pfsense_openvpn_client/server - apply ``tls`` setting to config (https://github.com/pfsensible/core/issues/132)
+  - pfsense_openvpn_client - add ``tls_type`` parameter
diff --git a/plugins/module_utils/openvpn_client.py b/plugins/module_utils/openvpn_client.py
@@ -25,6 +25,7 @@
     protocol=dict(default='UDP4', required=False, choices=['UDP4', 'TCP4']),
     dev_mode=dict(default='tun', required=False, choices=['tun', 'tap']),
     tls=dict(required=False, type='str'),
+    tls_type=dict(default='auth', required=False, choices=['auth', 'crypt']),
     ca=dict(required=False, type='str'),
     crl=dict(required=False, type='str'),
     cert=dict(required=False, type='str'),
@@ -160,6 +161,10 @@ def _params_to_obj(self):
                         self.module.fail_json(msg='%s is not a valid certificate' % (self.params['cert']))
                     obj['certref'] = cert_elt.find('refid').text
 
+            if self.params['tls'] is not None:
+                obj['tls'] = self.params['tls']
+                obj['tls_type'] = self.params['tls_type']
+
             if self.params['mode'] == 'p2p_shared_key':
                 obj['shared_key'] = self.params['shared_key']
 
@@ -175,6 +180,10 @@ def _validate_params(self):
         if params['state'] == 'absent':
             return True
 
+        # tls is not valid for p2p_shared_key
+        if params['mode'] == 'p2p_shared_key' and params['tls'] is not None:
+            self.module.fail_json(msg='tls parameter is not valied with p2p_shared_key mode.')
+
         # check tunnel_networks - can be network alias or non-strict IP CIDR network
         self.pfsense.validate_openvpn_tunnel_network(params.get('tunnel_network'), 'ipv4')
         self.pfsense.validate_openvpn_tunnel_network(params.get('tunnel_network6'), 'ipv6')

diff --git a/plugins/module_utils/openvpn_server.py b/plugins/module_utils/openvpn_server.py
@@ -24,7 +24,7 @@
     protocol=dict(default='UDP4', required=False, choices=['UDP4', 'TCP4']),
     dev_mode=dict(default='tun', required=False, choices=['tun', 'tap']),
     tls=dict(required=False, type='str'),
-    tls_type=dict(required=False, choices=['auth', 'crypt']),
+    tls_type=dict(default='auth', required=False, choices=['auth', 'crypt']),
     ca=dict(required=False, type='str'),
     crl=dict(required=False, type='str'),
     cert=dict(required=False, type='str'),
@@ -180,7 +180,8 @@ def _params_to_obj(self):
                 obj['ecdh_curve'] = self.params['ecdh_curve']
                 self._get_ansible_param(obj, 'tls')
 
-            if 'server_tls' in self.params['mode']:
+            if self.params['tls'] is not None:
+                obj['tls'] = self.params['tls']
                 obj['tls_type'] = self.params['tls_type']
 
             if 'server' in self.params['mode']:
@@ -205,6 +206,10 @@ def _validate_params(self):
         if params['state'] == 'absent':
             return True
 
+        # tls is not valid for p2p_shared_key
+        if params['mode'] == 'p2p_shared_key' and params['tls'] is not None:
+            self.module.fail_json(msg='tls parameter is not valied with p2p_shared_key mode.')
+
         # check tunnel_networks - can be network alias or non-strict IP CIDR network
         self.pfsense.validate_openvpn_tunnel_network(params.get('tunnel_network'), 'ipv4')
         self.pfsense.validate_openvpn_tunnel_network(params.get('tunnel_network6'), 'ipv6')

diff --git a/plugins/modules/pfsense_openvpn_client.py b/plugins/modules/pfsense_openvpn_client.py
@@ -66,8 +66,15 @@
     choices: [ 'tun', 'tap' ]
     type: str
   tls:
-    description: TLS Key.  If set to 'generate' it will create a key if one does not already exist.
+    description: TLS Key.  If set to 'generate' it will create a key if one does not already exist.  Not valid with p2p_shared_key mode.
     type: str
+  tls_type:
+    description: Use TLS for authentication ('auth') or encyprtion and authentication ('crypt').  Only used when tls is set.
+    default: 'auth'
+    required: false
+    choices: ["auth", "crypt"]
+    type: str
+    version_added: 0.6.2
   ca:
     description: Certificate Authority name.
     type: str

diff --git a/plugins/modules/pfsense_openvpn_server.py b/plugins/modules/pfsense_openvpn_server.py
@@ -66,10 +66,11 @@
     choices: ['tun', 'tap']
     type: str
   tls:
-    description: TLS Key.  If set to 'generate' it will create a key if one does not already exist.
+    description: TLS Key.  If set to 'generate' it will create a key if one does not already exist.  Not valid with p2p_shared_key mode.
     type: str
   tls_type:
-    description: Use TLS for authentication ('auth') or encyprtion and authentication ('crypt').
+    description: Use TLS for authentication ('auth') or encyprtion and authentication ('crypt').  Only used when tls is set.
+    default: 'auth'
     required: false
     choices: ["auth", "crypt"]
     type: str

diff --git a/tests/unit/plugins/modules/test_pfsense_openvpn_server.py b/tests/unit/plugins/modules/test_pfsense_openvpn_server.py
@@ -109,6 +109,7 @@ def check_target_elt(self, obj, target_elt):
             obj['shared_key'] = TLSKEY
         if 'tls' in obj and obj['tls'] == 'generate':
             obj['tls'] = TLSKEY
+            obj['tls_type'] = 'auth'
 
         self.check_param_equal(obj, target_elt, 'name', xml_field='description')
         self.check_param_equal(obj, target_elt, 'custom_options')