openvpn: T6374: ensure that TLS role is configured for site-to-site with TLS

dmbaturin · mergify[bot] · commit a3763a233d13 · 2024-05-28T19:56:27.000Z
(cherry picked from commit 380e998)
diff --git a/src/conf_mode/interfaces_openvpn.py b/src/conf_mode/interfaces_openvpn.py
@@ -260,6 +260,11 @@ def verify(openvpn):
     # OpenVPN site-to-site - VERIFY
     #
     elif openvpn['mode'] == 'site-to-site':
+        # XXX: site-to-site is the only mode that still can work without TLS,
+        # so we need to make sure that if TLS is used, then TLS role is also specified
+        if 'shared_secret_key' not in openvpn['tls'] and 'role' not in openvpn['tls']:
+            raise ConfigError('"tls role" is required for site-to-site OpenVPN with TLS')
+
         if 'local_address' not in openvpn and 'is_bridge_member' not in openvpn:
             raise ConfigError('Must specify "local-address" or add interface to bridge')
 
