#
# {{ netname }} / {{ network_config.get ('_desc', '') }} (Salt managed)
#

{%- set mode = config.get ('mode', 'client') %}
{%- if 'server' in mode %}
local   {{ network_config.get ('server_ip') }}
port    {{ network_config.get ('port') }}

tls-server
{%- elif 'client' in mode %}
remote	{{ config.get ('remote', config.get ('server_ip')) }} {{ network_config.get ('port') }}

tls-client
nobind
{%- endif %}

{%- if 'bind_dev' in config %}
bind-dev	{{ config.get ('bind_dev') }}
{%- endif %}

proto   {{ network_config.get ('proto', 'udp') }}

dev-type {{ network_config.get ('dev-type', 'tap') }}
dev {{ config.get ('interface') }}

{%- if mode == 'server' %}
mode server

client-config-dir /etc/openvpn/{{ netname }}
ccd-exclusive

push "route remote_host  255.255.255.255 net_gateway"
{%- endif %}

ca      /etc/ssl/certs/ffho-cacert.pem
cert    /etc/ssl/certs/{{ host_config.get ('cert_cn', grains['id']) }}.cert.pem
key     /etc/ssl/private/{{ host_config.get ('cert_cn', grains['id']) }}.key.pem
dh      /etc/ssl/dhparam.pem

script-security 2
up      /etc/openvpn/ifup
down    /etc/openvpn/ifdown

keepalive 10 30
{%- if 'server' in mode %}
connect-retry 1 1
{%- endif %}

comp-lzo

persist-key
persist-tun

status /var/log/openvpn/openvpn-status-{{ netname }}.log

verb 1