Prevent using OpenVPN "Exit Notify" option with point-to-point modes
When establishing an OpenVPN client/server site to site in 21.05, if the OpenVPN client (on another box) makes any changes that causes a link down/up event, the OpenVPN server (on 21.05) service has to be restarted in a Peer to Peer Shared Key mode because the link down event shuts down the service with a SIGTERM.
Jul 3 16:48:38 openvpn 85989 /usr/local/sbin/ovpn-linkdown ovpns2 1500 1572 192.168.250.1 192.168.250.2 init
Jul 3 16:48:38 openvpn 85989 SIGTERM[soft,exit-with-notification] received, process exiting
This means that once the OpenVPN client tries to re-establish, it fails to do so until the service is manually started back up. This can be worked around by setting up Service Watchdog to automatically "kick" the service back on, but I don't think this is intentional.
Updated by Kris Phillips 10 months ago
Jim Pingle wrote:
What is "Exit Notify" set to on both ends when this happens? From the log, that is why it terminated. Odds are the settings in place on both ends aren't ideal for this situation.
If the Exit Notify setting should be different, we probably should update that field when a user selects Site to Site like we do for the other fields. I used the default settings for Exit Notify when I built the Site to Site tunnel.
Updated by Jim Pingle 10 months ago
- Subject changed from Changes on OpenVPN Client in Peer to Peer Shared Key shuts down OpenVPN server on 21.05 to Prevent using OpenVPN Exit Notify option with point-to-point modes
- Status changed from Feedback to Confirmed
Was just looking at this on a forum thread and this is not site-to-site vs RA but point-to-multipoint (client/server) vs point-to-point, so Shared Key or SSL/TLS with a /30 subnet. Exit notify doesn't work as users expect with point-to-point mode so it should be prevented there.
Using Exit Notify with SSL/TLS as either RA or Site-to-Site is fine so long as it uses a tunnel network larger than /30.
So we need to:
- Hide the GUI option for shared key entirely
- Fire off an input validation warning if someone tries to set it on a /30 or smaller SSL/TLS setup
- Prevent the option from being added to the OpenVPN config in both these cases for users who already have the setting on a tunnel
- Probably a good idea to detect this case and strip it out in upgrade code, too
Updated by Jim Pingle 9 months ago
- Status changed from In Progress to Pull Request Review