Bug #12188

open

client export breaks multi remote configurations

Added by Jens Groh 6 months ago. Updated 4 months ago.

Status: New
Priority: Normal
Assignee: -
Category: OpenVPN Client Export
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.5.x
Affected Plus Version:
Affected Architecture: All

Description

https://forum.netgate.com/topic/165560/1-2-bug-client-export-openvpn-ras-udp-server

Hi,

as stated in the above forum post, I suggest a change in the way the client exporter currently forces "explicit exit notify" onto all OVPN RAS UDP configs. We have quite a few customers that run more complex OVPN setups with TCP backup configurations in a single file (a second "remote <peer> tcp 443" statement in the same file) that break with the current exporter, as it writes the "exit notify" into the file, which won't work with TCP.

So instead of forcing it via

https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-openvpn-client-export/files/usr/local/pkg/openvpn-client-export.inc (line 410++)

    if (stristr($settings['protocol'], "udp")) {
        $conf .= "explicit-exit-notify{$nl}";
    }

I'd use an additional toggle like the "legacy format" or "random local port" one

    /* Use a random local port, otherwise two clients will conflict if they run at the same time.
        May not be supported on older clients (Released before May 2010) */
    if (($randomlocalport != 0) && (substr($expformat, 0, 7) != "yealink") && ($expformat != "snom")) {
        $conf .= "lport 0{$nl}";
    }

and check for the toggle rather than applying it to all UDP-style VPN services. That way, we can have the toggle on by default, but complex setups can disable it, add their additional lines of config in the textbox and save that without generating problems and having to manually edit several dozen files now.

Cheers
Jens
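The following is an added illustration of the change requested above; it is example code, not code from the pfSense-pkg-openvpn-client-export package or from the reporter. It mirrors the two quoted snippets and gates the "explicit-exit-notify" line behind a hypothetical `$explicitexitnotify` toggle next to the existing `$randomlocalport` one, then runs a small check over the finished file that flags the combination the report describes (explicit-exit-notify together with a TCP remote). The toggle name, the `build_client_conf`/`find_exit_notify_tcp_conflicts` functions, the simplified lport condition and the sample host and settings are all assumptions for illustration.

```php
<?php
// Added example, not the pfSense client-export package code.
// Mirrors the two snippets quoted in the report and adds a hypothetical
// $explicitexitnotify toggle alongside the existing $randomlocalport one.
// The toggle name, the $settings keys, the sample values and the
// simplified lport condition (no yealink/snom special case) are assumptions.

/**
 * Build the client-side lines the exporter would write for one export.
 *
 * @param array  $settings           Server settings; only 'protocol' is used here.
 * @param string $custom             Extra lines the admin typed into the
 *                                   "additional configuration" textbox.
 * @param bool   $randomlocalport    Existing toggle: emit "lport 0".
 * @param bool   $explicitexitnotify Proposed toggle: emit "explicit-exit-notify".
 * @param string $nl                 Line terminator for the target platform.
 */
function build_client_conf(array $settings, string $custom,
                           bool $randomlocalport, bool $explicitexitnotify,
                           string $nl = "\n"): string {
    $conf = "";
    // The exporter currently emits this unconditionally for UDP; here the
    // UDP check stays but is gated by the toggle so that multi-remote
    // configs with a TCP fallback can opt out.
    if ($explicitexitnotify && stristr($settings['protocol'], "udp")) {
        $conf .= "explicit-exit-notify{$nl}";
    }
    if ($randomlocalport) {
        $conf .= "lport 0{$nl}";
    }
    // Admin-supplied lines are appended verbatim, as the exporter does.
    if ($custom !== "") {
        $conf .= rtrim($custom) . $nl;
    }
    return $conf;
}

/**
 * Sanity check on a finished config: explicit-exit-notify only makes sense
 * over UDP, so flag it when any "remote" line selects TCP.
 * Returns the offending remote lines (empty array = no conflict).
 */
function find_exit_notify_tcp_conflicts(string $conf): array {
    $lines = preg_split('/\r\n|\r|\n/', $conf);
    $has_exit_notify = false;
    $tcp_remotes = [];
    foreach ($lines as $line) {
        // Strip "#" and ";" comments, then skip blank lines.
        $line = trim(preg_replace('/[#;].*$/', '', $line));
        if ($line === "") {
            continue;
        }
        $tokens = preg_split('/\s+/', $line);
        if ($tokens[0] === "explicit-exit-notify") {
            $has_exit_notify = true;
        }
        // "remote <host> [port] [proto]": the protocol is the optional 4th
        // token; "tcp", "tcp-client" etc. all start with "tcp".
        if ($tokens[0] === "remote" && isset($tokens[3])
            && stripos($tokens[3], "tcp") === 0) {
            $tcp_remotes[] = $line;
        }
    }
    return $has_exit_notify ? $tcp_remotes : [];
}

// Constructed sample: a UDP RAS server whose admin added a TCP/443 fallback
// remote in the textbox, as described in the report.
$settings = ['protocol' => 'UDP4'];
$custom   = "remote vpn.example.invalid 443 tcp";

// Today's behaviour (toggle forced on) produces the conflicting combination.
$forced = "remote vpn.example.invalid 1194 udp\n"
        . build_client_conf($settings, $custom, true, true);
echo "Forced explicit-exit-notify:\n{$forced}";
echo "Conflicts: " . implode(", ", find_exit_notify_tcp_conflicts($forced)) . "\n\n";

// With the toggle off, the same multi-remote file exports cleanly.
$opted_out = "remote vpn.example.invalid 1194 udp\n"
           . build_client_conf($settings, $custom, true, false);
echo "Toggle disabled:\n{$opted_out}";
echo "Conflicts: " . count(find_exit_notify_tcp_conflicts($opted_out)) . "\n";
```

Run with `php example.php`: the first export lists the TCP remote as a conflict, the second reports zero. The checker is intentionally conservative (it only looks at the protocol token of `remote` lines and at a bare `explicit-exit-notify` directive), which is enough to catch the case the report describes without parsing the full OpenVPN grammar.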

Actions #1

Updated by Pippin MMD 6 months ago

OpenVPN devs were/are aware of this, and it is currently being looked at.
Maybe a solution is near :)

Actions #3

Updated by Kris Phillips 4 months ago

Based on reviewing the bug report with OpenVPN, there doesn't appear to be anything that needs to be done here. They're adding a fix for OpenVPN to ignore --explicit-exit-notify if the client is using TCP mode. We will simply need to update the OpenVPN subsystem once this patch is in a release, which should happen on the next major release (assuming it's fixed upstream first).
