Project

General

Profile

Actions

Bug #12188

open

client export breaks multi remote configurations

Added by Jens Groh over 2 years ago. Updated over 2 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
OpenVPN Client Export
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.5.x
Affected Plus Version:
Affected Architecture:
All

Description

https://forum.netgate.com/topic/165560/1-2-bug-client-export-openvpn-ras-udp-server

Hi,

as stated in above forum post I suggest a change in the way the client exporter currently forces "explicit exit notify" to all OVPN RAS UDP configs. We have quite a few customers that run more complex OVPN setups with TCP backup configurations in a single file (second "remote <peer> tcp 443" statement in the same file) that break with the current exporter, as it writes the "exit notify" into the file that won't work with TCP.

So instead of forcing it via

https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-openvpn-client-export/files/usr/local/pkg/openvpn-client-export.inc (line 410++)

    if (stristr($settings['protocol'], "udp")) {
        $conf .= "explicit-exit-notify{$nl}";
    }

I'd use an additional toggle like the "legacy format" or "random local port" one

    /* Use a random local port, otherwise two clients will conflict if they run at the same time.
        May not be supported on older clients (Released before May 2010) */
    if (($randomlocalport != 0) && (substr($expformat, 0, 7) != "yealink") && ($expformat != "snom")) {
        $conf .= "lport 0{$nl}";
    }

and check for the toggle rather than use it on all UDP style VPN services. That way, we can make the toggle on by default but complex setups can disable it and add their additional lines of config in the textbox and save that without generating problems and having to manually edit several dozens of files now.

Cheers
Jens

Actions

Also available in: Atom PDF