Bug #12219: Prevent using OpenVPN "Inactive" option with point-to-point modes
Status: Closed
% Done: 100
Description
By default on current versions we set the OpenVPN server option Inactive to 300 (see #11699), but this should only be done for SSL/TLS in server mode (tunnel network larger than /30).
For point-to-point mode, this option causes the server itself to terminate. This means that once the OpenVPN client tries to re-establish, it fails to do so until the service is manually started back up.
See also #12102 where there is a similar scenario for exit notify.
On clients, we already set Inactive to 0 by default. The recent change to Inactive 300 was only for server instances.
Given the unexpected behavior, we should probably prevent the option from being used on both clients and servers when they are in point-to-point mode.
The GUI option should be hidden when choosing shared key, and if set in the instance it should not be added to the generated OpenVPN configuration.
For SSL/TLS with a /30 or smaller tunnel network it's not so clear. We could add a warning to the option saying it will be ignored, or we could generate an input validation error.
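The two rules the description lays out (never emit the option in shared-key mode; for SSL/TLS with a /30 or smaller tunnel network, warn that it will be ignored) as an added Python example. This is not pfSense's own code: the Instance fields, function names and the choice of a warning rather than an input validation error for the /30 case are assumptions, and only the IPv4 /30 rule from the issue is implemented.

```python
import ipaddress
from typing import NamedTuple, Optional

# Hypothetical representation of one OpenVPN instance; pfSense's real
# config keys are not reproduced here.
class Instance(NamedTuple):
    role: str            # "server" or "client"
    auth_mode: str       # "shared_key" (point-to-point) or "tls"
    tunnel_network: str  # IPv4 CIDR such as "10.8.0.0/24", "" if unset
    inactive: int        # configured Inactive seconds; 0 disables

def is_point_to_point(inst: Instance) -> bool:
    """Shared key is always point-to-point; a TLS instance whose tunnel
    network is /30 or smaller can only ever hold one peer, so it is too."""
    if inst.auth_mode == "shared_key":
        return True
    if not inst.tunnel_network:
        return False
    net = ipaddress.ip_network(inst.tunnel_network, strict=False)
    # Only the IPv4 /30 rule from the issue is modelled (assumption).
    return net.version == 4 and net.prefixlen >= 30

def render_inactive(inst: Instance) -> tuple[list[str], Optional[str]]:
    """Return the config lines to emit for 'inactive' and an optional
    warning for the GUI. Point-to-point instances never get the option,
    because the server process itself would exit on inactivity and not
    come back until the service is restarted by hand."""
    if inst.inactive <= 0:
        return [], None
    if inst.auth_mode == "shared_key":
        # Option is hidden in the GUI for shared key; silently dropped here.
        return [], None
    if is_point_to_point(inst):
        warning = (f"Inactive ignored: tunnel network {inst.tunnel_network} "
                   "is /30 or smaller, so this instance is point-to-point")
        return [], warning
    return [f"inactive {inst.inactive}"], None

if __name__ == "__main__":
    for inst in (Instance("server", "shared_key", "10.8.0.1/30", 300),
                 Instance("server", "tls", "10.8.0.0/30", 300),
                 Instance("server", "tls", "10.8.0.0/24", 300)):
        print(inst.auth_mode, inst.tunnel_network, render_inactive(inst))
```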
Updated by Jim Pingle over 3 years ago
- Status changed from New to In Progress
- Assignee set to Jim Pingle
Updated by Jim Pingle over 3 years ago
- Status changed from In Progress to Pull Request Review
Updated by Jim Pingle over 3 years ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset 0a70f90aff9cc2fc7fc5f5dc551a708ee349ea07.
Updated by Jim Pingle over 3 years ago
- Status changed from Feedback to Resolved
Works as expected on current snapshot.
Updated by Jim Pingle about 3 years ago
- Plus Target Version changed from 21.09 to 22.01