pfSense

Notes:
Maybe one option would be to add an option "Client setting override server defined client options"
This option would do a "push-remove" for any override defined option, mainly the DNS options because there is currently no way o override them without a "push-reset" triggered by "Prevent this client from receiving any server-defined client settings."
The relevant code is here:
https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/vpn_openvpn_csc.php#L458

Or like I wrote above, after the triggered push-reset, properly push the topology and gateway route

Also, maybe when we check "Prevent this client from receiving any server-defined routes without removing any other options.", it seems to cause a "push-remove route":
https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/vpn_openvpn_csc.php#L465
We should either warn that the gateway is unspecified or better offer a field to specify the gateway

Jim Pingle wrote in #note-2:

It's doing exactly what it says. Normally the client configuration would include the topology rather than having it pushed. People who use that option now typically want what it does exactly, they don't want anything pushed from the server and want to manage it all themselves, which is what it currently does.

It sounds like what you want is more like pull-filter on the clients.

This could still be a potential new feature in the future (or set of new features) but it's not a bug since it's operating as designed.

The bug part is this:
When that option is checked, the DNS Settings and any custom available option we set in the Client-Specific Override page is properly pushed to the client when we set it in the GUI, except the topology !

Basically, here are some of the GUI options pushed properly from Client Specific Overrides:
+ IPv4 Tunnel Network: ifconfig-push client_ip mask
+ Redirect gateway: push "redirect-gateway def1"
+ DNS server: push "dhcp-option DNS ip"
+ NTP server: push "dhcp-option NTP ip"

However, the "IPv4 Tunnel Network" help tip in GUI says:

The virtual IPv4 network used for private communications between this client and the server expressed using CIDR (e.g. 10.0.8.5/24).
With subnet topology, enter the client IP address and the subnet mask must match the IPv4 Tunnel Network on the server.
With net30 topology, the first network address of the /30 is assumed to be the server address and the second network address will be assigned to the client.

We first understand that setting IP/24 should push topology subnet and setting IP/30 should push the net30 topology, which is not the case.

The overrides pages is full of options except two of the mandatory ones to make the connection work: push topology and push route-gateway
Maybe it would be more functional and user friendly to:
- add the gateway option in overrides page
- push the proper topology as the help tip states when we set the "IPv4 Tunnel Network" field
- or add the topology field in the overrides if you want to separate it from "IPv4 Tunnel Network"

A last note if the features are revised added/once:
The title of the tab is "Client-Specific Override". I never expected when defining some DNS entries that they are pushed at the bottom of the dns list after the dns servers were pushed. I expected the dns entries here properly override the server dns entries.
Maybe the help tips should get improved, or adding a check box "override server options" that will do a push-remove for the specified overrides in this tab

Also, adding a tip to specify what the existing checkboxes actually do: push-reset, push-remove...
Thank you for looking at it and best regards

Phil Wardt wrote in #note-3:

Jim Pingle wrote in #note-2:
The bug part is this:
When that option is checked, the DNS Settings and any custom available option we set in the Client-Specific Override page is properly pushed to the client when we set it in the GUI, except the topology !

Yes, that's exactly expected. When you check it, nothing from the server is pushed, only the settings from the override. There is no setting on the override for toplogy.

However, the "IPv4 Tunnel Network" help tip in GUI says:
[...]
We first understand that setting IP/24 should push topology subnet and setting IP/30 should push the net30 topology, which is not the case.

You have that backward, it's saying your value here must match the topology used on the server. It does not control the topology sent to the client.

The overrides pages is full of options except two of the mandatory ones to make the connection work: push topology and push route-gateway
Maybe it would be more functional and user friendly to:
- add the gateway option in overrides page
- push the proper topology as the help tip states when we set the "IPv4 Tunnel Network" field
- or add the topology field in the overrides if you want to separate it from "IPv4 Tunnel Network"

Adding new fields for those two is possible, but it's not a bug, it's a feature request. I would not automatically push a topology to a client by guessing based on the subnet mask, it should be a drop-down selection. If it were to copy the value from the server there would need to be additional validation forcing the user to make the override active only on a single server instance, which would add more complexity and room for error.

Jim Pingle wrote in #note-5:

Yes, that's exactly expected. When you check it, nothing from the server is pushed, only the settings from the override. There is no setting on the override for toplogy.

You have that backward, it's saying your value here must match the topology used on the server. It does not control the topology sent to the client.

Adding new fields for those two is possible, but it's not a bug, it's a feature request.

I get your point now that I understood it. But at first, it took me a while to figure it out and look at the client debug code to find the pushed options. I thiught it was a bug somewhere because it works on OpenVPN for Android out of the box, but fails on OpenVPN Connect client which is more strict regarding topology and gateway

Well, let's hope someone looks at the code there once, or maybe just enhancing the help man or the tool tips

Thank you

Jim Pingle wrote in #note-5:

Yes, that's exactly expected. When you check it, nothing from the server is pushed, only the settings from the override. There is no setting on the override for toplogy.
Adding new fields for those two is possible, but it's not a bug, it's a feature request.

I took a little time and adapted the GUI as below:
https://philz-cwm6.github.io/pfsense_preview/vpn_openvpn_csc_v1dot3_gui.html

GUI Changes:
- add individual server overrides for the optional client settings (local routes/gateway, remote routes, DNS, NTP, Netbios...)
- add option to override topology when selecting "Remove All Server Options" (push-reset)
- add option to set gateways (useful when removing routes)
- add option to override Redirect IPv6 Gateway in addition to existing IPv4 option
- move all server override options to the "Override Configuration" group
- hide override options with a "Select Server Overrides" toggle
- disable un-needed overrides when "Remove All Server Options" (push-reset) is selected
- when "Redirect IPv4/6 Gateway" is toggled, the Local Routes fields are hidden/shown correspondingly like for the server edit part
- fix bug when "0" is entered in DNS/Domain... fields (using !empty() discards 0)
- fix GUI toggle for NTP and DNS options causes inverted results when repeating clicks too quickly

Please use the provided html link to test the GUI only part. I tried to make it openvpn noob friendly.
https://philz-cwm6.github.io/pfsense_preview/vpn_openvpn_csc_v1dot3_gui.html

If it seems fine to you, I will push the source and start adapting code in openvpn.inc file. That should be the simpler part, the harder was the GUI to find something friendly.

A last note: the changes are very conservative and follow the code / layout of vpn_openvpn_server.php code
- One of the commits also changes deprecated variables from legacy to new which seems to be safe in my tests but needs a closer look:
https://github.com/pfsense/pfsense/pull/4570/commits/9ef7329d210adbd2e377a97e3bda03bd4f547799

- Also, I commented the ipv6 gateway code I added (same as server current implementation)
https://github.com/pfsense/pfsense/pull/4570/commits/9876e6fb58320d3f3bbc9bb11279e46cd0607cfd

I pushed a clean version for 2.7
Hope it can be reviewed

https://github.com/pfsense/pfsense/pull/4570

Preview link:
https://philz-cwm6.github.io/pfsense_preview/vpn_openvpn_csc_v1dot3_gui.html

Patches for 2.7 attached

I updated the commit as you suggested
https://github.com/pfsense/pfsense/pull/4570