Bug #13116
closed
OpenVPN client ``tls-client``/``client`` configuration directive not handled properly
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.05
Release Notes: Default
Affected Version:
Affected Architecture:
Description
There are a few problems with how we currently build a client configuration using the ``tls-client`` and ``client`` directives.

- In current versions of OpenVPN ``client`` expands to ``tls-client`` and ``pull`` so it is redundant to have ``tls-client`` and ``client``, but both end up in generated TLS client configurations
- ``pull`` should not be used with peer-to-peer modes (SSL/TLS with /30 or smaller subnet for a single client, or shared key mode), but currently we put in ``client`` on both of those cases which is invalid. (Though due to a bug in the shared key test, it ends up correctly omitted)
- OpenVPN complains if the configuration contains ``ifconfig`` and ``pull`` together, so ``pull`` should probably be omitted if there is any tunnel network defined. There may be other cases where it's valid (tap mode maybe?)

Static client addresses in client/server mode should be set in CSO entries on the server and not in client tunnel networks. If the user wants this behavior they could always add ``pull`` to custom options on their own. We could add a GUI option to force ``pull`` but that may be confusing since it should almost never be used.
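
A way to check a generated client configuration for the three conflicts listed in the description, as an added example that is not part of the original report or the project's code. The function names, finding labels, and sample configurations (addresses, host name, key path) are constructed for illustration.

```python
# Added example: lint OpenVPN client config text for the directive
# conflicts described in this issue. All names here are hypothetical.

def directives(config_text):
    """Return the set of directive names, skipping comments and inline blocks."""
    names, in_block = set(), False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):          # end of an inline <ca>/<key> block
            in_block = False
        elif line.startswith("<"):         # start of an inline block
            in_block = True
        elif not in_block:
            names.add(line.split()[0].lstrip("-"))
    return names

def lint_client_config(config_text):
    """Return a list of finding labels for the conflicts in the report."""
    seen = directives(config_text)
    effective = set(seen)
    if "client" in seen:                   # client expands to tls-client + pull
        effective |= {"tls-client", "pull"}
    findings = []
    if {"client", "tls-client"} <= seen:
        findings.append("redundant-tls-client")
    if "pull" in effective and "secret" in seen:
        findings.append("pull-with-shared-key")
    if "pull" in effective and "ifconfig" in seen:
        findings.append("pull-with-ifconfig")
    return findings

# Constructed sample configurations.
TLS_REDUNDANT = "dev tun\ntls-client\nclient\nremote vpn.example.com 1194 udp\n"
P2P_TLS = "dev tun\nclient\nifconfig 10.0.8.2 10.0.8.1\n"
SHARED_KEY = ("dev tun\nclient\nsecret /etc/openvpn/shared.key\n"
              "ifconfig 10.0.9.2 10.0.9.1\n")
P2P_FIXED = "dev tun\ntls-client\n# pull omitted\nifconfig 10.0.8.2 10.0.8.1\n"

if __name__ == "__main__":
    for name, cfg in [("tls", TLS_REDUNDANT), ("p2p", P2P_TLS),
                      ("shared", SHARED_KEY), ("fixed", P2P_FIXED)]:
        print(name, lint_client_config(cfg))
```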