Project

General

Profile

Actions

Bug #13116

closed

OpenVPN client ``tls-client``/``client`` configuration directive not handled properly

Added by Jim Pingle over 2 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
OpenVPN
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.05
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

There are a few problems with how we currently build a client configuration using the tls-client and client directives.

  • In current versions of OpenVPN client expands to tls-client and pull so it is redundant to have tls-client and client, but both end up in generated TLS client configurations
  • pull should not be used with peer-to-peer modes (SSL/TLS with /30 or smaller subnet for a single client, or shared key mode), but currently we put in client on both of those cases which is invalid. (Though due to a bug in the shared key test, it ends up correctly omitted)
  • OpenVPN complains if the configuration contains ifconfig and pull together, so pull should probably be omitted if there is any tunnel network defined. There may be other cases where it's valid (tap mode maybe?)

Static client addresses in client/server mode should be set in CSO entries on the server and not in client tunnel networks. If the user wants this behavior they could always add pull to custom options on their own. We could add a GUI option to force pull but that may be confusing since it should almost never be used.

Actions

Also available in: Atom PDF