Bug #13380


OpenVPN client options cause "Options error: --proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client"

Added by Lev Prokofev 2 months ago. Updated 23 days ago.

Not a Bug
OpenVPN Client Export
Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:


Find that if the OpenVPN client has the "TCP" option of the remote (--remote host [port] [proto])


remote 443 tcp

after upgrade to 22.05 or 22.09(DEV) you get

Options error: --proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client

Pretty similar to

In the 22.01 such I didn't observe such behavior.

Can be solved by set tcp-client

remote 443 tcp-client

Actions #1

Updated by Kris Phillips about 2 months ago

Can confirm the OpenVPN Export Utility does not specify tcp-client in it's config for clients to use, but instead defines just tcp, tcp6 or tcp4.

Actions #2

Updated by Jim Pingle about 2 months ago

  • Status changed from New to Feedback
  • Plus Target Version deleted (22.01)

Is this a problem in base or in the OpenVPN client export package? The issue was opened under base (not packages), but I can't reproduce it in a client in base. The code in the linked issue is still in place and working, the resulting configuration file ends up with the correct tcp-client string in the remote directive.

If it's a problem in exported clients, as the comment seems to indicate, the issue needs moved to packages and the category updated to be the export package.

This may be a setting that needs to be tcp if the "legacy" option is ticked when exporting but "tcp-client" otherwise, or maybe the versions that allow "tcp" are so old we don't care about them, that's open for debate.

Actions #3

Updated by Danilo Zrenjanin about 2 months ago

Tested on the:

2.7.0-DEVELOPMENT (amd64)
built on Fri Jul 29 06:15:24 UTC 2022

It seems to be an issue with the OpenVPN Export Utility. After exporting a client config file, the resulting configuration file ends up with tcp4,tcp6, or tcp in the remote directive.

remote 1194 tcp4

I haven't had any issues connecting to the server with tcp4 or tcp remote directive using Viscosity.

A client in the base ends up with tcp4-client in the remote directive.

remote 1194 tcp4-client
Actions #4

Updated by Jim Pingle about 2 months ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from OpenVPN to OpenVPN Client Export
  • Release Notes deleted (Default)

Which version(s) of the OpenVPN binary are in place on the clients when they have problems / when they do not have problems?

Windows should be whatever version is installed, Viscosity sometimes has multiple you can select, either way check the client log and see what versions are when it works and when it doesn't.

Actions #5

Updated by Lev Prokofev about 2 months ago

In origin, the config was imported to 22.01.

With problems:
OpenVPN 2.6_git amd64-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] [DCO] built on Jun 4 2022
library versions: OpenSSL 1.1.1n-freebsd 15 Mar 2022, LZO 2.10

Without problems:
OpenVPN 2.5.4 amd64-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 13 2022
library versions: OpenSSL 1.1.1l-freebsd 24 Aug 2021, LZO 2.10

It's about only custom options for client and not about import utility

Seems the syntax is incorrect for OVPN 2.6.

Actions #6

Updated by Danilo Zrenjanin about 2 months ago

It's not a bug, then. The correct syntax must be manually entered in the Custom Options field in the OpenVPN base client configuration.

Actions #7

Updated by Danilo Zrenjanin 23 days ago

  • Status changed from Feedback to Not a Bug

pfSense has no impact on the entries defined in the custom options. Custom options must be updated manually. Not a bug.


Also available in: Atom PDF