Bug #282

OVPN, --nobind and --local port conflict

Added by Angel Torres over 9 years ago. Updated about 9 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
OpenVPN
Target version:
Start date:
01/05/2010
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.0
Affected Architecture:

Description

OpenVPN site-to-site shared key tunnel; in the client config, if local port is left blank (for a random local port), the tunnel fails and shows the following error:

Jan 5 20:23:29 openvpn60443: Options error: --local and --nobind don't make sense when used together.

Entering a local port resolves the issue, but this was not necessary in 1.2.3; a random local port was used when local port was left blank.

Attachment: ovpnclient.png (43.1 KB), OpenVPN client settings, Pierre POMES, 04/27/2010 10:10 PM

Associated revisions

Revision 48a458d2 (diff)
Added by Pierre POMES about 9 years ago

Use nobind for OVPN client when no local port and/or no local interface is requested. Ticket #282

History

#1 Updated by Ermal Luçi over 9 years ago

  • Status changed from New to Feedback

Should be ok on newer snaps

#2 Updated by Tyler Simpkin over 9 years ago

Error still occurs by default on upgraded installs.

Might consider:

1. Defaulting 'Interface' parameter to 'any' on upgrade from 1.2.x
2. Making 'Local port' a REQUIRED parameter when 'Interface' is configured for anything BUT 'any' in the GUI

for OpenVPN clients.

#3 Updated by Angel Torres over 9 years ago

This is reproducible still just by leaving local port blank in the ovpn client config, not just on upgraded installs.

#4 Updated by Angel Torres over 9 years ago

Angel Torres wrote:

This is reproducible still just by leaving local port blank in the ovpn client config, not just on upgraded installs. This was handled in 1.2.3 with the Dynamic Sourceport checkbox.

#5 Updated by Chris Buechler about 9 years ago

  • Status changed from Feedback to New

this is still a problem for client configurations. nobind should not be added to the config where local is used.

#6 Updated by Pierre POMES about 9 years ago

Hi,

Just to clarify, are we talking about the "local" directive (bind to a given IP) or "lport" (bind to a given port, "local port" in the WebGUI)? I guess we are now talking about "local", because the code seems to be ok with lport:

    if ($settings['local_port']) {
        $conf .= "lport {$settings['local_port']}\n";
        $conf .= "management 127.0.0.1 {$settings['local_port']}\n";
    }
    else
        $conf .= "nobind\n";

Thanks,
Pierre

#7 Updated by Chris Buechler about 9 years ago

This is referring to 'local', not 'lport'. Where lport is defined, nobind is never specified (as in the code snippet shown). The problem is if you don't specify local_port (lport) in the config, it adds both 'local x.x.x.x' and 'nobind', which errors out.

#8 Updated by Pierre POMES about 9 years ago

Ok, I just did the test in the meantime.

I think you are using an old snapshot? Actually, since March 12th, when the client OVPN is bound to a specific interface in the webGUI, and if no local port is given, the "local" directive is omitted:

    if ($mode == "server" || ($mode == "client" && !empty($settings['local_port'])))
        $conf .= "local {$iface_ip}\n";

So there is no error, but I don't think it's correct. "local" should be generated, and "nobind" should be omitted. Can you confirm?

#9 Updated by Chris Buechler about 9 years ago

Yeah I saw exactly that code when I was looking at it last, 5 days ago. It's not doing what you think it should from glancing at that code snippet. That was there when I last tested it with an up to date mainline as of 5 days ago, and it was still adding both.

#10 Updated by Pierre POMES about 9 years ago

Strange, I just upgraded to the latest snapshot (April 27th), and I still see that "local" is omitted and "nobind" is here.

The GUI screenshot is attached. The generated config is:

dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
tls-client
client
nobind
remote xxxxxxxxxxxxx 7823
ifconfig 10.8.0.2 10.8.0.1
ca /var/etc/openvpn/client2.ca
cert /var/etc/openvpn/client2.cert
key /var/etc/openvpn/client2.key
comp-lzo
passtos

Are we talking about the same settings?

#11 Updated by Chris Buechler about 9 years ago

You probably have "any" specified as the interface, it has to be one of the specific interfaces or a VIP to add the local.

#12 Updated by Pierre POMES about 9 years ago

As you can see in my screenshot, "WAN" is used as interface for OpenVPN (I added this feature in ticket #69).

- From my attached screenshot: if WAN is used in the GUI, and "local port" is blank, "local" is not used in OVPN config, and "nobind" is used (and I think that's not correct)
- If you now specify "local port" in the GUI, "local", "lport" are used, which is correct.

#13 Updated by Chris Buechler about 9 years ago

Yeah you're right, it doesn't add them both anymore. Though there is still a problem, if you select a particular non-WAN interface there, the 'local' must be added or it goes out the wrong interface. The one that was a problem before is on an OPT WAN, if a lport is not specified, it routes out the wrong interface because 'local' isn't specified. So unless you specify lport in the client config, it doesn't work the way you've configured it as it ignores the interface selection.

It needs to always specify 'local' unless "any" interface is selected. Which means skipping nobind.
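The binding rule stated in #13, written out as an added example in the style of the pfSense config generator; this is not the project's own code, and the function names, the sample interface address and the sample port are assumptions:

```php
<?php
// Added example, not pfSense's own code: the directive generation this
// ticket reports next to the rule agreed in #13. Function names and the
// sample addresses/ports are assumptions for illustration.

// As reported in the description: 'local' whenever an interface is selected,
// 'nobind' whenever the local port is blank, so both end up in the file and
// OpenVPN exits with "--local and --nobind don't make sense when used together".
function openvpn_bind_directives_reported(?string $iface_ip, string $local_port): string {
    $conf = ($iface_ip !== null) ? "local {$iface_ip}\n" : '';
    if (!empty($local_port)) {
        $conf .= "lport {$local_port}\n";
    } else {
        $conf .= "nobind\n";
    }
    return $conf;
}

// Rule from #13: always 'local' unless the interface is "any" (modelled here
// as a null $iface_ip); 'lport' when a port is given; 'nobind' only when
// neither a specific interface nor a local port is requested.
function openvpn_bind_directives_fixed(?string $iface_ip, string $local_port): string {
    $conf = ($iface_ip !== null) ? "local {$iface_ip}\n" : '';
    if (!empty($local_port)) {
        $conf .= "lport {$local_port}\n";
    } elseif ($iface_ip === null) {
        $conf .= "nobind\n";
    }
    return $conf;
}

// The combination OpenVPN rejects; a cheap check before the file is written.
function has_local_nobind_conflict(string $conf): bool {
    return (bool) preg_match('/^local /m', $conf) && (bool) preg_match('/^nobind$/m', $conf);
}

// Constructed cases: OPT WAN with blank port, interface plus port, and "any".
$cases = [
    ['198.51.100.10', ''],
    ['198.51.100.10', '1194'],
    [null, ''],
];
foreach ($cases as [$iface_ip, $port]) {
    $reported = openvpn_bind_directives_reported($iface_ip, $port);
    $fixed = openvpn_bind_directives_fixed($iface_ip, $port);
    printf("iface=%s port=%s reported_conflict=%s fixed_conflict=%s\n%s---\n",
        $iface_ip ?? 'any', $port === '' ? '(blank)' : $port,
        var_export(has_local_nobind_conflict($reported), true),
        var_export(has_local_nobind_conflict($fixed), true), $fixed);
}
```

With the OPT WAN case the reported generator emits both `local` and `nobind` (the error in the description), while the fixed one emits only `local`, so the tunnel binds to the selected interface without needing an lport.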

#14 Updated by Pierre POMES about 9 years ago

  • Status changed from New to Feedback

Fix committed.

#15 Updated by Chris Buechler about 9 years ago

  • Status changed from Feedback to Resolved

fixed, thanks!