Bug #282

closed

OVPN, --nobind and --local port conflict

Added by Angel Torres almost 12 years ago. Updated over 11 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: OpenVPN
Target version:
Start date: 01/05/2010
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.0
Affected Architecture:

Description

OpenVPN site-to-site shared key tunnel; in the client config, if local port is left blank (for a random local port), the tunnel fails and shows the following error:

Jan 5 20:23:29 openvpn60443: Options error: --local and --nobind don't make sense when used together.

Entering a local port resolves issue but this was not necessary in 1.2.3; a random local port was used when local port was left blank.


Files

ovpnclient.png (43.1 KB) - OpenVPN client settings - Pierre POMES, 04/27/2010 10:10 PM
#1 - Updated by Ermal Luçi almost 12 years ago

  • Status changed from New to Feedback

Should be ok on newer snaps

#2 - Updated by Tyler Simpkin almost 12 years ago

Error still occurs by default on upgraded installs.

Might consider:

1. Defaulting 'Interface' parameter to 'any' on upgrade from 1.2.x
2. Making 'Local port' a REQUIRED parameter when 'Interface' is configured for anything BUT 'any' in the GUI

for OpenVPN clients.

#3 - Updated by Angel Torres almost 12 years ago

This is reproducible still just by leaving local port blank in the ovpn client config, not just on upgraded installs.

#4 - Updated by Angel Torres almost 12 years ago

Angel Torres wrote:

This is reproducible still just by leaving local port blank in the ovpn client config, not just on upgraded installs. This was handled in 1.2.3 with the Dynamic Sourceport checkbox.

#5 - Updated by Chris Buechler over 11 years ago

  • Status changed from Feedback to New

this is still a problem for client configurations. nobind should not be added to the config where local is used.

#6 - Updated by Pierre POMES over 11 years ago

Hi,

Just to clarify, are we talking about the "local" directive (bind to a given IP) or "lport" (bind to a given port, "local port" in the WebGUI)? I guess we are now talking about "local", because the code seems to be ok with lport:

        // Client config generation: when a local port is configured, bind to it
        // (and reuse it for the management socket) ...
        if ($settings['local_port']) {
                $conf .= "lport {$settings['local_port']}\n";
                $conf .= "management 127.0.0.1 {$settings['local_port']}\n";
        } else {
                // ... otherwise let OpenVPN pick a random source port.
                $conf .= "nobind\n";
        }

Thanks,
Pierre

#7 - Updated by Chris Buechler over 11 years ago

This is referring to 'local', not 'lport'. Where lport is defined, nobind is never specified (as in the code snippet shown). The problem is if you don't specify local_port (lport) in the config, it adds both 'local x.x.x.x' and 'nobind', which errors out.

#8 - Updated by Pierre POMES over 11 years ago

Ok, I just did the test in the meanwhile.

I think you are using an old snapshot? Actually, since March 12th, when the client OVPN is bound to a specific interface in the webGUI, and if no local port is given, the "local" directive is omitted:

        // "local" is emitted for servers, and for clients only when a local port
        // is also set; a client bound to an interface without a port loses it.
        if ($mode == "server" || ($mode == "client" && !empty($settings['local_port']))) {
                $conf .= "local {$iface_ip}\n";
        }

So there is no error, but I don't think it's correct. "local" should be generated, and "nobind" should be omitted. Can you confirm?

#9 - Updated by Chris Buechler over 11 years ago

Yeah I saw exactly that code when I was looking at it last, 5 days ago. It's not doing what you think it should from glancing at that code snippet. That was there when I last tested it with an up to date mainline as of 5 days ago, and it was still adding both.

#10 - Updated by Pierre POMES over 11 years ago

Strange, I just upgraded to the latest snapshot (April 27th), and I still see that "local" is omitted and "nobind" is here.

The GUI screenshot is attached. The generated config is:

dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
tls-client
client
nobind
remote xxxxxxxxxxxxx 7823
ifconfig 10.8.0.2 10.8.0.1
ca /var/etc/openvpn/client2.ca
cert /var/etc/openvpn/client2.cert
key /var/etc/openvpn/client2.key
comp-lzo
passtos

Are we talking about the same settings?

#11 - Updated by Chris Buechler over 11 years ago

You probably have "any" specified as the interface, it has to be one of the specific interfaces or a VIP to add the local.

#12 - Updated by Pierre POMES over 11 years ago

As you can see in my screenshot, "WAN" is used as interface for OpenVPN (I added this feature in ticket #69).

- From my attached screenshot: if WAN is used in the GUI, and "local port" is blank, "local" is not used in OVPN config, and "nobind" is used (and I think that's not correct)
- If you now specify "local port" in the GUI, "local", "lport" are used, which is correct.

#13 - Updated by Chris Buechler over 11 years ago

Yeah you're right, it doesn't add them both anymore. Though there is still a problem: if you select a particular non-WAN interface there, the 'local' must be added or it goes out the wrong interface. The one that was a problem before is on an OPT WAN; if a lport is not specified, it routes out the wrong interface because 'local' isn't specified. So unless you specify lport in the client config, it doesn't work the way you've configured it, as it ignores the interface selection.

It needs to always specify 'local' unless "any" interface is selected. Which means skipping nobind.
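
The rule stated in this comment (always emit 'local' for a specific interface, 'nobind' only when neither an address nor a port is pinned), written out as an added example that is not pfSense's own code; the function name, the $settings['interface'] key and the $iface_ip argument are assumptions for the example:

```php
<?php
// Added example, not pfSense code. Builds the bind-related directives of an
// OpenVPN client config so that "local" and "nobind" can never be emitted
// together (OpenVPN rejects that combination with an options error).
// Assumed inputs: $settings['interface'] is 'any' or an interface/VIP name,
// $settings['local_port'] may be empty, $iface_ip is that interface's address.
function openvpn_client_bind_directives(array $settings, $iface_ip) {
    $conf = "";
    $bound = ($settings['interface'] !== 'any');

    if ($bound) {
        // A specific interface/VIP was chosen: bind to its address so the
        // tunnel leaves the selected interface, with or without a local port.
        $conf .= "local {$iface_ip}\n";
    }
    if (!empty($settings['local_port'])) {
        $conf .= "lport {$settings['local_port']}\n";
        $conf .= "management 127.0.0.1 {$settings['local_port']}\n";
    } elseif (!$bound) {
        // Only when nothing is pinned may OpenVPN pick a random source port.
        $conf .= "nobind\n";
    }
    return $conf;
}

// Self-check over the four GUI combinations: no case may produce both
// "local" and "nobind". The address below is a constructed example value.
$cases = array(
    array('interface' => 'any',  'local_port' => ''),
    array('interface' => 'any',  'local_port' => '1194'),
    array('interface' => 'wan',  'local_port' => ''),
    array('interface' => 'opt1', 'local_port' => '1194'),
);
foreach ($cases as $s) {
    $out = openvpn_client_bind_directives($s, '192.0.2.10');
    $has_local  = preg_match('/^local /m', $out) === 1;
    $has_nobind = strpos($out, "nobind\n") !== false;
    if ($has_local && $has_nobind) {
        throw new RuntimeException("local and nobind emitted together");
    }
    echo "interface={$s['interface']} local_port='{$s['local_port']}':\n{$out}\n";
}
```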

#14 - Updated by Pierre POMES over 11 years ago

  • Status changed from New to Feedback

Fix committed.

#15 - Updated by Chris Buechler over 11 years ago

  • Status changed from Feedback to Resolved

fixed, thanks!
