Bug #282 (closed): OVPN, --nobind and --local port conflict
Description
OpenVPN site-to-site shared-key tunnel: in the client config, if "local port" is left blank (to get a random local port), the tunnel fails with the following error:
Jan 5 20:23:29 openvpn[60443]: Options error: --local and --nobind don't make sense when used together.
Entering a local port resolves the issue, but this was not necessary in 1.2.3; a random local port was used when "local port" was left blank.
Updated by Ermal Luçi almost 15 years ago
- Status changed from New to Feedback
Should be ok on newer snaps
Updated by Tyler Simpkin almost 15 years ago
Error still occurs by default on upgraded installs.
Might consider:
1. Defaulting 'Interface' parameter to 'any' on upgrade from 1.2.x
2. Making 'Local port' a REQUIRED parameter when 'Interface' is configured for anything BUT 'any' in the GUI for OpenVPN clients.
Updated by Angel Torres almost 15 years ago
This is reproducible still just by leaving local port blank in the ovpn client config, not just on upgraded installs.
Updated by Angel Torres almost 15 years ago
Angel Torres wrote:
This is reproducible still just by leaving local port blank in the ovpn client config, not just on upgraded installs. This was handled in 1.2.3 with the Dynamic Sourceport checkbox.
Updated by Chris Buechler over 14 years ago
- Status changed from Feedback to New
This is still a problem for client configurations. nobind should not be added to the config where local is used.
Updated by Pierre POMES over 14 years ago
Hi,
Just to clarify, are we talking about the "local" directive (bind to a given IP) or "lport" (bind to a given port, "local port" in the WebGUI)? I guess we are now talking about "local", because the code seems to be ok with lport:
if ($settings['local_port']) {
    // A local port was entered in the GUI: bind to it and reuse it for the management socket
    $conf .= "lport {$settings['local_port']}\n";
    $conf .= "management 127.0.0.1 {$settings['local_port']}\n";
} else {
    // No local port given: let OpenVPN choose a random source port
    $conf .= "nobind\n";
}
Thanks,
Pierre
Updated by Chris Buechler over 14 years ago
This is referring to 'local', not 'lport'. Where lport is defined, nobind is never specified (as in the code snippet shown). The problem is if you don't specify local_port (lport) in the config, it adds both 'local x.x.x.x' and 'nobind', which errors out.
Updated by Pierre POMES over 14 years ago
Ok, I just did the test in the meanwhile.
I think you are using an old snapshot? Actually, since March 12th, when the client OVPN is bound to a specific interface in the webGUI, and if no local port is given, the "local" directive is omitted:
// "local" is always emitted for servers, but for clients only when a local port was given
if ($mode == "server" || ($mode == "client" && !empty($settings['local_port']))) {
    $conf .= "local {$iface_ip}\n";
}
So there is no error, but I don't think it's correct. "local" should be generated, and "nobind" should be omitted. Can you confirm?
Updated by Chris Buechler over 14 years ago
Yeah I saw exactly that code when I was looking at it last, 5 days ago. It's not doing what you think it should from glancing at that code snippet. That was there when I last tested it with an up to date mainline as of 5 days ago, and it was still adding both.
Updated by Pierre POMES over 14 years ago
- File ovpnclient.png added
Strange, I just upgraded to the latest snapshot (April, 27th), and I still see that "local" is omitted and "nobind" is here.
The GUI screenshot is attached. The generated config is:
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
tls-client
client
nobind
remote xxxxxxxxxxxxx 7823
ifconfig 10.8.0.2 10.8.0.1
ca /var/etc/openvpn/client2.ca
cert /var/etc/openvpn/client2.cert
key /var/etc/openvpn/client2.key
comp-lzo
passtos
Are we talking about the same settings?
Updated by Chris Buechler over 14 years ago
You probably have "any" specified as the interface, it has to be one of the specific interfaces or a VIP to add the local.
Updated by Pierre POMES over 14 years ago
As you can see in my screenshot, "WAN" is used as interface for OpenVPN (I added this feature in ticket #69).
- From my attached screenshot: if WAN is used in the GUI, and "local port" is blank, "local" is not used in OVPN config, and "nobind" is used (and I think that's not correct)
- If you now specify "local port" in the GUI, "local", "lport" are used, which is correct.
Updated by Chris Buechler over 14 years ago
Yeah you're right, it doesn't add them both anymore. Though there is still a problem, if you select a particular non-WAN interface there, the 'local' must be added or it goes out the wrong interface. The one that was a problem before is on an OPT WAN, if a lport is not specified, it routes out the wrong interface because 'local' isn't specified. So unless you specify lport in the client config, it doesn't work the way you've configured it as it ignores the interface selection.
It needs to always specify 'local' unless "any" interface is selected. Which means skipping nobind.
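The three generator behaviours discussed in this ticket (the original code that emitted both "local" and "nobind", the March snapshot that dropped "local" when no local port was given, and the rule Chris states above), written out as an added Python model. This is not pfSense's PHP code; the settings keys 'interface' and 'local_port', the interface-to-address lookup and the sample values are assumptions chosen to mirror the $settings array and $iface_ip variable in the snippets quoted earlier. The checker at the end reproduces the "--local and --nobind" conflict OpenVPN reports so each variant can be tested against it.

```python
from typing import Dict, List, Optional

# Constructed sample: addresses pfSense would resolve for the selected interface
# (RFC 5737 documentation ranges, not real deployments).
IFACE_ADDRESSES: Dict[str, str] = {
    "wan": "198.51.100.2",
    "opt1": "203.0.113.5",
}


def resolve_iface_ip(settings: Dict[str, str]) -> Optional[str]:
    """Return the bind address for the chosen interface, or None for 'any'.
    Assumed helper standing in for pfSense's interface lookup."""
    iface = settings.get("interface", "any")
    if iface == "any":
        return None
    if iface not in IFACE_ADDRESSES:
        raise ValueError(f"unknown interface {iface!r}")
    return IFACE_ADDRESSES[iface]


def _lport_lines(settings: Dict[str, str]) -> List[str]:
    """lport/management lines as in the PHP snippet quoted in the ticket."""
    lport = settings.get("local_port", "")
    return [f"lport {lport}", f"management 127.0.0.1 {lport}"] if lport else []


def legacy_directives(settings: Dict[str, str]) -> List[str]:
    """Behaviour reported in the bug: 'local' for any specific interface,
    plus 'nobind' whenever no local port is set. Conflicts on a blank port."""
    conf: List[str] = []
    ip = resolve_iface_ip(settings)
    if ip:
        conf.append(f"local {ip}")
    lport = _lport_lines(settings)
    conf.extend(lport if lport else ["nobind"])
    return conf


def snapshot_directives(settings: Dict[str, str]) -> List[str]:
    """March 12th snapshot behaviour: 'local' only when a local port is set.
    No OpenVPN error, but the interface selection is silently ignored."""
    conf: List[str] = []
    ip = resolve_iface_ip(settings)
    lport = _lport_lines(settings)
    if ip and lport:
        conf.append(f"local {ip}")
    conf.extend(lport if lport else ["nobind"])
    return conf


def fixed_directives(settings: Dict[str, str]) -> List[str]:
    """Rule from the end of the thread: always emit 'local' unless the
    interface is 'any', and only emit 'nobind' when neither 'local' nor
    'lport' is present (interface 'any' with a blank port)."""
    conf: List[str] = []
    ip = resolve_iface_ip(settings)
    if ip:
        conf.append(f"local {ip}")
    lport = _lport_lines(settings)
    conf.extend(lport)
    if not ip and not lport:
        conf.append("nobind")
    return conf


def check_directives(conf: List[str]) -> List[str]:
    """Return the option errors OpenVPN would raise for a directive list.
    Only the conflict quoted in this ticket is modelled."""
    names = {line.split()[0] for line in conf}
    errors: List[str] = []
    if "local" in names and "nobind" in names:
        errors.append("--local and --nobind don't make sense when used together.")
    return errors


if __name__ == "__main__":
    opt_wan_blank_port = {"interface": "opt1", "local_port": ""}
    for name, gen in (("legacy", legacy_directives),
                      ("snapshot", snapshot_directives),
                      ("fixed", fixed_directives)):
        conf = gen(opt_wan_blank_port)
        print(name, conf, check_directives(conf) or "ok")
```

Running the block with an OPT WAN interface and a blank local port shows the three outcomes side by side: the legacy variant fails the option check, the snapshot variant passes but carries no "local" line (so the tunnel leaves via the default route), and the fixed variant binds to the interface address with no "nobind".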