Feature #9702

OpenVPN "push-reset" option in Client Specific Override breaks "subnet" topology

Added by Damien Gombault about 1 year ago. Updated 24 days ago.

Status:
Resolved
Priority:
Normal
Category:
OpenVPN
Target version:
Start date:
08/26/2019
Due date:
% Done:

100%

Estimated time:

Description

Hi.

I have configured an OpenVPN server in Remote Access (SSL/TLS) mode with the "subnet" topology (preferred topology with recent versions of OpenVPN).
My server pushes some default IPv4 local networks to the clients.

For some clients, I have configured a Client Specific Override with specific IP and restricted IPv4 local networks (and restricted rules).
I have checked the option "Prevent this client from receiving any server-defined client settings" ("push-reset" option in OpenVPN) to prevent pushing the default networks configured in the server options.
For these clients, the connection is broken because the topology is not pushed anymore by the server.
This is due to: https://community.openvpn.net/openvpn/ticket/29 (push-reset should not reset topology and route-gateway from global config)

As a workaround, I have set "push "topology subnet";push "route-gateway 192.168.4.1";push "ping 10";push "ping-restart 60"" in Advanced Settings in the client override.

I think a note should be added under the "push-reset" option to tell the user that it also resets the topology, route-gateway and keepalive options (and breaks the connection if the options are not pushed in Advanced Settings or defined in the client configuration).

Recent versions of OpenVPN implement a new "push-remove" option:
--push-remove opt
selectively remove all --push options matching "opt" from the option list for a client. "opt" is matched as a substring against the whole option string to-be-pushed to the client, so --push-remove route would remove all --push route ... and --push route-ipv6 ... statements, while --push-remove 'route-ipv6 2001:' would only remove IPv6 routes for 2001:... networks. --push-remove can only be used in a client-specific context, like in a --client-config-dir file, or --client-connect script or plugin — similar to --push-reset, just more selective.
NOTE: to change an option, --push-remove can be used to first remove the old value, and then add a new --push option with the new value.

I think it would be great to implement this new option in pfSense.
Maybe just add a checkbox to reset routes (push-remove route)?

Hardware: Netgate XG-7100 1U
Software: pfSense 2.4.4-p3
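A small lint for the pitfall the report describes, written here as an added example (it is not pfSense or OpenVPN code): it parses a server config and a client override and lists the options that push-reset will silently discard on a subnet-topology server. The sample server and override texts are constructed to mirror the ticket, and the function names are my own.

```python
import shlex

# Options that push-reset silently discards and that a client on a
# "topology subnet" server cannot connect without (see the ticket text).
RESET_SENSITIVE = ("topology", "route-gateway")
# Server "keepalive" reaches clients as pushed ping/ping-restart; lost as well.
KEEPALIVE_PUSHES = ("ping", "ping-restart")

def directives(conf_text):
    """Parse OpenVPN config text into (name, args) tuples, one directive per
    line; # and ; comment lines are skipped, quoted values split with shlex."""
    out = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            tokens = shlex.split(line)
            out.append((tokens[0], tokens[1:]))
    return out

def pushed_names(conf):
    """Option names a config pushes, e.g. 'topology' for push "topology subnet"."""
    return {shlex.split(" ".join(a))[0] for n, a in conf if n == "push" and a}

def lint_override(server_text, ccd_text):
    """Findings for a client override (CCD file) that would break its client on
    a subnet-topology server; an empty list means the override looks safe."""
    server, ccd = directives(server_text), directives(ccd_text)
    if not any(n == "push-reset" for n, _ in ccd):
        return []  # server-defined pushes still apply, nothing is lost
    if not any(n == "topology" and a == ["subnet"] for n, a in server):
        return []  # the ticket's breakage is specific to topology subnet
    needed = list(RESET_SENSITIVE)
    if any(n == "keepalive" for n, _ in server):
        needed += KEEPALIVE_PUSHES
    pushed = pushed_names(ccd)
    return [f'push-reset discards server "{opt}"; re-push it in the override'
            for opt in needed if opt not in pushed]

# Constructed sample: the ticket's setup, a subnet-topology server and a
# restricted override that uses push-reset without re-pushing what it drops.
SERVER_CONF = ('dev tun\ntopology subnet\nserver 192.168.4.0 255.255.255.0\n'
               'keepalive 10 60\npush "route 10.10.0.0 255.255.0.0"\n')
BROKEN_CSO = ('ifconfig-push 192.168.4.10 255.255.255.0\npush-reset\n'
              'push "route 10.20.0.0 255.255.255.0"\n')
# The reporter's workaround: re-push topology, gateway and keepalive explicitly.
FIXED_CSO = BROKEN_CSO + ('push "topology subnet"\npush "route-gateway 192.168.4.1"\n'
                          'push "ping 10"\npush "ping-restart 60"\n')
```

`lint_override(SERVER_CONF, BROKEN_CSO)` reports four discarded options (topology, route-gateway, ping, ping-restart); with `FIXED_CSO` it reports none.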

Associated revisions

Revision 8d44d56a (diff)
Added by Viktor Gurov 5 months ago

OpenVPN CSO remove routes option. Implements #9702

History

#1 Updated by Pippin MMD 8 months ago

+1 for this option to be added.

A checkbox that, when ticked, reveals a box to enter the options to remove.

Thanks.

#3 Updated by Jim Pingle 5 months ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.0

#4 Updated by Renato Botelho 5 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#5 Updated by Steve Beaver 24 days ago

  • Status changed from Feedback to Resolved