Feature #9702
closed
OpenVPN "push-reset" option in Client Specific Override breaks "subnet" topology
100%
Description
Hi.
I have configured an OpenVPN server in Remote Access (SSL/TLS) mode with the "subnet" topology (preferred topology with recent versions of OpenVPN).
My server pushes some default IPv4 local networks to the clients.
For some clients, I have configured a Client Specific Override with specific IP and restricted IPv4 local networks (and restricted rules).
I have checked the option "Prevent this client from receiving any server-defined client settings" ("push-reset" option in OpenVPN) to prevent pushing the default networks configured in the server options.
For these clients, the connection is broken because the topology is not pushed anymore by the server.
This is due to : https://community.openvpn.net/openvpn/ticket/29 (push-reset should not reset topology and route-gateway from global config)
As a workaround, I have set "push "topology subnet";push "route-gateway 192.168.4.1";push "ping 10";push "ping-restart 60"" in Advanced Settings in the client override.
I think a note should be added under the "push-reset" option to tell the user that it also resets the topology, route-gateway and keepalive options (and break the connection is the options are not pushed in Advanced Settings or defined in the client configuration).
Recent versions of OpenVPN implement a new "push-remove" option :
–push-remove opt
selectively remove all –push options matching “opt” from the option list for a client. “opt” is matched as a substring against the whole option string to-be-pushed to the client, so –push-remove route would remove all –push route … and –push route-ipv6 … statements, while –push-remove ‘route-ipv6 2001:’ would only remove IPv6 routes for 2001:… networks.–push-remove can only be used in a client-specific context, like in a –client-config-dir file, or –client-connect script or plugin — similar to –push-reset, just more selective.
NOTE: to change an option, –push-remove can be used to first remove the old value, and then add a new –push option with the new value.
I think it would be great to implement this new option in pfSense.
Maybe just add a checkbox to reset routes (push-remove route) ?
Hardware : Netgate XG-7100 1U
Software : pfSense 2.4.4-p3
Updated by Pippin MMD almost 5 years ago
+1 for this option to be added.
A checkbox, when ticked reveals a box to enter the options to remove.
Thanks.
Updated by Viktor Gurov over 4 years ago
Updated by Jim Pingle over 4 years ago
- Status changed from New to Pull Request Review
- Target version set to 2.5.0
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Anonymous