Bug #13116
Updated by Jim Pingle over 2 years ago
There are a few problems with how we currently build a client configuration using the @tls-client@ and @client@ directives.
* In current versions of OpenVPN, @client@ expands to @tls-client@ and @pull@, so it is redundant to have @tls-client@ and @client@, but both end up in generated TLS client configurations.
* @pull@ should not be used with peer-to-peer modes (SSL/TLS with /30 or smaller subnet for a single client, or shared key mode), but currently we put in @client@ in both of those cases, which is invalid. (Though, due to a bug in the shared key test, it ends up correctly omitted.)
* OpenVPN complains if the configuration contains @ifconfig@ and @pull@ together, so @pull@ should probably be omitted if there is *any* tunnel network defined. There may be other cases where it's valid (tap mode maybe?).
Static client addresses in client/server mode should be set in CSO entries on the server and not in client tunnel networks. If the user wants this behavior they could always add @pull@ to custom options on their own. We could add a GUI option to force @pull@ but that may be confusing since it should almost never be used.
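The rules above, written out as a small Python generator plus a lint pass over the resulting directives. This is an added example for illustration, not pfSense code; the function and mode names (@tls@ flag, @client_mode_directives@, @lint_client_config@), the way a tunnel network larger than /30 is rendered (subnet topology, client on the second host), and the sample of what the old generator produced are assumptions.

```python
"""Select OpenVPN client-mode directives for a generated client config.

Added example following the rules in the comment above; not pfSense code.
Only the mode and address directives are produced: key material, remote,
ciphers and so on are out of scope here.
"""
import ipaddress

# What "client" means in current OpenVPN, as stated in the comment.
CLIENT_EXPANSION = ("tls-client", "pull")


def _ifconfig_lines(net):
    """Render the client side of a tunnel network as ifconfig directives.

    /30 and /31 follow OpenVPN's usual peer-to-peer layout (server takes
    the first address, client the second). Larger networks are rendered in
    subnet topology with the client on the second host; that layout is an
    assumption for this example, not something the bug report specifies.
    """
    base = int(net.network_address)
    addr = ipaddress.IPv4Address
    if net.prefixlen == 30:
        return [f"ifconfig {addr(base + 2)} {addr(base + 1)}"]
    if net.prefixlen == 31:
        return [f"ifconfig {addr(base + 1)} {addr(base)}"]
    if net.prefixlen == 32:
        raise ValueError("a /32 tunnel network has no peer address")
    return ["topology subnet", f"ifconfig {addr(base + 2)} {net.netmask}"]


def client_mode_directives(tls, tunnel_network=None, custom_options=()):
    """Return the directives a generated client config should contain.

    tls            -- True for SSL/TLS modes, False for shared key mode
    tunnel_network -- optional IPv4 tunnel network, e.g. "10.0.8.0/30"
    custom_options -- lines the user typed into custom options; a user who
                      really wants pull with a tunnel network adds it here
    """
    net = ipaddress.ip_network(tunnel_network) if tunnel_network else None
    lines = []
    if tls and net is None:
        # Ordinary client/server: "client" alone already means
        # tls-client + pull, so a separate tls-client line is redundant.
        lines.append("client")
    elif tls:
        # SSL/TLS with a tunnel network: TLS is still negotiated, but the
        # address is fixed by ifconfig, so pull must not be present.
        lines.append("tls-client")
    # Shared key mode has no TLS negotiation: neither client nor tls-client.
    if net is not None:
        lines.extend(_ifconfig_lines(net))
    lines.extend(custom_options)
    return lines


def lint_client_config(lines):
    """Report the three problems the bug describes for a list of directives.

    Shared key mode is recognised by the presence of a "secret" directive.
    """
    words = {line.split()[0] for line in lines if line.strip()}
    effective = set(words)
    if "client" in words:
        effective.update(CLIENT_EXPANSION)
    findings = []
    if "client" in words and "tls-client" in words:
        findings.append("redundant: client already implies tls-client")
    if "ifconfig" in words and "pull" in effective:
        findings.append("conflict: ifconfig and pull in the same config")
    if "secret" in words and effective & set(CLIENT_EXPANSION):
        findings.append("invalid: client/tls-client/pull in shared key mode")
    return findings


# Constructed sample of what the old generator produced for a TLS client
# with a /30 tunnel network: both mode directives plus a fixed address.
OLD_GENERATED = ["tls-client", "client", "ifconfig 10.0.8.2 10.0.8.1"]

if __name__ == "__main__":
    print(lint_client_config(OLD_GENERATED))
    print(client_mode_directives(tls=True, tunnel_network="10.0.8.0/30"))
```

Running the lint over the old output reports both the redundant @tls-client@ and the @ifconfig@/@pull@ conflict, while the directives the new function emits for the same settings pass clean; forcing @pull@ through @custom_options@ brings the conflict straight back, which is why the comment suggests leaving that to the user rather than a GUI switch.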