Page MenuHomeVyOS Platform
Create Task
Maniphest T6486

Generate openvpn client-config ignores configured protocol type
Closed, ResolvedPublicBUG
Actions

Description

When you create an openvpn vtun interface and set the protocol to tcp-passive it will be ignores when the client config is created:

Commands to reproduce:

run generate pki ca install ca
run generate pki certificate sign ca install openvpn-server
run generate pki certificate sign ca install openvpn-client

set int openvpn vtun1 mode server
set int openvpn vtun1 protocol tcp-passive
set int openvpn vtun1 server subnet 192.168.1.0/24
set int openvpn vtun1 tls ca-certificate ca
set int openvpn vtun1 tls certificate openvpn-server

run generate openvpn client-config interface vtun1 ca ca certificate openvpn-client

Results in client config:

client
nobind
remote None 1194
remote-cert-tls server
proto udp
dev tun
dev-type tun
persist-key
persist-tun
verb 3

...

it seems as proto udp is always used.

Details

Difficulty level
Unknown (require assessment)
Version
1.4.0
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Related Objects

Event Timeline

adestis created this task.Jun 14 2024, 10:09 AM
adestis added a comment.Jun 14 2024, 10:14 AM

There is another incompatibility:

In the client config the setting

comp-lzo no

is set while on server side when it is not set adaptive is used.
At least in my environment it always causes issues which I only can workaround by explictly define it.
e.g.

set interfaces openvpn vtun1 openvpn-option "comp-lzo no"

/Markus

Viacheslav triaged this task as Normal priority.Jun 14 2024, 11:31 AM
SrividyaA subscribed.Jun 25 2024, 9:38 AM
Viacheslav subscribed.Jul 1 2024, 10:48 AM

@adestis Can you add an example of the expected configuration if use-lzo-compression is configured and not configured?
https://github.com/vyos/vyos-1x/blob/e270712f7ebd76e4e1be598766d999cef4f05e26/src/op_mode/generate_ovpn_client_file.py#L57

Viacheslav changed the task status from Open to In progress.Jul 2 2024, 4:07 AM
Viacheslav claimed this task.
Viacheslav added a comment.Jul 2 2024, 5:55 AM

PR https://github.com/vyos/vyos-1x/pull/3747
Also it should fix T6379

adestis added a comment.Jul 2 2024, 2:13 PM
In T6486#193845, @Viacheslav wrote:

@adestis Can you add an example of the expected configuration if use-lzo-compression is configured and not configured?
https://github.com/vyos/vyos-1x/blob/e270712f7ebd76e4e1be598766d999cef4f05e26/src/op_mode/generate_ovpn_client_file.py#L57

Hi Viacheslav,
I can try to do it next week (if it is still required) but this week I have not much time (unfortuntely).

Seems like OpenVPN has changed the compression recommendations in general.
When you want to make use of offloading compression is also not supported anymore.
Unfortunately, there are no just one setting for compression ..

/ Markus

Viacheslav closed this task as Resolved.Aug 2 2024, 3:34 PM
Viacheslav added projects: Restricted Project, VyOS 1.5 Circinus.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.
Viacheslav added a project: VyOS 1.4 Sagitta (1.4.1).
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.1) board.
pasik subscribed.Tue, Aug 27, 7:37 AM