1/2 Bug: Client Export & OpenVPN RAS UDP server
Hi,
it's not really a bug per se but more of an unwanted automatic setting. With the update to 2.5.2, customers that have a bit more complex OpenVPN setup now have a problem using the client export package: it automatically adds "explicit exit notify" to UDP style OVPN RAS setups. That would normally be no problem, but many customers around here are making use of the possibility to set up 2 OVPN setups - one with 1194/udp and one with 443/tcp so their users have a fallback in case of a bad WiFi in hotels, guest portals etc.
They are also using a single configuration file for their users to make it more convenient to use, so they add a second "remote <ip> tcp 443" statement to their configuration via the advanced settings box in the client export screen. Up until 2.5 that worked like a charm. As the client export now automatically adds "explicit exit notify" to the config, that setting is NOT working with TCP style servers and creates an error message on the client when exported. So they now have to save the config, open it up, remove the line, save, send to the client.
The intention to include the explicit exit notify is a good one as it makes reconnects on both server and client side much faster, but in complex scenarios we now have no way to stop the export from inserting that line into the config. Also setting up the TCP server first and using it to export is not working, as the advanced settings entries are added below all others so the client would always connect to the TCP service first instead of using UDP first and falling back to TCP.
So currently there is no way other than editing after saving to make that config work. I'd recommend/advise to replace that automagic insertion of "explicit-exit-notify" and make it a toggle action like the "random local port" option. It could also be "switched on per default" and if some complex configuration happens (that is saved on that screen) one can toggle it off and have the old behavior for e.g. multi remote configurations without problems :)
Cheers
Edit: added a Bug/FR in Redmine for that
https://redmine.pfsense.org/issues/12188
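
Added example, not part of the original post and not pfSense or client export code: a post-processing step for an exported config that keeps the UDP-first, TCP-fallback order but moves each "remote" into its own <connection> block, so explicit-exit-notify applies to the UDP remote only. It assumes a client on OpenVPN 2.4 or later, which accepts that directive inside <connection> blocks; the function name and the sample config (host names, omitted certificate) are constructed for illustration.

```python
# Constructed sample of an exported client config; host names are placeholders.
SAMPLE = """\
client
dev tun
proto udp
remote vpn.example.com 1194 udp
explicit-exit-notify
remote vpn.example.com 443 tcp
<ca>
(certificate omitted)
</ca>
"""


def split_per_connection(config: str) -> str:
    """Wrap each `remote` in a <connection> block; only UDP ones get the notify line."""
    kept, remotes, notify = [], [], None
    default_proto, inline_tag = "udp", None
    for line in config.splitlines():
        words = line.split()
        if inline_tag:                      # inside <ca>, <cert>, <key>, ...: copy verbatim
            kept.append(line)
            if line.strip() == f"</{inline_tag}>":
                inline_tag = None
        elif words and words[0].startswith("<") and not words[0].startswith("</"):
            inline_tag = words[0].strip("<>")
            kept.append(line)
        elif words and words[0] == "remote":
            remotes.append(words[1:])       # host [port] [proto]
        elif words and words[0] == "explicit-exit-notify":
            notify = line.strip()           # keep any retry count argument
        else:
            if words and words[0] == "proto" and len(words) > 1:
                default_proto = words[1]    # used for remotes without their own proto
            kept.append(line)
    if notify is None or not remotes:
        return config                       # nothing to rewrite
    out = kept[:]
    for args in remotes:                    # original order is the fallback order
        proto = args[2] if len(args) > 2 else default_proto
        out.append("<connection>")
        out.append("remote " + " ".join(args))
        if proto.startswith("udp"):         # TCP remotes must not carry the directive
            out.append(notify)
        out.append("</connection>")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(split_per_connection(SAMPLE), end="")
```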