OpenVPN / openvpn3

OpenVPN 3 is a C++ class library that implements the functionality of an OpenVPN client, and is protocol-compatible with the OpenVPN 2.x branch.
https://openvpn.net

OpenVPN 2 python wrapper error #40

Closed andreiglingeanu closed 6 years ago

andreiglingeanu commented 6 years ago

Hello,

I'm trying to start a tunnel via the openvpn2 wrapper script to an OpenVPN 2 server. The command I'm running is this one (it works with the classic openvpn binary):

openvpn2  --config config.ovpn.txt --auth-user-pass auth.txt

For some reason, the Python script comes back with an error about wrong arguments:

/usr/bin/openvpn2: error: unrecognized arguments: --resolv-retry infinite --tun-mtu-extra 32 --tls-client

I've tried to dissect the Python script in order to find the source of the problem, but I didn't find anything mentioning such args there.

Any help is highly appreciated, thanks!

cron2 commented 6 years ago

Hi,

On Tue, Mar 13, 2018 at 12:01:01AM +0000, Andrei Glingeanu wrote:

> For some reason, the Python script comes back with an error about wrong arguments:
>
> /usr/bin/openvpn2: error: unrecognized arguments: --resolv-retry infinite --tun-mtu-extra 32 --tls-client

openvpn 3 does not understand all possible options that openvpn 2.x has -> go to your config file, and remove those named arguments.

--tls-client needs to be just "--client"

gert -- now what should I write here...

Gert Doering - Munich, Germany gert@greenie.muc.de

dsommers commented 6 years ago

First of all, this should have been filed against the openvpn3-linux project. The openvpn2 wrapper is specific to the OpenVPN3 Linux client. This openvpn3 project is just the OpenVPN 3 Core Library.

That said, @cron2 is right. OpenVPN 3 doesn't support all options openvpn2 supports, hence the error you get. But it doesn't mean some options shouldn't be just silently ignored. The openvpn2 wrapper ignores options which don't make a real difference on the connection. Options which are required to be set on both sides (like --fragment) cannot be used; the VPN connection will most likely not be functional at all.

In this case, I have a feeling --tun-mtu-extra can be ignored. --resolv-retry might be supported in the Core Library (need to double check), but it defaults to infinite in both OpenVPN 2 and OpenVPN 3, so in your case it's safe to ignore it too.

Now the tls-client option should just be ignored. OpenVPN 3 requires this type of client, so this should be the default behaviour. I'll improve that.
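
An added illustration of the policy described in the comment above (not code from the openvpn3-linux wrapper or from anyone in this thread): a pre-flight check that reads an OpenVPN 2 config and flags only the options this thread names. The function names, verdict labels, the "review" verdict for a non-default --resolv-retry value, and the sample config are assumptions made for the example.

```python
import shlex

# Classification uses only what the thread states; other options are not judged.
IGNORABLE = {"tun-mtu-extra", "tls-client"}   # thread: can be / should be ignored
BOTH_SIDES = {"fragment"}                     # thread: must be set on both sides

def classify(name, args):
    if name in BOTH_SIDES:
        return "reject"        # fail closed: dropping it would break the tunnel
    if name in IGNORABLE:
        return "ignore"
    if name == "resolv-retry":
        # Safe to drop only when it restates the default (assumption: any
        # other value is handed to a human instead of being discarded).
        return "ignore" if args == ["infinite"] else "review"
    return "unknown"

def audit_config(text):
    """Return [(lineno, option, verdict)] for the options named in the thread."""
    findings, inline = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline:                              # inside <ca> ... </ca> etc.
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":         # OpenVPN comment markers
            continue
        if line.startswith("<") and line.endswith(">") and line[1] != "/":
            inline = line[1:-1]
            continue
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        name = tokens[0].lstrip("-")            # accept "--opt" and "opt"
        verdict = classify(name, tokens[1:])
        if verdict != "unknown":
            findings.append((lineno, name, verdict))
    return findings

# Constructed sample config, not taken from the reporter's file.
SAMPLE = """client
remote vpn.example.net 1194
resolv-retry infinite
tun-mtu-extra 32   # inline comment
tls-client
;fragment 1300
fragment 1300
<ca>
fragment 1300
</ca>
"""

if __name__ == "__main__":
    for lineno, name, verdict in audit_config(SAMPLE):
        print(f"line {lineno}: {name}: {verdict}")
```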

andreiglingeanu commented 6 years ago

Thank you very much for helping! This indeed helped, I'll adjust my configuration file to make it compatible with OpenVPN 3.

Is there anything I can further do in order to help? I feel like my problem already has a solution.

dsommers commented 6 years ago

If you're up for providing patches, that is the quickest way to see results 🙂 ... But please send them to openvpn-devel@lists.sourceforge.net for review, even though, if it is non-critical and not somehow security sensitive, I'm not too strict about it currently. The project is still fairly fresh, and I want things to move forward reasonably quickly.

Most of the Python stuff falls into the "non-critical" part, unless you touch anything related to key/certificate handling, the PKCS#11 stuff, username/password handling etc. Option parsing is a grey area though, so if you want to be safe - the mailing list is always the safest bet. But I can review patches coming via GitHub before they're sent to the mailing list though.

Since this issue isn't strictly OpenVPN 3 Core related, but openvpn3-linux, I'll close this ticket now. We can pick up the discussion there again whenever needed.

andreiglingeanu commented 6 years ago

Thanks for a very thorough clarification, very much appreciated! I can probably come back with a possible patch for that once I get more into it & gain a deeper understanding, thanks again.

dsommers commented 6 years ago

I've pushed out an updated openvpn3-linux tree, which improves the situation for --tls-client and --resolv-retry. Copr builds completed as well.