opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

Unable to start OpenVPN client with renegotiate time 0 #7919

Closed uholeschak closed 1 month ago

uholeschak commented 1 month ago

Describe the bug

The modification for https://github.com/opnsense/core/issues/7690 created a problem when using the VPN client with renegotiate time 0. In this case you are forced to set an auth-gen-token time 0. This makes no sense in client mode. When starting the OpenVPN client you get the following error message:

Options error: --auth-gen-token requires --mode server

The bug has been introduced with commit ec23ffc0

To Reproduce

Set renegotiate time 0 in OpenVPN client mode.

Expected behavior

In OpenVPN client mode the check for auth-gen-token time should be removed. The check is only valid for server mode.

Describe alternatives you considered

Set renegotiate time of 10000000 in client mode, to disable the check.

Relevant log files

/usr/local/opnsense/scripts/openvpn/ovpn_service_control.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/instance-3e2fafe3-a9a8-4a55-b680-1be19f89fae1.conf'' returned exit code '1', the output was ''
Options error: --auth-gen-token requires --mode server

Environment

OPNsense 24.7.5

uholeschak commented 1 month ago

If you try to enter 0 for auth-gen-token you are blocked forever, because the field is typically invisible in client mode (it is displayed only for the error message). You are not able to remove the entry any more and have to restore the configuration.

fichtner commented 1 month ago

One obvious drawback from trying to validate OpenVPN's strict internal validations is that it can trigger more validations. It would be nicer if the whole thing wasn't a blackbox validator or it would try to ignore some of these settings if it doesn't need them anyway. Nevertheless we'll patch this in a hotfix as soon as it has been confirmed working (by you ideally) later today.

Cheers, Franco

AdSchellevis commented 1 month ago

We can move the settings around and prevent this from happening, no problem. The issue with openvpn mainly is about the inconsistency in available options.

AdSchellevis commented 1 month ago

@uholeschak can you check https://github.com/opnsense/core/commit/f454a2d335fcd06d1b76df7a5765f40ad3c2ebcc, patch via console:

opnsense-update 454a2d

uholeschak commented 1 month ago

This is not working:

opnsense-update 454a2d

Do you mean?

opnsense-patch 454a2d

This results in error:

fetch: https://github.com/opnsense/core/commit/454a2d.patch: Not Found

AdSchellevis commented 1 month ago

OK, more typos from my end, it should be:

opnsense-patch f454a2d

uholeschak commented 1 month ago

Thanks, it's now working as expected.