
vyos 1.2 openvpn client names with spaces created incorrectly
Closed, Resolved | Public | BUG

Description

When setting an openvpn client with a name using the command

set interfaces openvpn vtun0 server client "John Smith" ip 10.190.1.1

the config is correctly set, but the resulting user created in /opt/vyatta/etc/openvpn/ccd/vtun0/ is not created correctly. With the above command a file with the name John is created in /opt/vyatta/etc/openvpn/ccd/vtun0/, while a file named Smith is created in /home/vyos.

In openvpn 2.3 and above, the client names no longer use the underscore to replace spaces or other special characters, and it expects the file name with the spaces and other special characters to be created for each user to match their client certificate CN. So a file named "John Smith" must be created in /opt/vyatta/etc/openvpn/ccd/vtun0/. This issue prevents any user whose name has spaces from being able to log in to openvpn when the reject-unconfigured-clients option is set, as the name doesn't match.

Since VyOS 1.2 is using openvpn 2.4, there is a temporary workaround for this by using openvpn-option --compat-names to force it to use the old naming convention of underscore instead of space. However, --compat-names is deprecated and removed from openvpn 2.5. Below is the configuration causing the problem.

vyos@vyos# show interfaces openvpn
 openvpn vtun0 {
     description OpenVPN
     firewall {
         in {
         }
     }
     local-host 10.200.3.55
     mode server
     openvpn-option --float
     openvpn-option --compat-names
     protocol tcp-passive
     server {
         client "John Smith" {
             ip 10.190.1.1
         }
         name-server 10.111.111.111
         reject-unconfigured-clients
         subnet 10.190.0.0/16
     }
     tls {
         ca-cert-file /config/auth/ca.crt
         cert-file /config/auth/vpnserver2015.crt
         crl-file /config/auth/crl.pem
         dh-file /config/auth/dh2048.pem
         key-file /config/auth/vpnserver2015.key
     }
 }
[edit]
vyos@vyos# ls /opt/vyatta/etc/openvpn/ccd/vtun0/
John
[edit]
vyos@vyos# ls
Smith
[edit]
vyos@vyos#
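The split of "John Smith" into a file John in the ccd directory and a file Smith in the working directory is the pattern an unquoted shell expansion of the client name produces. The following is an added example, not VyOS code, and the cause is an assumption: it reproduces that pattern in a temporary directory (standing in for the ccd directory and /home/vyos) and shows the quoted form that yields the single "John Smith" file OpenVPN 2.4 looks for.

```shell
#!/bin/sh
# Added example, not from the VyOS project. Assumption: the symptom in the
# report (John in the ccd dir, Smith in the working dir) is what an unquoted
# expansion of the client name produces. Paths are stand-ins under mktemp.

# Broken pattern: $ccd/$name is unquoted, so "John Smith" word-splits into two
# arguments and touch creates two files, the second one relative to the cwd.
ccd_write_unquoted() {
    ccd="$1"; name="$2"; cwd="$3"
    ( cd "$cwd" && touch $ccd/$name )
}

# Fixed pattern: quoting keeps the name as one argument, so one file is created
# whose name matches the client certificate CN, spaces included.
ccd_write_quoted() {
    ccd="$1"; name="$2"; cwd="$3"
    ( cd "$cwd" && touch "$ccd/$name" )
}

# Check used by the demo and test: the ccd directory must hold exactly one
# entry, and it must be the full client name.
ccd_has_only() {
    ccd="$1"; name="$2"
    [ -e "$ccd/$name" ] && [ "$(ls -A "$ccd" | wc -l | tr -d ' ')" -eq 1 ]
}

demo() {
    work=$(mktemp -d)
    ccd="$work/ccd"; home="$work/home"
    mkdir -p "$ccd" "$home"

    ccd_write_unquoted "$ccd" "John Smith" "$home"
    echo "unquoted -> ccd:"; ls "$ccd"      # John
    echo "unquoted -> cwd:"; ls "$home"     # Smith
    rm -f "$ccd"/* "$home"/*

    ccd_write_quoted "$ccd" "John Smith" "$home"
    echo "quoted -> ccd:"; ls "$ccd"        # John Smith
    ccd_has_only "$ccd" "John Smith" && echo "ccd entry matches CN"
    rm -rf "$work"
}
```

Run `demo` to see both outcomes side by side; the quoted variant is the behaviour the reject-unconfigured-clients check needs, since OpenVPN 2.4 matches the ccd file name against the unmodified CN.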

Details

Difficulty level
Unknown (require assessment)
Version
1.2.x
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

rifau created this task.Jul 9 2019, 6:03 AM
pasik added a subscriber: pasik.Jul 16 2019, 9:50 AM
syncer assigned this task to c-po.Aug 30 2019, 11:57 PM
syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
c-po updated the task description. (Show Details)Sep 28 2019, 7:39 AM
c-po set Is it a breaking change? to Unspecified (possibly destroys the router).
c-po updated the task description. (Show Details)

As VyOS 1.2 rolling and also the upcoming VyOS 1.3 will use OpenVPN 2.4 (b/c Debian Buster ships OpenVPN 2.4.7), the workaround should work for quite some time! Thanks for pointing this out.

c-po closed this task as Resolved.Sep 28 2019, 7:45 AM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Oct 13 2019, 3:05 PM
jjakob added a subscriber: jjakob.Apr 17 2020, 9:55 AM

So if we wanted to not use compat-names because of T2113, the client node names would need to have spaces; I don't know how the config system would handle this. It could probably take a quoted value as the client node, but I'm not sure the shell completion would handle this - it already has problems autocompleting quoted values (for example, if you try tab-completing a description with a space in it, you'll see what I mean). Shell completion would very likely break with quoted node names. A workaround could be to remap underscores in the config client node names to spaces for the actual ccd file names. I don't quite like that option, but the alternative would be to have to fix the shell autocompletion for quoted values (better in the big picture but more complex and time consuming), or not fix T2113.