
vyos 1.2 openvpn client names with spaces created incorrectly
Open, Requires assessment · Public · BUG


When setting an openvpn client with a name using the command

set interfaces openvpn vtun0 server client "John Smith" ip

the config is correctly set but the resulting user created in /opt/vyatta/etc/openvpn/ccd/vtun0/ is not created correctly. With the above command a file with the name John is created in /opt/vyatta/etc/openvpn/ccd/vtun0/ while a file named Smith is created in /home/vyos. In openvpn 2.3 and above, the client names no longer use the underscore to replace spaces or other special characters, and it expects the file name with the spaces and other special characters to be created for each user to match their client certificate CN. So a file with the name "John Smith" must be created in /opt/vyatta/etc/openvpn/ccd/vtun0/. This issue prevents any user whose name has spaces from being able to log in to openvpn when the reject-unconfigured-clients option is set, as the name doesn't match. Since vyos 1.2 is using openvpn 2.4, there is a temporary workaround for this by using openvpn-option '--compat-names' to force it to use the old naming convention of underscore instead of space. However, --compat-names is deprecated and removed from openvpn 2.5. Below is the configuration causing the problem.

vyos@vyos# show interfaces openvpn
openvpn vtun0 {

description OpenVPN
firewall {
    in {
mode server
openvpn-option --float
openvpn-option --compat-names
protocol tcp-passive
server {
    client "John Smith" {
tls {
    ca-cert-file /config/auth/ca.crt
    cert-file /config/auth/vpnserver2015.crt
    crl-file /config/auth/crl.pem
    dh-file /config/auth/dh2048.pem
    key-file /config/auth/vpnserver2015.key

vyos@vyos# ls /opt/vyatta/etc/openvpn/ccd/vtun0/
vyos@vyos# ls
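
The symptom reported above (a file John in the CCD directory and a file Smith in the working directory) is what shell word splitting of an unquoted client name produces. The following is an added example, not VyOS code and not part of the original report; it assumes that cause and reproduces it in a temporary directory beside the quoted form. The function names, the temporary paths and the `missing_ccd` audit helper are hypothetical.

```shell
#!/bin/sh
# Added example: constructed names and paths, not VyOS code.
# Assumption: the CCD file is created by a command that gets the name unquoted.

# Buggy pattern: $2 is unquoted, so "John Smith" is split into two words:
# "<ccd_dir>/John" and "Smith" (the latter relative to the current directory).
make_ccd_unquoted() {   # $1 = CCD directory, $2 = client name
    touch $1/$2
}

# Fixed pattern: quoting keeps the name as one argument, spaces included.
make_ccd_quoted() {     # $1 = CCD directory, $2 = client name
    touch "$1/$2"
}

# Hypothetical audit helper: print each client name that has no CCD file
# whose name matches it exactly (the match OpenVPN 2.3+ expects for the CN).
missing_ccd() {         # $1 = CCD directory, remaining args = client names
    dir=$1; shift
    for name in "$@"; do
        [ -f "$dir/$name" ] || printf '%s\n' "$name"
    done
}

demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/ccd" "$work/home"
    # Run from a stand-in for /home/vyos so the stray file is visible.
    ( cd "$work/home" && make_ccd_unquoted "$work/ccd" "John Smith" )
    echo "unquoted: ccd=[$(ls "$work/ccd")] cwd=[$(ls "$work/home")]"
    echo "missing after unquoted: [$(missing_ccd "$work/ccd" "John Smith")]"
    make_ccd_quoted "$work/ccd" "John Smith"
    echo "missing after quoted:   [$(missing_ccd "$work/ccd" "John Smith")]"
    rm -rf "$work"
}

demo
```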


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close

Event Timeline

rifau created this task. Jul 9 2019, 6:03 AM
pasik added a subscriber: pasik. Jul 16 2019, 9:50 AM