Page MenuHomePhabricator

vyos 1.2 openvpn client names with spaces created incorrectly
Closed, ResolvedPublicBUG

Description

When setting an openvpn client with a name using the command

set interfaces openvpn vtun0 server client "John Smith" ip 10.190.1.1

the config is correctly set but the resulting user created in /opt/vyatta/etc/openvpn/ccd/vtun0/ is not created correctly. With the above command a file with the name John is created in /opt/vyatta/etc/openvpn/ccd/vtun0/ while a file name Smith is created in /home/vyos. In openvpn 2.3 and above, the client names no longer use the underscore to replace space or other special character and it expects the file name with the spaces and other special characters to be created for each user to match their client certificate CN. So a file with "John Smith" must be created in /opt/vyatta/etc/openvpn/ccd/vtun0/. This issue prevents any user whose name has spaces from being able to login to openvpn when the reject-unconfigured-clients option is set, as the name doesn't match. Since vyos 1,2 is uing openvpn 2.4, there is a temporary workaround for this by using openvpn-option --compat-names to force it to use the old naming convention of underscore instead of space. However, the --compat-names is deprecated and removed from openvpn 2.5. Below is the configurations causing the problem.

vyos@vyos# show interfaces openvpn
 openvpn vtun0 {
     description OpenVPN
     firewall {
         in {
         }
     }
     local-host 10.200.3.55
     mode server
     openvpn-option --float
     openvpn-option --compat-names
     protocol tcp-passive
     server {
         client "John Smith" {
             ip 10.190.1.1
         }
         name-server 10.111.111.111
         reject-unconfigured-clients
         subnet 10.190.0.0/16
     }
     tls {
         ca-cert-file /config/auth/ca.crt
         cert-file /config/auth/vpnserver2015.crt
         crl-file /config/auth/crl.pem
         dh-file /config/auth/dh2048.pem
         key-file /config/auth/vpnserver2015.key
     }
 }
[edit]
vyos@vyos# ls /opt/vyatta/etc/openvpn/ccd/vtun0/
John
[edit]
vyos@vyos# ls
Smith
[edit]
vyos@vyos#

Details

Difficulty level
Unknown (require assessment)
Version
1.2.x
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible

Event Timeline

rifau created this task.Jul 9 2019, 6:03 AM
pasik added a subscriber: pasik.Jul 16 2019, 9:50 AM
syncer assigned this task to c-po.Aug 30 2019, 11:57 PM
syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
c-po updated the task description. (Show Details)Sat, Sep 28, 7:39 AM
c-po set Is it a breaking change? to Perfectly compatible.
c-po updated the task description. (Show Details)

As VyOS 1.2 rolling and also the upcoming VyOS 1.3 will use OpenVPN 2.4 (b/c Debian Buster ships OpenVPN 2.4.7) the workaround should work for quiet some time! Thanks for pointing this out.

c-po closed this task as Resolved.Sat, Sep 28, 7:45 AM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Sun, Oct 13, 3:05 PM