Page MenuHomeVyOS Platform

OpenVPN: openvpn-option parsed/rendered improperly
Open, HighPublicBUG

Description

The CLI statement interfaces openvpn vtun10 openvpn-option '--tun-mtu 1500 --fragment 1300 --mssfix' will render in vtun10.conf to

--tun-mtu 1500 --fragment 1300 --mssfix

On startup OpenVPN complains about:

Apr 26 09:26:47 vyos openvpn-vtun10[27854]: Options error: Unrecognized option or missing or extra parameter(s) in vtun10.conf:76: tun-mtu (2.4.7)

This happened to work in 1.2.4 so it must be something with the rendering - I know that passing openvpn-option is maximum bad practice but it should not become a problem on an upgrade

Details

Difficulty level
Unknown (require assessment)
Version
1.3-rolling-202004231230
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

c-po triaged this task as High priority.Apr 26 2020, 7:31 AM
c-po created this task.
c-po added a subscriber: jjakob.

@jjakob as you seem to be the OpenVPN pro - you mind taking a look?

sould rewrite to multioption:

openvpn-option tun-mtu 1500
openvpn-option fragment 1300
openvpn-option foo bar

@elbandi sure that I used as workaround.

The problem is if someone upgrades from 1.2.5 to 1.3.x this will break OpenVPN which is bad.

Crux probably passed this as a string of options to the command line or
split it into multiple options. We need to add a parser to split the
options by '--', hopefully this won't break any options which should
include -- in one line.

Just call the multiple options other name (like 'option'), and admin can modify they config if they want. no need a IM migrate script.
And leave the openvpn-option for raw option, if someone want to make a magic things in openvpn.
(like, in dhcp server, static mapping has option tagnode for "Host-specific settings" and static-mapping-parameters for raw hacking :)

@elbandi how should this approach fix the error on image upgrade?

If in crux this was just a option string passed to the openvpn process,
quoting or escaping could be used to pass a parameter with '--' to an
openvpn option. I need to have a good long look at how Crux did this and
have some real life examples. For example: openvpn-option '--mssfix --up
"/some/command --param1 --param2"' (I'm not sure if this would've worked
on Crux, the quoting is probably wrong, and the up option parameter too,
but my point remains that this could've been a valid option syntax)

We'd probably need to write a migrator script that was quoting and
escaping aware, because we can't just split by '--'.
I'll take a look this week after I get some free time.