Page 1 of 1

[RFE] explicit-exit-notify should be "allowed" in tcp clients

Posted: Fri Nov 23, 2018 9:57 pm
by ratnix
Presently, --explicit-exit-notify is fatally disallowed as an option if you have TCP mode (init.c and options.c). I can imagine the thinking here was something like, 'TCP closes connections explicitly, so why bother?'

I wish, and have a case for, allowing explicit-exit-notify to be at least an allowed option, if not something actually sent upon connection closure.

Under --remote or <connection>, you can have your clients specify a proto. My fleet gets a config:

Code: Select all

remote hostname 1194 udp
remote hostname 1194 tcp-client
remote hostname 443 tcp-client
remote hostname 80 tcp-client
(this is to get people connected when they run into silly firewalls, which is reasonably common). Because of having TCP in there, explicit-exit-notify is invalid, even if it would be valid for UDP.

I think explicit-exit-notify should be allowed for all clients, and filtered out at the sending-the-notify point, rather than at the option-parsing point. I mean, certainly it's worth a caution in the logs along the lines of "in TCP mode this will do nothing", but I don't believe that it should be immediately fatal.

Re: [RFE] explicit-exit-notify should be "allowed" in tcp clients

Posted: Sat Nov 24, 2018 1:45 pm
by TinCanTech
This may be possible using <connection> blocks ..

However, the devs tend to agree that TCP & --explicit-exit-notify does not need to be fatal.
It's not a high priority but it will probably be changed some time soon-ish.

Re: [RFE] explicit-exit-notify should be "allowed" in tcp clients

Posted: Sun Nov 25, 2018 3:13 am
by ratnix
Thank you for relaying the request and the answer.

It's quite possible that this would work under a <connection> 'today' under raw openvpn, but I haven't tried using those blocks in about 6-12 months. Back then I just did a simple change to my default config, putting the blocks around the `remote` statement only, and I failed in testing. Memory says Ubuntu 14.04+Mint derivatives could not parse those blocks using NM.

I know that NM's mistakes aren't openvpn's problem, but they still impact our offerings, so anything we can fix upstream, well, all the better.

Has this accepted / tracked as a bug/RFE, or should I file it?

Re: [RFE] explicit-exit-notify should be "allowed" in tcp clients

Posted: Sun Nov 25, 2018 4:23 am
by TinCanTech
ratnix wrote:
Sun Nov 25, 2018 3:13 am
should I file it?
Or better yet, how about a patch :D

Openvpn is an open project and this is an improvement, so it would make sense to trac it.