OpenVPN Support Forum

Presently, --explicit-exit-notify is fatally disallowed as an option if you have TCP mode (init.c and options.c). I can imagine the thinking here was something like, 'TCP closes connections explicitly, so why bother?'

I wish, and have a case for, allowing explicit-exit-notify to be at least an allowed option, if not something actually sent upon connection closure.

Under --remote or <connection>, you can have your clients specify a proto. My fleet gets a config: (this is to get people connected when they run into silly firewalls, which is reasonably common). Because of having TCP in there, explicit-exit-notify is invalid, even if it would be valid for UDP.

I think explicit-exit-notify should be allowed for all clients, and filtered out at the sending-the-notify point, rather than at the option-parsing point. I mean, certainly it's worth a caution in the logs along the lines of "in TCP mode this will do nothing", but I don't believe that it should be immediately fatal.

This may be possible using <connection> blocks ..

However, the devs tend to agree that TCP & --explicit-exit-notify does not need to be fatal.
It's not a high priority but it will probably be changed some time soon-ish.

Thank you for relaying the request and the answer.

It's quite possible that this would work under a <connection> 'today' under raw openvpn, but I haven't tried using those blocks in about 6-12 months. Back then I just did a simple change to my default config, putting the blocks around the `remote` statement only, and I failed in testing. Memory says Ubuntu 14.04+Mint derivatives could not parse those blocks using NM.

I know that NM's mistakes aren't openvpn's problem, but they still impact our offerings, so anything we can fix upstream, well, all the better.

Has this accepted / tracked as a bug/RFE, or should I file it?

ratnix wrote: ↑

Sun Nov 25, 2018 3:13 am

should I file it?

Or better yet, how about a patch

Openvpn is an open project and this is an improvement, so it would make sense to trac it.