Opened 10 months ago

Closed 6 weeks ago

#1164 closed Bug / Defect (fixed)

Options error: --pull-filter cannot be used with --mode server

Reported by: tincantech Owned by: selvanair
Priority: major Milestone:
Component: Windows GUI Version:
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc: selvanair

Description

https://forums.openvpn.net/viewtopic.php?f=6&t=27999

The GUI no longer supports --mode server due to additional --pull-filter

Change History (12)

comment:1 Changed 10 months ago by Gert Döring

Cc: selvanair added

oops

comment:2 Changed 9 months ago by tincantech

cc'ing because I did not receive notification of your comment.

oops ;-)

Last edited 9 months ago by tincantech (previous) (diff)

comment:3 Changed 9 months ago by tincantech

I am not proposing this change but it does at least work:

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index e34b65b1..99ab9eb0 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2228,10 +2228,14 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
         {
             msg(M_USAGE, "--pull cannot be used with --mode server");
         }
+
+/*
         if (options->pull_filter_list)
         {
             msg(M_USAGE, "--pull-filter cannot be used with --mode server");
         }
+*/
+
         if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
         {
             msg(M_USAGE, "--mode server currently only supports "

With this patch applied to git master

  • Tested a Linux server by adding pull-filter ignore "route 192.168." to the server config. Works as expected.
  • Tested a Windows server using the GUI. Works as expected. Relevant log:
Mon Mar 18 16:20:45 2019 us=716351   mode = 1
...
Mon Mar 18 16:20:45 2019 us=716351   Pull filters:
Mon Mar 18 16:20:45 2019 us=716351     ignore "route-method"
...
Mon Mar 18 16:20:45 2019 us=716351   server_network = 10.11.97.0
Mon Mar 18 16:20:45 2019 us=716351   server_netmask = 255.255.255.0
...
Mon Mar 18 16:20:45 2019 us=716351   pull = DISABLED
...
Mon Mar 18 16:20:45 2019 us=716351 OpenVPN 2.5_git [git:master/ccb636c75103f11b+] i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 18 2019
Mon Mar 18 16:20:45 2019 us=716351 Windows version 6.1 (Windows 7) 32bit
Mon Mar 18 16:20:45 2019 us=716351 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
...
Mon Mar 18 16:20:46 2019 us=435101 interactive service msg_channel=0
...
Mon Mar 18 16:20:56 2019 us=466351 Initialization Sequence Completed
...
Mon Mar 18 16:21:22 2019 us=403851 85.210.186.13:3879 [meltdown] Peer Connection Initiated with [AF_INET6]::ffff:85.210.186.13:3879
...
Mon Mar 18 16:21:23 2019 us=591351 meltdown/85.210.186.13:3879 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Mar 18 16:21:23 2019 us=591351 meltdown/85.210.186.13:3879 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

I presumed that pull-filter code is not called by a server because pull is disabled.

Last edited 9 months ago by tincantech (previous) (diff)

comment:4 Changed 9 months ago by selvanair

Of course that will "fix" it, but its not ideal, obviously. The right fix would be for the GUI to parse the config and not add it for server modes.

I never thought anyone is using the GUI to run a server as that would require the user to remain logged-in. This may be a rare use case.

comment:5 in reply to:  4 Changed 9 months ago by tincantech

Replying to selvanair:

Of course that will "fix" it, but its not ideal, obviously. The right fix would be for the GUI to parse the config and not add it for server modes.

I was simply testing a theory but your proposal to change the GUI is more suitable.

Replying to selvanair:

I never thought anyone is using the GUI to run a server as that would require the user to remain logged-in. This may be a rare use case.

Only two confirmed cases so far -- See the link to the Forum above.

Apparently, starting OpenVPN GUI with admin rights prevented this error .. which does not sound ideal either.

comment:6 in reply to:  4 Changed 8 months ago by tincantech

Replying to selvanair:

The right fix would be for the GUI to parse the config and not add it for server modes.

Are you planning to make this change or not ?

comment:7 Changed 5 months ago by papawel

It would be nice to see additional info in this guide:
https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide
which doesn't work due Options error: --pull-filter cannot be used with --mode server

comment:8 Changed 5 months ago by tincantech

I added a notice to the tutorial for the time being.

comment:9 Changed 8 weeks ago by tincantech

Is it possible that the hard error in openvpn be downgraded to only a warning and continue anyway ?

comment:10 in reply to:  9 Changed 8 weeks ago by selvanair

Replying to tincantech:

Is it possible that the hard error in openvpn be downgraded to only a warning and continue anyway ?

Sounds good to me. We could change the fatal "Options error: .." to a warning like "Options warning: client-only option --pull-filter ignored in --mode server".

Alternatively, adding a config specific tick-box in the GUI is not hard but not very user-friendly. A proper fix is much more work.

comment:11 Changed 6 weeks ago by Gert Döring

commit bb1ea491cd16d11b448342e8287beacae619f980 (master)
commit 6a90f36f69e1f41d6c61ab7e566e7e7e0ba7d71a (release/2.4)
Author: Richard Bonhomme <tincanteksup@…>
Date: Thu Oct 24 22:48:32 2019 +0100

Ignore --pull-filter for --mode server

... so I think this ticket can be closed now, right?

comment:12 Changed 6 weeks ago by Gert Döring

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.