Opened 11 years ago

Last modified 18 months ago

#298 new Bug / Defect

"Local Options String"/"Expected Remote Options String": keydir misleading

Reported by: catkin
Owned by:
Priority: minor
Milestone: release 2.7
Component: Generic / unclassified
Version: OpenVPN 2.3.1 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:


Please consider:

  • Removing keydir from the "Local Options String" and "Expected Remote Options String" messages or setting it to the actual value configured.
  • Modifying the openvpn man page's --opt-verify section to specify the actual options strings when they are not identical to the options listed (affects only keydir?)
  • Adding a "Received Remote Options String" message to compare with the "Expected Remote Options String" message.

The reasons for making these requests are ...

The "Local Options String" and "Expected Remote Options String" messages appear as a pair and include "keydir 1" and "keydir 0" respectively. A reasonable guess at the meaning is that there is a mismatch in the configuration.

The only mention of keydir in the openvpn man page is under --opt-verify where it is one of the options listed after "Clients that connect with options that are incompatible with those of the server will be disconnected. Options that will be compared for compatibility include ...".

Thus it seems that keydir is important but there is no indication of which configuration option sets it.

If an OpenVPN user pursues this probable misconfiguration, the next question is "what is keydir?". A diligent search might light on --secret file [direction] but that should be dismissed if the configuration uses TLS.

In fact the keydir values in the messages are invariant so say nothing about the configuration.

In 2.3.1, the value is set by function keydirection2ascii according to the value of remote which is set by function do_compute_occ_strings: to true when generating the "Local Options String" string and to false when generating the "Expected Remote Options String".

The messages were seen using these versions:

  • OS: Debian 6.0 Squeeze
  • openvpn --version output:

OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 21 2012
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@…>

  • Installed package: 2.1.3-2+squeeze1
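The following is an added illustration, written for this page and not code from the ticket or from OpenVPN itself, of how to read a pair of OCC strings the way the reporter's analysis suggests: the local string and the expected-remote string are generated from the same configuration, so entries that OpenVPN deliberately emits inverted for the peer (the keydir 1/keydir 0 pair the ticket describes, and the tls-server/tls-client role swap) are expected to differ, while any other difference is a real inconsistency worth chasing. It assumes the OCC string layout OpenVPN 2.x logs (a leading "V4" token followed by comma-separated "name[ value]" entries); the sample strings are constructed, and the cipher/keysize mismatch in the second sample is invented to show what a genuine mismatch looks like. Per comment 4 on this ticket, OpenVPN 2.5 and later no longer emit keydir at all, so the keydir rule only matters for logs from older versions.

```python
"""Diff two OpenVPN options-consistency-check (OCC) strings.

Added example for reading the "Local Options String" and
"Expected Remote Options String" log lines; not OpenVPN's own code.
Assumes the OCC layout OpenVPN 2.x logs: a leading "V4" version
token, then comma-separated "name[ value]" entries.
"""

# Entries that OpenVPN emits *inverted* in the expected-remote string,
# so a difference here is by construction, not a misconfiguration.
#   keydir: local side prints its own direction and the opposite for the
#           peer (the invariant "keydir 1" / "keydir 0" pair this ticket is
#           about; OpenVPN 2.5+ drops keydir from the string entirely).
#   tls-server / tls-client: a server expects its peer to be the client.
MIRRORED_VALUES = {"keydir": {"0": "1", "1": "0"}}
MIRRORED_NAMES = {"tls-server": "tls-client", "tls-client": "tls-server"}


def parse_occ(occ):
    """Split an OCC string into (version, {option: value}); value is '' when
    the entry is a bare flag such as 'tls-server'."""
    fields = occ.strip().split(",")
    version = fields[0]
    options = {}
    for field in fields[1:]:
        name, _, value = field.partition(" ")
        options[name] = value
    return version, options


def _is_mirrored(name, lval, rval, lopts, ropts):
    """True when the difference is the expected inversion for this entry."""
    if name in MIRRORED_VALUES:
        return MIRRORED_VALUES[name].get(lval) == rval
    partner = MIRRORED_NAMES.get(name)
    if partner is None:
        return False
    # The flag is absent on one side; that is fine if that side carries the
    # partner flag instead (local tls-server <-> remote tls-client).
    return (lval is None and partner in lopts) or (rval is None and partner in ropts)


def diff_occ(local, remote):
    """Return [(option, local_value, remote_value, verdict)] for every entry
    that differs; verdict is 'mirrored' (expected) or 'mismatch' (real)."""
    lver, lopts = parse_occ(local)
    rver, ropts = parse_occ(remote)
    findings = []
    if lver != rver:
        findings.append(("version", lver, rver, "mismatch"))
    for name in sorted(set(lopts) | set(ropts)):
        lval, rval = lopts.get(name), ropts.get(name)
        if lval == rval:
            continue
        verdict = "mirrored" if _is_mirrored(name, lval, rval, lopts, ropts) else "mismatch"
        findings.append((name, lval, rval, verdict))
    return findings


def real_mismatches(findings):
    """Keep only the differences that are not explained by mirroring."""
    return [f for f in findings if f[3] == "mismatch"]


# Constructed sample: the two strings one host logs (same config, so only
# mirrored entries differ) and a string from a peer with a different cipher.
LOCAL_OCC = ("V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,"
             "cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server,keydir 1")
EXPECTED_REMOTE_OCC = ("V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,"
                       "cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client,keydir 0")
PEER_OCC = ("V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,"
            "cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client,keydir 0")

if __name__ == "__main__":
    for label, other in (("expected remote", EXPECTED_REMOTE_OCC), ("peer", PEER_OCC)):
        print(f"local vs {label}:")
        for name, lval, rval, verdict in diff_occ(LOCAL_OCC, other):
            print(f"  {verdict:9s} {name}: local={lval!r} other={rval!r}")
```

Run against the local/expected-remote pair the tool reports only mirrored differences, which is the point of the ticket: the keydir entries carry no configuration information. Run against a peer's string (the value the reporter asks to have logged as a "Received Remote Options String"), the cipher and keysize lines surface as the real mismatches.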

Change History (4)

comment:1 Changed 11 years ago by Samuli Seppänen

I don't quite follow... are you using openvpn 2.1.3 or 2.3.1? Also, what is the problem exactly?

comment:2 Changed 10 years ago by Gert Döring

--keydir is one of the more weird options that show in OCC checks but are not documented in the manpage... this is not critical, but "user confusion" which might benefit from better documentation.

comment:3 Changed 9 years ago by Samuli Seppänen

Shall we add some clarifications to the man-page?

comment:4 Changed 18 months ago by Gert Döring

Milestone: release 2.7

Current sources already ignore keydir in the OCC string (since commit 3baae9ba52187166b7d0b05901732666477a2acb, which went into 2.5).

2.7 will remove --secret tunnels, so this will all go out.
