Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

<connection> profiles are non-functional + unkown/unsupported option details are lacking #249

Open
ihipop opened this issue Apr 5, 2024 · 11 comments
Open

<connection> profiles are non-functional + unkown/unsupported option details are lacking #249

ihipop opened this issue Apr 5, 2024 · 11 comments

Comments

@ihipop
Copy link

ihipop commented Apr 5, 2024

Client configuration files may contain multiple remote servers which it will attempt to connect against. But there are some configuration options which are related to specific --remote options. For these use cases, connection profiles are the solution.

By enacpulating the --remote option and related options within and , these options are handled as a group.

An OpenVPN client will try each connection profile sequentially until it achieves a successful connection.

https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html#CONNECTION%20PROFILES:~:text=By%20enacpulating%20the,a%20successful%20connection.

if a configure file is contains any <connection> , the connection will fail with

2024-04-05 19:07:13 Client -- ERROR --: Connection failed: option_error: sorry, unsupported options present in configuration: UNKNOWN/UNSUPPORTED OPTIONS
2024-04-05 19:07:13 [STATUS] Connection, Client connection failed: option_error: sorry, unsupported options present in configuration: UNKNOWN/UNSUPPORTED OPTIONS

there are two problems about the error:

  1. This error message neither prints out the line that caused this issue nor provides any details about the UNKNOWN/UNSUPPORTED OPTION so I HAVE TO TRY line by line,may I have a detailed error about UNKNOWN/UNSUPPORTED OPTIONS
  2. They don't complain about this error when I use OpenVPN-connect IOS/ANDROID/MAC/Windows. They use openvpn3 too, why openvpn3-linux don't allow this, is this a bug or some misunderstanding?
@schwabe
Copy link
Contributor

schwabe commented Apr 5, 2024
edited

OpenVPN Connect might be using old version of OpenVPN3 that only warns and ignores these options instead of failing.

Also we have unit te sts that check for support:

https://github.com/OpenVPN/openvpn3/blob/master/test/unittests/test_remotelist.cpp#L98

so <connection> is supported

@ihipop
Copy link
Author

ihipop commented Apr 6, 2024

OpenVPN Connect might be using old version of OpenVPN3 that only warns and ignores these options instead of failing.

Also we have unit te sts that check for support:

https://github.com/OpenVPN/openvpn3/blob/master/test/unittests/test_remotelist.cpp#L98

so <connection> is supported

https://aur.archlinux.org/packages/openvpn3

I’m using https://github.com/OpenVPN/openvpn3-linux/tree/v21
It will fail with <connection> indeed

and shall we have the detail about UNKNOWN/UNSUPPORTED OPTIONS or at least the line numbers in the future?

@dsommers
Copy link
Member

dsommers commented Apr 6, 2024

@ihipop Which command do you use to start the VPN session? openvpn3 session-start or the Python script /usr/bin/openvpn2?

@ihipop
Copy link
Author

ihipop commented Apr 7, 2024

@ihipop Which command do you use to start the VPN session? openvpn3 session-start or the Python script /usr/bin/openvpn2?

openvpn3 session-start

@dsommers
Copy link
Member

dsommers commented Apr 7, 2024

@ihipop Thanks! I'll run some tests locally and debug this. I have to admit that <connection> profiles has not been tested in OpenVPN 3 Linux, and it does some parsing as well (via the OpenVPN 3 Core library). It might be there are some issues related to that parsing. The openvpn2 python wrapper does a different set of pre-parsing, that's why I asked about that.

@ihipop
Copy link
Author

ihipop commented Apr 8, 2024

@ihipop Thanks! I'll run some tests locally and debug this. I have to admit that <connection> profiles has not been tested in OpenVPN 3 Linux, and it does some parsing as well (via the OpenVPN 3 Core library). It might be there are some issues related to that parsing. The openvpn2 python wrapper does a different set of pre-parsing, that's why I asked about that.

I am glad to know about that :)

While looking forward to a fix for that, may I have a wish for a detailed error about UNKNOWN/UNSUPPORTED OPTIONS in the future, which will help us a lot to find out which UNKNOWN/UNSUPPORTED OPTIONS causes the problem instead of testing it by commenting out the config line by line.
I think a line number of the config file is required at least, I would much appreciate it if you give the name of the specific UNKNOWN/UNSUPPORTED OPTIONS

@schwabe
Copy link
Contributor

schwabe commented Apr 8, 2024

@ihipop that should already be detailed enough. There might be a bug with reporting in respect to <connection>. Can you share your configuration that triggers that?

@ihipop
Copy link
Author

ihipop commented Apr 8, 2024

this will cause the error when connecting (not importing)

2024-04-05 19:07:13 Client -- ERROR --: Connection failed: option_error: sorry, unsupported options present in configuration: UNKNOWN/UNSUPPORTED OPTIONS

# setenv USERNAME "test@example.com"
# OVPN_WEBAUTH_FRIENDLY_USERNAME=test@example.com
# OVPN_FRIENDLY_PROFILE_NAME=TEST
client
<connection>
remote example.com 1988 udp
</connection>
<connection>
remote example.com 1988 tcp
</connection>
push-peer-info

# Easy-RSA Type: client
# Name: test@example.com

<cert>
-----BEGIN CERTIFICATE-----
.
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
.
-----END PRIVATE KEY-----
</key>

<ca>
-----BEGIN CERTIFICATE-----
.
-----END CERTIFICATE-----
</ca>


<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
.
-----END OpenVPN Static key V1-----
</tls-crypt>

dev tun

NO line numbers, NO detailed error about which UNKNOWN/UNSUPPORTED OPTIONS cause the problem

comment out the <connection> </connection> fixs the issue

@dsommers dsommers changed the title CONNECTION PROFILES support is missing and may I have a detailed error about UNKNOWN/UNSUPPORTED OPTIONS <connection> profiles are non-functional + unkown/unsupported option details are lacking Apr 26, 2024
@dsommers
Copy link
Member

@ihipop Can you please try the latest development snapshot to see if the missing "unkown/unsupported options details" are resolved? The builds pushed out yesterday and today have a newer OpenVPN 3 Core library release included which should have some more improvements in that area.

Fedora Copr devsnapshots: https://copr.fedorainfracloud.org/coprs/dsommers/openvpn3-devsnapshots/
Ubuntu PPA based devsnapshots: https://launchpad.net/~djpig/+archive/ubuntu/openvpn

@ihipop
Copy link
Author

ihipop commented Apr 29, 2024
edited

@dsommers I'm sorry but I didn't use Fedora or Ubuntu, would this work if I rebuild using the AUR https://aur.archlinux.org/packages/openvpn3 ?

@dsommers
Copy link
Member

@ihipop I'm not experienced in how the PKGBUILD setup works. And I see that does several hacks to link against an older glib2 currently.

If you can get a PKGBUILD to use the latest glib2 library, using the dev/gdbuspp-migration branch in the OpenVPN 3 Linux git repo and you can get the GDBus++ library built ... then it should most likely be possible to test this properly on Arch too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ihipop @schwabe @dsommers