The client-config-dir phenomenon in OpenVPN 2.3

Today I learned again that sometimes the devil is in the details. We have been running OpenVPN for years. We run it in a way that distinguishes between "normal users" and "power users". While normal users are restricted to the least they need within the VPN, power users (like NetOps) are granted a couple more things. We use the "client-config-dir" option for this. Basically, a power user has a special config file in that client-config-dir which assigns the different options to the user once he connects.

After upgrading from OpenVPN 2.2 to 2.3 we noticed that this feature didn't work anymore and the power users were no longer assigned their special settings. The changelog of 2.3 only pointed out that "Support UTF-8 --client-config-dir" changed. Nothing else that had to do with this feature had changed lately. So I started to poke around in the code; it's surprisingly well structured, I have to admit. It took only 15 minutes to find the actual problem. As said, the devil is in the details...

This is the function that takes care of the options import:

So the problem is in the ccd_file variable. Probably due to the UTF-8 support for the client-config-dir parameter, the tls_common_name seems to have changed from "Winfried_Neessen" to "Winfried Neessen" when I logged on. So the gen_path() function, instead of looking for "<path_to_ccd>/Winfried_Neessen", looked for "<path_to_ccd>/Winfried Neessen", which of course did not exist. So test_file( ccd_file ) would fail and the options import would be discarded silently. After renaming the config files for the super users, everything worked as expected again.
