jonathanio/update-systemd-resolved

openvpn not passing dhcp-option (not a problem with update-systemd-resolved)

scotte opened this issue · 3 comments

Thanks for this script, it's very useful and helpful. I ran into an odd issue with my version of openvpn (debian stretch openvpn 2.4.0, and stretch-backports 2.4.3) where dhcp-option pushes don't get passed to the up/down script at all. I'm not sure why this is the case, so I thought I'd open an issue here in case other folks have also seen this, or if anyone has a solution.

The openvpn log contains:

Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:X: dhcp-option

For all dhcp-options (where X is the option position in the PUSH).

With some additional debugging in update-systemd-resolved, I was able to confirm that these options get swallowed by openvpn and aren't passed as foreign_option_ at all. As a workaround, I'm calling update-systemd-resolved with a wrapper that looks something like:

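#!/usr/bin/env bash

# Inject the pushed options that openvpn does not pass on as foreign_option_*.
export foreign_option_100="dhcp-option DOMAIN domain.com"
export foreign_option_101="dhcp-option DOMAIN-SEARCH domain.com. domain.net. domain.org."

# Quote the path and arguments so they reach the real script unchanged.
"$(dirname "$0")/update-systemd-resolved" "$@"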

Seems to work, although the search list ends up in the systemd generated resolve file as fqdn.com.\x032fqdn.net.\x032fqdn.org. for some reason - I'm not sure what is escaping the spaces, but it does seem to work OK.

Anyway, if anyone has seen this and has a solution, I'd appreciate it - searches have so far not turned up anything. Additionally, perhaps the wrapper is useful to anyone else who needs to inject additional options to update-systemd-resolved.

@scotte,

Great to hear you find the script useful. I wonder if the general issue you're having is because you're trying to do too much on a single line - OpenVPN, and hence the script, is designed to only take a pair of values after dhcp-option: key and value. Taking your example script, you put three domains against DOMAIN-SEARCH - my script treats this as a single domain name string and hence the \x032 value in the resolve file.

Can you give it a try by specifying the DOMAIN-SEARCH value multiple times with single values in your OpenVPN configuration? I think this will solve your issue with OpenVPN (i.e. the extra parameters you're passing) and therefore correctly put the configuration into your /etc/resolve.conf:

dhcp-option DOMAIN-SEARCH domain.com.
dhcp-option DOMAIN-SEARCH domain.net.
dhcp-option DOMAIN-SEARCH domain.org.

I hope that helps.

Ah, yes, obvious now - and explains why openvpn is swallowing those options, because they are invalid! In my wrapper I was just providing exactly what the openvpn server was pushing. I will let the maintainers of the (corporate) VPN in question know about the misconfiguration. Thanks for the reply, but sorry for bugging you with an unrelated support question. :-/

You most certainly weren't bugging me! It was a reasonable question and hopefully I've been able to help you. 😄 If you need any more help, re-open the ticket.
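
As an added example (not part of the thread and not code from update-systemd-resolved), the wrapper idea from the first post can split a multi-valued push into the single-valued dhcp-option entries described in the reply before exporting them. The function names, the character allow-list for values and the starting index 100 are assumptions of this example; the sample options are constructed from the ones quoted above.

```shell
#!/bin/sh
# Added example; not part of update-systemd-resolved or OpenVPN.

# Print one "dhcp-option KEY VALUE" line per value found in option string $1.
# Returns 1 if $1 is not a dhcp-option carrying at least one value.
split_dhcp_option() {
    set -f                 # no glob expansion while splitting pushed text
    set -- $1              # deliberate word splitting on whitespace
    set +f
    [ "$#" -ge 3 ] && [ "$1" = "dhcp-option" ] || return 1
    sdo_key=$2
    shift 2
    for sdo_value in "$@"; do
        case $sdo_value in
            *[!A-Za-z0-9.:-]*)   # assumed allow-list: host names and IP addresses
                printf 'skipping unexpected value: %s\n' "$sdo_value" >&2
                continue ;;
        esac
        printf 'dhcp-option %s %s\n' "$sdo_key" "$sdo_value"
    done
}

# Export each non-empty line of $1 as foreign_option_N, numbering from $2.
export_foreign_options() {
    efo_n=$2
    while IFS= read -r efo_line; do
        [ -n "$efo_line" ] || continue
        export "foreign_option_$efo_n=$efo_line"
        efo_n=$((efo_n + 1))
    done <<EOF
$1
EOF
}

# Constructed sample input: the two options from the wrapper in the first post.
pushed_1="dhcp-option DOMAIN domain.com"
pushed_2="dhcp-option DOMAIN-SEARCH domain.com. domain.net. domain.org."

normalized=$(split_dhcp_option "$pushed_1"; split_dhcp_option "$pushed_2")
export_foreign_options "$normalized" 100
env | grep '^foreign_option_' | sort

# Hand-off as in the original wrapper (commented out so the example runs alone):
# exec "$(dirname "$0")/update-systemd-resolved" "$@"
```

Each search domain ends up in its own foreign_option_N variable, so the script no longer receives three domains as one space-containing string.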