From d6a0cf599c68edc672c67c6afa4bdff0e1a30b8a Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Thu, 23 Oct 2025 17:56:08 +0200
Subject: [PATCH] Warn if push is used without --mode server/--server/--server-bridge
This is not a supported configuration and will often work good enough to get a connection working but will operate more in a weird pre P2P negotiation compatibility way rather than actually negotiating protocol features. While at it, remove an unused macro (PUSH_DEFINED).
Change-Id: I82c7c61be07593ecd5bf2f854767dda74ab5170c
Signed-off-by: Arne Schwabe
Acked-by: Frank Lichtenheld
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1288
Message-Id: <20251023155614.20642-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33856.html
Signed-off-by: Gert Doering
---
 doc/man-sections/server-options.rst | 3 +++
 src/openvpn/options.c | 7 +++++++
 src/openvpn/options.h | 5 -----
 3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
index ccc13744d..347a25185 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -497,6 +497,9 @@ fast hardware. SSL/TLS authentication must be used in this mode.
 ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, ``--rcvbuf``, ``--session-timeout``
+ Note: using ``--push`` requires OpenVPN to run in ``--mode server`` (or
+ using of one of `--server`, `--server-bridge` helper directives).
+
 --push-remove opt Selectively remove all ``--push`` options matching "opt" from the option list for a client. ``opt`` is matched as a substring against the whole
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 65c6b3b3e..9c02a8c3d 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2690,6 +2690,13 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
 MUST_BE_UNDEF(vlan_accept, "vlan-accept");
 MUST_BE_UNDEF(vlan_pvid, "vlan-pvid");
 MUST_BE_UNDEF(force_key_material_export, "force-key-material-export");
+
+ if (options->push_list.head)
+ {
+ msg(M_WARN, "Note: Using --push without --mode server is an "
+ "unsupported configuration. Negotiation of OpenVPN "
+ "features is expected to fail.");
+ }
 }
 /*
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 009904aa9..24253afa2 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -768,16 +768,11 @@ struct options
 #define OPT_P_DEFAULT (~(OPT_P_INSTANCE | OPT_P_PULL_MODE))
 #define PULL_DEFINED(opt) ((opt)->pull)
-#define PUSH_DEFINED(opt) ((opt)->push_list)
 #ifndef PULL_DEFINED
 #define PULL_DEFINED(opt) (false)
 #endif
-#ifndef PUSH_DEFINED
-#define PUSH_DEFINED(opt) (false)
-#endif
-
 #ifdef _WIN32
 #define ROUTE_OPTION_FLAGS(o) ((o)->route_method & ROUTE_METHOD_MASK)
 #else
--
2.47.3
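Review bot: The added `if (options->push_list.head)` test depends only on `options`, but it lives in `options_postprocess_verify_ce`, which by its name and its connection-entry parameter is presumably run once per connection entry, so a configuration with several entries would log the same warning repeatedly; consider emitting it from the once-per-configuration verification path instead. The `MUST_BE_UNDEF` lines directly above look like hard rejections, while `--push` only warns and the code does not say why; a comment such as `/* warn only: such setups often still connect, but without protocol feature negotiation */` would record that the softer handling is deliberate. The function and the enclosing block begin outside the hunk, so the condition under which this branch is reached is not visible here.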