OpenVPN on the latest snapshots

Hello,
I'm running the latest snapshot for 23.05 and OpenVPN server will not start. It keeps generating an error message "Options error: --ipchange cannot be used with --mode server (use --client-connect instead)"

I thought it might be my settings but even the default settings don't work.

Is anyone else having similar issues? Can this be fixed?

Yes I am having similar issues. Apparently someone has started tweaking the /etc/init.d/openvpn script, and has decided to add:

--ipchange "/usr/libexec/openvpn-hotplug ipchange $name"

to line 158 under the openvpn_add_instance function definition, along with "--route-up" and "--route-pre-down". They definitely are not present in the same file on 22.03.5.

Seems whoever is doing the changes decided to not see if ipchange worked for an OpenVPN server as well as a client...

At any rate, you can comment the --ipchange line I mentioned above out, which simply means you'll lose the ability to:

Run command cmd when our remote ip-address is initially authenticated or changes.
cmd consists of a path to a script (or executable program), optionally followed by arguments.

Per the OpenVPN reference manual. No big deal.

Then, you'll need to add "script-security 2" to your openvpn server config, if it's not already there. After that, your server will probably start again using the new init.d script :slight_smile:

Took the time to look and found the offending commit (f8a8b71):
https://git.openwrt.org/?p=feed/packages.git;a=commit;h=f8a8b71e26b9bdbf86fbb7d4d1482637af7f3ba4


Thank you @klipz
Commenting out the line seems to have helped. However, I'm now getting a different error

Sat May 27 10:50:20 2023 daemon.warn openvpn(MyOpenVPN)[29154]: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Sat May 27 10:50:20 2023 daemon.err openvpn(MyOpenVPN)[29154]: WARNING: Failed running command (--up/--down): disallowed by script-security setting
Sat May 27 10:50:20 2023 daemon.notice openvpn(MyOpenVPN)[29154]: Exiting due to fatal error

I set script_security to 0 and to 'remove' in the Luci UCI to no avail.

Try setting it to 2 (or 3)

--script-security level

This directive offers policy-level control over OpenVPN's usage of external programs and scripts. Lower level values are more restrictive, higher values are more permissive. Settings for level:

0
    Strictly no calling of external programs.
1
    (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
2
    Allow calling of built-in executables and user-defined scripts.
3
    Allow passwords to be passed to scripts via environmental variables (potentially unsafe).

@tam481 Per my last paragraph (and egc) you need to set your script-security to 2 or 3 as well. Or you could try hacking things up further to remove that new requirement as well.

I simply chose to add it to my config and continue testing snapshot :slight_smile:

Tried that. It was already set to 2 in my config which is why I tried 0 and 'remove'. Tried setting it to 3 as well to no avail.

After commenting out the ipchange line in /etc/init.d/openvpn I received weird errors like /etc/rc.common: eval: line 162: --script-security: not found when running that script.

Completely deleting the ipchange line allowed my script_security setting to be correctly applied.

Also changing "ipchange" to "client-connect" (2x) like the logs suggested worked, though I don't know if it's functional.
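The two failure modes discussed in this thread (a client-only `--ipchange` hook rejected in server mode, and hook scripts refused unless `script-security` is at least 2) can be checked before an instance is started. The snippet below is an added example, not OpenWrt's /etc/init.d/openvpn nor the fix commit: the function names and the mode-detection pattern are my own assumptions, only the hotplug script path and hook names come from the thread.

```sh
#!/bin/sh
# Added example: choose the hotplug hook options for one OpenVPN instance
# by mode, and verify the config permits external scripts at all.
# Path as quoted in the thread; the functions below are hypothetical.
HOTPLUG=/usr/libexec/openvpn-hotplug

# is_server_config CONFIG_FILE -> exit 0 when the config runs in server mode
# (assumption: "mode server", "server ..." or "server-bridge ..." directives)
is_server_config() {
    grep -Eq '^[[:space:]]*(mode[[:space:]]+server|server([[:space:]]|-bridge))' "$1"
}

# script_security_ok CONFIG_FILE -> exit 0 when the last script-security
# directive is 2 or higher; OpenVPN otherwise reports the hook as
# "disallowed by script-security setting" and exits
script_security_ok() {
    lvl=$(sed -n 's/^[[:space:]]*script-security[[:space:]]\{1,\}\([0-9]\).*/\1/p' "$1" | tail -n 1)
    [ -n "$lvl" ] && [ "$lvl" -ge 2 ]
}

# hook_opts NAME CONFIG_FILE -> prints the options to append to the command
# line: --ipchange is client-only, so server instances get --client-connect
hook_opts() {
    name="$1" cfg="$2"
    if is_server_config "$cfg"; then
        printf '%s "%s client-connect %s" ' --client-connect "$HOTPLUG" "$name"
    else
        printf '%s "%s ipchange %s" ' --ipchange "$HOTPLUG" "$name"
    fi
    printf '%s "%s route-up %s" ' --route-up "$HOTPLUG" "$name"
    printf '%s "%s route-pre-down %s"\n' --route-pre-down "$HOTPLUG" "$name"
}

# check_instance NAME CONFIG_FILE -> prints the hook options, or a warning
# on stderr and exit 1 when the config would refuse to run them
check_instance() {
    if ! script_security_ok "$2"; then
        echo "$1: set 'script-security 2' in $2 before adding hook scripts" >&2
        return 1
    fi
    hook_opts "$1" "$2"
}
```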

@Pepe what are you Turris guys up to?

Reach the author's commit, that's not me. :wink: Also, I did not merge that.

The proper reference is this:

and most likely, it is going to be fixed by this:

I know it wasn't you in person, just wanted to get some attention ,)
