Discussion:
[Openvpn-users] options error: option 'setenv' cannot be used in this context ([PUSH-OPTIONS])
Ralf Hildebrandt
2016-10-21 14:45:24 UTC
I recently changed on the server side:

#push "register-dns"
push "setenv opt register-dns"
#push "block-outside-dns"
push "setenv opt block-outside-dns"

and my linux client reports:

Fri Oct 21 14:41 options error: option 'setenv' cannot be used in this context ([PUSH-OPTIONS])
Fri Oct 21 14:41 options error: option 'setenv' cannot be used in this context ([PUSH-OPTIONS])

one line for each "setenv opt".

Is my syntax correct? I wanted to make "register-dns" and
"block-outside-dns" optional for systems that don't support it (Linux,
OSX)
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
***@charite.de Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
Selva Nair
2016-10-22 16:53:11 UTC
On Fri, Oct 21, 2016 at 10:45 AM, Ralf Hildebrandt <
Post by Ralf Hildebrandt
#push "register-dns"
push "setenv opt register-dns"
#push "block-outside-dns"
push "setenv opt block-outside-dns"
Fri Oct 21 14:41 options error: option 'setenv' cannot be used in this
context ([PUSH-OPTIONS])
Fri Oct 21 14:41 options error: option 'setenv' cannot be used in this
context ([PUSH-OPTIONS])
When pushed those options are optional (i.e. will be ignored with a warning
on unsupported platforms), so simple "push register-dns" and "push
block-outside-dns" should be enough. Use of "setenv opt" in this context is
for those who want the option in a common config file that may be used in
different platforms, not for pushing it.

Now, pushing "setenv" was probably allowed in some very early versions but
not for a long time for security reasons (also see setenv-safe in the
manpage). As for push "setenv opt ..", that also is not currently supported
though allowing it may not be risky. It seems the manpage is wrong in
saying setenv is pushable.

Selva
Jan Just Keijser
2016-10-24 08:38:13 UTC
Post by Ralf Hildebrandt
#push "register-dns"
push "setenv opt register-dns"
#push "block-outside-dns"
push "setenv opt block-outside-dns"
Fri Oct 21 14:41 options error: option 'setenv' cannot be used in this context ([PUSH-OPTIONS])
Fri Oct 21 14:41 options error: option 'setenv' cannot be used in this context ([PUSH-OPTIONS])
When pushed those options are optional (i.e. will be ignored with a warning on unsupported platforms), so simple "push
register-dns" and "push block-outside-dns" should be enough. Use of "setenv opt" in this context is for those who want the
option in a common config file that may be used in different platforms, not for pushing it.
Now, pushing "setenv" was probably allowed in some very early versions but not for a long time for security reasons (also see
setenv-safe in the manpage). As for push "setenv opt ..", that also is not currently supported though allowing it may not be
risky. It seems the manpage is wrong in saying setenv is pushable.
Indeed, it was allowed to do "push setenv" in version 2.0/early 2.1
I'd make a case for allowing a "push setenv opt", however: the whole idea behind "setenv opt" is to allow you to set an option
that is ignored on platforms that do not support it. Granted, this can also be achieved using "push-peer-info" and then examining
the client-side platform, but that requires more work (and a 2.4+ server).

JM2CW,

JJK
Selva Nair
2016-10-24 16:20:02 UTC
Hi,
Post by Selva Nair
On Fri, Oct 21, 2016 at 10:45 AM, Ralf Hildebrandt <
Post by Ralf Hildebrandt
#push "register-dns"
push "setenv opt register-dns"
#push "block-outside-dns"
push "setenv opt block-outside-dns"
Fri Oct 21 14:41 options error: option 'setenv' cannot be used in this
context ([PUSH-OPTIONS])
Fri Oct 21 14:41 options error: option 'setenv' cannot be used in this
context ([PUSH-OPTIONS])
When pushed those options are optional (i.e. will be ignored with a warning
on unsupported platforms), so simple "push register-dns" and "push
block-outside-dns" should be enough. Use of "setenv opt" in this context is
for those who want the option in a common config file that may be used in
different platforms, not for pushing it.
Now, pushing "setenv" was probably allowed in some very early versions but
not for a long time for security reasons (also see setenv-safe in the
manpage). As for push "setenv opt ..", that also is not currently supported
though allowing it may not be risky. It seems the manpage is wrong in
saying setenv is pushable.
Indeed, it was allowed to do "push setenv" in version 2.0/early 2.1
I'd make a case for allowing a "push setenv opt", however: the whole idea
behind "setenv opt" is to allow you to set an option that is ignored on
platforms that do not support it. Granted, this can also be achieved using
"push-peer-info" and then examining the client-side platform, but that
requires more work (and a 2.4+ server).
While it does look safe to allow "push setenv opt .. ", is it really
useful? All pushed options are optional in the sense that none will cause a
FATAL error, just a warning in the logs. So prepending "setenv opt", if
allowed, would make no real difference, would it?

Selva
Ralf Hildebrandt
2016-10-25 13:52:02 UTC
Post by Selva Nair
While it does look safe to allow "push setenv opt .. ", is it really
useful? All pushed options are optional in the sense that none will cause a
FATAL error, just a warning in the logs. So prepending "setenv opt", if
allowed, would make no real difference, would it?
In my case, it's a convenience feature:

Tunnelblick on Mac OS X has this very nice way of sending logs to the
admin (me). The log is color coded, and the relevant (at least for me)
are coloured yellow or red.

yellow are warnings, red are fatal errors.

If I was able to make "register-dns" and "block-outside-dns" entirely
optional (on OS X / Linux), I'd have a "clean" log.
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
***@charite.de Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
Selva Nair
2016-10-25 15:53:34 UTC
On Tue, Oct 25, 2016 at 9:52 AM, Ralf Hildebrandt <
Post by Selva Nair
Post by Selva Nair
While it does look safe to allow "push setenv opt .. ", is it really
useful? All pushed options are optional in the sense that none will cause a
FATAL error, just a warning in the logs. So prepending "setenv opt", if
allowed, would make no real difference, would it?
Tunnelblick on Mac OS X has this very nice way of sending logs to the
admin (me). The log is color coded, and the relevant (at least for me)
are coloured yellow or red.
yellow are warnings, red are fatal errors.
If I was able to make "register-dns" and "block-outside-dns" entirely
optional (on OS X / Linux), I'd have a "clean" log.
Agreed, a way of having some unrecognized push options not tagged as an
error could be useful. If editing the client config is an option you can add

pull-filter ignore block-outside-dns
pull-filter ignore register-dns

That will cause those options pulled from the server to be silently ignored
(at --verb 3 level).

--pull-filter is available in the 2.4_alpha2 release.

Selva
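To make the client-side behaviour Selva describes concrete, here is an added example (not code from OpenVPN or from anyone in this thread) that models how `pull-filter accept|ignore|reject text` is evaluated against a server's PUSH_REPLY: rules are tested in config order, each matches on the leading text of a pushed option (a prefix match), the first match decides, an option no rule matches is accepted, and a `reject` match drops the connection. The client config, the PUSH_REPLY string and the `PushRejected` exception are all constructed for the example.

```python
"""Model of OpenVPN's client-side --pull-filter evaluation (added example).

Assumptions (labelled): the prefix-match, first-match-wins and
unmatched-means-accept semantics follow the --pull-filter manpage text;
the PUSH_REPLY wire format is the comma-separated option list the server sends.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed client config: the two pull-filter lines from Selva's reply,
# plus a comment and unrelated directives to show they are skipped.
CLIENT_CONFIG = """
client
dev tun
# Windows-only options this server pushes; drop them silently on Linux/macOS
pull-filter ignore block-outside-dns
pull-filter ignore register-dns
"""

# Constructed PUSH_REPLY as a Linux client would receive it from this server.
SAMPLE_PUSH_REPLY = (
    "PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology subnet,"
    "block-outside-dns,register-dns,ping 10,ping-restart 120,"
    "ifconfig 10.8.0.6 255.255.255.0"
)


@dataclass
class PullFilter:
    action: str  # "accept", "ignore" or "reject"
    text: str    # leading text a pushed option must start with to match


class PushRejected(Exception):
    """A pushed option hit a `reject` rule; OpenVPN would abort the connection."""


def parse_pull_filters(config_lines: List[str]) -> List[PullFilter]:
    """Collect pull-filter rules from client config text, in file order."""
    rules = []
    for raw in config_lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 2)
        if parts[0] != "pull-filter":
            continue
        if len(parts) != 3 or parts[1] not in ("accept", "ignore", "reject"):
            raise ValueError(f"malformed pull-filter line: {raw!r}")
        text = parts[2].strip()
        if len(text) >= 2 and text[0] == text[-1] == '"':
            text = text[1:-1]                   # allow quoting to keep a trailing space
        rules.append(PullFilter(parts[1], text))
    return rules


def apply_pull_filters(push_reply: str,
                       rules: List[PullFilter]) -> Tuple[List[str], List[str]]:
    """Split one PUSH_REPLY into (applied, ignored) option lists.

    Raises PushRejected on the first option that matches a `reject` rule.
    """
    prefix = "PUSH_REPLY,"
    if not push_reply.startswith(prefix):
        raise ValueError("not a PUSH_REPLY message")
    options = [o for o in push_reply[len(prefix):].split(",") if o]
    applied, ignored = [], []
    for opt in options:
        decision = "accept"                     # default when no rule matches
        for rule in rules:
            if opt.startswith(rule.text):       # prefix match, first hit wins
                decision = rule.action
                break
        if decision == "reject":
            raise PushRejected(f"option '{opt}' rejected by pull-filter")
        (applied if decision == "accept" else ignored).append(opt)
    return applied, ignored


def demo() -> Tuple[List[str], List[str]]:
    """Run the constructed config against the constructed PUSH_REPLY."""
    return apply_pull_filters(SAMPLE_PUSH_REPLY,
                              parse_pull_filters(CLIENT_CONFIG.splitlines()))


if __name__ == "__main__":
    applied, ignored = demo()
    print("applied:", applied)
    print("ignored:", ignored)
```

Because the match is on the leading text, `pull-filter ignore route` would also swallow `route-gateway`; quoting a trailing space (`pull-filter ignore "route "`) narrows it to `route` lines only. The same mechanism works defensively in the other direction: a `reject` rule lets a client refuse a pushed directive it never wants to honour from that server.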
Jonathan K. Bullard
2016-10-25 16:18:54 UTC
Hi.
Post by Selva Nair
Agreed, a way of having some unrecognized push options not tagged as an
error could be useful. If editing the client config is an option you can add
pull-filter ignore block-outside-dns
pull-filter ignore register-dns
That will cause those options pulled from the server to be silently ignored
(at --verb 3 level).
--pull-filter is available in the 2.4_alpha2 release.
Tunnelblick 3.6.9beta01, released 2016-10-09, includes a "git-master"
version of OpenVPN that I believe includes --pull-filter. It includes
OpenVPN 2.3 git-master bae1ad7 dated 2016-10-07.

The next Tunnelblick beta will include OpenVPN 2.4_alpha2. It is
scheduled for release after OpenVPN 2.3.13, which as I understand it
is due "soon".

Best regards,

Jon Bullard (Tunnelblick developer)
