From 3fd2ff423b6c6e992b2ed531c7ba99fb9e1a2123 Mon Sep 17 00:00:00 2001
From: zsdc <taras@vyos.io>
Date: Mon, 4 Oct 2021 10:40:31 +0300
Subject: OpenVPN: T3350: Changed custom options for OpenVPN processing

Custom OpenVPN options are moved back from the configuration file to
the command line. This should keep full compatibility with the `crux`
branch and avoids mistakes when parsing options that contain `--` in
the middle.
The only non-trivial part is the handling of the `push` option. Because
of internal changes in OpenVPN, it previously did not require its
argument to be in double quotes, but after the version update in
`equuleus` and `sagitta` the old syntax became invalid. So, all
`push` options are processed to add the quotes. The solution is still
not complete: if a single config line contains `push` together with
other options, it will not work, but it is better than nothing.
---
 data/templates/openvpn/server.conf.tmpl           | 13 -------------
 data/templates/openvpn/service-override.conf.tmpl | 20 ++++++++++++++++++++
 2 files changed, 20 insertions(+), 13 deletions(-)
 create mode 100644 data/templates/openvpn/service-override.conf.tmpl

(limited to 'data')

diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index bdf88b85f..213c5c785 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -218,16 +218,3 @@ auth {{ hash }}
 auth-user-pass {{ auth_user_pass_file }}
 auth-retry nointeract
 {% endif %}
-
-{% if openvpn_option is defined and openvpn_option is not none %}
-#
-# Custom options added by user (not validated)
-#
-{%   for option in openvpn_option %}
-{%     for argument in option.split('--') %}
-{%       if argument is defined and argument != '' %}
---{{ argument }}
-{%       endif %}
-{%     endfor %}
-{%   endfor %}
-{% endif %}
diff --git a/data/templates/openvpn/service-override.conf.tmpl b/data/templates/openvpn/service-override.conf.tmpl
new file mode 100644
index 000000000..069bdbd08
--- /dev/null
+++ b/data/templates/openvpn/service-override.conf.tmpl
@@ -0,0 +1,20 @@
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid
+{%- if openvpn_option is defined and openvpn_option is not none %}
+{%   for option in openvpn_option %}
+{#     Remove the '--' prefix from variable if it is presented #}
+{%     if option.startswith('--') %}
+{%       set option = option.split('--', maxsplit=1)[1] %}
+{%     endif %}
+{#     Workaround to pass '--push' options properly. Previously openvpn accepted this option without values in double-quotes #}
+{#     But now it stopped doing this, so we need to add them for compatibility #}
+{#     HOWEVER! This is a raw option and we do not promise that this or any other trick will work for all the cases. #}
+{#     Using 'openvpn-option' you take all responsibility for compatibility for yourself. #}
+{%     if option.startswith('push') and not (option.startswith('push "') and option.endswith('"')) %}
+{%       set option = 'push \"%s\"'|format(option.split('push ', maxsplit=1)[1]) %}
+{%     endif %}
+ --{{ option }}
+{%-   endfor %}
+{% endif %}
+
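Review bot: Each `openvpn-option` value is written verbatim into the `ExecStart=` line at ` --{{ option }}`, so systemd parses it before OpenVPN sees it: `%` is read as a unit specifier, `$NAME` as an environment variable, and quotes and backslashes follow systemd's rules rather than OpenVPN's config-file rules. I would escape at least the first two before output, e.g. `{% set option = option | replace('%', '%%') | replace('$', '$$') %}`, and reject values containing a line break, since a newline here would end the command and start a new unit directive (whether the CLI can deliver one is not visible from this hunk). Separately, `option.startswith('push')` also matches `push-reset` and `push-peer-info`, for which `option.split('push ', maxsplit=1)[1]` has no second element; testing `option.startswith('push ')` keeps the quoting workaround to the real `push` directive.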
-- 
cgit v1.2.3