From 89135cdc7bf23ad57ca9fcd725b2b13989a3aea1 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 25 Jul 2024 19:39:27 +0200
Subject: [PATCH] VPN: OpenVPN: Servers [legacy] - disable DCO, only supported
 for new instances (and prevents server startup for tun devices).

---
 src/etc/inc/plugins.inc.d/openvpn.inc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/etc/inc/plugins.inc.d/openvpn.inc b/src/etc/inc/plugins.inc.d/openvpn.inc
index 30fab2b43..9ff36d084 100644
--- a/src/etc/inc/plugins.inc.d/openvpn.inc
+++ b/src/etc/inc/plugins.inc.d/openvpn.inc
@@ -530,6 +530,10 @@ function openvpn_reconfigure($mode, $settings, $device_only = false)
     }
 
     $conf .= "dev-type {$settings['dev_mode']}\n";
+    if ($settings['dev_mode'] == 'tun') {
+        /* legacy does not support DCO */
+        $conf .= "disable-dco\n";
+    }
     $conf .= "dev-node /dev/{$devnode}\n";
     $conf .= "writepid /var/run/openvpn_{$mode_id}.pid\n";
     $conf .= "script-security 3\n";