VPN: OpenVPN: Instances - fix "auth-gen-token" being supplied in server mode introduced by ec23ffc0ef, closes https://github.com/opnsense/core/issues/7919

auth-gen-token should only be offered (and validated) in server mode, move the validation into the server block and split the patameter handling into generic and specific mode specific types.
2026-03-13 00:07:26 +00:00 · 2024-09-30 08:54:39 +02:00 · 2024-09-30 08:54:39 +02:00 · f454a2d335
commit f454a2d335
parent 1d8e5fec36
1 changed files with 13 additions and 11 deletions
--- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
+++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
@ -133,6 +133,12 @@ class OpenVPN extends BaseModel
                        $key . ".verify_client_cert"
                    ));
                }
+                if ((string)$instance->{'auth-gen-token'} != '0' && (string)$instance->{'reneg-sec'} == '0') {
+                    $messages->appendMessage(new Message(
+                        gettext('A token lifetime requires a non zero Renegotiate time.'),
+                        $key . ".auth-gen-token"
+                    ));
+                }
            }
            if (!empty((string)$instance->cert)) {
                $tmp = Store::getCertificate((string)$instance->cert);
@ -156,12 +162,6 @@ class OpenVPN extends BaseModel
                    $key . ".proto"
                ));
            }
-            if ((string)$instance->{'auth-gen-token'} != '0' && (string)$instance->{'reneg-sec'} == '0') {
-                $messages->appendMessage(new Message(
-                    gettext('A token lifetime requires a non zero Renegotiate time.'),
-                    $key . ".auth-gen-token"
-                ));
-            }
        }
        return $messages;
    }
@ -614,6 +614,12 @@ class OpenVPN extends BaseModel
                            $options['push'][] = "\"dhcp-option NTP {$opt}\"";
                        }
                    }
+                    foreach (['auth-gen-token'] as $opt) {
+                        if ((string)$node->$opt != '') {
+                            $options[$opt] = str_replace(',', ':', (string)$node->$opt);
+                        }
+                    }
+
                }
                $options['persist-tun'] = null;
                $options['persist-key'] = null;
@ -639,11 +645,7 @@ class OpenVPN extends BaseModel
                $options['up'] = '/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup';
                $options['down'] = '/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown';

-                foreach (
-                    [
-                    'reneg-sec', 'auth-gen-token', 'port', 'local', 'data-ciphers', 'data-ciphers-fallback', 'auth'
-                    ] as $opt
-                ) {
+                foreach (['reneg-sec', 'port', 'local', 'data-ciphers', 'data-ciphers-fallback', 'auth'] as $opt) {
                    if ((string)$node->$opt != '') {
                        $options[$opt] = str_replace(',', ':', (string)$node->$opt);
                    }