From f454a2d335fcd06d1b76df7a5765f40ad3c2ebcc Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Mon, 30 Sep 2024 08:54:39 +0200
Subject: [PATCH] VPN: OpenVPN: Instances - fix "auth-gen-token" being supplied in server mode introduced by https://github.com/opnsense/core/commit/ec23ffc0ef65ee3fe1f25d23c9690b709edb384c, closes https://github.com/opnsense/core/issues/7919 auth-gen-token should only be offered (and validated) in server mode, move the validation into the server block and split the patameter handling into generic and specific mode specific types.
---
 .../app/models/OPNsense/OpenVPN/OpenVPN.php | 24 ++++++++++---------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
index ed10cdb5a..fdae860e7 100644
--- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
+++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
@@ -133,6 +133,12 @@ class OpenVPN extends BaseModel
 $key . ".verify_client_cert"
 ));
 }
+ if ((string)$instance->{'auth-gen-token'} != '0' && (string)$instance->{'reneg-sec'} == '0') {
+ $messages->appendMessage(new Message(
+ gettext('A token lifetime requires a non zero Renegotiate time.'),
+ $key . ".auth-gen-token"
+ ));
+ }
 }
 if (!empty((string)$instance->cert)) {
 $tmp = Store::getCertificate((string)$instance->cert);
@@ -156,12 +162,6 @@ class OpenVPN extends BaseModel
 $key . ".proto"
 ));
 }
- if ((string)$instance->{'auth-gen-token'} != '0' && (string)$instance->{'reneg-sec'} == '0') {
- $messages->appendMessage(new Message(
- gettext('A token lifetime requires a non zero Renegotiate time.'),
- $key . ".auth-gen-token"
- ));
- }
 }
 return $messages;
 }
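Review bot: The relocated check keeps the loose comparison `(string)$instance->{'auth-gen-token'} != '0'`, so an empty value — the state the config generator in the later hunk treats as "not set" via `!= ''` — is counted as a non-zero token lifetime and raises the error whenever `reneg-sec` is `0`. Unless the model guarantees this field is never empty, reading the value once and comparing strictly, `$token = (string)$instance->{'auth-gen-token'}; if ($token !== '' && $token !== '0' && (string)$instance->{'reneg-sec'} === '0') {`, keeps validation and generation in agreement and sidesteps PHP's numeric-string `==` rules (`'00' == '0'` is true). The enclosing validation method begins above the first hunk; only its tail is visible in the second.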
@@ -614,6 +614,12 @@ class OpenVPN extends BaseModel $options['push'][] = "\"dhcp-option NTP {$opt}\""; } } + foreach (['auth-gen-token'] as $opt) { + if ((string)$node->$opt != '') { + $options[$opt] = str_replace(',', ':', (string)$node->$opt); + } + } + } $options['persist-tun'] = null; $options['persist-key'] = null; @@ -639,11 +645,7 @@ class OpenVPN extends BaseModel $options['up'] = '/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup'; $options['down'] = '/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown'; - foreach ( - [ - 'reneg-sec', 'auth-gen-token', 'port', 'local', 'data-ciphers', 'data-ciphers-fallback', 'auth' - ] as $opt - ) { + foreach (['reneg-sec', 'port', 'local', 'data-ciphers', 'data-ciphers-fallback', 'auth'] as $opt) { if ((string)$node->$opt != '') { $options[$opt] = str_replace(',', ':', (string)$node->$opt); }
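Review bot: The single-element `foreach (['auth-gen-token'] as $opt)` applies the comma-to-colon rewrite, `str_replace(',', ':', (string)$node->$opt)`, to a value the validation hunk treats as a numeric lifetime; the rewrite looks carried over from the shared option list it was split out of, where it serves list-valued options such as `data-ciphers`. If a comma cannot legitimately occur in this field, a plain `if ((string)$node->{'auth-gen-token'} != '') { $options['auth-gen-token'] = (string)$node->{'auth-gen-token'}; }` states the intent more directly; if the loop is meant to grow with further server-only options, a one-line comment saying so (`// server-only options, kept separate from the shared list below`) would spare the next reader the question. The block is intended to sit inside the server-mode branch, but only that branch's closing brace is visible here — its opening `if`/`else` lies above the hunk, so the scoping can't be confirmed from this hunk alone.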