Unsupported "status" option


Benjamin

4 Oct 2015, 11:08:56
to tunnelbli...@googlegroups.com
Hello all!

On Cyberoam firewalls, it is possible to generate a configuration file for SSL VPN connections, which can then be imported into a VPN client (Tunnelblick, OpenVPN, or any other client).

In many software packages, the import process works great. But Tunnelblick rejects the configuration files because of the "status" option in the .openvpn file. So we have to manually edit the .openvpn file to remove the blocking option before trying to import it into Tunnelblick. It is quite annoying, especially for people who are "non-computer people" (which happens to be very common among Mac users).

My questions are:
  • Why is the presence of this option a blocking step during the import process of a configuration file in Tunnelblick?
  • Would it be possible to support this option in Tunnelblick, or at least ignore it if you don't want to support it?
I think that it would make more sense to search for supported parameters within a configuration file, instead of blocking the import process when unsupported parameters are found.

I'll be happy to provide you with more details if needed.

Thank you for your answer!

jkbull...gmail.com

4 Oct 2015, 11:36:04
to tunnelblick-discuss
Tunnelblick does not allow the "status" option (or the "write-pid" or "replay-persist" option) if it has a "relative" file reference. That's because
  • Tunnelblick encapsulates each OpenVPN configuration file in a read-only ".tblk" for security purposes; and
  • The option causes writing to a file; and
  • If that file is inside the Tunnelblick VPN Configuration (a ".tblk"), it cannot be written.
(For simplicity, Tunnelblick assumes that a "relative" file reference is located somewhere "near" the configuration file and would thus be inside the .tblk.)

"Absolute" file references are allowed on the assumption that they refer to a location that is read/write.

It isn't a question of Tunnelblick ignoring the status option. If Tunnelblick ignored it, then when OpenVPN tried to write the status file, it would fail and terminate.

Tunnelblick could be modified to remove the configuration line with the status option when you install a configuration, instead of complaining.

Benjamin

4 Oct 2015, 13:07:39
to tunnelblick-discuss
OK, thank you for your detailed answer. I could ask Cyberoam to remove the line when it generates the files, but I don't expect much from a large company that releases maybe one firmware update a year.

Are there plans to proceed as you said (remove the configuration line with the status option when you install a configuration)?

jkbull...gmail.com

4 Oct 2015, 19:54:25
to tunnelblick-discuss, b3nj...@gmail.com
There weren't, but I will be committing the changes needed to have Tunnelblick "comment out" lines with the "status", "write-pid", and "replay-persist" options later today or tomorrow. They will be included in the next beta release. (I'm not sure when that will be.)

When you install a .tblk or convert an existing .ovpn/.conf file, Tunnelblick will insert

##### Disabled by Tunnelblick: 

at the start of the line in the configuration file that contains the offending option.
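
The rewrite described in the post above, sketched in Python as an added example (not Tunnelblick's code and not part of the thread). It assumes, following the earlier reply, that only relative file references are disabled and absolute ones are left alone; the function name and sample configuration are constructed, and "writepid" is included because that is how the OpenVPN manual spells the option.

```python
import posixpath
import shlex

MARKER = "##### Disabled by Tunnelblick: "  # prefix quoted in the thread
# Option names as listed in the thread, plus "writepid" (OpenVPN manual spelling).
# Each takes the file it writes to as its first argument.
FILE_WRITING_OPTIONS = {"status", "write-pid", "writepid", "replay-persist"}

# Constructed sample configuration (not taken from a real Cyberoam export).
SAMPLE = '''client
dev tun
remote vpn.example.com 8443
status openvpn-status.log 10
  write-pid "run/openvpn.pid"
replay-persist /var/tmp/replay.dat
# status commented.log
verb 3
'''


def disable_relative_writes(config_text):
    """Return (new_text, disabled); disabled holds (line_no, option, path)."""
    out, disabled = [], []
    for line_no, line in enumerate(config_text.splitlines(keepends=True), 1):
        stripped = line.strip()
        tokens = []
        # Blank lines and existing "#" / ";" comments pass through untouched.
        if stripped and stripped[0] not in "#;":
            try:
                tokens = shlex.split(stripped, comments=True)
            except ValueError:
                tokens = []  # unbalanced quote: leave the line for OpenVPN to reject
        if (len(tokens) >= 2 and tokens[0] in FILE_WRITING_OPTIONS
                and not posixpath.isabs(tokens[1])):
            # Assumption: a relative path would resolve inside the read-only .tblk.
            disabled.append((line_no, tokens[0], tokens[1]))
            out.append(MARKER + line)
        else:
            out.append(line)
    return "".join(out), disabled


if __name__ == "__main__":
    new_text, disabled = disable_relative_writes(SAMPLE)
    print(new_text, end="")
    for line_no, option, path in disabled:
        print(f"line {line_no}: disabled {option} -> {path}")
```

Because a disabled line starts with "#", running the function again on its own output changes nothing.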

Benjamin

5 Oct 2015, 02:32:45
to tunnelblick-discuss
Alright! Thank you very much for your support :)

