From: Gert D. <ge...@gr...> - 2023-07-31 13:10:00
Hi,
On Mon, Jul 31, 2023 at 03:02:57PM +0200, Jochen Bern wrote:
> On 31.07.23 13:42, Jason Long wrote:
> > And added the following lines to the client.ovpn file:
> >
> > route 172.20.1.0 255.255.255.0
> > push "dhcp-option dns 172.20.1.2"
> > push "dhcp-option dns 172.20.1.7"
> > dhcp-option DOMAIN MY_DOMAIN
>
> (I would *hope* that clients *cannot* "push" any settings to a central
> server's OpenVPN ...)
They can't. PUSH is pure server-to-client.
So putting "push" options into a client config will do exactly nothing,
except create warnings.
> > My problem is that I did it by enabling the IP Forwarding. I wanted
> > to do it without it. I guess that I must enable the IP Forwarding
> > because of my OpenVPN server NICs. It has two NICs (NAT and Local)
> > and because of it I must enable IP Forwarding.
> > What is your opinion?
>
> Traffic from and to the VPN clients flows between your server's enps0s3 and
> tun... interfaces, so I'm pretty sure that iptables+kernel *do* consider
> them "forwarded" and enabling forwarding is *required* for things to work.
Purely talking "from VPN client to an IP owned by the VPN server"
(like, an SSH connection through the VPN to the VPN server's eth0 address)
is not considered "forwarding" - so forward_ip=1 is not required, and
neither are FORWARD iptables evaluated (= INPUT only).
"From VPN client to *another* machine on the server's eth0 lan" *is*
"forwarding".
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany ge...@gr...
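As an added illustration (not code from the thread or from OpenVPN), the following Python model shows the distinction Gert draws: a packet from a VPN client whose destination is an address the server itself owns is delivered locally and only traverses INPUT, while a packet for another LAN host is a forwarded packet that traverses FORWARD and is discarded unless net.ipv4.ip_forward=1. Interface names, addresses and the routing table are constructed assumptions mirroring the two-NIC server (LAN plus NAT) and the 172.20.1.0/24 LAN discussed above.

```python
"""Model of the Linux local-delivery vs forwarding decision for packets
that arrive from an OpenVPN tun interface. Constructed example; the
addresses, interface names and routes below are assumptions, not values
taken from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample: addresses the VPN server itself owns, per interface.
LOCAL_ADDRS = {
    "10.8.0.1": "tun0",       # VPN endpoint (assumed client pool 10.8.0.0/24)
    "172.20.1.10": "enp0s3",  # LAN-facing NIC (address is an assumption)
    "10.0.2.15": "enp0s8",    # NAT-facing NIC (hypothetical)
}

# Constructed routing table: (prefix, egress interface); longest prefix wins.
ROUTES = [
    ("0.0.0.0/0", "enp0s8"),
    ("172.20.1.0/24", "enp0s3"),
    ("10.8.0.0/24", "tun0"),
]


@dataclass(frozen=True)
class Verdict:
    chain: str               # Netfilter chain the packet is evaluated against
    out_if: Optional[str]    # egress interface; None for local delivery/drop


def route_lookup(dst: str) -> Optional[str]:
    """Longest-prefix match over ROUTES; None if nothing matches."""
    best = None
    for prefix, dev in ROUTES:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None


def classify(dst: str, ip_forward: bool) -> Verdict:
    """Decide how a packet from a VPN client to dst is handled."""
    if dst in LOCAL_ADDRS:
        # Any address the host owns, whichever NIC it sits on: e.g. SSH to the
        # server's LAN address through the tunnel. INPUT only, no forwarding.
        return Verdict("INPUT", None)
    if not ip_forward:
        # With ip_forward=0 the kernel discards it; FORWARD is never reached.
        return Verdict("DROP(ip_forward=0)", None)
    # Another host on the LAN (or beyond): a forwarded packet, FORWARD chain.
    return Verdict("FORWARD", route_lookup(dst))
```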