On 09/04/2021 08:16, Gert Doering wrote:
> Hi,
>
> On Thu, Apr 08, 2021 at 07:05:32PM -0400, Selva Nair wrote:
>> On Thu, Apr 8, 2021 at 6:53 PM Mason Walters via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
>>> I've run into this issue with 2.5 clients. Adding 'explicit-exit-notify' to the client's config resolved it for me.
>>>
>>> explicit-exit-notify [n]
>>
>> I have always felt that this (with say n=1) should have been on by default in UDP clients. And ignored by TCP clients instead of flagging a FATAL error. Wonder why keep this as an optional option.
>
> Not sure. I assume it's a relict from ancient times when the main focus was "p2p with --secret" (where you could restart each end without the other side having to notice).
>
> On the server side, explicit-exit-notify is a bit more problematic today (it currently interferes in strange ways with saved tokens on the client), but on the client side I'm not sure I see drawbacks.
>
> That said, maybe we should just make it pushable *and* de-FATAL it for TCP mode (pushed or not). So server operators can decide what they want.

Even though you already found out it should be pushable, I kinda also agree with Selva here. Also, OpenVPN 3 Core library already has explicit-exit-notify as the default (it doesn't even grok this option; it's hard-coded to always be enabled).

But it needs to be restricted to UDP only and most likely tls-client mode only.

-- 
kind regards,

David Sommerseth
OpenVPN Inc