OpenVPN not saving the custom configuration for client-connect on ASUS GT-AX6000

[Rotsen24154]

Hi.

I am trying to follow these instructions (https://www.snbforums.com/threads/o...-on-site-to-site-connection.24268/post-335476) to allow all the clients of my VPN has communication among them.
The problem is when I add the Custom Configuration like this:

script-security 2
# Assign static I/P addresses to clients (and optionally add ADVANCED CCD directives)
client-connect /jffs/scripts/VPNClientConnect.sh
route 192.168.3.0 255.255.255.0 vpn_gateway
route 192.168.4.0 255.255.255.0 vpn_gateway
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"

The client-connect command is not saved in the server config.ovpn, so the script is never executed.
I tried adding --client-connect, adding quotes to the route, using a Hello World script, but the command disappears from the generated config.ovpn, this is an example of the final config.ovpn.

 Automatically generated configuration                                                                       
                                                                                                              
# Tunnel options                                                                                               
proto udp6                                                                                                     
multihome                                                                                                     
port 1194                                                                                                     
dev tun21                                                                                                     
route-pre-down '/etc/openvpn/ovpn-route-pre-down'                                                             
sndbuf 0                                                                                                       
rcvbuf 0                                                                                                       
keepalive 10 30                                                                                               
up '/etc/openvpn/ovpn-up'                                                                                     
down '/etc/openvpn/ovpn-down'                                                                                 
setenv ovpn_type 0                                                                                             
setenv unit 1                                                                                                 
script-security 2                                                                                             
daemon vpnserver1                                                                                             
verb 3                                                                                                         
status-version 2                                                                                               
status status 10                                                                                               
compress lzo                                                                                                   
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn                                                             
                                                                                                              
# Server Mode                                                                                                 
server 10.8.0.0 255.255.255.0                                                                                 
duplicate-cn                                                                                                   
push "route 192.168.50.0 255.255.255.0 vpn_gateway 500"                                                       
push "route 192.168.60.0 255.255.255.0 vpn_gateway 500"                                                       
                                                                                                              
# Data Channel Encryption Options                                                                             
auth SHA1                                                                                                     
cipher AES-128-CBC                                                                                             
ncp-disable                                                                                                   
                                                                                                              
# TLS Mode Options                                                                                             
ca ca.crt                                                                                                     
dh dh.pem                                                                                                     
cert server.crt                                                                                               
key server.key                                                                                                 
                                                                                                              
# Custom Configuration                                                                                         
script-security 2                                                                                             
# Assign static I/P addresses to clients (and optionally add ADVANCED CCD directives)                         
route 192.168.3.0 255.255.255.0 vpn_gateway                                                                   
route 192.168.4.0 255.255.255.0 vpn_gateway                                                                   
push "route 192.168.3.0 255.255.255.0"                                                                         
push "route 192.168.4.0 255.255.255.0"

As you can see the # Custom Configuration section has all the lines except the client-connect.

I use a GT-AX6000 stock; the OpenVPN --version shows this information.

OpenVPN 2.4.12 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 15 2024
library versions: OpenSSL 1.1.1t  7 Feb 2023, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <[email protected]>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=no enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

And sorry I am a super newbie on these, this is a personal project, and I don't have a lot of experience of networking or things like this.
I find nothing like this issue on the forum, that's why I ask for help
Thank you.

 

[eibgrad]

This is a total guess since I don't have access to the OEM firmware, I use Merlin. But it might be that the OEM firmware is already using that directive for itself, and perhaps NOT in the config file, but on the command line when the OpenVPN process is executed. Any option on the command line *overrides* that same option in the config file.

Again, a total guess at this point.

 

[Rotsen24154]

This is a total guess since I don't have access to the OEM firmware, I use Merlin. But it might be that the OEM firmware is already using that directive for itself, and perhaps NOT in the config file, but on the command line when the OpenVPN process is executed. Any option on the command line *overrides* that same option in the config file.

Again, a total guess at this point.

Is there any way to check that?
I found this https://community.ipfire.org/t/client-connect-client-disconnect-in-server-config/5271, but is not working.

Because in the Asus System logs there are not any signs that a hello world script that I created for testing was executed.
If I run the script from the console shows the text in logs.
Probably I am going to test with Merlin, maybe it is a bug or something with OpenVPN

 

[eibgrad]

You could check the process table to see the actual command-line.

ps | grep openvpn

 

[Rotsen24154]

You could check the process table to see the actual command-line.

ps | grep openvpn

Thanks.
/etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --config config.ovpn

Seems all the config comes from de config.ovpn.

 

[eibgrad]

Probably I am going to test with Merlin, maybe it is a bug or something with OpenVPN

Merlin is better anyway.

 

[draharz]

Since this is the only thread I found about this issue.., The solution is to either use Merlin firmware as there it does not have this behavior or to add in your configuration:

config /jffs/scripts/config.ovpn

Which will load config from another file and there you can use whatever you want and your asus will not remove anything.