openvpn: cleanup and fix netifd proto script logic

- Default to '--ifconfig-noexec' and '--route-noexec' to allow hotplug
  script to handle IP and routing configuration.
- Only append '--auth-user-pass-verify' if the option is explicitly
  configured to avoid unexpected authentication requirements.
- Fix missing retrieval of 'auth_user_pass', 'askpass', and 'tls_verify'.
- Remove redundant '--config' parameter (managed by option_builder).
- Simplify 'script_security' assignment logic.

Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
Chen Minqiang
2026-03-17 19:16:27 +08:00
committed by Hannu Nyman
parent c3792992f2
commit bda60d1fc5


@@ -129,7 +129,6 @@ proto_openvpn_setup() {
append exec_params "--status /var/run/openvpn.$config.status"
append exec_params "--syslog openvpn_$config"
append exec_params "--tmp-dir /tmp"
[ -n "$config_file" ] && append exec_params "--config \"$config_file\""
json_get_var ALLOW_DEPRECATED allow_deprecated
[ -z "$ALLOW_DEPRECATED" ] && ALLOW_DEPRECATED=0
@@ -144,7 +143,7 @@ proto_openvpn_setup() {
proto_add_dynamic_defaults
json_get_vars username password cert_password
json_get_vars auth_user_pass askpass username password cert_password
mkdir -p /var/run
# combine into --askpass:
@@ -174,9 +173,7 @@ proto_openvpn_setup() {
# Check 'script_security' option
json_get_var script_security script_security
[ -z "$script_security" ] && {
script_security=3
}
[ -z "$script_security" ] && script_security=3
# Add default hotplug handling if 'script_security' option is equal '3'
if [ "$script_security" -eq '3' ]; then
@@ -194,6 +191,11 @@ proto_openvpn_setup() {
json_get_vars up down route_up route_pre_down
json_get_vars tls_crypt_v2_verify mode learn_address client_connect
json_get_vars client_crresponse client_disconnect auth_user_pass_verify
json_get_vars ifconfig_noexec route_noexec
[ -z "$ifconfig_noexec" ] && append exec_params "--ifconfig-noexec"
[ -z "$route_noexec" ] && append exec_params "--route-noexec"
append exec_params "--up '/usr/libexec/openvpn-hotplug'"
[ -n "$up" ] && append exec_params "--setenv user_up '$up'"
@@ -218,8 +220,11 @@ proto_openvpn_setup() {
[ -n "$client_crresponse" ] && append exec_params "--setenv user_client_crresponse '$client_crresponse'"
append exec_params "--client-disconnect '/usr/libexec/openvpn-hotplug'"
[ -n "$client_disconnect" ] && append exec_params "--setenv user_client_disconnect '$client_disconnect'"
append exec_params "--auth-user-pass-verify '/usr/libexec/openvpn-hotplug' via-file"
[ -n "$auth_user_pass_verify" ] && append exec_params "--setenv user_auth_user_pass_verify '$auth_user_pass_verify'"
[ -n "$auth_user_pass_verify" ] && {
append exec_params "--auth-user-pass-verify '/usr/libexec/openvpn-hotplug' via-file"
append exec_params "--setenv user_auth_user_pass_verify '$auth_user_pass_verify'"
}
}
json_get_vars client tls_client tls_server
@@ -231,6 +236,7 @@ proto_openvpn_setup() {
if [ "$tls_client" = 1 ] || [ "$tls_server" = 1 ]; then
append exec_params "--tls-verify '/usr/libexec/openvpn-hotplug'"
json_get_var tls_verify tls_verify
[ -n "$tls_verify" ] && append exec_params "--setenv user_tls_verify '$tls_verify'"
fi
else
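Review bot: The new `auth_user_pass_verify` block interpolates the configured value unchecked into `--setenv user_auth_user_pass_verify '$auth_user_pass_verify'`, so a value containing a single quote would close the quoted argument and the remainder could be parsed as further OpenVPN options. How `exec_params` is split later is not visible in these hunks, so this needs confirming against the launcher; the same pattern is used for `user_tls_verify` in the last hunk and for the other `user_*` hooks. Because this value selects the script that verifies credentials, setup should fail on such input rather than silently drop the option, for example with `case "$auth_user_pass_verify" in *"'"*) return 1 ;; esac` (or the script's usual setup-failure path) before the two `append` calls. `proto_openvpn_setup` begins and ends outside the shown hunks.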