-rw-r--r--client/client_test.go6
-rw-r--r--internal/server/server.go13
2 files changed, 15 insertions, 4 deletions
diff --git a/client/client_test.go b/client/client_test.go
index b4b944b..4356736 100644
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -391,7 +391,8 @@ func TestPreferTCP(t *testing.T) {
t.Fatalf("Config error: %v", configErr)
}
- if !strings.HasSuffix(config.Config, "udp") {
+ // We also test for script security 0 here
+ if !strings.HasSuffix(config.Config, "udp\nscript-security 0") {
t.Fatalf("Suffix for prefer TCP is not in the right order for config: %s", config)
}
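Review bot: The widened suffix check ties the protocol-order assertion to the hardening line, so a missing `script-security 0` now fails with "Suffix for prefer TCP is not in the right order", which points at the wrong cause. The same applies to the `tcp\nscript-security 0` check in the next hunk. A separate assertion would make a regression in the hardening visible on its own, for example `if !strings.HasSuffix(config.Config, "\nscript-security 0") { t.Fatalf("script-security 0 missing from OpenVPN config: %s", config.Config) }`. From what is visible, nothing asserts that a non-OpenVPN config is left without the directive, which is the other half of the `cfg.Type == "openvpn"` condition. TestPreferTCP starts and ends outside these hunks.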
@@ -401,8 +402,9 @@ func TestPreferTCP(t *testing.T) {
t.Fatalf("Config error: %v", configErr)
}
+ // We also test for script security 0 here
if config.Type == "openvpn" &&
- !strings.HasSuffix(config.Config, "tcp") {
+ !strings.HasSuffix(config.Config, "tcp\nscript-security 0") {
t.Fatalf("Suffix for disable prefer TCP is not in the right order for config: %s", config.Config)
}
}
diff --git a/internal/server/server.go b/internal/server/server.go
index 7503219..0a0ac95 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -284,19 +284,28 @@ func Config(server Server, wireguardSupport bool, preferTCP bool) (*ConfigData,
}
}
+ var cfg *ConfigData
+
switch {
// The config supports wireguard and optionally openvpn
case wg:
// A wireguard connect call needs to generate a wireguard key and add it to the config
// Also the server could send back an OpenVPN config if it supports OpenVPN
- return wireguardGetConfig(server, preferTCP, ovpn)
+ cfg, err = wireguardGetConfig(server, preferTCP, ovpn)
// The config only supports OpenVPN
case ovpn:
- return openVPNGetConfig(server, preferTCP)
+ cfg, err = openVPNGetConfig(server, preferTCP)
// The config supports no available protocol because the profile only supports WireGuard but the client doesn't
default:
return nil, errors.Errorf("no supported protocol found")
}
+
+ // Add script security 0 to disable OpenVPN scripts
+ // The client may override this but we provide the default protection here
+ if err == nil && cfg.Type == "openvpn" {
+ cfg.Config += "\nscript-security 0"
+ }
+ return cfg, err
}
func Disconnect(server Server) error {
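Review bot: The block after the switch dereferences `cfg.Type` whenever `err == nil`, so it relies on `wireguardGetConfig` and `openVPNGetConfig` never returning a nil `*ConfigData` together with a nil error. Neither helper is visible here, so that is worth confirming or guarding with `if err != nil || cfg == nil { return cfg, err }` before the type check. The protection also only holds while `script-security 0` is the last such directive in the text, since OpenVPN generally lets the last occurrence of an option win. The comment should state that invariant, e.g. `// Must remain the final line of cfg.Config: a script-security directive appended later would take precedence`. The start of Config and the declaration of `err` are outside the hunk.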