[fix] Handle missing VPN_DOMAIN safely in OpenVPN startup #572

Avoid container failure when VPN_DOMAIN is unset by logging a warning and exiting gracefully.

Fixes #572

Author: Piyushkhobragade

images/common/init_command.sh

@@ -29,7 +29,10 @@ elif [ "$MODULE_NAME" = 'freeradius' ]; then
 		source docker-entrypoint.sh -X
 	fi
 elif [ "$MODULE_NAME" = 'openvpn' ]; then
-	if [[ -z "$VPN_DOMAIN" ]]; then exit; fi
+        if [ -z "$VPN_DOMAIN" ]; then
+                echo "WARNING: VPN_DOMAIN not set, skipping OpenVPN setup" >&2
+                exit 0
+        fi
 	wait_nginx_services
 	openvpn_preconfig
 	openvpn_config

images/common/utils.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 function init_conf {
 	default_psql_vars
@@ -86,7 +86,7 @@ function wait_nginx_services {
 	set +e
 	while :; do
 		wget -qS ${DASHBOARD_INTERNAL}/admin/login/ 2>&1 | grep -q "200 OK"
-		if [[ $? = "0" ]]; then
+		if [ $? = "0" ]; then
 			FAILURE=0
 			echo "Connection with dashboard established."
 			break
@@ -97,7 +97,7 @@ function wait_nginx_services {
 }
 
 function ssl_http_behaviour {
-	if [ "$NGINX_HTTP_ALLOW" == "True" ]; then
+	if [ "$NGINX_HTTP_ALLOW" = "True" ]; then
 		envsubst_create_config /etc/nginx/openwisp.template.conf http DOMAIN
 	else
 		envsubst </etc/nginx/openwisp.ssl.80.template.conf >/etc/nginx/conf.d/openwisp.http.conf
@@ -236,18 +236,25 @@ function openvpn_config_checksum {
 }
 
 function openvpn_config_download {
-	curl --silent --retry 10 --retry-delay 5 --retry-max-time 300\
-		--insecure --output vpn.tar.gz \
-		${API_INTERNAL}/controller/vpn/download-config/$UUID/?key=$KEY
+	curl --silent --retry 10 --retry-delay 5 --retry-max-time 300 --insecure --output vpn.tar.gz \
+		"${API_INTERNAL}/controller/vpn/download-config/$UUID/?key=$KEY"
 	curl --silent --insecure --output checksum \
-		${API_INTERNAL}/controller/vpn/checksum/$UUID/?key=$KEY
+		"${API_INTERNAL}/controller/vpn/checksum/$UUID/?key=$KEY"
 	tar xzf vpn.tar.gz
 	chmod 600 *.pem
+	# Prefer a newly extracted non-standard filename and normalize it.
+	CONF_FILE=$(find . -maxdepth 1 -type f -name '*.conf' ! -name 'openvpn.conf' -print -quit)
+	if [ -n "$CONF_FILE" ]; then
+		mv -f -- "$CONF_FILE" openvpn.conf
+	elif [ ! -f openvpn.conf ]; then
+		echo "ERROR: no OpenVPN config file found after extraction" >&2
+		return 1
+	fi
 }
 
 function crl_download {
 	curl --silent --insecure --output revoked.crl \
-	${DASHBOARD_INTERNAL}/admin/pki/ca/x509/ca/${CA_UUID}.crl
+		"${DASHBOARD_INTERNAL}/admin/pki/ca/x509/ca/${CA_UUID}.crl"
 }
 
 function init_send_network_topology {

images/openwisp_dashboard/openvpn.json

@@ -12,14 +12,14 @@
       "comp_lzo": "no",
       "auth": "SHA1",
       "data_ciphers": [
-          {
-              "cipher": "AES-128-GCM",
-              "optional": false
-          },
-          {
-              "cipher": "none",
-              "optional": false
-          }
+        {
+          "cipher": "AES-128-GCM",
+          "optional": false
+        },
+        {
+          "cipher": "none",
+          "optional": false
+        }
       ],
       "data_ciphers_fallback": "AES-128-GCM",
       "cipher": "AES-128-GCM",

images/openwisp_openvpn/supervisord.conf

@@ -18,7 +18,7 @@ pidfile=/supervisord.pid
 [program:openvpn]
 user=root
 directory=/
-command=/usr/sbin/openvpn --config %(ENV_VPN_NAME)s.conf
+command=/usr/sbin/openvpn --config openvpn.conf
 autostart=true
 autorestart=true
 stopsignal=INT

tests/runtests.py

@@ -237,6 +237,39 @@ def test_create_prefix_users(self):
         except (urlerror.HTTPError, OSError, ConnectionResetError, ValueError) as error:
             self.fail(f"Cannot download PDF file: {error}")
 
+    def test_openvpn_config_whitespace_handling(self):
+        """Verify openvpn_config_download handles whitespace."""
+        import shlex
+        import tempfile
+
+        with tempfile.TemporaryDirectory() as tmpdir:
+            r_root = os.path.abspath(os.path.join(os.path.dirname(__file__), ".."))
+            u_path = os.path.join(r_root, "images", "common", "utils.sh")
+            script = (
+                f"source {shlex.quote(u_path)}\n"
+                "curl() { true; }\n"
+                "tar() { touch 'my vpn with spaces.conf'; }\n"
+                "chmod() { true; }\n"
+                "UUID='x'; KEY='x'; API='http://x'\n"
+                "openvpn_config_download\n"
+                "if [ -f 'openvpn.conf' ]; then echo 'PASS'; fi\n"
+            )
+            script_path = os.path.join(tmpdir, "test_mock.sh")
+            with open(script_path, "w") as sf:
+                sf.write(script)
+            res = subprocess.run(
+                ["bash", script_path],
+                cwd=tmpdir,
+                capture_output=True,
+                text=True,
+            )
+            self.assertEqual(
+                res.returncode,
+                0,
+                f"Mock script failed:\n{res.stdout}\n{res.stderr}",
+            )
+            self.assertIn("PASS", res.stdout)
+
     def test_console_errors(self):
         url_list = [
             "/admin/",
@@ -492,5 +525,6 @@ def test_containers_down(self):
 if __name__ == "__main__":
     suite = unittest.TestSuite()
     suite.addTest(TestServices("test_topology_graph"))
+    suite.addTest(TestServices("test_openvpn_config_whitespace_handling"))
     runner = unittest.TextTestRunner(verbosity=2)
     runner.run(suite)