After openvpn has the setenv and reverse push-peer-info that can be pushed, it can theoretically implement bidirectional push of any information, which is too convenient. However, convenience requires a price, that is, it is prone to confusion, errors, and the lack of security. In this world, there are two groups that are hostile to each other. One is how to make nodes more interconnected, and the other is how to control access to communications. In other words, some people hope that everyone can communicate with each other, but others expect that communication between people is controlled, which is also the status quo of computer networks. Just as openvpn is implemented as a virtual network, it simulates a network device, and the device also needs to play one of the two roles mentioned above.
The reason why openvpn does not implement push-peer-info is entangled in the conflicts between the two coexistence. You want to open the door of everyone's house, but do not want anyone to open the door of your house. For openvpn, it also plays two roles, because it has both clients and servers. Aside from the client's push-peer-Info, this is already discussed in previous articles. Let's talk about the problem of setenv that can be pushed on the server. In a word, it is not safe for the client.
What are the causes of insecurity? We know that openvpn has a variety of built-in event interfaces that can be linked to external programs. We can use plugin or script to do this. We know that in a common operating system, every executable program uses some so-called environment variables, which is reflected in the third parameter of the main function, if you are familiar with exec system calls, you can also see this from its parameters. These environment variables affect the behavior of the program. If so, it is a bit abstract, then it is specific to an environment variable ld_preload, this is a very dangerous environment variable. It can change the behavior of the system library function to your custom library function with the same name. To put it bluntly, it provides a system library function overload interface, therefore, this environment variable also hides many risks behind flexibility. For details, refer to this blog post "be cautious with ld_preload environment variables in Unix". If the openvpn server pushes such an ld_preload environment variable, and the client executes a script or exec an external program in its plugin, the client will be vulnerable to hijacking.
Openvpn is a software that makes the network safer. It cannot do such a bad thing. How can it solve it? Openvpn binds a permission for each option to distinguish whether the option is configured by itself or pushed by the peer. For some potentially dangerous options, such as setenv, this will be reflected as deny in permission when applying the option pushed by the peer, so that this option is no longer accepted. However, at the same time, it is not possible to lose flexibility for security. Therefore, openvpn provides a setenv-safe option, which can be safely pushed to the peer option. Why is it secure? Because it adds a magic value before the environment variable you push to the peer end, It is very simple, it is a string "openvpn _", even if you push a ld_preload, openvpn will change it to openvpn_ld_preload, but the operating system does not know this environment variable, thus ensuring security.
There are a lot of arguments about why openvpn is so designed and not so designed. In fact, you can't find the answer simply by looking at the code. Sometimes some clues have to be found from code comments, changelog or its maillist.
