From 3d6ed788a2488d4b939e060d5ea97232ca986dcf Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 7 May 2020 10:51:31 +0200
Subject: [PATCH] Do not enable 'persist-tun' by default.
---
 defaults/main.yml | 1 +
 templates/client.conf.j2 | 4 +++-
 templates/server.conf.j2 | 4 +++-
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index b364963..d07d9b0 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -48,6 +48,7 @@ openvpn_force_ccd: False
 # openvpn_users_customizations:
 # - { cn: 'Joe Bar', ip: '', netmask: '', routes: [ '192.168.253.0 255.255.255.0' ] }
+openvpn_persist_tun: False
 openvpn_tls_server: True
 openvpn_dh: /etc/openvpn/dh2048.pem
 openvpn_tls_auth: '/etc/openvpn/ta.key'
diff --git a/templates/client.conf.j2 b/templates/client.conf.j2
index dc0d9fa..27a23f4 100644
--- a/templates/client.conf.j2
+++ b/templates/client.conf.j2
@@ -14,7 +14,9 @@ group {{ openvpn_unprivileged_group }}
 {% endif %}
 # Try to preserve some state across restarts.
 persist-key
-#persist-tun
+{% if openvpn_persist_tun %}
+persist-tun
+{% endif %}
 dh {{ openvpn_dh }}
 ca {{ openvpn_ca }}
 cert {{ openvpn_cert }}
diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
index 370fdfc..d96d73f 100644
--- a/templates/server.conf.j2
+++ b/templates/server.conf.j2
@@ -66,8 +66,10 @@ auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
 script-security 3 execve
 {% endif %}
 max-clients {{ openvpn_max_clients }}
-persist-tun
 persist-key
+{% if openvpn_persist_tun %}
+persist-tun
+{% endif %}
 status status/openvpn-status.log
 {% if openvpn_run_unprivileged %}
 user {{ openvpn_unprivileged_user }}
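Review bot: The new `openvpn_persist_tun: False` default in defaults/main.yml carries no comment, although it changes what existing deployments get: server.conf.j2 emitted `persist-tun` unconditionally before this commit, so a server re-rendered with the role loses the option unless the variable is overridden. I would document it above the variable, for example `# Keep the tun device open across SIGUSR1/ping-restart; set to True when OpenVPN drops privileges after start-up.` That lets operators who upgrade the role see that they must opt back in.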
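Review bot: Making `persist-tun` depend only on `openvpn_persist_tun` leaves the privilege-drop case unguarded in templates/client.conf.j2: the context just above shows `group {{ openvpn_unprivileged_group }}` inside an `{% if %}` whose opening is outside the hunk, and once OpenVPN has given up root it cannot reopen or reconfigure the tun device on a SIGUSR1 or ping-restart. I would tie the two options together, e.g. `{% if openvpn_persist_tun or openvpn_run_unprivileged %}`, assuming the client block is guarded by the same variable that server.conf.j2 uses. The server.conf.j2 hunk has the same gap, and there it is a real behaviour change, because `persist-tun` used to be written unconditionally and `{% if openvpn_run_unprivileged %}` / `user {{ openvpn_unprivileged_user }}` follow a few lines later. With the default now `False`, an unprivileged daemon would fail to recover its tunnel after a soft restart rather than at start-up, which is easy to miss in testing.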