
bitmask-root (Python) whitelist is outdated, causing OpenVPN handshake failures #20

@spivanatalie64

Description


Reporter: Natalie Spiva natalie@acreetionos.org
Environment: Linux (Garuda/Arch), RiseupVPN 0.24.10, OpenVPN 2.7.1, bitmask-root Version 19.

Description:
The bitmask-root Python helper script contains an outdated ALLOWED_FLAGS whitelist and a restrictive PARAM_FORMATS regex. When the RiseupVPN GUI passes modern OpenVPN flags, bitmask-root strips them, leading to a connection failure.

Critical Issues Found:

  1. Stripped Flags: Critical flags like --data-ciphers, --key-direction, and --persist-tun are missing from the whitelist.
  2. Handshake Failure: Stripping --key-direction 1 prevents the TLS-Auth/TLS-Crypt handshake from succeeding, causing the connection to drop immediately.
  3. Regex Restriction: The CIPHER parameter format regex (^[A-Z0-9-\:]+$) rejects arguments containing dots, such as --tls-version-min 1.2, marking them as "Bad argument".

Solution (Identified and Verified by Natalie Spiva):
I have patched my local /usr/bin/bitmask-root with the following changes to restore functionality:

1. Update ALLOWED_FLAGS dictionary:

    "--data-ciphers": ["CIPHER"],
    "--float": [],
    "--rcvbuf": ["NUMBER"],
    "--sndbuf": ["NUMBER"],
    "--key-direction": ["NUMBER"],
    "--persist-key": [],
    "--persist-tun": [],
    "--tls-version-min": ["CIPHER"],

2. Update CIPHER regex in PARAM_FORMATS:

    # dot added to the class; the trailing $ anchor is kept so the whole argument must match
    "CIPHER": lambda s: re.match(r"^[A-Z0-9-\:\.]+$", s),

These changes allow the necessary flags to pass through to OpenVPN, resolving the handshake and configuration issues.
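As an added illustration (not bitmask-root's own code and not part of the report above), the Python below models the whitelist mechanism the issue describes: a flag table mapping each allowed flag to a list of parameter type names, and a validator table keyed by those names. The baseline flag table, the `filter_openvpn_args` function and the sample argv are constructed here; only the added flag entries and the two CIPHER regexes are taken from the report. Both CIPHER regexes keep the trailing `$` anchor, so a value such as `1.2 --script-security` is still rejected once the dot is admitted. Run it to see which flags each stage drops and why.

```python
import re

# Validators for flag parameters, keyed by the type names used in the flag
# table.  The two CIPHER regexes are the ones quoted in the issue; both are
# anchored with $ so a value cannot carry trailing text past the check.
PARAM_FORMATS_OLD = {
    "NUMBER": lambda s: re.match(r"^[0-9]+$", s) is not None,
    "CIPHER": lambda s: re.match(r"^[A-Z0-9-\:]+$", s) is not None,
}
PARAM_FORMATS_NEW = dict(PARAM_FORMATS_OLD)
PARAM_FORMATS_NEW["CIPHER"] = lambda s: re.match(r"^[A-Z0-9-\:\.]+$", s) is not None

# Constructed baseline whitelist (hypothetical, not the real bitmask-root table):
# two parameterless flags only, so every modern flag below is "not allowed".
ALLOWED_FLAGS_OLD = {
    "--client": [],
    "--nobind": [],
}
# Baseline plus the entries proposed in the issue.
ALLOWED_FLAGS_NEW = dict(ALLOWED_FLAGS_OLD)
ALLOWED_FLAGS_NEW.update({
    "--data-ciphers": ["CIPHER"],
    "--float": [],
    "--rcvbuf": ["NUMBER"],
    "--sndbuf": ["NUMBER"],
    "--key-direction": ["NUMBER"],
    "--persist-key": [],
    "--persist-tun": [],
    "--tls-version-min": ["CIPHER"],
})


def filter_openvpn_args(argv, allowed_flags, param_formats):
    """Apply the whitelist to an OpenVPN argv.

    Returns (kept, dropped): kept is the argv that would be forwarded to
    openvpn, dropped is a list of (flag, reason) for everything removed.
    A flag that is not whitelisted is removed together with every token up
    to the next "--" flag; a whitelisted flag whose parameter fails its
    format check is removed with reason "Bad argument".
    """
    kept, dropped = [], []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("--"):
            # A stray parameter with no flag in front of it is never forwarded.
            dropped.append((tok, "Unexpected argument"))
            i += 1
            continue
        if tok not in allowed_flags:
            j = i + 1
            while j < len(argv) and not argv[j].startswith("--"):
                j += 1
            dropped.append((tok, "Flag not allowed"))
            i = j
            continue
        types = allowed_flags[tok]
        params = argv[i + 1:i + 1 + len(types)]
        if len(params) != len(types):
            dropped.append((tok, "Missing argument"))
            i += 1 + len(params)
            continue
        bad = [p for p, t in zip(params, types) if not param_formats[t](p)]
        if bad:
            dropped.append((tok, "Bad argument: %s" % bad[0]))
        else:
            kept.append(tok)
            kept.extend(params)
        i += 1 + len(types)
    return kept, dropped


# Constructed argv resembling what the issue says the GUI passes.
SAMPLE_ARGV = [
    "--client", "--nobind",
    "--data-ciphers", "AES-256-GCM:CHACHA20-POLY1305",
    "--key-direction", "1",
    "--persist-tun",
    "--tls-version-min", "1.2",
]


def demo():
    """Run the sample argv through the three stages the report describes."""
    return {
        "old": filter_openvpn_args(SAMPLE_ARGV, ALLOWED_FLAGS_OLD, PARAM_FORMATS_OLD),
        "flags_only": filter_openvpn_args(SAMPLE_ARGV, ALLOWED_FLAGS_NEW, PARAM_FORMATS_OLD),
        "patched": filter_openvpn_args(SAMPLE_ARGV, ALLOWED_FLAGS_NEW, PARAM_FORMATS_NEW),
    }


if __name__ == "__main__":
    for stage, (kept, dropped) in demo().items():
        print("%s: kept %s" % (stage, " ".join(kept)))
        for flag, why in dropped:
            print("    dropped %s (%s)" % (flag, why))
```

The "flags_only" stage is the interesting one: with the new flag table but the old regex, `--key-direction 1` and `--data-ciphers` now pass, while `--tls-version-min 1.2` is still thrown out as a bad argument, which is exactly the second failure the report isolates.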
