Date:      Sat, 1 Aug 2009 18:32:39 +0200
From:      Stefan Bethke <stb@lassitu.de>
To:        Julian Elischer <julian@elischer.org>
Cc:        Matthias Andree <matthias.andree@gmx.de>, freebsd-ports@freebsd.org
Subject:   Re: recent change to ifconfig breaks OpenVPN?
Message-ID:  <9F862E70-7D12-4DE5-8BDA-5A51C38471C4@lassitu.de>
In-Reply-To: <4A745E41.2040608@elischer.org>
References:  <B4AA014B-2444-40AA-A3A3-417E4B89DF90@lassitu.de>	<4A709126.5050102@elischer.org>	<3A1518B9-2C8C-4F05-9195-82C6017E4902@lassitu.de>	<op.uxusbswp1e62zd@merlin.emma.line.org>	<BEE762CA-4282-4BA8-B92B-AFC7AAE3CA9A@lassitu.de>	<ABCF4747-24D4-4435-952B-EA85A2AE999F@lassitu.de>	<B583FBF374231F4A89607B4D08578A4304E22D95@bcs-mail03.internal.cacheflow.com>	<4A721160.5080902@elischer.org>	<20090730220658.M245@maildrop.int.zabbadoz.net>	<op.uxwkqxxd1e62zd@merlin.emma.line.org> <B80ED984-7570-4C00-911C-7F47E25680D6@lassitu.de> <4A745E41.2040608@elischer.org>

On 01.08.2009 at 17:24, Julian Elischer wrote:

> Stefan Bethke wrote:
>> (Moving the discussion to -ports.)
>> On 31.07.2009 at 00:57, Matthias Andree wrote:
>>> On 31.07.2009, 00:36, Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net> wrote:
>>>
>>>> Yeah that is as great as we are or rather were.
>>>>
>>>> So really, fix the openvpn scripts that assign the address to
>>>> interfaces to do something that would make sense from the ``man ip''
>>>> (not the literal command) point of view.  Just that it's "working"
>>>> somewhere or used to work elsewhere neither means that it was correct
>>>> nor made sense at any time before.
>>>
>>> It's actually in the C code where it was advertised as FreeBSD fix.
>>> OpenVPN runs in 'topology subnet' mode here, which is documented as follows:
>>>
>>>    Use a subnet rather than a point-to-point topology by
>>>    configuring the tun interface with a local IP address and subnet
>>>    mask, similar to the topology used in --dev tap and ethernet
>>>    bridging mode.  This mode allocates a single IP address per
>>>    connecting client [... MS-Windows stuff here ...]
>>>    When used on *nix, requires that the
>>>    tun driver supports an ifconfig(8) command which sets a subnet
>>>    instead of a remote endpoint IP address.
>>>
>>> I wonder if TUNSIFMODE (see tun(4)) is somehow needed and if so,
>>> already done, and what the proper ifconfig call would look like in
>>> this case. Stefan already uttered some ideas in that direction.
>> Here's a first draft at a patch for OpenVPN.  With this, the tun
>> interface gets set to IFF_BROADCAST mode.  One small piece is still
>> missing: OpenVPN tries to install a route for the subnet, but that
>> fails because now ifconfig has already inserted that route.  I'll
>> try to look into that a bit later on.  I also haven't tested the
>> server side yet, or any other mode.
>
> I would have thought that the correct answer would be to set a
> different address for the remote end..
> it is a p2p link so to make it look like an ethernet is a bit weird.

Windows does not have p2p interfaces, so OpenVPN offers a "virtual
ethernet" configuration where the OpenVPN server process routes
packets between various clients inside this subnet.  Looking from the
outside, this --topology subnet mode is not a point-to-point link, but
rather a broadcast network, and even before, OpenVPN installed a
network route going over the p2p tun interface.  This change aligns
the configuration with the actual model OpenVPN uses.

Other --topology modes continue to use p2p mode, and the interface is
configured with the server's address.


Stefan

-- 
Stefan Bethke <stb@lassitu.de>   Fon +49 151 14070811
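The two configuration models discussed in this thread, as an added shell example that is not code from the thread or from OpenVPN: a dry-run helper that prints the FreeBSD ifconfig(8) and route(8) steps for the p2p model and for the --topology subnet model, including why the subnet model must not add its own network route. The function and argument names are assumptions of this example, and switching the tun device to IFF_BROADCAST mode (TUNSIFMODE, done by the daemon via ioctl) is outside its scope.

```shell
#!/bin/sh
# Added example (not from the thread or OpenVPN). Function and argument
# names are assumptions of this example.
#
# p2p    : the interface gets a local and a remote endpoint address; the
#          VPN subnet is reachable only via an explicit network route
#          pointing over the tun link.
# subnet : the interface gets a local address plus netmask (the
#          IFF_BROADCAST model); ifconfig installs the connected route
#          itself, so a second "route add" for the same subnet fails.
#
# Usage: tun_config_cmds <p2p|subnet> <ifname> <local> <remote|netmask> [network]
# Prints one command per line; set TUN_APPLY=1 to execute them instead.

emit() {
    if [ "${TUN_APPLY:-0}" = 1 ]; then
        eval "$1"
    else
        printf '%s\n' "$1"
    fi
}

tun_config_cmds() {
    topology=$1 ifname=$2 laddr=$3 peer_or_mask=$4 network=${5:-}
    case "$topology" in
    p2p)
        # endpoint addresses, host mask: the link itself is /32 to /32
        emit "ifconfig $ifname $laddr $peer_or_mask mtu 1500 netmask 255.255.255.255 up"
        # the subnet behind the peer, e.g. 10.8.0.0/24, needs its own route
        if [ -n "$network" ]; then
            emit "route add -net $network $peer_or_mask"
        fi
        ;;
    subnet)
        # address plus netmask; no "route add": ifconfig already inserted
        # the connected route for this subnet
        emit "ifconfig $ifname $laddr netmask $peer_or_mask mtu 1500 up"
        ;;
    *)
        echo "unknown topology: $topology" >&2
        return 1
        ;;
    esac
}
```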