From: Stefan Bethke <stb@lassitu.de>
To: Julian Elischer
Cc: Matthias Andree, freebsd-ports@freebsd.org
Subject: Re: recent change to ifconfig breaks OpenVPN?
Date: Sat, 1 Aug 2009 18:32:39 +0200
Message-Id: <9F862E70-7D12-4DE5-8BDA-5A51C38471C4@lassitu.de>
In-Reply-To: <4A745E41.2040608@elischer.org>
References: <4A709126.5050102@elischer.org> <3A1518B9-2C8C-4F05-9195-82C6017E4902@lassitu.de> <4A721160.5080902@elischer.org> <20090730220658.M245@maildrop.int.zabbadoz.net> <4A745E41.2040608@elischer.org>
List-Id: Porting software to FreeBSD <freebsd-ports@freebsd.org>

On 01.08.2009 at 17:24, Julian Elischer wrote:

> Stefan Bethke wrote:
>> (Moving the discussion to -ports.)
>>
>> On 31.07.2009 at 00:57, Matthias Andree wrote:
>>> On 31.07.2009 at 00:36, Bjoern A. Zeeb wrote:
>>>
>>>> Yeah that is as great as we are or rather were.
>>>>
>>>> So really, fix the openvpn scripts that assign the address to
>>>> interfaces to do something that would make sense from the ``man
>>>> ip'' (not the literal command) point of view. Just that it's
>>>> "working" somewhere or used to work elsewhere neither means that
>>>> it was correct nor made sense at any time before.
>>>
>>> It's actually in the C code where it was advertised as a FreeBSD fix.
>>> OpenVPN runs in 'topology subnet' mode here, which is documented
>>> as follows:
>>>
>>>     Use a subnet rather than a point-to-point topology by
>>>     configuring the tun interface with a local IP address and
>>>     subnet mask, similar to the topology used in --dev tap and
>>>     ethernet bridging mode. This mode allocates a single IP
>>>     address per connecting client [... MS-Windows stuff here ...]
>>>     When used on *nix, requires that the tun driver supports an
>>>     ifconfig(8) command which sets a subnet instead of a remote
>>>     endpoint IP address.
>>>
>>> I wonder if TUNSIFMODE (see tun(4)) is somehow needed and if so,
>>> already done, and what the proper ifconfig call would look like in
>>> this case. Stefan already uttered some ideas in that direction.
>>
>> Here's a first draft of a patch for OpenVPN. With this, the tun
>> interface gets set to IFF_BROADCAST mode. One small piece is still
>> missing: OpenVPN tries to install a route for the subnet, but that
>> fails because now ifconfig has already inserted that route. I'll
>> try to look into that a bit later on. I also haven't tested the
>> server side yet, or any other mode.
>
> I would have thought that the correct answer would be to set a
> different address for the remote end..
> it is a p2p link so to make it look like an ethernet is a bit weird.

Windows does not have p2p interfaces, so OpenVPN offers a "virtual
ethernet" configuration where the OpenVPN server process routes packets
between various clients inside this subnet.

Looking from the outside, this --topology subnet mode is not a
point-to-point link, but rather a broadcast network, and even before,
OpenVPN installed a network route going over the p2p tun interface.
This change aligns the configuration with the actual model OpenVPN uses.

Other --topology modes continue to use p2p mode, and the interface is
configured with the server's address.


Stefan

--
Stefan Bethke   Fon +49 151 14070811