Date:      Sat, 01 Aug 2009 08:24:49 -0700
From:      Julian Elischer <julian@elischer.org>
To:        Stefan Bethke <stb@lassitu.de>
Cc:        Matthias Andree <matthias.andree@gmx.de>, freebsd-ports@freebsd.org
Subject:   Re: recent change to ifconfig breaks OpenVPN?
Message-ID:  <4A745E41.2040608@elischer.org>
In-Reply-To: <B80ED984-7570-4C00-911C-7F47E25680D6@lassitu.de>
References:  <B4AA014B-2444-40AA-A3A3-417E4B89DF90@lassitu.de>	<4A709126.5050102@elischer.org>	<3A1518B9-2C8C-4F05-9195-82C6017E4902@lassitu.de>	<op.uxusbswp1e62zd@merlin.emma.line.org>	<BEE762CA-4282-4BA8-B92B-AFC7AAE3CA9A@lassitu.de>	<ABCF4747-24D4-4435-952B-EA85A2AE999F@lassitu.de>	<B583FBF374231F4A89607B4D08578A4304E22D95@bcs-mail03.internal.cacheflow.com>	<4A721160.5080902@elischer.org>	<20090730220658.M245@maildrop.int.zabbadoz.net>	<op.uxwkqxxd1e62zd@merlin.emma.line.org> <B80ED984-7570-4C00-911C-7F47E25680D6@lassitu.de>

Stefan Bethke wrote:
> (Moving the discussion to -ports.)
> 
> On 31.07.2009 at 00:57, Matthias Andree wrote:
> 
>> On 31.07.2009 at 00:36, Bjoern A. Zeeb 
>> <bzeeb-lists@lists.zabbadoz.net> wrote:
>>
>>> Yeah that is as great as we are or rather were.
>>>
>>> So really, fix the openvpn scripts that assign the address to
>>> interfaces to do something that would make sense from the ``man ip''
>>> (not the literal command) point of view.  Just that it's "working"
>>> somewhere or used to work elsewhere neither means that it was correct
>>> nor made sense at any time before.
>>
>> It's actually in the C code where it was advertised as FreeBSD fix.
>> OpenVPN runs in 'topology subnet' mode here, which is documented as 
>> follows:
>>
>>     Use a subnet rather than a point-to-point topology by
>>        configuring the tun interface with a local IP address and subnet
>>        mask,  similar  to  the  topology used in --dev tap and ethernet
>>        bridging mode.  This mode allocates a single IP address per con-
>>        necting  client [... MS-Windows stuff here ...]
>>           When used on *nix, requires that the
>>        tun driver supports an ifconfig(8) command which sets  a  subnet
>>        instead of a remote endpoint IP address.
>>
>> I wonder if TUNSIFMODE (see tun(4)) is somehow needed and if so, 
>> already done, and how the proper ifconfig call would look like in this 
>> case. Stefan already uttered some ideas in that direction.
> 
> 
> Here's a first draft at a patch for OpenVPN.  With this, the tun 
> interface gets set to IFF_BROADCAST mode.  One small piece is still 
> missing: OpenVPN tries to install a route for the subnet, but that fails 
> because now ifconfig has already inserted that route.  I'll try to look 
> into that a bit later on.  I also haven't tested the server side yet, or 
> any other mode.

I would have thought that the correct answer would be to set a 
different address for the remote end.
It is a p2p link so to make it look like an ethernet is a bit weird.

> 
> root@freebsd-current:/usr/ports/security/openvpn-devel# cat files/patch-tun.c
> --- tun.c.orig    2009-05-30 23:34:13.000000000 +0200
> +++ tun.c    2009-07-31 14:22:31.000000000 +0200
> @@ -863,11 +863,10 @@
>        else {
>      if (tt->topology == TOP_SUBNET)
>              argv_printf (&argv,
> -                              "%s %s %s %s netmask %s mtu %d up",
> +                              "%s %s %s netmask %s mtu %d up",
>                                IFCONFIG_PATH,
>                                actual,
>                                ifconfig_local,
> -                              ifconfig_local,
>                                ifconfig_remote_netmask,
>                                tun_mtu
>                                );
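
Review bot: With the second `ifconfig_local` dropped from the TOP_SUBNET `argv_printf` call, the command no longer passes a destination address, so it only makes sense once the interface has been switched to broadcast mode by the TUNSIFMODE change elsewhere in this patch. The format string and argument list do agree (four `%s` and one `%d` against five arguments), but as the mail above the patch notes, ifconfig now inserts the subnet route itself, so the later route installation for the same subnet has to be skipped or made to tolerate an existing route. A short comment above the call explaining why no destination address is passed would help the next reader.
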
> @@ -1745,14 +1744,15 @@
>  {
>    open_tun_generic (dev, dev_type, dev_node, ipv6, true, true, tt);
> 
> -  if (tt->fd >= 0)
> +  if (tt->fd >= 0 && tt->type == DEV_TYPE_TUN)
>      {
>        int i = 0;
> 
> -      /* Disable extended modes */
> +      i = tt->topology == TOP_SUBNET ? IFF_BROADCAST : IFF_POINTOPOINT;
> +      i |= IFF_MULTICAST;
> +      ioctl (tt->fd, TUNSIFMODE, &i);
> +      i = 0;
>        ioctl (tt->fd, TUNSLMODE, &i);
> -      i = 1;
> -      ioctl (tt->fd, TUNSIFHEAD, &i);
>      }
>  }
> 
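
Review bot: The new `ioctl (tt->fd, TUNSIFMODE, &i);` call ignores its return value, so on failure the interface stays in its previous mode while the TOP_SUBNET ifconfig command is still run without a destination address; check the result and log or abort on error. The hunk also removes the `i = 1;` / `ioctl (tt->fd, TUNSIFHEAD, &i);` pair and the "Disable extended modes" comment with no explanation, and the hunk shows no matching change elsewhere, so the reason for dropping TUNSIFHEAD belongs in a comment or the commit message. The added `tt->type == DEV_TYPE_TUN` condition additionally means TUNSLMODE is no longer reset for other device types, which should be confirmed as intended.
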
> 
> Stefan
> 




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A745E41.2040608>