recent change to ifconfig breaks OpenVPN?
Stefan Bethke
stb at lassitu.de
Sat Aug 1 16:32:45 UTC 2009
On 01.08.2009 at 17:24, Julian Elischer wrote:
> Stefan Bethke wrote:
>> (Moving the discussion to -ports.)
>> On 31.07.2009 at 00:57, Matthias Andree wrote:
>>> On 31.07.2009 at 00:36, Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net> wrote:
>>>
>>>> Yeah that is as great as we are or rather were.
>>>>
>>>> So really, fix the openvpn scripts that assign the address to
>>>> interfaces to do something that would make sense from the ``man ip''
>>>> (not the literal command) point of view. Just that it's "working"
>>>> somewhere or used to work elsewhere neither means that it was correct
>>>> nor made sense at any time before.
>>>
>>> It's actually in the C code where it was advertised as FreeBSD fix.
>>> OpenVPN runs in 'topology subnet' mode here, which is documented
>>> as follows:
>>>
>>> Use a subnet rather than a point-to-point topology by
>>> configuring the tun interface with a local IP address and subnet
>>> mask, similar to the topology used in --dev tap and ethernet
>>> bridging mode. This mode allocates a single IP address per
>>> connecting client [... MS-Windows stuff here ...]
>>> When used on *nix, requires that the
>>> tun driver supports an ifconfig(8) command which sets a subnet
>>> instead of a remote endpoint IP address.
>>>
>>> I wonder if TUNSIFMODE (see tun(4)) is somehow needed and if so,
>>> already done, and what the proper ifconfig call would look like in
>>> this case. Stefan already uttered some ideas in that direction.
>> Here's a first draft at a patch for OpenVPN. With this, the tun
>> interface gets set to IFF_BROADCAST mode. One small piece is still
>> missing: OpenVPN tries to install a route for the subnet, but that
>> fails because now ifconfig has already inserted that route. I'll
>> try to look into that a bit later on. I also haven't tested the
>> server side yet, or any other mode.
>
> I would have thought that the correct answer would be to set a
> different address for the remote end..
> it is a p2p link so to make it look like an ethernet is a bit weird.

Windows does not have p2p interfaces, so OpenVPN offers a "virtual
ethernet" configuration where the OpenVPN server process routes
packets between various clients inside this subnet. Looking from the
outside, this --topology subnet mode is not a point to point link, but
rather a broadcast network, and even before, OpenVPN installed a
network route going over the p2p tun interface. This change aligns
the configuration with the actual model OpenVPN uses.

Other --topology modes continue to use p2p mode, and the interface is
configured with the server's address.

Stefan
--
Stefan Bethke <stb at lassitu.de> Fon +49 151 14070811