Dear Jim and other OpenVPN hackers,
there is an OpenVPN regression, apparently affecting 2.1 on FreeBSD-8, and
caused by OpenVPN configuring the local address on a P2P interface for the
local AND ALSO the remote address.
See
http://lists.freebsd.org/pipermail/freebsd-current/2009-July/010032.html
and followups for details.
Am 30.07.2009, 08:40 Uhr, schrieb Stefan Bethke <s...@lassitu.de>:
I'm not sure if that is a more general problem with OpenVPN (at least in
--topology subnet mode), or a specific problem in the FreeBSD-specific
code. I just looked at a Linux box connected to the same OpenVPN
server, and their ifconfig invocation looks different from ours, so the
FreeBSD-specific code at least plays some role.
I'd still like to know whether the change to the routing code is
intentional or a regression.
Stefan,
Which version of OpenVPN are you using?
It might seem that this is a FreeBSD regression, as OpenVPN assumes this
about --topology subnet, so that the using of the local address as remote
is intentional.
(This is from the current OpenVPN 2.1-RC manpage):
subnet -- Use a subnet rather than a point-to-point
topology by
configuring the tun interface with a local IP address and
subnet
mask, similar to the topology used in --dev tap and
ethernet
bridging mode. This mode allocates a single IP address per
con-
necting client and works on Windows as well. Only
available
when server and clients are OpenVPN 2.1 or higher, or
OpenVPN
2.0.x which has been manually patched with the --topology
direc-
tive code. When used on Windows, requires version 8.2 or
higher
of the TAP-Win32 driver. When used on *nix, requires that
the
tun driver supports an ifconfig(8) command which sets a
subnet
instead of a remote endpoint IP address.
I see this in the ChangeLog:
2006.04.05 -- Version 2.1-beta12
...
* "topology subnet" fix for FreeBSD (Benoit Bourdin).
...
And it appears that exactly this patch may be the culprit. This is from
the OpenVPN 2.1 source repository:
------------------------------------------------------------------------
r986 | james | 2006-04-05 08:28:19 +0200 (Wed, 05 Apr 2006) | 2 lines
Changed paths:
M /branches/BETA21/openvpn/tun.c
"topology subnet" fix for FreeBSD (Benoit Bourdin).
------------------------------------------------------------------------
Index: tun.c
===================================================================
--- tun.c (Revision 985)
+++ tun.c (Revision 986)
@@ -795,19 +795,42 @@
ifconfig_remote_netmask,
tun_mtu
);
- else
- openvpn_snprintf (command_line, sizeof (command_line),
+ else {
+ if (tt->topology == TOP_SUBNET)
+ openvpn_snprintf (command_line, sizeof (command_line),
+ IFCONFIG_PATH " %s %s %s netmask %s mtu %d
up",
+ actual,
+ ifconfig_local,
+ ifconfig_local,
+ ifconfig_remote_netmask,
+ tun_mtu
+ );
+ else
+ openvpn_snprintf (command_line, sizeof (command_line),
IFCONFIG_PATH " %s %s netmask %s mtu %d up",
actual,
ifconfig_local,
ifconfig_remote_netmask,
tun_mtu
);
+ }
msg (M_INFO, "%s", command_line);
system_check (command_line, es, S_FATAL, "FreeBSD ifconfig failed");
tt->did_ifconfig = true;
+ /* Add a network route for the local tun interface */
+ if (!tun && tt->topology == TOP_SUBNET)
+ {
+ struct route r;
+ CLEAR (r);
+ r.defined = true;
+ r.network = tt->local & tt->remote_netmask;
+ r.netmask = tt->remote_netmask;
+ r.gateway = tt->local;
+ add_route (&r, tt, 0, es);
+ }
+
#elif defined (WIN32)
{
/*
--
Matthias Andree
