Hi

On Wed, Jun 6, 2018 at 12:02 PM, Antonio Quartulli <a...@unstable.cc> wrote:
> Hi,
>
> On 06/06/18 23:40, Selva Nair wrote:
>>> I am not sure why you get those 2 routes. Do you have a more extensive
>>> log to show? It may help clearing up some doubts.
>>
..

>>
>> - Require that either a v4 or a v6 address be specified (this is not
>> essential for v6-only tunnels but makes the logic easier)
>>
>
> The check you already suggested to modify in open_tun() should do the
> trick, no?
> Apparently that should be enough to ensure that at least one address
> family was configured (but I haven't tested on Windows yet).

Yes, it boils down to the check I had written about + your suggestion
to keep it FATAL, not WARN.

>
..

>
>> - Make sure v4 routes do not break a v6-only connection -- either
>> filter out and warn about v4 routes via the tun interface or just let
>> them fail with a warning but proceed with the rest of the tasks.
>> Setting v4 routes via other adapters should work
>>
>
> Do you think it makes sense to install other v4 routes (i.e. routes
> using the LAN gateway as next-hop) even though we have no IPv4 on tun?
> It feels like they would be totally unrelated.

I think such routes should be allowed as there is no reason to fail
them. And should work once we learn to skip the "waiting for tun to
come up with a v4 ip" when there are no v4 routes to set on the
tun/tap adapter.

> Gert? what do you think?
>
>> - Redirect-gateway with no v4 address: mutate to !ipv4 and also omit
>> the bypass route to the server. Or leaving that route in could be an
>> easier option and should work once the logic for checking the adapter
>> mentioned above is fixed
>>
>
> Yeah, this is actually happening also on Linux, but it's applied
> externally to the route list. This is why I hadn't seen it before.
> I have a fix that prevents setting that route in the pipe.

Yes, this should be dependent on what is being redirected (v4 or v6)
and how the server is being reached (by v4 or v6). But to keep the
logic simple adding a bypass route when any kind of redirect-gateway
is in effect keeps the logic simple. I think that's the current state
and I don't see a need to change it.

Selva
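
Added example, not part of the original message and not OpenVPN code: a small C model of the decisions discussed in this thread (fatal when no address family is configured, v4 routes via tun skipped with a warning on a v6-only tunnel, redirect-gateway mutated to !ipv4, bypass route kept). All type, field and function names are hypothetical, the addresses are constructed samples, and tying the bypass route to the option as configured is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical types for illustration; these are not OpenVPN's structures. */
struct v4_route { const char *dest; bool via_tun; bool install; };
struct plan {
    bool tun_v4, tun_v6;           /* address families configured on tun */
    bool redirect_v4, redirect_v6; /* what redirect-gateway asks for */
    bool bypass_route;             /* host route to the VPN server */
    bool wait_for_v4;              /* wait for the adapter's v4 address */
    size_t skipped;                /* v4 routes dropped with a warning */
};

/* Returns false for the FATAL case: no address family configured. */
bool plan_routes(struct plan *p, struct v4_route *r, size_t n)
{
    if (!p->tun_v4 && !p->tun_v6)
        return false;
    /* Assumption: the bypass route follows the option as configured. */
    p->bypass_route = p->redirect_v4 || p->redirect_v6;
    if (!p->tun_v4)
        p->redirect_v4 = false;    /* "mutate to !ipv4" */
    p->wait_for_v4 = false;
    p->skipped = 0;
    for (size_t i = 0; i < n; i++) {
        r[i].install = !r[i].via_tun || p->tun_v4;
        if (!r[i].install) {
            fprintf(stderr, "WARNING: skipping v4 route %s via tun\n", r[i].dest);
            p->skipped++;
        } else if (r[i].via_tun) {
            p->wait_for_v4 = true; /* only wait when tun carries v4 routes */
        }
    }
    return true;
}

int main(void)
{
    /* Constructed sample: v6-only tunnel, one route via tun, one via the LAN. */
    struct v4_route r[] = { { "10.8.0.0/24", true, false },
                            { "192.0.2.0/24", false, false } };
    struct plan p = { .tun_v6 = true, .redirect_v4 = true, .redirect_v6 = true };
    if (!plan_routes(&p, r, 2))
        return 1;
    printf("skipped=%zu wait_for_v4=%d bypass=%d\n",
           p.skipped, p.wait_for_v4, p.bypass_route);
    return 0;
}
```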

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel