Am 13.05.22 um 13:22 schrieb David Sommerseth:
On 13/05/2022 11:37, Heiko Hund wrote:
Have clients set a bit in IV_PROTO, so that servers can make an informed
decision on whether to push --dns to the client. While unknown options
are ignored by clients when pushed, they generate a warning in the log.
That can be circumvented by server backends by checking if bit 7 is set.

Signed-off-by: Heiko Hund <he...@ist.eigentlich.net>
---
  src/openvpn/ssl.c | 3 +++
  src/openvpn/ssl.h | 3 +++
  2 files changed, 6 insertions(+)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 61dea996..24d7f3f4 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1940,6 +1940,9 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
          /* support for P_DATA_V2 */
          int iv_proto = IV_PROTO_DATA_V2;
+        /* support for the --dns option */
+        iv_proto |= IV_PROTO_DNS_OPTION;
+
          /* support for receiving push_reply before sending
           * push request, also signal that the client wants
           * to get push-reply messages without without requiring a round
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index 0ba86d3e..c8802707 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -93,6 +93,9 @@
   * result. */
  #define IV_PROTO_NCP_P2P         (1<<5)
+/** Supports the --dns option introduced in version 2.6 */
+#define IV_PROTO_DNS_OPTION      (1<<6)
+
  /* Default field in X509 to be username */
  #define X509_USERNAME_FIELD_DEFAULT "CN"

Only glared on the code and compile tested.  LGTM.

Acked-By: David Sommerseth <dav...@openvpn.net>

To be honest, I requested this flag but I don't think this is really what I want/need any more. I wanted to have a flag that tells me as a server that I can push --dns options instead of --dhcp-options and accept the client to evaluate them.

But after some digging, I found that on platforms where dhcp-option is NOT parsed by openvpn itself (so anything but Android and Windows) and scripts are used to set DNS, these scripts will always use dhcp-options as they rely on foreign_option support. So they end up with no DNS configuration if only --dns is pushed and using --dhcp-option options if both are pushed unless the script is updated.

I think having clear preference and not knowing will make debugging logs from 3rd parties that have both --dns and --dhcp-option in them quite tedious.

So this flag doesn't really do what I expected it to promose (This client will accept --dns and use them)

Arne



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to