On 13.05.22 at 13:22, David Sommerseth wrote:
On 13/05/2022 11:37, Heiko Hund wrote:
Have clients set a bit in IV_PROTO, so that servers can make an informed
decision on whether to push --dns to the client. While unknown options
are ignored by clients when pushed, they generate a warning in the log.
That can be circumvented by server backends by checking if bit 7 is set.
Signed-off-by: Heiko Hund <he...@ist.eigentlich.net>
---
src/openvpn/ssl.c | 3 +++
src/openvpn/ssl.h | 3 +++
2 files changed, 6 insertions(+)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 61dea996..24d7f3f4 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1940,6 +1940,9 @@ push_peer_info(struct buffer *buf, struct
tls_session *session)
/* support for P_DATA_V2 */
int iv_proto = IV_PROTO_DATA_V2;
+ /* support for the --dns option */
+ iv_proto |= IV_PROTO_DNS_OPTION;
+
/* support for receiving push_reply before sending
* push request, also signal that the client wants
* to get push-reply messages without without requiring a round
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index 0ba86d3e..c8802707 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -93,6 +93,9 @@
* result. */
#define IV_PROTO_NCP_P2P (1<<5)
+/** Supports the --dns option introduced in version 2.6 */
+#define IV_PROTO_DNS_OPTION (1<<6)
+
/* Default field in X509 to be username */
#define X509_USERNAME_FIELD_DEFAULT "CN"
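Review bot: `#define IV_PROTO_DNS_OPTION (1<<6)` is bit 6 counting from zero, but the commit message tells server backends to check "if bit 7 is set"; align the two (either "bit 6" in the message or "(1<<6), the seventh bit" in the doc comment) so a backend testing the mask does not pick the wrong bit. The doc comment "Supports the --dns option introduced in version 2.6" would also be clearer if it said what is being promised on the client side, e.g. "Client accepts a pushed --dns option (added in 2.6) without logging an unknown-option warning".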
Only glanced at the code and compile tested. LGTM.
Acked-By: David Sommerseth <dav...@openvpn.net>
To be honest, I requested this flag but I don't think this is really
what I want/need any more. I wanted to have a flag that tells me as a
server that I can push --dns options instead of --dhcp-options and
accept the client to evaluate them.
But after some digging, I found that on platforms where dhcp-option is
NOT parsed by openvpn itself (so anything but Android and Windows) and
scripts are used to set DNS, these scripts will always use dhcp-options
as they rely on foreign_option support. So they end up with no DNS
configuration if only --dns is pushed and using --dhcp-option options if
both are pushed unless the script is updated.
I think having clear preference and not knowing will make debugging logs
from 3rd parties that have both --dns and --dhcp-option in them quite
tedious.
So this flag doesn't really do what I expected it to promise (this
client will accept --dns and use them).
Arne
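For illustration, here is an added example of the server-side decision the commit message describes: a client-connect style helper that reads the client's IV_PROTO value, tests the new bit, and chooses between pushing --dns and the legacy --dhcp-option form. This is not code from the patch or from OpenVPN; the bit values are taken from ssl.h in the patch, while the IV_PROTO environment variable name, the ccd-file path argument and the `dns server`/`dns search-domains` push syntax are assumptions.

```python
# Added example, not part of the OpenVPN patch: decide how to push DNS
# settings based on the client's advertised IV_PROTO bits.
import os

IV_PROTO_NCP_P2P = 1 << 5      # value from ssl.h in the patch
IV_PROTO_DNS_OPTION = 1 << 6   # new flag added by the patch


def client_supports_dns_option(iv_proto):
    """True if the client set IV_PROTO_DNS_OPTION in its peer-info.

    iv_proto is the decimal string the client sends (e.g. "98").
    Missing or malformed values count as unsupported: that is the
    safe default for pre-2.6 clients that never send the bit.
    """
    try:
        value = int(iv_proto)
    except (TypeError, ValueError):
        return False
    return bool(value & IV_PROTO_DNS_OPTION)


def dns_push_lines(iv_proto, servers, domain=None):
    """Build ccd-style push lines for the given client.

    Clients advertising the bit get --dns; all others get --dhcp-option,
    which script-based clients rely on via foreign_option support.  As
    the follow-up in the thread notes, the bit only says the client will
    not warn about --dns, not that its platform will apply it.
    """
    lines = []
    if client_supports_dns_option(iv_proto):
        for i, server in enumerate(servers, start=1):
            lines.append(f'push "dns server {i} address {server}"')
        if domain:
            lines.append(f'push "dns search-domains {domain}"')
    else:
        for server in servers:
            lines.append(f'push "dhcp-option DNS {server}"')
        if domain:
            lines.append(f'push "dhcp-option DOMAIN {domain}"')
    return lines


def write_client_config(path, servers, domain=None, environ=None):
    """client-connect entry point: write push lines to the file OpenVPN
    hands the script (assumed to be argv[1]); IV_PROTO is assumed to be
    exported from the client's peer-info into the environment."""
    env = os.environ if environ is None else environ
    lines = dns_push_lines(env.get("IV_PROTO"), servers, domain)
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines
```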
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel