Re: [Openvpn-devel] Why no ipv6 support for tap?

2011-06-10 Thread Sergey Matveychuk

09.06.2011 21:48, Gert Doering wrote:
> Hi,
>
> On Thu, Jun 09, 2011 at 09:11:36PM +0400, Sergey Matveychuk wrote:
>> It's really weird that I can't set up IPv6 address for tap interface.
>
> You can, but you need the "top of the tree" code, not 2.2 release.

Of course, I use it.

>> server-ipv6 turns a tun mode,
>
> Actually, it doesn't.  server-ipv6 will use whatever is configured as
> "device" (device tun / device tap).

From a man page:
--server-ipv6 ipv6addr/bits
   convenience-function to enable a number of IPv6 related  options
   at  once,  namely  --ifconfig-ipv6, --ifconfig-ipv6-pool, --tun-
   ipv6 and --push tun-ipv6 Is only accepted if  ``--mode  server''
   or ``--server'' is set.

It turns --tun-ipv6 and --push tun-ipv6. It's not exactly I want. And it
require --server option, I can't understand why.

>> ifconfig-ipv6 suppose p2p interface and
>
> No.  It will work in p2p and p2pm mode.

--ifconfig-ipv6 ipv6addr/bits ipv6remote
   configure IPv6 address ipv6addr/bits on the ``tun'' device.  The
   second parameter is used as route target for --route-ipv6 if  no
   gateway is specified.

I have no idea what is ipv6remote for tap interface. Moreover it
"configure IPv6 address ipv6addr/bits on the *``tun'' device*".

>> even 'push route-ipv6' mystically discards because of some flag
>> (tt->ipv6) has been unset.
>
> push route-ipv6 will fail if you have no ifconfig-ipv6 on the interface
> (because then it would not work anyway).
>
> First get the ifconfig right, then worry about the routes.

I see not any IPv6 address on tap interface after --ifconfig-ipv6. Here
is my config line:

ifconfig-ipv6 xxx:yyy:z:21f::/64 xxx:yyy:z:21f::2

And my tap interface:

# ifconfig tap0
tap0: flags=8843 metric 0 mtu 1500
options=8
ether 00:bd:e8:18:04:00
inet6 fe80::2bd:e8ff:fe18:400%tap0 prefixlen 64 scopeid 0xe
inet xx.yyy.154.254 netmask 0xff00 broadcast xx.yyy.154.255
nd6 options=3
Opened by PID 35635

Lines from syslog:
...
ifconfig_ipv6_local = 'xxx:yyy:z:21f::'
ifconfig_ipv6_netbits = 64
ifconfig_ipv6_remote = 'xxx:yyy:z:21f::2'
...
OpenVPN 2.x-master amd64-portbld-freebsd8.2 [SSL] [LZO2] [eurephia] [MH]
[PF_INET6] [IPv6 payload 20110522-1 (2.2.0)] built on Jun  7 2011

...
TUN/TAP device /dev/tap0 opened
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=1
...

But no real ifconfig call as I can see.

>> Looking on added ipv6 support I have only one question but many times
>> "why? why? why?".
>
> "Something is wrong in your setup".

Sure :)

> It works nicely for a number of people in p2mp tun mode, and it works
> to some extent in p2mp tap mode (pushing routes does not yet, you need
> to add them manually / by script after the interface is "up" - but
> that's a documented limitation of the current state of the code).

Really there is no reason for this. I hack a code (just cut off a code
with if(!tt->ipv6) { print_a_message; return} for route add and route
delete) from a client and pushing start works.

IPv6 payload passed through tap interface with any version of openvpn.
I'm telling about working with IPv6 addresses. (I don't care about
ifconfig-ipv6-pool right now, rtadvd do things for clients.)




Re: [Openvpn-devel] Why no ipv6 support for tap?

2011-06-10 Thread Gert Doering
Hi,

On Fri, Jun 10, 2011 at 01:20:56PM +0400, Sergey Matveychuk wrote:
> >On Thu, Jun 09, 2011 at 09:11:36PM +0400, Sergey Matveychuk wrote:
> >>It's really weird that I can't set up IPv6 address for tap interface.
> >
> >You can, but you need the "top of the tree" code, not 2.2 release.
> Of course, I use it.
> 
> >>server-ipv6 turns a tun mode,
> >
> >Actually, it doesn't.  server-ipv6 will use whatever is configured as
> >"device" (device tun / device tap).
> 
> From a man page:
> --server-ipv6 ipv6addr/bits
>    convenience-function to enable a number of IPv6 related  options
>    at  once,  namely  --ifconfig-ipv6, --ifconfig-ipv6-pool, --tun-
>    ipv6 and --push tun-ipv6 Is only accepted if  ``--mode  server''
>    or ``--server'' is set.
> 
> It turns --tun-ipv6 and --push tun-ipv6. It's not exactly I want. 

"tun-ipv6" does not turn the device to "tun" mode.  It just turns on IPv6
on whatever device you are using.

> And it require --server option, I can't understand why.

Because there's assumptions in the code that will not be true if 
--server is not set.  (--server itself is just a helper macro).

If you don't want --server and --server-ipv6, just set all the options
yourself.

If you want the server to manage the IPv6 stuff for you, that is, run
the "ifconfig" commands, push addresses to the client, etc., you MUST
enable "--tun-ipv6".  If you want to configure everything manually,
you can leave all that off.

> >>ifconfig-ipv6 suppose p2p interface and
> >
> >No.  It will work in p2p and p2pm mode.
> 
> --ifconfig-ipv6 ipv6addr/bits ipv6remote
>    configure IPv6 address ipv6addr/bits on the ``tun'' device.  The
>    second parameter is used as route target for --route-ipv6 if  no
>    gateway is specified.
> 
> I have no idea what is ipv6remote for tap interface. 

As I said, pushing routes on TAP is not working yet.  But if it were working,
that would be the gateway to be used (in a bridged setup, the gateway
address does not have to be the OpenVPN server, it could be something
else in the server side LAN).

> Moreover it 
> "configure IPv6 address ipv6addr/bits on the *``tun'' device*".

Don't get so hung up on individual words in the docs.  When I implemented
this, we only had "tun".  Now we have some support for "tap", so I need
to update the docs (thanks for pointing this out, put on my TODO).


> >>even 'push route-ipv6' mystically discards because of some flag
> >>(tt->ipv6) has been unset.
> >
> >push route-ipv6 will fail if you have no ifconfig-ipv6 on the interface
> >(because then it would not work anyway).
> >
> >First get the ifconfig right, then worry about the routes.
> 
> I see not any IPv6 address on tap interface after --ifconfig-ipv6. Here 
> is my config line:
> ifconfig-ipv6 xxx:yyy:z:21f::/64 xxx:yyy:z:21f::2

You NEED to set tun-ipv6.  Otherwise all the rest will be ignored.

[..]
> IPv6 payload passed through tap interface with any version of openvpn. 

I'm aware of that :-)

> I'm telling about working with IPv6 addresses. 

It should do that nicely if you set --tun-ipv6.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany                g...@greenie.muc.de
fax: +49-89-35655025           g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] Why no ipv6 support for tap?

2011-06-10 Thread Sergey Matveychuk

10.06.2011 14:11, Gert Doering wrote:

I'm telling about working with IPv6 addresses.


It should do that nicely if you set --tun-ipv6.


OK. Thanks for the explanation. I thought turning tun-ipv6 on makes 
openvpn treat my tap interface as a tun one some way.


So I have it work but some troubles with ifconfig-ipv6-pool. I'll be 
test more later next week.
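
The outcome of this exchange, as an added example that is not part of the original messages or of OpenVPN's own code: a small Python check, for the build discussed here, that flags `ifconfig-ipv6`, `ifconfig-ipv6-pool` or `route-ipv6` when `tun-ipv6` is neither set nor implied by `server-ipv6`, and that recognises the `tt->ipv6=0` log line from the first message. The function names, the sample config and its 2001:db8:: addresses are constructed for illustration.

```python
import re
import shlex

# Directives the thread says are ignored while tun-ipv6 is unset.
NEEDS_TUN_IPV6 = {"ifconfig-ipv6", "ifconfig-ipv6-pool", "route-ipv6"}
# Log line format taken from the syslog excerpt quoted in the thread.
DO_IFCONFIG = re.compile(r"do_ifconfig, tt->ipv6=(\d), tt->did_ifconfig_ipv6_setup=(\d)")


def parse_directives(config_text):
    """Split a config into (local, pushed) sets of directive names."""
    local, pushed = set(), set()
    for line in config_text.splitlines():
        if line.strip().startswith(";"):
            continue  # ';' comments; shlex handles '#' ones
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        name = tokens[0].lstrip("-")  # accept command-line spelling too
        if name == "push" and len(tokens) > 1:
            pushed.update(shlex.split(tokens[1])[:1])
        else:
            local.add(name)
    return local, pushed


def lint_ipv6(config_text):
    """Report IPv6 directives that lack the tun-ipv6 they depend on."""
    local, pushed = parse_directives(config_text)
    if "server-ipv6" in local:
        # Quoted man page: server-ipv6 enables tun-ipv6 and pushes it.
        local.add("tun-ipv6")
        pushed.add("tun-ipv6")
    findings = []
    for scope, names in (("local", local), ("pushed", pushed)):
        if "tun-ipv6" not in names:
            findings += [f"{scope}: {n} without tun-ipv6"
                         for n in sorted(names & NEEDS_TUN_IPV6)]
    return findings


def ipv6_ifconfig_skipped(log_text):
    """True for the thread's symptom: tt->ipv6=0 with did_ifconfig_ipv6_setup=1."""
    return any(m.groups() == ("0", "1") for m in DO_IFCONFIG.finditer(log_text))


# Constructed config (documentation prefix); LOG is the line quoted in the thread.
BROKEN = "dev tap0\nifconfig-ipv6 2001:db8:0:21f::1/64 2001:db8:0:21f::2\n"
LOG = "do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=1"
```

A "pushed" finding only means the server does not push `tun-ipv6`; a client that sets `tun-ipv6` in its own config is not visible to this check.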




Re: [Openvpn-devel] Why no ipv6 support for tap?

2011-06-10 Thread Gert Doering
Hi,

On Fri, Jun 10, 2011 at 03:54:32PM +0400, Sergey Matveychuk wrote:
> 10.06.2011 14:11, Gert Doering wrote:
> >>I'm telling about working with IPv6 addresses.
> >
> >It should do that nicely if you set --tun-ipv6.
> 
> OK. Thanks for the explanation. I thought turning tun-ipv6 on makes 
> openvpn treat my tap interface as a tun one some way.

I will update the documentation to clear up this misunderstanding :-)

> So I have it work but some troubles with ifconfig-ipv6-pool. I'll be 
> test more later next week.

OK, looking forward to hear about it!

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany                g...@greenie.muc.de
fax: +49-89-35655025           g...@net.informatik.tu-muenchen.de




[Openvpn-devel] Summary of the IRC meeting (9th June 2011)

2011-06-10 Thread Samuli Seppänen
Hi,

Here's the summary of the previous community meeting.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Thursday, 9th June 2011
Time: 18:00 UTC

Planned meeting topics for this meeting were on this page:



Next meeting will be announced in advance, but will be on the same
weekday and at the same time. Your local meeting time is easy to check
from services such as



or with

$ date -u


SUMMARY

cron2, dazo, ecrist and mattock were present in this meeting.

--

Discussed branching out beta/2.3. There are a few patches that are
required first:

* PolarSSL and Doxygen patches from andj
* Visual Studio 2008 build fixes now in "winbuildtmp" branch
* Cron2 needs to make "tap" work with "push route-ipv6"
* https://community.openvpn.net/openvpn/ticket/128 (if reproducible)
* https://community.openvpn.net/openvpn/ticket/140
* https://community.openvpn.net/openvpn/ticket/125
* Some open tickets from 2.2.0

--

Discussed 2.2.0 release. Will try to get it out in two weeks. There's at
least a few patches missing:

* James segfault fix from SVN (left out from 2.2.0)
* https://community.openvpn.net/openvpn/ticket/125

--

Discussed the possibility of placing non-invasive ads to OpenVPN Windows
installers, e.g. links to commercial products in Start menu or to the
README file. Idea met with lukewarm response, because the community has
effectively run the project for the last ~18 months. The fact that
OpenVPN (OSS) is hard to find from all commercial content in openvpn.net
also raised critique.

For the above reasons agreed that splitting openvpn.net (commercial
site) and openvpn.org (community site) would make sense. Both sites
would be linked together tightly. Agreed that having a joint community /
company meeting focusing on this issue makes sense. At least Samuli,
Francis and James would need to attend (from the company) along with
most active community members.

Also agreed that the company needs to mentally "let openvpn go" and
focus on working with the project and build products on top of it
like everyone else. If a fork ever happened, getting distributors (*NIX
distros) and later users to migrate to it should not pose a big problem.
OpenOffice.org/LibreOffice is a good analogy: most/all major *NIX
distros migrated to LibreOffice in their first post-fork release.

--

Discussed the possibility of arranging a "real" face-to-face meeting
between the company and community people, for example in New York. Costs
are an issue, but this might happen eventually.

--

Discussed the problem with Access Server's OpenVPN version, which is
effectively a fork (based on 2.1 release). This means AS is atm lacking
features which OpenVPN has. This divergence has already caused some
nasty merge conflicts.

--

Discussed Russell's questions posted to the mailinglist:



Management interface does come up before connection, but it's only used
for passing the username and password to OpenVPN daemon.

Adding more granular exit codes to OpenVPN would be possible, but it
would not be trivial without a (needed) overhaul of err.[ch].

---

Full chatlog as an attachment

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
cron2 21:01:19
meeting
let's go about it and be quick, I'm up since 04:30 and it's now 20:00 over here 
- and I'm tired 21:01:34
 
dazo 21:03:54

agreed 21:04:01
 
mattock 21:04:22
meeting time
https://community.openvpn.net/openvpn/wiki/Topics-2011-06-09 21:05:23
 
vpnHelper 21:05:24
Title: Topics-2011-06-09 – OpenVPN Community (at community.openvpn.net)   

mattock 21:05:32
2.2.1 patch queue?
what's missing? 21:05:34
dazo? 21:06:06
 
dazo 21:06:08
tbh, I don't know   

cron2 21:06:09
dazo?   

mattock 21:06:37
are the VS2008 build fixes already in "master"? 

dazo 21:06:38
I remember having merged in quite some patches ...
most of them, yes ... I think there was some more cleanup from jjo which I'm 
not sure of 21:06:56
 
mattock 21:07:10
we can take a look later
I think we should set a release date today 21:07:29
 
dazo 21:07:36
sure can do!

cron2 21:08:30
dazo: did you merge to master? I thought it's all in the winbuild-test branch?  

mattock 21:08:34
it's been nearly 6 weeks since 2.2.0... is next Friday (not tomorrow) doable?   

cron2 21:08:38
haven't seen any mails otherwise

dazo 21:08:40
but lets also agree on what we want to have cleaned up ... in the moment we 
branch out the beta/2.3 branch, I'd say we should have agreed on all new 
additional features
I'm waiting for andj to come up with the PolarSSL and doxygen patches, which we 
want into 2.3 21:09:14
that's the only "missing" pieces 21:09:24
 
mattock 21:09:39
have we seen any pieces yet?

dazo 21:09:40
there are also quite a few Trac tickets to look at as well
a