[Openvpn-devel] [PATCH] dynamic push buffer
hi guys
i run into the same problem as some of you, since i need the possibility
to push way more routes to the clients. but currently the push buffer is
limited which does not let you push more than about 15 routes.
so i wrote a patch which removes this limitation. please find the patch
attached to this posting. it is agains 2.0.9, tested on linux as
client/server.
the patch makes the push_list dynamic and sends it to the clients as
chunks. in order not to break older clients this will happen only if the
push buffer will be exceeded. however if exceeded, older clients can
still connect, print out warnings and connect successfully but certainly
don't apply the entire push list.
there is still a limitation. the openvpn routing table is still static
and holds max 100 routes, so you will not be able to push more than 100
routes. that value could be easily increased and/or if necessary this
could also made dynamic (however with deeper changes to the source).
please let me know what you think.
if you find it useful i will port the patch to the 2.1 branch
peter
--
:: e n d i a n
:: open source - open minds
:: peter warasin
:: http://www.endian.it :: pe...@endian.it
--- openvpn-2.0.9/options.c.orig 2007-01-24 23:23:42.0 +0100
+++ openvpn-2.0.9/options.c 2007-02-02 20:47:32.0 +0100
@@ -773,6 +773,7 @@
show_p2mp_parms (const struct options *o)
{
struct gc_arena gc = gc_new ();
+ struct push_list_item *item = NULL;
#if P2MP_SERVER
msg (D_SHOW_PARMS, " server_network = %s", print_in_addr_t (o->server_network, 0, &gc));
@@ -783,9 +784,12 @@
msg (D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t (o->server_bridge_pool_end, 0, &gc));
if (o->push_list)
{
- const struct push_list *l = o->push_list;
- const char *printable_push_list = l->options;
- msg (D_SHOW_PARMS, " push_list = '%s'", printable_push_list);
+ msg (D_SHOW_PARMS, " push_list = {");
+ for (item = o->push_list->options; item != NULL; item = item->next)
+{
+ msg (D_SHOW_PARMS, "%s", item->item);
+}
+ msg (D_SHOW_PARMS, " }");
}
SHOW_BOOL (ifconfig_pool_defined);
msg (D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t (o->ifconfig_pool_start, 0, &gc));
@@ -828,6 +832,20 @@
#endif /* ENABLE_DEBUG */
+
+void
+add_push_option(struct push_list *pl, struct gc_arena *gc, const char *option)
+{
+ struct push_list_item *item;
+
+ ALLOC_OBJ_CLEAR_GC (item, struct push_list_item, gc);
+ strncpy(item->item, option, sizeof(item->item));
+
+ item->next = pl->options;
+ pl->options = item;
+}
+
+
#if P2MP_SERVER
static void
@@ -901,14 +919,17 @@
void
options_detach (struct options *o)
{
+ struct gc_arena gc = o->gc;
gc_detach (&o->gc);
o->routes = NULL;
#if P2MP_SERVER
if (o->push_list) /* clone push_list */
{
const struct push_list *old = o->push_list;
- ALLOC_OBJ_GC (o->push_list, struct push_list, &o->gc);
- strcpy (o->push_list->options, old->options);
+ struct push_list_item *item = NULL;
+ ALLOC_OBJ_CLEAR_GC (o->push_list, struct push_list, &o->gc);
+ for (item = old->options; item != NULL; item = item->next)
+add_push_option(o->push_list, &o->gc, item->item);
}
#endif
}
@@ -2520,24 +2541,57 @@
}
}
+void
+push_list_to_buf(struct push_list *pl, struct buffer *buf)
+{
+ struct push_list_item *item;
+ bool first = true;
+
+ if (! pl)
+return;
+
+ for (item = pl->options; item != NULL; item = item->next)
+if (first)
+ buf_printf(buf, "%s", item->item);
+else
+ buf_printf(buf, ",%s", item->item);
+}
+
+void
+store_pull_buffer (struct options *options,
+ struct buffer *buf)
+{
+ char line[OPTION_PARM_SIZE];
+
+ if (options->pull_buffer == NULL)
+ALLOC_OBJ_CLEAR_GC (options->pull_buffer, struct push_list, &options->gc);
+
+ while (buf_parse (buf, ',', line, sizeof (line)))
+add_push_option(options->pull_buffer, &options->gc, line);
+
+ options->pull_buffer->chunks++;
+}
+
bool
apply_push_options (struct options *options,
- struct buffer *buf,
unsigned int permission_mask,
unsigned int *option_types_found,
struct env_set *es)
{
- char line[OPTION_PARM_SIZE];
int line_num = 0;
const char *file = "[PUSH-OPTIONS]";
const int msglevel = D_PUSH_ERRORS|M_OPTERR;
+ struct push_list_item *item = NULL;
- while (buf_parse (buf, ',', line, sizeof (line)))
+ if (! options->pull_buffer)
+return true;
+
+ for (item = options->pull_buffer->options; item != NULL; item = item->next)
{
char *p[MAX_PARMS];
CLEAR (p);
++line_num;
-
Re: [Openvpn-devel] Smartcard Authentication
hi Alon Bar-Lev wrote: > On 5/21/07, sithg...@stud.uni-erlangen.de > wrote: > How do you use with OpenSSH? > I recommend of using PKCS#11 as well. > http://alon.barlev.googlepages.com/openssh-pkcs11 also consider reading openvpn smartcard howto which has been posted here on the list short time ago: http://michele.pupazzo.org/docs/smart-cards-openvpn.html peter -- :: e n d i a n :: open source - open minds :: peter warasin :: http://www.endian.com :: pe...@endian.com
Re: [Openvpn-devel] openvpn server in client-to-client mode - filtering
hi Oleg Motienko wrote: > > Is it possible to filter some ports between clients while server is in > > client-to-clientmode? you need to direct the traffic out to the servers tun/tap device in order to filter centralized on the server. i have the same problem like you. i solved it manually but don't know exactly how to push the rules correctly. i toggled of client-to-client mode and set up on each client a host route for the servers ip address which is bound to the tap device. then i created on each client routes for each subnet assigned to the several clients with gateway pointing to the servers tap ip address. the server certainly routes each client-network back into the tap device this way each traffic coming from a client going to a client must pass the servers tap device twice,. so you can filter using netfilter. only thing which i did not manage to do is to push this routing configuration to the clients. maybe we need something like redirect-gateway, but only for a list of subnets? or did i understood something wrong? regards, peter -- :: e n d i a n :: open source - open minds :: peter warasin :: http://www.endian.com :: pe...@endian.com
[Openvpn-devel] centralized filtering
hi guys Is there a possibility to configure openvpn server in order to push to it's clients a routing constellation in a manner that every traffic from a vpn endpoint to another vpn endpoint must pass the tap device on the openvpn server? I have an openvpn (2.0) server and several clients which connect to it. This is the relevant part of the server configuration: - dev tap1 client-to-client server-bridge 10.0.0.1 255.255.255.0 10.0.0.160 10.0.0.180 push "route-gateway 10.0.0.1" - Since this pushes the following to the clients: - ip link set dev tap2 up ip addr add dev tap2 10.0.0.x/24 broadcast 10.0.0.255 - traffic from one endpoint to another will never pass the tap1 device on the server, but go directly. Now i would like to filter traffic between the both endpoints, but can do it only if the traffic passes the tap device and so also netfilter. Manually i am able to set this up: - ip route add 10.0.0.1/32 dev tap2 ip route add 10.0.0.x/32 dev tap2 ip route add 10.0.0.0/24 via 10.0.0.1 - But i would like to push those routes from the server to the client. I see no possibility to achieve this. Did i miss something or is this not possible at all? I tried - ifconfig 10.0.0.1 255.255.255.0 ifconfig-pool 10.0.0.160 10.0.0.180 255.255.255.255 push "route 10.0.0.0/24" push "route-gateway 10.8.0.1" - but so certainly the hostroute which directs traffic for the vpn_gateway 10.0.0.1 to the clients tap device will not be created and thus route 10.0.0.0/24 will not be inserted because it's gateway is unknown. Is there no possibility to push this type of config? I would need something like this: push "route 10.0.0.1 0.0.0.0 0 client_device", which then explodes to ip route add 10.0.0.1/32 dev client_device. I thought about to patch this in (and i will, if there is no other possibility), but since our customers like to have the choice to use the original openvpn client from the openvpn.net page it is not a good solution and i would prefer if there is a solution which i did not see yet :) Hope for some pointers in the right direction and thank you in advance by now. peter -- :: e n d i a n :: open source - open minds :: peter warasin :: http://www.endian.com :: pe...@endian.com
Re: [Openvpn-devel] centralized filtering
hola Peter Warasin wrote: > > Is there a possibility to configure openvpn server in order to push to > > it's clients a routing constellation in a manner that every traffic from > > a vpn endpoint to another vpn endpoint must pass the tap device on the > > openvpn server? For whom it may concern: I have found a workaround for this problem. (maybe there is someone with the same problem) Use a bigger server-bridge subnet for server-bridge than the address pool you use for openvpn clients, like: server-bridge 10.0.0.1 255.255.255.0 10.0.0.129 10.0.0.254 push a lesser subnet which fits the openvpn-pool to the clients: push "route 10.0.0.128/25" remove client-to-client What happens? The roadwarriors get the whole subnet for setting up their interface but then get a routing entry which direct traffic to the vpn_gateway for ip-addresses of the smaller subnet. each vpn endpoint is in the smaller subnet, so each connection will pass the vpn_gateway and thus also the servers tap device. peter -- :: e n d i a n :: open source - open minds :: peter warasin :: http://www.endian.com :: pe...@endian.com
Re: [Openvpn-devel] multi-homed udp-based OpenVPN Server
Hi Kate Kretz wrote: > > we tried to use OpenVPN Server on two-nic (both are internet-connected) > > server. > > udp packets always go out on default gateway, even if they came from > > another nic. I have the same problem. Was not able to go more in depth into this problem, but i will (need to) soon. In the meantime, i thought about using --float on the clients. This should work. peter -- :: e n d i a n :: open source - open minds :: peter warasin :: http://www.endian.com :: pe...@endian.com <>
