n, the "L3 routing interface" will also go down,
and I found that usually to be "what I expect and want to happen")
Now, I'm not saying that this would be trivial to do, but tremendously
useful :-)
gert
--
USENET is *not* the non-clickable part of WWW!
:=4
> +PKG_RELEASE:=5
While at it, you could bump to upstream 2.3.7...
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc
is what you really want.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...
c -
setup ipv4/ipv6 addresses on tun if, add ipv4/ipv6 routes)
gert,
openvpn upstream
am will not accept it (traditional
patch will, and complain about fuzz needed).
gert
si
d job with this today).
The old model "strong firewall, weak devices behind it" is just a thing
not matching reality anymore...
gert
d the default be", and I'm
not sure we can come to an agreement on this.
gert
firewall requirements.
gert
will not listen and stick to their religion anyway. So I
should spend my time coding instead)
gert
nd the firewall?
A hacker "from the wild" is likely to not even *find* the device if it's
using EUI64 IPv6 addressing and not registered in DNS, while an attacker
on the same LAN just needs to ping ff02::1 to see them all, wide open...
gert
t your Joe Random attacker.
If someone is that determined, he'll just target your PC first, and
jump from there to the devices on your LAN. Way easier in general)
gert
server as part of --push-peer-info (so server admins can poke
users to upgrade, if needed).
gert
Hi,
On Wed, Sep 24, 2014 at 07:43:13PM +0200, Stefano De Carlo wrote:
> On 24/09/2014 18:30, Gert Doering wrote:
> >
> > "OpenVPN Upstream" would recommend to go up to HEAD in git/master, aka
> > 9048d50b0a27a724ad088dc4904eb4888b0bca87 - this is all "op
s: can you explain a bit better in which cases this change
would be needed and/or beneficial?
thanks,
gert
OpenVPN client, server, 3G router
(using a USB UMTS dongle, with OpenVPN and IPv6 over OpenVPN), ...
gert
/community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
gert
ixes tomorrow, so you might want to go
right there...
(As far as OpenWRT goes, the necessary patches for 2.3.1 and 2.3.2 should
be the same)
gert,
speaking as OpenVPN maintainer
eases/openvpn-2.3.2.tar.xz
http://swupdate.openvpn.org/community/releases/openvpn-2.3.2.zip
gert
e assigned
prefix can - and likely, will - change)
gert
relevant broadcom bits are not there, so you plainly *can't*...
gert
"send back ICMP PTB").
[..]
> Is there any options to disable the fragmentation on IPV4 ?
In that case, you'd need to drop the IPv4 packet. Gain? Zero :-)
gert
ed by the IPv4 Stack even if the MTU 1500 vs 1460
> (40 is the size of ipv6 headers)
>
> Any ideas ?
>
> Pietro Paolini
> pulsarpie...@aol.com
>
> -Original Message-
> From: Gert Doering
> To: OpenWrt Develo
n or not, the kernel doesn't *know*
that this is going to end up as an IPv6 packet. Layering, and that.
gert
to lower TCP MSS side on the IPv4
packets, to avoid having full-sized packets on the IPv4 side -> no need
for IPv6 fragmentation. But that will not help UDP or other IP protocols.
Or accept IPv4 fragmentation...
gert
too
many places.
As a quick fix, just remove "#include " from "ssl_polarssl.h".
We'll get this fixed upstream in one way or the other, and I'll send
over a new commit ID with the fix.
gert
p inside the .h hierarchy... (reviewed on the openvpn-devel
list, considered reasonable, ACKed).
gert
port for iproute2"
- default n
+ default y
endmenu
thanks,
gert
t images?
gert
d, as upstream
is unlikely to accept a special #ifdef for LINUX_BUSYBOX_IFCONFIG.
gert
We used to call "ifconfig tun0 inet6 add...". The "inet6" part is optional,
and not understood by busybox. So now we call "ifconfig tun0 add ...",
which works on all supported Linux variants.
Tested on Gentoo, RHEL5+, Debian Lenny & up.
Signed-off-by: Ge
Hi,
On Tue, Sep 11, 2012 at 01:51:11PM +0200, Gert Doering wrote:
> We used to call "ifconfig tun0 inet6 add...". The "inet6" part is optional,
> and not understood by busybox. So now we call "ifconfig tun0 add ...",
> which works on all supported Linux
Hi,
On Tue, Sep 11, 2012 at 03:00:10PM +0200, Joachim Schlipper wrote:
> On 11.09.2012 13:53, Gert Doering wrote:
> > Indeed, it's that simple. I have just sent a patch upstream to change
> > this in the openvpn git sources, as all "non-busybox" Linux versions
please update :-)
(As a side note & heads up: we're likely going to tag the openvpn git
tree as "2.3_beta1" tomorrow or Friday)
gert
Hi,
On Wed, Sep 12, 2012 at 10:06:00AM +0800, Mirko Vogt wrote:
> On 09/12/2012 03:30 AM, Gert Doering wrote:
> > Committed to openvpn upstream in cae102ae0c2ff934c456cd584cbf87a33cd95206
>
> Nice - glad to see fixes get applied that fast upstream.
> I also committed th
git of the soon-to-be released 2.3 version)
If you need a remote server that has working IPv6 and will push
IPv6 routes, to see that everything works, let me know and I'll set up
something.
gert
free to mail
me directly, of course)
gert
and being able to get
back via link-local was useful, even if slightly cumbersome due to the
interface-dependent syntax "fe80::1:2:3%eth0" on the client side)
gert
s is what large scale providers need to do.
gert
antage: well, it complicates source address selection on the
CPE, as locally sourced packets leaving via WAN need to use a global
address elsewhere - you named it, already.
gert
Plug in that thing, received DHCPv6-PD from upstream
routers, offer v6 to connected LANs, off you go...)
gert
like that - can't find
it right now. It's good to know that it works, though I'm fully
intending to not use bridging anyway :-) - I really really like the
hnet approach.
Will let you know how it works out!
thanks,
gert
": [
],
"ipv6-address": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
]
},
"data": {
"dhcpv4": "di
Hi,
On Fri, May 02, 2014 at 10:56:07PM +0200, Gert Doering wrote:
> May 2 22:47:09: IPv6 DHCP: Received SOLICIT from FE80::CC4F:57BB:3A1:93FD on
> Vlan2
> May 2 22:47:09: IPv6 DHCP: Option IA-NA(3) is not supported yet
> May 2 22:47:09: IPv6 DHCP: Sending ADVERTISE to FE80::CC4F:5
Hi,
On Fri, May 02, 2014 at 10:56:07PM +0200, Gert Doering wrote:
> ... so, something I am missing... :-/
Oh well. First thing is "I should have looked at 'ifstatus wan_6'" which
indeed tells me "WAN is working":
root@OpenWrt:/etc/config# ifstatus wan_6
{
ut "otherwise harmless",
but the route shouldn't point to eth1 - my belly says "this would make
the box unable to reach other devices on the :0:62:: LAN".
Incidentally, when I ping6 the GUA address of the router, it *does* work:
root@OpenWrt:~# ping6 2001:608:0:62::
PING 2001:608:0:62:: (2001:608:0:62::): 56 data
ing until you do "network restart")
- "/etc/init.d/network restart" restarts, but after that, some of the
routes are gone - in one case, 2001:608:0:62::/64, in the other case,
the 2001:608:5:b1::/64 one. This (again, FTR) is due to hnetd not
noticing that "network re
r your patch, it was committed in r41026 and 41027.
> Will there be a backport to AA 12.09?
Seconded - that would be very welcome (because OpenVPN is vulnerable to
CVE-2014-0224).
gert
been written so
far" has been read, and not wait for the reader buffer to fill up.
gert
et, and make sure it's set to "1" :-)
gert
need of IPv6, and the problems are still
there.
gert
6 prefix support
using DHCP-PD. As in "router queries ISP for a prefix, ISP assigns
2001:db8:1::/56, router assigns 2001:db8:1:1::/64 to LAN,
2001:db8:1:2::/64 for WiFi and informs radvd that this is the prefix
to be used". AVM's Fritz!Box does this nicely today, but not
uch more useful today than "IPv6 only via 6to4".
> (And no, I wouldn't advocate 6to4 being enabled by default anyway).
+1 :-)
gert
to and from the relay is
inside the ISP's domain - so you actually have someone who can troubleshoot
issues, and latency is likely to be as good as IPv4.
gert
___
openwrt-devel mailing list
table ("rearranging deck chairs on the titanic").
gert
thingie is completely independent of the specific firmware you want to
load - be it original linksys, dd-wrt or tomatoUSB :-) )
gert
m release changes? (OpenVPN development uses weekly
snapshots for 'platform builds', e.g. FreeBSD ports, and my OpenWRT
Makefile is based on these).
Thanks for your help,
gert
Hi Florian,
On Sun, Aug 01, 2010 at 12:35:19AM +0200, Florian Fainelli wrote:
> On Wednesday 7 July 2010 10:46:50, Gert Doering wrote:
[..]
> > OTOH, that package does not have any sort of IPv6 support, which means
> > that IPv6-on-OpenWRT users need to compile their own
er already).
Tested on 10.03/ar71xx with udp and tcp TUN, IPv4+IPv6 payload, tests passed.
Please include :-)
Signed-off-by: Gert Doering
gert
ved regarding dependencies or something
like that...)
gert
aPlug comes to mind (Kirkwood SoC).
gert
in the application of
the last commit - or my local SVN is confused. I know I sent this last
time, but "svn diff" claims it's not in the repository right now...
Anyway, here's the output of "svn update ; svn diff" on the packages feed
tree...
Please include :-)
Hi,
"ping?"
gert
- Forwarded message from Gert Doering -
Date: Thu, 11 Nov 2010 14:24:39 +0100
From: Gert Doering
To: openwrt-devel@lists.openwrt.org
Subject: Re: [OpenWrt-Devel] [PATCH] Update for openvpn-devel
the following patch brings openvpn-devel up to "week 4
Hi,
On Wed, Nov 24, 2010 at 08:16:35PM +0100, Florian Fainelli wrote:
> On Wednesday 24 November 2010 19:46:54 Gert Doering wrote:
> > "ping?"
>
> I have it committed locally, I will push this later tonight. Sorry about that.
Thanks!
(I know how busy you folks are, so
support, but not "E3000/N610" -
what are the usual problems in getting a certain platform to actually
*work*? Is there a howto or anything?
gert
; is completely unnecessary and potentially dangerous.
gert
which I can't say).
I have an E3000 here, but it has no serial yet, so I can't even help
you testing (yet). Sorry. Hope my $0.02 are at least a bit useful.
gert
that now. This is a real pity.
gert
built into these boxes? Is it "15 parallel VLANs, no matter
which VIDs" or "802.1q VLAN IDs up to 15" (read: no way to use 920)?
gert
get some better understanding about the different
things involved here.
gert
t of the problem, not helping with any solution at all)
gert
I had the opportunity to review a few chapters of it - and
it now has a place of honour right next to the Stevens in my book shelf)
gert
't *that* particularly hard to find.
gert
asiest approach would be to ask those people what's needed to do this
on Linux, no?
gert