Date: Thu, 30 Jul 2009 10:11:24 +0200
To: "Stefan Bethke"
From: "Matthias Andree"
Cc: FreeBSD Current, OpenVPN Developer Mailing List, James Yonan
Subject: Re: recent change to ifconfig breaks OpenVPN?

Dear Jim and other OpenVPN hackers,

there is an OpenVPN regression, apparently affecting 2.1 on FreeBSD-8, and caused by OpenVPN configuring the local address on a P2P interface for the local AND ALSO the remote address.

See http://lists.freebsd.org/pipermail/freebsd-current/2009-July/010032.html and followups for details.

On 30.07.2009, 08:40, Stefan Bethke wrote:

> I'm not sure if that is a more general problem with OpenVPN (at least in
> --topology subnet mode), or a specific problem in the FreeBSD-specific
> code. I just looked at a Linux box connected to the same OpenVPN
> server, and their ifconfig invocation looks different from ours, so the
> FreeBSD-specific code at least plays some role.
>
> I'd still like to know whether the change to the routing code is
> intentional or a regression.

Stefan,

Which version of OpenVPN are you using?

It might seem that this is a FreeBSD regression, as OpenVPN assumes this about --topology subnet, so that the use of the local address as remote is intentional.
(This is from the current OpenVPN 2.1-RC manpage):

    subnet -- Use a subnet rather than a point-to-point topology by
    configuring the tun interface with a local IP address and subnet
    mask, similar to the topology used in --dev tap and ethernet
    bridging mode. This mode allocates a single IP address per
    connecting client and works on Windows as well. Only available
    when server and clients are OpenVPN 2.1 or higher, or OpenVPN
    2.0.x which has been manually patched with the --topology
    directive code. When used on Windows, requires version 8.2 or
    higher of the TAP-Win32 driver. When used on *nix, requires that
    the tun driver supports an ifconfig(8) command which sets a
    subnet instead of a remote endpoint IP address.

I see this in the ChangeLog:

2006.04.05 -- Version 2.1-beta12
...
* "topology subnet" fix for FreeBSD (Benoit Bourdin).
...

And it appears that exactly this patch may be the culprit. This is from the OpenVPN 2.1 source repository:

------------------------------------------------------------------------
r986 | james | 2006-04-05 08:28:19 +0200 (Wed, 05 Apr 2006) | 2 lines
Changed paths:
   M /branches/BETA21/openvpn/tun.c

"topology subnet" fix for FreeBSD (Benoit Bourdin).
------------------------------------------------------------------------
Index: tun.c =================================================================== --- tun.c (Revision 985) +++ tun.c (Revision 986)
@@ -795,19 +795,42 @@ ifconfig_remote_netmask, tun_mtu ); - else - openvpn_snprintf (command_line, sizeof (command_line), + else { + if (tt->topology == TOP_SUBNET) + openvpn_snprintf (command_line, sizeof (command_line), + IFCONFIG_PATH " %s %s %s netmask %s mtu %d up", + actual, + ifconfig_local, + ifconfig_local, + ifconfig_remote_netmask, + tun_mtu + ); + else + openvpn_snprintf (command_line, sizeof (command_line), IFCONFIG_PATH " %s %s netmask %s mtu %d up", actual, ifconfig_local, ifconfig_remote_netmask, tun_mtu ); + } msg (M_INFO, "%s", command_line); system_check (command_line, es, S_FATAL, "FreeBSD ifconfig failed"); tt->did_ifconfig = true; + /* Add a network route for the local tun interface */ + if (!tun && tt->topology == TOP_SUBNET) + { + struct route r; + CLEAR (r); + r.defined = true; + r.network = tt->local & tt->remote_netmask; + r.netmask = tt->remote_netmask; + r.gateway = tt->local; + add_route (&r, tt, 0, es); + } + #elif defined (WIN32) { /* -- Matthias Andree
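
Review bot: In the TOP_SUBNET branch the format string takes three address arguments and `ifconfig_local` is passed for both the second and the third, so the interface is given its own local address as its destination, and nothing in the hunk says this is deliberate. Add a comment stating why the local address is reused there (the message above names exactly this as the suspected cause of the FreeBSD 8 breakage), or pass a distinct peer address. The new route block then uses `tt->local` as the gateway for `tt->local & tt->remote_netmask` and runs only after the ifconfig command above it, so the two additions should be documented together. Separately, `command_line` is assembled from `%s` strings and handed to `system_check` as one string, so `ifconfig_local` and `ifconfig_remote_netmask` need to be validated as plain addresses before they reach this point.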