From owner-freebsd-current@FreeBSD.ORG Thu Jul 30 22:40:07 2009
Date: Thu, 30 Jul 2009 22:36:26 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Julian Elischer
Cc: Qing Li, "Li, Qing", Matthias Andree, Stefan Bethke, FreeBSD Current
Subject: Re: recent change to ifconfig breaks OpenVPN?
In-Reply-To: <4A721160.5080902@elischer.org>
Message-ID: <20090730220658.M245@maildrop.int.zabbadoz.net>
References: <4A709126.5050102@elischer.org> <3A1518B9-2C8C-4F05-9195-82C6017E4902@lassitu.de> <4A721160.5080902@elischer.org>

On Thu, 30 Jul 2009, Julian Elischer wrote:

Hi,

some comments though it's late and I just got back from a UG meeting.

> note that he is using *ether* which seems odd. Since we are talking about
> tun. Is this the correct variable?

yes:
net.link.ether.inet.useloopback: 1
net.inet6.icmp6.nd6_useloopback: 1
(I guess historical accident).

Stefan Bethke wrote:
> The problem appears to be that OpenVPN invokes ifconfig with
> incorrect (but previously working) parameters, namely "ifconfig tun0
> local_ip local_ip" instead of "ifconfig tun0 local_ip remote_ip".

Exactly, that is the problem. So this is a ports issue.

> p.s. log output wrt ifconfig:
>
> FreeBSD (working up to last week, continues to work in -stable):
> /sbin/ifconfig tun1 44.128.127.2 44.128.127.2 netmask 255.255.255.0 mtu 1500 up

The ifconfig error you can see in HEAD is, as pointed out before, from
installing the additional route for the local address to the local
machine that the command above already installs for the remote end.

Changing sysctl net.link.ether.inet.useloopback=0 and the error goes
away, as the extra route is not installed by the kernel and everything
seems fine (to answer Qing).

I would say that this is bad but still works (even with the ioctl
error):

tun1: flags=8051 metric 0 mtu 1500
        inet 44.128.127.2 --> 44.128.127.2 netmask 0xffffff00

The problem is that seems bogus; It means that you reach the remote
end on the local address; so it's kind of
        ifconfig lo0 44.128.127.2/32 alias
You will never reach the remote ptp end this way and that'll not be
any help with openvpn.

I wonder what got the packets out in the past; probably lax checking
and some other magic.

Side-note: the same applies to a gif tunnel.

> Linux:
> /sbin/ifconfig tun4 44.128.127.15 netmask 255.255.255.0 mtu 1500 broadcast 44.128.127.255
>
> It is interesting to note that tun4 on the Linux box has the same local and remote address:
> /sbin/ifconfig tun4
> tun4      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>           inet addr:44.128.127.15  P-t-P:44.128.127.15  Mask:255.255.255.0
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

Yeah that is as great as we are or rather were.

So really, fix the openvpn scripts that assign the address to
interfaces to do something that would make sense from the ``man ip''
(not the literal command) point of view.

Just that it's "working" somewhere or used to work elsewhere neither
means that it was correct nor made sense at any time before.

/bz

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.
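
Added example, not part of the original message or of OpenVPN or FreeBSD: a small sh/awk check that reads FreeBSD-style `ifconfig` output and reports point-to-point interfaces whose local and destination addresses are identical, the misconfiguration discussed in the message above. The sample output is constructed (tun1 mirrors the output quoted in the message, tun2 is made up) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect point-to-point interfaces configured with the
# same local and peer address ("ifconfig tunN local_ip local_ip").

# Constructed sample input. tun1 mirrors the output quoted in the
# message; tun2 is a made-up interface with a distinct peer address.
sample_ifconfig() {
cat <<'EOF'
tun1: flags=8051 metric 0 mtu 1500
	inet 44.128.127.2 --> 44.128.127.2 netmask 0xffffff00
tun2: flags=8051 metric 0 mtu 1500
	inet 44.128.127.2 --> 44.128.127.1 netmask 0xffffff00
EOF
}

# Reads ifconfig output on stdin. Interface header lines start in
# column 0; address lines are indented. Prints "<ifname> <addr>" for
# each "inet LOCAL --> PEER" line where LOCAL and PEER are the same.
find_self_peered() {
    awk '
        /^[a-zA-Z]/ { ifname = $1; sub(/:$/, "", ifname); next }
        $1 == "inet" && $3 == "-->" && $2 == $4 { print ifname, $2 }
    '
}

# Pre-flight check a wrapper script could run before calling ifconfig
# on a tun or gif interface: refuse identical local and remote addresses.
check_ptp_args() {
    [ "$1" != "$2" ] || {
        echo "refusing: local and remote address are both $1" >&2
        return 1
    }
}

# Demo run on the constructed sample.
sample_ifconfig | find_self_peered
```

On a live system the same filter can be fed with `ifconfig | find_self_peered`.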