
List:       gentoo-dev
Subject:    Re: [gentoo-dev] Init Scripts
From:       "James Yonan" <jim () yonan ! net>
Date:       2003-06-29 2:41:50

Marko Mikulicic <marko@seul.org> said:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> James Yonan wrote:
> 
> | Which netmask are you referring to?  The TUN/TAP device?  The
> | internet-connected public interface?  OpenVPN actually knows nothing of
> | netmasks, except for 255.255.255.255 which is used by the --ifconfig
> | option to configure a virtual tun adapter, so it's not clear what should
> | be passed.
> I mean "the destination network ip and netmask", which cannot be
> extracted from tunnel information because it depends on the other side's
> local network.

I see.  That would be difficult to implement without some sort of handshake.

> | There's also the fact that --up can pass user-specified parameters to the
> | script, which might be a way of generalizing the route script, so that
> | only one would be necessary for a set of tunnels.
> |
> | Every openvpn option can be expressed on either the command line or a
> | config file.  The idea is that there is no reason to create yet another
> | config file metalanguage for openvpn, when you can do arbitrarily complex
> | run-time derivations of options by invoking openvpn from a shell script,
> | and putting options on the command line.  For that reason, openvpn config
> | files are simple and flat (with the exception that multiple config files
> | can be placed on the command line, and config files can include other
> | config files).  Having said that, any command line smarts would need to
> | go in the init.d file.  Perhaps the /etc/conf.d/openvpn file just has
> | global command line options.
> 
> If you can pass arbitrary arguments to the --up script, the problem is
> solved.  I didn't find it in the man page.

The manual page could probably be more clear on this, but in fact the '--up
cmd' usage allows cmd to be an actual shell command with parameters.  For example:

bash-2.05b# openvpn --dev tun --ifconfig 10.1.0.1 10.1.0.2 --up 'echo foo bar'
Sat Jun 28 20:19:52 2003 0: OpenVPN 1.4.1.5 i686-pc-linux-gnu built on Jun 28 2003
Sat Jun 28 20:19:52 2003 1: UDP link local (bound): [undef]:5000
Sat Jun 28 20:19:52 2003 2: UDP link remote: [undef]
Sat Jun 28 20:19:52 2003 3: ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Sat Jun 28 20:19:52 2003 4: TUN/TAP device tun1 opened
Sat Jun 28 20:19:52 2003 5: /sbin/ifconfig tun1 10.1.0.1 pointopoint 10.1.0.2 mtu 1300
Sat Jun 28 20:19:52 2003 6: echo foo bar tun1 1300 1300 10.1.0.1 10.1.0.2
foo bar tun1 1300 1300 10.1.0.1 10.1.0.2

> 
> I see that the idea of the config file is good, the problem is that it
> would be nice to have also a --route option and not only an --ifconfig.
> But here we come to the same old problem monolithic vs. modular.  openvpn
> is very monolithic (which is good because it is simple to use) but then
> it is natural that the authors don't want to bloat it with too many
> options.  In fact, routing is not strictly an issue of openvpn, since
> users may prefer various techniques, and hard coding one perhaps is not
> good.

A kind of --route option has been considered, though it presents certain
problems.  For one, you are accepting a remote route from a foreign machine
which has obvious security implications.  The other is that route (like
ifconfig) has subtle variations across platforms, so openvpn in a sense would
need to implement a cross-platform route capability.  If openvpn provided
this, it would likely be designed for only the simplest cases (as --ifconfig
does now), and would be no match for real routing technology such as OSPF
(which incidentally, some people run over openvpn tunnels).

James


--
gentoo-dev@gentoo.org mailing list
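Added example, not part of the thread above and not OpenVPN project code: an --up script of the kind James and Marko are discussing. It takes user-supplied arguments (destination network and netmask) in front of the five values OpenVPN 1.4 appends, which the 'echo foo bar' run above shows are tun_dev, tun_mtu, link_mtu, local_ip and remote_ip, and turns them into a net-tools route command. It also illustrates the concern raised about a --route option: anything that reaches this script ends up in a root-run command, and a value pushed from the far end is untrusted, so every argument is validated, the gateway is always the tunnel peer from --ifconfig rather than a script argument, and a default route is refused. The script path, the DRY_RUN variable and the refusal policy are this example's assumptions.

```shell
#!/bin/sh
# Example --up script (assumed path /etc/openvpn/up-route.sh), invoked as:
#   openvpn --dev tun --ifconfig 10.1.0.1 10.1.0.2 \
#           --up '/etc/openvpn/up-route.sh 192.168.10.0 255.255.255.0'
# OpenVPN 1.4 then appends: tun_dev tun_mtu link_mtu local_ip remote_ip

# is_ipv4 A.B.C.D: exactly four decimal octets 0..255, no leading zeros,
# no other characters (so nothing can smuggle shell metacharacters through).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    ipv4_ifs=$IFS; IFS=.; set -- $1; IFS=$ipv4_ifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case "$oct" in 0?*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# ip_to_int A.B.C.D: unsigned 32-bit value (caller has validated the form).
ip_to_int() {
    int_ifs=$IFS; IFS=.; set -- $1; IFS=$int_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# is_netmask M: dotted quad whose binary form is contiguous ones then zeros.
is_netmask() {
    is_ipv4 "$1" || return 1
    nm=$(ip_to_int "$1")
    inv=$(( nm ^ 4294967295 ))          # invert within 32 bits
    [ $(( inv & (inv + 1) )) -eq 0 ]    # inverted mask must be 2^k - 1
}

# route_cmd NET MASK TUN_DEV TUN_MTU LINK_MTU LOCAL_IP REMOTE_IP
# Prints the route command on success; prints nothing and returns 1 if any
# check fails.  The gateway is the --ifconfig peer OpenVPN passed us, never
# a user- or peer-supplied value.
route_cmd() {
    [ $# -eq 7 ] || { echo "route_cmd: expected 7 arguments, got $#" >&2; return 1; }
    net=$1 mask=$2 dev=$3 remote=$7
    is_ipv4 "$net"     || { echo "bad network address: $net" >&2; return 1; }
    is_netmask "$mask" || { echo "bad netmask: $mask" >&2; return 1; }
    is_ipv4 "$remote"  || { echo "bad remote ip: $remote" >&2; return 1; }
    case "$dev" in
        tun[0-9]*|tap[0-9]*) ;;
        *) echo "unexpected device: $dev" >&2; return 1 ;;
    esac
    maskint=$(ip_to_int "$mask")
    # Policy (this example's choice): never install a default route from an
    # --up argument; it would redirect every packet on the box into the tunnel.
    [ "$maskint" -ne 0 ] || { echo "refusing default route" >&2; return 1; }
    # The network must be aligned to its mask (host bits all zero).
    [ $(( $(ip_to_int "$net") & (maskint ^ 4294967295) )) -eq 0 ] \
        || { echo "network $net has host bits set for mask $mask" >&2; return 1; }
    echo "route add -net $net netmask $mask gw $remote dev $dev"
}

# When OpenVPN runs the script all seven arguments are present.  With DRY_RUN
# set the command is only printed, which lets a non-root user test the checks.
if [ $# -eq 7 ]; then
    cmd=$(route_cmd "$@") || exit 1
    echo "$cmd"
    [ -n "${DRY_RUN:-}" ] || /sbin/$cmd
fi
```

The same script serves a whole set of tunnels: each openvpn instance passes its own network and netmask on the --up line, and the tunnel-specific pieces (device name, peer address) come from OpenVPN itself. With the checks in place, a malformed or hostile value produces a logged refusal rather than a root command.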

