| 1 |
Marko Mikulicic <marko@××××.org> said: |
| 2 |
|
| 3 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 4 |
> Hash: SHA1 |
| 5 |
> |
| 6 |
> James Yonan wrote: |
| 7 |
> |
| 8 |
> | Which netmask are you referring to? The TUN/TAP device? The |
| 9 |
> | internet-connected public interface? OpenVPN actually knows nothing of |
| 10 |
> | netmasks, except for 255.255.255.255 which is used by the --ifconfig |
| 11 |
> option to |
| 12 |
> | configure a virtual tun adapter, so it's not clear what should be passed. |
| 13 |
> I mean "the destination network ip and netmask", which cannot be |
| 14 |
> extracted from |
| 15 |
> tunnel information because it depends on the other side's local network. |
| 16 |
|
| 17 |
I see. That would be difficult to implement without some sort of handshake. |
| 18 |
|
| 19 |
> | There's also the fact that --up can pass user-specified parameters to the |
| 20 |
> | script, which might be a way of generalizing the route script, so that |
| 21 |
> only |
| 22 |
> | one would be necessary for a set of tunnels. |
| 23 |
> | |
| 24 |
> | Every openvpn option can be expressed on either the command line or a |
| 25 |
> config |
| 26 |
> | file. The idea is that there is no reason to create yet another |
| 27 |
> config file |
| 28 |
> | metalanguage for openvpn, when you can do arbitrarily complex run-time |
| 29 |
> | derivations of options by invoking openvpn from a shell script, and |
| 30 |
> putting |
| 31 |
> | options on the command line. For that reason, openvpn config files |
| 32 |
> are simple |
| 33 |
> | and flat (with the exception that multiple config files can be placed |
| 34 |
> on the |
| 35 |
> | command line, and config files can include other config files). |
| 36 |
> Having said |
| 37 |
> | that, any command line smarts would need to go in the init.d file. |
| 38 |
> Perhaps |
| 39 |
> | the /etc/conf.d/openvpn file just has global command line options. |
| 40 |
> |
| 41 |
> if you can pass arbitrary arguments to the --up script the problem is |
| 42 |
> solved. |
| 43 |
> I didn't find it in the man page. |
| 44 |
|
| 45 |
The manual page could probably be more clear on this, but in fact the '--up |
| 46 |
cmd' usage allows cmd to be an actual shell command with parameters. For example: |
| 47 |
|
| 48 |
bash-2.05b# openvpn --dev tun --ifconfig 10.1.0.1 10.1.0.2 --up 'echo foo bar' |
| 49 |
Sat Jun 28 20:19:52 2003 0: OpenVPN 1.4.1.5 i686-pc-linux-gnu built on Jun 28 2003 |
| 50 |
Sat Jun 28 20:19:52 2003 1: UDP link local (bound): [undef]:5000 |
| 51 |
Sat Jun 28 20:19:52 2003 2: UDP link remote: [undef] |
| 52 |
Sat Jun 28 20:19:52 2003 3: ******* WARNING *******: all encryption and |
| 53 |
authentication features disabled -- all data will be tunnelled as cleartext |
| 54 |
Sat Jun 28 20:19:52 2003 4: TUN/TAP device tun1 opened |
| 55 |
Sat Jun 28 20:19:52 2003 5: /sbin/ifconfig tun1 10.1.0.1 pointopoint 10.1.0.2 |
| 56 |
mtu 1300 |
| 57 |
Sat Jun 28 20:19:52 2003 6: echo foo bar tun1 1300 1300 10.1.0.1 10.1.0.2 |
| 58 |
foo bar tun1 1300 1300 10.1.0.1 10.1.0.2 |
| 59 |
|
| 60 |
> |
| 61 |
> I see that the idea of the config file is good, the problem is that it |
| 62 |
> would be nice to have also |
| 63 |
> a --route option and not only an --ifconfig. But here we come the the |
| 64 |
> same old problem |
| 65 |
> monolithic vs. modular. openvpn is very monolithic (which is good |
| 66 |
> because it is simple to use) |
| 67 |
> but then is natural that the authors doesn't want to bloat it with too |
| 68 |
> many options. |
| 69 |
> In fact, routing is not strictly an issue of openvpn, since users may |
| 70 |
> prefer various techniques, |
| 71 |
> and hard coding one perhaps is not good. |
| 72 |
|
| 73 |
A kind of --route option has been considered, though it presents certain |
| 74 |
problems. For one, you are accepting a remote route from a foreign machine |
| 75 |
which has obvious security implications. The other is that route (like |
| 76 |
ifconfig) has subtle variations across platforms, so openvpn in a sense would |
| 77 |
need to implement a cross-platform route capability. If openvpn provided |
| 78 |
this, it would likely be designed for only the simplest cases (as --ifconfig |
| 79 |
does now), and would be no match for real routing technology such as OSPF |
| 80 |
(which incidentally, some people run over openvpn tunnels). |
| 81 |
|
| 82 |
James |
| 83 |
|
| 84 |
|
| 85 |
-- |
| 86 |
gentoo-dev@g.o mailing list |
Archives