1 |
Marko Mikulicic <marko@××××.org> said: |
2 |
|
3 |
> -----BEGIN PGP SIGNED MESSAGE----- |
4 |
> Hash: SHA1 |
5 |
> |
6 |
> James Yonan wrote: |
7 |
> |
8 |
> | Which netmask are you referring to? The TUN/TAP device? The |
9 |
> | internet-connected public interface? OpenVPN actually knows nothing of |
10 |
> | netmasks, except for 255.255.255.255 which is used by the --ifconfig |
11 |
> option to |
12 |
> | configure a virtual tun adapter, so it's not clear what should be passed. |
13 |
> I mean "the destination network ip and netmask", which cannot be |
14 |
> extracted from |
15 |
> tunnel information because it depends on the other side's local network. |
16 |
|
17 |
I see. That would be difficult to implement without some sort of handshake. |
18 |
|
19 |
> | There's also the fact that --up can pass user-specified parameters to the |
20 |
> | script, which might be a way of generalizing the route script, so that |
21 |
> only |
22 |
> | one would be necessary for a set of tunnels. |
23 |
> | |
24 |
> | Every openvpn option can be expressed on either the command line or a |
25 |
> config |
26 |
> | file. The idea is that there is no reason to create yet another |
27 |
> config file |
28 |
> | metalanguage for openvpn, when you can do arbitrarily complex run-time |
29 |
> | derivations of options by invoking openvpn from a shell script, and |
30 |
> putting |
31 |
> | options on the command line. For that reason, openvpn config files |
32 |
> are simple |
33 |
> | and flat (with the exception that multiple config files can be placed |
34 |
> on the |
35 |
> | command line, and config files can include other config files). |
36 |
> Having said |
37 |
> | that, any command line smarts would need to go in the init.d file. |
38 |
> Perhaps |
39 |
> | the /etc/conf.d/openvpn file just has global command line options. |
40 |
> |
41 |
> if you can pass arbitrary arguments to the --up script the problem is |
42 |
> solved. |
43 |
> I didn't find it in the man page. |
44 |
|
45 |
The manual page could probably be more clear on this, but in fact the '--up |
46 |
cmd' usage allows cmd to be an actual shell command with parameters. For example: |
47 |
|
48 |
bash-2.05b# openvpn --dev tun --ifconfig 10.1.0.1 10.1.0.2 --up 'echo foo bar' |
49 |
Sat Jun 28 20:19:52 2003 0: OpenVPN 1.4.1.5 i686-pc-linux-gnu built on Jun 28 2003 |
50 |
Sat Jun 28 20:19:52 2003 1: UDP link local (bound): [undef]:5000 |
51 |
Sat Jun 28 20:19:52 2003 2: UDP link remote: [undef] |
52 |
Sat Jun 28 20:19:52 2003 3: ******* WARNING *******: all encryption and |
53 |
authentication features disabled -- all data will be tunnelled as cleartext |
54 |
Sat Jun 28 20:19:52 2003 4: TUN/TAP device tun1 opened |
55 |
Sat Jun 28 20:19:52 2003 5: /sbin/ifconfig tun1 10.1.0.1 pointopoint 10.1.0.2 |
56 |
mtu 1300 |
57 |
Sat Jun 28 20:19:52 2003 6: echo foo bar tun1 1300 1300 10.1.0.1 10.1.0.2 |
58 |
foo bar tun1 1300 1300 10.1.0.1 10.1.0.2 |
59 |
|
60 |
> |
61 |
> I see that the idea of the config file is good, the problem is that it |
62 |
> would be nice to have also |
63 |
> a --route option and not only an --ifconfig. But here we come the the |
64 |
> same old problem |
65 |
> monolithic vs. modular. openvpn is very monolithic (which is good |
66 |
> because it is simple to use) |
67 |
> but then is natural that the authors doesn't want to bloat it with too |
68 |
> many options. |
69 |
> In fact, routing is not strictly an issue of openvpn, since users may |
70 |
> prefer various techniques, |
71 |
> and hard coding one perhaps is not good. |
72 |
|
73 |
A kind of --route option has been considered, though it presents certain |
74 |
problems. For one, you are accepting a remote route from a foreign machine |
75 |
which has obvious security implications. The other is that route (like |
76 |
ifconfig) has subtle variations across platforms, so openvpn in a sense would |
77 |
need to implement a cross-platform route capability. If openvpn provided |
78 |
this, it would likely be designed for only the simplest cases (as --ifconfig |
79 |
does now), and would be no match for real routing technology such as OSPF |
80 |
(which incidentally, some people run over openvpn tunnels). |
81 |
|
82 |
James |
83 |
|
84 |
|
85 |
-- |
86 |
gentoo-dev@g.o mailing list |