| 1 |
Marko Mikulicic <marko@××××.org> said: |
| 2 |
|
| 3 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 4 |
> Hash: SHA1 |
| 5 |
> |
| 6 |
> James Yonan wrote: |
| 7 |
> | Marko, |
| 8 |
> | |
| 9 |
> | It's an interesting approach, though it requires that you gentooize the |
| 10 |
> | openvpn config files, therefore breaking the ability to move the |
| 11 |
> config files |
| 12 |
> | across platforms. |
| 13 |
> | |
| 14 |
> | I'm not sure if the init script you provided is just something you |
| 15 |
> wrote for |
| 16 |
> | personal use, or if you are making an argument that it (or the style it |
| 17 |
> | embodies) should be officially incorporated as the Gentoo Init Script for |
| 18 |
> | OpenVPN. If it is the latter, then I must take this opportunity to |
| 19 |
> argue :) |
| 20 |
> |
| 21 |
> Yes, the script was for personal use. I was not so happy with it to |
| 22 |
> propose it as standard. |
| 23 |
> However there is a little reasion for that design choice: |
| 24 |
> routing must be implemented in a separate script pointed by the "up" keyword |
| 25 |
> in the config file. This script must contain a full route command and |
| 26 |
> must have an execute bit |
| 27 |
> set and I personally don't like redundant information. Also I didn't |
| 28 |
> find a way to use only one |
| 29 |
> routing script for all tunnels because netmask information is not passed |
| 30 |
> by openvpn to the script. |
| 31 |
|
| 32 |
Which netmask are you referring to? The TUN/TAP device? The |
| 33 |
internet-connected public interface? OpenVPN actually knows nothing of |
| 34 |
netmasks, except for 255.255.255.255 which is used by the --ifconfig option to |
| 35 |
configure a virtual tun adapter, so it's not clear what should be passed. |
| 36 |
There's also the fact that --up can pass user-specified parameters to the |
| 37 |
script, which might be a way of generalizing the route script, so that only |
| 38 |
one would be necessary for a set of tunnels. |
| 39 |
|
| 40 |
> ~ So the real reasion was: the openvpn config file is not so good as it |
| 41 |
> seems, or better said, |
| 42 |
> is not even a config file, is simply a text-file cmdline wrapper. |
| 43 |
|
| 44 |
Every openvpn option can be expressed on either the command line or a config |
| 45 |
file. The idea is that there is no reason to create yet another config file |
| 46 |
metalanguage for openvpn, when you can do arbitrarily complex run-time |
| 47 |
derivations of options by invoking openvpn from a shell script, and putting |
| 48 |
options on the command line. For that reason, openvpn config files are simple |
| 49 |
and flat (with the exception that multiple config files can be placed on the |
| 50 |
command line, and config files can include other config files). Having said |
| 51 |
that, any command line smarts would need to go in the init.d file. Perhaps |
| 52 |
the /etc/conf.d/openvpn file just has global command line options. |
| 53 |
|
| 54 |
James |
| 55 |
|
| 56 |
> ~ That said, and agreeing on your argumentations, I think it would be |
| 57 |
> better, from a practical point of view, |
| 58 |
> ~ to put one file for each tunnel in /etc/openvpn as you say, and |
| 59 |
> a) put optianally a second file, say /etc/openvpn/tunnelname.route, |
| 60 |
> which will be parsed |
| 61 |
> from the /etc/init.d/openvpn and it will apply routing. |
| 62 |
> or |
| 63 |
> b) put a specially formatted comment ("#@route blabla") in the .conf |
| 64 |
> file and do the same as above |
| 65 |
> |
| 66 |
> | # Location of openvpn binary |
| 67 |
> | openvpn=/usr/local/sbin/openvpn |
| 68 |
> | |
| 69 |
> | # PID directory |
| 70 |
> | piddir=/var/run/openvpn |
| 71 |
> | |
| 72 |
> | # Our working directory (.conf files should be here) |
| 73 |
> | work=/etc/openvpn |
| 74 |
> this things should go in conf.d/xyz or |
| 75 |
> it maybe something like |
| 76 |
> $work = ${work:-/etc/openvpn} |
| 77 |
> ? |
| 78 |
> in other words: if the conf.d/xyz file gets lost should the script |
| 79 |
> use it's builtin default, while allowing the user to override them in |
| 80 |
> conf.d, |
| 81 |
> or should the script strictly depend on the existence of the conf.d/xyz |
| 82 |
> file ? |
| 83 |
> |
| 84 |
> | for c in `/bin/ls *.conf 2>/dev/null`; do |
| 85 |
> is there a reason for not using "for c in *.conf; do" ? |
| 86 |
> |
| 87 |
> yours, |
| 88 |
> Marko |
| 89 |
> -----BEGIN PGP SIGNATURE----- |
| 90 |
> Version: GnuPG v1.2.2 (GNU/Linux) |
| 91 |
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org |
| 92 |
> |
| 93 |
> iD8DBQE+/h1+j0pLiOk7oZoRAi4wAJ0YTZZYZXdvqWlKdbLNHCaq9EDixQCgiTQU |
| 94 |
> fdBaun+yOFup2iMWAWdh1sE= |
| 95 |
> =Fbx1 |
| 96 |
> -----END PGP SIGNATURE----- |
| 97 |
> |
| 98 |
|
| 99 |
|
| 100 |
|
| 101 |
-- |
| 102 |
|
| 103 |
|
| 104 |
|
| 105 |
|
| 106 |
-- |
| 107 |
gentoo-dev@g.o mailing list |
Archives