Marko Mikulicic <marko@××××.org> said:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> James Yonan wrote:
> | Marko,
> |
> | It's an interesting approach, though it requires that you gentooize the
> | openvpn config files, therefore breaking the ability to move the
> | config files across platforms.
> |
> | I'm not sure if the init script you provided is just something you
> | wrote for personal use, or if you are making an argument that it (or
> | the style it embodies) should be officially incorporated as the Gentoo
> | Init Script for OpenVPN. If it is the latter, then I must take this
> | opportunity to argue :)
>
> Yes, the script was for personal use. I was not happy enough with it to
> propose it as a standard.
> However there is a little reason for that design choice:
> routing must be implemented in a separate script pointed to by the "up"
> keyword in the config file. This script must contain a full route
> command and must have an execute bit set, and I personally don't like
> redundant information. Also I didn't find a way to use only one routing
> script for all tunnels because netmask information is not passed by
> openvpn to the script.

Which netmask are you referring to? The TUN/TAP device? The
internet-connected public interface? OpenVPN actually knows nothing of
netmasks, except for 255.255.255.255 which is used by the --ifconfig option to
configure a virtual tun adapter, so it's not clear what should be passed.
There's also the fact that --up can pass user-specified parameters to the
script, which might be a way of generalizing the route script, so that only
one would be necessary for a set of tunnels.

> ~ So the real reason was: the openvpn config file is not so good as it
> seems, or better said, is not even a config file, it is simply a
> text-file cmdline wrapper.

Every openvpn option can be expressed on either the command line or a config
file. The idea is that there is no reason to create yet another config file
metalanguage for openvpn, when you can do arbitrarily complex run-time
derivations of options by invoking openvpn from a shell script, and putting
options on the command line. For that reason, openvpn config files are simple
and flat (with the exception that multiple config files can be placed on the
command line, and config files can include other config files). Having said
that, any command line smarts would need to go in the init.d file. Perhaps
the /etc/conf.d/openvpn file just has global command line options.

James

> ~ That said, and agreeing with your arguments, I think it would be
> better, from a practical point of view,
> ~ to put one file for each tunnel in /etc/openvpn as you say, and
> a) optionally put a second file, say /etc/openvpn/tunnelname.route,
> which will be parsed by /etc/init.d/openvpn and will apply routing,
> or
> b) put a specially formatted comment ("#@route blabla") in the .conf
> file and do the same as above
>
> | # Location of openvpn binary
> | openvpn=/usr/local/sbin/openvpn
> |
> | # PID directory
> | piddir=/var/run/openvpn
> |
> | # Our working directory (.conf files should be here)
> | work=/etc/openvpn
> should these things go in conf.d/xyz, or
> maybe something like
> work=${work:-/etc/openvpn}
> ?
> in other words: if the conf.d/xyz file gets lost, should the script
> use its builtin defaults, while allowing the user to override them in
> conf.d,
> or should the script strictly depend on the existence of the conf.d/xyz
> file?
>
> | for c in `/bin/ls *.conf 2>/dev/null`; do
> is there a reason for not using "for c in *.conf; do" ?
>
> yours,
> Marko
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQE+/h1+j0pLiOk7oZoRAi4wAJ0YTZZYZXdvqWlKdbLNHCaq9EDixQCgiTQU
> fdBaun+yOFup2iMWAWdh1sE=
> =Fbx1
> -----END PGP SIGNATURE-----

--
gentoo-dev@g.o mailing list
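James's point that --up can carry user-specified parameters, so that a single route script can serve a whole set of tunnels, can be made concrete with a script like the one below. It is an added example written for this page, not code from the thread, from OpenVPN or from Gentoo: the file name route-up.sh, the NET/MASK parameter syntax and the ROUTE_DRY_RUN variable are choices made here. It relies only on the argument order openvpn uses when it runs the --up command (the user parameters from the "up" line, then tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip, then init or restart on later versions) and on route(8).

```shell
#!/bin/sh
# route-up.sh: one --up script shared by every tunnel (added example, not
# from the thread). Each tunnel names its routes on its own "up" line, e.g.
#   up "/etc/openvpn/route-up.sh 10.8.0.0/255.255.255.0 192.168.50.0/255.255.255.0"
# openvpn appends its own fields after those user parameters:
#   tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]
# and ifconfig_remote_ip is used as the gateway for every NET/MASK given.

# is_ipv4 ADDR: accept dotted quads only (octet range is left to route(8)).
# The arguments originate in a config file and end up in a command run as
# root, so anything that is not an address is rejected, not passed on.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# build_route_cmds GW NET/MASK...: print one "route add" per network via GW.
# Returns 1 on the first malformed entry (the caller must then run nothing).
build_route_cmds() {
    gw=$1
    shift
    is_ipv4 "$gw" || return 1
    for entry in "$@"; do
        net=${entry%%/*}
        mask=${entry#*/}
        [ "$net" != "$entry" ] || return 1      # no "/" separator
        is_ipv4 "$net" && is_ipv4 "$mask" || return 1
        printf 'route add -net %s netmask %s gw %s\n' "$net" "$mask" "$gw"
    done
}

# openvpn_up_routes ARGS...: ARGS is the complete argument list openvpn hands
# to the --up command. The user parameters are the leading arguments, the
# five openvpn fields follow, and an optional init|restart marker ends it.
# Prints the route commands for the user parameters.
openvpn_up_routes() {
    [ "$#" -ge 5 ] || return 1
    eval "last=\${$#}"
    fixed=5
    case $last in
        init|restart) fixed=6 ;;
    esac
    user_count=$(( $# - fixed ))
    [ "$user_count" -ge 0 ] || return 1
    nets=""
    i=0
    while [ "$i" -lt "$user_count" ]; do
        nets="$nets $1"
        shift
        i=$(( i + 1 ))
    done
    # $1..$5 are now tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip
    gw=$5
    # nets is split on purpose; every token is checked by build_route_cmds
    build_route_cmds "$gw" $nets
}

# Only act when invoked by openvpn (i.e. with arguments). With ROUTE_DRY_RUN=1
# the commands are printed instead of executed.
if [ "$#" -gt 0 ]; then
    cmds=$(openvpn_up_routes "$@") || { echo "route-up: bad argument list: $*" >&2; exit 1; }
    if [ "${ROUTE_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | sh -e
    fi
fi
```

The script has to be executable, and it should be owned and writable by root only: openvpn runs the --up command with the privileges it was started with, which from an init script means root, and every token on the "up" line ends up inside a route command. That is why the script refuses anything that is not a dotted quad instead of interpolating it. The netmask Marko missed is simply carried as a user parameter, so the per-tunnel .conf stays a plain openvpn config file with no Gentoo-specific syntax.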
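The two remaining questions in the quoted message, builtin defaults versus a mandatory conf.d file and the ls-versus-glob loop, together with James's suggestion that /etc/conf.d/openvpn carry only global command line options, are illustrated by the start loop below. It is an added example, not the script discussed in the thread and not Gentoo's own init script: the variable names work, piddir and openvpn follow the quoted snippet, OPENVPN_OPTS and CONFD are hypothetical names introduced here, and the openvpn options it emits (--cd, --config, --writepid, --daemon) are standard ones.

```shell
#!/bin/sh
# Start loop for an /etc/init.d/openvpn (added example, not the thread's or
# Gentoo's script). Settings come from conf.d when it exists and from
# builtin defaults otherwise, so a missing conf.d file is not fatal.

# load_settings: source conf.d first (if readable), then fill in defaults
# for anything it left unset. CONFD and OPENVPN_OPTS are hypothetical names.
load_settings() {
    [ -r "${CONFD:-/etc/conf.d/openvpn}" ] && . "${CONFD:-/etc/conf.d/openvpn}"
    work=${work:-/etc/openvpn}          # .conf files live here
    piddir=${piddir:-/var/run/openvpn}  # one pid file per tunnel
    openvpn=${openvpn:-/usr/sbin/openvpn}
    OPENVPN_OPTS=${OPENVPN_OPTS:-}      # global command line options only
}

# tunnel_names DIR: basenames (without .conf) of DIR/*.conf, one per line.
# A bare "for c in *.conf" leaves the literal pattern in place when nothing
# matches (POSIX sh has no nullglob), hence the -f test; no `ls` is needed.
tunnel_names() {
    for c in "$1"/*.conf; do
        [ -f "$c" ] || continue
        c=${c##*/}
        printf '%s\n' "${c%.conf}"
    done
}

# tunnel_cmd NAME: the command line for tunnel NAME. Global options from
# conf.d come first, then the tunnel's own config file and pid file.
tunnel_cmd() {
    printf '%s' "$openvpn"
    [ -z "$OPENVPN_OPTS" ] || printf ' %s' "$OPENVPN_OPTS"
    printf ' --cd %s --config %s.conf --writepid %s/%s.pid --daemon\n' \
        "$work" "$1" "$piddir" "$1"
}

# start_tunnels: start every tunnel found in $work. Tunnel names are file
# names under a root-owned directory, so they are trusted in sh -c here.
start_tunnels() {
    mkdir -p "$piddir"
    tunnel_names "$work" | while read -r name; do
        echo "starting openvpn tunnel $name"
        sh -c "$(tunnel_cmd "$name")" || echo "tunnel $name failed to start" >&2
    done
}

case ${1:-} in
    start) load_settings; start_tunnels ;;
esac
```

Because conf.d is sourced before the defaults are applied, a user can override any of work, piddir or openvpn there, while a deleted conf.d file merely drops the user back to the builtin values. Per-tunnel policy never enters the init script: it stays in the tunnel's own .conf, which remains portable to any other platform that runs openvpn.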