On 12-02-21 02:44 PM, Alberto Gonzalez Iniesta wrote:
> On Tue, Feb 21, 2012 at 02:23:19PM -0500, Simon Deziel wrote:
>> On 12-02-21 01:57 PM, Alberto Gonzalez Iniesta wrote:
>>> On Tue, Feb 21, 2012 at 01:46:51PM -0500, Simon Deziel wrote:
>>>> On 12-02-21 11:41 AM, Teodor MICU wrote:
>>>>> This is a hack anyway. How about dealing with this properly with some
>>>>> code in OpenVPN? If I were you I would propose this to upstream
>>>>> developers.
>>>>
>>>> Upstream (EugeneKay on #openvpn) expressed that they were not inclined
>>>> to make those changes. They suggest to filter those bogus ICMP redirects
>>>> at the firewall level. IMHO, avoiding the generation of those bogus ICMP
>>>> redirects is cleaner and I still think the init script should take care
>>>> of this.
>>>>
>>>> @Alberto, may I ask your opinion on this one ?
>>>
>>> Hi,
>>>
>>> I'd like to give this a second thought (kfreebsd compatibility worries
>>> me too)
>>
>> I'm also for portability and wouldn't mind using sysctl instead of
>> relying on proc files. I think the following procedure relying on sysctl
>> would effectively turn off redirects for dynamically and
>> statically created tun devices:
>>
>> 1) Set net.ipv4.conf.all.send_redirects = 0
>> 2) Save net.ipv4.conf.default.send_redirects value
>> 3) Set net.ipv4.conf.default.send_redirects = 0
>> 4) Call the daemon to create the tun
>> 5) Restore net.ipv4.conf.default.send_redirects initial value
>>
>> Is this better ?
>
> Sounds good :-)
> Could you try it, please? I don't have a setup with that issue right now.
This new patch implements the above pseudo code and relies only on sysctl
for kfreebsd compatibility. I tested it with dynamically and statically
named tun devices.
Please let me know if something should be reworked/improved.
Thanks,
Simon
--- openvpn.orig 2011-12-22 09:44:03.049246165 -0500
+++ openvpn 2012-02-21 19:39:38.778032728 -0500
@@ -57,6 +57,22 @@
script_security="--script-security 2"
fi
+ # tun using the "subnet" topology confuses the routing code that wrongly
+ # emits ICMP redirects for client to client communications
+ if grep -q '^[[:space:]]*dev[[:space:]]*tun' $CONFIG_DIR/$NAME.conf && \
+ grep -q '^[[:space:]]*topology[[:space:]]*subnet' $CONFIG_DIR/$NAME.conf ; then
+ # When using "client-to-client", OpenVPN routes the traffic itself without
+ # involving the TUN/TAP interface so no ICMP redirects are sent
+ if ! grep -q '^[[:space:]]*client-to-client' $CONFIG_DIR/$NAME.conf ; then
+ sysctl -w net.ipv4.conf.all.send_redirects=0 > /dev/null
+
+ # Save the default value for send_redirects before disabling it
+ # to make sure the tun device is created with send_redirects disabled
+ SAVED_DEFAULT_SEND_REDIRECTS=$(sysctl -n net.ipv4.conf.default.send_redirects)
+ sysctl -w net.ipv4.conf.default.send_redirects=0 > /dev/null
+ fi
+ fi
+
STATUS=0
# Check to see if it's already started...
if test -e /var/run/openvpn.$NAME.pid ; then
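Review bot: the first sysctl -w in this block sets net.ipv4.conf.all.send_redirects=0 host-wide but, unlike the default key, it is never saved or restored (not here and not in stop_vpn), so the setting outlives the VPN and applies to every interface on the box; that is required on Linux, where an interface sends redirects when either conf/all or conf/<if> is 1, but it deserves a comment saying "all" is deliberately left at 0. Second, the exit status of every sysctl call is ignored and only stdout is silenced, so on kFreeBSD, which the cover letter targets, the missing net.ipv4.conf.* keys will print errors on every start; guard the block with something like `if [ "$(uname -s)" = Linux ]` or test for the key first with `sysctl -n net.ipv4.conf.all.send_redirects > /dev/null 2>&1`. Minor: `$CONFIG_DIR/$NAME.conf` is unquoted in the three grep calls, unlike the quoted uses elsewhere in this script.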
@@ -66,6 +82,12 @@
$DAEMONARG $STATUSARG --cd $CONFIG_DIR \
--config $CONFIG_DIR/$NAME.conf $script_security < /dev/null || STATUS=1
fi
+
+ # Set the back the original default value of send_redirects if it was changed
+ if [ -n "$SAVED_DEFAULT_SEND_REDIRECTS" ]; then
+ sysctl -w net.ipv4.conf.default.send_redirects=$SAVED_DEFAULT_SEND_REDIRECTS > /dev/null
+ fi
+
log_end_msg $STATUS
}
stop_vpn () {
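Review bot: the restore of net.ipv4.conf.default.send_redirects happens only on the straight-line path; if the script is interrupted or exits between the save in the earlier hunk and this point, the default stays at 0 and every interface created afterwards inherits it. Suggest restoring from a trap (e.g. `trap 'restore_default' INT TERM`) or moving the restore into a small function called from both the success and failure paths. Style: the comment "Set the back the original default value of send_redirects" should read "Set back the original default value of send_redirects".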
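The five-step save/set/create/restore procedure quoted above, as an added example that is not part of the Debian init script or of Simon's patch, written as POSIX sh functions: the config test the patch performs, plus the sysctl sequence with the default value put back also when the daemon command fails or the script is interrupted. It assumes Linux (the net.ipv4.conf.*.send_redirects keys do not exist on kFreeBSD); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Debian openvpn init script or of the patch
# above. Assumes Linux sysctl keys net.ipv4.conf.{all,default}.send_redirects.
# Function names are this example's own.

# Return 0 when the config needs the workaround: "dev tun" with
# "topology subnet" and no "client-to-client" (with client-to-client,
# OpenVPN forwards client traffic itself and the kernel never routes it).
needs_redirect_workaround() {
    conf="$1"
    grep -Eq '^[[:space:]]*dev[[:space:]]+tun' "$conf" || return 1
    grep -Eq '^[[:space:]]*topology[[:space:]]+subnet' "$conf" || return 1
    if grep -Eq '^[[:space:]]*client-to-client' "$conf"; then
        return 1
    fi
    return 0
}

# Put net.ipv4.conf.default.send_redirects back to the value saved in $saved.
# $saved is empty when the key was never read, so there is nothing to undo.
restore_default_send_redirects() {
    if [ -n "$saved" ]; then
        sysctl -w "net.ipv4.conf.default.send_redirects=$saved" > /dev/null
    fi
    saved=""
}

# Run "$@" (the daemon command that creates the tun device) with ICMP
# redirects disabled for the new interface. Linux sends redirects on an
# interface when conf/all OR conf/<if> is 1, so both "all" and "default"
# (the template copied into new interfaces) must be 0 while the device is
# created. "default" is restored afterwards, also on failure or on
# SIGINT/SIGTERM/SIGHUP; "all" is left at 0, as in the patch, because the
# tun device only stays redirect-free while it remains 0.
run_with_redirects_disabled() {
    saved=$(sysctl -n net.ipv4.conf.default.send_redirects) || return 1
    trap 'restore_default_send_redirects; exit 130' INT TERM HUP
    if ! sysctl -w net.ipv4.conf.all.send_redirects=0 > /dev/null; then
        restore_default_send_redirects
        return 1
    fi
    if ! sysctl -w net.ipv4.conf.default.send_redirects=0 > /dev/null; then
        restore_default_send_redirects
        return 1
    fi
    "$@"
    status=$?
    restore_default_send_redirects
    # Clears the handlers above; a caller's own INT/TERM/HUP traps are lost too.
    trap - INT TERM HUP
    return $status
}
```

In the init script this would wrap the daemon invocation: `if needs_redirect_workaround "$CONFIG_DIR/$NAME.conf"; then run_with_redirects_disabled <daemon command>; fi`. An EXIT trap was deliberately not used, because setting one inside the function would replace any EXIT trap the calling script already relies on.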