Craig Knox <c...@purplefields.com> said:

> Hi,
>
> > One of the problems I can see with this is that you give some information
> > away about the payload, mind you not much, but you are regardless.
>
> That is true - but for me it's either give away TOS or have things become
> unresponsive.
>
> > I guess if you really wanted to do this, one could modify openvpn to look at
> > the IP headers directly inside of openvpn and get the TOS off of the
> > packet and then use setsockopt() to set it for the outgoing packet. It
> > might not seem pretty, but it'll work. Let me know if you want me to hack
> > up a patch for you to do this.
>
> Cheers - I think I've managed to make the changes by getting the TOS field
> of the incoming packet and setting it on the udp packet - in that it
> seems to work.
I think TOS pass-through would be a nice optional feature to add to OpenVPN. I would be curious to know how this works for you, i.e. extracting the TOS from the TUN/TAP data and calling setsockopt before the encrypted packet gets written to the UDP port.

Some caveats that immediately come to mind:

* Since OpenVPN does not assume a particular TUN encoding of IP traffic, this patch requires OpenVPN to assume an offset of the TOS bits.
* Does the TOS extract and set on the UDP socket with setsockopt work in all cases, such as when packets are fragmented, dropped, or retransmitted?
* This process causes the TOS to be sent as plaintext, which could be undesirable from a security standpoint.

James
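The mechanism the two messages describe, shown as an added example that is not part of the thread and is not OpenVPN's own code: read the TOS byte from a packet as it arrives from a TUN device and copy it onto the UDP socket that carries the encrypted tunnel with setsockopt(). The function names (extract_tos, outer_tos, apply_tos), the sample packets and the TOS_DSCP_MASK constant are this example's own. It also makes explicit the offset assumption James raises (the buffer is taken to start directly with the IP header, as on a plain TUN device without a packet-information prefix) and, as a partial answer to the plaintext caveat, copies only the six DSCP bits rather than the full byte, so the inner connection's ECN state is not exposed on the outer transport.

```c
/* Added example, not OpenVPN code: TOS pass-through from TUN packet to UDP socket.
 * Assumption: pkt[0] is the first byte of the IP header (plain TUN, no
 * packet-information header in front of it). IPv4 and IPv6 are handled. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>

/* Only the DSCP bits (top six) are copied to the outer packet; the two ECN
 * bits are dropped so the inner flow's congestion signalling stays private. */
#define TOS_DSCP_MASK 0xFC

/* Returns 0 and stores the TOS (IPv4) or traffic class (IPv6) byte in *tos,
 * or -1 if the buffer is too short or does not start with an IP header. */
int extract_tos(const uint8_t *pkt, size_t len, int *tos)
{
    if (len < 1)
        return -1;
    switch (pkt[0] >> 4) {          /* IP version nibble */
    case 4:
        if (len < 20)               /* minimum IPv4 header length */
            return -1;
        *tos = pkt[1];              /* second octet: DS field + ECN */
        return 0;
    case 6:
        if (len < 40)               /* fixed IPv6 header length */
            return -1;
        /* traffic class straddles the first two octets: low nibble of
         * byte 0 and high nibble of byte 1 */
        *tos = ((pkt[0] & 0x0F) << 4) | (pkt[1] >> 4);
        return 0;
    default:
        return -1;                  /* not an IP packet (e.g. TAP frame) */
    }
}

/* The value that actually gets applied to the outer UDP packet. */
int outer_tos(int inner_tos)
{
    return inner_tos & TOS_DSCP_MASK;
}

/* Set IP_TOS on an AF_INET UDP socket before the encrypted datagram is sent.
 * Returns 0 on success, -1 on failure. An AF_INET6 socket would use
 * IPV6_TCLASS instead. */
int apply_tos(int udp_fd, int inner_tos)
{
    int val = outer_tos(inner_tos);
    return setsockopt(udp_fd, IPPROTO_IP, IP_TOS, &val, sizeof val);
}

/* Constructed sample packets (headers only, no payload) for demonstration. */
const uint8_t SAMPLE_V4[20] = { 0x45, 0xB9 };   /* IPv4, DSCP EF (46), ECN 01 */
const uint8_t SAMPLE_V6[40] = { 0x6A, 0x80 };   /* IPv6, traffic class 0xA8 */
const uint8_t SAMPLE_SHORT[8] = { 0x45, 0x00 }; /* truncated IPv4 header */

int main(void)
{
    int tos;
    if (extract_tos(SAMPLE_V4, sizeof SAMPLE_V4, &tos) == 0)
        printf("inner TOS 0x%02x -> outer TOS 0x%02x\n", tos, outer_tos(tos));

    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    if (apply_tos(fd, tos) != 0)
        perror("setsockopt(IP_TOS)");
    close(fd);
    return 0;
}
```

In a real tunnel process the extract and setsockopt would run per packet, immediately before the UDP write for that packet, which is exactly where the fragmentation and retransmission questions in the thread bite: the TOS taken from one TUN packet must not linger on the socket and colour an unrelated control or retransmitted datagram.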