Hi,

On Fri, Oct 06, 2017 at 01:25:42AM +0200, David Sommerseth wrote:
> The --proto options changed a bit in OpenVPN v2.4.  This tries to
> expand this section, explaining the new variants and how they
> relate to older OpenVPN versions.

As discussed on IRC, this is not fully right yet.  I'm somewhat too
lazy to write up a proper patch, so I'll just write it up again.

Client and server are slightly different, as are 2.3/2.4.  So:

 client/2.3
    --proto udp/tcp    -> IPv4-only
    --proto udp6/tcp6  -> IPv6-only
       (no way to get "use what the server advertises in DNS")

 client/2.4
    --proto udp4/tcp4  -> IPv4-only
    --proto udp6/tcp6  -> IPv6-only
    --proto udp/tcp    -> "ask DNS, and try IPv6 and/or IPv4, whatever
                          comes back from DNS and works"

 server/2.3
    --proto udp/tcp    -> IPv4-only
    --proto udp6/tcp6  -> IPv6-only *or* dual-stack, depending on 
                          "net.inet6.ip6.v6only" sysctl (1 -> ipv6-only)

 server/2.4
    --proto udp4/tcp4  -> IPv4-only
    --proto udp6/tcp6  -> dual-stack or IPv6-only, depending on the
                          setting of "--bind [ipv6only]" (default is dual)
    --proto udp/tcp    -> "ask getaddrinfo() what the recommended value for
                          a listening socket is, and use that" - this can
                          result in an IPv4-only (INADDR_ANY) or an IPv6/
                          dual-stack socket (IN6ADDR_ANY_INIT)

                          So, for best results, use "udp6/tcp6" on machines 
                          that have IPv6 active, and only fallback to "udp/tcp"
                          when you *know* that udp6/tcp6 isn't working (e.g.
                          because some smart guy removed ipv6.ko from the 
                          system).

The slightly undefined behaviour of the 2.4/server side wrt "udp/tcp" is
something we should fix to always get dual-stack unless that fails, and
then fall back to IPv4-only - but that's slightly complicated (socket.c)
and needs lots of cross-platform testing, so "nobody has done it yet".

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

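The "dual-stack first, IPv4-only fallback" behaviour Gert proposes for "--proto udp" on a 2.4 server, written out as an added example. This is not OpenVPN's socket.c and not code from the thread; it is a stand-alone illustration using the plain BSD sockets API. It assumes a Linux or BSD system where IPV6_V6ONLY can be set per socket (on Linux the system default for that flag is the net.ipv6.bindv6only sysctl, the counterpart of the net.inet6.ip6.v6only sysctl mentioned above). The v6only argument models "--bind ipv6only"; port 0 makes the kernel pick an ephemeral port so the program runs without privileges:

```c
/* Added example (not OpenVPN code): open a wildcard UDP listener by trying a
 * dual-stack IPv6 socket first and falling back to an IPv4-only socket,
 * i.e. the behaviour proposed for "--proto udp" on a 2.4 server. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

enum listen_mode { MODE_FAILED = -1, MODE_DUALSTACK = 0, MODE_V6ONLY = 1, MODE_V4ONLY = 2 };

/* Bind an AF_INET6 socket to in6addr_any (IN6ADDR_ANY_INIT). IPV6_V6ONLY is
 * set explicitly instead of trusting the OS default (the v6only/bindv6only
 * sysctl), so the outcome does not depend on the host's sysctl setting.
 * On systems that refuse to clear IPV6_V6ONLY, this fails and the caller
 * falls back to IPv4, which is the intended behaviour. */
static int open_v6_listener(uint16_t port, int v6only)
{
    int fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0) {
        close(fd);
        return -1;
    }
    struct sockaddr_in6 sa;
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    sa.sin6_port = htons(port);
    sa.sin6_addr = in6addr_any;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Bind an AF_INET socket to INADDR_ANY: the IPv4-only case. */
static int open_v4_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* IPv6 (dual-stack unless v6only is set) first, then IPv4-only. *mode reports
 * which kind of socket the caller actually got. Returns the fd or -1. */
int open_udp_listener(uint16_t port, int v6only, int *mode)
{
    int fd = open_v6_listener(port, v6only);
    if (fd >= 0) {
        *mode = v6only ? MODE_V6ONLY : MODE_DUALSTACK;
        return fd;
    }
    fd = open_v4_listener(port);
    *mode = fd >= 0 ? MODE_V4ONLY : MODE_FAILED;
    return fd;
}

/* Read back the address family and IPV6_V6ONLY of a bound socket and report
 * which mode it is in. This is the check to run when you want to know what a
 * listener really ended up as, rather than what the config file says. */
int listener_mode(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    if (getsockname(fd, (struct sockaddr *)&ss, &len) < 0)
        return MODE_FAILED;
    if (ss.ss_family == AF_INET)
        return MODE_V4ONLY;
    if (ss.ss_family != AF_INET6)
        return MODE_FAILED;
    int v6only = 0;
    socklen_t olen = sizeof v6only;
    if (getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, &olen) < 0)
        return MODE_FAILED;
    return v6only ? MODE_V6ONLY : MODE_DUALSTACK;
}

int main(void)
{
    static const char *names[] = { "dual-stack", "ipv6-only", "ipv4-only" };
    int mode;
    int fd = open_udp_listener(0, 0, &mode);
    if (fd < 0 || listener_mode(fd) < 0) {
        perror("open_udp_listener");
        return 1;
    }
    printf("got a %s listener\n", names[listener_mode(fd)]);
    close(fd);
    return 0;
}
```

On a host with IPv6 active this prints "got a dual-stack listener"; on a host where the IPv6 module is missing, the AF_INET6 socket() call fails and the same code quietly reports "ipv4-only", which is exactly the fallback the mail asks for. Passing v6only=1 gives the "--bind ipv6only" behaviour instead.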

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
