On 13/05/2022 13:40, Arne Schwabe wrote:
On 13.05.22 at 13:22 David Sommerseth wrote:
On 13/05/2022 11:37, Heiko Hund wrote:
Have clients set a bit in IV_PROTO, so that servers can make an informed decision on whether to push --dns to the client. While unknown options are ignored by clients when pushed, they generate a warning in the log. That can be circumvented by server backends by checking if bit 7 is set.

Signed-off-by: Heiko Hund <he...@ist.eigentlich.net>
[...snip...]
+ /* support for the --dns option */ + iv_proto |= IV_PROTO_DNS_OPTION; +
[...snip...]
+#define IV_PROTO_DNS_OPTION (1<<6) +
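Review bot: in the hunk above that ORs the flag into iv_proto, the bit is set unconditionally, so a client will advertise IV_PROTO_DNS_OPTION even on platforms where OpenVPN does not apply --dns itself and DNS is left to scripts that only understand foreign_option data; either gate the bit on the platforms that actually consume --dns, or state in the commit message that the bit only promises "no unknown-option warning", not "DNS will be configured", so server backends do not read more into it than it guarantees.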
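Review bot: the commit message tells backend authors to check "bit 7", but the define in this hunk is `(1<<6)`; pick one counting convention and use it in both places (call it bit 6 counting from zero, or give the numeric value 64 / 0x40 in the message) so nobody tests the wrong bit. A one-line comment next to the define saying what a set bit promises would also help, since the define itself currently carries no documentation.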
[...snip...]
To be honest, I requested this flag but I don't think this is really what I want/need any more. I wanted to have a flag that tells me as a server that I can push --dns options instead of --dhcp-options and accept the client to evaluate them.

As I remember it, this wasn't initially about Android and Windows clients. It was about the server pushing both --dhcp-option DNS and --dns at the same time, and that OpenVPN 2.5 and older clients would complain about --dns option warnings. By signalling to a server who wants to avoid this (like the Access Server), the server can choose if it wants to send --dns or --dhcp-options, based on this flag.

But after some digging, I found that on platforms where dhcp-option is NOT parsed by openvpn itself (so anything but Android and Windows) and scripts are used to set DNS, these scripts will always use dhcp-options as they rely on foreign_option support. So they end up with no DNS configuration if only --dns is pushed, and using --dhcp-option options if both are pushed, unless the script is updated.
Right?

That the client side isn't parsing --dns options properly is to my understanding a different issue, which also needs a solution. And if my memory isn't completely corrupted, we had some brief talks about v2.6 clients adding some kind of "conversion" from --dns to --dhcp-options *data* for scripts/plug-ins - but only in a simplistic best-effort approach. If the strict --dhcp-option behavior is needed, that can be used with v2.6 clients for the time being if --dns causes trouble.
But if both --dns and --dhcp-options are used, and the --dhcp-option provides a setting --dns supports, --dns should take precedence.

This should also work fine, as the --dns option is far more flexible in what it supports, while --dhcp-options are just simpler by design - and designed around a less dynamic Internet world.
-- 
kind regards,

David Sommerseth
OpenVPN Inc
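As an added illustration of the server-side decision Arne and David are discussing (this is example code written for this page, not OpenVPN's own code and not from anyone in the thread): parse the IV_PROTO value out of a client's peer-info, test the IV_PROTO_DNS_OPTION bit quoted in the patch above, and pick which directive to push. The peer-info sample lines, the function names and the DNS address are constructed for the example; the pushed --dns directive assumes 2.6's "dns server <n> address <addr>" form. Note Arne's caveat: a set bit only means the client will not warn about --dns, not that a script-based platform will actually apply it.

```c
/* Example (not OpenVPN source): choose between pushing --dns and
 * --dhcp-option DNS based on the IV_PROTO capability bit a client reports.
 * The bit value is the one from the patch quoted above; the peer-info
 * format is OpenVPN's "KEY=value\n" lines; everything else is illustrative. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IV_PROTO_DNS_OPTION (1<<6)   /* value from the quoted hunk */

/* Extract the numeric IV_PROTO value from a peer-info blob.
 * Returns 0 (no capability bits) if the key is absent or malformed,
 * so a hostile or broken client cannot make us assume capabilities. */
unsigned long parse_iv_proto(const char *peer_info)
{
    const char *p = peer_info;
    while (p && *p) {
        if (strncmp(p, "IV_PROTO=", 9) == 0) {
            char *end;
            unsigned long v = strtoul(p + 9, &end, 10);
            /* accept only a clean decimal terminated by EOL or end of string */
            if (end != p + 9 && (*end == '\n' || *end == '\r' || *end == '\0')) {
                return v;
            }
            return 0;
        }
        p = strchr(p, '\n');    /* advance to the next KEY=value line */
        if (p) {
            p++;
        }
    }
    return 0;
}

/* True when the client has promised not to warn about a pushed --dns. */
int client_accepts_dns_option(unsigned long iv_proto)
{
    return (iv_proto & IV_PROTO_DNS_OPTION) != 0;
}

/* Build the single push directive for one DNS server. A server that wants
 * to avoid "unknown option" warnings on 2.5 and older clients pushes
 * --dhcp-option DNS unless the bit is set. Returns the number of characters
 * written, or -1 if the buffer was too small (output is then unusable). */
int build_dns_push(unsigned long iv_proto, const char *dns_addr,
                   char *out, size_t outlen)
{
    int n;
    if (client_accepts_dns_option(iv_proto)) {
        n = snprintf(out, outlen, "dns server 1 address %s", dns_addr);
    } else {
        n = snprintf(out, outlen, "dhcp-option DNS %s", dns_addr);
    }
    if (n < 0 || (size_t)n >= outlen) {
        return -1;
    }
    return n;
}

int main(void)
{
    /* constructed peer-info samples: a 2.5 client and a client with the bit set */
    const char *old_client = "IV_VER=2.5.7\nIV_PLAT=linux\nIV_PROTO=6\n";
    const char *new_client = "IV_VER=2.6_git\nIV_PLAT=win\nIV_PROTO=70\n";
    char buf[128];

    if (build_dns_push(parse_iv_proto(old_client), "10.8.0.1", buf, sizeof buf) > 0) {
        printf("old client -> push \"%s\"\n", buf);
    }
    if (build_dns_push(parse_iv_proto(new_client), "10.8.0.1", buf, sizeof buf) > 0) {
        printf("new client -> push \"%s\"\n", buf);
    }
    return 0;
}
```

The parser deliberately returns 0 on anything that is not a clean decimal, so a malformed or missing IV_PROTO falls back to the conservative --dhcp-option path rather than to a guess about what the client supports.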
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel