Re: ratble and rdomain support on dhcpd and openvpn

2016-07-18 Thread Difan Zhao
Great ideas! Thank you Pierre!

-Original Message-
From: BARDOU Pierre [mailto:bardo...@mipih.fr]
Sent: Monday, July 18, 2016 8:51 AM
To: Difan Zhao 
Cc: misc@openbsd.org
Subject: RE: ratble and rdomain support on dhcpd and openvpn

Hi,

OpenVPN does not support rdomains and probably never will, as it is
OpenBSD-specific.

I had some success by running it in the default rdomain and then dispatching
the clients in different rdomains via PF. But this was for server mode.
Maybe you can do something like that for the client, like running it in the
default rdomain and make PF rules in your rdomain 200 to send relevant packets
to the VPN.
You might also use "route -T 200 exec openvpn ..." and a script, which will
set the rdomain on connection. Look at the --up parameter of the OpenVPN man
page.

--
Regards,
Pierre BARDOU

-Original Message-
From: Difan Zhao [mailto:difan.z...@pason.com]
Sent: Friday, July 15, 2016 21:35
To: Chris Cappuccio 
Cc: Pierre Emeriaud ; misc@openbsd.org
Subject: Re: ratble and rdomain support on dhcpd and openvpn

Thank you sir! So I probably just stick with my hacking approach and wait for
the 6.0. I see that will come in November so not too much waiting.

So any idea how the openvpn might start to support rtable or rdomain?

Thanks,
Difan

-Original Message-
From: Chris Cappuccio [mailto:ch...@nmedia.net]
Sent: Friday, July 15, 2016 11:07 AM
To: Difan Zhao 
Cc: Pierre Emeriaud ; misc@openbsd.org
Subject: Re: ratble and rdomain support on dhcpd and openvpn

Difan Zhao [difan.z...@pason.com] wrote:
> Hi Pierre,
>
> I just upgraded the soekris box to openbsd 5.9 however I am still
> having the problem setting the rtable...
>

This requires OpenBSD 6.0 which is not yet released. You can use snapshots at
http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/ to install the beta code.



Re: ratble and rdomain support on dhcpd and openvpn

2016-07-18 Thread BARDOU Pierre
Hi,

OpenVPN does not support rdomains and probably never will, as it is
OpenBSD-specific.

I had some success by running it in the default rdomain and then dispatching
the clients in different rdomains via PF. But this was for server mode.
Maybe you can do something like that for the client, like running it in the
default rdomain and make PF rules in your rdomain 200 to send relevant packets
to the VPN.
You might also use "route -T 200 exec openvpn ..." and a script, which will
set the rdomain on connection. Look at the --up parameter of the OpenVPN man
page.

--
Regards,
Pierre BARDOU

-Original Message-
From: Difan Zhao [mailto:difan.z...@pason.com]
Sent: Friday, July 15, 2016 21:35
To: Chris Cappuccio 
Cc: Pierre Emeriaud ; misc@openbsd.org
Subject: Re: ratble and rdomain support on dhcpd and openvpn

Thank you sir! So I probably just stick with my hacking approach and wait for
the 6.0. I see that will come in November so not too much waiting.

So any idea how the openvpn might start to support rtable or rdomain?

Thanks,
Difan

-Original Message-
From: Chris Cappuccio [mailto:ch...@nmedia.net]
Sent: Friday, July 15, 2016 11:07 AM
To: Difan Zhao 
Cc: Pierre Emeriaud ; misc@openbsd.org
Subject: Re: ratble and rdomain support on dhcpd and openvpn

Difan Zhao [difan.z...@pason.com] wrote:
> Hi Pierre,
>
> I just upgraded the soekris box to openbsd 5.9 however I am still
> having the problem setting the rtable...
>

This requires OpenBSD 6.0 which is not yet released. You can use snapshots at
http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/ to install the beta code.



Re: ratble and rdomain support on dhcpd and openvpn

2016-07-15 Thread bytevolcano

Kapetanakis Giannis wrote:

On 15/07/16 22:34, Difan Zhao wrote:

Thank you sir! So I probably just stick with my hacking approach and
wait for
the 6.0. I see that will come in November so not too much waiting.

So any idea how the openvpn might start to support rtable or rdomain?

Thanks,
Difan



OpenBSD -current (snapshots) is quite stable.
I would suggest you try it and don't wait for the next release.

G



Be careful though; the API/ABI in -current is essentially a moving 
target, so if you do want to stick to -current, be certain the packages 
you run are downloaded roughly the same date you download the snapshot.


Running -current vs -release/-stable should be considered on a 
case-by-case basis. If you know exactly what packages you expect to run, 
and are likely to keep that set, then -current is for you.




Re: ratble and rdomain support on dhcpd and openvpn

2016-07-15 Thread Kapetanakis Giannis

On 15/07/16 22:34, Difan Zhao wrote:

Thank you sir! So I probably just stick with my hacking approach and wait for
the 6.0. I see that will come in November so not too much waiting.

So any idea how the openvpn might start to support rtable or rdomain?

Thanks,
Difan



OpenBSD -current (snapshots) is quite stable.
I would suggest you try it and don't wait for the next release.

G



Re: ratble and rdomain support on dhcpd and openvpn

2016-07-15 Thread Difan Zhao
Thank you sir! So I probably just stick with my hacking approach and wait for
the 6.0. I see that will come in November so not too much waiting.

So any idea how the openvpn might start to support rtable or rdomain?

Thanks,
Difan

-Original Message-
From: Chris Cappuccio [mailto:ch...@nmedia.net]
Sent: Friday, July 15, 2016 11:07 AM
To: Difan Zhao 
Cc: Pierre Emeriaud ; misc@openbsd.org
Subject: Re: ratble and rdomain support on dhcpd and openvpn

Difan Zhao [difan.z...@pason.com] wrote:
> Hi Pierre,
>
> I just upgraded the soekris box to openbsd 5.9 however I am still having the
> problem setting the rtable...
>

This requires OpenBSD 6.0 which is not yet released. You can use snapshots at
http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/ to install the beta code.



Re: ratble and rdomain support on dhcpd and openvpn

2016-07-15 Thread Chris Cappuccio
Difan Zhao [difan.z...@pason.com] wrote:
> Hi Pierre, 
> 
> I just upgraded the soekris box to openbsd 5.9 however I am still having the 
> problem setting the rtable...
> 

This requires OpenBSD 6.0 which is not yet released. You can use snapshots at
http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/ to install the beta code.



Re: ratble and rdomain support on dhcpd and openvpn

2016-07-14 Thread Difan Zhao
Hi Pierre, 

I just upgraded the soekris box to openbsd 5.9 however I am still having the 
problem setting the rtable...

# uname -a
OpenBSD covebsd.cove.net 5.9 GENERIC#1561 i386

# rcctl set dhcpd200 rtable 200
usage:  rcctl get|getdef|set service | daemon [variable [arguments]]
rcctl [-df] action daemon ...
rcctl disable|enable|order [daemon ...]
rcctl ls lsarg

same for the original dhcpd service...

# rcctl set dhcpd rtable 200
usage:  rcctl get|getdef|set service | daemon [variable [arguments]]
rcctl [-df] action daemon ...
rcctl disable|enable|order [daemon ...]
rcctl ls lsarg

silly question, where can I find a list of dhcpd options that I can set? Is 
that just what "rcctl get" lists?

# rcctl get dhcpd
dhcpd_class=daemon
dhcpd_flags=vr1
dhcpd_timeout=30
dhcpd_user=root

Also how do I find out my dhcpd version? "dhcpd --version" does not work for 
me...

Thanks guys!
Difan

-Original Message-
From: petrus...@gmail.com [mailto:petrus...@gmail.com] On Behalf Of Pierre 
Emeriaud
Sent: Tuesday, July 12, 2016 11:33 PM
To: Difan Zhao 
Cc: Chris Cappuccio ; misc@openbsd.org
Subject: Re: ratble and rdomain support on dhcpd and openvpn

2016-07-13 1:37 GMT+02:00 Difan Zhao :
> Thank you Chris! I come from the Cisco world with a little Linux experience
> but it does make sense to me. It looks like I could run two DHCP processes
> this way.
>
> However the problem is that I still can't set the rtable.. Also tried the 
> "rdomain" but got the same error. It took the "set flag" command though. I 
> also tried "rcctl set dhcpd200 status on" and it took it too.
>
> Is it problem with my openbsd or dhcpd version?

rcctl table needs a fairly recent openbsd. Not sure if it was already in 5.9, 
I'm using -current.



Re: ratble and rdomain support on dhcpd and openvpn

2016-07-12 Thread Pierre Emeriaud
2016-07-13 1:37 GMT+02:00 Difan Zhao :
> Thank you Chris! I come from the Cisco world with a little Linux experience
> but it does make sense to me. It looks like I could run two DHCP processes
> this way.
>
> However the problem is that I still can't set the rtable.. Also tried the 
> "rdomain" but got the same error. It took the "set flag" command though. I 
> also tried "rcctl set dhcpd200 status on" and it took it too.
>
> Is it problem with my openbsd or dhcpd version?

rcctl table needs a fairly recent openbsd. Not sure if it was already
in 5.9, I'm using -current.



Re: ratble and rdomain support on dhcpd and openvpn

2016-07-12 Thread Difan Zhao
Thank you Chris! I come from the Cisco world with a little Linux experience
but it does make sense to me. It looks like I could run two DHCP processes
this way.

However the problem is that I still can't set the rtable.. Also tried the
"rdomain" but got the same error. It took the "set flag" command though. I
also tried "rcctl set dhcpd200 status on" and it took it too.

Is it problem with my openbsd or dhcpd version?

Thanks,
Difan

-Original Message-
From: Chris Cappuccio [mailto:ch...@nmedia.net]
Sent: Tuesday, July 12, 2016 10:25 AM
To: Difan Zhao 
Cc: Pierre Emeriaud ; misc@openbsd.org
Subject: Re: ratble and rdomain support on dhcpd and openvpn

Difan Zhao [difan.z...@pason.com] wrote:
> Thanks Pierre! However the command does not work for me... Do I need to
> upgrade my openbsd box? I am on 5.8 right now.
>
> # rcctl set dhcpd rtable 200
> usage: rcctl [-df] action|get|getdef|ls|order|set
> [service | daemon [variable [arguments]] | daemons | lsarg]
> # rcctl get dhcpd
> dhcpd_class=daemon
> dhcpd_flags=vr1
> dhcpd_timeout=30
> dhcpd_user=root
>
> If it works, does it mean that dhcpd will only operate on rtable 200? It
> will be nice if it can run on both rtable 200 and the default rtable 0...
>

I believe under -current, you'd just:

ln -s /etc/rc.d/dhcpd /etc/rc.d/dhcpd200

rcctl set dhcpd200 rtable 200
rcctl set dhcpd200 flags "-f /etc/dhcpd.conf.200"

and use dhcpd200 and /etc/dhcpd.conf.200 to start for rtable 200, use dhcpd
and /etc/dhcpd.conf for rtable 0

Chris



Re: ratble and rdomain support on dhcpd and openvpn

2016-07-12 Thread Chris Cappuccio
Difan Zhao [difan.z...@pason.com] wrote:
> Thanks Pierre! However the command does not work for me... Do I need to 
> upgrade my openbsd box? I am on 5.8 right now.
> 
> # rcctl set dhcpd rtable 200
> usage: rcctl [-df] action|get|getdef|ls|order|set
> [service | daemon [variable [arguments]] | daemons | lsarg]
> # rcctl get dhcpd
> dhcpd_class=daemon
> dhcpd_flags=vr1
> dhcpd_timeout=30
> dhcpd_user=root
> 
> If it works, does it mean that dhcpd will only operate on rtable 200? It will 
> be nice if it can run on both rtable 200 and the default rtable 0...
> 

I believe under -current, you'd just:

ln -s /etc/rc.d/dhcpd /etc/rc.d/dhcpd200

rcctl set dhcpd200 rtable 200
rcctl set dhcpd200 flags "-f /etc/dhcpd.conf.200"

and use dhcpd200 and /etc/dhcpd.conf.200 to start for rtable 200, use dhcpd and 
/etc/dhcpd.conf for rtable 0

Chris



Re: ratble and rdomain support on dhcpd and openvpn

2016-07-12 Thread Difan Zhao
Thanks Pierre! However the command does not work for me... Do I need to upgrade 
my openbsd box? I am on 5.8 right now.

# rcctl set dhcpd rtable 200
usage: rcctl [-df] action|get|getdef|ls|order|set
[service | daemon [variable [arguments]] | daemons | lsarg]
# rcctl get dhcpd
dhcpd_class=daemon
dhcpd_flags=vr1
dhcpd_timeout=30
dhcpd_user=root

If it works, does it mean that dhcpd will only operate on rtable 200? It will 
be nice if it can run on both rtable 200 and the default rtable 0...

Thanks!
Difan

-Original Message-
From: petrus...@gmail.com [mailto:petrus...@gmail.com] On Behalf Of Pierre 
Emeriaud
Sent: Tuesday, July 12, 2016 12:53 AM
To: Difan Zhao 
Cc: misc@openbsd.org
Subject: Re: ratble and rdomain support on dhcpd and openvpn

2016-07-12 7:41 GMT+02:00 Difan Zhao :
>
> So I have been playing with rdomain and I am able to get dhcp and 
> openvpn working but with some hacking. I am seeking a proper way to do this.


rcctl(8) is the way to go:

# rcctl set dhcpd rtable 200

# rcctl get dhcpd
dhcpd_class=daemon
dhcpd_flags=
dhcpd_rtable=200
dhcpd_timeout=30
dhcpd_user=root


(thanks again aja, much appreciated)



Re: ratble and rdomain support on dhcpd and openvpn

2016-07-12 Thread Gregor Best
Ahoy,

> [...]
> Same for the openVPN. I use privateinternetaccess service. I ran
> "openvpn US\ Seattle.ovpn" to start the vpn and that gives me the tun0
> with IP on it. Then I have run the following to move the tun0 to the
> rdomain200 manually.
> [...]
> However, when the openvpn times out or reconnects, it gives tun0 new
> IP and puts tun0 back in the default rdomain (0?). So I have to
> manually do this all over again... So anyway to configure it, maybe by
> editing the ovpn file?
> [...]

OpenVPN has a mechanism that allows using a user supplied script to do
the device configuration instead of having OpenVPN do that by itself.
I use the following for my IPredator VPN:

# --- 8< --- SNIP --- 8< ---
script-security 2 # Allows OpenVPN to execute scripts
ifconfig-noexec
route-noexec
route-up /etc/openvpn/ipredator/up.sh
up /etc/openvpn/ipredator/up.sh
# --- 8< --- SNAP --- 8< ---

The script looks like this:
# --- 8< --- SNIP --- 8< ---
#!/bin/ksh
# OpenVPN runs this once with script_type=up (ifconfig-noexec left the
# address setup to us) and once with script_type=route-up (route-noexec left
# the routing to us); dev, ifconfig_local, ifconfig_netmask, tun_mtu and
# route_vpn_gateway are supplied by OpenVPN in the environment.
case "${script_type}" in
up)
    # Configure the tunnel and move it straight into rdomain 3.
    /sbin/ifconfig "${dev}" "${ifconfig_local}" \
        netmask "${ifconfig_netmask}" mtu "${tun_mtu}" rdomain 3
    ;;
route-up)
    # Default route for rdomain 3 only; rdomain 0 keeps its own.
    route -T3 add default "${route_vpn_gateway}"
    ;;
*)
    echo "Unknown script type ${script_type}" | logger -t up
    ;;
esac
# --- 8< --- SNAP --- 8< ---

-- 
Gregor
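
A more general form of the same hook idea, as an added example (not Gregor's
script and not anything shipped by OpenVPN): it reads the rdomain from a
VPN_RDOMAIN variable (assumed to reach the script through a "setenv
VPN_RDOMAIN 200" line in the .ovpn file), refuses to call ifconfig(8) or
route(8) when one of OpenVPN's variables is missing, and also removes the
route on --down. The DRY_RUN switch and the function names are mine.

```shell
#!/bin/sh
# Added example: OpenVPN --up/--route-up/--down hook that puts the tunnel in
# the rdomain named by VPN_RDOMAIN (assumed to be set via "setenv" in the
# .ovpn file). OpenVPN supplies script_type, dev, ifconfig_local,
# ifconfig_netmask, tun_mtu and route_vpn_gateway. DRY_RUN=1 (my own switch)
# prints the commands instead of running them, so the logic can be checked
# off-box.

log() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'log: %s\n' "$*" >&2
    else logger -t vpn-rdomain "$*"; fi
}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"
    else "$@" || log "failed: $*"; fi
}

# An unset variable would expand to nothing and ifconfig(8)/route(8) would
# quietly parse a different command, so bail out before touching anything.
require() {
    for v in "$@"; do
        eval "val=\${$v}"
        [ -n "$val" ] || { log "missing \$$v for ${script_type}"; return 1; }
    done
}

hook() {
    rdomain="${VPN_RDOMAIN:-0}"
    case "${script_type}" in
    up)
        require dev ifconfig_local ifconfig_netmask tun_mtu || return 1
        run /sbin/ifconfig "$dev" "$ifconfig_local" \
            netmask "$ifconfig_netmask" mtu "$tun_mtu" rdomain "$rdomain"
        ;;
    route-up)
        # The default route exists only in the VPN rdomain; rdomain 0 is untouched.
        require route_vpn_gateway || return 1
        run /sbin/route -T "$rdomain" add default "$route_vpn_gateway"
        ;;
    down)
        require route_vpn_gateway || return 1
        run /sbin/route -T "$rdomain" delete default "$route_vpn_gateway"
        ;;
    *)
        log "unknown script type '${script_type}'"
        return 1
        ;;
    esac
}

# Only act when OpenVPN is actually invoking us (script_type is set).
if [ -n "${script_type:-}" ]; then hook; fi
```

Point up, route-up and down at this one file in the .ovpn (together with
script-security 2, ifconfig-noexec and route-noexec as above) and every
reconnect lands the new address and route in the chosen rdomain.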



Re: ratble and rdomain support on dhcpd and openvpn

2016-07-11 Thread Pierre Emeriaud
2016-07-12 7:41 GMT+02:00 Difan Zhao :
>
> So I have been playing with rdomain and I am able to get dhcp and openvpn
> working but with some hacking. I am seeking a proper way to do this.


rcctl(8) is the way to go:

# rcctl set dhcpd rtable 200

# rcctl get dhcpd
dhcpd_class=daemon
dhcpd_flags=
dhcpd_rtable=200
dhcpd_timeout=30
dhcpd_user=root


(thanks again aja, much appreciated)