Re: [Openvpn-devel] IPv6 enhancement: non-/64 prefix lengths for IPv6
Hi,

On Sun, Jan 20, 2013 at 04:49:51PM +0100, Marcel Pennewiß wrote:
> > in time for 2.3, one of the remaining open itches for the IPv6 code
> > is now fixed :-) (and the changes needed turned out to be fairly
> > trivial).
>
> Using ifconfig-ipv6-pool instead of server-ipv6(-macro) does not allow
> non-/64 prefix (in current 2.3). Bug or Feature?

Smells buggy. As server-ipv6 is just a macro (not really, but sort of).

Indeed... options.c:

  else if (streq (p[0], "ifconfig-ipv6-pool") && p[1] )
  ...
      if ( netbits != 64 )
        {
          msg( msglevel, "--ifconfig-ipv6-pool settings: only /64 supported right now (not /%d)", netbits );
          goto err;
        }
  ...

this is a leftover from the initial days, where nothing else was supported
(not for server-ipv6 either).

Patch is trivial, please find attached.

David: 2.3.1 and 2.4.0, please :-)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                    //www.muc.de/~gert/
Gert Doering - Munich, Germany                      g...@greenie.muc.de
fax: +49-89-35655025                 g...@net.informatik.tu-muenchen.de

From cdfbc8952a01acde0eedf08fa0ebefed38fa2763 Mon Sep 17 00:00:00 2001
From: Gert Doering
List-Post: openvpn-devel@lists.sourceforge.net
Date: Sun, 20 Jan 2013 20:50:38 +0200
Subject: [PATCH] Permit pool size of /64.../112 for ifconfig-ipv6-pool

(Leftover check from the early days where --server-ipv6 also only
accepted /64 - nowadays we handle smaller pools just fine)

Signed-off-by: Gert Doering
--- src/openvpn/options.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 8ca41a3..1d89e4b 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -5484,9 +5484,9 @@ add_option (struct options *options, msg (msglevel, "error parsing --ifconfig-ipv6-pool parameters"); goto err; } - if ( netbits != 64 ) + if ( netbits < 64 || netbits > 112 ) { - msg( msglevel, "--ifconfig-ipv6-pool settings: only /64 supported right now (not /%d)", netbits ); + msg( msglevel, "--ifconfig-ipv6-pool settings: only /64../112 supported right now (not /%d)", netbits ); goto err; } -- 1.7.3.5 pgpluBHBLkzV3.pgp Description: PGP signature
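Review bot: The new bounds in "if ( netbits < 64 || netbits > 112 )" are bare literals, and nothing in the hunk says why 112 is the upper limit. The commit message explains that the old "!= 64" test was a leftover from when --server-ipv6 had the same restriction, so the two option checks have already drifted apart once; consider a pair of named constants (or a small helper) shared by both parsers, with a comment giving the reason for the /112 ceiling. The error text writes the range as "/64../112" while the subject line writes "/64.../112"; pick one form. The diffstat shows only options.c changing, so the documentation for --ifconfig-ipv6-pool should also be updated to state the accepted range.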
Re: [Openvpn-devel] IPv6 enhancement: non-/64 prefix lengths for IPv6
On Fri, 3 Feb 2012 09:44:26 +0100 Gert Doering wrote:

> Hi,
>
> in time for 2.3, one of the remaining open itches for the IPv6 code
> is now fixed :-) (and the changes needed turned out to be fairly
> trivial).

Using ifconfig-ipv6-pool instead of server-ipv6(-macro) does not allow
non-/64 prefix (in current 2.3). Bug or Feature?

Best regards,
Marcel
Re: [Openvpn-devel] [PATCH 3/3] PolarSSL-1.2 support
Is there any important system where requiring PolarSSL >= 1.2.3 is not an option, besides "admin is too lazy or can't convince his manager that he needs to upgrade"? This #ifdef stuff makes the whole story a bit inconcise. It might be suitable for 2.3.X, but not to base 2.4 or newer releases on. Barring that, I'd suggest to add stuff to fail the build with older PolarSSL versions and kill the PolarSSL < 1.2.3 code. It would seem from the changelogs that PolarSSL 1.2.N (with N highest available) does away with certain design issues in earlier versions, so there is a compelling reason to upgrade. (I was irritated anyways that the newest released OpenVPN version would not work with the newest stable PolarSSL version, and am foregoing the PolarSSL option on the FreeBSD port - we do have an up-to-date PolarSSL, so it wouldn't build.)
Re: [Openvpn-devel] [Openvpn-users] OpenVPN client released for iOS
On Sat, 19 Jan 2013 23:06:55 -0700 James Yonan wrote:

> Also... You mentioned Android 4 --

A user tested it and told me, that VPN works well. Our VPN-Server is
inside a /16 which is routed over VPN. So without the hostroute the
connection will die and VPN works well.

> I don't think the Android 4 VPN
> API has the capability to support net_gateway. OpenVPN Connect for
> Android definitely doesn't support it. And looking at Arne Schwabe's
> FAQ for ics-openvpn, in the Routing/Interface Configuration, it
> specifically mentions net_gateway as not being supported. I think
> that VpnService.Builder would have to add an excludeRoute method to
> make this possible.

FAQ says, that VPNService API will create a hostroute itself and
OpenVPN on ICS ignores net_gateway-routes.

I neither own an Android 4 nor an iOS device to test this ;) So maybe this
will work on iOS as well?

Best regards,
Marcel
Re: [Openvpn-devel] [Openvpn-users] OpenVPN client released for iOS
On 18/01/2013 15:31, Marcel Pennewiß wrote:
> On Wed, 16 Jan 2013 21:48:23 -0700 James Yonan wrote:
>
> > The client is based on the new C++ OpenVPN core that is also used in
> > the OpenVPN Connect client for Android. The C++ core is a portable,
> > lightweight class library for building OpenVPN clients and is 100%
> > protocol-compatible with the 2.x branch.
>
> It seems, that the client does not support net_gateway in pushed routes:
>
> 2013-01-17 16:55:59 EVENT: ASSIGN_IP
> 2013-01-17 16:55:59 TUN Error: tun_builder_error: error parsing IPv4 route: [route] [141.24.xxx.xxx] [255.255.255.255] [net_gateway] : tun_builder_route_error: only tunnel routes supported
> 2013-01-17 16:55:59 EVENT: TUN_SETUP_FAILED tun_builder_error: error parsing IPv4 route: [route] [141.24.xxx.xxx] [255.255.255.255] [net_gateway] : tun_builder_route_error: only tunnel routes supported [ERR]
> 2013-01-17 16:55:59 EVENT: DISCONNECTED
>
> This works as expected on Win, Linux and Android 4 (reported by user
> that there are no connection issues).
>
> Will net_gateway be available in iOS-Client in future?

It's tricky to make some of these features like net_gateway work on
mobile devices, because they don't let you add routes directly, except
through a limited API. I'll take another look at the iOS VPN API and
see if this is doable.

Also... You mentioned Android 4 -- I don't think the Android 4 VPN
API has the capability to support net_gateway. OpenVPN Connect for
Android definitely doesn't support it. And looking at Arne Schwabe's
FAQ for ics-openvpn, in the Routing/Interface Configuration, it
specifically mentions net_gateway as not being supported. I think
that VpnService.Builder would have to add an excludeRoute method to
make this possible.

James