Re: [Openvpn-devel] IPv6 enhancement: non-/64 prefix lengths for IPv6

2013-01-20 Thread Gert Doering
Hi,

On Sun, Jan 20, 2013 at 04:49:51PM +0100, Marcel Pennewiß wrote:
> > in time for 2.3, one of the remaining open itches for the IPv6 code 
> > is now fixed :-)  (and the changes needed turned out to be fairly
> > trivial).
> 
> Using ifconfig-ipv6-pool instead of server-ipv6(-macro) does not allow
> non-/64 prefix (in current 2.3). Bug or Feature?

Smells buggy.  As server-ipv6 is just a macro (not really, but sort of).

Indeed... options.c:

  else if (streq (p[0], "ifconfig-ipv6-pool") && p[1] )
...
  if ( netbits != 64 )
{
  msg( msglevel, "--ifconfig-ipv6-pool settings: only /64 supported right now (not /%d)", netbits );
  goto err;
}

... this is a leftover from the initial days, where nothing else was
supported (not for server-ipv6 either).

Patch is trivial, please find attached.  David: 2.3.1 and 2.4.0, please :-)

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de
From cdfbc8952a01acde0eedf08fa0ebefed38fa2763 Mon Sep 17 00:00:00 2001
From: Gert Doering 
List-Post: openvpn-devel@lists.sourceforge.net
Date: Sun, 20 Jan 2013 20:50:38 +0200
Subject: [PATCH] Permit pool size of /64.../112 for ifconfig-ipv6-pool

(Leftover check from the early days where --server-ipv6 also only
accepted /64 - nowadays we handle smaller pools just fine)

Signed-off-by: Gert Doering 
---
 src/openvpn/options.c |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 8ca41a3..1d89e4b 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -5484,9 +5484,9 @@ add_option (struct options *options,
  msg (msglevel, "error parsing --ifconfig-ipv6-pool parameters");
  goto err;
}
-  if ( netbits != 64 )
+  if ( netbits < 64 || netbits > 112 )
{
- msg( msglevel, "--ifconfig-ipv6-pool settings: only /64 supported 
right now (not /%d)", netbits );
+ msg( msglevel, "--ifconfig-ipv6-pool settings: only /64../112 
supported right now (not /%d)", netbits );
  goto err;
}
 
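Review bot: the bounds in `if ( netbits < 64 || netbits > 112 )` are bare literals that are repeated by hand in the error string, and neither the hunk nor the commit message says where the /112 upper limit comes from. The commit message describes the old test as a leftover from when --server-ipv6 had the same restriction, so consider named constants (or one small helper) shared with the --server-ipv6 handling if it enforces the same range, plus a one-line comment giving the reason for the limit, so the two option paths cannot drift apart again. The new message text writes the range as "/64../112" while the subject line uses "/64.../112"; pick one form. The diffstat touches only options.c, so if the manual describes a /64-only restriction for --ifconfig-ipv6-pool it needs the same update.
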
-- 
1.7.3.5





Re: [Openvpn-devel] IPv6 enhancement: non-/64 prefix lengths for IPv6

2013-01-20 Thread Marcel Pennewiß
On Fri, 3 Feb 2012 09:44:26 +0100
Gert Doering  wrote:

> Hi,
> 
> in time for 2.3, one of the remaining open itches for the IPv6 code 
> is now fixed :-)  (and the changes needed turned out to be fairly
> trivial).

Using ifconfig-ipv6-pool instead of server-ipv6(-macro) does not allow
non-/64 prefix (in current 2.3). Bug or Feature?

Best regards,
Marcel




Re: [Openvpn-devel] [PATCH 3/3] PolarSSL-1.2 support

2013-01-20 Thread Matthias Andree
Is there any important system where requiring PolarSSL >= 1.2.3 is not
an option, besides "admin is too lazy or can't convince his manager that
he needs to upgrade"?

This #ifdef stuff makes the whole story a bit inconcise.  It might be
suitable for 2.3.X, but not to base 2.4 or newer releases on.

Barring that, I'd suggest to add stuff to fail the build with older
PolarSSL versions and kill the PolarSSL < 1.2.3 code.  It would seem
from the changelogs that PolarSSL 1.2.N (with N highest available) does
away with certain design issues in earlier versions, so there is a
compelling reason to upgrade.

(I was irritated anyways that the newest released OpenVPN version would
not work with the newest stable PolarSSL version, and am foregoing the
PolarSSL option on the FreeBSD port - we do have an up-to-date PolarSSL,
so it wouldn't build.)



Re: [Openvpn-devel] [Openvpn-users] OpenVPN client released for iOS

2013-01-20 Thread Marcel Pennewiß
On Sat, 19 Jan 2013 23:06:55 -0700
James Yonan  wrote:

> Also... You mentioned Android 4 --

A user tested it and told me that VPN works well. Our VPN-Server is
inside a /16 which is routed over VPN. So without the hostroute the
connection will die and VPN works well.

> I don't think the Android 4 VPN
> API has the capability to support net_gateway.  OpenVPN Connect for
> Android definitely doesn't support it.  And looking at Arne Schwabe's
> FAQ for ics-openvpn, in the Routing/Interface Configuration, it
> specifically mentions net_gateway as not being supported.  I think
> that VpnService.Builder would have to add an excludeRoute method to
> make this possible.

FAQ says that VPNService API will create a hostroute itself and
OpenVPN on ICS ignores net_gateway-routes. I neither own an Android 4
nor an iOS device to test this ;) So maybe this will work on iOS as well?

Best regards,
Marcel



Re: [Openvpn-devel] [Openvpn-users] OpenVPN client released for iOS

2013-01-20 Thread James Yonan

On 18/01/2013 15:31, Marcel Pennewiß wrote:
> On Wed, 16 Jan 2013 21:48:23 -0700
> James Yonan  wrote:
>
>> The client is based on the new C++ OpenVPN core that is also used in
>> the OpenVPN Connect client for Android.  The C++ core is a portable,
>> lightweight class library for building OpenVPN clients and is 100%
>> protocol-compatible with the 2.x branch.
>
> It seems, that the client does not support net_gateway in pushed routes:
>
> 2013-01-17 16:55:59 EVENT: ASSIGN_IP
> 2013-01-17 16:55:59 TUN Error: tun_builder_error: error parsing IPv4
> route: [route] [141.24.xxx.xxx] [255.255.255.255] [net_gateway] :
> tun_builder_route_error: only tunnel routes supported
> 2013-01-17 16:55:59 EVENT: TUN_SETUP_FAILED tun_builder_error: error
> parsing IPv4 route: [route] [141.24.xxx.xxx] [255.255.255.255]
> [net_gateway] : tun_builder_route_error: only tunnel routes supported
> [ERR]
> 2013-01-17 16:55:59 EVENT: DISCONNECTED
>
> This works as expected on Win, Linux and Android 4 (reported by user
> that there are no connection issues).
>
> Will net_gateway be available in iOS-Client in future?

It's tricky to make some of these features like net_gateway work on 
mobile devices, because they don't let you add routes directly, except 
through a limited API.


I'll take another look at the iOS VPN API and see if this is doable.

Also... You mentioned Android 4 -- I don't think the Android 4 VPN API 
has the capability to support net_gateway.  OpenVPN Connect for Android 
definitely doesn't support it.  And looking at Arne Schwabe's FAQ for 
ics-openvpn, in the Routing/Interface Configuration, it specifically 
mentions net_gateway as not being supported.  I think that 
VpnService.Builder would have to add an excludeRoute method to make this 
possible.


James