[Openvpn-devel] [PATCH 0/5] New feature: --auth-gen-token

2016-10-13 Thread David Sommerseth
This new feature enables re-authentication of on-going sessions without
asking the user for a new password.  This is in particular useful when
the authentication scheme is based on One Time Passwords (OTP).

When OTP is used and the authentication module OpenVPN is configured to use
has no auth-token support, the clients will be asked for a new OTP each
time OpenVPN starts a re-negotiation.  What often happens is that
re-negotiation is disabled to avoid this.

OpenVPN does provide a remedy to this, by pushing a unique auth-token value
to each client.  Then the authentication module needs to keep track of which
client is using which auth-token value.  When a client receives the pushed
auth-token option and the attached value, it replaces the locally saved
password with this token value.  So for all coming re-authentications, the
client will send this value as the password instead of the users password.

But not all authentication modules add support for this feature.  By adding
--auth-gen-token to the server configuration, the OpenVPN server will take
care of the auth-token processing and authentication.  This also means that
the server will not call the configured authentication module on
re-negotiations; it will do the re-negotiation internally by itself.

This feature may be useful for non-OTP configurations as well.
Unless the OpenVPN client is configured with --auth-nocache, it will keep
the user's password in memory for the lifetime of the OpenVPN session.  With
this feature that password is replaced by the auth-token instead.

The patch-set this thread covers focuses only on this new --auth-gen-token
feature.  The --auth-token option was added in OpenVPN 2.3, but was never properly
documented.  The --auth-token documentation is tracked in this mail thread:
http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12506.html
(Message-Id: 
)

One remark regarding PATCH 1/5.  This patch is needed by PATCH 5/5.  I just
chose to split it out as a separate patch to make the core auth-gen-token
patches easier to review.  This patch can be moved anywhere before PATCH 5/5
or squashed into PATCH 5/5 if that is requested.

David Sommerseth (5):
  Move memcmp_constant_time() to crypto.h
  auth-gen-token: Add --auth-gen-token option
  auth-gen-token: Generate an auth-token per client
  auth-gen-token: Push generated auth-tokens to the client
  auth-gen-token: Authenticate generated auth-tokens when client
re-authenticates

 doc/openvpn.8| 16 ++
 src/openvpn/crypto.c | 18 ---
 src/openvpn/crypto.h | 18 +++
 src/openvpn/init.c   |  2 ++
 src/openvpn/misc.c   |  5 +++
 src/openvpn/options.c| 16 ++
 src/openvpn/options.h|  2 ++
 src/openvpn/push.c   |  9 +-
 src/openvpn/ssl.c|  6 
 src/openvpn/ssl_common.h | 11 +++
 src/openvpn/ssl_verify.c | 83 
 11 files changed, 167 insertions(+), 19 deletions(-)

-- 
1.8.3.1




[Openvpn-devel] [PATCH 3/5] auth-gen-token: Generate an auth-token per client

2016-10-13 Thread David Sommerseth
When --auth-gen-token is used a random token key is generated for
each client after a successful user/password authentication.  This
token is expected to be returned in the password field on the
following authentications.

The token is 256 bits long and BASE64 encoded before it is stored.

Signed-off-by: David Sommerseth 
---
 src/openvpn/ssl.c|  6 ++
 src/openvpn/ssl_common.h |  6 ++
 src/openvpn/ssl_verify.c | 33 +
 3 files changed, 45 insertions(+)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index c7cf78d..54b6686 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1173,6 +1173,12 @@ tls_multi_free (struct tls_multi *multi, bool clear)
 
   cert_hash_free (multi->locked_cert_hash_set);
 
+  if (multi->auth_token)
+{
+  memset (multi->auth_token, 0, AUTH_TOKEN_SIZE);
+  free (multi->auth_token);
+}
+
   for (i = 0; i < TM_SIZE; ++i)
 tls_session_free (&multi->session[i], false);
 
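Review bot: The `memset (multi->auth_token, 0, AUTH_TOKEN_SIZE)` wipes only 32 bytes, but `auth_token` holds the base64 encoding of 32 random bytes, a NUL-terminated string that is longer than that (the generating code in this patch even checks that the encoded length is not below `AUTH_TOKEN_SIZE`), so the tail of the token survives the wipe. Use the string length instead: `memset (multi->auth_token, 0, strlen (multi->auth_token));`. A plain memset immediately followed by free is a dead store a compiler may elide, so a non-elidable zeroing helper should be preferred where the tree has one. The same short wipe appears in the failed-encode branch of the ssl_verify.c hunk of this patch and in the token-mismatch branch of PATCH 5/5. tls_multi_free starts and ends outside the hunk.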
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 60121db..1b90c5e 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -351,6 +351,7 @@ struct tls_options
 /** @} name Index of key_state objects within a tls_session structure */
 /** @} addtogroup control_processor */
 
+#define AUTH_TOKEN_SIZE 32  /**< Size of server side generated auth 
tokens.  32 bytes == 256 bits */
 
 /**
  * Security parameter state of a single session within a VPN tunnel.
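Review bot: The comment on `AUTH_TOKEN_SIZE` gives the size of the raw random token, but the value stored in `tls_multi` is its base64 encoding, which is longer, and the two sizes are easy to confuse when the macro is later used as a wipe length. Suggest `/**< Raw size of server side generated auth tokens.  32 bytes == 256 bits.  The stored token is the base64 encoding of these bytes and is longer. */`.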
@@ -525,6 +526,11 @@ struct tls_multi
   uint32_t peer_id;
   bool use_peer_id;
 
+  char *auth_token;  /** If server sends a generated auth-token,
+  * this is the token to use for future
+  * user/pass authentications in this session.
+  */
+  time_t auth_token_tstamp; /**< timestamp of the generated token */
   /*
* Our session objects.
*/
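Review bot: The comment on `auth_token` opens with `/**` rather than `/**<`, so Doxygen attaches it to the following member instead of `auth_token` itself, unlike `auth_token_tstamp` on the next line which uses `/**<` correctly; change the opener to `/**<`. The text also reads as if the token were received from a server, while in this series it is the server's own generated token for the client; `/**< Server-generated auth-token for this client, expected in the password field on later authentications; NULL until generated. */` states the ownership. The timestamp comment could add that it is set when the token is generated.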
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index d0c22b8..24ec56e 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -39,6 +39,8 @@
 
 #include "misc.h"
 #include "manage.h"
+#include "otime.h"
+#include "base64.h"
 #include "ssl_verify.h"
 #include "ssl_verify_backend.h"
 
@@ -1174,6 +1176,37 @@ verify_user_pass(struct user_pass *up, struct tls_multi 
*multi,
   if (man_def_auth != KMDA_UNDEF)
ks->auth_deferred = true;
 #endif
+
+  if ((session->opt->auth_generate_token) && (NULL == multi->auth_token))
+   {
+ /* Server is configured with --auth-gen-token but no token has yet 
been
+  * generated for this client.  Generate one and save it.
+  */
+ uint8_t tok[AUTH_TOKEN_SIZE];
+
+ if (!rand_bytes(tok, AUTH_TOKEN_SIZE))
+   {
+ msg( M_FATAL, "Failed to get enough randomness for authentication 
token");
+   }
+
+ /* The token should be longer than the input when being base64 
encoded*/
+ if( openvpn_base64_encode(tok, AUTH_TOKEN_SIZE, &multi->auth_token) < 
AUTH_TOKEN_SIZE)
+   {
+ msg(D_TLS_ERRORS, "BASE64 encoding of token failed.  No 
auth-token will be activated now");
+ if (multi->auth_token)
+   {
+ memset (multi->auth_token, 0, AUTH_TOKEN_SIZE);
+ free (multi->auth_token);
+ multi->auth_token = NULL;
+   }
+   }
+ else
+   {
+ multi->auth_token_tstamp = now;
+ dmsg (D_SHOW_KEYS, "Generated token for client: %s", 
multi->auth_token);
+   }
+   }
+
   if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
set_common_name (session, up->username);
 #ifdef ENABLE_DEF_AUTH
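Review bot: The raw token in `tok` is left on the stack after `openvpn_base64_encode` has copied it out; add `memset (tok, 0, sizeof tok);` after the encode call (with the usual caveat that a memset of a dying buffer may be elided, so use the tree's non-elidable zeroing helper if one exists). The generation also runs directly after the `ks->auth_deferred = true` context line, so with deferred authentication a token is created before the outcome is known; the token is only pushed later from prepare_push_reply, which limits the exposure, but generating only once `ks->authenticated` is true (and at the point a deferred result turns positive) would be tighter. The enclosing condition is outside the hunk, so confirm which sessions reach this point. verify_user_pass starts and ends outside the hunk.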
-- 
1.8.3.1




[Openvpn-devel] [PATCH 4/5] auth-gen-token: Push generated auth-tokens to the client

2016-10-13 Thread David Sommerseth
If --auth-gen-token has been enabled and a token has been generated,
ensure this token is pushed to the client using the 'auth-token' option.

Signed-off-by: David Sommerseth 
---
 src/openvpn/misc.c   | 5 +
 src/openvpn/push.c   | 9 -
 src/openvpn/ssl_common.h | 2 ++
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 225f0bf..b74ac9d 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -2073,6 +2073,11 @@ sanitize_control_message(const char *src, struct 
gc_arena *gc)
  skip = 4;
  redact = true;
}
+  else if (!check_debug_level(D_SHOW_KEYS) && (c == 'a' && !strncmp(src, 
"auth-token ", 11)))
+   {
+ skip = 10;
+ redact = true;
+   }
 
   if (c == ',') /* end of redacted item? */
{
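Review bot: The new branch evaluates `check_debug_level(D_SHOW_KEYS)` before the cheap character test, whereas the sibling branches (one is visible above it) test the character first; `else if (c == 'a' && !strncmp(src, "auth-token ", 11) && !check_debug_level(D_SHOW_KEYS))` keeps the same shape. Since this leaves the token readable in control-channel logs at key-showing verbosity, a one-line comment such as `/* auth-token values are only logged at verbosity levels that also show keys */` would record that this is deliberate. sanitize_control_message starts and ends outside the hunk.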
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index ee2eda4..0fb87ba 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -309,7 +309,7 @@ prepare_push_reply (struct context *c, struct gc_arena *gc,
struct push_list *push_list)
 {
   const char *optstr = NULL;
-  const struct tls_multi *tls_multi = c->c2.tls_multi;
+  struct tls_multi *tls_multi = c->c2.tls_multi;
   const char * const peer_info = tls_multi->peer_info;
   struct options *o = &c->options;
 
@@ -371,6 +371,13 @@ prepare_push_reply (struct context *c, struct gc_arena *gc,
  push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
}
 }
+
+  /* If server uses --auth-gen-token and we have an auth token to send to 
client */
+  if (false == tls_multi->auth_token_sent && NULL != tls_multi->auth_token)
+{
+  push_option_fmt(gc, push_list, M_USAGE, "auth-token %s", 
tls_multi->auth_token);
+  tls_multi->auth_token_sent = true;
+}
   return true;
 }
 
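Review bot: `auth_token_sent` is set to true when the option is queued into `push_list`, not when the client has received the reply, so if prepare_push_reply runs more than once for the same session (a repeated PUSH_REQUEST, for instance) only the first reply carries the token. That is probably intended, as the token stays the same, but it is worth a comment, e.g. `/* Push the token once; later replies rely on the client having stored it */`. The `false == ... && NULL != ...` ordering is not the style used in the surrounding file; `if (!tls_multi->auth_token_sent && tls_multi->auth_token)` reads like the rest of the function.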
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 1b90c5e..3d802c9 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -526,6 +526,8 @@ struct tls_multi
   uint32_t peer_id;
   bool use_peer_id;
 
+  bool auth_token_sent;  /**< If server uses --auth-gen-token and
+  *   token has been sent to client */
   char *auth_token;  /** If server sends a generated auth-token,
   * this is the token to use for future
   * user/pass authentications in this session.
-- 
1.8.3.1




[Openvpn-devel] [PATCH 1/5] Move memcmp_constant_time() to crypto.h

2016-10-13 Thread David Sommerseth
This function is quite useful other places, so make it generally
accessible.

Signed-off-by: David Sommerseth 
---
 src/openvpn/crypto.c | 18 --
 src/openvpn/crypto.h | 18 ++
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 3dd4a9e..026d9ae 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -66,24 +66,6 @@
 #define CRYPT_ERROR(format) \
   do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } 
while (false)
 
-/**
- * As memcmp(), but constant-time.
- * Returns 0 when data is equal, non-zero otherwise.
- */
-static int
-memcmp_constant_time (const void *a, const void *b, size_t size) {
-  const uint8_t * a1 = a;
-  const uint8_t * b1 = b;
-  int ret = 0;
-  size_t i;
-
-  for (i = 0; i < size; i++) {
-  ret |= *a1++ ^ *b1++;
-  }
-
-  return ret;
-}
-
 static void
 openvpn_encrypt_aead (struct buffer *buf, struct buffer work,
 struct crypto_options *opt) {
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 3b6bb98..9ae0610 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -476,6 +476,24 @@ void get_tls_handshake_key (const struct key_type 
*key_type,
  * Inline functions
  */
 
+/**
+ * As memcmp(), but constant-time.
+ * Returns 0 when data is equal, non-zero otherwise.
+ */
+static int
+memcmp_constant_time (const void *a, const void *b, size_t size) {
+  const uint8_t * a1 = a;
+  const uint8_t * b1 = b;
+  int ret = 0;
+  size_t i;
+
+  for (i = 0; i < size; i++) {
+  ret |= *a1++ ^ *b1++;
+  }
+
+  return ret;
+}
+
 static inline bool
 key_ctx_bi_defined(const struct key_ctx_bi* key)
 {
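Review bot: `memcmp_constant_time` is defined `static int` in a header, so every translation unit that includes crypto.h gets its own copy and `-Wunused-function` warns in the ones that never call it; `key_ctx_bi_defined` two lines below is `static inline` for exactly this reason. Change the definition to `static inline int` and put the opening brace on its own line to match the neighbouring inline functions. The function's contract of returning 0 only when equal is preserved by the move, so nothing else needs to change.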
-- 
1.8.3.1




[Openvpn-devel] [PATCH 2/5] auth-gen-token: Add --auth-gen-token option

2016-10-13 Thread David Sommerseth
This sets the flag if the OpenVPN server should create authentication
tokens on-the-fly on successful --auth-user-pass-verify or --plugin with
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY processing.

If an OpenVPN server is running without this option, it should behave
as before.  Next patches will implement the auth-token generation and
passing it on to the clients.

The --auth-gen-token can be given an optional integer argument which
defines the lifetime of generated tokens.  The lifetime argument
must be given in number of seconds.

Signed-off-by: David Sommerseth 
---
 doc/openvpn.8| 16 
 src/openvpn/init.c   |  2 ++
 src/openvpn/options.c| 16 
 src/openvpn/options.h|  2 ++
 src/openvpn/ssl_common.h |  3 +++
 5 files changed, 39 insertions(+)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 1c341ae..521bd9b 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3595,6 +3595,22 @@ For a sample script that performs PAM authentication, see
 in the OpenVPN source distribution.
 .\"*
 .TP
+.B \-\-auth\-gen\-token [lifetime]
+After successful user/password authentication, the OpenVPN
+server will with this option generate a temporary
+authentication token and push that to client.  On the following
+renegotiations, the OpenVPN client will pass this token instead
+of the users password.  On the server side the server will do
+the token authentication internally and it will NOT do any
+additional authentications against configured external
+user/password authentication mechanisms.
+
+This feature is useful for environments which is configured
+to use One Time Passwords (OTP) as part of the user/password
+authentications and that authentication mechanism does not
+implement any auth-token support.
+.\"*
+.TP
 .B \-\-opt\-verify
 Clients that connect with options that are incompatible
 with those of the server will be disconnected.
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index cc8e945..5a8cb1f 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2427,6 +2427,8 @@ do_init_crypto_tls (struct context *c, const unsigned int 
flags)
   if (options->ccd_exclusive)
 to.client_config_dir_exclusive = options->client_config_dir;
   to.auth_user_pass_file = options->auth_user_pass_file;
+  to.auth_generate_token = options->auth_generate_token;
+  to.auth_token_lifetime = options->auth_token_lifetime;
 #endif
 
   to.x509_track = options->x509_track;
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 1ed14b0..1037619 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -445,6 +445,11 @@ static const char usage_message[] =
   "  run command cmd to verify.  If method='via-env', pass\n"
   "  user/pass via environment, if method='via-file', pass\n"
   "  user/pass via temporary file.\n"
+  "--auth-gen-token  [lifetime] Generate a random authentication token which 
is pushed\n"
+  "  to each client, replacing the password.  Usefull when\n"
+  "  OTP based two-factor auth mechanisms are in use and\n"
+  "  --reneg-* options are enabled. Optionally a lifetime in 
seconds\n"
+  "  for generated tokens can be set.\n"
   "--opt-verify: Clients that connect with options that are incompatible\n"
   "  with those of the server will be disconnected.\n"
   "--auth-user-pass-optional : Allow connections by clients that don't\n"
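Review bot: The usage text contains the misspelling `Usefull`; the line should read `"  to each client, replacing the password.  Useful when\n"`. The usage entry could also mention that the option requires `--mode server`, which the postprocessing check in this patch enforces, so users see the constraint before hitting the error.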
@@ -864,6 +869,7 @@ init_options (struct options *o, const bool init_gc)
 #ifdef ENABLE_PKCS11
   o->pkcs11_pin_cache_period = -1;
 #endif /* ENABLE_PKCS11 */
+  o->auth_generate_token = false;
 
 /* tmp is only used in P2MP server context */
 #if P2MP_SERVER
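Review bot: `auth_generate_token` is initialised here but `auth_token_lifetime` is not, although both are copied into `tls_options` by the init.c hunk of this patch. If init_options clears the whole struct before this point (outside the hunk) the explicit `false` is redundant and can be dropped; otherwise the lifetime needs `o->auth_token_lifetime = 0;` next to it so an unset lifetime reliably means "no expiry" in the check that PATCH 5/5 adds.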
@@ -1264,6 +1270,8 @@ show_p2mp_parms (const struct options *o)
   SHOW_INT (max_routes_per_client);
   SHOW_STR (auth_user_pass_verify_script);
   SHOW_BOOL (auth_user_pass_verify_script_via_file);
+  SHOW_BOOL (auth_generate_token);
+  SHOW_INT (auth_token_lifetime);
 #if PORT_SHARE
   SHOW_STR (port_share_host);
   SHOW_STR (port_share_port);
@@ -2194,6 +2202,8 @@ options_postprocess_verify_ce (const struct options 
*options, const struct conne
  "tcp-nodelay in the server configuration instead.");
   if (options->auth_user_pass_verify_script)
msg (M_USAGE, "--auth-user-pass-verify requires --mode server");
+  if (options->auth_generate_token)
+   msg (M_USAGE, "--auth-gen-token requires --mode server");
 #if PORT_SHARE
   if (options->port_share_host || options->port_share_port)
msg (M_USAGE, "--port-share requires TCP server mode (--mode server 
--proto tcp-server)");
@@ -5973,6 +5983,12 @@ add_option (struct options *options,
   &options->auth_user_pass_verify_script,
   p[1], "auth-user-pass-verify", true);
 }
+  els

[Openvpn-devel] [PATCH 5/5] auth-gen-token: Authenticate generated auth-tokens when client re-authenticates

2016-10-13 Thread David Sommerseth
On a server with --auth-gen-token enabled, the server will have created
a random token and pushed it to the client.  When the client needs to
renegotiate the connection or otherwise reconnect, it will at this point
use the auth-token as password.

Here we check if we have a token generated and that it has been pushed
to the client, if so, then we check if the token matches the locally
stored token.  If everything matches, we're done and the connection
is still authenticated.

If the auth-token authentication fails, we delete our local copy of
the token and mark the connection as not authenticated.  From
this moment on, the client needs to do a full reconnect, providing
the user's password again.

This token authentication also considers the token lifetime, if that
have been set via --auth-gen-token.  If the token have expired, the
client is rejected and needs to do a full reconnect with a new
authentication using the users password.

Signed-off-by: David Sommerseth 
---
 src/openvpn/ssl_verify.c | 50 
 1 file changed, 50 insertions(+)

diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 24ec56e..aa982e4 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -1139,6 +1139,55 @@ verify_user_pass(struct user_pass *up, struct tls_multi 
*multi,
   string_mod_remap_name (up->username, COMMON_NAME_CHAR_CLASS);
   string_mod (up->password, CC_PRINT, CC_CRLF, '_');
 
+  /* If server is configured with --auth-gen-token and we have an
+   * authentication token for this client, base this authentication round
+   * based on this token instead.
+   */
+  if (session->opt->auth_generate_token && multi->auth_token_sent && NULL != 
multi->auth_token)
+{
+  /* Ensure that the username have not changed */
+  if (!tls_lock_username(multi, up->username))
+{
+  ks->authenticated = false;
+  goto done;
+}
+
+  /* If auth-token lifetime have been enabled, ensure the token is still 
valid */
+  if (session->opt->auth_token_lifetime > 0
+  && (multi->auth_token_tstamp + session->opt->auth_token_lifetime) < 
now )
+{
+  msg (D_HANDSHAKE, "Auth-token for client expired\n");
+  ks->authenticated = false;
+  goto done;
+}
+
+  if (memcmp_constant_time(multi->auth_token, up->password,
+ strlen(multi->auth_token)) != 0)
+{
+  memset (multi->auth_token, 0, AUTH_TOKEN_SIZE);
+  free (multi->auth_token);
+  multi->auth_token = NULL;
+  multi->auth_token_sent = false;
+  ks->authenticated = false;
+  tls_deauthenticate (multi);
+
+  msg (D_TLS_ERRORS, "TLS Auth Error: Auth token verification failed 
for username '%s' %s",
+   up->username,
+   (session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN 
SET]" : "");
+}
+  else
+{
+  ks->authenticated = true;
+
+  if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
+set_common_name (session, up->username);
+  msg (D_HANDSHAKE, "TLS: Username/auth-token authentication succeeded 
for username '%s' %s",
+   up->username,
+   (session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN 
SET]" : "");
+}
+  goto done;
+}
+
   /* call plugin(s) and/or script */
 #ifdef MANAGEMENT_DEF_AUTH
   if (man_def_auth == KMDA_DEF)
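Review bot: The token comparison covers only `strlen(multi->auth_token)` bytes of `up->password`, so any password that begins with the token followed by extra characters is accepted; compare the lengths as well (the token length is a fixed value, so comparing against it leaks nothing about the token). The expiry branch is also inconsistent with the mismatch branch: it leaves the token and `auth_token_sent` in place and does not call `tls_deauthenticate`, so the next renegotiation in the same session takes the token path again and cannot fall back to password verification, whereas wiping the token there matches the description's "full reconnect". The trailing `\n` in the expiry `msg()` is not used by the other messages in this function. verify_user_pass starts and ends outside the hunk.
```c
      /* If auth-token lifetime have been enabled, ensure the token is still valid */
      if (session->opt->auth_token_lifetime > 0
          && (multi->auth_token_tstamp + session->opt->auth_token_lifetime) < now)
        {
          msg (D_HANDSHAKE, "Auth-token for client expired");
          /* Drop the token so a later round cannot be verified against it */
          memset (multi->auth_token, 0, strlen (multi->auth_token));
          free (multi->auth_token);
          multi->auth_token = NULL;
          multi->auth_token_sent = false;
          ks->authenticated = false;
          tls_deauthenticate (multi);
          goto done;
        }

      /* Reject a password that merely starts with the token */
      if (strlen (up->password) != strlen (multi->auth_token)
          || memcmp_constant_time (multi->auth_token, up->password,
                                   strlen (multi->auth_token)) != 0)
      /* … unchanged: mismatch and success branches … */
```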
@@ -1226,6 +1275,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi 
*multi,
   msg (D_TLS_ERRORS, "TLS Auth Error: Auth Username/Password verification 
failed for peer");
 }
 
+ done:
   gc_free (&gc);
 }
 
-- 
1.8.3.1




[Openvpn-devel] [Patch v5] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-10-13 Thread Arne Schwabe
This option was useful when Ipv6 tun support was non standard and was an 
internal/user specified flag that tracked the Ipv6 capability of the tun device.

All supported OSes support IPv6. Also, tun-ipv6 can be pushed by the remote, so
omitting tun-ipv6 does not rule out IPv6 addresses.

This commit also clean up a bit of the ipv6 related tun.c. Changes for most 
platforms are minimal.

For linux a bit more cleanup is done:
- Remove compatibility defines that were added 2008
- Always use IFF_NO_PI for the linux tun and not only for IPv4 only tun setups 
(Android also always IFF_NO_PI works fine with Ipv6).

This commit also remove a non ipv6 fallback for tap driver from OpenVPN 
2.2-beta or earlier and only warns.

Patch V2: Integrate Gert's comments
Patch V3: Remove tun_ipv4 option. It only used for MTU discovery and there it 
was wrong since it should on the transport protocol if at all
Patch V4: Completely remove support for NetBSD <= 4.0 and remove 
NETBSD_MULTI_AF defines
Patch V5: Assume generic OS in tun.c is also IPv6 capable. Add changes to man 
page. Fix typos/change message as suggest by David.
---
 Changes.rst   |   4 ++
 doc/openvpn.8 |  21 ++-
 src/openvpn/forward.c |   2 +-
 src/openvpn/helper.c  |   2 -
 src/openvpn/init.c|   6 --
 src/openvpn/multi.c   |   8 +--
 src/openvpn/openvpn.h |   5 --
 src/openvpn/options.c |  13 +---
 src/openvpn/options.h |   1 -
 src/openvpn/route.c   |  14 ++---
 src/openvpn/tun.c | 160 +-
 src/openvpn/tun.h |   2 -
 12 files changed, 47 insertions(+), 191 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index 9fcba75..27dc99e 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -135,6 +135,10 @@ User-visible Changes
   ciphers configured in the config file.  Use --ncp-disable if you don't want
   that.
 
+- All tun devices on all platforms are always considered to be IPv6
+  capable. The --tun-ipv6 option is ignored (behaves like it is always
+  on).
+
 
 Maintainer-visible changes
 --
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 1c341ae..2e58f33 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -797,18 +797,6 @@ changes the interpretation of the arguments of
 to mean "address netmask", no longer "local remote".
 .\"*
 .TP
-.B \-\-tun\-ipv6
-Build a tun link capable of forwarding IPv6 traffic.
-Should be used in conjunction with
-.B \-\-dev tun
-or
-.B \-\-dev tunX.
-A warning will be displayed
-if no specific IPv6 TUN support for your OS has been compiled into OpenVPN.
-
-See below for further IPv6-related configuration options.
-.\"*
-.TP
 .B \-\-dev\-node node
 Explicitly set the device node rather than using
 /dev/net/tun, /dev/tun, /dev/tap, etc.  If OpenVPN
@@ -3600,7 +3588,7 @@ Clients that connect with options that are incompatible
 with those of the server will be disconnected.
 
 Options that will be compared for compatibility include
-dev\-type, link\-mtu, tun\-mtu, proto, tun\-ipv6, ifconfig,
+dev\-type, link\-mtu, tun\-mtu, proto, ifconfig,
 comp\-lzo, fragment, keydir, cipher, auth, keysize, secret,
 no\-replay, no\-iv, tls\-auth, key\-method, tls\-server, and tls\-client.
 
@@ -5870,10 +5858,13 @@ is used.
 .B \-\-server\-ipv6 ipv6addr/bits
 convenience-function to enable a number of IPv6 related options at
 once, namely
-.B \-\-ifconfig\-ipv6, \-\-ifconfig\-ipv6\-pool, \-\-tun\-ipv6
+.B \-\-ifconfig\-ipv6, \-\-ifconfig\-ipv6\-pool
 and
 .B \-\-push tun\-ipv6
-Is only accepted if ``\-\-mode server'' or ``\-\-server'' is set.
+Is only accepted if ``\-\-mode server'' or ``\-\-server'' is set. Pushing of 
the
+.B \-\-tun\-ipv6
+directive is done for older clients which require an explicit
+``\-\-tun\-ipv6'' in their configuration.
 .TP
 .B \-\-ifconfig\-ipv6\-pool ipv6addr/bits
 Specify an IPv6 address pool for dynamic assignment to clients.  The
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 6c11439..b3077ed 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -391,7 +391,7 @@ check_fragment_dowork (struct context *c)
   struct link_socket_info *lsi = get_link_socket_info (c);
 
   /* OS MTU Hint? */
-  if (lsi->mtu_changed && c->c2.ipv4_tun)
+  if (lsi->mtu_changed)
 {
   frame_adjust_path_mtu (&c->c2.frame_fragment, c->c2.link_socket->mtu,
 c->options.ce.proto);
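Review bot: With `c->c2.ipv4_tun` removed, the OS MTU hint is now applied for every tun device, which is what the description argues is correct because path MTU depends on the transport rather than on the tun address family; a short comment on the condition would preserve that reasoning for the next reader, e.g. `/* OS MTU hint: path MTU depends on the transport, not on the tun address family */`. check_fragment_dowork continues outside the hunk.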
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 62f88ec..229523d 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -200,8 +200,6 @@ helper_client_server (struct options *o)
add_in6_addr( o->server_network_ipv6, 0x1000 );
o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6;
 
-   o->tun_ipv6 = true;
-
push_option( o, "tun-ipv6", M_USAGE );
  }
 
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index cc8e945..73f8c6d 100644
--- a/src/openv

Re: [Openvpn-devel] [PATCH applied] Check --ncp-ciphers list on startup

2016-10-13 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Your patch has been applied to the master branch

commit dc4fa3c4656b92aff3f26d4134c509410add142e
Author: Steffan Karger
Date:   Wed Oct 12 09:32:49 2016 +0200

 Check --ncp-ciphers list on startup

 Signed-off-by: Steffan Karger 
 Acked-by: Selva Nair 
 Message-Id: <1476257569-16301-1-git-send-email-stef...@karger.me>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12671.html
 Trac: #737
 Signed-off-by: David Sommerseth 


- --
kind regards,

David Sommerseth

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (GNU/Linux)
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=t9Hn
-END PGP SIGNATURE-



Re: [Openvpn-devel] [PATCH applied] Change the hold command to communicate the time that OpenVPN would wait to the UI.

2016-10-13 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Your patch has been applied to the master branch

commit 396d30c264e6cb6b9f57c3e566f3b7187662
Author: Arne Schwabe
Date:   Wed Oct 12 12:47:07 2016 +0200

 Change the hold command to communicate the time that OpenVPN would wait to 
the UI.

 Acked-by: Selva Nair 
 Message-Id: <1476269227-13290-1-git-send-email-a...@rfc2549.org>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12675.html
 Signed-off-by: David Sommerseth 


- --
kind regards,

David Sommerseth

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (GNU/Linux)
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=yszQ
-END PGP SIGNATURE-



Re: [Openvpn-devel] [PATCH v4] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-10-13 Thread David Sommerseth
On 12/10/16 11:13, Arne Schwabe wrote:
> This option was useful when Ipv6 tun support was non standard and was
> an internal/user specified flag that tracked the Ipv6 capability of
> the tun device.
> 
> All supported OS support IPv6. Also tun-ipv6 is pushable by the 
> remote so not putting tun-ipv6 does not forbid ipv6 addresses.
> 
> This commit also clean up a bit of the ipv6 related tun.c. Changes 
> for most platforms are minimal.
> 
> For linux a bit more cleanup is done: - Remove compatibility defines 
> that were added 2008 - Always use IFF_NO_PI for the linux tun and
> not only for IPv4 only tun setups (Android also always IFF_NO_PI
> works fine with Ipv6).
> 
> This commit also remove a non ipv6 fallback for tap driver from
> OpenVPN 2.2-beta or earlier and only warns.
> 
> Patch V2: Integrate Gert's comments Patch V3: Remove tun_ipv4 option.
> It only used for MTU discovery and there it was wrong since it should
> on the transport protocol if at all Patch V4: Completely remove
> support for NetBSD <= 4.0 and remove NETBSD_MULTI_AF defines
> ---
>  Changes.rst   |   3 ++
>  src/openvpn/forward.c |   2 +-
>  src/openvpn/helper.c  |   2 -
>  src/openvpn/init.c|   6 ---
>  src/openvpn/multi.c   |   8 ++-
>  src/openvpn/openvpn.h |   5 --
>  src/openvpn/options.c |  11 +---
>  src/openvpn/options.h |   1 -
>  src/openvpn/route.c   |  13 ++---
>  src/openvpn/tun.c | 139 
> +++---
>  src/openvpn/tun.h |   2 -
>  11 files changed, 30 insertions(+), 162 deletions(-)
> 
> diff --git a/Changes.rst b/Changes.rst
> index 9fcba75..2956003 100644
> --- a/Changes.rst
> +++ b/Changes.rst
> @@ -135,6 +135,9 @@ User-visible Changes
>ciphers configured in the config file.  Use --ncp-disable if you don't want
>that.
>  
> +- ALl tun devices on all platforms are considered always IPv6 capable. The 
> --tun-ipv6

Silly typo.  (I would have fixed this one in-flight, had it not been for
a few other minor things).
[...snip...]
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index d97dc8f..ee8d351 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -4577,7 +4569,6 @@ add_option (struct options *options,
>else if (streq (p[0], "tun-ipv6") && !p[1])
>  {
>VERIFY_PERMISSION (OPT_P_UP);
> -  options->tun_ipv6 = true;

Should we add a "Deprecated/NO-OP option used." message?

[...snip]
aace2af..8a3bbba 100644
> --- a/src/openvpn/route.c
> +++ b/src/openvpn/route.c
> @@ -1729,10 +1729,10 @@ add_route_ipv6 (struct route_ipv6 *r6, const struct 
> tuntap *tt, unsigned int fla
>  }
>  #endif
>  
> -  if ( !tt->ipv6 )
> +  if (!tt->did_ifconfig_ipv6_setup)
>  {
> -  msg( M_INFO, "add_route_ipv6(): not adding %s/%d, no IPv6 on if %s",
> - network, r6->netbits, device );
> +  msg( M_INFO, "add_route_ipv6(): not adding %s/%d, no IPv6 ifconfig on 
> if %s",
> + network, r6->netbits, device);

>

Wouldn't it be nicer if we said "no IPv6 address configured on
interface %s"?  Just trying to be slightly more user friendly in the
logs.

[...snip...]

> diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
> index b7a29f7..226ff7d 100644
> --- a/src/openvpn/tun.c
> +++ b/src/openvpn/tun.c
> @@ -741,8 +741,8 @@ do_ifconfig (struct tuntap *tt,
>  
>argv_init (&argv);
>  
> -  msg( M_INFO, "do_ifconfig, tt->ipv6=%d, 
> tt->did_ifconfig_ipv6_setup=%d",
> -tt->ipv6, tt->did_ifconfig_ipv6_setup );
> +  msg( M_INFO, "do_ifconfig, tt->did_ifconfig_ipv6_setup=%d",
> + tt->did_ifconfig_ipv6_setup );

While we're changing log lines ... could we make this one a bit less
technical, or at least increase the verb level if we want it to be so
technical?  Again, just to be more user friendly

[...snip...]

> @@ -1526,7 +1513,7 @@ open_tun_generic (const char *dev, const char 
> *dev_type, const char *dev_node,
>bool dynamic_opened = false;
>  
>  
> -  if ( tt->ipv6 && ! ipv6_explicitly_supported )
> +  if (  ! ipv6_explicitly_supported )
>  msg (M_WARN, "NOTE: explicit support for IPv6 tun devices is not 
> provided for this OS");

Isn't this if() block a NOOP?

$ git grep -Hni ipv6_explicitly_supported
src/openvpn/tun.c:1521:  bool ipv6_explicitly_supported, bool dynamic,
src/openvpn/tun.c:1529:  if ( tt->ipv6 && ! ipv6_explicitly_supported )

Could we kill this as well?

[...snip...]

> @@ -1977,53 +1940,13 @@ close_tun (struct tuntap *tt)
>  int
>  write_tun (struct tuntap* tt, uint8_t *buf, int len)
>  {
> -  if (tt->ipv6)
> -{
> -  struct tun_pi pi;
> -  struct iphdr *iph;
> -  struct iovec vect[2];
> -  int ret;
> -
> -  iph = (struct iphdr *)buf;
> -
> -  pi.flags = 0;
> -
> -  if(iph->version == 6)
> - pi.proto = htons(OPENVPN_ETH_P_IPV6);
> -  else
> - pi.proto = htons(OPENVPN_ETH_P_IPV4);

whitespace issues.

[...snip...]

> @@ -5308,11 +5208,10 @@ open_tun (const char *dev, const

Re: [Openvpn-devel] [PATCH v4] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-10-13 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Please disregard this mail.  I will resend it without getting it
destroyed by Enigmail's text wrapping.

David S.



On 13/10/16 17:52, David Sommerseth wrote:
> On 12/10/16 11:13, Arne Schwabe wrote:
>> This option was useful when Ipv6 tun support was non standard
>> and was an internal/user specified flag that tracked the Ipv6 
>> capability of the tun device.
> 
>> All supported OS support IPv6. Also tun-ipv6 is pushable by the 
>> remote so not putting tun-ipv6 does not forbid ipv6 addresses.
> 
>> This commit also clean up a bit of the ipv6 related tun.c.
>> Changes for most platforms are minimal.
> 
>> For linux a bit more cleanup is done: - Remove compatibility 
>> defines that were added 2008 - Always use IFF_NO_PI for the
>> linux tun and not only for IPv4 only tun setups (Android also
>> always IFF_NO_PI works fine with Ipv6).
> 
>> This commit also remove a non ipv6 fallback for tap driver from 
>> OpenVPN 2.2-beta or earlier and only warns.
> 
>> Patch V2: Integrate Gert's comments Patch V3: Remove tun_ipv4 
>> option. It only used for MTU discovery and there it was wrong
>> since it should on the transport protocol if at all Patch V4:
>> Completely remove support for NetBSD <= 4.0 and remove
>> NETBSD_MULTI_AF defines --- Changes.rst   |   3 ++
>> src/openvpn/forward.c | 2 +- src/openvpn/helper.c  |   2 -
>> src/openvpn/init.c|   6 --- src/openvpn/multi.c   |   8 ++-
>> src/openvpn/openvpn.h |   5 -- src/openvpn/options.c |  11 +---
>> src/openvpn/options.h |   1 - src/openvpn/route.c   |  13 ++---
>> src/openvpn/tun.c | 139 
>> +++--- 
>> src/openvpn/tun.h |   2 - 11 files changed, 30
>> insertions(+), 162 deletions(-)
> 
>> diff --git a/Changes.rst b/Changes.rst index 9fcba75..2956003 
>> 100644 --- a/Changes.rst +++ b/Changes.rst @@ -135,6 +135,9 @@ 
>> User-visible Changes ciphers configured in the config file.  Use 
>> --ncp-disable if you don't want that.
> 
>> +- ALl tun devices on all platforms are considered always IPv6 
>> capable. The --tun-ipv6
> 
> Silly typo.  (I would have done this one in-flight, had it not been
> for a few other minor things).
> 
> [...snip...]
>> @@ -4577,7 +4569,6 @@ add_option (struct options *options, else
>> if (streq (p[0], "tun-ipv6") && !p[1]) { VERIFY_PERMISSION 
>> (OPT_P_UP); -  options->tun_ipv6 = true; }
> 
> Should we add a "Deprecated/NO-OP option used." message?
> 
> [...snip]
> 
>> +++ b/src/openvpn/route.c @@ -1729,10 +1729,10 @@ add_route_ipv6 
>> (struct route_ipv6 *r6, const struct tuntap *tt, unsigned int fla
>>  } #endif
> 
>> -  if ( !tt->ipv6 ) +  if (!tt->did_ifconfig_ipv6_setup) { - msg(
>> M_INFO, "add_route_ipv6(): not adding %s/%d, no IPv6 on if %s", -
>> network, r6->netbits, device ); +  msg( M_INFO, 
>> "add_route_ipv6(): not adding %s/%d, no IPv6 ifconfig on if %s",
>> + network, r6->netbits, device);
> 
> Wouldn't it be nicer if we said "no IPv6 address configured on
> interface %s"?  Just trying to be slightly more user friendly in
> the logs.
> 
>> --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -741,8 +741,8
>> @@ do_ifconfig (struct tuntap *tt,
> 
>> argv_init (&argv);
> 
>> -  msg( M_INFO, "do_ifconfig, tt->ipv6=%d, 
>> tt->did_ifconfig_ipv6_setup=%d", -  tt->ipv6, 
>> tt->did_ifconfig_ipv6_setup ); +  msg( M_INFO, "do_ifconfig, 
>> tt->did_ifconfig_ipv6_setup=%d", + tt->did_ifconfig_ipv6_setup
>> );
> 
> While we're changing log lines ... could we make this one a bit
> less technical, or at least increase the verb level if we want it
> to be so technical?  Again, just to be more user friendly
> 
> [...snip...]
> 
>> @@ -1526,7 +1513,7 @@ open_tun_generic (const char *dev, const
>> char *dev_type, const char *dev_node, bool dynamic_opened =
>> false;
> 
> 
>> -  if ( tt->ipv6 && ! ipv6_explicitly_supported ) +  if (  ! 
>> ipv6_explicitly_supported ) msg (M_WARN, "NOTE: explicit support 
>> for IPv6 tun devices is not provided for this OS");
> 
> Isn't this if() block a NOOP?
> 
> $ git grep -Hni ipv6_explicitly_supported src/openvpn/tun.c:1521:
> bool ipv6_explicitly_supported, bool dynamic, 
> src/openvpn/tun.c:1529:  if ( tt->ipv6 && !
> ipv6_explicitly_supported )
> 
> Could we kill this as well?
> 
> 
> [...snip...]
>> @@ -1977,53 +1940,13 @@ close_tun (struct tuntap *tt) int
>> write_tun (struct tuntap* tt, uint8_t *buf, int len) { -  if
>> (tt->ipv6) - { -  struct tun_pi pi; -  struct iphdr *iph;
>> -  struct iovec vect[2]; -  int ret; - -  iph =
>> (struct iphdr *)buf; - -  pi.flags = 0; - -
>> if(iph->version == 6) -  pi.proto = htons(OPENVPN_ETH_P_IPV6); -
>> else -   pi.proto = htons(OPENVPN_ETH_P_IPV4); - -
>> vect[0].iov_len = sizeof(pi); - vect[0].iov_base = π -
>> vect[1].iov_len = len; - vect[1].iov_base = buf; - -  ret =
>> writev(tt->fd, vect, 2); - return(ret - sizeof(pi)); -} -
>> else -return write (tt->fd, b

Re: [Openvpn-devel] [PATCH v4] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-10-13 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 12/10/16 11:13, Arne Schwabe wrote:
> This option was useful when Ipv6 tun support was non standard and
> was an internal/user specified flag that tracked the Ipv6
> capability of the tun device.
> 
> All supported OS support IPv6. Also tun-ipv6 is pushable by the
> remote so not putting tun-ipv6 does not forbid ipv6 addresses.
> 
> This commit also clean up a bit of the ipv6 related tun.c. Changes
> for most platforms are minimal.
> 
> For linux a bit more cleanup is done: - Remove compatibility
> defines that were added 2008 - Always use IFF_NO_PI for the linux
> tun and not only for IPv4 only tun setups (Android also always
> IFF_NO_PI works fine with Ipv6).
> 
> This commit also remove a non ipv6 fallback for tap driver from
> OpenVPN 2.2-beta or earlier and only warns.
> 
> Patch V2: Integrate Gert's comments Patch V3: Remove tun_ipv4
> option. It only used for MTU discovery and there it was wrong since
> it should on the transport protocol if at all Patch V4: Completely
> remove support for NetBSD <= 4.0 and remove NETBSD_MULTI_AF
> defines --- Changes.rst   |   3 ++ src/openvpn/forward.c |
> 2 +- src/openvpn/helper.c  |   2 - src/openvpn/init.c|   6 --- 
> src/openvpn/multi.c   |   8 ++- src/openvpn/openvpn.h |   5 -- 
> src/openvpn/options.c |  11 +--- src/openvpn/options.h |   1 - 
> src/openvpn/route.c   |  13 ++--- src/openvpn/tun.c | 139
> +++--- 
> src/openvpn/tun.h |   2 - 11 files changed, 30 insertions(+),
> 162 deletions(-)
> 
> diff --git a/Changes.rst b/Changes.rst index 9fcba75..2956003
> 100644 --- a/Changes.rst +++ b/Changes.rst @@ -135,6 +135,9 @@
> User-visible Changes ciphers configured in the config file.  Use
> --ncp-disable if you don't want that.
> 
> +- ALl tun devices on all platforms are considered always IPv6
> capable. The --tun-ipv6

Silly typo.  (I would have done this one in-flight, had it not been for
a few other minor things).

[...snip...]
> @@ -4577,7 +4569,6 @@ add_option (struct options *options, else if
> (streq (p[0], "tun-ipv6") && !p[1]) { VERIFY_PERMISSION
> (OPT_P_UP); -  options->tun_ipv6 = true; }

Should we add a "Deprecated/NO-OP option used." message?

[...snip]

> +++ b/src/openvpn/route.c @@ -1729,10 +1729,10 @@ add_route_ipv6
> (struct route_ipv6 *r6, const struct tuntap *tt, unsigned int fla 
> } #endif
> 
> -  if ( !tt->ipv6 ) +  if (!tt->did_ifconfig_ipv6_setup) { -
> msg( M_INFO, "add_route_ipv6(): not adding %s/%d, no IPv6 on if
> %s", -network, r6->netbits, device ); +  msg( M_INFO,
> "add_route_ipv6(): not adding %s/%d, no IPv6 ifconfig on if %s", +
> network, r6->netbits, device);

Wouldn't it be nicer if we said "no IPv6 address configured on
interface %s"?  Just trying to be slightly more user friendly in the
logs.

> --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -741,8 +741,8 @@
> do_ifconfig (struct tuntap *tt,
> 
> argv_init (&argv);
> 
> -  msg( M_INFO, "do_ifconfig, tt->ipv6=%d,
> tt->did_ifconfig_ipv6_setup=%d", -   tt->ipv6,
> tt->did_ifconfig_ipv6_setup ); +  msg( M_INFO, "do_ifconfig,
> tt->did_ifconfig_ipv6_setup=%d", +
> tt->did_ifconfig_ipv6_setup );

While we're changing log lines ... could we make this one a bit less
technical, or at least increase the verb level if we want it to be so
technical?  Again, just to be more user friendly

[...snip...]

> @@ -1526,7 +1513,7 @@ open_tun_generic (const char *dev, const char
> *dev_type, const char *dev_node, bool dynamic_opened = false;
> 
> 
> -  if ( tt->ipv6 && ! ipv6_explicitly_supported ) +  if (  !
> ipv6_explicitly_supported ) msg (M_WARN, "NOTE: explicit support
> for IPv6 tun devices is not provided for this OS");

Isn't this if() block a NOOP?

$ git grep -Hni ipv6_explicitly_supported
src/openvpn/tun.c:1521:  bool ipv6_explicitly_supported, bool dynamic,
src/openvpn/tun.c:1529:  if ( tt->ipv6 && ! ipv6_explicitly_supported )

Could we kill this as well?


[...snip...]
> @@ -1977,53 +1940,13 @@ close_tun (struct tuntap *tt) int write_tun
> (struct tuntap* tt, uint8_t *buf, int len) { -  if (tt->ipv6) -
> { -  struct tun_pi pi; -  struct iphdr *iph; -  struct
> iovec vect[2]; -  int ret; - -  iph = (struct iphdr *)buf; 
> - -  pi.flags = 0; - -  if(iph->version == 6) -   pi.proto =
> htons(OPENVPN_ETH_P_IPV6); -  else -  pi.proto =
> htons(OPENVPN_ETH_P_IPV4); - -  vect[0].iov_len = sizeof(pi); -
> vect[0].iov_base = π -  vect[1].iov_len = len; -
> vect[1].iov_base = buf; - -  ret = writev(tt->fd, vect, 2); -
> return(ret - sizeof(pi)); -} -  else -return write (tt->fd,
> buf, len); +  return write (tt->fd, buf, len);

whitespace issue.

> }
> 
> int read_tun (struct tuntap* tt, uint8_t *buf, int len) { -  if
> (tt->ipv6) -{ -  struct iovec vect[2]; -  struct tun_pi
> pi; -  int ret; - -  vect[0].iov_len = sizeof(pi); -
> vect[0].i