Re: [Openvpn-devel] p2p topology on Windows

2016-09-30 Thread David Woodhouse
On Fri, 2016-09-30 at 10:11 +0200, Jan Just Keijser wrote:
> 
> I'm still grappling for the "killer use case" for this - yes, it would be
> nice to implement support on all platforms for all modes, **BUT** I don't
> think anybody actually uses 'topology p2p' at this moment (because Windows
> clients don't support it - catch 22).
> How would client routing become easier in this case compared to 'topology
> subnet'? You will still need to set some routes on the client side - all of
> which can also be set in subnet mode.
> Also, in theory you don't have to put a client inside the server-side network
> (/24) range in any mode - it's just a matter of setting the right routing
> rules on both client and server, regardless of the mode (net30, p2p or subnet).

It's not so much about the IP addresses you *do* want to route; it's
more about the ones you *don't*.

Let's say that for whatever reason (rehoming, connecting to another
RFC1918 network with conflicting address ranges, whatever) I have a
specific IP address like 192.168.0.95 which is for use on the VPN (and
talking to selected hosts on that VPN).

On Windows, the *smallest* netmask I can use with that IP address would
be a /26. Because any narrower netmask would result in Windows refusing
to configure it — on the basis that .95 would be the *broadcast*
address for such a subnet.

So now I have a /26 and I end up routing every IP address between
192.168.0.64 and 192.168.0.127 onto the VPN, when some of those might
be IP addresses that I need to talk to on the *local* network.

Sure, if you have completely free choice of IP addresses, you'd choose
something else like 192.168.0.94 and then you *could* have a /30 and
"only" waste three IP addresses for it. But maybe you can't. Or maybe
even those three IP addresses are IP addresses we *really* need to talk
to on the local network, not the remote.

> Finally, in view of the fact that I seem to be the only one responding to
> this thread, I'm afraid that not too many people are getting enthusiastic ...

Seems that way :)

So my ulterior motive is this... I am using the TAP-Windows driver in a
way which you don't. In the TAP_IOCTL_CONFIG_TUN ioctl I basically
*ignore* the VPN netmask settings, and set both the network and mask to
0.0.0.0 as I described in my first message in this thread:
http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/95da6b6cd15d574

Then all the VPN routes can be added as On-link routes by specifying
the interface index.

I'd be *happier* if OpenVPN had a mode that used the driver this way
too; then I wouldn't keep waking up in the night in a cold sweat,
having dreamt that you broke it and I couldn't even ship a signed driver
that makes it work again...

I was hoping that saying "hey, you can fix your p2p mode which you
document as broken on Windows for no good reason" would tempt you into
actually doing it. Maybe it'll still work if I submit a patch myself to
fix it. :)

-- 
dwmw2

--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] p2p topology on Windows

2016-09-30 Thread Jan Just Keijser
Hi David,

On 26/09/16 14:08, David Woodhouse wrote:
> On Mon, 2016-09-26 at 13:34 +0200, Jan Just Keijser wrote:
>> this sounds like a typical use case for "assign a public IP address".
>> This is already possible with topology subnet and some special config
>> stuff on the server side, e.g.
>> - give the openvpn server an IP range that overlaps with existing
>> (server-side) IP space
>> - don't assign address from a large DHCP pool, but use a client-connect
>> script to assign an address per certificate
>> - use proxy arp and some routing tricks to ensure that all client
>> traffic is routed properly via the server.
> Ewww! But OK, yes I suppose that can work in most cases — at least for
> the server's routing.
>
> It still leaves the client routing more than it should down the VPN,
> and for some client IP addresses like x.x.x.127 you end up needing much
> more than a /30 — Windows won't let you have that IP address on the
> client side unless you use a netmask wide enough that it wouldn't be
> the broadcast address, so you have to send a whole /24 down the VPN
> from the client. When you only actually wanted *one* IP address to be
> routed that way. An IP address which might not even be in even that /24
> subnet, in the general case of a p2p setup.
>
>> the one thing I'm afraid of with your new type of p2p addressing is that
>> we'd introduce yet-another topology system: net30, "old" p2p, subnet and
>> now "new" p2p - or would this simply be an extension of the never-used
>> "old" p2p topology?
> It wouldn't even be "an extension". It is *precisely* the original p2p
> mode. It would simply be a case of "this never used to work on Windows;
> now it does".
I'm still grappling for the "killer use case" for this - yes, it would be nice
to implement support on all platforms for all modes, **BUT** I don't think
anybody actually uses 'topology p2p' at this moment (because Windows clients
don't support it - catch 22).
How would client routing become easier in this case compared to 'topology
subnet'? You will still need to set some routes on the client side - all of
which can also be set in subnet mode.
Also, in theory you don't have to put a client inside the server-side network
(/24) range in any mode - it's just a matter of setting the right routing rules
on both client and server, regardless of the mode (net30, p2p or subnet).

Finally, in view of the fact that I seem to be the only one responding to this
thread, I'm afraid that not too many people are getting enthusiastic ...

cheers,

JJK



Re: [Openvpn-devel] p2p topology on Windows

2016-09-26 Thread David Woodhouse
On Mon, 2016-09-26 at 13:34 +0200, Jan Just Keijser wrote:
> 
> this sounds like a typical use case for "assign a public IP address". 
> This is already possible with topology subnet and some special config 
> stuff on the server side, e.g.
> - give the openvpn server an IP range that overlaps with existing 
> (server-side) IP space
> - don't assign address from a large DHCP pool, but use a client-connect 
> script to assign an address per certificate
> - use proxy arp and some routing tricks to ensure that all client 
> traffic is routed properly via the server.

Ewww! But OK, yes I suppose that can work in most cases — at least for
the server's routing.

It still leaves the client routing more than it should down the VPN,
and for some client IP addresses like x.x.x.127 you end up needing much
more than a /30 — Windows won't let you have that IP address on the
client side unless you use a netmask wide enough that it wouldn't be
the broadcast address, so you have to send a whole /24 down the VPN
from the client. When you only actually wanted *one* IP address to be
routed that way. An IP address which might not even be in even that /24
subnet, in the general case of a p2p setup.

> the one thing I'm afraid of with your new type of p2p addressing is that 
> we'd introduce yet-another topology system: net30, "old" p2p, subnet and 
> now "new" p2p - or would this simply be an extension of the never-used 
> "old" p2p topology?

It wouldn't even be "an extension". It is *precisely* the original p2p
mode. It would simply be a case of "this never used to work on Windows;
now it does".

-- 
dwmw2
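A worked check of the netmask argument David makes in the two messages above (the 192.168.0.95 case that needs a /26, and the x.x.x.127 case that needs a whole /24), as an added example that is not code from the thread, OpenVPN or OpenConnect. It assumes only what the thread states: Windows rejects a host address that is the network or broadcast address of its subnet, and /30 is the narrowest mask the adapter accepts; the 10.0.0.127 input is constructed.

```python
import ipaddress

# Assumptions taken from the thread, not verified against every Windows build:
# the adapter rejects an address that is the network or broadcast address of
# its subnet, and /30 is the narrowest mask it will accept.
NARROWEST_ACCEPTED_PREFIX = 30


def narrowest_windows_prefix(addr: str) -> int:
    """Longest prefix length Windows would accept with addr as a host address."""
    ip = ipaddress.IPv4Address(addr)
    for prefix in range(NARROWEST_ACCEPTED_PREFIX, 0, -1):
        net = ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)
        if ip not in (net.network_address, net.broadcast_address):
            return prefix
    raise ValueError(f"no usable prefix for {addr}")


def subnet_mode_collateral(addr: str) -> tuple:
    """(prefix, first, last, count): the block Windows forces onto the VPN
    interface, and how many addresses in it are not the client's own."""
    prefix = narrowest_windows_prefix(addr)
    net = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
    return (prefix, str(net.network_address), str(net.broadcast_address),
            net.num_addresses - 1)


def vpn_routes(local: str, remote: str, p2p: bool) -> list:
    """Destinations routed onto the VPN. In the thread's p2p scheme the local
    address carries a 0.0.0.0 mask on the adapter and only the peer gets an
    on-link /32; with a real netmask the whole forced block is routed."""
    if p2p:
        return [f"{remote}/32"]
    prefix = narrowest_windows_prefix(local)
    return [str(ipaddress.IPv4Network(f"{local}/{prefix}", strict=False))]


if __name__ == "__main__":
    # 192.168.0.95 and .94 are the thread's examples; 10.0.0.127 is constructed
    # to show the x.x.x.127 case that drags a whole /24 down the VPN.
    for host in ("192.168.0.95", "192.168.0.94", "10.0.0.127"):
        prefix, first, last, n = subnet_mode_collateral(host)
        print(f"{host}: /{prefix} -> {first}..{last}, {n} extra addresses")
    print(vpn_routes("192.168.0.95", "192.168.0.1", p2p=True))
```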



Re: [Openvpn-devel] p2p topology on Windows

2016-09-26 Thread Jan Just Keijser
Hi David,

On 25/09/16 17:31, David Woodhouse wrote:
> On Sun, 2016-09-25 at 16:40 +0200, Jan Just Keijser wrote:
>> thanks for clarifying - but with OpenVPN 2.4 the default topology mode
>> will be 'subnet topology', in which we also assign a single IP address
>> to each client. Is there a (fundamental) difference between these two?
> Subnet topology is nice if you *have* a subnet. At least you only
> "waste" one network and one broadcast address for your entire subnet,
> rather than wasting three IP addresses per client as with the 'net30'
> topology.
>
> But still the true point-to-point mode allows absolutely *no* wastage,
> and can be used in circumstances where you really *can't* just dedicate
> a subnet to the purpose. If you have a thousand clients, then sure the
> wastage of the subnet topology is in the noise. If you have just one
> client then it's just the same as net30, because that's what you
> actually end up doing.
>
> One example that comes to mind is if a machine is being rehomed from a
> known IP address on a given subnet, but which still needs to be
> reachable on its original IP address. Another machine on the original
> subnet can be set up to do proxy ARP for it on the real Ethernet, and
> route its packets over OpenVPN... but you can't just use that subnet
> for the VPN.
>
> But mainly it just offends me that this is supported on other
> platforms, but it *doesn't* work on Windows and I think it could.
thanks for clarifying.
this sounds like a typical use case for "assign a public IP address". 
This is already possible with topology subnet and some special config 
stuff on the server side, e.g.
- give the openvpn server an IP range that overlaps with existing 
(server-side) IP space
- don't assign address from a large DHCP pool, but use a client-connect 
script to assign an address per certificate
- use proxy arp and some routing tricks to ensure that all client 
traffic is routed properly via the server.

the one thing I'm afraid of with your new type of p2p addressing is that 
we'd introduce yet-another topology system: net30, "old" p2p, subnet and 
now "new" p2p - or would this simply be an extension of the never-used 
"old" p2p topology?

cheers,

JJK



Re: [Openvpn-devel] p2p topology on Windows

2016-09-25 Thread Jan Just Keijser
Hi David,

On 24/09/16 01:21, David Woodhouse wrote:
> On Sat, 2016-09-24 at 00:01 +0200, Jan Just Keijser wrote:
>> sorry for asking, but what's the use case for this?
> The use case for point-to-point? It allows you to use a single IP
> address per client instead of having to set aside a whole /30 subnet
> per client as with the 'net30' mode.
>
> (And in my case, because some Cisco servers end up being configured
> thus, their own client copes with it under Windows and users were
> complaining.)
thanks for clarifying - but with OpenVPN 2.4 the default topology mode 
will be 'subnet topology', in which we also assign a single IP address 
to each client. Is there a (fundamental) difference between these two?


cheers,

JJK



Re: [Openvpn-devel] p2p topology on Windows

2016-09-23 Thread Marvin Adeff
I may be wrong, but this sounds suspiciously like what we use Gava's client-nat 
patch for. To enable us to NAT the device's local IP to the one assigned 
dynamically by openvpn (dhcp). 

Marvin

Sent from my iPhone

> On Sep 23, 2016, at 4:21 PM, David Woodhouse wrote:
> 
>> On Sat, 2016-09-24 at 00:01 +0200, Jan Just Keijser wrote:
>> 
>> sorry for asking, but what's the use case for this?
> 
> The use case for point-to-point? It allows you to use a single IP
> address per client instead of having to set aside a whole /30 subnet
> per client as with the 'net30' mode.
> 
> (And in my case, because some Cisco servers end up being configured
> thus, their own client copes with it under Windows and users were
> complaining.)
> 
>> And you say "configure it with the local IP address" - which address is 
>> that? the address that OpenVPN assigns? or the address of a local 
>> adapter on the Windows host?
> 
> The address that OpenVPN assigns.
> 
> -- 
> dwmw2



Re: [Openvpn-devel] p2p topology on Windows

2016-09-23 Thread David Woodhouse
On Sat, 2016-09-24 at 00:01 +0200, Jan Just Keijser wrote:
> 
> sorry for asking, but what's the use case for this?

The use case for point-to-point? It allows you to use a single IP
address per client instead of having to set aside a whole /30 subnet
per client as with the 'net30' mode.

(And in my case, because some Cisco servers end up being configured
thus, their own client copes with it under Windows and users were
complaining.)

> And you say "configure it with the local IP address" - which address is 
> that? the address that OpenVPN assigns? or the address of a local 
> adapter on the Windows host?

The address that OpenVPN assigns.

-- 
dwmw2


Re: [Openvpn-devel] p2p topology on Windows

2016-09-23 Thread Jan Just Keijser
Hi David,

On 23/09/16 23:34, David Woodhouse wrote:
> I believe I have P2P working on a Windows (8.1) client (with
> OpenConnect, but I don't see why it can't work for OpenVPN).
>
> I configure the TAP device (with TAP_IOCTL_CONFIG_TUN) with the local
> IP address, and with network and netmask both of 0.0.0.0.
>
> (AIUI this network/mask has nothing to do with Windows routing, and
> purely affects which IP addresses the device driver will fake ARP
> responses for. Setting them to zero means that the device driver does
> proxy ARP for *everything*, and you can add them all as 'On-link'
> routes.)
>
> Having done that, I can configure the local IP address and point-to-
> point route in Windows (8.1) by running:
>
> netsh interface ip set address $IFINDEX static $LOCALIP
> route add $REMOTEIP mask 255.255.255.255 0.0.0.0 if $IFINDEX
>
> Can we get p2p routing working in Windows that way or am I missing
> something? It seems to be working here...
>
>
sorry for asking, but what's the use case for this?

And you say "configure it with the local IP address" - which address is 
that? the address that OpenVPN assigns? or the address of a local 
adapter on the Windows host?

JJK



[Openvpn-devel] p2p topology on Windows

2016-09-23 Thread David Woodhouse
I believe I have P2P working on a Windows (8.1) client (with
OpenConnect, but I don't see why it can't work for OpenVPN).

I configure the TAP device (with TAP_IOCTL_CONFIG_TUN) with the local
IP address, and with network and netmask both of 0.0.0.0.

(AIUI this network/mask has nothing to do with Windows routing, and
purely affects which IP addresses the device driver will fake ARP
responses for. Setting them to zero means that the device driver does
proxy ARP for *everything*, and you can add them all as 'On-link'
routes.)

Having done that, I can configure the local IP address and point-to-
point route in Windows (8.1) by running:

netsh interface ip set address $IFINDEX static $LOCALIP
route add $REMOTEIP mask 255.255.255.255 0.0.0.0 if $IFINDEX

Can we get p2p routing working in Windows that way or am I missing
something? It seems to be working here...

-- 
dwmw2
