Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.
Antonio, I certainly don’t disagree with you. However I think I’ve taken up enough bandwidth over this topic on Openvpn-devel.

Thank you all.

Marvin

> On Apr 1, 2018, at 7:20 PM, Antonio Quartulli wrote:
>
>> On 02/04/18 10:12, Marvin Adeff wrote:
>> Even on the internet I can tell country, ISP etc. Very useful for security
>> ACLs etc. Unless I’m completely mistaken, I don’t believe this is easily
>> done in ipv6.
>
> mostly because at this very moment Tunnel Brokers are widely used and
> they act as a "proxy", effectively covering the real location of the
> client host.
>
> Many websites just show you (client) as connecting from the country
> where your Tunnel Broker is located.
>
> When using native IPv6 this problem does not exist anymore.
>
> Therefore, the proper way to get over this "limitation" (even though I
> don't think it is a real problem, but this is of course my perspective) is
> to speed up the transition and move everybody over native IPv6 (which is
> something we can't achieve if we continue to be "afraid" of using IPv6
> in our everyday life).
>
> Cheers,
>
> --
> Antonio Quartulli
>
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.
On 02/04/18 10:12, Marvin Adeff wrote:
> Even on the internet I can tell country, ISP etc. Very useful for security
> ACLs etc. Unless I’m completely mistaken, I don’t believe this is easily done
> in ipv6.

mostly because at this very moment Tunnel Brokers are widely used and they act as a "proxy", effectively covering the real location of the client host.

Many websites just show you (client) as connecting from the country where your Tunnel Broker is located.

When using native IPv6 this problem does not exist anymore.

Therefore, the proper way to get over this "limitation" (even though I don't think it is a real problem, but this is of course my perspective) is to speed up the transition and move everybody over native IPv6 (which is something we can't achieve if we continue to be "afraid" of using IPv6 in our everyday life).

Cheers,

--
Antonio Quartulli
Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.
Gert,

Without invalidating the reason for your frustration, I am breathing a sigh of relief.

As a complete aside, in some ways ipv4 is actually more useful to me in my work. In a private network I can tell where in the network the traffic is coming from. Even on the internet I can tell country, ISP etc. Very useful for security ACLs etc. Unless I’m completely mistaken, I don’t believe this is easily done in ipv6.

BTW, a big thank-you to you and all the devs in the OpenVPN project!

Marvin

> On Apr 1, 2018, at 12:34 PM, Gert Doering wrote:
>
> Hi,
>
>> On Sun, Apr 01, 2018 at 12:21:53PM -0700, Marvin Adeff wrote:
>> I had not considered the extra work and code required to maintain both
>> versions. But I get it now. Here is the unfortunate position this puts us in:
> [..]
>
> Well, that part of my e-mail was a bit of frustration speaking - I've
> been advocating IPv6 for over 20 years now, and while large parts of
> the access networks are offering IPv6 now, other parts are still being
> *built* with IPv4 only, or stubbornly stick to IPv4 only... thus, double
> work everywhere, not only in OpenVPN, seemingly for a lifetime.
>
>> So if OpenVPN lost ipv4 support anytime soon, we would be in a world of hurt.
>
> As far as OpenVPN is concerned, I am not aware of any plans to remove
> IPv4 support.
>
> The extra code adds some maintenance and testing effort, but since this
> is all in place now (especially the test setups with "connect over IPv4
> or IPv6" and "send IPv4 and IPv6 packets through the test VPN") it would
> be more work to rip out IPv4 now... :-)
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.
Hi,

On Sun, Apr 01, 2018 at 12:21:53PM -0700, Marvin Adeff wrote:
> I had not considered the extra work and code required to maintain both
> versions. But I get it now. Here is the unfortunate position this puts us in:
[..]

Well, that part of my e-mail was a bit of frustration speaking - I've been advocating IPv6 for over 20 years now, and while large parts of the access networks are offering IPv6 now, other parts are still being *built* with IPv4 only, or stubbornly stick to IPv4 only... thus, double work everywhere, not only in OpenVPN, seemingly for a lifetime.

> So if OpenVPN lost ipv4 support anytime soon, we would be in a world of hurt.

As far as OpenVPN is concerned, I am not aware of any plans to remove IPv4 support.

The extra code adds some maintenance and testing effort, but since this is all in place now (especially the test setups with "connect over IPv4 or IPv6" and "send IPv4 and IPv6 packets through the test VPN") it would be more work to rip out IPv4 now... :-)

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
[Openvpn-devel] [RFC 0/3] follow-up netlink support, systemd integration
This series is a follow-up to 'add netlink support for Linux' by Antonio Quartulli. It enhances integration with systemd and improves system security by running the openvpn process with a dedicated user.

Christian Hesse (3):
  systemd: run openvpn with dedicated user
  systemd: do not downgrade UID/GID
  systemd: create configuration directories from tmpfiles

 configure.ac                              | 8
 distro/systemd/Makefile.am                | 4
 distro/systemd/openvpn-cli...@.service.in | 4 +++-
 distro/systemd/openvpn-ser...@.service.in | 4 +++-
 distro/systemd/sysusers-openvpn.conf      | 1 +
 distro/systemd/tmpfiles-openvpn.conf      | 6 --
 src/openvpn/init.c                        | 8
 7 files changed, 31 insertions(+), 4 deletions(-)
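The check a packager wants after switching a unit to `User=openvpn` plus `AmbientCapabilities=`: does the running process really hold exactly the capabilities the unit names, in the effective and ambient sets, and is its bounding set restricted at all? The following is an added example, not code from this series or from OpenVPN. It reads the `Cap*` lines of `/proc/<pid>/status`, decodes the hex masks and diffs them against an expected set; the expected set is taken from the server unit in this series after CAP_SETUID/CAP_SETGID are removed, and the `/proc` text used for the self-test is a constructed sample (uid 986 and the masks are made up).

```c
/* Added example, not part of the OpenVPN patch series: audit the capability
 * sets of a process as one would to verify that a unit with "User=openvpn"
 * and "AmbientCapabilities=..." produced the intended result. It parses the
 * Cap* lines of a /proc/<pid>/status text, decodes the hex masks and compares
 * them with the set the unit file is meant to grant. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <linux/capability.h>

/* The server unit's set after the "do not downgrade UID/GID" patch removed
 * CAP_SETUID and CAP_SETGID. */
static const int expected_server_caps[] = {
    CAP_IPC_LOCK, CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_NET_RAW,
    CAP_SYS_CHROOT, CAP_DAC_OVERRIDE,
};
#define N_EXPECTED (sizeof(expected_server_caps) / sizeof(expected_server_caps[0]))

/* Constructed sample of /proc/<pid>/status for a process started from the
 * RFC 1/3 unit: the masks still contain CAP_SETGID (bit 6) and CAP_SETUID
 * (bit 7), and the bounding set was never restricted. */
static const char SAMPLE_STATUS[] =
    "Name:\topenvpn\n"
    "Uid:\t986\t986\t986\t986\n"
    "CapInh:\t00000000000474c2\n"
    "CapPrm:\t00000000000474c2\n"
    "CapEff:\t00000000000474c2\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t00000000000474c2\n";

/* Turn a list of CAP_* numbers into the bitmask /proc prints. */
static uint64_t caps_to_mask(const int *caps, size_t n)
{
    uint64_t m = 0;
    for (size_t i = 0; i < n; i++)
        m |= (uint64_t)1 << caps[i];
    return m;
}

/* Find "<key><ws><hex>" at the start of a line and decode the mask.
 * Returns 0 on success, -1 if the key is absent or the value is not hex. */
static int parse_cap_line(const char *status, const char *key, uint64_t *out)
{
    size_t klen = strlen(key);
    const char *p = status;

    while (p) {
        if (strncmp(p, key, klen) == 0) {
            char *end;
            *out = strtoull(p + klen, &end, 16);
            return (end == p + klen) ? -1 : 0;
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return -1;
}

/* Compare an actual mask with the expected one: 0 = equal, bit 0 set =
 * capabilities missing, bit 1 set = extra capabilities present. */
static int audit_caps(uint64_t actual, uint64_t expected,
                      uint64_t *missing, uint64_t *extra)
{
    uint64_t miss = expected & ~actual, ext = actual & ~expected;
    if (missing)
        *missing = miss;
    if (extra)
        *extra = ext;
    return (miss ? 1 : 0) | (ext ? 2 : 0);
}

/* Audit one Cap* set of a status text; -1 when it cannot be parsed. */
static int audit_status_text(const char *status, const char *key,
                             uint64_t expected, uint64_t *missing, uint64_t *extra)
{
    uint64_t actual;
    if (parse_cap_line(status, key, &actual) < 0)
        return -1;
    return audit_caps(actual, expected, missing, extra);
}

/* Stand-alone use: ./capaudit [pid]  (defaults to this process). */
int main(int argc, char **argv)
{
    char path[64], text[4096];
    const char *sets[] = { "CapEff:", "CapAmb:", "CapBnd:" };
    uint64_t expected = caps_to_mask(expected_server_caps, N_EXPECTED);
    uint64_t miss = 0, ext = 0;

    snprintf(path, sizeof(path), "/proc/%s/status", argc > 1 ? argv[1] : "self");
    FILE *f = fopen(path, "r");
    if (!f) {
        perror(path);
        return 1;
    }
    text[fread(text, 1, sizeof(text) - 1, f)] = '\0';
    fclose(f);
    for (size_t i = 0; i < 3; i++) {
        int rc = audit_status_text(text, sets[i], expected, &miss, &ext);
        printf("%s rc=%d missing=%#llx extra=%#llx\n", sets[i], rc,
               (unsigned long long)miss, (unsigned long long)ext);
    }
    return 0;
}
```

Run it against the PID of a started `openvpn-server@foo` instance: `CapEff`/`CapAmb` should come back with `rc=0`, and a non-zero `extra` on `CapBnd` is the sign that the unit restricts the ambient set but not the bounding set.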
[Openvpn-devel] [RFC 1/3] systemd: run openvpn with dedicated user
From: Christian Hesse Now that we have a native netlink interface run the process with dedicated user 'openvpn'. This is possibly by granting ambient capabilities, see systemd.exec(5). Signed-off-by: Christian Hesse --- configure.ac | 8 distro/systemd/Makefile.am| 4 distro/systemd/openvpn-cli...@.service.in | 4 +++- distro/systemd/openvpn-ser...@.service.in | 4 +++- distro/systemd/sysusers-openvpn.conf | 1 + distro/systemd/tmpfiles-openvpn.conf | 4 ++-- 6 files changed, 21 insertions(+), 4 deletions(-) create mode 100644 distro/systemd/sysusers-openvpn.conf diff --git a/configure.ac b/configure.ac index f2e4aa47..3d9d2ed5 100644 --- a/configure.ac +++ b/configure.ac @@ -365,6 +365,7 @@ AC_ARG_VAR([GIT], [path to git utility]) AC_ARG_VAR([SYSTEMD_ASK_PASSWORD], [path to systemd-ask-password utility]) AC_ARG_VAR([SYSTEMD_UNIT_DIR], [Path of systemd unit directory @<:@default=LIBDIR/systemd/system@:>@]) AC_ARG_VAR([TMPFILES_DIR], [Path of tmpfiles directory @<:@default=LIBDIR/tmpfiles.d@:>@]) +AC_ARG_VAR([SYSUSERS_DIR], [Path of sysusers directory @<:@default=LIBDIR/sysusers.d@:>@]) AC_PATH_PROGS([IFCONFIG], [ifconfig],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) @@ -1198,6 +1199,12 @@ if test "$enable_systemd" = "yes" ; then else tmpfilesdir="\${libdir}/tmpfiles.d" fi + +if test -n "${SYSUSERS_DIR}"; then +sysusersdir="${SYSUSERS_DIR}" +else +sysusersdir="\${libdir}/sysusers.d" +fi fi @@ -1381,6 +1388,7 @@ AC_SUBST([sampledir]) AC_SUBST([systemdunitdir]) AC_SUBST([tmpfilesdir]) +AC_SUBST([sysusersdir]) VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/" VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist" diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am index 69e12699..2641a63d 100644 --- a/distro/systemd/Makefile.am +++ b/distro/systemd/Makefile.am 
@@ -14,6 +14,7 @@ EXTRA_DIST = \ tmpfiles-openvpn.conf \ + sysusers-openvpn.conf \ openvpn-cli...@.service.in \ openvpn-ser...@.service.in @@ -23,11 +24,14 @@ systemdunit_DATA = \ openvpn-server@.service tmpfiles_DATA = \ tmpfiles-openvpn.conf +sysusers_DATA = \ + sysusers-openvpn.conf dist_doc_DATA = \ README.systemd install-data-hook: mv $(DESTDIR)$(tmpfilesdir)/tmpfiles-openvpn.conf $(DESTDIR)$(tmpfilesdir)/openvpn.conf + mv $(DESTDIR)$(sysusersdir)/sysusers-openvpn.conf $(DESTDIR)$(sysusersdir)/openvpn.conf endif MAINTAINERCLEANFILES = \ diff --git a/distro/systemd/openvpn-cli...@.service.in b/distro/systemd/openvpn-cli...@.service.in index cbcef653..a103d751 100644 --- a/distro/systemd/openvpn-cli...@.service.in +++ b/distro/systemd/openvpn-cli...@.service.in @@ -9,9 +9,11 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service] Type=notify PrivateTmp=true +User=openvpn +Group=openvpn WorkingDirectory=/etc/openvpn/client ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE +AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw diff --git a/distro/systemd/openvpn-ser...@.service.in b/distro/systemd/openvpn-ser...@.service.in index a8366a04..7275e86a 100644 --- a/distro/systemd/openvpn-ser...@.service.in +++ b/distro/systemd/openvpn-ser...@.service.in 
@@ -9,9 +9,11 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service] Type=notify PrivateTmp=true +User=openvpn +Group=openvpn WorkingDirectory=/etc/openvpn/server ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE +AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw diff --git a/distro/systemd/sysusers-openvpn.conf b/distro/systemd/sysusers-openvpn.conf new file mode 100644 index ..d200852b --- /dev/null +++ b/distro/systemd/sysusers-openvpn.conf @@ -0,0 +1 @@ +u openvpn - "OpenVPN user" / diff --git a/distro/systemd/tmpfiles-openvpn.conf b/distro/systemd/tmpfiles-openvpn.conf index bb79671e..835dc1c8 100644 --- a/distro/systemd/tmpfiles-openvpn.conf +++ b/distro/systemd/tmpfiles-openvpn.conf @@ -1,2 +1,2 @@ -d /run/openvpn-client 0710 root root - -d /run/openvpn-server 0710 root root - +d /run/openvpn-client 0750 openvpn openvpn - +d /
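Review bot: in the openvpn-client@.service.in and openvpn-server@.service.in hunks, `CapabilityBoundingSet=` is replaced by `AmbientCapabilities=` rather than kept alongside it. The ambient set is what lets the non-root `User=openvpn` process keep CAP_NET_ADMIN and the others, but the bounding set is what limits what the process, and anything it execs such as --up/--down scripts or plugins, can ever hold; with that line gone the bounding set is no longer restricted at all. Suggest keeping `CapabilityBoundingSet=` with the same list directly above the new `AmbientCapabilities=` line, and noting in the commit message that ambient capabilities survive execve(), so helper scripts started by openvpn now run with these capabilities too.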
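Review bot: the configure.ac hunk defaults `sysusersdir` to `\${libdir}/sysusers.d`, mirroring the existing `tmpfilesdir` default; systemd itself looks in `/usr/lib/sysusers.d`, so on distributions where `libdir` is `/usr/lib64` the file installs somewhere systemd-sysusers never reads. The same caveat already applies to tmpfiles, so either document that packagers must pass `SYSUSERS_DIR=`/`TMPFILES_DIR=`, or derive the default from `pkg-config --variable=sysusersdir systemd` when available.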
[Openvpn-devel] [RFC 2/3] systemd: do not downgrade UID/GID
From: Christian Hesse Now that systemd starts the process with dedicated user we do no longer want to downgrade privileges. Also remove CAP_SETGID and CAP_SETUID from granted privileges. Signed-off-by: Christian Hesse --- distro/systemd/openvpn-cli...@.service.in | 2 +- distro/systemd/openvpn-ser...@.service.in | 2 +- src/openvpn/init.c| 8 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/distro/systemd/openvpn-cli...@.service.in b/distro/systemd/openvpn-cli...@.service.in index a103d751..ee7957a6 100644 --- a/distro/systemd/openvpn-cli...@.service.in +++ b/distro/systemd/openvpn-cli...@.service.in @@ -13,7 +13,7 @@ User=openvpn Group=openvpn WorkingDirectory=/etc/openvpn/client ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf -AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE +AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_CHROOT CAP_DAC_OVERRIDE LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw diff --git a/distro/systemd/openvpn-ser...@.service.in b/distro/systemd/openvpn-ser...@.service.in index 7275e86a..03d28a2e 100644 --- a/distro/systemd/openvpn-ser...@.service.in +++ b/distro/systemd/openvpn-ser...@.service.in @@ -13,7 +13,7 @@ User=openvpn Group=openvpn WorkingDirectory=/etc/openvpn/server ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf -AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE +AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SYS_CHROOT CAP_DAC_OVERRIDE LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 36c1a4c4..0fc60d62 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -1151,6 +1151,14 @@ do_uid_gid_chroot(struct context *c, bool no_delay) /* set user and/or group if we want to setuid/setgid */ if (c0->uid_gid_specified) { +#ifdef ENABLE_SYSTEMD +if (sd_notify(0, "READY=0") > 0 && getuid() != 0) +{ +msg(M_INFO, "NOTE: Running from systemd with non-root uid, skipping downgrade"); +return; +} +#endif + if (no_delay) { platform_group_set(&c0->platform_state_group);
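Review bot: in the init.c hunk the systemd detection `sd_notify(0, "READY=0") > 0 && getuid() != 0` uses a notification send as a probe. `READY=0` is not a state systemd acts on, so the call only tests whether `$NOTIFY_SOCKET` is set, and it emits a message every time; `getenv("NOTIFY_SOCKET")` answers the same question without the side effect. The bigger issue is the condition itself: it skips the downgrade for *any* non-root uid, not only when the current uid already equals the one requested with `--user`/`--group`, so a config that names a different user than the one systemd started the process as is silently accepted at M_INFO. Suggest comparing the current uid/gid with the configured ones and logging at M_WARN when they differ, since CAP_SETUID/CAP_SETGID are no longer granted and the setuid would fail anyway.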
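Review bot: the two service hunks drop CAP_SETGID and CAP_SETUID from `AmbientCapabilities=`, which is the right direction, but it changes behaviour for existing configs: any `user`/`group` directive in a config run from these units now takes the new early-return path instead of switching user. The commit message should state that `--user`/`--group` become no-ops under the systemd units and that the effective user is the one from `User=`/`Group=` in the unit.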
[Openvpn-devel] [RFC 3/3] systemd: create configuration directories from tmpfiles
From: Christian Hesse We have a dedicated user created by systemd-sysusers, so create configuration directories from systemd-tmpfiles for proper permissions. This mitigates a race condition at packaging/install time. Signed-off-by: Christian Hesse --- distro/systemd/tmpfiles-openvpn.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/distro/systemd/tmpfiles-openvpn.conf b/distro/systemd/tmpfiles-openvpn.conf index 835dc1c8..0f96baa5 100644 --- a/distro/systemd/tmpfiles-openvpn.conf +++ b/distro/systemd/tmpfiles-openvpn.conf @@ -1,2 +1,4 @@ d /run/openvpn-client 0750 openvpn openvpn - d /run/openvpn-server 0750 openvpn openvpn - +d /etc/openvpn/client 0750 openvpn openvpn - +d /etc/openvpn/server 0750 openvpn openvpn -
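Review bot: the two added tmpfiles lines make /etc/openvpn/client and /etc/openvpn/server `0750 openvpn openvpn`, which hands ownership of the configuration, and of any keys, CRLs and `--up`/`--down` scripts kept there, to the same uid the service runs as; a compromised openvpn process could then rewrite its own config and have arbitrary commands run at the next start. Suggest `d /etc/openvpn/client 0750 root openvpn -` (and the same for server) so the service user can read but not modify its configuration; only the /run directories in the lines above need to be writable by openvpn.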
Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.
Ok, I’ll only discard the irate part ;-]

I had not considered the extra work and code required to maintain both versions. But I get it now. Here is the unfortunate position this puts us in:

We use OpenVPN for connection from 1000’s of devices located at customer facilities back to us. These devices/software have a lifespan of greater than 10 years and most are extremely expensive (not easily replaced). So a large quantity are incapable of ipv6 (and frankly many customer facility networks are not fully functional with ipv6). Also some of the devices/software at our end that interface with those legacy customer devices are also not ipv6 capable.

So if OpenVPN lost ipv4 support anytime soon, we would be in a world of hurt.

There is much more detail about all this, but I wanted to keep this a short email.

Thanks for listening.

Marvin

> On Apr 1, 2018, at 11:39 AM, Gert Doering wrote:
>
> Hi,
>
>> On Sun, Apr 01, 2018 at 11:19:57AM -0700, Marvin Adeff wrote:
>> Think of us poor mail list lurkers. Practically gave this one a heart
>> attack! Not having seen that private reply, I hope that means I can discard
>> the long-ass (and quite irate) reply I was working on?
>
> Please share!
>
>> (Sent from an ipv4 address)
>
> Whatever journey OpenVPN takes, the Internet as a whole will need to
> either finish the move to IPv6, or give up and return to IPv4-only -
> running dual-stack is just too expensive in the long run. Like, twice
> the amount of code needed for routing, address parsing, firewalling, ...
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.
Hi,

On Sun, Apr 01, 2018 at 11:19:57AM -0700, Marvin Adeff wrote:
> Think of us poor mail list lurkers. Practically gave this one a heart attack!
> Not having seen that private reply, I hope that means I can discard the
> long-ass (and quite irate) reply I was working on?

Please share!

> (Sent from an ipv4 address)

Whatever journey OpenVPN takes, the Internet as a whole will need to either finish the move to IPv6, or give up and return to IPv4-only - running dual-stack is just too expensive in the long run. Like, twice the amount of code needed for routing, address parsing, firewalling, ...

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.
Think of us poor mail list lurkers. Practically gave this one a heart attack! Not having seen that private reply, I hope that means I can discard the long-ass (and quite irate) reply I was working on?

Marvin
(Sent from an ipv4 address)

> On Apr 1, 2018, at 8:52 AM, Jonathan K. Bullard wrote:
>
> Hi,
>
>> On Sun, Apr 1, 2018 at 11:34 AM, Gert Doering wrote:
>> Hi,
>>
>>> On Sun, Apr 01, 2018 at 10:19:37AM -0400, Selva Nair wrote:
>>>> On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering wrote:
>>>>> As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
>>>>> be IPv6-only. Removal of IPv4-related code and options will dramatically
>>>>> reduce code complexity, confusing options, bugs and user questions.
>> [..]
>>>
>>> Nice try :)
>>
>> Hah, caught in the act ;-)
>>
>> (Apologies to Jonathan for scaring you about new user support issues...)
>
> No apologies necessary! I fell for it completely and have no excuse. I
> probably laughed as hard as anyone else when I read your private reply
> that pointed out today's date.
>
> Best regards,
>
> Jon
Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.
Hi,

On Sun, Apr 1, 2018 at 11:34 AM, Gert Doering wrote:
> Hi,
>
> On Sun, Apr 01, 2018 at 10:19:37AM -0400, Selva Nair wrote:
>> On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering wrote:
>>
>> > As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
>> > be IPv6-only. Removal of IPv4-related code and options will dramatically
>> > reduce code complexity, confusing options, bugs and user questions.
> [..]
>>
>> Nice try :)
>
> Hah, caught in the act ;-)
>
> (Apologies to Jonathan for scaring you about new user support issues...)

No apologies necessary! I fell for it completely and have no excuse. I probably laughed as hard as anyone else when I read your private reply that pointed out today's date.

Best regards,

Jon
Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.
Hi,

On Sun, Apr 01, 2018 at 10:19:37AM -0400, Selva Nair wrote:
> On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering wrote:
>
> > As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
> > be IPv6-only. Removal of IPv4-related code and options will dramatically
> > reduce code complexity, confusing options, bugs and user questions.
[..]
>
> Nice try :)

Hah, caught in the act ;-)

(Apologies to Jonathan for scaring you about new user support issues...)

Trac #208 is really about *enabling* IPv6-only mode (which does not work today), but not about *mandating* IPv6-only / taking away IPv4.

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.
Hi,

On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering wrote:
> As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
> be IPv6-only. Removal of IPv4-related code and options will dramatically
> reduce code complexity, confusing options, bugs and user questions.
>
> Add deprecation warnings for IPv4-related config options to 2.4 branch,
> so users have enough time to move their setups to work on IPv6-only
> before 2.5 will be released.
>
> This affects:
>
> --ifconfig
> --route
> --server
> --proto udp4/tcp4
> --ifconfig-pool
>
> More IPv4-related options will be identified and depreciated later.
>

Nice try :)

Selva
[Openvpn-devel] [RFC 2/4] introduce sitnl: Simplified Interface To NetLink
This patch introduces a tiny netlink interface, optimized for the openvpn use case. It basically exposes all those operations that are currently handled by directly calling the /sbin/ip command (or even ifconfig/route, if configured). By using netlink, openvpn won't need to spawn new processes when configuring the tun interface or routes. This new approach will also allow openvpn to be granted CAP_NET_ADMIN and be able to properly work even though it dropped the root privileges (currently handled via workarounds). By moving this logic into the sitnl module, tun.c and route.c also benefit from some code simplification Signed-off-by: Antonio Quartulli --- src/openvpn/Makefile.am |3 + src/openvpn/errlevel.h |1 + src/openvpn/sitnl.c | 1195 +++ src/openvpn/sitnl.h | 217 + 4 files changed, 1416 insertions(+) create mode 100644 src/openvpn/sitnl.c create mode 100644 src/openvpn/sitnl.h diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index eda08351..8bd25049 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -131,6 +131,9 @@ openvpn_LDADD = \ $(OPTIONAL_SELINUX_LIBS) \ $(OPTIONAL_SYSTEMD_LIBS) \ $(OPTIONAL_DL_LIBS) +if LINUX +openvpn_SOURCES += sitnl.c sitnl.h +endif if WIN32 openvpn_SOURCES += openvpn_win32_resources.rc block_dns.c block_dns.h openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm -lfwpuclnt -lrpcrt4 -lncrypt diff --git a/src/openvpn/errlevel.h b/src/openvpn/errlevel.h index 5ca4fa8f..3f2a0f1b 100644 --- a/src/openvpn/errlevel.h +++ b/src/openvpn/errlevel.h @@ -109,6 +109,7 @@ #define D_LOG_RW LOGLEV(5, 0, 0)/* Print 'R' or 'W' to stdout for read/write */ +#define D_RTNL LOGLEV(6, 68, M_DEBUG) /* show RTNL low level operations */ #define D_LINK_RWLOGLEV(6, 69, M_DEBUG) /* show TCP/UDP reads/writes (terse) */ #define D_TUN_RW LOGLEV(6, 69, M_DEBUG) /* show TUN/TAP reads/writes */ #define D_TAP_WIN_DEBUG LOGLEV(6, 69, M_DEBUG) /* show TAP-Windows driver debug info */ 
diff --git a/src/openvpn/sitnl.c b/src/openvpn/sitnl.c new file mode 100644 index ..e9018093 --- /dev/null +++ b/src/openvpn/sitnl.c 
@@ -0,0 +1,1195 @@ +/* + * Simplified Interface To NetLink + * + * Copyright (C) 2016-2018 Antonio Quartulli + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#include "syshead.h" + +#include "errlevel.h" +#include "buffer.h" +#include "sitnl.h" + +#include +#include +#include +#include +#include +#include +#include + +#define SNDBUF_SIZE (1024 * 2) +#define RCVBUF_SIZE (1024 * 4) + +/** + * Generic address data structure used to pass addresses and prefixes as + * argument to AF family agnostic functions + */ +typedef union { +in_addr_t ipv4; +struct in6_addr ipv6; +} inet_address_t; + +/** + * Link state request message + */ +struct sitnl_link_req { +struct nlmsghdr n; +struct ifinfomsg i; +char buf[256]; +}; + +/** + * Address request message + */ +struct sitnl_addr_req { +struct nlmsghdr n; +struct ifaddrmsg i; +char buf[256]; +}; + +/** + * Route request message + */ +struct sitnl_route_req { +struct nlmsghdr n; +struct rtmsg r; +char buf[256]; +}; + +typedef int (*sitnl_parse_reply_cb)(struct nlmsghdr *msg, void *arg); + +/** + * Object returned by route request operation + */ +struct sitnl_route_data_cb { +unsigned int iface; +inet_address_t gw; +}; + +#define NLMSG_TAIL(nmsg) \ +((struct 
rtattr *)(((uint8_t *)(nmsg)) + NLMSG_ALIGN((nmsg)->nlmsg_len))) + +#define SITNL_ADDATTR(_msg, _max_size, _attr, _data, _size) \ +{ \ +if (sitnl_addattr(_msg, _max_size, _attr, _data, _size) < 0)\ +{ \ +goto err; \ +} \ +} + +/** + * Helper function used to easily add attributes to a rtnl message + */ +static int +sitnl_addattr(struct nlmsghdr *n, int
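Review bot: in the sitnl.c hunk, `SITNL_ADDATTR()` hides a `goto err` inside a macro, so every function that uses it must define an `err:` label and the failure path is invisible at the call site; a `static inline` helper that returns the error plus an explicit `if (sitnl_addattr(...) < 0) goto err;` at each call site keeps the control flow reviewable. Also, `RCVBUF_SIZE` is 4 KiB while rtnetlink dump replies can be larger than that (iproute2 historically reads into a 32 KiB buffer); the receive path is cut off on this page, so please make sure it checks `MSG_TRUNC` from recvmsg() and treats a truncated message as an error rather than parsing a partial reply.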
[Openvpn-devel] [RFC 1/4] configure: add LINUX conditional variable
This variable is helpful when the configure script has to take actions that are strictly limited to the LINUX platform, as required by the introduction of netlink support. Signed-off-by: Antonio Quartulli --- configure.ac | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure.ac b/configure.ac index 626b4dd4..f2e4aa47 100644 --- a/configure.ac +++ b/configure.ac @@ -298,6 +298,7 @@ case "$host" in *-*-linux*) AC_DEFINE([TARGET_LINUX], [1], [Are we running on Linux?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["L"], [Target prefix]) + LINUX=yes ;; *-*-solaris*) AC_DEFINE([TARGET_SOLARIS], [1], [Are we running on Solaris?]) @@ -1367,6 +1368,7 @@ AC_SUBST([OPTIONAL_PKCS11_HELPER_LIBS]) AC_SUBST([PLUGIN_AUTH_PAM_CFLAGS]) AC_SUBST([PLUGIN_AUTH_PAM_LIBS]) +AM_CONDITIONAL([LINUX], [test "${LINUX}" = "yes"]) AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"]) AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"]) AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "yes"]) -- 2.16.3
[Openvpn-devel] [RFC 4/4] route.c: use sitnl to handle route configuration on Linux
Signed-off-by: Antonio Quartulli --- src/openvpn/route.c | 364 ++-- 1 file changed, 71 insertions(+), 293 deletions(-) diff --git a/src/openvpn/route.c b/src/openvpn/route.c index 8990a986..4b398366 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -41,6 +41,7 @@ #include "manage.h" #include "win32.h" #include "options.h" +#include "sitnl.h" #include "memdbg.h" @@ -1529,13 +1530,17 @@ add_route(struct route_ipv4 *r, { struct gc_arena gc; struct argv argv = argv_new(); +#if !defined(TARGET_LINUX) const char *network; #if !defined(ENABLE_IPROUTE) && !defined(TARGET_AIX) const char *netmask; #endif const char *gateway; +#endif +const char *iface; bool status = false; int is_local_route; +int metric; if (!(r->flags & RT_DEFINED)) { @@ -1544,11 +1549,13 @@ add_route(struct route_ipv4 *r, gc_init(&gc); +#if !defined(TARGET_LINUX) network = print_in_addr_t(r->network, 0, &gc); #if !defined(ENABLE_IPROUTE) && !defined(TARGET_AIX) netmask = print_in_addr_t(r->netmask, 0, &gc); #endif gateway = print_in_addr_t(r->gateway, 0, &gc); +#endif is_local_route = local_route(r->network, r->netmask, r->gateway, rgi); if (is_local_route == LR_ERROR) 
@@ -1557,47 +1564,26 @@ add_route(struct route_ipv4 *r, } #if defined(TARGET_LINUX) -#ifdef ENABLE_IPROUTE -argv_printf(&argv, "%s route add %s/%d", -iproute_path, -network, -netmask_to_netbits2(r->netmask)); - -if (r->flags & RT_METRIC_DEFINED) -{ -argv_printf_cat(&argv, "metric %d", r->metric); -} - +iface = NULL; if (is_on_link(is_local_route, flags, rgi)) { -argv_printf_cat(&argv, "dev %s", rgi->iface); +iface = rgi->iface; } -else -{ -argv_printf_cat(&argv, "via %s", gateway); -} -#else /* ifdef ENABLE_IPROUTE */ -argv_printf(&argv, "%s add -net %s netmask %s", -ROUTE_PATH, -network, -netmask); + +metric = -1; if (r->flags & RT_METRIC_DEFINED) { -argv_printf_cat(&argv, "metric %d", r->metric); -} -if (is_on_link(is_local_route, flags, rgi)) -{ -argv_printf_cat(&argv, "dev %s", rgi->iface); +metric = r->metric; } -else + +status = true; +if (sitnl_route_v4_add(&r->network, netmask_to_netbits2(r->netmask), + &r->gateway, iface, 0, metric) < 0) { -argv_printf_cat(&argv, "gw %s", gateway); +msg(M_WARN, "ERROR: Linux route add command failed"); +status = false; } -#endif /*ENABLE_IPROUTE*/ -argv_msg(D_ROUTE, &argv); -status = openvpn_execve_check(&argv, es, 0, "ERROR: Linux route add command failed"); - #elif defined (TARGET_ANDROID) char out[128]; @@ -1853,7 +1839,7 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flag const char *gateway; bool status = false; const char *device = tt->actual_name; - +int metric; bool gateway_needed = false; if (!(r6->flags & RT_DEFINED) ) 
@@ -1918,38 +1904,20 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flag } #if defined(TARGET_LINUX) -#ifdef ENABLE_IPROUTE -argv_printf(&argv, "%s -6 route add %s/%d dev %s", -iproute_path, -network, -r6->netbits, -device); -if (gateway_needed) -{ -argv_printf_cat(&argv, "via %s", gateway); -} -if ( (r6->flags & RT_METRIC_DEFINED) && r6->metric > 0) +metric = -1; +if ((r6->flags & RT_METRIC_DEFINED) && (r6->metric > 0)) { -argv_printf_cat(&argv, " metric %d", r6->metric); +metric = r6->metric; } -#else /* ifdef ENABLE_IPROUTE */ -argv_printf(&argv, "%s -A inet6 add %s/%d dev %s", -ROUTE_PATH, -network, -r6->netbits, -device); -if (gateway_needed) +status = true; +if (sitnl_route_v6_add(&r6->network, r6->netbits, + gateway_needed ? &r6->gateway : NULL, device, 0, + metric) < 0) { -argv_printf_cat(&argv, "gw %s", gateway); +msg(M_WARN, "ERROR: Linux IPv6 route can't be added"); +status = false; } -if ( (r6->flags & RT_METRIC_DEFINED) && r6->metric > 0) -{ -argv_printf_cat(&argv, " metric %d", r6->metric); -} -#endif /*ENABLE_IPROUTE*/ -argv_msg(D_ROUTE, &argv); -status = openvpn_execve_check(&argv, es, 0, "ERROR: Linux route -6/-A inet6 add command failed"); #elif defined (TARGET_ANDROID) char out[64]; @@ -2135,6 +2103,7 @@ delete_route(struct route_ipv4 *r, { struct gc_arena gc; struct argv argv = argv_new(); +#if !defined(TARGET_LINUX) const char *network; #if !defined(ENAB
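Review bot: in the add_route() declarations hunk (@@ -1529,13 +1530,17 @@), `const char *iface;` and `int metric;` are added unconditionally while `network`, `netmask` and `gateway` are moved under `#if !defined(TARGET_LINUX)`; since `iface` and `metric` are only assigned and read inside the `#if defined(TARGET_LINUX)` body, every other platform now gets unused-variable warnings from this function. Wrap the two declarations in `#if defined(TARGET_LINUX)`, the mirror of the guard added just above them, or move them into the Linux block itself.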
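Review bot: in the Linux branch of add_route() (@@ -1557,47 +1564,26 @@), the return value of `sitnl_route_v4_add()` is thrown away and the failure is reported as `"ERROR: Linux route add command failed"`, but no command is run any more and the message carries no reason; keep the result in a local and log `strerror(-ret)` (or whatever error convention sitnl uses) so a failing route is diagnosable. Two further points on the same lines: the removed `argv_msg(D_ROUTE, &argv);` was the only place the route being added was logged at D_ROUTE, so an equivalent `msg(D_ROUTE, ...)` with network, netbits, gateway and iface should go before the call; and in the on-link case the old iproute path emitted only `dev %s`, whereas the new call hands sitnl both `&r->gateway` and `iface`, so either sitnl must ignore the gateway whenever iface is set or the caller should pass NULL there to keep behaviour identical.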
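Review bot: in add_route_ipv6() (@@ -1853 and @@ -1918), `const char *gateway;` and the `network` string referenced by the removed argv lines stay in scope on Linux even though the new call uses `&r6->network` and `&r6->gateway` directly, and the new `int metric;` is again declared for all platforms; the IPv4 hunks wrap the unused strings in `#if !defined(TARGET_LINUX)`, so do the same here for consistency and to avoid set-but-unused warnings. As in the IPv4 branch, `sitnl_route_v6_add()`'s return value is dropped before `msg(M_WARN, "ERROR: Linux IPv6 route can't be added")`, and the `argv_msg(D_ROUTE, &argv);` line that showed the route is removed without a replacement log line.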
[Openvpn-devel] [RFC 0/4] add netlink support for Linux
Hi all,

this patchset introduces native netlink support for the Linux platform.

At the moment openvpn operates on the tun interface and on the routing table by directly invoking the "ip" command (or ifconfig/route if nettools is selected at compile time). With this patchset, openvpn would not need to fork new processes to run the "ip" binary any longer, but would directly talk to the kernel by means of the netlink interface.

This means simpler/cleaner code and, possibly, faster execution.

Another important advantage of this change is that the openvpn process will be in charge of directly working with the kernel, thus it can be granted special capabilities so that interface/route operations can be carried out even when running as non-root. Christian Hesse is working on a follow-up patch to properly allow the above.

This patchset also offers a first step towards a refactoring of the tun.c and route.c code.

The idea moving forward is to drop nettools support once this patchset is merged, but to retain support for ip and the --ifconfig/route-noexec options.

Feedback of any type is of course welcome.

This patch is posted as RFC because, as agreed during the last Hackathon, it will be considered for merging only when unit tests are also available. On top of that, several aspects (like allowing iproute2 to still be used) have to be properly implemented.
This code can also be found on GitHub (based on latest master) at: https://github.com/ordex/openvpn/tree/sitnl

Regards,

Antonio Quartulli (4):
  configure: add LINUX conditional variable
  introduce sitnl: Simplified Interface To NetLink
  tun.c: use sitnl to handle tun configuration on Linux
  route.c: use sitnl to handle route configuration on Linux

 configure.ac            |    2 +
 src/openvpn/Makefile.am |    3 +
 src/openvpn/errlevel.h  |    1 +
 src/openvpn/route.c     |  364 +++
 src/openvpn/sitnl.c     | 1195 +++
 src/openvpn/sitnl.h     |  217 +
 src/openvpn/tun.c       |  199 +++-
 7 files changed, 1547 insertions(+), 434 deletions(-)
 create mode 100644 src/openvpn/sitnl.c
 create mode 100644 src/openvpn/sitnl.h

-- 
2.16.3
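As an added example, not code from this patchset, from sitnl or from OpenVPN, the following C program does for one operation what the cover letter describes: it builds an RTM_NEWLINK request and sends it over a NETLINK_ROUTE socket to set an interface MTU, the direct-to-kernel equivalent of forking `ip link set dev <if> mtu <n>`. The function names (`nl_build_set_mtu`, `nl_find_u32_attr`, `nl_send_and_ack`, `set_iface_mtu`) and the buffer size are my own choices; the message layout is the kernel's rtnetlink ABI from <linux/rtnetlink.h>. The builder is kept separate from the send path on purpose: constructing the message needs no privilege, and only the socket operation needs CAP_NET_ADMIN, which is the capability a non-root openvpn would be granted instead of full root.

```c
/*
 * Added example (not part of OpenVPN or sitnl): set an interface MTU via
 * rtnetlink instead of fork()+exec("ip link set ... mtu ...").
 * Build: cc -Wall -o nl_mtu nl_mtu.c   Run: sudo ./nl_mtu tun0 1400
 */
#include <errno.h>
#include <net/if.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

#define NL_BUF_WORDS 64 /* 256 bytes, 4-byte aligned as netlink requires */

/* Append one u32 rtattr to a message being built in a buffer of maxlen bytes. */
static int nl_add_u32_attr(struct nlmsghdr *nlh, size_t maxlen, int type, uint32_t value)
{
    size_t len = RTA_LENGTH(sizeof(value));
    if (NLMSG_ALIGN(nlh->nlmsg_len) + len > maxlen)
        return -ENOBUFS;
    struct rtattr *rta = (struct rtattr *)((char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len));
    rta->rta_type = type;
    rta->rta_len = len;
    memcpy(RTA_DATA(rta), &value, sizeof(value));
    nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + len;
    return 0;
}

/* Build "link set <ifindex> mtu <mtu>": RTM_NEWLINK + ifinfomsg + IFLA_MTU, ack requested. */
int nl_build_set_mtu(void *buf, size_t maxlen, int ifindex, uint32_t mtu)
{
    if (maxlen < NLMSG_SPACE(sizeof(struct ifinfomsg)))
        return -ENOBUFS;
    memset(buf, 0, maxlen);
    struct nlmsghdr *nlh = buf;
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
    nlh->nlmsg_type = RTM_NEWLINK;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    struct ifinfomsg *ifi = NLMSG_DATA(nlh);
    ifi->ifi_family = AF_UNSPEC;
    ifi->ifi_index = ifindex;
    return nl_add_u32_attr(nlh, maxlen, IFLA_MTU, mtu);
}

/* Walk the rtattrs after a fixed header of hdrlen bytes and return the u32 of type. */
int nl_find_u32_attr(struct nlmsghdr *nlh, size_t hdrlen, int type, uint32_t *out)
{
    struct rtattr *rta = (struct rtattr *)((char *)NLMSG_DATA(nlh) + NLMSG_ALIGN(hdrlen));
    int len = nlh->nlmsg_len - NLMSG_LENGTH(hdrlen);
    for (; RTA_OK(rta, len); rta = RTA_NEXT(rta, len)) {
        if (rta->rta_type == type && RTA_PAYLOAD(rta) == sizeof(*out)) {
            memcpy(out, RTA_DATA(rta), sizeof(*out));
            return 0;
        }
    }
    return -ENOENT;
}

/* Send one request and read the kernel's NLMSG_ERROR ack: 0 on success, -errno otherwise.
 * This replaces parsing the exit status of the "ip" child process. */
int nl_send_and_ack(int fd, struct nlmsghdr *req)
{
    uint32_t buf[NL_BUF_WORDS];
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK }; /* nl_pid 0 = kernel */
    if (sendto(fd, req, req->nlmsg_len, 0, (struct sockaddr *)&kernel, sizeof(kernel)) < 0)
        return -errno;
    ssize_t n = recv(fd, buf, sizeof(buf), 0);
    if (n < 0)
        return -errno;
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    if (!NLMSG_OK(nlh, (unsigned int)n) || nlh->nlmsg_type != NLMSG_ERROR)
        return -EPROTO;
    struct nlmsgerr *err = NLMSG_DATA(nlh);
    return err->error; /* 0 is a plain ack, otherwise a negative errno from the kernel */
}

/* The whole operation; needs CAP_NET_ADMIN for the send, nothing else. */
int set_iface_mtu(const char *ifname, uint32_t mtu)
{
    int ifindex = if_nametoindex(ifname);
    if (ifindex == 0)
        return -errno;
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE);
    if (fd < 0)
        return -errno;
    uint32_t buf[NL_BUF_WORDS];
    int ret = nl_build_set_mtu(buf, sizeof(buf), ifindex, mtu);
    if (ret == 0)
        ret = nl_send_and_ack(fd, (struct nlmsghdr *)buf);
    close(fd);
    return ret;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <ifname> <mtu>\n", argv[0]);
        return 1;
    }
    int ret = set_iface_mtu(argv[1], (uint32_t)strtoul(argv[2], NULL, 10));
    if (ret < 0) {
        fprintf(stderr, "set mtu on %s failed: %s\n", argv[1], strerror(-ret));
        return 1;
    }
    return 0;
}
```

Running it unprivileged yields EPERM from `nl_send_and_ack`, which is the case the series' follow-up work on capabilities addresses: `setcap cap_net_admin+ep ./nl_mtu` is enough, no root and no child process whose PATH, environment or argv quoting need to be trusted. The same build/send split carries over to RTM_NEWADDR and RTM_NEWROUTE, which is what the tun.c and route.c patches replace the `ip addr`/`ip route` invocations with.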
[Openvpn-devel] [RFC 3/4] tun.c: use sitnl to handle tun configuration on Linux
Signed-off-by: Antonio Quartulli --- src/openvpn/tun.c | 199 -- 1 file changed, 58 insertions(+), 141 deletions(-) diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 263cacdf..4e0b3f90 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -46,6 +46,7 @@ #include "route.h" #include "win32.h" #include "block_dns.h" +#include "sitnl.h" #include "memdbg.h" @@ -883,10 +884,12 @@ do_ifconfig(struct tuntap *tt, if (tt->did_ifconfig_setup) { bool tun = false; +#if !defined(TARGET_LINUX) const char *ifconfig_local = NULL; const char *ifconfig_remote_netmask = NULL; const char *ifconfig_broadcast = NULL; const char *ifconfig_ipv6_local = NULL; +#endif bool do_ipv6 = false; struct argv argv = argv_new(); @@ -898,18 +901,23 @@ do_ifconfig(struct tuntap *tt, */ tun = is_tun_p2p(tt); +#if !defined(TARGET_LINUX) /* * Set ifconfig parameters */ ifconfig_local = print_in_addr_t(tt->local, 0, &gc); ifconfig_remote_netmask = print_in_addr_t(tt->remote_netmask, 0, &gc); +#endif if (tt->did_ifconfig_ipv6_setup) { +#if !defined(TARGET_LINUX) ifconfig_ipv6_local = print_in6_addr(tt->local_ipv6, 0, &gc); +#endif do_ipv6 = true; } +#if !defined(TARGET_LINUX) /* * If TAP-style device, generate broadcast address. */ @@ -917,6 +925,7 @@ do_ifconfig(struct tuntap *tt, { ifconfig_broadcast = print_in_addr_t(tt->broadcast, 0, &gc); } +#endif #ifdef ENABLE_MANAGEMENT if (management) 
@@ -933,102 +942,43 @@ do_ifconfig(struct tuntap *tt, #if defined(TARGET_LINUX) -#ifdef ENABLE_IPROUTE -/* - * Set the MTU for the device - */ -argv_printf(&argv, -"%s link set dev %s up mtu %d", -iproute_path, -actual, -tun_mtu -); -argv_msg(M_INFO, &argv); -openvpn_execve_check(&argv, es, S_FATAL, "Linux ip link set failed"); - -if (tun) -{ - -/* - * Set the address for the device - */ -argv_printf(&argv, -"%s addr add dev %s local %s peer %s", -iproute_path, -actual, -ifconfig_local, -ifconfig_remote_netmask -); -argv_msg(M_INFO, &argv); -openvpn_execve_check(&argv, es, S_FATAL, "Linux ip addr add failed"); -} -else +if (sitnl_iface_mtu_set(actual, tun_mtu) < 0) { -argv_printf(&argv, -"%s addr add dev %s %s/%d broadcast %s", -iproute_path, -actual, -ifconfig_local, -netmask_to_netbits2(tt->remote_netmask), -ifconfig_broadcast -); -argv_msg(M_INFO, &argv); -openvpn_execve_check(&argv, es, S_FATAL, "Linux ip addr add failed"); +msg(M_FATAL, "Linux can't set mtu (%d) on %s", tun_mtu, actual); } -if (do_ipv6) + +if (sitnl_iface_up(actual, true) < 0) { -argv_printf( &argv, - "%s -6 addr add %s/%d dev %s", - iproute_path, - ifconfig_ipv6_local, - tt->netbits_ipv6, - actual - ); -argv_msg(M_INFO, &argv); -openvpn_execve_check(&argv, es, S_FATAL, "Linux ip -6 addr add failed"); +msg(M_FATAL, "Linux can't bring %s up", actual); } -tt->did_ifconfig = true; -#else /* ifdef ENABLE_IPROUTE */ + if (tun) { -argv_printf(&argv, -"%s %s %s pointopoint %s mtu %d", -IFCONFIG_PATH, -actual, -ifconfig_local, -ifconfig_remote_netmask, -tun_mtu -); +if (sitnl_addr_ptp_v4_add(actual, &tt->local, + &tt->remote_netmask) < 0) +{ +msg(M_FATAL, "Linux can't add IP to TUN interface %s", actual); +} } else { -argv_printf(&argv, -"%s %s %s netmask %s mtu %d broadcast %s", -IFCONFIG_PATH, -actual, -ifconfig_local, -ifconfig_remote_netmask, -tun_mtu, -ifconfig_broadcast -); +
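Review bot: the do_ifconfig() declarations hunk (@@ -883,10 +884,12 @@ and the following context) leaves four separate `#if !defined(TARGET_LINUX)` islands, one around the `ifconfig_*` declarations, one around the two `print_in_addr_t` calls, one around `ifconfig_ipv6_local` and one around the broadcast string, interleaved with code that stays common; that is hard to read and easy to break when the next platform moves to a native API. Prefer computing these strings inside the non-Linux branches that actually use them, or at least collapse the guards into one block once `do_ipv6` and the TAP/TUN mode are known.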
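Review bot: the Linux block of do_ifconfig() (@@ -933,102 +942,43 @@) removes `tt->did_ifconfig = true;` from the old iproute branch and none of the visible `+` lines re-sets it; unless it is assigned after the sitnl calls (the hunk is cut off before the end of the block), whatever consults `did_ifconfig` later will treat the interface as never configured. On the same lines, the three `M_FATAL` messages discard the sitnl return value, so a failure such as EPERM when the process lacks CAP_NET_ADMIN prints only "Linux can't set mtu (%d) on %s"; store the result and append `strerror(-ret)`, and add an `msg(M_INFO, ...)` with the address, netbits and MTU to stand in for the removed `argv_msg(M_INFO, &argv);` lines that used to show the user exactly what was configured.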
Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.
Hello,

Jonathan K. Bullard, on Sun, 01 Apr 2018 06:17:55 -0400, wrote:
> Either way, can anyone give an approximate release date for 2.5, so we
> can have a time frame for the change? (Even a "not before" date would
> be very helpful in evaluating the impact of these proposed changes.)

I guess it'll be "not before" tomorrow.

Samuel
Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.
Hi,

On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering wrote:
> As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
> be IPv6-only. Removal of IPv4-related code and options will dramatically
> reduce code complexity, confusing options, bugs and user questions.
>
> Add deprecation warnings for IPv4-related config options to 2.4 branch,
> so users have enough time to move their setups to work on IPv6-only
> before 2.5 will be released.

Are you proposing to remove all IPv4 support from OpenVPN 2.5, so that an IPv6 connection will be required and an IPv4-only connection will not work? Or is this about removing IPv4-only options and code and leaving options and code that work for either IPv4 or IPv6, so users could continue to have an IPv4-only setup by changing the names of a few options in their configuration files?

Either way, can anyone give an approximate release date for 2.5, so we can have a time frame for the change? (Even a "not before" date would be very helpful in evaluating the impact of these proposed changes.)

Best regards,

Jon Bullard
(Tunnelblick developer)