Re: [Openvpn-devel] p2p topology on Windows
On Fri, 2016-09-30 at 10:11 +0200, Jan Just Keijser wrote:
>
> I'm still grappling for the "killer use case" for this - yes, it would be
> nice to implement support on all platforms for all
> modes, **BUT** I don't think anybody actually uses 'topology p2p' at this
> moment (because Windows clients don't support it -
> catch 22).
> How would client routing become easier in this case compared to 'topology
> subnet' ? you will still need to set some routes on
> the client side - all of which can also be set in subnet mode.
> Also, in theory you don't have to put a client inside the server-side network
> (/24) range in any mode - it's just a matter of
> setting the right routing rules on both client and server, regardless of the
> mode (net30, p2p or subnet).

It's not so much about the IP addresses you *do* want to route; it's more about the ones you *don't*.

Let's say that for whatever reason (rehoming, connecting to another RFC1918 network with conflicting address ranges, whatever) I have a specific IP address like 192.168.0.95 which is for use on the VPN (and talking to selected hosts on that VPN).

On Windows, the *smallest* netmask I can use with that IP address would be a /26. Because any narrower netmask would result in Windows refusing to configure it — on the basis that .95 would be the *broadcast* address for such a subnet.

So now I have a /26 and I end up routing every IP address between 192.168.0.64 and 192.168.0.127 onto the VPN, when some of those might be IP addresses that I need to talk to on the *local* network.

Sure, if you have completely free choice of IP addresses, you'd choose something else like 192.168.0.94 and then you *could* have a /30 and "only" waste three IP addresses for it. But maybe you can't. Or maybe even those three IP addresses are IP addresses we *really* need to talk to on the local network, not the remote.

> Finally, in view of the fact that I seem to be the only one
> responding to this thread, I'm afraid that not too many people are
> getting enthusiastic ...

Seems that way :)

So my ulterior motive is this... I am using the TAP-Windows driver in a way which you don't. In the TAP_IOCTL_CONFIG_TUN ioctl I basically *ignore* the VPN netmask settings, and set both the network and mask to 0.0.0.0 as I described in my first message in this thread:
http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/95da6b6cd15d574

Then all the VPN routes can be added as On-link routes by specifying the interface index.

I'd be *happier* if OpenVPN had a mode that used the driver this way too; then I wouldn't keep waking up in the night in a cold sweat, having dreamt that you broke it and I couldn't even ship a signed driver that makes it work again...

I was hoping that saying "hey, you can fix your p2p mode which you document as broken on Windows for no good reason" would tempt you into actually doing it. Maybe it'll still work if I submit a patch myself to fix it. :)

-- 
dwmw2

-- 
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
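The .95 / /26 arithmetic in the message above can be checked mechanically. The following is an added example, not code from the thread, OpenVPN or OpenConnect: it models the Windows rule as David describes it (the interface address may not be the broadcast, or network, address of the subnet the mask implies), finds the longest prefix that survives that rule, and reports which addresses get swept onto the VPN route as a result. The rule itself and the exclusion of /31 and /32 are assumptions of the model.

```python
import ipaddress


def smallest_acceptable_prefix(host: str) -> int:
    """Longest prefix length at which `host` is neither the network nor the
    broadcast address of the subnet that prefix implies.
    Assumption: /31 and /32 are not on the table (the thread reasons about
    /30 and wider), so the search starts at /30 and widens from there."""
    addr = ipaddress.IPv4Address(host)
    for prefix in range(30, 0, -1):
        net = ipaddress.IPv4Network((int(addr), prefix), strict=False)
        if addr not in (net.network_address, net.broadcast_address):
            return prefix
    raise ValueError(f"no usable prefix for {host}")


def vpn_sweep(host: str, local_hosts=()) -> dict:
    """Describe what the smallest acceptable mask drags onto the VPN route:
    the subnet, how many *other* addresses it contains, and which of
    `local_hosts` (addresses that must stay reachable on the LAN) fall in it."""
    prefix = smallest_acceptable_prefix(host)
    net = ipaddress.IPv4Network((host, prefix), strict=False)
    clashes = [h for h in local_hosts if ipaddress.IPv4Address(h) in net]
    return {
        "prefix": prefix,
        "subnet": str(net),
        "extra_addresses": net.num_addresses - 1,
        "local_clashes": clashes,
    }


if __name__ == "__main__":
    # Constructed sample: the VPN address from the thread plus two LAN hosts.
    lan = ["192.168.0.70", "192.168.0.200"]
    for ip in ("192.168.0.95", "192.168.0.94", "192.168.0.127"):
        print(ip, vpn_sweep(ip, lan))
```

For 192.168.0.95 this yields /26 with 63 other addresses swept onto the tunnel, for 192.168.0.94 the /30 with three, and for an x.x.x.127 address the whole /24, matching the three cases argued in the thread.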
Re: [Openvpn-devel] p2p topology on Windows
Hi David,

On 26/09/16 14:08, David Woodhouse wrote:
> On Mon, 2016-09-26 at 13:34 +0200, Jan Just Keijser wrote:
>> this sounds like a typical use case for "assign a public IP address".
>> This is already possible with topology subnet and some special config
>> stuff on the server side, e.g.
>> - give the openvpn server an IP range that overlaps with existing
>> (server-side) IP space
>> - don't assign address from a large DHCP pool, but use a client-connect
>> script to assign an address per certificate
>> - use proxy arp and some routing tricks to ensure that all client
>> traffic is routed properly via the server.
> Ewww! But OK, yes I suppose that can work in most cases — at least for
> the server's routing.
>
> It still leaves the client routing more than it should down the VPN,
> and for some client IP addresses like x.x.x.127 you end up needing much
> more than a /30 — Windows won't let you have that IP address on the
> client side unless you use a netmask wide enough that it wouldn't be
> the broadcast address, so you have to send a whole /24 down the VPN
> from the client. When you only actually wanted *one* IP address to be
> routed that way. An IP address which might not even be in that /24
> subnet, in the general case of a p2p setup.
>
>> the one thing I'm afraid of with your new type of p2p addressing is that
>> we'd introduce yet-another topology system: net30, "old" p2p, subnet and
>> now "new" p2p - or would this simply be an extension of the never-used
>> "old" p2p topology?
> It wouldn't even be "an extension". It is *precisely* the original p2p
> mode. It would simply be a case of "this never used to work on Windows;
> now it does".

I'm still grappling for the "killer use case" for this - yes, it would be nice to implement support on all platforms for all modes, **BUT** I don't think anybody actually uses 'topology p2p' at this moment (because Windows clients don't support it - catch 22).

How would client routing become easier in this case compared to 'topology subnet'? You will still need to set some routes on the client side - all of which can also be set in subnet mode.

Also, in theory you don't have to put a client inside the server-side network (/24) range in any mode - it's just a matter of setting the right routing rules on both client and server, regardless of the mode (net30, p2p or subnet).

Finally, in view of the fact that I seem to be the only one responding to this thread, I'm afraid that not too many people are getting enthusiastic ...

cheers,

JJK
Re: [Openvpn-devel] p2p topology on Windows
On Mon, 2016-09-26 at 13:34 +0200, Jan Just Keijser wrote:
>
> this sounds like a typical use case for "assign a public IP address".
> This is already possible with topology subnet and some special config
> stuff on the server side, e.g.
> - give the openvpn server an IP range that overlaps with existing
> (server-side) IP space
> - don't assign address from a large DHCP pool, but use a client-connect
> script to assign an address per certificate
> - use proxy arp and some routing tricks to ensure that all client
> traffic is routed properly via the server.

Ewww! But OK, yes I suppose that can work in most cases — at least for the server's routing.

It still leaves the client routing more than it should down the VPN, and for some client IP addresses like x.x.x.127 you end up needing much more than a /30 — Windows won't let you have that IP address on the client side unless you use a netmask wide enough that it wouldn't be the broadcast address, so you have to send a whole /24 down the VPN from the client. When you only actually wanted *one* IP address to be routed that way. An IP address which might not even be in that /24 subnet, in the general case of a p2p setup.

> the one thing I'm afraid of with your new type of p2p addressing is that
> we'd introduce yet-another topology system: net30, "old" p2p, subnet and
> now "new" p2p - or would this simply be an extension of the never-used
> "old" p2p topology?

It wouldn't even be "an extension". It is *precisely* the original p2p mode. It would simply be a case of "this never used to work on Windows; now it does".

-- 
dwmw2
Re: [Openvpn-devel] p2p topology on Windows
Hi David,

On 25/09/16 17:31, David Woodhouse wrote:
> On Sun, 2016-09-25 at 16:40 +0200, Jan Just Keijser wrote:
>> thanks for clarifying - but with OpenVPN 2.4 the default topology mode
>> will be 'subnet topology', in which we also assign a single IP address
>> to each client. Is there a (fundamental) difference between these two?
> Subnet topology is nice if you *have* a subnet. At least you only
> "waste" one network and one broadcast address for your entire subnet,
> rather than wasting three IP addresses per client as with the 'net30'
> topology.
>
> But still the true point-to-point mode allows absolutely *no* wastage,
> and can be used in circumstances where you really *can't* just dedicate
> a subnet to the purpose. If you have a thousand clients, then sure the
> wastage of the subnet topology is in the noise. If you have just one
> client then it's just the same as net30, because that's what you
> actually end up doing.
>
> One example that comes to mind is if a machine is being rehomed from a
> known IP address on a given subnet, but which still needs to be
> reachable on its original IP address. Another machine on the original
> subnet can be set up to do proxy ARP for it on the real Ethernet, and
> route its packets over OpenVPN... but you can't just use that subnet
> for the VPN.
>
> But mainly it just offends me that this is supported on other
> platforms, but it *doesn't* work on Windows and I think it could.

Thanks for clarifying. This sounds like a typical use case for "assign a public IP address". This is already possible with topology subnet and some special config stuff on the server side, e.g.
- give the openvpn server an IP range that overlaps with existing (server-side) IP space
- don't assign address from a large DHCP pool, but use a client-connect script to assign an address per certificate
- use proxy arp and some routing tricks to ensure that all client traffic is routed properly via the server.

The one thing I'm afraid of with your new type of p2p addressing is that we'd introduce yet-another topology system: net30, "old" p2p, subnet and now "new" p2p - or would this simply be an extension of the never-used "old" p2p topology?

cheers,

JJK
Re: [Openvpn-devel] p2p topology on Windows
On Sun, 2016-09-25 at 16:40 +0200, Jan Just Keijser wrote:
>
> thanks for clarifying - but with OpenVPN 2.4 the default topology mode
> will be 'subnet topology', in which we also assign a single IP address
> to each client. Is there a (fundamental) difference between these two?

Subnet topology is nice if you *have* a subnet. At least you only "waste" one network and one broadcast address for your entire subnet, rather than wasting three IP addresses per client as with the 'net30' topology.

But still the true point-to-point mode allows absolutely *no* wastage, and can be used in circumstances where you really *can't* just dedicate a subnet to the purpose. If you have a thousand clients, then sure the wastage of the subnet topology is in the noise. If you have just one client then it's just the same as net30, because that's what you actually end up doing.

One example that comes to mind is if a machine is being rehomed from a known IP address on a given subnet, but which still needs to be reachable on its original IP address. Another machine on the original subnet can be set up to do proxy ARP for it on the real Ethernet, and route its packets over OpenVPN... but you can't just use that subnet for the VPN.

But mainly it just offends me that this is supported on other platforms, but it *doesn't* work on Windows and I think it could. :)

-- 
dwmw2
Re: [Openvpn-devel] p2p topology on Windows
Hi David,

On 24/09/16 01:21, David Woodhouse wrote:
> On Sat, 2016-09-24 at 00:01 +0200, Jan Just Keijser wrote:
>> sorry for asking, but what's the use case for this?
> The use case for point-to-point? It allows you to use a single IP
> address per client instead of having to set aside a whole /30 subnet
> per client as with the 'net30' mode.
>
> (And in my case, because some Cisco servers end up being configured
> thus, their own client copes with it under Windows and users were
> complaining.)

Thanks for clarifying - but with OpenVPN 2.4 the default topology mode will be 'subnet topology', in which we also assign a single IP address to each client. Is there a (fundamental) difference between these two?

cheers,

JJK
Re: [Openvpn-devel] p2p topology on Windows
I may be wrong, but this sounds suspiciously like what we use Gava's client-nat patch for. To enable us to NAT the device's local IP to the one assigned dynamically by openvpn (dhcp).

Marvin

Sent from my iPhone

> On Sep 23, 2016, at 4:21 PM, David Woodhouse wrote:
>
>> On Sat, 2016-09-24 at 00:01 +0200, Jan Just Keijser wrote:
>>
>> sorry for asking, but what's the use case for this?
>
> The use case for point-to-point? It allows you to use a single IP
> address per client instead of having to set aside a whole /30 subnet
> per client as with the 'net30' mode.
>
> (And in my case, because some Cisco servers end up being configured
> thus, their own client copes with it under Windows and users were
> complaining.)
>
>> And you say "configure it with the local IP address" - which address is
>> that? the address that OpenVPN assigns? or the address of a local
>> adapter on the Windows host?
>
> The address that OpenVPN assigns.
>
> --
> dwmw2
Re: [Openvpn-devel] p2p topology on Windows
On Sat, 2016-09-24 at 00:01 +0200, Jan Just Keijser wrote:
>
> sorry for asking, but what's the use case for this?

The use case for point-to-point? It allows you to use a single IP address per client instead of having to set aside a whole /30 subnet per client as with the 'net30' mode.

(And in my case, because some Cisco servers end up being configured thus, their own client copes with it under Windows and users were complaining.)

> And you say "configure it with the local IP address" - which address is
> that? the address that OpenVPN assigns? or the address of a local
> adapter on the Windows host?

The address that OpenVPN assigns.

-- 
dwmw2
Re: [Openvpn-devel] p2p topology on Windows
Hi David,

On 23/09/16 23:34, David Woodhouse wrote:
> I believe I have P2P working on a Windows (8.1) client (with
> OpenConnect, but I don't see why it can't work for OpenVPN).
>
> I configure the TAP device (with TAP_IOCTL_CONFIG_TUN) with the local
> IP address, and with network and netmask both of 0.0.0.0.
>
> (AIUI this network/mask has nothing to do with Windows routing, and
> purely affects which IP addresses the device driver will fake ARP
> responses for. Setting them to zero means that the device driver does
> proxy ARP for *everything*, and you can add them all as 'On-link'
> routes.)
>
> Having done that, I can configure the local IP address and point-to-point
> route in Windows (8.1) by running:
>
> netsh interface ip set address $IFINDEX static $LOCALIP
> route add $REMOTEIP mask 255.255.255.255 0.0.0.0 if $IFINDEX
>
> Can we get p2p routing working in Windows that way or am I missing
> something? It seems to be working here...
>

Sorry for asking, but what's the use case for this? And you say "configure it with the local IP address" - which address is that? The address that OpenVPN assigns? Or the address of a local adapter on the Windows host?

JJK
[Openvpn-devel] p2p topology on Windows
I believe I have P2P working on a Windows (8.1) client (with OpenConnect, but I don't see why it can't work for OpenVPN).

I configure the TAP device (with TAP_IOCTL_CONFIG_TUN) with the local IP address, and with network and netmask both of 0.0.0.0.

(AIUI this network/mask has nothing to do with Windows routing, and purely affects which IP addresses the device driver will fake ARP responses for. Setting them to zero means that the device driver does proxy ARP for *everything*, and you can add them all as 'On-link' routes.)

Having done that, I can configure the local IP address and point-to-point route in Windows (8.1) by running:

  netsh interface ip set address $IFINDEX static $LOCALIP
  route add $REMOTEIP mask 255.255.255.255 0.0.0.0 if $IFINDEX

Can we get p2p routing working in Windows that way or am I missing something? It seems to be working here...

-- 
dwmw2