Re: [Openvpn-devel] route / route-ipv6 can not be used in ccd
David Sommerseth, on Wed 10 Feb 2016 01:56:57 +0100, wrote:
> > 2 minutes after the client disconnected, which would probably be fine
> > enough for our use case.
>
> If you use --proto udp, then it can take up to --ping-reset $SEC to trigger
> (IIRC). You can use explicit-exit-notify to avoid this behaviour.

Apparently I forgot to uncomment the option, indeed.

Samuel
Re: [Openvpn-devel] route / route-ipv6 can not be used in ccd
On 09/02/16 13:45, Samuel Thibault wrote:
> Gert Doering, on Tue 09 Feb 2016 12:58:26 +0100, wrote:
>> On Tue, Feb 09, 2016 at 11:58:39AM +0100, Samuel Thibault wrote:
>>> I have tried putting
>>>
>>> iroute-ipv6 2a01:474:5:1100::/56
>>>
>>> in the ccd, but from the learn-address script the environment does not
>>> contain this route.
>>
>> --learn-address cmd
>>     Run command cmd to validate client virtual addresses or routes.
>>     ...
>>     Three arguments will be appended to any arguments in cmd as follows:
>
> D'oh.
>
> Busy people talking to busy people :) I didn't even take the time to
> check that, sorry.
>
> I indeed see the learn-address script called with
>
> add 2a01:474:5:1100::/56 samuel.thibault.test
>
> And seen it called with
>
> delete 2a01:474:5:1100::/56 samuel.thibault.test
>
> 2 minutes after the client disconnected, which would probably be fine
> enough for our use case.

If you use --proto udp, then it can take up to --ping-reset $SEC to trigger
(IIRC). You can use explicit-exit-notify to avoid this behaviour. With this
option set, the client will tell the server "I'm disconnecting now", which
will trigger the --learn-address script instantly. This option is not useful
in TCP mode, as explicit disconnect is part of the TCP protocol.

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] route / route-ipv6 can not be used in ccd
Hello,

Gert Doering, on Tue 09 Feb 2016 10:28:21 +0100, wrote:
> Alternatively, using
> --learn-address might actually be much easier than --client-connect, as
> it will already tell you which networks are "new for this client" - from
> the description, I'm fairly sure it handles iroute/iroute-ipv6 as well,
> but for whatever reason I've never actually used this combination...

That works indeed:

#!/bin/bash
# learn-address hook: OpenVPN passes operation, address/route and common name
add_del="$1"
route="$2"
cname="$3"
# OpenVPN sends "update" for a modified entry; ip(8) calls that "replace"
[ "$add_del" = update ] && add_del=replace
# an address containing ':' is IPv6 (tun mode; tap-mode MACs are not handled)
case "$route" in
  *:*) six=-6 ;;
  *) six="" ;;
esac
# $dev is exported by OpenVPN (tun0 or tun1 in this setup)
if [ -n "$dev" ]
then
  device="dev $dev"
else
  device=""
fi
ip $six route "$add_del" "$route" $device

Samuel
Re: [Openvpn-devel] route / route-ipv6 can not be used in ccd
Gert Doering, on Tue 09 Feb 2016 12:58:26 +0100, wrote:
> On Tue, Feb 09, 2016 at 11:58:39AM +0100, Samuel Thibault wrote:
> > I have tried putting
> >
> > iroute-ipv6 2a01:474:5:1100::/56
> >
> > in the ccd, but from the learn-address script the environment does not
> > contain this route.
>
> --learn-address cmd
>     Run command cmd to validate client virtual addresses or routes.
>     ...
>     Three arguments will be appended to any arguments in cmd as follows:

D'oh.

Busy people talking to busy people :) I didn't even take the time to
check that, sorry.

I indeed see the learn-address script called with

add 2a01:474:5:1100::/56 samuel.thibault.test

And seen it called with

delete 2a01:474:5:1100::/56 samuel.thibault.test

2 minutes after the client disconnected, which would probably be fine
enough for our use case.

Thanks,
Samuel
Re: [Openvpn-devel] route / route-ipv6 can not be used in ccd
Hi,

On Tue, Feb 09, 2016 at 11:58:39AM +0100, Samuel Thibault wrote:
> I have tried putting
>
> iroute-ipv6 2a01:474:5:1100::/56
>
> in the ccd, but from the learn-address script the environment does not
> contain this route.

--learn-address cmd
    Run command cmd to validate client virtual addresses or routes.
    ...
    Three arguments will be appended to any arguments in cmd as follows:

    [1] operation -- "add", "update", or "delete" based on whether or not
        the address is being added to, modified, or deleted from OpenVPN's
        internal routing table.

    [2] address -- The address being learned or unlearned. This can be an
        IPv4 address such as "198.162.10.14", an IPv4 subnet such as
        "198.162.10.0/24", or an ethernet MAC address (when --dev tap is
        being used) such as "00:FF:01:02:03:04".
    ...

"it's not in the environment" :-)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
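Since --learn-address is documented above as the hook that *validates* client addresses and routes, the script is also the place to refuse anything that is not a clean address before it reaches ip(8). The following is an added example, not a script posted to the list: it classifies the address argument, maps OpenVPN's "update" to ip's "replace", and only builds the command when operation, address and interface pass; $dev is assumed to be the interface name OpenVPN exports (tun0 or tun1 in this setup).

```shell
#!/bin/sh
# Added example, not the list's script: a --learn-address hook that checks
# OpenVPN's three arguments (operation, address, common name; see the manpage
# excerpt above) before building the ip(8) command. $dev is the interface
# OpenVPN exports to scripts (assumed here; with two daemons, tun0 or tun1).

h='[0-9a-fA-F]'

# Print "4" or "6" for a clean IPv4/IPv6 host or prefix; return 1 for
# anything else (shell metacharacters, bad prefix length, tap-mode MACs).
addr_family() {
    a=$1
    case "$a" in ""|/*|*/|*/*/*|$h$h:$h$h:$h$h:$h$h:$h$h:$h$h) return 1 ;; esac
    plen=${a#*/}
    [ "$plen" = "$a" ] && plen=""          # no "/len" suffix given
    case "$plen" in *[!0-9]*) return 1 ;; esac
    case "$a" in
        *[!0-9./]*)                        # anything beyond dotted-decimal
            case "$a" in *[!0-9a-fA-F:./]*) return 1 ;; *:*) ;; *) return 1 ;; esac
            [ -n "$plen" ] && [ "$plen" -gt 128 ] && return 1
            echo 6 ;;
        *)
            [ -n "$plen" ] && [ "$plen" -gt 32 ] && return 1
            echo 4 ;;
    esac
}

# Print the ip(8) command for one event; return 1 (OpenVPN then rejects the
# address) when the operation, address or interface name is not acceptable.
route_cmd() {
    op=$1 addr=$2 ifname=$3
    fam=$(addr_family "$addr") || return 1
    case "$op" in
        add)    verb=add ;;
        update) verb=replace ;;   # ip(8) has no "update"; replace is the equivalent
        delete) verb=delete ;;
        *)      return 1 ;;
    esac
    case "$ifname" in ""|*[!a-zA-Z0-9_.-]*) return 1 ;; esac
    v6=""
    [ "$fam" = 6 ] && v6="-6 "
    echo "ip ${v6}route $verb $addr dev $ifname"
}

# Entry point when OpenVPN runs the hook with its three arguments.
if [ $# -eq 3 ]; then
    cmd=$(route_cmd "$1" "$2" "${dev:-}") || { echo "learn-address: rejected $1 $2 ($3)" >&2; exit 1; }
    $cmd    # plain word splitting; every token was validated above
fi
```

A non-zero exit makes OpenVPN drop the address, so a client whose ccd or negotiated address does not look like a route never gets one installed on the wrong tun.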
Re: [Openvpn-devel] route / route-ipv6 can not be used in ccd
Hi,

On Tue, Feb 09, 2016 at 11:55:44AM +0100, Jan Just Keijser wrote:
> > Could you test and report whether --learn-address does the job for you?
>
> a 'learn-address' script is an entirely different beast than a
> 'client-connect' script: you cannot write out new openvpn directives in
> a 'learn-address' script. In both a 'client-connect' script (not a CCD
> file) and in a 'learn-address' script you can add routes to the system
> routing table provided that you're not running with "user nobody" - it's
> just that you cannot use the "normal" openvpn stuff for this.

The main difference (in relevance to this thread) is that --learn-address
will *tell* the script what routes might be required for a specific client,
while --client-connect would have to do some sort of database lookup...

Or are iroutes exported? Manpage doesn't mention anything in that regard.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [Openvpn-devel] route / route-ipv6 can not be used in ccd
Gert Doering, on Tue 09 Feb 2016 11:46:25 +0100, wrote:
> On Tue, Feb 09, 2016 at 11:15:33AM +0100, Samuel Thibault wrote:
> > Gert Doering, on Tue 09 Feb 2016 10:28:21 +0100, wrote:
> > > On Mon, Feb 08, 2016 at 10:39:29PM +0100, Samuel Thibault wrote:
> > > > Is there a reason for not being allowed to set route / route-ipv6
> > > > options in the ccd?
> > >
> > > "Nobody has implemented it yet" - plain and simple...
> >
> > Ok :)
>
> Could you test and report whether --learn-address does the job for you?

I have tried putting

iroute-ipv6 2a01:474:5:1100::/56

in the ccd, but from the learn-address script the environment does not
contain this route.

Samuel
Re: [Openvpn-devel] route / route-ipv6 can not be used in ccd
Hi,

On 09/02/16 11:46, Gert Doering wrote:
> On Tue, Feb 09, 2016 at 11:15:33AM +0100, Samuel Thibault wrote:
>> Gert Doering, on Tue 09 Feb 2016 10:28:21 +0100, wrote:
>>> On Mon, Feb 08, 2016 at 10:39:29PM +0100, Samuel Thibault wrote:
>>>> Is there a reason for not being allowed to set route / route-ipv6
>>>> options in the ccd?
>>>
>>> "Nobody has implemented it yet" - plain and simple...
>>
>> Ok :)
>
> Could you test and report whether --learn-address does the job for you?
>
> I think this would be a useful result to have in the list archives :-)

a 'learn-address' script is an entirely different beast than a
'client-connect' script: you cannot write out new openvpn directives in
a 'learn-address' script. In both a 'client-connect' script (not a CCD
file) and in a 'learn-address' script you can add routes to the system
routing table provided that you're not running with "user nobody" - it's
just that you cannot use the "normal" openvpn stuff for this.

JJK
Re: [Openvpn-devel] route / route-ipv6 can not be used in ccd
Hi,

On Tue, Feb 09, 2016 at 11:15:33AM +0100, Samuel Thibault wrote:
> Gert Doering, on Tue 09 Feb 2016 10:28:21 +0100, wrote:
> > On Mon, Feb 08, 2016 at 10:39:29PM +0100, Samuel Thibault wrote:
> > > Is there a reason for not being allowed to set route / route-ipv6
> > > options in the ccd?
> >
> > "Nobody has implemented it yet" - plain and simple...
>
> Ok :)

Could you test and report whether --learn-address does the job for you?

I think this would be a useful result to have in the list archives :-)

thanks,

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [Openvpn-devel] route / route-ipv6 can not be used in ccd
Samuel Thibault, on Mon 08 Feb 2016 22:39:29 +0100, wrote:
> We could of course use the --up script to set the routes,

Oops, sorry, I didn't mean --up, but client-connect of course.

Samuel
[Openvpn-devel] route / route-ipv6 can not be used in ccd
Hello,

Is there a reason for not being allowed to set route / route-ipv6
options in the ccd?

Here is our need: we have two openvpn daemons running on the same
server, one in udp mode, the other in tcp mode. Both have the same
configuration, that setup is meant for our users to use whichever
happens to be working from their network, preferring udp whenever
possible. The server thus has tun0 and tun1.

Our users may have some additional IPs routed to them, so we record
these in the ccd files, for instance:

iroute-ipv6 2a01:474:5:100::/56
route-ipv6 2a01:474:5:100::/56

However, while iroute-ipv6 is accepted by openvpn, route-ipv6 is not
accepted:

samuel.thibault/:::83.200.171.86 Options error: option 'route-ipv6' cannot be used in this context

The problem is that since one can not know in advance which openvpn
daemon users will connect to (and thus which of tun0 or tun1 should have
the route), we can not set these routes statically before the users
connect. We could of course use the --up script to set the routes, but
it looks much simpler and straightforward to set it from the ccd, since
we need to set the iroute there already anyway.

Samuel