[Openvpn-devel] [RFC 3/4] tun.c: use sitnl to handle tun configuration on Linux

2018-04-01 Thread Antonio Quartulli
Signed-off-by: Antonio Quartulli --- src/openvpn/tun.c | 199 -- 1 file changed, 58 insertions(+), 141 deletions(-) diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 263cacdf..4e0b3f90 100644 --- a/src/openvpn/tun.c

Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Selva Nair
Hi, On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering wrote: > As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will > be IPv6-only. Removal of IPv4-related code and options will dramatically > reduce code complexity, confusing options, bugs and user questions. >

[Openvpn-devel] [RFC 2/4] introduce sitnl: Simplified Interface To NetLink

2018-04-01 Thread Antonio Quartulli
This patch introduces a tiny netlink interface, optimized for the openvpn use case. It basically exposes all those operations that are currently handled by directly calling the /sbin/ip command (or even ifconfig/route, if configured). By using netlink, openvpn won't need to spawn new processes

[Openvpn-devel] [RFC 0/4] add netlink support for Linux

2018-04-01 Thread Antonio Quartulli
Hi all, this patchset introduces native netlink support for the Linux platform. At the moment openvpn operates on the tun interface and on the routing table by directly invoking the "ip" command (or ifconfig/route if nettools is selected at compile time). With this patchset, openvpn would not

[Openvpn-devel] [RFC 4/4] route.c: use sitnl to handle route configuration on Linux

2018-04-01 Thread Antonio Quartulli
Signed-off-by: Antonio Quartulli --- src/openvpn/route.c | 364 ++-- 1 file changed, 71 insertions(+), 293 deletions(-) diff --git a/src/openvpn/route.c b/src/openvpn/route.c index 8990a986..4b398366 100644 ---

[Openvpn-devel] [RFC 1/4] configure: add LINUX conditional variable

2018-04-01 Thread Antonio Quartulli
This variable is helpful when the configure script has to take actions that are strictly limited to the LINUX platform, as required by the introduction of netlink support. Signed-off-by: Antonio Quartulli --- configure.ac | 2 ++ 1 file changed, 2 insertions(+) diff --git

Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Gert Doering
Hi, On Sun, Apr 01, 2018 at 10:19:37AM -0400, Selva Nair wrote: > On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering wrote: > > > As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will > > be IPv6-only. Removal of IPv4-related code and options will dramatically > >

Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Jonathan K. Bullard
Hi, On Sun, Apr 1, 2018 at 11:34 AM, Gert Doering wrote: > Hi, > > On Sun, Apr 01, 2018 at 10:19:37AM -0400, Selva Nair wrote: >> On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering wrote: >> >> > As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5

[Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Gert Doering
As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will be IPv6-only. Removal of IPv4-related code and options will dramatically reduce code complexity, confusing options, bugs and user questions. Add deprecation warnings for IPv4-related config options to 2.4 branch, so users have

Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Jonathan K. Bullard
Hi, On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering wrote: > As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will > be IPv6-only. Removal of IPv4-related code and options will dramatically > reduce code complexity, confusing options, bugs and user questions. >

Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Samuel Thibault
Hello, Jonathan K. Bullard, on dim. 01 avril 2018 06:17:55 -0400, wrote: > Either way, can anyone give an approximate release date for 2.5, so we > can have a time frame for the change? (Even a "not before" date would > be very helpful in evaluating the impact of these proposed changes.) I guess

Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Gert Doering
Hi, On Sun, Apr 01, 2018 at 12:21:53PM -0700, Marvin Adeff wrote: > I had not considered the extra work and code required to maintain both > versions. But I get it now. Here is the unfortunate position this puts us in: [..] Well, that part of my e-mail was a bit of frustration speaking - I've

Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Gert Doering
Hi, On Sun, Apr 01, 2018 at 11:19:57AM -0700, Marvin Adeff wrote: > Think of us poor mail list lurkers. Practically gave this one a heart attack! > Not having seen that private reply, I hope that means I can discard the > long-ass (and quite irate) reply I was working on? Please share! >

Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Marvin Adeff
Gert, Without invalidating the reason for your frustration, I am breathing a sigh of relief. As a complete aside, in some ways ipv4 is actually more useful to me in my work. In a private network I can tell where in the network the traffic is coming from. Even on the internet I can tell

Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Antonio Quartulli
On 02/04/18 10:12, Marvin Adeff wrote: > Even on the internet I can tell country, ISP etc. Very useful for security > ACLs etc. Unless I’m completely mistaken, I don’t believe this is easily done > in ipv6. mostly because at this very moment Tunnel Brokers are widely used and they act as a

Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Marvin Adeff
Think of us poor mail list lurkers. Practically gave this one a heart attack! Not having seen that private reply, I hope that means I can discard the long-ass (and quite irate) reply I was working on? Marvin (Sent from an ipv4 address) > On Apr 1, 2018, at 8:52 AM, Jonathan K. Bullard

Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Marvin Adeff
Ok, I’ll only discard the irate part ;-] I had not considered the extra work and code required to maintain both versions. But I get it now. Here is the unfortunate position this puts us in: We use OpenVPN for connection from 1000’s of devices located at customer facilities back to us. These

[Openvpn-devel] [RFC 2/3] systemd: do not downgrade UID/GID

2018-04-01 Thread Christian Hesse
From: Christian Hesse Now that systemd starts the process with dedicated user we do no longer want to downgrade privileges. Also remove CAP_SETGID and CAP_SETUID from granted privileges. Signed-off-by: Christian Hesse --- distro/systemd/openvpn-cli...@.service.in

[Openvpn-devel] [RFC 3/3] systemd: create configuration directories from tmpfiles

2018-04-01 Thread Christian Hesse
From: Christian Hesse We have a dedicated user created by systemd-sysusers, so create configuration directories from systemd-tmpfiles for proper permissions. This mitigates a race condition at packaging/install time. Signed-off-by: Christian Hesse ---

[Openvpn-devel] [RFC 0/3] follow-up netlink support, systemd integration

2018-04-01 Thread Christian Hesse
This series is a follow-up to 'add netlink support for Linux' by Antonio Quartulli. It enhances integration with systemd and improves system security by running the openvpn process with a dedicated user. Christian Hesse (3): systemd: run openvpn with dedicated user systemd: do not downgrade