[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: flichtenheld, its_Giaan. cron2 has posted comments on this change by its_Giaan. ( http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email ) Change subject: multipeer: introduce asymmetric peer-id .. Patch Set 9: -Code-Review -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0a13ee90b6706acf20eabcee3bab3f2dff639bf9 Gerrit-Change-Number: 1089 Gerrit-PatchSet: 9 Gerrit-Owner: its_Giaan Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: its_Giaan Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Wed, 10 Dec 2025 09:45:54 + Gerrit-HasComments: No Gerrit-Has-Labels: Yes ___ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: cron2, flichtenheld, its_Giaan.
plaisthos has posted comments on this change by its_Giaan. ( http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email )
Change subject: multipeer: introduce asymmetric peer-id
Patch Set 9: Code-Review+2
(1 comment)
Patchset:
PS9:
I accidentally pushed a rebased version to this PR.
Gerrit-Comment-Date: Tue, 09 Dec 2025 14:05:11 +
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: cron2, flichtenheld, its_Giaan.
plaisthos has posted comments on this change by its_Giaan. ( http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email )
Change subject: multipeer: introduce asymmetric peer-id
Patch Set 8:
(1 comment)
Patchset:
PS2:
> This is to potentially allow two openvpn p2mp instances like two server talk
> to each other directly
This is more 2.8 stuff but having this in 2.7 would not hurt and potentially have a bigger compatibility for the multipeer scenarios.
Gerrit-Comment-Date: Tue, 02 Dec 2025 17:05:11 +
Comment-In-Reply-To: plaisthos
Comment-In-Reply-To: cron2
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: cron2, flichtenheld, its_Giaan.
plaisthos has posted comments on this change by its_Giaan. ( http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email )
Change subject: multipeer: introduce asymmetric peer-id
Patch Set 8: Code-Review+2
Gerrit-Comment-Date: Tue, 02 Dec 2025 17:05:15 +
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: cron2, flichtenheld, its_Giaan.
plaisthos has posted comments on this change by its_Giaan. ( http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email )
Change subject: multipeer: introduce asymmetric peer-id
Patch Set 8: Code-Review-2
(1 comment)
Patchset:
PS2:
> Before this can proceed anywhere, I need a clear description of the goals and
> timeline - "is this fo […]
This is to potentially allow two openvpn p2mp instances like two server talk to each other directly
Gerrit-Comment-Date: Tue, 02 Dec 2025 17:03:54 +
Comment-In-Reply-To: cron2
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: cron2, flichtenheld, its_Giaan.
Hello cron2, flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email
to look at the new patch set (#8).
Change subject: multipeer: introduce asymmetric peer-id
..
multipeer: introduce asymmetric peer-id
In order to achieve a multipeer functionality, peers now
use separate IDs for sending (tx_peer_id) and receiving
(rx_peer_id).
Each peer announces its own ID through pushing peer-info
using 'ID=7f1' hex format so identification can still
happen even if IP/port changes.
In P2P mode, peers switch to using the announced IDs after
mutual exchange.
In P2MP mode, clients always announce their ID, and servers
can optionally respond with their own to enable the same
behavior.
Change-Id: I0a13ee90b6706acf20eabcee3bab3f2dff639bf9
Signed-off-by: Gianmarco De Gregori
---
M src/openvpn/dco.c
M src/openvpn/init.c
M src/openvpn/misc.c
M src/openvpn/multi.c
M src/openvpn/options.c
M src/openvpn/push.c
M src/openvpn/push_util.c
M src/openvpn/ssl.c
M src/openvpn/ssl_common.h
M src/openvpn/ssl_ncp.c
M src/openvpn/ssl_util.c
M src/openvpn/ssl_util.h
12 files changed, 190 insertions(+), 43 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/89/1089/8
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 7abdad3..41450be 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -515,14 +515,15 @@
c->c2.tls_multi->dco_peer_id = -1;
}
#endif
-int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id, sock->sd, NULL,
- proto_is_dgram(sock->info.proto) ? remoteaddr :
NULL, NULL, NULL);
+int ret = dco_new_peer(&c->c1.tuntap->dco, multi->rx_peer_id, sock->sd,
NULL,
+ proto_is_dgram(sock->info.proto) ? remoteaddr :
NULL,
+ NULL, NULL);
if (ret < 0)
{
return ret;
}
-c->c2.tls_multi->dco_peer_id = multi->peer_id;
+c->c2.tls_multi->dco_peer_id = multi->rx_peer_id;
return 0;
}
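Review bot: dco_peer_id is reset to -1 at the top of this hunk and is then loaded from multi->rx_peer_id, which the init.c part of this patch prints with %u, so a signed field is being filled from an unsigned one. Please make sure rx_peer_id can never still hold the MAX_PEER_ID "unset" value when dco_new_peer() is called, or check for it explicitly before the call and return an error.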
@@ -597,7 +598,7 @@
{
struct context *c = &mi->context;
-int peer_id = c->c2.tls_multi->peer_id;
+int peer_id = c->c2.tls_multi->rx_peer_id;
struct sockaddr *remoteaddr, *localaddr = NULL;
struct sockaddr_storage local = { 0 };
const socket_descriptor_t sd = c->c2.link_sockets[0]->sd;
@@ -676,8 +677,7 @@
if (addrtype == MR_ADDR_IPV6)
{
#if defined(_WIN32)
-dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr,
addr->netbits,
-c->c2.tls_multi->peer_id);
+dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr,
addr->netbits, c->c2.tls_multi->rx_peer_id);
#else
const struct in6_addr *gateway =
&mi->context.c2.push_ifconfig_ipv6_local;
if (addr->type & MR_ONLINK_DCO_ADDR)
@@ -693,8 +693,7 @@
else if (addrtype == MR_ADDR_IPV4)
{
#if defined(_WIN32)
-dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr,
addr->netbits,
-c->c2.tls_multi->peer_id);
+dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr,
addr->netbits, c->c2.tls_multi->rx_peer_id);
#else
in_addr_t dest = htonl(addr->v4.addr);
const in_addr_t *gateway = &mi->context.c2.push_ifconfig_local;
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index fc079e1..a6f43d4 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2199,7 +2199,7 @@
if (o->use_peer_id)
{
-buf_printf(&out, ", peer-id: %d", o->peer_id);
+buf_printf(&out, ", rx-peer-id: %u, tx-peer-id: %u",
c->c2.tls_multi->rx_peer_id, c->c2.tls_multi->tx_peer_id);
}
#ifdef USE_COMP
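Review bot: the guard is still o->use_peer_id, but the values printed now come from c->c2.tls_multi instead of o. If this code can be reached while c->c2.tls_multi is NULL, the new buf_printf() dereferences a null pointer; either add c->c2.tls_multi to the condition or leave a comment saying why it is always set when use_peer_id is true.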
@@ -2678,7 +2678,12 @@
{
msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set");
c->c2.tls_multi->use_peer_id = true;
-c->c2.tls_multi->peer_id = c->options.peer_id;
+c->c2.tls_multi->tx_peer_id = c->options.peer_id;
+if (!c->c2.tls_multi->use_asymmetric_peer_id)
+{
+c->c2.tls_multi->rx_peer_id = c->options.peer_id;
+c->c2.tls_multi->tx_peer_id = c->options.peer_id;
+}
}
/* process (potentially) pushed options */
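Review bot: tx_peer_id is assigned c->options.peer_id unconditionally and then assigned the same value a second time inside the !use_asymmetric_peer_id block, so the inner tx_peer_id line has no effect. Drop it and keep only the rx_peer_id assignment inside the block, which also makes the difference between the two modes visible at a glance.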
@@ -3455,6 +3460,10 @@
if (c->c2.tls_multi)
{
tls_multi_init_finalize(c->c2.tls_multi, c->options.ce.tls_mtu);
+if (c->c2.tls_multi->rx_peer_id != MAX_PEER_ID)
+{
+c->options.use_peer_id = true;
+}
ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <=
c->c2.frame.buf.payload_size);
frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO, "Control Channel
MTU parms");
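Review bot: the added block changes c->options.use_peer_id as a side effect of finalizing the TLS state, which is easy to miss when reading the options code. Please add a one-line comment above the if explaining why an rx_peer_id other than MAX_PEER_ID must switch use_peer_id on at this point.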
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 188f44e..061c573 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -761,14 +761,15 @@
{
chomp(line);
if (validate_peer_info_
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: cron2, flichtenheld, its_Giaan.
plaisthos has posted comments on this change by its_Giaan. ( http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email )
Change subject: multipeer: introduce asymmetric peer-id
Patch Set 7: Code-Review-2
(1 comment)
Patchset:
PS7:
So this seems to not work correctly in P2P mode.
peer a:
openvpn --port 1195 --tls-server --ifconfig 10.173.0.1 255.255.255.0 --topology subnet --topology subnet --cert ~/nemesis.pem --key ~/nemesis.pem --dev tun --verb 4 --tun-mtu 1400 --config ~/fp --disable-dco
peer b:
openvpn --verb 4 --dev tun --remote nemesis.fritz.box 1195 --config ~/ovpn/confs/fp --tls-client --cert ~/ovpn/confs/styx-ed25519.pem --key ~/ovpn/confs/styx-ed25519.pem --disable-dco --ifconfig 10.173.0.2 255.255.255.0
The fp config just has the fingerprints in it.
And the negotiated peer ids just don't make sense. It should be just the same ids with rx and tx swapped but this is not really that.
2025-11-10 15:48:41 us=782130 Data Channel: cipher 'AES-256-GCM', rx_peer-id: 7762030, tx_peer-id: 5695615
2025-11-10 14:48:41 us=533055 Data Channel: cipher 'AES-256-GCM', rx_peer-id: 7762030, tx_peer-id: 14459670
Also it seems to *always* use 7762030 in my tests.
Gerrit-Comment-Date: Mon, 10 Nov 2025 14:49:46 +
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: cron2, flichtenheld, plaisthos.
Hello cron2, flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email
to look at the new patch set (#7).
Change subject: multipeer: introduce asymmetric peer-id
..
multipeer: introduce asymmetric peer-id
In order to achieve a multipeer functionality, peers now
use separate IDs for sending (tx_peer_id) and receiving
(rx_peer_id).
Each peer announces its own ID through pushing peer-info
using 'ID=7f1' hex format so identification can still
happen even if IP/port changes.
In P2P mode, peers switch to using the announced IDs after
mutual exchange.
In P2MP mode, clients always announce their ID, and servers
can optionally respond with their own to enable the same
behavior.
Change-Id: I0a13ee90b6706acf20eabcee3bab3f2dff639bf9
Signed-off-by: Gianmarco De Gregori
---
M src/openvpn/dco.c
M src/openvpn/init.c
M src/openvpn/misc.c
M src/openvpn/multi.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/push.c
M src/openvpn/push_util.c
M src/openvpn/ssl.c
M src/openvpn/ssl_common.h
M src/openvpn/ssl_ncp.c
M src/openvpn/ssl_util.c
M src/openvpn/ssl_util.h
M tests/unit_tests/openvpn/test_crypto.c
14 files changed, 190 insertions(+), 47 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/89/1089/7
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 7abdad3..41450be 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -515,14 +515,15 @@
c->c2.tls_multi->dco_peer_id = -1;
}
#endif
-int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id, sock->sd, NULL,
- proto_is_dgram(sock->info.proto) ? remoteaddr :
NULL, NULL, NULL);
+int ret = dco_new_peer(&c->c1.tuntap->dco, multi->rx_peer_id, sock->sd,
NULL,
+ proto_is_dgram(sock->info.proto) ? remoteaddr :
NULL,
+ NULL, NULL);
if (ret < 0)
{
return ret;
}
-c->c2.tls_multi->dco_peer_id = multi->peer_id;
+c->c2.tls_multi->dco_peer_id = multi->rx_peer_id;
return 0;
}
@@ -597,7 +598,7 @@
{
struct context *c = &mi->context;
-int peer_id = c->c2.tls_multi->peer_id;
+int peer_id = c->c2.tls_multi->rx_peer_id;
struct sockaddr *remoteaddr, *localaddr = NULL;
struct sockaddr_storage local = { 0 };
const socket_descriptor_t sd = c->c2.link_sockets[0]->sd;
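Review bot: the local peer_id stays a plain int while its source changes to rx_peer_id, which this patch prints with %u in init.c. Declaring the local with the same unsigned type as the field, or asserting that the value is below MAX_PEER_ID before it is used, avoids an implicit signed conversion of the ID in the rest of this function.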
@@ -676,8 +677,7 @@
if (addrtype == MR_ADDR_IPV6)
{
#if defined(_WIN32)
-dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr,
addr->netbits,
-c->c2.tls_multi->peer_id);
+dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr,
addr->netbits, c->c2.tls_multi->rx_peer_id);
#else
const struct in6_addr *gateway =
&mi->context.c2.push_ifconfig_ipv6_local;
if (addr->type & MR_ONLINK_DCO_ADDR)
@@ -693,8 +693,7 @@
else if (addrtype == MR_ADDR_IPV4)
{
#if defined(_WIN32)
-dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr,
addr->netbits,
-c->c2.tls_multi->peer_id);
+dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr,
addr->netbits, c->c2.tls_multi->rx_peer_id);
#else
in_addr_t dest = htonl(addr->v4.addr);
const in_addr_t *gateway = &mi->context.c2.push_ifconfig_local;
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 8d95d5c..18cc770 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2199,7 +2199,7 @@
if (o->use_peer_id)
{
-buf_printf(&out, ", peer-id: %d", o->peer_id);
+buf_printf(&out, ", rx_peer-id: %u, tx_peer-id: %u",
c->c2.tls_multi->rx_peer_id, c->c2.tls_multi->tx_peer_id);
}
#ifdef USE_COMP
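Review bot: the new labels rx_peer-id and tx_peer-id mix an underscore and a hyphen, while the line they replace used peer-id. This string ends up in the Data Channel log line that people search for, so pick one spelling, for example rx-peer-id and tx-peer-id.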
@@ -2678,7 +2678,12 @@
{
msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set");
c->c2.tls_multi->use_peer_id = true;
-c->c2.tls_multi->peer_id = c->options.peer_id;
+c->c2.tls_multi->tx_peer_id = c->options.rx_peer_id;
+if (!c->c2.tls_multi->use_asymmetric_peer_id)
+{
+c->c2.tls_multi->rx_peer_id = c->options.rx_peer_id;
+c->c2.tls_multi->tx_peer_id = c->options.rx_peer_id;
+}
}
/* process (potentially) pushed options */
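Review bot: tx_peer_id is loaded from a field named c->options.rx_peer_id, so the right-hand side reads as the opposite of what the assignment does. The surrounding message says this is the pushed peer-id ("OPTIONS IMPORT: peer-id set"), so either keep the options field named peer_id or add a comment stating from whose point of view the option is "rx".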
@@ -2705,7 +2710,7 @@
/* Ensure that for epoch data format is only enabled if also data v2
* is enabled */
bool epoch_data = c->options.imported_protocol_flags &
CO_EPOCH_DATA_KEY_FORMAT;
-bool datav2_enabled = c->options.use_peer_id && c->options.peer_id <
MAX_PEER_ID;
+bool datav2_enabled = c->options.use_peer_id && c->options.rx_peer_id <
MAX_PEER_ID;
if (epoch_data && !datav2_enabled)
{
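Review bot: datav2_enabled is now derived from c->options.rx_peer_id, while the IDs actually in use live in c->c2.tls_multi (see the -2678 hunk above). With asymmetric IDs the two can differ, so please say in the comment which ID this check is meant to cover, or test the tls_multi value instead.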
@@ -3454,6 +3459,10 @@
if (c->c2.tls_multi)
{
tls_multi_init_finalize(c->c2.tls_multi, c->options.ce.tls_mtu);
+if (c->c2.tls
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: cron2, flichtenheld, plaisthos.
Hello cron2, flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email
to look at the new patch set (#6).
Change subject: multipeer: introduce asymmetric peer-id
..
multipeer: introduce asymmetric peer-id
In order to achieve a multipeer functionality, peers now
use separate IDs for sending (tx_peer_id) and receiving
(rx_peer_id).
Each peer announces its own ID through pushing peer-info
using 'ID=7f1' hex format so identification can still
happen even if IP/port changes.
In P2P mode, peers switch to using the announced IDs after
mutual exchange.
In P2MP mode, clients always announce their ID, and servers
can optionally respond with their own to enable the same
behavior.
Change-Id: I0a13ee90b6706acf20eabcee3bab3f2dff639bf9
Signed-off-by: Gianmarco De Gregori
---
M src/openvpn/dco.c
M src/openvpn/init.c
M src/openvpn/misc.c
M src/openvpn/multi.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/push.c
M src/openvpn/push_util.c
M src/openvpn/ssl.c
M src/openvpn/ssl_common.h
M src/openvpn/ssl_ncp.c
M src/openvpn/ssl_util.c
M src/openvpn/ssl_util.h
M tests/unit_tests/openvpn/test_crypto.c
14 files changed, 189 insertions(+), 47 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/89/1089/6
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 7abdad3..41450be 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -515,14 +515,15 @@
c->c2.tls_multi->dco_peer_id = -1;
}
#endif
-int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id, sock->sd, NULL,
- proto_is_dgram(sock->info.proto) ? remoteaddr :
NULL, NULL, NULL);
+int ret = dco_new_peer(&c->c1.tuntap->dco, multi->rx_peer_id, sock->sd,
NULL,
+ proto_is_dgram(sock->info.proto) ? remoteaddr :
NULL,
+ NULL, NULL);
if (ret < 0)
{
return ret;
}
-c->c2.tls_multi->dco_peer_id = multi->peer_id;
+c->c2.tls_multi->dco_peer_id = multi->rx_peer_id;
return 0;
}
@@ -597,7 +598,7 @@
{
struct context *c = &mi->context;
-int peer_id = c->c2.tls_multi->peer_id;
+int peer_id = c->c2.tls_multi->rx_peer_id;
struct sockaddr *remoteaddr, *localaddr = NULL;
struct sockaddr_storage local = { 0 };
const socket_descriptor_t sd = c->c2.link_sockets[0]->sd;
@@ -676,8 +677,7 @@
if (addrtype == MR_ADDR_IPV6)
{
#if defined(_WIN32)
-dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr,
addr->netbits,
-c->c2.tls_multi->peer_id);
+dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr,
addr->netbits, c->c2.tls_multi->rx_peer_id);
#else
const struct in6_addr *gateway =
&mi->context.c2.push_ifconfig_ipv6_local;
if (addr->type & MR_ONLINK_DCO_ADDR)
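Review bot: the Windows iroute call is now keyed on c->c2.tls_multi->rx_peer_id, while the -515 hunk in this file records the ID the DCO peer was created with in c->c2.tls_multi->dco_peer_id. Passing dco_peer_id here, and in the IPv4 branch below, would tie the route to the peer that was registered with the driver rather than to a field that other code paths also write.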
@@ -693,8 +693,7 @@
else if (addrtype == MR_ADDR_IPV4)
{
#if defined(_WIN32)
-dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr,
addr->netbits,
-c->c2.tls_multi->peer_id);
+dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr,
addr->netbits, c->c2.tls_multi->rx_peer_id);
#else
in_addr_t dest = htonl(addr->v4.addr);
const in_addr_t *gateway = &mi->context.c2.push_ifconfig_local;
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 8d95d5c..18cc770 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2199,7 +2199,7 @@
if (o->use_peer_id)
{
-buf_printf(&out, ", peer-id: %d", o->peer_id);
+buf_printf(&out, ", rx_peer-id: %u, tx_peer-id: %u",
c->c2.tls_multi->rx_peer_id, c->c2.tls_multi->tx_peer_id);
}
#ifdef USE_COMP
@@ -2678,7 +2678,12 @@
{
msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set");
c->c2.tls_multi->use_peer_id = true;
-c->c2.tls_multi->peer_id = c->options.peer_id;
+c->c2.tls_multi->tx_peer_id = c->options.rx_peer_id;
+if (!c->c2.tls_multi->use_asymmetric_peer_id)
+{
+c->c2.tls_multi->rx_peer_id = c->options.rx_peer_id;
+c->c2.tls_multi->tx_peer_id = c->options.rx_peer_id;
+}
}
/* process (potentially) pushed options */
@@ -2705,7 +2710,7 @@
/* Ensure that for epoch data format is only enabled if also data v2
* is enabled */
bool epoch_data = c->options.imported_protocol_flags &
CO_EPOCH_DATA_KEY_FORMAT;
-bool datav2_enabled = c->options.use_peer_id && c->options.peer_id <
MAX_PEER_ID;
+bool datav2_enabled = c->options.use_peer_id && c->options.rx_peer_id <
MAX_PEER_ID;
if (epoch_data && !datav2_enabled)
{
@@ -3454,6 +3459,10 @@
if (c->c2.tls_multi)
{
tls_multi_init_finalize(c->c2.tls_multi, c->options.ce.tls_mtu);
+if (c->c2.tls
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: cron2, flichtenheld, plaisthos.
its_Giaan has posted comments on this change by its_Giaan. ( http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email )
Change subject: multipeer: introduce asymmetric peer-id
Patch Set 5:
(8 comments)
Patchset:
PS4:
> The part that picks the "peer-id" pushed and parsed options. […]
Done
File src/openvpn/ssl.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/483a5681_27b0022b?usp=email :
PS4, Line 1179: ret->rx_peer_id = MAX_PEER_ID;
> Add comment here that we also use the rx peer id to identify DCO clients as
> this has become now a im […]
Done
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/d7cabc51_e6990ae0?usp=email :
PS4, Line 1982: }
> This is still not guarded by DCO capability. […]
Done
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/c0fec251_e0eada21?usp=email :
PS4, Line 2165: if (multi->rx_peer_id == MAX_PEER_ID && session->opt->mode != MODE_SERVER)
> This feel be a very hacky place to set the multi rx peer id. […]
I moved this into tls_multi_init_finalize(), hope that's fine.
File src/openvpn/ssl_ncp.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/74331eed_c592a014?usp=email :
PS4, Line 425: if (tx_peer_id)
> This also need to take DCO capability into account.
Done
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/c5e954b4_8a6a0a93?usp=email :
PS4, Line 450: if (multi->use_peer_id)
> I think this parts needs to be skipped if we are using/negotiated asymmetric
> peer-id as it would ove […]
Done
File src/openvpn/ssl_util.h:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/be89150e_3068de2f?usp=email :
PS4, Line 56: uint32_t extract_asymmetric_peer_id(const char *peer_info);
> Add doxygen please
Done
File src/openvpn/ssl_util.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/c1989b67_8f07aa92?usp=email :
PS4, Line 90: return 0;
> 0 is a valid peer id. […]
Done
Gerrit-Comment-Date: Mon, 27 Oct 2025 13:47:02 +
Comment-In-Reply-To: plaisthos
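The 'ID=7f1' announcement from the commit message, together with the review points in this thread that 0 is a valid peer ID and that P2P IDs should be the same pair with rx and tx swapped, as an added example in C. It is not the patch's or OpenVPN's code: the ex_/EX_ names, the 24-bit sentinel value and the newline-separated KEY=value peer-info layout are assumptions.

```c
/* Added example, not OpenVPN source. All ex_/EX_ names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: IDs are 24 bits wide and the all-ones value means "no ID",
 * the role MAX_PEER_ID plays in the patch. */
#define EX_PEER_ID_UNSET 0xFFFFFFu

/*
 * Find a line "ID=<hex>" in a newline-separated peer-info string
 * (assumed layout: one KEY=value pair per line).
 * Returns the ID, or EX_PEER_ID_UNSET if the key is missing or malformed.
 * 0 is returned only when the peer really announced ID=0.
 */
uint32_t ex_extract_peer_id(const char *peer_info)
{
    const char *line = peer_info;

    while (line && *line)
    {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        /* Match the key at the start of a line only, so "UV_ID=..." is skipped. */
        if (len >= 3 && strncmp(line, "ID=", 3) == 0)
        {
            char val[7];
            size_t vlen = len - 3;

            /* 1..6 hex digits; strtoul alone would also accept "0x", "+", " ". */
            if (vlen == 0 || vlen > 6)
            {
                return EX_PEER_ID_UNSET;
            }
            memcpy(val, line + 3, vlen);
            val[vlen] = '\0';
            if (strspn(val, "0123456789abcdefABCDEF") != vlen)
            {
                return EX_PEER_ID_UNSET;
            }
            /* "ffffff" parses to the sentinel itself and so reads as unset. */
            return (uint32_t)strtoul(val, NULL, 16);
        }
        line = eol ? eol + 1 : NULL;
    }
    return EX_PEER_ID_UNSET;
}

/* P2P expectation stated in the review: each side sends with the ID the
 * other side receives on, so the two pairs must be mirror images. */
bool ex_ids_mirrored(uint32_t a_rx, uint32_t a_tx, uint32_t b_rx, uint32_t b_tx)
{
    return a_rx != EX_PEER_ID_UNSET && b_rx != EX_PEER_ID_UNSET
           && a_tx == b_rx && b_tx == a_rx;
}

int main(void)
{
    /* Constructed peer-info sample. */
    const char *info = "IV_VER=2.7\nID=7f1\nIV_PROTO=990\n";

    printf("announced ID: 0x%x\n", (unsigned)ex_extract_peer_id(info));
    printf("ID=0 is kept as: %u\n", (unsigned)ex_extract_peer_id("ID=0\n"));
    printf("no ID line gives: 0x%x\n", (unsigned)ex_extract_peer_id("IV_VER=2.7\n"));

    /* rx/tx values taken from the two log lines quoted in the PS7 review. */
    printf("PS7 log pairs mirrored: %d\n",
           ex_ids_mirrored(7762030, 5695615, 7762030, 14459670));
    return 0;
}
```
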
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: cron2, flichtenheld, its_Giaan.
Hello cron2, flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email
to look at the new patch set (#5).
Change subject: multipeer: introduce asymmetric peer-id
..
multipeer: introduce asymmetric peer-id
In order to achieve a multipeer functionality, peers now
use separate IDs for sending (tx_peer_id) and receiving
(rx_peer_id).
Each peer announces its own ID through pushing peer-info
using 'ID=7f1' hex format so identification can still
happen even if IP/port changes.
In P2P mode, peers switch to using the announced IDs after
mutual exchange.
In P2MP mode, clients always announce their ID, and servers
can optionally respond with their own to enable the same
behavior.
Change-Id: I0a13ee90b6706acf20eabcee3bab3f2dff639bf9
Signed-off-by: Gianmarco De Gregori
---
M src/openvpn/dco.c
M src/openvpn/init.c
M src/openvpn/misc.c
M src/openvpn/multi.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/push.c
M src/openvpn/push_util.c
M src/openvpn/ssl.c
M src/openvpn/ssl_common.h
M src/openvpn/ssl_ncp.c
M src/openvpn/ssl_util.c
M src/openvpn/ssl_util.h
M tests/unit_tests/openvpn/test_crypto.c
14 files changed, 189 insertions(+), 47 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/89/1089/5
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 8fb4662..af1b599 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -515,14 +515,15 @@
c->c2.tls_multi->dco_peer_id = -1;
}
#endif
-int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id, sock->sd, NULL,
- proto_is_dgram(sock->info.proto) ? remoteaddr :
NULL, NULL, NULL);
+int ret = dco_new_peer(&c->c1.tuntap->dco, multi->rx_peer_id, sock->sd,
NULL,
+ proto_is_dgram(sock->info.proto) ? remoteaddr :
NULL,
+ NULL, NULL);
if (ret < 0)
{
return ret;
}
-c->c2.tls_multi->dco_peer_id = multi->peer_id;
+c->c2.tls_multi->dco_peer_id = multi->rx_peer_id;
return 0;
}
@@ -597,7 +598,7 @@
{
struct context *c = &mi->context;
-int peer_id = c->c2.tls_multi->peer_id;
+int peer_id = c->c2.tls_multi->rx_peer_id;
struct sockaddr *remoteaddr, *localaddr = NULL;
struct sockaddr_storage local = { 0 };
const socket_descriptor_t sd = c->c2.link_sockets[0]->sd;
@@ -668,8 +669,7 @@
if (addrtype == MR_ADDR_IPV6)
{
#if defined(_WIN32)
-dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr,
addr->netbits,
-c->c2.tls_multi->peer_id);
+dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr,
addr->netbits, c->c2.tls_multi->rx_peer_id);
#else
net_route_v6_add(&m->top.net_ctx, &addr->v6.addr, addr->netbits,
&mi->context.c2.push_ifconfig_ipv6_local,
c->c1.tuntap->actual_name, 0,
@@ -679,8 +679,7 @@
else if (addrtype == MR_ADDR_IPV4)
{
#if defined(_WIN32)
-dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr,
addr->netbits,
-c->c2.tls_multi->peer_id);
+dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr,
addr->netbits, c->c2.tls_multi->rx_peer_id);
#else
in_addr_t dest = htonl(addr->v4.addr);
net_route_v4_add(&m->top.net_ctx, &dest, addr->netbits,
&mi->context.c2.push_ifconfig_local,
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index aa2611d..8a148c6 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2223,7 +2223,7 @@
if (o->use_peer_id)
{
-buf_printf(&out, ", peer-id: %d", o->peer_id);
+buf_printf(&out, ", rx_peer-id: %u, tx_peer-id: %u",
c->c2.tls_multi->rx_peer_id, c->c2.tls_multi->tx_peer_id);
}
#ifdef USE_COMP
@@ -2702,7 +2702,12 @@
{
msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set");
c->c2.tls_multi->use_peer_id = true;
-c->c2.tls_multi->peer_id = c->options.peer_id;
+c->c2.tls_multi->tx_peer_id = c->options.rx_peer_id;
+if (!c->c2.tls_multi->use_asymmetric_peer_id)
+{
+c->c2.tls_multi->rx_peer_id = c->options.rx_peer_id;
+c->c2.tls_multi->tx_peer_id = c->options.rx_peer_id;
+}
}
/* process (potentially) pushed options */
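Review bot: when use_asymmetric_peer_id is set, this block only writes tx_peer_id and leaves rx_peer_id as it was, and nothing in the hunk says where rx_peer_id gets its value in that case. Please add a short comment above the if naming the place that sets it, so the import path can be read on its own.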
@@ -2729,7 +2734,7 @@
/* Ensure that for epoch data format is only enabled if also data v2
* is enabled */
bool epoch_data = c->options.imported_protocol_flags &
CO_EPOCH_DATA_KEY_FORMAT;
-bool datav2_enabled = c->options.use_peer_id && c->options.peer_id <
MAX_PEER_ID;
+bool datav2_enabled = c->options.use_peer_id && c->options.rx_peer_id <
MAX_PEER_ID;
if (epoch_data && !datav2_enabled)
{
@@ -3478,6 +3483,10 @@
if (c->c2.tls_multi)
{
tls_multi_init_
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: cron2, flichtenheld, plaisthos.
ordex has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email )
Change subject: multipeer: introduce asymmetric peer-id
Set Ready For Review
Gerrit-PatchSet: 3
Gerrit-Comment-Date: Mon, 29 Sep 2025 10:43:16 +
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: flichtenheld, plaisthos.
its_Giaan has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email )
Change subject: multipeer: introduce asymmetric peer-id
Patch Set 3:
(3 comments)
File src/openvpn/push.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/643315b6_ec74dded :
PS2, Line 657: tls_multi->rx_peer_id);
> Yes, but the idea of the protocol is: […]
Done
File src/openvpn/ssl_ncp.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/4e416967_34f098a3 :
PS2, Line 431: multi->tx_peer_id = 2033;
> yeah that was just for testing purposes, will fix this.
Done
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/110f46aa_7a264227 :
PS2, Line 474: multi->rx_peer_id = (peerid[0] << 16) + (peerid[1] << 8) + peerid[2];
> I missing the code that implements the asymmetric peer-id here completely is
> what I am saying. […]
Done
Gerrit-Comment-Date: Mon, 29 Sep 2025 09:37:04 +
Comment-In-Reply-To: plaisthos
Comment-In-Reply-To: its_Giaan
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: flichtenheld, its_Giaan.
Hello cron2, flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email
to look at the new patch set (#3).
Change subject: multipeer: introduce asymmetric peer-id
..
multipeer: introduce asymmetric peer-id
In order to achieve a multipeer functionality, peers now
use separate IDs for sending (tx_peer_id) and receiving
(rx_peer_id).
Each peer announces its own ID through pushing peer-info
using 'ID=7f1' hex format so identification can still
happen even if IP/port changes.
In P2P mode, peers switch to using the announced IDs after
mutual exchange.
In P2MP mode, clients always announce their ID, and servers
can optionally respond with their own to enable the same
behavior.
Change-Id: I0a13ee90b6706acf20eabcee3bab3f2dff639bf9
Signed-off-by: Gianmarco De Gregori
---
M src/openvpn/dco.c
M src/openvpn/init.c
M src/openvpn/misc.c
M src/openvpn/multi.c
M src/openvpn/push.c
M src/openvpn/push_util.c
M src/openvpn/ssl.c
M src/openvpn/ssl_common.h
M src/openvpn/ssl_ncp.c
M src/openvpn/ssl_util.c
M src/openvpn/ssl_util.h
11 files changed, 104 insertions(+), 41 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/89/1089/3
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 6afc680..eb600f0 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -514,14 +514,15 @@
c->c2.tls_multi->dco_peer_id = -1;
}
#endif
-int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id, sock->sd, NULL,
- proto_is_dgram(sock->info.proto) ? remoteaddr :
NULL, NULL, NULL);
+int ret = dco_new_peer(&c->c1.tuntap->dco, multi->rx_peer_id, sock->sd,
NULL,
+ proto_is_dgram(sock->info.proto) ? remoteaddr :
NULL,
+ NULL, NULL);
if (ret < 0)
{
return ret;
}
-c->c2.tls_multi->dco_peer_id = multi->peer_id;
+c->c2.tls_multi->dco_peer_id = multi->rx_peer_id;
return 0;
}
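Review bot: dco_peer_id is reset to -1 at the top of this hunk, yet the last `+` line stores rx_peer_id in it, and the init.c hunk of this patch prints rx_peer_id with %u. Mixing a signed sentinel with an unsigned ID invites a silent conversion; check the range before the assignment, or give both fields the same type and one shared "unset" value.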
@@ -596,7 +597,7 @@
{
struct context *c = &mi->context;
-int peer_id = c->c2.tls_multi->peer_id;
+int peer_id = c->c2.tls_multi->rx_peer_id;
struct sockaddr *remoteaddr, *localaddr = NULL;
struct sockaddr_storage local = { 0 };
const socket_descriptor_t sd = c->c2.link_sockets[0]->sd;
@@ -667,8 +668,7 @@
if (addrtype == MR_ADDR_IPV6)
{
#if defined(_WIN32)
-dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr,
addr->netbits,
-c->c2.tls_multi->peer_id);
+dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr,
addr->netbits, c->c2.tls_multi->rx_peer_id);
#else
net_route_v6_add(&m->top.net_ctx, &addr->v6.addr, addr->netbits,
&mi->context.c2.push_ifconfig_ipv6_local,
c->c1.tuntap->actual_name, 0,
@@ -678,8 +678,7 @@
else if (addrtype == MR_ADDR_IPV4)
{
#if defined(_WIN32)
-dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr,
addr->netbits,
-c->c2.tls_multi->peer_id);
+dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr,
addr->netbits, c->c2.tls_multi->rx_peer_id);
#else
in_addr_t dest = htonl(addr->v4.addr);
net_route_v4_add(&m->top.net_ctx, &dest, addr->netbits,
&mi->context.c2.push_ifconfig_local,
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index f8a0fee..fa841b9 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2223,7 +2223,7 @@
if (o->use_peer_id)
{
-buf_printf(&out, ", peer-id: %d", o->peer_id);
+buf_printf(&out, ", rx_peer-id: %u, tx_peer-id: %u",
c->c2.tls_multi->rx_peer_id, c->c2.tls_multi->tx_peer_id);
}
#ifdef USE_COMP
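Review bot: the condition still tests o->use_peer_id, but the `+` line now dereferences c->c2.tls_multi, so please confirm tls_multi cannot be NULL whenever this string is built, or add it to the condition. The labels rx_peer-id and tx_peer-id also mix underscore and hyphen; rx-peer-id and tx-peer-id would follow the old peer-id label.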
@@ -2702,7 +2702,7 @@
{
msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set");
c->c2.tls_multi->use_peer_id = true;
-c->c2.tls_multi->peer_id = c->options.peer_id;
+c->c2.tls_multi->tx_peer_id = c->options.peer_id;
}
/* process (potentially) pushed options */
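Review bot: only tx_peer_id is assigned from the pushed option on the `+` line, so rx_peer_id keeps its previous value. If a pushed peer-id is supposed to apply to both directions, set rx_peer_id here as well and say so in a comment.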
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index caf4725..91ab391 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -765,7 +765,8 @@
{
chomp(line);
if (validate_peer_info_line(line)
-&& (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0))
+&& (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0
+|| strncmp(line, "ID", 2) == 0))
{
msg(M_INFO, "peer info: %s", line);
env_set_add(es, line);
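Review bot: strncmp(line, "ID", 2) on the second `+` line accepts every key that merely begins with ID (a hypothetical IDLE= would pass), and each accepted line is logged and handed to env_set_add(). Compare against "ID=" with length 3 so that only the new key is let through.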
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 2863ff1..bc8cc7b 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -453,7 +453,7 @@
if (mi->context.c2.tls_multi && check_debug_level(D_DCO_DEBUG)
&& dco_enabled(&mi->context.options))
{
-
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: cron2, flichtenheld, its_Giaan.
plaisthos has posted comments on this change by its_Giaan. (
http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email )
Change subject: multipeer: introduce asymmetric peer-id
..
Patch Set 4: Code-Review-2
(8 comments)
Patchset:
PS4:
The part that picks the "peer-id" pushed and parsed options.c that sets peer-id
on receiving peer-id
if (found & OPT_P_PEER_ID)
{
msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set");
c->c2.tls_multi->use_peer_id = true;
c->c2.tls_multi->tx_peer_id = c->options.peer_id;
}
should probably also be adjusted to set both rx and tx as peer-id as pushed
option should set both.
File src/openvpn/ssl.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/7b89f526_1248648b?usp=email :
PS4, Line 1179: ret->rx_peer_id = MAX_PEER_ID;
Add comment here that we also use the rx peer id to identify DCO clients as
this has now become an important distinction.
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/18e30fd6_0e66350f?usp=email :
PS4, Line 1982: }
This is still not guarded by DCO capability. With the current version we still
always indicate to the peer that we are always asymmetric peer ID capable even
if the underlying DCO module is not able to use a different peer ID for TX.
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/3fb67b50_b42dfeaf?usp=email :
PS4, Line 2165: if (multi->rx_peer_id == MAX_PEER_ID && session->opt->mode != MODE_SERVER)
This feels like a very hacky place to set the multi rx peer id. I think there is a
better place to do that.
File src/openvpn/ssl_ncp.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/c5df3a60_53fab78f?usp=email :
PS4, Line 425: if (tx_peer_id)
This also needs to take DCO capability into account.
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/1a14b321_0b6cf1e1?usp=email :
PS4, Line 450: if (multi->use_peer_id)
I think this part needs to be skipped if we are using/negotiated asymmetric
peer-id as it would overwrite both rx and tx ids with the EKM generated ones.
Probably move the if (tx_peer_id) above and have this as else path with a
comment that asymmetric peer id trumps EKM
File src/openvpn/ssl_util.h:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/17f8e5bb_aeb5d80c?usp=email :
PS4, Line 56: uint32_t extract_asymmetric_peer_id(const char *peer_info);
Add doxygen please
File src/openvpn/ssl_util.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/aa5446c4_405e7c5e?usp=email :
PS4, Line 90: return 0;
0 is a valid peer id. So I would rather have -1 (and int32_t as return type) or
MAX_PEER_ID, MAX_UINT value or similar as not defined.
In fact the first client that typically connects to a p2mp server is assigned
value 0.
Gerrit-Comment-Date: Tue, 07 Oct 2025 15:50:10 +
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: flichtenheld, its_Giaan.
cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email )
Change subject: multipeer: introduce asymmetric peer-id
..
Patch Set 2: Code-Review-2
(1 comment)
Patchset:
PS2:
Before this can proceed anywhere, I need a clear description of the goals and timeline - "is this for 2.7? is this for some future thing? corp support?".
Gerrit-Comment-Date: Tue, 05 Aug 2025 12:26:47 +
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: flichtenheld, its_Giaan.
plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email )
Change subject: multipeer: introduce asymmetric peer-id
..
Patch Set 2:
(2 comments)
File src/openvpn/push.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/098ded6f_b8a7adfd :
PS2, Line 657: tls_multi->rx_peer_id);
> ok but what about the mapping? we're using the current peer-id assigned by
> the server as index to ke […]
Yes, but the idea of the protocol is:
- server pushes peer-id: client uses *same* peer-id for send and receive.
- server pushes nothing but has ID= in its own peer-info, client recognises that the peer is supporting asymmetric peer-id and uses the peer's ID for sending packets and expecting the ID it sent in peerinfo for incoming packets.
File src/openvpn/ssl_ncp.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/d2c5201c_e34ffb2d :
PS2, Line 474: multi->rx_peer_id = (peerid[0] << 16) + (peerid[1] << 8) + peerid[2];
> So you're saying we should keep the peer_id field and also the rx_peer_id and
> tx_peer_id but use the […]
I am missing the code that implements the asymmetric peer-id here completely, is what I am saying. Either the code to parse the ID=xyz of the peer is completely missing or I overlooked it.
Gerrit-Comment-Date: Tue, 05 Aug 2025 12:22:11 +
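The ID selection described in the review messages above (a pushed peer-id means one ID for both directions; nothing pushed but ID= in both peer-infos means asymmetric IDs; 0 is a valid ID, so "not announced" needs its own value), as an added C example that is not code from the patch or from OpenVPN. The names `ex_extract_peer_id`, `ex_select_ids` and `EX_PEER_ID_UNSET`, the 24-bit limit, and letting a pushed peer-id win when both are present are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: peer-ids are 24 bits wide (the thread assembles one from three
 * bytes), so the all-ones value can stand for "no ID announced". */
#define EX_PEER_ID_UNSET 0xFFFFFFu

struct ex_ids
{
    uint32_t tx;     /* ID we put on packets we send */
    uint32_t rx;     /* ID we expect on packets we receive */
    bool asymmetric; /* true if tx and rx come from the ID= exchange */
};

/* Parse 1..6 hex digits; anything else yields EX_PEER_ID_UNSET. */
static uint32_t ex_parse_hex24(const char *s, size_t len)
{
    if (len == 0 || len > 6)
    {
        return EX_PEER_ID_UNSET;
    }
    uint32_t v = 0;
    for (size_t i = 0; i < len; i++)
    {
        char ch = s[i];
        uint32_t d;
        if (ch >= '0' && ch <= '9') { d = (uint32_t)(ch - '0'); }
        else if (ch >= 'a' && ch <= 'f') { d = (uint32_t)(ch - 'a') + 10; }
        else if (ch >= 'A' && ch <= 'F') { d = (uint32_t)(ch - 'A') + 10; }
        else { return EX_PEER_ID_UNSET; }
        v = (v << 4) | d;
    }
    return v; /* "ffffff" equals the sentinel and is therefore rejected too */
}

/* Find a line that starts with exactly "ID=" in a newline-separated
 * peer-info block. Keys that only begin with "ID" do not match. */
uint32_t ex_extract_peer_id(const char *peer_info)
{
    if (peer_info == NULL)
    {
        return EX_PEER_ID_UNSET;
    }
    const char *line = peer_info;
    while (*line != '\0')
    {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > 3 && strncmp(line, "ID=", 3) == 0)
        {
            return ex_parse_hex24(line + 3, len - 3);
        }
        line += len;
        if (*line == '\n')
        {
            line++;
        }
    }
    return EX_PEER_ID_UNSET;
}

/* pushed:   peer-id from a pushed option, or EX_PEER_ID_UNSET if none.
 * local_id: ID announced in our own peer-info, or EX_PEER_ID_UNSET if we
 *           did not announce one (for instance because DCO cannot do it). */
struct ex_ids ex_select_ids(uint32_t pushed, uint32_t local_id,
                            const char *remote_peer_info)
{
    struct ex_ids r = { EX_PEER_ID_UNSET, EX_PEER_ID_UNSET, false };
    uint32_t remote_id = ex_extract_peer_id(remote_peer_info);

    if (pushed != EX_PEER_ID_UNSET)
    {
        /* pushed peer-id: same ID for send and receive */
        r.tx = pushed;
        r.rx = pushed;
    }
    else if (local_id != EX_PEER_ID_UNSET && remote_id != EX_PEER_ID_UNSET)
    {
        /* both sides announced ID=: send with theirs, receive on ours */
        r.tx = remote_id;
        r.rx = local_id;
        r.asymmetric = true;
    }
    return r;
}

int main(void)
{
    /* Constructed sample peer-info; note that the announced ID is 0. */
    const char *remote = "IV_VER=2.7\nIV_PLAT=linux\nID=0\n";
    struct ex_ids ids = ex_select_ids(EX_PEER_ID_UNSET, 0x7f1, remote);
    printf("tx=%x rx=%x asymmetric=%d\n",
           (unsigned)ids.tx, (unsigned)ids.rx, (int)ids.asymmetric);
    return 0;
}
```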
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: flichtenheld, plaisthos.
its_Giaan has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email )
Change subject: multipeer: introduce asymmetric peer-id
..
Patch Set 2:
(5 comments)
File src/openvpn/multi.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/d20f4c46_6ddf1dff :
PS2, Line 1816: uint32_t peer_id = extract_asymmetric_peer_id(peer_info);
> I am somehow missing the client side/p2p that does the same and also calls
> extract_asymmetric_peer_i […]
Acknowledged
File src/openvpn/push.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/dfe60a3c_ec0e72ed :
PS2, Line 657: tls_multi->rx_peer_id);
> This will instruct the client to use that peer-id on both send/receive. […]
ok but what about the mapping? we're using the current peer-id assigned by the server as index to keep track of the instances, should we implement a different kind of mapping? Of course on server side I will prepend to the buffer the tx_peer_id (if supported) along with the opcode but yeah the client will keep prepending the old one.
File src/openvpn/ssl.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/7a3b0954_5bc84265 :
PS2, Line 2043: buf_printf(&out, "ID=%x\n", peer_id);
> This need to be guarded by the actual DCO capability. […]
Acknowledged
File src/openvpn/ssl_ncp.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/1f01bfff_92f0595e :
PS2, Line 431: multi->tx_peer_id = 2033;
> Why the hardcoded 2033 here? Shouldn't be also 0x76706e; /* 'v' 'p' 'n' */ ?
yeah that was just for testing purposes, will fix this.
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/32efaf15_5871df14 :
PS2, Line 474: multi->rx_peer_id = (peerid[0] << 16) + (peerid[1] << 8) + peerid[2];
> Shouldn't there be code here
So you're saying we should keep the peer_id field and also the rx_peer_id and tx_peer_id but use them only if supported?
Gerrit-Comment-Date: Tue, 05 Aug 2025 07:56:28 +
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: flichtenheld, its_Giaan.
plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email )
Change subject: multipeer: introduce asymmetric peer-id
..
Patch Set 2: Code-Review-2
(6 comments)
Patchset:
PS2:
I think there are still some things that need to be fixed. See comments
File src/openvpn/multi.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/7be28da8_ce83b435 :
PS2, Line 1816: uint32_t peer_id = extract_asymmetric_peer_id(peer_info);
I am somehow missing the client side/p2p that does the same and also calls extract_asymmetric_peer_id to figure out what peer-id the server wants to use.
File src/openvpn/push.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/ad29de27_05d54fe8 :
PS2, Line 657: tls_multi->rx_peer_id);
This will instruct the client to use that peer-id on both send/receive. The idea was to *not* push peer-id in this scenario but rather have both sides see that if the other peer has ID= in their peerinfo then they both switch to asymmetric peer-id
File src/openvpn/ssl.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/231475b7_833b9982 :
PS2, Line 2043: buf_printf(&out, "ID=%x\n", peer_id);
This needs to be guarded by the actual DCO capability. We cannot announce this if the DCO module/implementation then cannot actually support asymmetric ID support.
File src/openvpn/ssl_ncp.c:
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/5800ddd8_05764f00 :
PS2, Line 431: multi->tx_peer_id = 2033;
Why the hardcoded 2033 here? Shouldn't be also 0x76706e; /* 'v' 'p' 'n' */ ?
http://gerrit.openvpn.net/c/openvpn/+/1089/comment/5a725408_1afd7517 :
PS2, Line 474: multi->rx_peer_id = (peerid[0] << 16) + (peerid[1] << 8) + peerid[2];
Shouldn't there be code here
Gerrit-Comment-Date: Thu, 17 Jul 2025 09:43:55 +
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: flichtenheld, its_Giaan, plaisthos.
Hello flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email
to look at the new patch set (#2).
The following approvals got outdated and were removed:
Code-Review-1 by flichtenheld
Change subject: multipeer: introduce asymmetric peer-id
..
multipeer: introduce asymmetric peer-id
In order to achieve a multipeer functionality, peers now
use separate IDs for sending (tx_peer_id) and receiving
(rx_peer_id).
Each peer announces its own ID through pushing peer-info
using 'ID=7f1' hex format so identification can still
happen even if IP/port changes.
In P2P mode, peers switch to using the announced IDs after
mutual exchange.
In P2MP mode, clients always announce their ID, and servers
can optionally respond with their own to enable the same
behavior.
Change-Id: I0a13ee90b6706acf20eabcee3bab3f2dff639bf9
Signed-off-by: Gianmarco De Gregori
---
M src/openvpn/dco.c
M src/openvpn/init.c
M src/openvpn/misc.c
M src/openvpn/multi.c
M src/openvpn/push.c
M src/openvpn/ssl.c
M src/openvpn/ssl_common.h
M src/openvpn/ssl_ncp.c
M src/openvpn/ssl_util.c
M src/openvpn/ssl_util.h
10 files changed, 64 insertions(+), 26 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/89/1089/2
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 98cbb72..3687f4a 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -513,7 +513,7 @@
c->c2.tls_multi->dco_peer_id = -1;
}
#endif
-int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id, sock->sd, NULL,
+int ret = dco_new_peer(&c->c1.tuntap->dco, multi->rx_peer_id, sock->sd,
NULL,
proto_is_dgram(sock->info.proto) ? remoteaddr :
NULL,
NULL, NULL);
if (ret < 0)
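Review bot: dco_new_peer() receives only rx_peer_id on the `+` line and nothing in this hunk gives the DCO module a tx ID, so it is not clear how offloaded packets would carry the ID the remote side expects. Either pass the tx ID down as well or document that asymmetric IDs are not negotiated when DCO is in use.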
@@ -521,7 +521,7 @@
return ret;
}
-c->c2.tls_multi->dco_peer_id = multi->peer_id;
+c->c2.tls_multi->dco_peer_id = multi->rx_peer_id;
return 0;
}
@@ -595,7 +595,7 @@
{
struct context *c = &mi->context;
-int peer_id = c->c2.tls_multi->peer_id;
+int peer_id = c->c2.tls_multi->rx_peer_id;
struct sockaddr *remoteaddr, *localaddr = NULL;
struct sockaddr_storage local = { 0 };
int sd = c->c2.link_sockets[0]->sd;
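Review bot: the local `int peer_id` is now initialised from rx_peer_id, which the init.c hunk of this patch prints with %u. Declare the local with the field's type, or add a short comment on why the conversion to int is safe for every value the field can hold.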
@@ -667,7 +667,7 @@
if (addrtype == MR_ADDR_IPV6)
{
#if defined(_WIN32)
-dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr,
addr->netbits, c->c2.tls_multi->peer_id);
+dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr,
addr->netbits, c->c2.tls_multi->rx_peer_id);
#else
net_route_v6_add(&m->top.net_ctx, &addr->v6.addr, addr->netbits,
&mi->context.c2.push_ifconfig_ipv6_local,
c->c1.tuntap->actual_name, 0,
@@ -677,7 +677,7 @@
else if (addrtype == MR_ADDR_IPV4)
{
#if defined(_WIN32)
-dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr,
addr->netbits, c->c2.tls_multi->peer_id);
+dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr,
addr->netbits, c->c2.tls_multi->rx_peer_id);
#else
in_addr_t dest = htonl(addr->v4.addr);
net_route_v4_add(&m->top.net_ctx, &dest, addr->netbits,
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 77747a2..543eaf9 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2328,7 +2328,7 @@
if (o->use_peer_id)
{
-buf_printf(&out, ", peer-id: %d", o->peer_id);
+buf_printf(&out, ", rx_peer-id: %u, tx_peer-id: %u",
c->c2.tls_multi->rx_peer_id, c->c2.tls_multi->tx_peer_id);
}
#ifdef USE_COMP
@@ -2778,7 +2778,7 @@
{
msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set");
c->c2.tls_multi->use_peer_id = true;
-c->c2.tls_multi->peer_id = c->options.peer_id;
+c->c2.tls_multi->tx_peer_id = c->options.peer_id;
}
/* process (potentially) pushed options */
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 4695700..122ca74 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -777,7 +777,8 @@
{
chomp(line);
if (validate_peer_info_line(line)
-&& (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0) )
+&& (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0
+|| strncmp(line, "ID", 2) == 0))
{
msg(M_INFO, "peer info: %s", line);
env_set_add(es, line);
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index a760e07..6987dc5 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -479,7 +479,7 @@
&& check_debug_level(D_DCO_DEBUG)
&& dco_enabled(&mi->context.options))
{
-buf_printf(&out, " peer-id=%d", mi->context.c2.tls_multi->peer_id);
+buf_printf(&out, " rx_peer-id=%d",
mi->context.c2.tls_multi->rx_peer_id);
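Review bot: rx_peer_id is formatted with %d on the `+` line while the init.c hunk in this patch uses %u for the same field. Use one specifier that matches the field's type in both places.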
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: its_Giaan, plaisthos.
flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email )
Change subject: multipeer: introduce asymmetric peer-id
..
Patch Set 1: Code-Review-1
(1 comment)
Patchset:
PS1:
doesn't build
Gerrit-Comment-Date: Thu, 17 Jul 2025 09:33:43 +
[Openvpn-devel] [M] Change in openvpn[master]: multipeer: introduce asymmetric peer-id
Attention is currently required from: flichtenheld, plaisthos.
Hello plaisthos, flichtenheld,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email
to review the following change.
Change subject: multipeer: introduce asymmetric peer-id
..
multipeer: introduce asymmetric peer-id
In order to achieve a multipeer functionality, peers now
use separate IDs for sending (tx_peer_id) and receiving
(rx_peer_id).
Each peer announces its own ID through pushing peer-info
using 'ID=7f1' hex format so identification can still
happen even if IP/port changes.
In P2P mode, peers switch to using the announced IDs after
mutual exchange.
In P2MP mode, clients always announce their ID, and servers
can optionally respond with their own to enable the same
behavior.
Change-Id: I0a13ee90b6706acf20eabcee3bab3f2dff639bf9
Signed-off-by: Gianmarco De Gregori
---
M src/openvpn/dco.c
M src/openvpn/init.c
M src/openvpn/misc.c
M src/openvpn/multi.c
M src/openvpn/push.c
M src/openvpn/ssl.c
M src/openvpn/ssl_common.h
M src/openvpn/ssl_ncp.c
M src/openvpn/ssl_util.c
M src/openvpn/ssl_util.h
M tests/unit_tests/openvpn/test_crypto.c
11 files changed, 65 insertions(+), 27 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/89/1089/1
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 98cbb72..3687f4a 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -513,7 +513,7 @@
c->c2.tls_multi->dco_peer_id = -1;
}
#endif
-int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id, sock->sd, NULL,
+int ret = dco_new_peer(&c->c1.tuntap->dco, multi->rx_peer_id, sock->sd,
NULL,
proto_is_dgram(sock->info.proto) ? remoteaddr :
NULL,
NULL, NULL);
if (ret < 0)
@@ -521,7 +521,7 @@
return ret;
}
-c->c2.tls_multi->dco_peer_id = multi->peer_id;
+c->c2.tls_multi->dco_peer_id = multi->rx_peer_id;
return 0;
}
@@ -595,7 +595,7 @@
{
struct context *c = &mi->context;
-int peer_id = c->c2.tls_multi->peer_id;
+int peer_id = c->c2.tls_multi->rx_peer_id;
struct sockaddr *remoteaddr, *localaddr = NULL;
struct sockaddr_storage local = { 0 };
int sd = c->c2.link_sockets[0]->sd;
@@ -667,7 +667,7 @@
if (addrtype == MR_ADDR_IPV6)
{
#if defined(_WIN32)
-dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr,
addr->netbits, c->c2.tls_multi->peer_id);
+dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr,
addr->netbits, c->c2.tls_multi->rx_peer_id);
#else
net_route_v6_add(&m->top.net_ctx, &addr->v6.addr, addr->netbits,
&mi->context.c2.push_ifconfig_ipv6_local,
c->c1.tuntap->actual_name, 0,
@@ -677,7 +677,7 @@
else if (addrtype == MR_ADDR_IPV4)
{
#if defined(_WIN32)
-dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr,
addr->netbits, c->c2.tls_multi->peer_id);
+dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr,
addr->netbits, c->c2.tls_multi->rx_peer_id);
#else
in_addr_t dest = htonl(addr->v4.addr);
net_route_v4_add(&m->top.net_ctx, &dest, addr->netbits,
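Review bot: the dco_win_add_iroute_ipv4() call now passes rx_peer_id, as does the IPv6 call in the hunk above, but no comment says that the rx ID is the one DCO knows the peer by. With two IDs per peer, a one-line comment at these call sites would keep a later change from passing tx_peer_id by mistake.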
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 77747a2..543eaf9 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2328,7 +2328,7 @@
if (o->use_peer_id)
{
-buf_printf(&out, ", peer-id: %d", o->peer_id);
+buf_printf(&out, ", rx_peer-id: %u, tx_peer-id: %u",
c->c2.tls_multi->rx_peer_id, c->c2.tls_multi->tx_peer_id);
}
#ifdef USE_COMP
@@ -2778,7 +2778,7 @@
{
msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set");
c->c2.tls_multi->use_peer_id = true;
-c->c2.tls_multi->peer_id = c->options.peer_id;
+c->c2.tls_multi->tx_peer_id = c->options.peer_id;
}
/* process (potentially) pushed options */
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 4695700..122ca74 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -777,7 +777,8 @@
{
chomp(line);
if (validate_peer_info_line(line)
-&& (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0) )
+&& (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0
+|| strncmp(line, "ID", 2) == 0))
{
msg(M_INFO, "peer info: %s", line);
env_set_add(es, line);
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index a760e07..6987dc5 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -479,7 +479,7 @@
&& check_debug_level(D_DCO_DEBUG)
&& dco_enabled(&mi->context.options))
{
-buf_printf(&out, " peer-id=%d", mi->context.c2.tls_multi->peer_id);
+buf_printf(&out, " rx_peer-id=%d",
mi->context.c2.tls_multi->rx_peer_id);
}
return BSTR(&out);
}
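Review bot: the debug string on the `+` line prints only rx_peer_id, while the init.c hunk of this patch prints both IDs. With asymmetric IDs the tx ID is the other half needed to debug a DCO peer, so print it here too.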
@@ -655,9 +655,9 @
