Re: [Openvpn-devel] [PATCH] bash->bourne script cleanup
On Monday 19 April 2010, David Sommerseth wrote:

> I've done a quick test on one of my connections on Fedora 12 without any
> resolvconf package (meaning it invokes the simple cp approach), and it
> worked like a charm.
>
> Applied to bugfix2.1 and merged into allmerged.
> Commit a9c9a89e96dc1e4e843e05ecadc4349b81606b06

Sorry, I just realized that I didn't change the sha-bang line in client.down.
Apologies. Fix attached.

--
D.

--- openvpn-2.1.1/contrib/pull-resolv-conf/client.down 2010-03-11 21:32:09.0 + +++ openvpn-2.1.1-a/contrib/pull-resolv-conf/client.down2010-04-19 22:33:53.0 +0100 @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh # Copyright (c) 2005-2009 OpenVPN Technologies, Inc. # Licensed under the GPL version 2
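Review bot: `-#!/bin/bash` / `+#!/bin/sh` means client.down now runs under whatever the host provides as /bin/sh, which is only correct if nothing else in client.down is bash-specific, and this hunk shows only the interpreter line. The merge test above was done on Fedora 12, where /bin/sh is bash and a leftover bashism would go unnoticed; running the whole script under dash (which the original submission says was also tested) is the check that actually exercises this change.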
Re: [Openvpn-devel] [PATCH] bash->bourne script cleanup
On 11/03/10 22:41, Davide Brini wrote:
> On Wednesday 10 March 2010, David Sommerseth wrote:
>
>>> Well, I was actually going to write a patch, but shortly after starting I
>>> found out that it would end up being essentially the same as Gentoo's
>>> scripts. Would it be worth separately maintaining something that has
>>> already been written somewhere else?
>>
>> I would say that if there are things which are distro related, they
>> should either be found only in that distribution or we can consider (if
>> it is considered important by more people) to put distro specific stuff
>> into a separate folder in the OpenVPN source tree.
>>
>> If it is possible to get some up/down scripts which are generic for the
>> vast majority of POSIX sh based distributions, that would be the
>> preferred approach. If not, then we are back to where we started :)
>
> Ok, here it goes (it's against 2.1.1). As said, it's basically a complete
> rewrite that draws many ideas from the Gentoo scripts. These are the main
> differences from the "old" client.{up,down} scripts:
>
> - No more bashisms (AFAICT). Should work with any POSIX-compatible shell
> (which means "almost all reasonably recent shells"), though I've only tested
> with bash and dash.
>
> - Unnecessary calls to external tools (sed) removed
>
> - Manages multiple DNS and DOMAIN options. Each DNS option becomes a
> "nameserver" line in the new resolv.conf (up to a maximum of 3). If there's a
> single DOMAIN option, it becomes a "domain" line in resolv.conf; otherwise,
> all the domains are listed in a "search" line in resolv.conf (eg "search
> foo.com example.net").
>
> - Client.up renames the existing resolv.conf and creates a brand new one;
> client.down restores it from the saved copy when the VPN terminates (the
> usual rules about running as root apply). This is how Gentoo does that; the
> old scripts instead added/removed some lines at the beginning of the file,
> which looks like a less clean approach to me. The rename approach also
> dramatically simplifies and shortens client.down, as you'll see.
>
> - Uses resolvconf if it's available (detected by the presence of
> /sbin/resolvconf) rather than writing to resolv.conf directly. Not sure
> whether this is a Linux-only thing or other systems use it though.
>
> A doubt I have is: should the script output its errors as it does now? If
> yes, is it possible to somehow send them to the main OpenVPN log so they
> appear among the other normal messages?
>
> Let me know what you think.

ACK!

I've done a quick test on one of my connections on Fedora 12 without any
resolvconf package (meaning it invokes the simple cp approach), and it
worked like a charm.

Applied to bugfix2.1 and merged into allmerged.
Commit a9c9a89e96dc1e4e843e05ecadc4349b81606b06

kind regards,

David Sommerseth
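The mapping Davide describes above (every DNS option becomes a nameserver line, capped at three; one DOMAIN becomes a "domain" line, several become one "search" line), as an added example that is not part of the thread or of the OpenVPN contrib scripts: a POSIX sh function that builds the would-be resolv.conf from the `foreign_option_N` variables and prints it, so the logic can be exercised without touching /etc/resolv.conf. The `is_ipv4` check on pushed DNS values is an addition the posted patch does not have, the header line is a fixed string instead of the script's `${0}`, and the inputs in the demo at the bottom are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example, not the OpenVPN contrib script: dry run of the
# foreign_option_N -> resolv.conf mapping discussed in the thread.
# build_resolv_conf prints the file client.up would write instead of
# writing /etc/resolv.conf. The IPv4 check is an addition not in the patch.

# Return 0 if $1 is a dotted quad with each octet in 0..255.
# The case patterns reject anything but digits and dots, empty octets,
# and runs of four or more digits (so the numeric test cannot overflow).
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.|*[0-9][0-9][0-9][0-9]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build resolv.conf from foreign_option_1, foreign_option_2, ... as OpenVPN
# exports them ("dhcp-option DNS 10.10.10.10", "dhcp-option DOMAIN example.com").
# $1 is the tun device name. Accepted DNS values become nameserver lines (at
# most three); one DOMAIN becomes "domain", several become one "search" line.
# Warnings go to stderr, the would-be file to stdout.
build_resolv_conf() {
    i=1
    dns=
    domains=
    ndoms=0
    nns=0
    nl='
'
    while true; do
        # Only the variable name is built from $i, a counter we control,
        # so eval never sees the pushed value itself.
        eval "fopt=\${foreign_option_${i}}"
        [ -z "$fopt" ] && break
        case $fopt in
            "dhcp-option DOMAIN "*)
                ndoms=$((ndoms + 1))
                domains="$domains ${fopt#dhcp-option DOMAIN }"
                ;;
            "dhcp-option DNS "*)
                addr="${fopt#dhcp-option DNS }"
                if ! is_ipv4 "$addr"; then
                    printf '%s\n' "Rejecting non-IPv4 DNS value \"$addr\"" >&2
                elif [ "$nns" -lt 3 ]; then
                    nns=$((nns + 1))
                    dns="${dns}${dns:+$nl}nameserver $addr"
                else
                    printf '%s\n' "Too many nameservers - ignoring $addr" >&2
                fi
                ;;
            *)
                printf '%s\n' "Unknown option \"$fopt\" - ignored" >&2
                ;;
        esac
        i=$((i + 1))
    done

    ds=domain
    if [ "$ndoms" -gt 1 ]; then
        ds=search
    fi
    printf '%s\n' "# resolv.conf autogenerated by openvpn client.up (${1:-tun0})"
    if [ -n "$dns" ]; then
        printf '%s\n' "$dns"
    fi
    if [ -n "$domains" ]; then
        # "$domains" already carries a leading space
        printf '%s\n' "${ds}${domains}"
    fi
    return 0
}

# Stand-alone demo with constructed inputs (not from a real server).
foreign_option_1="dhcp-option DNS 10.10.10.10"
foreign_option_2="dhcp-option DOMAIN example.com"
foreign_option_3="dhcp-option DOMAIN example.net"
build_resolv_conf tun0
```

Run it under dash as well as bash; the only shell features used are `eval` on a counter-built name, `case`, `$((...))` and `${var#pattern}`, which is what makes the patch's "any POSIX sh" claim testable.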
Re: [Openvpn-devel] [PATCH] Mention mssfix default value in the man page
On 19/04/10 11:19, Davide Brini wrote:
> On Sunday 18 Apr 2010 23:27:31 David Sommerseth wrote:
>
>> Added as commit 38025abb47f74363c3ee87ca7265e99a4055459e to bugfix2.1
>> and merged into allmerged.
>
> Thanks. Though I understand it's not critical, in case you didn't notice,
> there's also another pending patch I submitted more than one month ago now,
> about the removal of bashisms in the user-contributed scripts client.up and
> client.down (plus adding other functionalities):
>
> http://article.gmane.org/gmane.network.openvpn.devel/3343
>
> I'm reattaching it here, but see the original message for some
> discussion/explanation.

Aikes! I'm sorry for having failed to catch this one! I'm going to test it
out on one of my Fedora boxes within a couple of days. If it plays nicely,
I'll give it an ACK and will include it!

Anyway, it's now in my "queue box" :)

David S.
Re: [Openvpn-devel] [PATCH] Mention mssfix default value in the man page
On Sunday 18 Apr 2010 23:27:31 David Sommerseth wrote:

> Added as commit 38025abb47f74363c3ee87ca7265e99a4055459e to bugfix2.1
> and merged into allmerged.

Thanks. Though I understand it's not critical, in case you didn't notice,
there's also another pending patch I submitted more than one month ago now,
about the removal of bashisms in the user-contributed scripts client.up and
client.down (plus adding other functionalities):

http://article.gmane.org/gmane.network.openvpn.devel/3343

I'm reattaching it here, but see the original message for some
discussion/explanation.

--
D.

diff -burp openvpn-2.1.1/contrib/pull-resolv-conf/client.up openvpn-2.1.1-a/contrib/pull-resolv-conf/client.up --- openvpn-2.1.1/contrib/pull-resolv-conf/client.up 2009-10-01 19:02:17.0 +0100 +++ openvpn-2.1.1-a/contrib/pull-resolv-conf/client.up 2010-03-11 21:32:03.0 + @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh # Copyright (c) 2005-2009 OpenVPN Technologies, Inc. # Licensed under the GPL version 2 @@ -14,7 +14,6 @@ # Place this in /etc/openvpn/client.up # Then, add the following to your /etc/openvpn/.conf: # client -# pull dhcp-options # up /etc/openvpn/client.up # Next, "chmod a+x /etc/openvpn/client.up" @@ -22,8 +21,8 @@ # Note that this script is best served with the companion "client.down" # script. -# Only tested on Gentoo Linux 2005.0 with OpenVPN 2.0 -# It should work with any GNU/Linux with /etc/resolv.conf +# Tested under Debian lenny with OpenVPN 2.1_rc11 +# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf # This runs with the context of the OpenVPN UID/GID # at the time of execution. This generally means that 
@@ -38,38 +37,64 @@ # init variables i=1 -j=1 -unset fopt -unset dns -unset opt - -# Convert ENVs to an array - -while fopt=foreign_option_$i; [ -n "${!fopt}" ]; do -{ - opt[i-1]=${!fopt} - case ${opt[i-1]} in - *DOMAIN* ) domain=`echo ${opt[i-1]} | \ -sed -e 's/dhcp-option DOMAIN //g'` ;; - *DNS*) dns[j-1]=`echo ${opt[i-1]} | \ -sed -e 's/dhcp-option DNS //g'` - let j++ ;; +domains= +fopt= +ndoms=0 +nns=0 +nl=' +' + +# $foreign_option_ is something like +# "dhcp-option DOMAIN example.com" (multiple allowed) +# or +# "dhcp-option DNS 10.10.10.10" (multiple allowed) + +# each DNS option becomes a "nameserver" option in resolv.con +# if we get one DOMAIN, that becomes "domain" in resolv.conf +# if we get multiple DOMAINS, those become "search" lines in resolv.conf + +while true; do + eval fopt=\$foreign_option_${i} + [ -z "${fopt}" ] && break + + case ${fopt} in + dhcp-option\ DOMAIN\ *) + ndoms=$((ndoms + 1)) + domains="${domains} ${fopt#dhcp-option DOMAIN }" + ;; + dhcp-option\ DNS\ *) + nns=$((nns + 1)) + if [ $nns -le 3 ]; then + dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }" + else + printf "%s\n" "Too many nameservers - ignoring after third" >&2 + fi + ;; +*) + printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2 + ;; esac - let i++ -} + i=$((i + 1)) done -# Now, do the work - -if [ -n "${dns[*]}" ]; then - for i in "${dns[@]}"; do - sed -i -e "1,1 i nameserver ${i}" /etc/resolv.conf || die - done +ds=domain +if [ $ndoms -gt 1 ]; then + ds=search fi -if [ -n "${domain}" ]; then - sed -i -e "$j,1 i search ${domain}" /etc/resolv.conf || die +# This is the complete file - "$domains" has a leading space already +out="# resolv.conf autogenerated by ${0} (${1})${nl}${dns}${nl}${ds}${domains}" + +# use resolvconf if it's available +if [ -x /sbin/resolvconf ] ; then + printf "%s\n" "${out}" | /sbin/resolvconf -a "${1}" +else + # Preserve the existing resolv.conf + if [ -e /etc/resolv.conf ] ; then +cp /etc/resolv.conf /etc/resolv.conf.ovpnsave + fi + 
printf "%s\n" "${out}" > /etc/resolv.conf + chmod 644 /etc/resolv.conf fi -# all done... exit 0 diff -burp openvpn-2.1.1/contrib/pull-resolv-conf/client.down openvpn-2.1.1-a/contrib/pull-resolv-conf/client.down --- openvpn-2.1.1/contrib/pull-resolv-conf/client.down 2009-10-01 19:02:17.0 +0100 +++ openvpn-2.1.1-a/contrib/pull-resolv-conf/client.down 2010-03-11 21:32:09.0 + @@ -14,7 +14,6 @@ # Place this in /etc/openvpn/client.down # Then, add the following to your /etc/openvpn/.conf: # client -# pull dhcp-options # up /etc/openvpn/client.up # down /etc/openvpn/client.down # Next, "chmod a+x /etc/openvpn/client.down" @@ -23,8 +22,8 @@ # Note that this script is best served with the companion "client.up" # script. -# Only tested on Gentoo Linux 2005.0 with OpenVPN 2.0 -# It should work with any GNU/Linux with /etc/resolv.conf +# Tested under Debian lenny with OpenVPN 2.1_rc11 +# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf # This runs with the context of the OpenVPN UID/GID # at the time of execution. This generally means that @@
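Review bot: `-# pull dhcp-options` is dropped from the client.up usage comment (hunk @@ -14,7 +14,6 @@) without a word on why, and the same line goes from the client.down header in its @@ -14,7 +14,6 @@ hunk. Users who copied the old header have that line in their config, so say in the comment or the commit message that `client` already pulls the pushed options and the line was never needed, otherwise the next contributor may add it back.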
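Review bot: `+# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf` (hunk @@ -22,8 +21,8 @@) promises more than the code below delivers: resolvconf is only detected at the hard-coded `/sbin/resolvconf`, and the fallback writes `/etc/resolv.conf` directly, so a host with resolvconf installed elsewhere silently takes the overwrite path. Either name `/sbin/resolvconf` in the comment or detect the tool with `command -v resolvconf` and drop the path.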
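Review bot: `dns` is never initialised in hunk @@ -38,38 +37,64 @@: the new init block sets `domains=`, `fopt=`, `ndoms=0` and `nns=0`, the old `unset dns` is removed, and the loop then appends with `dns="${dns}${dns:+$nl}nameserver ..."`, so a `dns` variable inherited from the environment is copied into resolv.conf; add `dns=` beside `domains=`. The old `|| die` on the write path has no replacement, so a failing `cp` or a failing redirect to /etc/resolv.conf still reaches `exit 0` and OpenVPN sees a successful up script; `|| exit 1` on the `cp` and on `printf "%s\n" "${out}" > /etc/resolv.conf` (or `set -e` at the top) fixes that. `${fopt#dhcp-option DNS }` goes into the file verbatim, so whatever the server pushes after `DNS ` lands in resolv.conf unchecked, and a test that the value looks like an IP address is cheap. Two smaller points: the description says client.up renames resolv.conf, but the hunk does `cp /etc/resolv.conf /etc/resolv.conf.ovpnsave` and then overwrites the original, which writes through a symlinked resolv.conf instead of replacing it; and the comment `"nameserver" option in resolv.con` is missing its final f.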
Re: [Openvpn-devel] man page patch
Hi,

David Sommerseth wrote:
> On 16/04/10 19:48, Jan Just Keijser wrote:
>> man page patch to fix (based on the git page).
>> - explicit-exit-notify text is misleading: parameter [n] is the number of
>> attempts, not the number of retries
>> - I would make a statement that a section starting with 'so I would make a
>> statement' does not belong in a man page
>>
>> --- new-openvpn.82010-04-16 19:16:08.427860657 +0200 +++ jjk-openvpn.82010-04-16 19:46:01.374609848 +0200 @@ -3308,8 +3308,8 @@ option will tell the server to immediately close its client instance object rather than waiting for a timeout. The .B n -parameter (default=1) controls the maximum number of retries that the client -will attempt to resend the exit notification message. +parameter (default=1) controls the maximum number of attempts that the client +will make to send the exit notification message.
>
> ACK
>
>> .\"* .SS Data Channel Encryption Options: These options are meaningful for both Static & TLS-negotiated key modes @@ -3591,7 +3591,7 @@ OpenVPN adds to the IPSec model by limiting the window size in time as well as sequence space. -OpenVPN also adds TCP transport as an option (not offered by IPSec) in which +OpenVPN also adds TCP transport as an option (not offered by plain IPSec) in which
>
> Do some IPSec implementations support TCP transport? I thought that IPSec
> was OSI layer 3 (network) traffic, while TCP starts on OSI layer 4
> (transport).

At least Cisco supports IPSec-over-TCP, similarly to the IPSec-over-UDP (aka
NAT traversal) case.

>> case OpenVPN can adopt a very strict attitude towards message deletion and reordering: Don't allow it. Since TCP guarantees reliability, any packet loss or reordering event can be assumed to be an attack. @@ -3601,11 +3601,6 @@ message deletion or reordering attack which falls within the normal operational parameters of IP networks. -So I would make the statement that one should never tunnel a non-IP protocol -or UDP application protocol over UDP, if the protocol might be vulnerable to a -message deletion or reordering attack that falls within the normal operating -parameters of what is to be expected from the physical IP layer. The problem -is easily fixed by simply using TCP as the VPN transport layer.
>
> Even though I do agree with you that a "personal message" should not be in
> a man page, I also do see the importance of the message given here. But it
> can be understood as controversial for some, as it is formulated in a
> biased way. If the message given is false, it should be removed as well.
> But I'd rather see this whole paragraph being rephrased, reworked and
> become a bit more unbiased towards the TCP/UDP discussion. Now it can be
> understood that TCP is the best security solution - but that's when you
> only read this little paragraph. Changing from TCP to UDP also has its fair
> share of advantages and disadvantages as well, which should be covered
> somehow in the man page.

To me the last paragraph seems like a rehash of the previous one, with wording
like "I would make a statement bla bla". I don't know who wrote the original
paragraph but at the very least the wording should be changed such that
- it is no longer a personal message
- it adds value to the paragraph above.
I tried rewriting the Personal Message paragraph myself but ended up with
something almost identical to the paragraph right above it.

> Could we please split these three changes into three different patches, as
> they cover three different parts of the man page and tracking their changes
> separately is cleaner when people try to figure out what was discussed and
> which conclusions were made.

No problem; I'll send another man page patch.

cheers,

JJK
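Review bot: `retries` to `attempts` in hunk @@ -3308,8 +3308,8 @@ changes what `n` counts (with `(default=1)` left as is, one attempt means a single send, while one retry meant two), so the new wording is right only if the code counts total sends; the hunk cannot show that, and the commit message should say which behaviour was checked against the source.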
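Review bot: `(not offered by plain IPSec)` in hunk @@ -3591,7 +3591,7 @@ brings in "plain IPSec" without saying what it excludes; the IPSec-over-TCP exchange above is the missing context, so put it in the sentence, e.g. `(not part of IPSec itself, though some implementations tunnel IPSec over TCP)`, rather than leaving readers to guess what plain means.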
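Review bot: the five `-` lines of hunk @@ -3601,11 +3601,6 @@ remove the only sentence in this section that turns the threat description into advice (use TCP as the VPN transport when the tunnelled protocol cannot tolerate deletion or reordering), and the context line kept above them, `message deletion or reordering attack which falls within the normal operational parameters of IP networks.`, only states the problem. Rather than deleting, rewrite the paragraph in the man page's voice: one sentence with that recommendation and one on the cost of TCP transport that David asks for above, so the section neither speaks in the first person nor loses the advice.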