Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-02 Thread Marvin Adeff
Antonio,
I certainly don’t disagree with you. 

However I think I’ve taken up enough bandwidth over this topic on 
Openvpn-devel. Thank you all. 

Marvin

> On Apr 1, 2018, at 7:20 PM, Antonio Quartulli  wrote:
> 
>> On 02/04/18 10:12, Marvin Adeff wrote:
>> Even on the internet I can tell country, ISP etc. Very useful for security 
>> ACLs etc. Unless I’m completely mistaken, I don’t believe this is easily 
>> done in ipv6. 
> 
> mostly because at this very moment Tunnel Brokers are widely used and
> they act as a "proxy", effectively covering the real location of the
> client host.
> 
> Many websites just show you (client) as connecting from the country
> where your Tunnel Broker is located.
> 
> When using native IPv6 this problem does not exist anymore.
> 
> Therefore, the proper way to get over this "limitation" (even though I
> don't think it is a real problem, but this is of course my perspective) is
> to speed up the transition and move everybody over native IPv6 (which is
> something we can't achieve if we continue to be "afraid" of using IPv6
> in our everyday life).
> 
> Cheers,
> 
> -- 
> Antonio Quartulli
> 
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel



Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Antonio Quartulli
On 02/04/18 10:12, Marvin Adeff wrote:
> Even on the internet I can tell country, ISP etc. Very useful for security 
> ACLs etc. Unless I’m completely mistaken, I don’t believe this is easily done 
> in ipv6. 

mostly because at this very moment Tunnel Brokers are widely used and
they act as a "proxy", effectively covering the real location of the
client host.

Many websites just show you (client) as connecting from the country
where your Tunnel Broker is located.

When using native IPv6 this problem does not exist anymore.

Therefore, the proper way to get over this "limitation" (even though I
don't think it is a real problem, but this is of course my perspective) is
to speed up the transition and move everybody over native IPv6 (which is
something we can't achieve if we continue to be "afraid" of using IPv6
in our everyday life).

Cheers,

-- 
Antonio Quartulli





Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Marvin Adeff
Gert,

Without invalidating the reason for your frustration, I am breathing a sigh of 
relief.

As a complete aside, in some ways ipv4 is actually more useful to me in my 
work. In a private network I can tell where in the network the traffic is 
coming from. Even on the internet I can tell country, ISP etc. Very useful for 
security ACLs etc. Unless I’m completely mistaken, I don’t believe this is 
easily done in ipv6. 

BTW, a big thank-you to you and all the devs in the OpenVPN project!

Marvin

> On Apr 1, 2018, at 12:34 PM, Gert Doering  wrote:
> 
> Hi,
> 
>> On Sun, Apr 01, 2018 at 12:21:53PM -0700, Marvin Adeff wrote:
>> I had not considered the extra work and code required to maintain both 
>> versions. But I get it now. Here is the unfortunate position this puts us in:
> [..]
> 
> Well, that part of my e-mail was a bit of frustration speaking - I've
> been advocating IPv6 for over 20 years now, and while large parts of
> the access networks are offering IPv6 now, other parts are still being
> *built* with IPv4 only, or stubbornly stick to IPv4 only...  thus, double
> work everywhere, not only in OpenVPN, seemingly for a lifetime.
> 
>> So if OpenVPN lost ipv4 support anytime soon, we would be in a world of hurt.
> 
> As far as OpenVPN is concerned, I am not aware of any plans to remove 
> IPv4 support.
> 
> The extra code adds some maintenance and testing effort, but since this
> is all in place now (especially the test setups with "connect over IPv4
> or IPv6" and "send IPv4 and IPv6 packets through the test VPN") it would
> be more work to rip out IPv4 now... :-)
> 
> gert
> -- 
> "If was one thing all people took for granted, was conviction that if you 
> feed honest figures into a computer, honest figures come out. Never doubted 
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
> 
> Gert Doering - Munich, Germany g...@greenie.muc.de



Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Gert Doering
Hi,

On Sun, Apr 01, 2018 at 12:21:53PM -0700, Marvin Adeff wrote:
> I had not considered the extra work and code required to maintain both 
> versions. But I get it now. Here is the unfortunate position this puts us in:
[..]

Well, that part of my e-mail was a bit of frustration speaking - I've
been advocating IPv6 for over 20 years now, and while large parts of
the access networks are offering IPv6 now, other parts are still being
*built* with IPv4 only, or stubbornly stick to IPv4 only...  thus, double
work everywhere, not only in OpenVPN, seemingly for a lifetime.

> So if OpenVPN lost ipv4 support anytime soon, we would be in a world of hurt.

As far as OpenVPN is concerned, I am not aware of any plans to remove 
IPv4 support.

The extra code adds some maintenance and testing effort, but since this
is all in place now (especially the test setups with "connect over IPv4
or IPv6" and "send IPv4 and IPv6 packets through the test VPN") it would
be more work to rip out IPv4 now... :-)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Marvin Adeff
Ok, I’ll only discard the irate part  ;-]

I had not considered the extra work and code required to maintain both 
versions. But I get it now. Here is the unfortunate position this puts us in:

We use OpenVPN for connection from 1000’s of devices located at customer 
facilities back to us. These devices/software have a lifespan of greater than 
10 years and most are extremely expensive (not easily replaced). So a large 
quantity are incapable of ipv6 (and frankly many customer facility networks are 
not fully functional with ipv6). Also some of the devices/software at our end 
that interface with those legacy customer devices are also not ipv6 capable. 

So if OpenVPN lost ipv4 support anytime soon, we would be in a world of hurt.  
There is much more detail about all this, but I wanted to keep this a short 
email. 

Thanks for listening. 

Marvin

> On Apr 1, 2018, at 11:39 AM, Gert Doering  wrote:
> 
> Hi,
> 
>> On Sun, Apr 01, 2018 at 11:19:57AM -0700, Marvin Adeff wrote:
>> Think of us poor mail list lurkers. Practically gave this one a heart 
>> attack!  Not having seen that private reply, I hope that means I can discard 
>> the long-ass (and quite irate) reply I was working on?
> 
> Please share!
> 
>> (Sent from an ipv4 address)
> 
> Whatever journey OpenVPN takes, the Internet as a whole will need to 
> either finish the move to IPv6, or give up and return to IPv4-only -
> running dual-stack is just too expensive in the long run.  Like, twice
> the amount of code needed for routing, address parsing, firewalling, ...
> 
> gert
> -- 
> "If was one thing all people took for granted, was conviction that if you 
> feed honest figures into a computer, honest figures come out. Never doubted 
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
> 
> Gert Doering - Munich, Germany g...@greenie.muc.de



Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Gert Doering
Hi,

On Sun, Apr 01, 2018 at 11:19:57AM -0700, Marvin Adeff wrote:
> Think of us poor mail list lurkers. Practically gave this one a heart attack! 
>  Not having seen that private reply, I hope that means I can discard the 
> long-ass (and quite irate) reply I was working on?

Please share!

> (Sent from an ipv4 address)

Whatever journey OpenVPN takes, the Internet as a whole will need to 
either finish the move to IPv6, or give up and return to IPv4-only -
running dual-stack is just too expensive in the long run.  Like, twice
the amount of code needed for routing, address parsing, firewalling, ...

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Marvin Adeff
Think of us poor mail list lurkers. Practically gave this one a heart attack!  
Not having seen that private reply, I hope that means I can discard the 
long-ass (and quite irate) reply I was working on?

Marvin
(Sent from an ipv4 address)

> On Apr 1, 2018, at 8:52 AM, Jonathan K. Bullard  wrote:
> 
> Hi,
> 
>> On Sun, Apr 1, 2018 at 11:34 AM, Gert Doering  wrote:
>> Hi,
>> 
>>> On Sun, Apr 01, 2018 at 10:19:37AM -0400, Selva Nair wrote:
>>>> On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering  wrote:
>>>> 
>>>>> As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
>>>>> be IPv6-only.  Removal of IPv4-related code and options will dramatically
>>>>> reduce code complexity, confusing options, bugs and user questions.
>> [..]
>>> 
>>> Nice try :)
>> 
>> Hah, caught in the act ;-)
>> 
>> (Apologies to Jonathan for scaring you about new user support issues...)
> 
> No apologies necessary! I fell for it completely and have no excuse. I
> probably laughed as hard as anyone else when I read your private reply
> that pointed out today's date.
> 
> Best regards,
> 
> Jon
> 


Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Jonathan K. Bullard
Hi,

On Sun, Apr 1, 2018 at 11:34 AM, Gert Doering  wrote:
> Hi,
>
> On Sun, Apr 01, 2018 at 10:19:37AM -0400, Selva Nair wrote:
>> On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering  wrote:
>>
>> > As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
>> > be IPv6-only.  Removal of IPv4-related code and options will dramatically
>> > reduce code complexity, confusing options, bugs and user questions.
> [..]
>>
>> Nice try :)
>
> Hah, caught in the act ;-)
>
> (Apologies to Jonathan for scaring you about new user support issues...)

No apologies necessary! I fell for it completely and have no excuse. I
probably laughed as hard as anyone else when I read your private reply
that pointed out today's date.

Best regards,

Jon



Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Gert Doering
Hi,

On Sun, Apr 01, 2018 at 10:19:37AM -0400, Selva Nair wrote:
> On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering  wrote:
> 
> > As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
> > be IPv6-only.  Removal of IPv4-related code and options will dramatically
> > reduce code complexity, confusing options, bugs and user questions.
[..]
> 
> Nice try :)

Hah, caught in the act ;-)

(Apologies to Jonathan for scaring you about new user support issues...)

Trac #208 is really about *enabling* IPv6-only mode (which does not work
today), but not about *mandating* IPv6-only / taking away IPv4.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Selva Nair
Hi,

On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering  wrote:

> As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
> be IPv6-only.  Removal of IPv4-related code and options will dramatically
> reduce code complexity, confusing options, bugs and user questions.
>
> Add deprecation warnings for IPv4-related config options to 2.4 branch,
> so users have enough time to move their setups to work on IPv6-only
> before 2.5 will be released.
>
> This affects:
>
>   --ifconfig
>   --route
>   --server
>   --proto udp4/tcp4
>   --ifconfig-pool
>
> More IPv4-related options will be identified and depreciated later.
>

Nice try :)

Selva


Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Samuel Thibault
Hello,

Jonathan K. Bullard, on dim. 01 avril 2018 06:17:55 -0400, wrote:
> Either way, can anyone give an approximate release date for 2.5, so we
> can have a time frame for the change? (Even a "not before" date would
> be very helpful in evaluating the impact of these proposed changes.)

I guess it'll be "not before" tomorrow.

Samuel



Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Jonathan K. Bullard
Hi,

On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering  wrote:
> As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
> be IPv6-only.  Removal of IPv4-related code and options will dramatically
> reduce code complexity, confusing options, bugs and user questions.
>
> Add deprecation warnings for IPv4-related config options to 2.4 branch,
> so users have enough time to move their setups to work on IPv6-only
> before 2.5 will be released.

Are you proposing to remove all IPv4 support from OpenVPN 2.5, so that
an IPv6 connection will be required and an IPv4-only connection will
not work?

Or is this about removing IPv4-only options and code and leaving
options and code that work for either IPv4 or IPv6, so users could
continue to have an IPv4-only setup by changing the names of a few
options in their configuration files?

Either way, can anyone give an approximate release date for 2.5, so we
can have a time frame for the change? (Even a "not before" date would
be very helpful in evaluating the impact of these proposed changes.)

Best regards,

Jon Bullard (Tunnelblick developer)



[Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Gert Doering
As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
be IPv6-only.  Removal of IPv4-related code and options will dramatically
reduce code complexity, confusing options, bugs and user questions.

Add deprecation warnings for IPv4-related config options to 2.4 branch,
so users have enough time to move their setups to work on IPv6-only
before 2.5 will be released.

This affects:

  --ifconfig
  --route
  --server
  --proto udp4/tcp4
  --ifconfig-pool

More IPv4-related options will be identified and depreciated later.

Trac: #208

Signed-off-by: Gert Doering 
---
 src/openvpn/options.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 9fef3945..46d33c0b 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -5258,6 +5258,7 @@ add_option(struct options *options,
 msg(msglevel, "ifconfig parms '%s' and '%s' must be valid 
addresses", p[1], p[2]);
 goto err;
 }
+msg(M_WARN, "DEPRECATED OPTION: --ifconfig, please update your 
configuration to use IPv6 (--ifconfig-ipv6). IPv4 support will be removed in 
OpenVPN v2.5.");
 }
 else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
 {
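Review bot: The msg() added after the --ifconfig validation block spells out the whole deprecation sentence inline, and the same sentence recurs with only the option names changed in the --proto, --route, --server and --ifconfig-pool hunks. A small helper taking the old option name and its IPv6 replacement would keep the wording and the hard-coded "v2.5" in one place, so a later change of the removal version does not need five edits.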
@@ -5928,6 +5929,10 @@ add_option(struct options *options,
 }
 options->ce.proto = proto;
 options->ce.af = af;
+   if (af == AF_INET)
+{
+msg(M_WARN, "DEPRECATED OPTION: --proto %s, please update your 
configuration to use IPv6. IPv4 support will be removed in OpenVPN v2.5.", 
p[1]);
+}
 }
 else if (streq(p[0], "proto-force") && p[1] && !p[2])
 {
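Review bot: The new `if (af == AF_INET)` warning has no once-only guard, unlike the --route hunk below, which uses a static counter, so every `--proto udp4` or `--proto tcp4` line in a configuration logs the warning again. Either guard it the same way or drop the guard from --route, so that all five options behave consistently.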
@@ -6151,6 +6156,7 @@ add_option(struct options *options,
 }
 else if (streq(p[0], "route") && p[1] && !p[5])
 {
+   static int route_warning_printed = 0;
 VERIFY_PERMISSION(OPT_P_ROUTE);
 rol_check_alloc(options);
 if (pull_mode)
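Review bot: The `if (pull_mode)` check just below the new `static int route_warning_printed` shows that this branch also handles routes in pull mode, so the warning added further down can appear on a client whose own configuration contains no --route and who cannot act on it. Consider emitting the warning only outside pull mode. The flag is used purely as a boolean, so `static bool` would state the intent better than `static int`.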
@@ -6172,6 +6178,10 @@ add_option(struct options *options,
 }
 }
 add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]);
+if (route_warning_printed++ < 1)
+{
+msg(M_WARN, "DEPRECATED OPTION: --route, please update your 
configuration to use IPv6 (--route-ipv6). IPv4 support will be removed in 
OpenVPN v2.5.");
+}
 }
 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
 {
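Review bot: `if (route_warning_printed++ < 1)` keeps incrementing the counter on every --route line although only the first transition matters. Testing the flag and setting it once inside the block, for example `if (!route_warning_printed) { route_warning_printed = 1; ... }`, reads more clearly and leaves no counter that grows with the number of routes.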
@@ -6459,6 +6469,7 @@ add_option(struct options *options,
 goto err;
 }
 }
+msg(M_WARN, "DEPRECATED OPTION: --server, please update your 
configuration to use IPv6 (--server-ipv6). IPv4 support will be removed in 
OpenVPN v2.5.");
 }
 else if (streq(p[0], "server-ipv6") && p[1] && !p[3])
 {
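Review bot: Missing documentation: the diffstat lists only src/openvpn/options.c, so the --server deprecation announced by this msg(), like the other four, is not reflected in the man page or the change log. Users who read the documentation before the log would not learn about the removal; please add the deprecation notes in the same patch.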
@@ -6566,6 +6577,7 @@ add_option(struct options *options,
 {
 options->ifconfig_pool_netmask = netmask;
 }
+msg(M_WARN, "DEPRECATED OPTION: --ifconfig-pool, please update your 
configuration to use IPv6 (--ifconfig-ipv6-pool). IPv4 support will be removed 
in OpenVPN v2.5.");
 }
 else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
 {
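Review bot: The string literal in the added --ifconfig-pool msg() is far longer than the surrounding code lines, as are the literals in the other hunks. Splitting it into adjacent string literals, one per source line, would keep the line length in check without changing the output.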
-- 
2.16.1

