Browse code
Use topology default of "subnet" only for server mode
The setting of --topology changes the syntax of --ifconfig.
So changing the default of --topology breaks all existing
configs that use --ifconfig but not --topology.
For P2P setups that is probably a signification percentage.
For server setups the percentage is hopefully lower since
--ifconfig is implicitly set by --server. Also more people
might have set their topology explicitly since it makes a
much bigger difference. Clients will usually get the
topology and the IP config pushed by the server.
So we decided to not switch the default for everyone to
not affect P2P setups. What we care about is to change
the default for --mode server, so we only do that now. For
people using --server this should be transparent except
for a pool reset.
Github: Openvpn/openvpn#529
Change-Id: Iefd209c0856ef395ab74055496130de00b86ead0
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240501124254.29114-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28592.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Frank Lichtenheld authored on 2024/05/01 21:42:54Showing 4 changed files
| ... | ... |
@@ -23,11 +23,12 @@ NTLMv1 authentication support for HTTP proxies has been removed. |
| 23 | 23 |
``persist-key`` option has been enabled by default. |
| 24 | 24 |
All the keys will be kept in memory across restart. |
| 25 | 25 |
|
| 26 |
-Default for ``--topology`` changed to ``subnet`` |
|
| 27 |
- Previous releases used ``net30`` as default. This only affects |
|
| 28 |
- configs with ``--dev tun`` and only IPv4. Note that this |
|
| 29 |
- changes the semantics of ``--ifconfig``, so if you have manual |
|
| 30 |
- settings for that in your config but not set ``--topology`` |
|
| 26 |
+Default for ``--topology`` changed to ``subnet`` for ``--mode server`` |
|
| 27 |
+ Previous releases always used ``net30`` as default. This only affects |
|
| 28 |
+ configs with ``--mode server`` or ``--server`` (the latter implies the |
|
| 29 |
+ former), and ``--dev tun``, and only if IPv4 is enabled. |
|
| 30 |
+ Note that this changes the semantics of ``--ifconfig``, so if you have |
|
| 31 |
+ manual settings for that in your config but not set ``--topology`` |
|
| 31 | 32 |
your config might fail to parse with the new version. Just adding |
| 32 | 33 |
``--topology net30`` to the config should fix the problem. |
| 33 | 34 |
By default ``--topology`` is pushed from server to client. |
| ... | ... |
@@ -137,6 +137,32 @@ verify_common_subnet(const char *opt, const in_addr_t a, const in_addr_t b, cons |
| 137 | 137 |
} |
| 138 | 138 |
|
| 139 | 139 |
|
| 140 |
+/** |
|
| 141 |
+ * Set --topology default depending on --mode |
|
| 142 |
+ */ |
|
| 143 |
+void |
|
| 144 |
+helper_setdefault_topology(struct options *o) |
|
| 145 |
+{
|
|
| 146 |
+ if (o->topology != TOP_UNDEF) |
|
| 147 |
+ {
|
|
| 148 |
+ return; |
|
| 149 |
+ } |
|
| 150 |
+ int dev = dev_type_enum(o->dev, o->dev_type); |
|
| 151 |
+ if (dev != DEV_TYPE_TUN) |
|
| 152 |
+ {
|
|
| 153 |
+ return; |
|
| 154 |
+ } |
|
| 155 |
+ if (o->mode == MODE_SERVER) |
|
| 156 |
+ {
|
|
| 157 |
+ o->topology = TOP_SUBNET; |
|
| 158 |
+ } |
|
| 159 |
+ else |
|
| 160 |
+ {
|
|
| 161 |
+ o->topology = TOP_NET30; |
|
| 162 |
+ } |
|
| 163 |
+} |
|
| 164 |
+ |
|
| 165 |
+ |
|
| 140 | 166 |
/* |
| 141 | 167 |
* Process server, server-bridge, and client helper |
| 142 | 168 |
* directives after the parameters themselves have been |
| ... | ... |
@@ -151,7 +177,6 @@ helper_client_server(struct options *o) |
| 151 | 151 |
* Get tun/tap/null device type |
| 152 | 152 |
*/ |
| 153 | 153 |
const int dev = dev_type_enum(o->dev, o->dev_type); |
| 154 |
- const int topology = o->topology; |
|
| 155 | 154 |
|
| 156 | 155 |
/* |
| 157 | 156 |
* |
| ... | ... |
@@ -177,11 +202,11 @@ helper_client_server(struct options *o) |
| 177 | 177 |
|
| 178 | 178 |
if (o->server_flags & SF_NOPOOL) |
| 179 | 179 |
{
|
| 180 |
- msg( M_USAGE, "--server-ipv6 is incompatible with 'nopool' option" ); |
|
| 180 |
+ msg(M_USAGE, "--server-ipv6 is incompatible with 'nopool' option"); |
|
| 181 | 181 |
} |
| 182 | 182 |
if (o->ifconfig_ipv6_pool_defined) |
| 183 | 183 |
{
|
| 184 |
- msg( M_USAGE, "--server-ipv6 already defines an ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly"); |
|
| 184 |
+ msg(M_USAGE, "--server-ipv6 already defines an ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly"); |
|
| 185 | 185 |
} |
| 186 | 186 |
|
| 187 | 187 |
o->mode = MODE_SERVER; |
| ... | ... |
@@ -207,7 +232,7 @@ helper_client_server(struct options *o) |
| 207 | 207 |
o->server_netbits_ipv6 < 112 ? 0x1000 : 2); |
| 208 | 208 |
o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6; |
| 209 | 209 |
|
| 210 |
- push_option( o, "tun-ipv6", M_USAGE ); |
|
| 210 |
+ push_option(o, "tun-ipv6", M_USAGE); |
|
| 211 | 211 |
} |
| 212 | 212 |
|
| 213 | 213 |
/* |
| ... | ... |
@@ -305,8 +330,10 @@ helper_client_server(struct options *o) |
| 305 | 305 |
|
| 306 | 306 |
o->mode = MODE_SERVER; |
| 307 | 307 |
o->tls_server = true; |
| 308 |
+ /* Need to know topology now */ |
|
| 309 |
+ helper_setdefault_topology(o); |
|
| 308 | 310 |
|
| 309 |
- if (topology == TOP_NET30 || topology == TOP_P2P) |
|
| 311 |
+ if (o->topology == TOP_NET30 || o->topology == TOP_P2P) |
|
| 310 | 312 |
{
|
| 311 | 313 |
o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc); |
| 312 | 314 |
o->ifconfig_remote_netmask = print_in_addr_t(o->server_network + 2, 0, &o->gc); |
| ... | ... |
@@ -324,12 +351,12 @@ helper_client_server(struct options *o) |
| 324 | 324 |
{
|
| 325 | 325 |
push_option(o, print_opt_route(o->server_network, o->server_netmask, &o->gc), M_USAGE); |
| 326 | 326 |
} |
| 327 |
- else if (topology == TOP_NET30) |
|
| 327 |
+ else if (o->topology == TOP_NET30) |
|
| 328 | 328 |
{
|
| 329 | 329 |
push_option(o, print_opt_route(o->server_network + 1, 0, &o->gc), M_USAGE); |
| 330 | 330 |
} |
| 331 | 331 |
} |
| 332 |
- else if (topology == TOP_SUBNET) |
|
| 332 |
+ else if (o->topology == TOP_SUBNET) |
|
| 333 | 333 |
{
|
| 334 | 334 |
o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc); |
| 335 | 335 |
o->ifconfig_remote_netmask = print_in_addr_t(o->server_netmask, 0, &o->gc); |
| ... | ... |
@@ -354,9 +381,9 @@ helper_client_server(struct options *o) |
| 354 | 354 |
ASSERT(0); |
| 355 | 355 |
} |
| 356 | 356 |
|
| 357 |
- push_option(o, print_opt_topology(topology, &o->gc), M_USAGE); |
|
| 357 |
+ push_option(o, print_opt_topology(o->topology, &o->gc), M_USAGE); |
|
| 358 | 358 |
|
| 359 |
- if (topology == TOP_NET30 && !(o->server_flags & SF_NOPOOL)) |
|
| 359 |
+ if (o->topology == TOP_NET30 && !(o->server_flags & SF_NOPOOL)) |
|
| 360 | 360 |
{
|
| 361 | 361 |
msg(M_WARN, "WARNING: --topology net30 support for server " |
| 362 | 362 |
"configs with IPv4 pools will be removed in a future " |
| ... | ... |
@@ -394,7 +421,7 @@ helper_client_server(struct options *o) |
| 394 | 394 |
} |
| 395 | 395 |
|
| 396 | 396 |
/* set push-ifconfig-constraint directive */ |
| 397 |
- if ((dev == DEV_TYPE_TAP || topology == TOP_SUBNET)) |
|
| 397 |
+ if ((dev == DEV_TYPE_TAP || o->topology == TOP_SUBNET)) |
|
| 398 | 398 |
{
|
| 399 | 399 |
o->push_ifconfig_constraint_defined = true; |
| 400 | 400 |
o->push_ifconfig_constraint_network = o->server_network; |
| ... | ... |
@@ -796,7 +796,7 @@ init_options(struct options *o, const bool init_gc) |
| 796 | 796 |
o->gc_owned = true; |
| 797 | 797 |
} |
| 798 | 798 |
o->mode = MODE_POINT_TO_POINT; |
| 799 |
- o->topology = TOP_SUBNET; |
|
| 799 |
+ o->topology = TOP_UNDEF; |
|
| 800 | 800 |
o->ce.proto = PROTO_UDP; |
| 801 | 801 |
o->ce.af = AF_UNSPEC; |
| 802 | 802 |
o->ce.bind_ipv6_only = false; |
| ... | ... |
@@ -3478,6 +3478,7 @@ options_postprocess_verify(const struct options *o) |
| 3478 | 3478 |
} |
| 3479 | 3479 |
} |
| 3480 | 3480 |
|
| 3481 |
+ |
|
| 3481 | 3482 |
/** |
| 3482 | 3483 |
* Checks for availibility of Chacha20-Poly1305 and sets |
| 3483 | 3484 |
* the ncp_cipher to either AES-256-GCM:AES-128-GCM or |
| ... | ... |
@@ -3680,6 +3681,8 @@ options_postprocess_mutate(struct options *o, struct env_set *es) |
| 3680 | 3680 |
* sequences of options. |
| 3681 | 3681 |
*/ |
| 3682 | 3682 |
helper_client_server(o); |
| 3683 |
+ /* must be called after helpers that might set --mode */ |
|
| 3684 |
+ helper_setdefault_topology(o); |
|
| 3683 | 3685 |
helper_keepalive(o); |
| 3684 | 3686 |
helper_tcp_nodelay(o); |
| 3685 | 3687 |
|