Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!

Full Text Bug Listing

Feb  5 20:16:24 [openvpn] TUN/TAP device vpn opened
Feb  5 20:16:24 [openvpn] TUN/TAP link layer address set to f0:01:aa:00:00:02
Feb  5 20:16:24 [openvpn] /sbin/ip link set dev vpn up mtu 1500
Feb  5 20:16:24 [openvpn] /sbin/ip addr add dev vpn 10.73.1.30/24 broadcast
10.73.1.255
Feb  5 20:16:24 [openvpn] /etc/openvpn/up.sh vpn 1500 1574 10.73.1.30
255.255.255.0 init
Feb  5 20:16:24 [openvpn] Initialization Sequence Completed
Feb  5 22:53:34 [openvpn] [marples.name] Inactivity timeout (--ping-restart),
restarting
Feb  5 22:53:34 [openvpn] /etc/openvpn/down.sh vpn 1500 1574 10.73.1.30
255.255.255.0 init
Feb  5 22:53:34 [openvpn] /sbin/ip addr del dev vpn local 10.73.1.30 peer
255.255.255.0
Feb  5 22:53:34 [openvpn] Linux ip addr del failed: shell command exited with
error status: 2
Feb  5 22:53:34 [openvpn] Exiting

Basically, the ip command is wrong. The correct command is of course
/sbin/ip addr del dev vpn local 10.73.1.30/24 as iproute2 does not understand
255.255.255.0 style netmasks.
I also fail to see the point of the command, as the next command in the code
removes the interface which does the same thing anyway!

Created an attachment (id=142755) [details]
Don't bother removing ip addr from the interface

Created an attachment (id=142756) [details]
Same as above, but doesn't require existing iproute2 patch

Created an attachment (id=142774) [details]
tap-cleanup.patch

Hi Roy,

This is required in order to delete address from persistent interface and work
completely unprivileged.

Look for "Unprivileged mode" at the howto:
http://openvpn.net/howto.html

You are right! the tap interface is not handled correctly.

Can you please test this out?

Thanks!

(In reply to comment #3)
> This is required in order to delete address from persistent interface and work
> completely unprivileged.

And you've made that work only on Linux using iproute2?
Last I checked, iproute2 was optional and ifconfig was the default.
What other OS's like FreeBSD?

> And you've made that work only on Linux using iproute2?

Yes.
It was the simplest to do this for iproute2.
Does the patch works?

> Last I checked, iproute2 was optional and ifconfig was the default.

Still... No change.

> What other OS's like FreeBSD?

I don't know freebsd at all... But I got the impression that openvpn support
only ifconfig configuration, am I wrong?

BTW: Do you know how to set the privilege of tun interface in freebsd?

Fails

Feb  6 11:33:39 [openvpn] /etc/openvpn/down.sh vpn 1500 1574 10.73.1.30
255.255.255.0 init
Feb  6 11:33:39 [openvpn] /sbin/ip addr add dev vpn 10.73.1.30/24 broadcast
10.73.1.255
Feb  6 11:33:39 [openvpn] Linux ip addr del failed: shell command exited with
error status: 2

Why did you specify the broadcast? I told you the command to use above and
broadcast isn't there.

As to your other question - are you implying that you only need to remove the
address with iproute2 and not ifconfig? If so, I'd love to know why you think
so :)

Created an attachment (id=142812) [details]
tap-cleanup.patch

Roy, I am not an expert as you in the ifconfig/iproute stuff...

Have I got this right this time? The ifconfig commands seems working... But I
am not sure it is correct.

Also... Why this has an ip6 address?
config_tap1="null"

# /etc/init.d/net.tap1 start
 * Bringing up interface tap1
 *   Running preup ...
 *   Creating Tun/Tap interface tap1 ...                                       
                             [ok]
 *   null ...                                                                  
                             [ok]
 *   Waiting for IPv6 addresses ...                                            
                             [ok]

# ifconfig tap1
tap1      Link encap:Ethernet  HWaddr 00:FF:75:74:F6:A3
          inet6 addr: fe80::2ff:75ff:fe74:f6a3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:6 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

I don't even need to run the patch to see it's wrong

addr add

Shouldn't that be del?

And yes, ifconfig seems to do the right thing. Well, as best it can on Linux
anyway. For the BSD's you can do this
ifconfig tap1 inet 10.2.3.4/24 -alias

The IPv6 address is a local link address and is automagically calculated by the
kernel based on the hardware address. It's supposed to be there.

Created an attachment (id=142862) [details]
tap-cleanup.patch

True, sorry.
I could not test this at that time.

Can you please create a patch for BSD?
Is it possible to change permission of tap in BSD?

(In reply to comment #9)
> Created an attachment (id=142862) [edit] [details]
> tap-cleanup.patch

Better, but you also break non iproute2 systems by assuming the linux ifconfig
style. I'm now testing it anyway with iproute2.

> Can you please create a patch for BSD?
> Is it possible to change permission of tap in BSD?

Will take some time as I'm busy with my new daughter, but will try to.
It *is* possible to change the permissions (ie, owner mode) of the tap
interface in FreeBSD, but that's using a special config entry for devfs which
OpenVPN shouldn't be touching. Plus it's FreeBSD specific. I'll see if I can
find something for the other BSDs as I have a NetBSD box as well now.

(In reply to comment #10)

> Better, but you also break non iproute2 systems by assuming the linux ifconfig
> style. I'm now testing it anyway with iproute2.

This code is #ifdef for Linux... So it is OK...

> Will take some time as I'm busy with my new daughter, but will try to.
> It *is* possible to change the permissions (ie, owner mode) of the tap
> interface in FreeBSD, but that's using a special config entry for devfs which
> OpenVPN shouldn't be touching. Plus it's FreeBSD specific. I'll see if I can
> find something for the other BSDs as I have a NetBSD box as well now.

Great!

Fixed, thanks!