Re: [Openvpn-devel] OpenVPN 2.0 iroutes


  • Subject: Re: [Openvpn-devel] OpenVPN 2.0 iroutes
  • From: Dan Hulme <dhulme@xxxxxxxxx>
  • Date: Wed, 18 May 2005 10:50:21 -0700


> Regarding iroutes, it would be nice if an iroute command implied a top-level
> "route command", as I can't see why you'd ever want an iroute command
> without the corresponding route command. This would also keep the main file
> cleaner and not require restarts when new CCD files were added. It also
> makes CCD files portable from one VPN to another. If this were a security
> risk, you might have a --allow-ccd-routes flag to enable it or something.

The reason why iroute does not automatically add an equivalent system
route as well is that OpenVPN is designed to drop root privileges after
initialization, so it would not have the required privileges to add a
route after initialization.  The privilege model dictates that system
routes be statically added on initialization while iroutes are added and
removed during normal VPN operation as clients connect and disconnect.

James


OK, what if we add a directive called "--load-ccd-routes" which loads all the iroutes in the ccd dir on startup?  Presumably, you wouldn't have an iroute statement without the corresponding route command, so why not create all the routes automatically?  This would solve the privilege problem because it could be done before switching to a non-privileged user.  I can't really see any big security risk here, as you are free to remove the ccds if you don't want to load their iroute/route.

-Dan
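To make the proposal above concrete, here is an added example (not part of this thread, and not OpenVPN code or any OpenVPN option) of what a startup step like the suggested "--load-ccd-routes" would have to compute: it reads the iroute lines out of a client-config-dir and derives the matching server-side route directives, so they can be installed while the daemon still has root, before it drops to the unprivileged user. It also flags the one thing a defender would want checked in such a step, namely two ccd files claiming the same subnet, which would leave OpenVPN's internal routing ambiguous. The file names and subnets below are constructed sample data; the netmask default of 255.255.255.255 for a bare iroute host is OpenVPN's documented behaviour.

```python
#!/usr/bin/env python3
"""Derive the server-side `route` directives implied by the `iroute`
entries in an OpenVPN client-config-dir (ccd), and flag conflicts.

Hypothetical helper written for this thread; it is not part of OpenVPN
and does not implement any OpenVPN option.
"""
import ipaddress
import re
from pathlib import Path

# An iroute with no netmask denotes a single host in OpenVPN.
_DEFAULT_MASK = "255.255.255.255"
# `iroute <network> [netmask]`, optionally followed by a # or ; comment
_IROUTE_RE = re.compile(r"^\s*iroute\s+(\S+)(?:\s+(\S+))?\s*(?:[#;].*)?$")


def parse_iroutes(text):
    """Return the IPv4Network objects declared by `iroute` lines in one
    ccd file's text. Full-line comments and other directives are ignored."""
    nets = []
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = _IROUTE_RE.match(line)
        if not m:
            continue
        network, mask = m.group(1), m.group(2) or _DEFAULT_MASK
        # strict=False tolerates host bits set in the network part
        nets.append(ipaddress.IPv4Network(f"{network}/{mask}", strict=False))
    return nets


def implied_routes(ccd_files):
    """ccd_files: mapping of client name -> ccd file text.

    Returns (routes, conflicts): `routes` is a list of
    'route <network> <netmask>' lines for the server config, sorted by
    network; `conflicts` lists (network, [clients]) for every subnet
    that more than one client claims via iroute."""
    owners = {}
    for client, text in ccd_files.items():
        for net in parse_iroutes(text):
            owners.setdefault(net, []).append(client)
    routes = [f"route {n.network_address} {n.netmask}" for n in sorted(owners)]
    conflicts = [(str(n), owners[n]) for n in sorted(owners) if len(owners[n]) > 1]
    return routes, conflicts


def load_ccd_dir(path):
    """Read every regular file in a ccd directory into {name: text}."""
    return {p.name: p.read_text() for p in sorted(Path(path).iterdir()) if p.is_file()}


# Constructed sample ccd directory contents (not taken from the thread).
SAMPLE_CCD = {
    "alice": "iroute 10.8.1.0 255.255.255.0\n",
    "bob":   "# bob's LAN\niroute 10.8.2.0 255.255.255.0\niroute 192.168.50.7\n",
    "carol": "iroute 10.8.2.0 255.255.255.0 # same subnet as bob\n",
}

if __name__ == "__main__":
    routes, conflicts = implied_routes(SAMPLE_CCD)
    print("# routes to install before privileges are dropped:")
    print("\n".join(routes))
    for net, clients in conflicts:
        print(f"# WARNING: {net} claimed by {', '.join(clients)}")
```

Run against a real directory with `implied_routes(load_ccd_dir("/etc/openvpn/ccd"))` and paste the emitted lines into the server config (or compare them with the route lines already there); because the kernel routes are added at initialization, this only helps if it runs before the switch to the unprivileged user, which is exactly the constraint James describes.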
