On Wed, 18 May 2005, Dan Hulme wrote:

> > > Regarding iroutes, it would be nice if an iroute command implied a top-level
> > > "route command", as I can't see why you'd ever want an iroute command
> > > without the corresponding route command. This would also keep the main file
> > > cleaner and not require restarts when new CCD files were added. It also
> > > makes CCD files portable from one VPN to another. If this were a security
> > > risk, you might have a --allow-ccd-routes flag to enable it or something.
> >
> > The reason why iroute does not automatically add an equivalent system
> > route as well is that OpenVPN is designed to drop root privileges after
> > initialization, so it would not have the required privileges to add a
> > route after initialization. The privilege model dictates that system
> > routes be statically added on initialization while iroutes are added and
> > removed during normal VPN operation as clients connect and disconnect.
> >
> > James
>
> Ok, what if we add a directive called "--load-ccd-routes" which loads all
> the iroutes in the ccd dir on startup? Presumably, you wouldn't have an
> iroute statement without the corresponding route command, so why not create
> all the routes automatically? This would solve the privilege problem because
> it could be done before switching to a non privileged user. I can't really
> see any big security risk here, as you are free to remove the ccds if you
> don't want to load its iroute/route.

This could certainly be done, though it would defeat the flexibility of being able to modify the --client-config-dir files on the fly, without restarting the OpenVPN process.
James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
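The thread's point is that a kernel `route` can only be installed while OpenVPN still holds root at startup, whereas an `iroute` in a --client-config-dir file is consulted later, when a client connects. A ccd file edited on the fly with an `iroute` that has no covering `route` therefore produces a subnet OpenVPN will accept internally but the kernel never forwards to the tun device. The script below is an added example, not OpenVPN's own code or anything posted in the thread: it parses a server config and a set of ccd files and reports every `iroute` that no server-side `route` covers, which is the check an operator would run before adding or editing ccd entries. The server config and ccd contents are constructed samples; the only directive forms assumed are `route <network> [netmask]` and `iroute <network> [netmask]`, and the check treats an `iroute` inside a larger routed prefix as covered.

```python
"""Check that every iroute in a client-config-dir has a covering route.

Added example for the OpenVPN iroute/route discussion; not OpenVPN project code.
The config texts below are constructed samples.
"""
import ipaddress


def parse_directives(text, name):
    """Return the set of networks (CIDR strings) named by directive `name`.

    Handles 'name <network> [netmask]' lines; a missing netmask means a host
    entry, as for OpenVPN's route/iroute. '#' and ';' start comments.
    Symbolic arguments such as 'remote_host' are skipped rather than parsed.
    """
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] != name:
            continue
        network = parts[1]
        netmask = parts[2] if len(parts) >= 3 else "255.255.255.255"
        try:
            nets.add(str(ipaddress.ip_network(f"{network}/{netmask}", strict=False)))
        except ValueError:
            # keyword arguments (vpn_gateway, remote_host, ...) are not literal networks
            continue
    return nets


def missing_routes(server_conf, ccd_files):
    """Return sorted (client, network) pairs for iroutes with no covering route.

    ccd_files maps a client common name to the text of its ccd file.
    An iroute counts as covered when any server 'route' prefix contains it.
    """
    routes = [ipaddress.ip_network(r) for r in parse_directives(server_conf, "route")]
    missing = []
    for client, text in ccd_files.items():
        for net in parse_directives(text, "iroute"):
            subnet = ipaddress.ip_network(net)
            if not any(subnet.subnet_of(r) for r in routes):
                missing.append((client, net))
    return sorted(missing)


# Constructed sample: a server config that routes two client-side subnets.
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 10.8.1.0 255.255.255.0        # subnet behind client 'alice'
route 192.168.50.0 255.255.255.0    # subnet behind client 'bob'
"""

# Constructed sample ccd files; 'carol' was added on the fly with no route.
CCD_FILES = {
    "alice": "iroute 10.8.1.0 255.255.255.0\n",
    "bob": "iroute 192.168.50.0 255.255.255.0\n",
    "carol": "iroute 172.16.7.0 255.255.255.0\n",
}


if __name__ == "__main__":
    for client, net in missing_routes(SERVER_CONF, CCD_FILES):
        print(f"ccd/{client}: iroute {net} has no covering 'route' in server config")
```

Running it against the samples reports only `carol`, whose `iroute` would be honoured by OpenVPN's internal routing table but never reached by kernel traffic until a matching `route` is added and the server restarted with root privileges.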