jeremycollake / x-wrt

Automatically exported from code.google.com/p/x-wrt

Patch and discussion for openvpn in server mode #65

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I've finally gotten openvpn in server mode working on r4320. I've had to
make some ugly hacks but I want to post them all here for discussion.
Here's my current local patch:

Index: webif/files/etc/init.d/webifopenvpn
===================================================================
--- webif/files/etc/init.d/webifopenvpn (revision 4320)
+++ webif/files/etc/init.d/webifopenvpn (working copy)
@@ -64,7 +64,8 @@
        config_get CONFIG_ovpn_client_to_client $config "client_to_client"
        config_get CONFIG_ovpn_cmdline $config "cmdline"
        config_get CONFIG_ovpn_local $config "local"
-       config_get CONFIG_ovpn_remote  $config "remote"
+       config_get CONFIG_ovpn_remote $config "remote"
+       config_get CONFIG_ovpn_iface $config "iface"
        config_get dir_name $config "dir"

        auth_incomplete=0
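Review bot: the `-`/`+` pair for the `remote` line changes only whitespace (the double space before `$config` is collapsed), so this hunk carries a cosmetic edit alongside the one functional line, `config_get CONFIG_ovpn_iface $config "iface"`; dropping the whitespace pair keeps the patch to what it actually changes. The new `iface` key is later handed to `--local`, which takes an IP address, not an interface name, so the key name is misleading; either name it for what it holds (e.g. `local_addr`) or document that an interface name only works when something, such as the /etc/hosts entry mentioned below, makes it resolve.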
@@ -93,17 +94,26 @@
        esac
        [ "$auth_incomplete" != 0 ] && exit

+       if [ "$CONFIG_ovpn_mode" = "server" ]; then
+           append args "--mode server"
+           append args "--server $CONFIG_ovpn_local 255.255.255.0"
+           append args "--keepalive 10 120"
+           append args "--up $dir_name/up"
+       else
+           append args "--ifconfig $CONFIG_ovpn_local $CONFIG_ovpn_remote"
+       fi

        append_parm "proto" "--proto" "udp"
        append_parm "port" "--port" "1194"

+       append_parm "iface" "--local"
        append_parm "dev" "--dev" "tun"
        append_parm "user" "--user" "nobody"
        append_parm "group" "--group" "nogroup"
        append_parm "status" "--status" "/tmp/openvpn-status.log"
-       append_parm "verb" "--verb" "1"
+       append_parm "verb" "--verb" "3"

-       append_bool "comp_lzo" "--comp-lzo"
+       append_bool "complzo" "--comp-lzo"
        append_bool "persisttun" "--persist-tun"
        append_bool "persistkey" "--persist-key"
        append_bool "client_to_client" "--client-to-client"
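Review bot: `--up $dir_name/up` is appended unconditionally in the server branch, so a server instance whose directory has no `up` file will not start; guard it with `[ -x "$dir_name/up" ] && append args "--up $dir_name/up"`, and on OpenVPN 2.1 or later also pass `--script-security 2`, without which the hook is refused. In the same branch, `--server` already implies `--mode server` (and `--tls-server`), so the explicit `--mode server` line is redundant, and the hard-coded `255.255.255.0` should come from a config key with a default, e.g. `config_get CONFIG_ovpn_netmask $config "netmask"` followed by `append args "--server $CONFIG_ovpn_local ${CONFIG_ovpn_netmask:-255.255.255.0}"`. The `--verb 1` to `--verb 3` change and the `comp_lzo` to `complzo` rename are unrelated behaviour changes: the first raises log volume for every instance, the second changes the config key the script reads, so an existing config that sets `comp_lzo` silently loses compression unless the UI really writes `complzo`; both belong in their own commit with a one-line explanation.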
@@ -137,13 +147,13 @@
                if [ "$CONFIG_ovpn_auth" = "pem" ]; then
                    append args "--tls-server"
                fi
-               append args "--ifconfig $CONFIG_ovpn_local $CONFIG_ovpn_remote"
            ;;
            *)
                report_log "unknown mode, aborting!"
                exit 0
            ;;
        esac
+       append args "--client-config-dir $dir_name/ccd"
        openvpn --daemon $args
    done
 }
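Review bot: `append args "--client-config-dir $dir_name/ccd"` sits after the `esac`, so it is passed in every mode, but OpenVPN only accepts `--client-config-dir` together with `--mode server` and refuses to start otherwise, which would break the client configurations this script also builds; move the line into the server branch next to `--server` and guard it with `[ -d "$dir_name/ccd" ]`. Since `--server` already enables `--tls-server`, the retained `append args "--tls-server"` in the pem case is redundant, and the non-pem auth modes that this `if` implies (static key) cannot be combined with `--server` at all, so the server branch should bail out with `report_log` when `CONFIG_ovpn_auth` is not `pem`, or the UI should only offer certificate auth for server mode.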
@@ -152,6 +162,7 @@
    for i in $(ls /var/run/webifopenvpn.pid*); do
        webifopenvpn_pid=$(cat "$i" 2>/dev/null)
        [ -n "$webifopenvpn_pid" ] && [ -d /proc/$webifopenvpn_pid ] && kill
-TERM $webifopenvpn_pid 2>/dev/null
+       rm -f "$i"
    done
 }
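Review bot: the `-TERM $webifopenvpn_pid 2>/dev/null` line is a wrapped continuation of the preceding `kill`, not a removed line, so the hunk as posted will not apply and should be re-sent without line wrapping; with that read correctly, the only change is the added `rm -f "$i"`, which also removes stale pid files whose process is already gone, which is the right cleanup. Separately, `for i in $(ls /var/run/webifopenvpn.pid*)` pushes the glob through `ls`, so with no pid files present `ls` prints an error and the loop runs once over the literal pattern; `for i in /var/run/webifopenvpn.pid*; do [ -f "$i" ] || continue` avoids both.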

Points of discussion:

CONFIG_ovpn_iface: If you have more than one default egress route using
round-robin (load balancing), you need to tell OpenVPN which one (by
address) to bind to, otherwise your remotes see packets coming from both of
your interfaces and choke. It's worth noting that this is the OpenVPN
"--local" parameter it's using, which technically takes an address, not an
interface specification, but given my recently committed patch to OpenWRT
kamikaze which keeps an /etc/hosts entry for named interfaces, this works.

--server $CONFIG_ovpn_local 255.255.255.0: This appears to be a much more
sane way to run an OpenVPN "server" instance than what's currently used.
The netmask is a hard-coded hack, of course, and needs a properly defined
widget in the UI. I've not yet gotten into learning how to do UI hacks.

--keepalive 10 120: OpenVPN servers like to use keepalives to detect remote
death.

--up $dir_name/up: It's sometimes required to do some "tweaking" on OpenVPN
start up in exotic configurations. In my case, I'm propagating OpenVPN
routes to some policy routing tables. It would be nice to be able to
provide a script (i.e. a text area) in the UI.

comp_lzo: Typo.

--client-config-dir $dir_name/ccd: In server mode, one may need to provide
per-client specifics, such as remote routing (--iroute). The UI should
provide a way to add per client configurations. A simple text area would be
sufficient initially, but some commonly used options (i.e. remote subnet)
could be given their own UI widgets.

rm -f "$i": Need to remove PID files as processes are killed.

Original issue reported on code.google.com by kemen04@gmail.com on 9 Jul 2008 at 8:54
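As an added example (not code from the x-wrt project or from the patch above), the following POSIX sh function builds the OpenVPN argument list the way the init script does, but with the points raised in the discussion handled: the netmask comes from a config key with a default and is checked before it reaches openvpn, `--client-config-dir` and `--up` are only emitted in server mode and only when the directory or hook actually exists, and `--local` is only added when an address was configured. Config values are read from `OVPN_*` environment variables, an assumption standing in for the script's `config_get`; the function names `valid_netmask` and `build_ovpn_args` and the `netmask` and `keepalive` keys are invented for this example.

```shell
#!/bin/sh
# Added example, not part of webifopenvpn. Config keys arrive as OVPN_<key>
# environment variables (assumption replacing config_get); nothing here
# starts openvpn, the argument string is only echoed.

# Crude dotted-quad check so a typo entered in the UI never reaches openvpn.
valid_netmask() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

build_ovpn_args() {
    args=""
    if [ "$OVPN_mode" = "server" ]; then
        mask="${OVPN_netmask:-255.255.255.0}"
        valid_netmask "$mask" || { echo "invalid netmask: $mask" >&2; return 1; }
        # --server already implies --mode server and --tls-server.
        args="$args --server $OVPN_local $mask"
        args="$args --keepalive ${OVPN_keepalive:-10 120}"
        # Per-client files (e.g. iroute) are a server-only option, so they
        # stay inside this branch and are only passed when the dir exists.
        [ -d "$OVPN_dir/ccd" ] && args="$args --client-config-dir $OVPN_dir/ccd"
        # Only hand openvpn an --up hook that exists and is executable;
        # OpenVPN 2.1+ also needs --script-security 2 to run it.
        if [ -x "$OVPN_dir/up" ]; then
            args="$args --script-security 2 --up $OVPN_dir/up"
        fi
    else
        args="$args --ifconfig $OVPN_local $OVPN_remote"
    fi
    # --local takes an address; with multiple egress routes it pins the
    # socket to one of them so remotes do not see two source addresses.
    [ -n "$OVPN_iface" ] && args="$args --local $OVPN_iface"
    args="$args --proto ${OVPN_proto:-udp} --port ${OVPN_port:-1194} --dev ${OVPN_dev:-tun}"
    echo "$args"
}

# Demo with constructed values: prints the server-mode argument list.
OVPN_mode=server OVPN_local=10.8.0.1 OVPN_dir=/tmp/ovpn-example build_ovpn_args
```

Because the function only echoes, it can be dropped into the init script's loop as `openvpn --daemon $(build_ovpn_args)` once the `config_get` values are mapped onto the `OVPN_*` names, and a rejected netmask aborts that instance before openvpn is launched.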

GoogleCodeExporter commented 9 years ago

Original comment by kemen04@gmail.com on 8 Aug 2008 at 4:43

GoogleCodeExporter commented 9 years ago

Original comment by kemen04@gmail.com on 19 Aug 2009 at 8:32