diff mbox

[OpenWrt-Devel,2/3] packaget/network/services/openvpn: Drop ifconfig/route in favour of ip

Message ID 1453317725-93230-2-git-send-email-openwrt@daniel.thecshore.com
State Deferred
Delegated to: Felix Fietkau
Headers show

Commit Message

Daniel Dickinson Jan. 20, 2016, 7:22 p.m. UTC 
From: Daniel Dickinson <openwrt@daniel.thecshore.com>

NB: Only compile tested.

Stop depending on ifconfig/route and use busybox (or real)
iproute2 utility instead.  Depend on virtual ip package provided
by previous commit so as not to force a particular version of
the ip command.

Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
---
 package/network/services/openvpn/Config-nossl.in    | 4 ----
 package/network/services/openvpn/Config-openssl.in  | 4 ----
 package/network/services/openvpn/Config-polarssl.in | 4 ----
 package/network/services/openvpn/Makefile           | 6 +++---
 4 files changed, 3 insertions(+), 15 deletions(-)

Comments

Felix Fietkau Jan. 21, 2016, 10:31 p.m. UTC | #1 
On 2016-01-20 20:22, openwrt@daniel.thecshore.com wrote:
> From: Daniel Dickinson <openwrt@daniel.thecshore.com>
> 
> NB: Only compile tested.
> 
> Stop depending on ifconfig/route and use busybox (or real)
> iproute2 utility instead.  Depend on virtual ip package provided
> by previous commit so as not to force a particular version of
> the ip command.
> 
> Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
I'll wait until somebody has properly tested this.

- Felix
Daniel Dickinson Jan. 31, 2016, 11:49 p.m. UTC | #2 
On 21/01/16 02:31 PM, Felix Fietkau wrote:
> On 2016-01-20 20:22, openwrt@daniel.thecshore.com wrote:
>> From: Daniel Dickinson <openwrt@daniel.thecshore.com>
>>
>> NB: Only compile tested.

Based on live testing it appears that openvpn upstream does not work 
properly at least with the busybox ip applet, but likely also with full 
iproute2 due to race condition (tun device goes away before ip command 
runs and sets up networking).

Regards,

Daniel

>>
>> Stop depending on ifconfig/route and use busybox (or real)
>> iproute2 utility instead.  Depend on virtual ip package provided
>> by previous commit so as not to force a particular version of
>> the ip command.
>>
>> Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
> I'll wait until somebody has properly tested this.
>
> - Felix
>
Gert Doering Feb. 1, 2016, 7:57 a.m. UTC | #3 
Hi,

On Sun, Jan 31, 2016 at 03:49:58PM -0800, Daniel Dickinson wrote:
> On 21/01/16 02:31 PM, Felix Fietkau wrote:
> > On 2016-01-20 20:22, openwrt@daniel.thecshore.com wrote:
> >> From: Daniel Dickinson <openwrt@daniel.thecshore.com>
> >>
> >> NB: Only compile tested.
> 
> Based on live testing it appears that openvpn upstream does not work 
> properly at least with the busybox ip applet, but likely also with full 
> iproute2 due to race condition (tun device goes away before ip command 
> runs and sets up networking).

That would surprise me a bit... can I have the openvpn log for that race
condition?  Is this something special in OpenWRT?  Normally, the tun device
can never "go away" unless OpenVPN tells it to - and if we do that, we do
not call ip/ifconfig on it afterwards.

(Also, for the busybox ip applet, our use of ip is not exactly esoteric -
setup ipv4/ipv6 addresses on tun if, add ipv4/ipv6 routes)

gert,
   openvpn upstream
Daniel Dickinson Feb. 8, 2016, 10 a.m. UTC | #4 
On 01/02/16 02:57 AM, Gert Doering wrote:
> Hi,
>
> On Sun, Jan 31, 2016 at 03:49:58PM -0800, Daniel Dickinson wrote:
>> On 21/01/16 02:31 PM, Felix Fietkau wrote:
>>> On 2016-01-20 20:22, openwrt@daniel.thecshore.com wrote:
>>>> From: Daniel Dickinson <openwrt@daniel.thecshore.com>
>>>>
>>>> NB: Only compile tested.
>>
>> Based on live testing it appears that openvpn upstream does not work
>> properly at least with the busybox ip applet, but likely also with full
>> iproute2 due to race condition (tun device goes away before ip command
>> runs and sets up networking).
>
> That would surprise me a bit... can I have the openvpn log for that race
> condition?  Is this something special in OpenWRT?  Normally, the tun device
> can never "go away" unless OpenVPN tells it to - and if we do that, we do
> not call ip/ifconfig on it afterwards.

I'll have to set up a test environment to replicate the situation 
because I removed the offending compile in order to get things working. 
  However while the tun device was clearly not present I am wondering if 
the problem was not that it went away but that it wasn't accessible yet 
when the ip command was run (i.e. the opposite to what I initially 
assumed (which is that ip was too late and a timeout had occurred)).  I 
didn't recall seeing anything about either bringing up or tearing down 
the tun device at the log level I was on (I think verbosity 3).

Regards,

Daniel

>
> (Also, for the busybox ip applet, our use of ip is not exactly esoteric -
> setup ipv4/ipv6 addresses on tun if, add ipv4/ipv6 routes)
>
> gert,
>     openvpn upstream
>
diff mbox

Patch

diff --git a/package/network/services/openvpn/Config-nossl.in b/package/network/services/openvpn/Config-nossl.in
index 3eaa228..24dbb03 100644
--- a/package/network/services/openvpn/Config-nossl.in
+++ b/package/network/services/openvpn/Config-nossl.in
@@ -40,10 +40,6 @@  config OPENVPN_nossl_ENABLE_PF
 	bool "Enable internal packet filter"
 	default y
 
-config OPENVPN_nossl_ENABLE_IPROUTE2
-	bool "Enable support for iproute2"
-	default n
-
 config OPENVPN_nossl_ENABLE_SMALL
 	bool "Enable size optimization"
 	default y
diff --git a/package/network/services/openvpn/Config-openssl.in b/package/network/services/openvpn/Config-openssl.in
index ac4c774..c7bd308 100644
--- a/package/network/services/openvpn/Config-openssl.in
+++ b/package/network/services/openvpn/Config-openssl.in
@@ -52,10 +52,6 @@  config OPENVPN_openssl_ENABLE_PF
 	bool "Enable internal packet filter"
 	default y
 
-config OPENVPN_openssl_ENABLE_IPROUTE2
-	bool "Enable support for iproute2"
-	default n
-
 config OPENVPN_openssl_ENABLE_SMALL
 	bool "Enable size optimization"
 	default y
diff --git a/package/network/services/openvpn/Config-polarssl.in b/package/network/services/openvpn/Config-polarssl.in
index 26692ce..501e0f3 100644
--- a/package/network/services/openvpn/Config-polarssl.in
+++ b/package/network/services/openvpn/Config-polarssl.in
@@ -52,10 +52,6 @@  config OPENVPN_polarssl_ENABLE_PF
 	bool "Enable internal packet filter"
 	default y
 
-config OPENVPN_polarssl_ENABLE_IPROUTE2
-	bool "Enable support for iproute2"
-	default n
-
 config OPENVPN_polarssl_ENABLE_SMALL
 	bool "Enable size optimization"
 	default y
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index 6c68b49..8edf97a 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -32,7 +32,7 @@  define Package/openvpn/Default
   URL:=http://openvpn.net
   SUBMENU:=VPN
   MENU:=1
-  DEPENDS:=+kmod-tun +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_IPROUTE2:ip $(3)
+  DEPENDS:=+kmod-tun +OPENVPN_$(1)_ENABLE_LZO:liblzo $(3) +ip
   VARIANT:=$(1)
   MAINTAINER:=Mirko Vogt <mirko@openwrt.org>
 endef
@@ -42,6 +42,8 @@  Package/openvpn-polarssl=$(call Package/openvpn/Default,polarssl,PolarSSL,+libpo
 Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL))
 
 define Package/openvpn/config/Default
+	select PACKAGE_ip if !BUSYBOX_DEFAULT_IP
+
 	source "$(SOURCE)/Config-$(1).in"
 endef
 
@@ -60,8 +62,6 @@  CONFIG_OPENVPN_NOSSL:=y
 endif
 
 CONFIGURE_VARS += \
-	IFCONFIG=/sbin/ifconfig \
-	ROUTE=/sbin/route \
 	IPROUTE=/sbin/ip \
 	NETSTAT=/sbin/netstat