Feature #753

Add OpenVPN foreign_option support

Added by Mr Horizontal about 9 years ago. Updated over 8 years ago.

Status: New
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date: 07/20/2010
Due date:
% Done: 0%
Estimated time:
Description

OpenVPN can send 'dhcp-option' commands via push replies, available via foreign_option_ environment variable in the up script. These are currently ignored by our 'up' script. Some that should be supported:
  • redirect-gateway def1
  • DNS server(s)
  • domain name

Those look to be the only ones applicable here.

History

#1 Updated by Ermal Luçi almost 9 years ago

  • Status changed from New to Feedback

Can you please be more specific on this?

#2 Updated by Mr Horizontal over 8 years ago

Essentially this relates to the fact that when you have an interface bound to an OpenVPN tun device when the VPN is a client, the interface doesn't configure itself as normal.

Firstly, the interface has to be defined as a static IP address, which OpenVPN will change via ifconfig to its dynamic address. It's a bit disingenuous. We should be able to set the interface to DHCP and a dynamic gateway and IP address is assigned when OpenVPN sets up the interface, even though it's not dhclient that is doing the work as a normal DHCP interface, but a script that reads all the information from OpenVPN's connection set up.

Similarly, via DHCP, there are a number of DHCP options that OpenVPN supports, such as setting up the DNS server and other stuff, which aren't pulled from the OpenVPN device when the connection is established.

While the pfSense OpenVPN server mode supports all the configuration of these options, when in client mode it doesn't.

For reference here are all the options in question:

- push "dhcp-option DOMAIN domain.com"
- push "dhcp-option DNS 10.0.0.1"
- push "dhcp-option WINS 10.0.0.2"
- push "dhcp-option NBDD 10.0.0.3"
- push "dhcp-option NTP 10.0.0.4"
- push "dhcp-option NBT 1"
- push "dhcp-option NBS DOMAIN_REALM"
- push "dhcp-option NBS DISABLE-NBT"

What is really needed is when an interface is brought up, something like this pseudocode needs to be run:

if (interface_type openvpn) {
    create_interface_from_openvpn_interface()
    create_gateway_from_openvpn_interface()
    set_up_dhcp_options_on_openvpn_interface()
}
else if (interface_type standard_ethernet) {
    run_ifconfig_to_setup_normal_interface()
    run_dhclient_to_setup_normal_interface()
}

#3 Updated by Chris Buechler over 8 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from OpenVPN 'dhcp-option' commands in push replies aren't honoured to Add OpenVPN foreign_option support
  • Status changed from Feedback to New
  • Target version deleted (2.0)
  • Affected Version deleted (2.0)

OpenVPN interface assignments work fine set to type "none" as they should be, they have an automatically handled dynamic gateway which works. The only remaining thing here is that we ignore the few options that can be pushed in our up script. Which is by design (it's not broken, it isn't there), hence this is a feature.
