Commit cd653523 authored by Julien Muchembled's avatar Julien Muchembled

Disable UDP protocol by default for OpenVPN tunnels

UDP protocol is useless if nothing is done to prevent fragmentation.
Otherwise, it is at best inefficient.

There exist routers on the internet that filter fragmented packets with specific
data. This is hard to debug because TCP connections hang randomly when there is
no OpenVPN encryption.

Now, only TCP is enabled by default. A second protocol should be there for
better performance when possible, either existing UDP one (provided it is
guaranteed there is no fragmentation) or something better (GRE ?).
parent a6be6881
log m1/ log m1/
state m1/ state m1/
babel-pidfile m1/babeld.pid babel-pidfile m1/babeld.pid
pp 1194 udp pp 1194 tcp
hello 4 hello 4
dh dh2048.pem dh dh2048.pem
ca ca.crt ca ca.crt
......
log m2/ log m2/
state m2/ state m2/
babel-pidfile m2/babeld.pid babel-pidfile m2/babeld.pid
pp 1194 udp pp 1194 tcp
hello 4 hello 4
dh dh2048.pem dh dh2048.pem
ca ca.crt ca ca.crt
......
log m3/ log m3/
state m3/ state m3/
babel-pidfile m3/babeld.pid babel-pidfile m3/babeld.pid
pp 1194 udp pp 1194 tcp
hello 4 hello 4
dh dh2048.pem dh dh2048.pem
ca ca.crt ca ca.crt
......
log m4/ log m4/
state m4/ state m4/
babel-pidfile m4/babeld.pid babel-pidfile m4/babeld.pid
pp 1194 udp pp 1194 tcp
hello 4 hello 4
dh dh2048.pem dh dh2048.pem
ca ca.crt ca ca.crt
......
log m6/ log m6/
state m6/ state m6/
babel-pidfile m6/babeld.pid babel-pidfile m6/babeld.pid
pp 1194 udp pp 1194 tcp
hello 4 hello 4
dh dh2048.pem dh dh2048.pem
ca ca.crt ca ca.crt
......
log m7/ log m7/
state m7/ state m7/
babel-pidfile m7/babeld.pid babel-pidfile m7/babeld.pid
pp 1194 udp pp 1194 tcp
hello 4 hello 4
dh dh2048.pem dh dh2048.pem
ca ca.crt ca ca.crt
......
...@@ -6,4 +6,4 @@ ca ca.crt ...@@ -6,4 +6,4 @@ ca ca.crt
cert m8/cert.crt cert m8/cert.crt
key m8/cert.key key m8/cert.key
table 0 table 0
client 10.0.1.2,1194,udp;10.0.1.3,1194,udp client 10.0.1.2,1194,tcp;10.0.1.3,1194,tcp
...@@ -156,8 +156,6 @@ ca %s ...@@ -156,8 +156,6 @@ ca %s
cert %s cert %s
key %s key %s
dh %s dh %s
# for udp only:
#pp 1194 udp
# increase re6stnet verbosity: # increase re6stnet verbosity:
#verbose 3 #verbose 3
# enable OpenVPN logging: # enable OpenVPN logging:
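Review bot: Dropping the `# for udp only:` / `#pp 1194 udp` lines leaves the generated config with no hint on how to bring UDP back, and that now takes two settings rather than one: `disable-proto none` (the `--disable-proto` default is `['udp']`, and the check added in main() exits on a `pp ... udp` entry that conflicts with it) plus `pp 1194 udp`. A short replacement hint would keep the template self-explanatory, e.g. `# to also serve UDP (disabled by default, see --disable-proto):` followed by `#disable-proto none` and `#pp 1194 udp`. This assumes the template keys map one-to-one onto the command-line options, which the hunk itself does not show.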
......
...@@ -107,8 +107,10 @@ def getConfig(): ...@@ -107,8 +107,10 @@ def getConfig():
_('--remote-gateway', action='append', dest='gw_list', _('--remote-gateway', action='append', dest='gw_list',
help="Force each tunnel to be created through one the given gateways," help="Force each tunnel to be created through one the given gateways,"
" in a round-robin fashion.") " in a round-robin fashion.")
_('--disable-proto', action='append', choices=('udp', 'tcp'), default=[], _('--disable-proto', action='append', choices=('none', 'udp', 'tcp'),
help="Do never try to create tunnels using given protocols.") default=['udp'],
help="Do never try to create tunnels using given protocols."
" 'none' has precedence over other options.")
_('--client', metavar='HOST,PORT,PROTO[;...]', _('--client', metavar='HOST,PORT,PROTO[;...]',
help="Do not run any OpenVPN server, but only 1 OpenVPN client," help="Do not run any OpenVPN server, but only 1 OpenVPN client,"
" with specified remotes. Any other option not required in this" " with specified remotes. Any other option not required in this"
...@@ -192,6 +194,8 @@ def main(): ...@@ -192,6 +194,8 @@ def main():
if config.max_clients is None: if config.max_clients is None:
config.max_clients = config.client_count * 2 config.max_clients = config.client_count * 2
if 'none' in config.disable_proto:
config.disable_proto = ()
address = [] address = []
server_tunnels = {} server_tunnels = {}
if config.client: if config.client:
...@@ -199,8 +203,13 @@ def main(): ...@@ -199,8 +203,13 @@ def main():
elif config.max_clients: elif config.max_clients:
if config.pp: if config.pp:
pp = [(int(port), proto) for port, proto in config.pp] pp = [(int(port), proto) for port, proto in config.pp]
for port, proto in pp:
if proto in config.disable_proto:
sys.exit("error: conflicting options --disable-proto %s"
" and --pp %u %s" % (proto, port, proto))
else: else:
pp = (1194, 'udp'), (1194, 'tcp') pp = [x for x in ((1194, 'udp'), (1194, 'tcp'))
if x[1] not in config.disable_proto]
ip_changed = lambda ip: [(ip, str(port), proto) for port, proto in pp] ip_changed = lambda ip: [(ip, str(port), proto) for port, proto in pp]
if config.gw_list: if config.gw_list:
gw_list = deque(config.gw_list) gw_list = deque(config.gw_list)
...@@ -306,10 +315,14 @@ def main(): ...@@ -306,10 +315,14 @@ def main():
ip('addrlabel', 'prefix', my_network, 'label', '99') ip('addrlabel', 'prefix', my_network, 'label', '99')
# prepare persistent interfaces # prepare persistent interfaces
if config.client: if config.client:
address_list = [x for x in utils.parse_address(config.client)
if x[2] not in config.disable_proto]
if not address_list:
sys.exit("error: --disable_proto option disables"
" all addresses given by --client")
cleanup.append(plib.client('re6stnet', cleanup.append(plib.client('re6stnet',
utils.parse_address(config.client), address_list, config.encrypt, '--ping-restart',
config.encrypt, '--ping-restart', str(timeout), str(timeout), *config.openvpn_args).stop)
*config.openvpn_args).stop)
elif server_tunnels: elif server_tunnels:
required('dh') required('dh')
for iface, (port, proto) in server_tunnels.iteritems(): for iface, (port, proto) in server_tunnels.iteritems():
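Review bot: The error text in the new `--client` check names the option as `--disable_proto`, while getConfig defines it as `--disable-proto`; the line should read `sys.exit("error: --disable-proto option disables"`. The server-side `else` branch has no matching guard: because the option uses `action='append'` with `default=['udp']`, argparse extends that default, so as far as I can tell a plain `--disable-proto tcp` yields `['udp', 'tcp']`, the `pp` comprehension comes out empty and main() silently configures no server tunnel at all. A guard right after the comprehension, `if not pp: sys.exit("error: --disable-proto disables all default ports; use 'none' or --pp")`, would surface that the same way the `--client` case does. The bodies of getConfig() and main() extend beyond these hunks.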
......