Message ID | 20200908111511.9271-1-gert@greenie.muc.de |
---|---|
State | Accepted |
Series | [Openvpn-devel] Document that --push-remove is generally more suitable than --push-reset |
On 08.09.20 at 13:15, Gert Doering wrote:
> It's a long-standing and well-known problem that --push-reset removes
> "critical" options from the push list (like "topology subnet") which
> will then lead to non-working client configs. This can not be
> reasonably fixed, because the list of "critical" options depends on
> overall server config.
>
> So just document the fact, and point people towards --push-remove as
> a more selective tool.
>

Acked-By: Arne Schwabe <arne@rfc2549.org>

On 08/09/2020 13:15, Gert Doering wrote:
> It's a long-standing and well-known problem that --push-reset removes
> "critical" options from the push list (like "topology subnet") which
> will then lead to non-working client configs. This can not be
> reasonably fixed, because the list of "critical" options depends on
> overall server config.
>
> So just document the fact, and point people towards --push-remove as
> a more selective tool.
>
> Trac: #29
>
> Signed-off-by: Gert Doering <gert@greenie.muc.de>
> ---
> doc/man-sections/server-options.rst | 8 ++++++++
> 1 file changed, 8 insertions(+)

Acked-By: David Sommerseth <davids@openvpn.net>

It would be good if --push-reset would actually not remove certain critical
options, but this is anyhow a good heads-up for our users.

Hi,

On Tue, Sep 08, 2020 at 03:11:40PM +0200, David Sommerseth wrote:
> It would be good if --push-reset would actually not remove certain critical
> options, but this is anyhow a good heads-up for our users.

Well, that ticket sat there 10 years (!!) waiting for someone to go
and implement it... 6 years it sat on your lap, 4 years on mine (or so),
so it looks like this is not going to happen any time soon.

gert

On 08.09.20 at 18:35, Gert Doering wrote:
> Hi,
>
> On Tue, Sep 08, 2020 at 03:11:40PM +0200, David Sommerseth wrote:
>> It would be good if --push-reset would actually not remove certain critical
>> options, but this is anyhow a good heads-up for our users.
>
> Well, that ticket sat there 10 years (!!) waiting for someone to go
> and implement it... 6 years it sat on your lap, 4 years on mine (or so),
> so it looks like this is not going to happen any time soon.

It also feels like a feature from a different area when pushed options
were few and not as essential to OpenVPN. It would remove/deprecate that
feature instead of trying to figure out how it should now.

Arne

Hi,

My vote would be to deprecate --push-reset
(same for --route-nopull)

André

Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday 8 September 2020 18:41, Arne Schwabe <arne@rfc2549.org> wrote:

> On 08.09.20 at 18:35, Gert Doering wrote:
>
> > Hi,
> > On Tue, Sep 08, 2020 at 03:11:40PM +0200, David Sommerseth wrote:
> >
> > > It would be good if --push-reset would actually not remove certain critical
> > > options, but this is anyhow a good heads-up for our users.
> >
> > Well, that ticket sat there 10 years (!!) waiting for someone to go
> > and implement it... 6 years it sat on your lap, 4 years on mine (or so),
> > so it looks like this is not going to happen any time soon.
>
> It also feels like a feature from a different area when pushed options
> were few and not as essential to OpenVPN. It would remove/deprecate that
> feature instead of trying to figure out how it should now.
>
> Arne
>
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel

On 08.09.20 at 19:04, André wrote:
> Hi,
>
> My vote would be to deprecate --push-reset
> (same for --route-nopull)
>

Route-nopull is still a very useful option that has no good replacement.
I regularly use it when the server should not mess up my routing table.

Arne

Patch has been applied to the master, release/2.5 and release/2.4 branch.

The 2.4 patch is "the same words, just in nroff format, to openvpn.8"

commit 5fd66510dfdef628fa95f156c5f9d80af9ae1531 (master)
commit cdeef20bc6ea4c15824427055f2ffeff53651dee (release/2.5)
commit d61cbfcde78bf65ec677d164d5d03e00f092befd (release/2.4)
Author: Gert Doering
Date: Tue Sep 8 13:15:11 2020 +0200

    Document that --push-remove is generally more suitable than --push-reset

    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: David Sommerseth <davids@openvpn.net>
    Message-Id: <20200908111511.9271-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20899.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering

diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index f1f0667a..2009953c 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -530,6 +530,14 @@ fast hardware. SSL/TLS authentication must be used in this mode. ``--client-config-dir`` configuration file. This option will ignore ``--push`` options at the global config file level. + *NOTE*: ``--push-reset`` is very thorough: it will remove almost + all options from the list of to-be-pushed options. In many cases, + some of these options will need to be re-configured afterwards - + specifically, ``--topology subnet`` and ``--route-gateway`` will get + lost and this will break client configs in many cases. Thus, for most + purposes, ``--push-remove`` is better suited to selectively remove + push options for individual clients. + --server args A helper directive designed to simplify the configuration of OpenVPN's server mode. This directive will set up an OpenVPN server which will
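Review bot: The added NOTE says the lost options "will need to be re-configured afterwards" but gives no hint how or where. In the sentence starting "In many cases, some of these options" it would help to say that they have to be pushed again from the same ``--client-config-dir`` file that carries ``--push-reset``, and to cross-reference the ``--push-remove`` entry so the reader can find its syntax. "almost all options" is also vague: either name what survives the reset or drop "almost". Minor style point: "in many cases" appears twice in the paragraph.
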
It's a long-standing and well-known problem that --push-reset removes
"critical" options from the push list (like "topology subnet") which
will then lead to non-working client configs. This can not be
reasonably fixed, because the list of "critical" options depends on
overall server config.

So just document the fact, and point people towards --push-remove as
a more selective tool.

Trac: #29

Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
 doc/man-sections/server-options.rst | 8 ++++++++
 1 file changed, 8 insertions(+)
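
A check for the failure mode the commit message describes, as an added example that is not part of the patch or of OpenVPN: it reads the text of a client-config-dir file and reports which of the options the patch names (topology, route-gateway) are dropped by push-reset and not pushed again afterwards. The function names and sample files are constructed for illustration; because the set of critical options depends on the server config, it is a parameter.

```python
import shlex

# The two options the documentation patch names as lost after push-reset.
CRITICAL = ("topology", "route-gateway")

def _directives(text):
    """Yield tokenised directives, skipping blank and '#'/';' comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:              # unbalanced quote: skip the line
            continue
        if tokens:
            tokens[0] = tokens[0].lstrip("-")   # accept "--push-reset" too
            yield tokens

def missing_after_reset(ccd_text, critical=CRITICAL):
    """Return the critical options that push-reset dropped and that are not
    pushed again later in the same file; [] if push-reset is not used."""
    seen_reset = False
    repushed = set()
    for tokens in _directives(ccd_text):
        if tokens[0] == "push-reset":
            seen_reset = True
            repushed.clear()            # anything pushed earlier is wiped too
        elif tokens[0] == "push" and len(tokens) > 1 and seen_reset:
            words = tokens[1].split()
            if words:
                repushed.add(words[0])
    if not seen_reset:
        return []
    return [opt for opt in critical if opt not in repushed]

# Constructed sample client-config-dir files (not taken from the page).
BROKEN = 'push-reset\npush "route 10.9.0.0 255.255.255.0"\n'
FIXED = ('push-reset\n'
         'push "topology subnet"\n'
         'push "route-gateway 10.8.0.1"\n'
         'push "route 10.9.0.0 255.255.255.0"\n')
SELECTIVE = 'push-remove redirect-gateway\n'    # rest of the push list stays

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED),
                       ("selective", SELECTIVE)):
        print(name, missing_after_reset(text))
```
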