[Openvpn-devel] Document that --push-remove is generally more suitable than --push-reset

Message ID 20200908111511.9271-1-gert@greenie.muc.de
State Accepted
Headers show
Series
  • [Openvpn-devel] Document that --push-remove is generally more suitable than --push-reset
Related show

Commit Message

Gert Doering Sept. 8, 2020, 11:15 a.m.
It's a long-standing and well-known problem that --push-reset removes
"critical" options from the push list (like "topology subnet") which
will then lead to non-working client configs.  This can not be
reasonably fixed, because the list of "critical" options depends on
overall server config.

So just document the fact, and point people towards --push-remove as
a more selective tool.

Trac: #29

Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
 doc/man-sections/server-options.rst | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Arne Schwabe Sept. 8, 2020, 1:09 p.m. | #1
Am 08.09.20 um 13:15 schrieb Gert Doering:
> It's a long-standing and well-known problem that --push-reset removes
> "critical" options from the push list (like "topology subnet") which
> will then lead to non-working client configs.  This can not be
> reasonably fixed, because the list of "critical" options depends on
> overall server config.
> 
> So just document the fact, and point people towards --push-remove as
> a more selective tool.
>

Acked-By: Arne Schwabe <arne@rfc2549.org>
David Sommerseth Sept. 8, 2020, 1:11 p.m. | #2
On 08/09/2020 13:15, Gert Doering wrote:
> It's a long-standing and well-known problem that --push-reset removes
> "critical" options from the push list (like "topology subnet") which
> will then lead to non-working client configs.  This can not be
> reasonably fixed, because the list of "critical" options depends on
> overall server config.
> 
> So just document the fact, and point people towards --push-remove as
> a more selective tool.
> 
> Trac: #29
> 
> Signed-off-by: Gert Doering <gert@greenie.muc.de>
> ---
>  doc/man-sections/server-options.rst | 8 ++++++++
>  1 file changed, 8 insertions(+)

Acked-By: David Sommerseth <davids@openvpn.net>

It would be good if --push-reset would actually not remove certain critical
options, but this is anyhow a good heads-up for our users.
Gert Doering Sept. 8, 2020, 4:35 p.m. | #3
Hi,

On Tue, Sep 08, 2020 at 03:11:40PM +0200, David Sommerseth wrote:
> It would be good if --push-reset would actually not remove certain critical
> options, but this is anyhow a good heads-up for our users.

Well, that ticket sat there 10 years (!!) waiting for someone to go
and implement it...  6 years it sat on your lap, 4 years on mine (or so),
so it looks like this is not going to happen any time soon.

gert
Arne Schwabe Sept. 8, 2020, 4:41 p.m. | #4
Am 08.09.20 um 18:35 schrieb Gert Doering:
> Hi,
> 
> On Tue, Sep 08, 2020 at 03:11:40PM +0200, David Sommerseth wrote:
>> It would be good if --push-reset would actually not remove certain critical
>> options, but this is anyhow a good heads-up for our users.
> 
> Well, that ticket sat there 10 years (!!) waiting for someone to go
> and implement it...  6 years it sat on your lap, 4 years on mine (or so),
> so it looks like this is not going to happen any time soon.

It also feels like a feature from a different area when pushed options
were few and not as essential to OpenVPN. It would remove/deprecate that
feature instead of trying to figure out how it should now.

Arne
Simon Rozman via Openvpn-devel Sept. 8, 2020, 5:10 p.m. | #5
Hi,

My vote would be to deprecate --push-reset
(same for --route-nopull)


André


Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday 8 September 2020 18:41, Arne Schwabe <arne@rfc2549.org> wrote:

> Am 08.09.20 um 18:35 schrieb Gert Doering:
>
> > Hi,
> > On Tue, Sep 08, 2020 at 03:11:40PM +0200, David Sommerseth wrote:
> >
> > > It would be good if --push-reset would actually not remove certain critical
> > > options, but this is anyhow a good heads-up for our users.
> >
> > Well, that ticket sat there 10 years (!!) waiting for someone to go
> > and implement it... 6 years it sat on your lap, 4 years on mine (or so),
> > so it looks like this is not going to happen any time soon.
>
> It also feels like a feature from a different area when pushed options
> were few and not as essential to OpenVPN. It would remove/deprecate that
> feature instead of trying to figure out how it should now.
>
> Arne
>
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Arne Schwabe Sept. 8, 2020, 5:43 p.m. | #6
Am 08.09.20 um 19:04 schrieb André:
> Hi,
> 
> My vote would be to deprecate --push-reset
> (same for --route-nopull)
>

Route-nopull is still a very useful option that has no good replacement.
I regularly use it when the server should not mess up my routing table.

Arne
Gert Doering Sept. 9, 2020, 6:44 a.m. | #7
Patch has been applied to the master, release/2.5 and release/2.4 branch.

The 2.4 patch is "the same words, just in nroff format, to openvpn.8"

commit 5fd66510dfdef628fa95f156c5f9d80af9ae1531 (master)
commit cdeef20bc6ea4c15824427055f2ffeff53651dee (release/2.5)
commit d61cbfcde78bf65ec677d164d5d03e00f092befd (release/2.4)
Author: Gert Doering
Date:   Tue Sep 8 13:15:11 2020 +0200

     Document that --push-remove is generally more suitable than --push-reset

     Signed-off-by: Gert Doering <gert@greenie.muc.de>
     Acked-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: David Sommerseth <davids@openvpn.net>
     Message-Id: <20200908111511.9271-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20899.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
index f1f0667a..2009953c 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -530,6 +530,14 @@  fast hardware. SSL/TLS authentication must be used in this mode.
   ``--client-config-dir`` configuration file. This option will ignore
   ``--push`` options at the global config file level.
 
+  *NOTE*: ``--push-reset`` is very thorough: it will remove almost
+  all options from the list of to-be-pushed options.  In many cases,
+  some of these options will need to be re-configured afterwards -
+  specifically, ``--topology subnet`` and ``--route-gateway`` will get
+  lost and this will break client configs in many cases.  Thus, for most
+  purposes, ``--push-remove`` is better suited to selectively remove
+  push options for individual clients.
+
 --server args
   A helper directive designed to simplify the configuration of OpenVPN's
   server mode. This directive will set up an OpenVPN server which will