[Openvpn-devel,v2] Change default of "topology" to "subnet"

Message ID 20231201112022.15337-1-frank@lichtenheld.com
State Accepted
Series [Openvpn-devel,v2] Change default of "topology" to "subnet"

Commit Message

Frank Lichtenheld Dec. 1, 2023, 11:20 a.m. UTC
Change-Id: Iede3e7c028cbb715e28bc88c7e583f84dadc02c8
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/421
This mail reflects revision 2 of this Change.
Acked-by according to Gerrit (reflected above):
Arne Schwabe <arne-openvpn@rfc2549.org>

Comments

Gert Doering April 3, 2024, 5:27 p.m. UTC | #1
Sorry for being so slow in merging this.  I had to adjust my testbeds
to "not explode" and shied away from doing so :-) (all the server test
instances without "topology" defaulted to net30, and just applying this
patch would recreate the ip-pool-persist files, breaking t_client
EXPECT_IFCONFIG4_... settings).

So.

Whoever reads this - *THIS CAN BE DISRUPTIVE*.  But it's the right
way forward, given that DCO (on the server) will only work with
"--topology subnet", and it also saves on IPv4 address usage for
the pools...  and clients have been compatible with "subnet" across
all platforms since at least OpenVPN 2.2, so no excuses.


NOTE: for --server setups, this will still work, just changing the way
the pool is split, thus assigning new IP addresses to clients, and
invalidating the --ip-pool-persist file.

NOTE2: For p2p setups (no --server, just --tls-server/--tls-client or
even --secret) it will break the setup hard, as those usually use
"--ifconfig ip1 ip2" and "ip2" will now be parsed as a netmask, with
surprising consequences.  See GH #529.


Your patch has been applied to the master branch.

commit 32e6586687a548174b88b64fe54bfae6c74d4c19
Author: Frank Lichtenheld
Date:   Fri Dec 1 12:20:22 2023 +0100

     Change default of topology to subnet

     Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
     Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
     Message-Id: <20231201112022.15337-1-frank@lichtenheld.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27627.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering
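As an added example (not from the page, not from Gert's mail, and not OpenVPN's own code), a small Python lint for the migration risk described above: it flags `--dev tun` configs that set no explicit `--topology` and carry an `--ifconfig a b` whose second argument is not a netmask, which is exactly the line that the new default will reinterpret. The sample configs are constructed; the `topology net30` fix mirrors the Changes.rst entry.

```python
import ipaddress
from typing import Dict, List

# Constructed sample configs (not from the page). The first is a p2p setup
# that silently relied on the old net30 default; the second adds the fix the
# Changes.rst entry recommends; the third already uses subnet semantics.
OLD_P2P_CONFIG = """\
dev tun
secret static.key
remote vpn.example.net
ifconfig 10.8.0.1 10.8.0.2
"""
FIXED_P2P_CONFIG = OLD_P2P_CONFIG + "topology net30\n"
SUBNET_CONFIG = "dev tun\nifconfig 10.8.0.1 255.255.255.0\n"


def is_ipv4_netmask(s: str) -> bool:
    """True if s is a contiguous IPv4 netmask such as 255.255.255.0."""
    try:
        ipaddress.IPv4Network(f"0.0.0.0/{s}")  # rejects non-contiguous masks
        return True
    except ValueError:
        return False


def parse_config(text: str) -> Dict[str, List[List[str]]]:
    """Minimal OpenVPN config parser: option name -> list of argument lists.
    Strips '#'/';' comments and a leading '--' so CLI-style lines also work."""
    opts: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name.lstrip("-"), []).append(args)
    return opts


def check_topology_migration(text: str) -> List[str]:
    """Findings for a config that may break when the default --topology flips
    from net30 to subnet: '--dev tun', no explicit --topology, and an
    '--ifconfig a b' whose second argument is not a netmask."""
    opts = parse_config(text)
    dev = opts.get("dev", [[]])[0]
    if not dev or not dev[0].startswith("tun") or "topology" in opts:
        return []  # only IPv4 over tun is affected; explicit topology is unambiguous
    findings = []
    for args in opts.get("ifconfig", []):
        if len(args) == 2 and not is_ipv4_netmask(args[1]):
            findings.append(f"ifconfig {args[0]} {args[1]}: '{args[1]}' is not a netmask "
                            "but will be parsed as one under the new default; add 'topology net30'")
    return findings
```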

Patch

diff --git a/Changes.rst b/Changes.rst
index 3676dce..3132c84 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -10,6 +10,15 @@ 
     ``--allow-deprecated-insecure-static-crypto`` but will be removed in
     OpenVPN 2.8.
 
+Default for ``--topology`` changed to ``subnet``
+    Previous releases used ``net30`` as default. This only affects
+    configs with ``--dev tun`` and only IPv4. Note that this
+    changes the semantics of ``--ifconfig``, so if you have manual
+    settings for that in your config but not set ``--topology``
+    your config might fail to parse with the new version. Just adding
+    ``--topology net30`` to the config should fix the problem.
+    By default ``--topology`` is pushed from server to client.
+
 Overview of changes in 2.6
 ==========================
 
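Review bot: the new Changes.rst paragraph has a grammar slip and omits a consequence that the merge comment spells out. "if you have manual settings for that in your config but not set ``--topology``" should read "but have not set ``--topology``", and "This only affects configs with ``--dev tun`` and only IPv4" reads better as "This only affects IPv4 in configs with ``--dev tun``". More importantly, the entry covers only the parse failure for a manual ``--ifconfig``; for ``--server`` setups the pool is split differently, so clients receive new addresses and an existing pool-persist file no longer matches (as noted when the patch was applied), and administrators would want to read that here before upgrading.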
diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst
index 3fa3ccf..251529f 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -495,11 +495,17 @@ 
 
   ``mode`` can be one of:
 
+  :code:`subnet`
+    Use a subnet rather than a point-to-point topology by
+    configuring the tun interface with a local IP address and subnet mask,
+    similar to the topology used in ``--dev tap`` and ethernet bridging
+    mode. This mode allocates a single IP address per connecting client and
+    works on Windows as well. This is the default.
+
   :code:`net30`
     Use a point-to-point topology, by allocating one /30 subnet
     per client. This is designed to allow point-to-point semantics when some
-    or all of the connecting clients might be Windows systems. This is the
-    default.
+    or all of the connecting clients might be Windows systems.
 
   :code:`p2p`
     Use a point-to-point topology where the remote endpoint of
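Review bot: moving the :code:`subnet` entry to the top and appending "This is the default." is the right place for it, but the sentence "This mode allocates a single IP address per connecting client and works on Windows as well" was written for an entry that followed :code:`net30` and :code:`p2p`; now that it leads the list, "as well" has nothing to refer back to, so "and also works on Windows" or simply "and works on Windows" reads better. Since this entry is now the first one readers see, a pointer to the *Note:* below about the changed meaning of ``--ifconfig`` would also help.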
@@ -508,15 +514,8 @@ 
     connecting client. Only use when none of the connecting clients are
     Windows systems.
 
-  :code:`subnet`
-    Use a subnet rather than a point-to-point topology by
-    configuring the tun interface with a local IP address and subnet mask,
-    similar to the topology used in ``--dev tap`` and ethernet bridging
-    mode. This mode allocates a single IP address per connecting client and
-    works on Windows as well.
-
   *Note:* Using ``--topology subnet`` changes the interpretation of the
-  arguments of ``--ifconfig`` to mean "address netmask", no longer "local
+  arguments of ``--ifconfig`` to mean "address netmask", and not "local
   remote".
 
 --tun-mtu args
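Review bot: the rewording to "and not "local remote"" is fine, but now that ``subnet`` is the default, this *Note:* is the place where a reader with an existing ``--ifconfig local remote`` line learns what to do, and it does not say. Add the remedy the Changes.rst hunk gives, e.g. "Configurations that rely on the old "local remote" meaning must set ``--topology net30`` (or ``p2p``) explicitly", otherwise the man page documents the new semantics but not the migration.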
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index d238269..764ca7b 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -800,7 +800,7 @@ 
         o->gc_owned = true;
     }
     o->mode = MODE_POINT_TO_POINT;
-    o->topology = TOP_NET30;
+    o->topology = TOP_SUBNET;
     o->ce.proto = PROTO_UDP;
     o->ce.af = AF_UNSPEC;
     o->ce.bind_ipv6_only = false;
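Review bot: flipping ``o->topology`` from ``TOP_NET30`` to ``TOP_SUBNET`` in the defaults is the whole functional change here, and nothing in this hunk touches the ``--ifconfig`` handling that the man page and Changes.rst hunks say now reads the second argument as a netmask. A config with ``--ifconfig ip1 ip2`` and no ``--topology`` will therefore be rejected at parse time (the Changes.rst hunk acknowledges this) without the error necessarily pointing at the changed default; consider having that rejection mention ``--topology net30`` so the failure is self-explanatory. It would also be worth stating in the commit message that ``--server`` pool allocation and pool-persist handling were exercised under the new default, given that the merge comment reports regenerated pool files in the testbed.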