From patchwork Wed Jan 29 09:41:25 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4099
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 29 Jan 2025 10:41:25 +0100
Message-ID: <20250129094125.13420-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.45.2
Subject: [Openvpn-devel] [PATCH v2] man: extend --persist-tun section

From: Antonio Quartulli

The current persist-tun section has no mention of retaining IP/routes and its potential usage in traffic leaking protection. Spell this out to allow the user to better understand when this option can play an important role.

Change-Id: I6816f61b308ca9f6d1f9f687a6dc8e0aa2d044e0
Signed-off-by: Antonio Quartulli Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/819 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index fc76939..67f7e1f 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst @@ -312,6 +312,15 @@ :code:`SIGUSR1` is a restart signal similar to :code:`SIGHUP`, but which offers finer-grained control over reset options. + On Linux, this option can be useful when OpenVPN is not executed as + root and the CAP_NET_ADMIN has not been granted, because the process + would otherwise not be allowed to bring the interface down and back up. + + Alongside the above, using ``--persist-tun`` allows the tunnel interface + to retain all IP/route settings, thus allowing the user to implement + any advanced traffic leaking protection (please note that for full + protection, extra route/firewall rules must be in place). + --redirect-gateway flags Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN. This is a client-side option.
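Review bot: the first added paragraph in the vpn-network-options.rst hunk is missing a noun and a literal marker: "the CAP_NET_ADMIN has not been granted" should read "the ``CAP_NET_ADMIN`` capability has not been granted", matching the double-backtick style the second paragraph uses for ``--persist-tun``. It would also help to say when that situation arises; the usual case is a process that dropped privileges with --user/--group after initialisation, which can then neither bring the interface down and back up nor re-add its addresses and routes, so a restart without --persist-tun fails. In the second paragraph, "traffic leaking protection" should be "traffic leak protection", and "allows the user to implement any advanced traffic leaking protection" states the benefit without the mechanism. The useful point to spell out is that, because the interface and its addresses and routes survive a SIGUSR1 or --ping-restart restart, packets for VPN destinations keep being routed into the tunnel while the client reconnects instead of falling back to the physical interface. The parenthetical caveat should then say what the extra route/firewall rules are for, namely traffic that was never routed through the tunnel, which this option does nothing to contain.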