From patchwork Fri Mar 31 13:24:29 2023
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 3179
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 31 Mar 2023 15:24:29 +0200
Message-Id: <20230331132429.601635-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH] doc: run rst2* with --strict to catch warnings
Basically -Werror for docutils. Fix all issues raised by this.

The following issue classes were reported:

Possible title underline, too short for the title. Treating it as ordinary text because it's so short. (:: at the start of the line directly below text, either add empty line or merge into : on previous line)

Enumerated list start value not ordinal-1 (error in numbering)

Change-Id: Id3b0f7be4602f70115c60e6ddb89f6ed58e94e64
Signed-off-by: Frank Lichtenheld
Acked-By: Arne Schwabe
---
doc/Makefile.am | 6 ++-
doc/man-sections/connection-profiles.rst | 3 +-
doc/man-sections/example-fingerprint.rst | 7 ++-
doc/man-sections/examples.rst | 51 +++++++------------
.../virtual-routing-and-forwarding.rst | 6 ++-
5 files changed, 30 insertions(+), 43 deletions(-)

diff --git a/doc/Makefile.am b/doc/Makefile.am index 13e6a64e..bb9c935d 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -68,19 +68,21 @@ openvpn-examples.5 openvpn-examples.5.html: $(openvpn_examples_sections) SUFFIXES = .8.rst .8 .8.html .5.rst .5 .5.html +RST_FLAGS = --strict + MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in .8.rst.8 .5.rst.5 : if HAVE_PYDOCUTILS - $(RST2MAN) $< > $@ + $(RST2MAN) $(RST_FLAGS) $< > $@ else @echo "Missing python-docutils - skipping man page generation ($@)" endif .8.rst.8.html .5.rst.5.html : if HAVE_PYDOCUTILS - $(RST2HTML) $< > $@ + $(RST2HTML) $(RST_FLAGS) $< > $@ else @echo "Missing python-docutils - skipping html page generation ($@)" endif diff --git a/doc/man-sections/connection-profiles.rst b/doc/man-sections/connection-profiles.rst index fd3382b2..c8816e10 100644 --- a/doc/man-sections/connection-profiles.rst +++ b/doc/man-sections/connection-profiles.rst 
@@ -16,8 +16,7 @@ achieves a successful connection. ``--remote-random`` can be used to initially "scramble" the connection list. -Here is an example of connection profile usage: -:: +Here is an example of connection profile usage:: client dev tun diff --git a/doc/man-sections/example-fingerprint.rst b/doc/man-sections/example-fingerprint.rst index 852cca49..7cdda190 100644 --- a/doc/man-sections/example-fingerprint.rst +++ b/doc/man-sections/example-fingerprint.rst @@ -34,8 +34,7 @@ Server setup SHA256 Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff -3. Write a server configuration (`server.conf`): -:: +4. Write a server configuration (`server.conf`):: # The server certificate we created in step 1 cert server.crt @@ -65,9 +64,9 @@ Server setup # Ping every 60s, restart if no data received for 5 minutes keepalive 60 300 -4. Add at least one client as described in the client section. +5. Add at least one client as described in the client section. -5. Start the server. +6. Start the server. - On systemd based distributions move `server.crt`, `server.key` and `server.conf` to :code:`/etc/openvpn/server` and start it via systemctl diff --git a/doc/man-sections/examples.rst b/doc/man-sections/examples.rst index 31486017..94cc726a 100644 --- a/doc/man-sections/examples.rst +++ b/doc/man-sections/examples.rst @@ -63,27 +63,23 @@ you will get a weird feedback loop. Example 1: A simple tunnel without security (not recommended) ------------------------------------------------------------- -On bob: -:: +On bob:: openvpn --remote alice.example.com --dev tun1 \ --ifconfig 10.4.0.1 10.4.0.2 --verb 9 -On alice: -:: +On alice:: openvpn --remote bob.example.com --dev tun1 \ --ifconfig 10.4.0.2 10.4.0.1 --verb 9 Now verify the tunnel is working by pinging across the tunnel. -On bob: -:: +On bob:: ping 10.4.0.2 -On alice: -:: +On alice:: ping 10.4.0.1 
@@ -96,13 +92,13 @@ Example 2: A tunnel with self-signed certificates and fingerprint ----------------------------------------------------------------- First build a self-signed certificate on bob and display its fingerprint. + :: openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout bob.pem -out bob.pem -nodes -sha256 -days 3650 -subj '/CN=bob' openssl x509 -noout -sha256 -fingerprint -in bob.pem -and the same on alice: -:: +and the same on alice:: openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout alice.pem -out alice.pem -nodes -sha256 -days 3650 -subj '/CN=alice' openssl x509 -noout -sha256 -fingerprint -in alice.pem @@ -113,30 +109,26 @@ that contain both self-signed certificate and key and show the fingerprint of th Transfer the fingerprints over a secure medium such as by using the ``scp``\(1) or ``ssh``\(1) program. -On bob: -:: +On bob:: openvpn --ifconfig 10.4.0.1 10.4.0.2 --tls-server --dev tun --dh none \ --cert bob.pem --key bob.pem --cipher AES-256-GCM \ --peer-fingerprint "$fingerprint_of_alices_cert" -On alice: -:: +On alice:: openvpn --remote bob.example.com --tls-client --dev tun1 \ --ifconfig 10.4.0.2 10.4.0.1 --cipher AES-256-GCM \ - --cert alice.pem --key alice.pem + --cert alice.pem --key alice.pem \ --peer-fingerprint "$fingerprint_of_bobs_cert" Now verify the tunnel is working by pinging across the tunnel. -On bob: -:: +On bob:: ping 10.4.0.2 -On alice: -:: +On alice:: ping 10.4.0.1 @@ -170,8 +162,7 @@ For Diffie Hellman parameters you can use the included file and keys included in the OpenVPN distribution are totally insecure and should be used for testing only. -On bob: -:: +On bob:: openvpn --remote alice.example.com --dev tun1 \ --ifconfig 10.4.0.1 10.4.0.2 \ @@ -179,8 +170,7 @@ On bob: --cert client.crt --key client.key \ --reneg-sec 60 --verb 5 -On alice: -:: +On alice:: openvpn --remote bob.example.com --dev tun1 \ --ifconfig 10.4.0.2 10.4.0.1 \ 
@@ -190,13 +180,11 @@ On alice: Now verify the tunnel is working by pinging across the tunnel. -On bob: -:: +On bob:: ping 10.4.0.2 -On alice: -:: +On alice:: ping 10.4.0.1 @@ -221,8 +209,7 @@ networks. We will assume that bob's private subnet is *10.0.0.0/24* and alice's is *10.0.1.0/24*. First, ensure that IP forwarding is enabled on both peers. On Linux, -enable routing: -:: +enable routing:: echo 1 > /proc/sys/net/ipv4/ip_forward @@ -235,13 +222,11 @@ systems guide on how to configure the firewall. You typically want to allow traffic coming from and going to the tun/tap adapter OpenVPN is configured to use. -On bob: -:: +On bob:: route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2 -On alice: -:: +On alice:: route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1 diff --git a/doc/man-sections/virtual-routing-and-forwarding.rst b/doc/man-sections/virtual-routing-and-forwarding.rst index 28c13eee..db5f1abc 100644 --- a/doc/man-sections/virtual-routing-and-forwarding.rst +++ b/doc/man-sections/virtual-routing-and-forwarding.rst @@ -23,11 +23,13 @@ VRF setup with iproute2 ``````````````````````` Create VRF :code:`vrf_external` and map it to routing table :code:`1023` + :: ip link add vrf_external type vrf table 1023 Move :code:`eth0` into :code:`vrf_external` + :: ip link set master vrf_external dev eth0 @@ -42,8 +44,7 @@ VRF setup with ifupdown For Debian based Distributions :code:`ifupdown2` provides an almost drop-in replacement for :code:`ifupdown` including VRFs and other features. A configuration for an interface :code:`eth0` being part of VRF -code:`vrf_external` could look like this: -:: +code:`vrf_external` could look like this:: auto eth0 iface eth0 @@ -61,6 +62,7 @@ code:`vrf_external` could look like this: OpenVPN configuration ````````````````````` The OpenVPN configuration needs to contain this line: + :: bind-dev vrf_external
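Review bot: in the doc/Makefile.am hunk, a failing `$(RST2MAN) $(RST_FLAGS) $< > $@` leaves a truncated or partial target behind, because the shell creates `$@` before docutils runs and `--strict` (docutils' `--halt=info`, i.e. halt on any system message) now makes it exit non-zero on the first warning. Unless `.DELETE_ON_ERROR` is already in effect, the next `make` treats that broken `openvpn.8` or `.html` as up to date and the error is seen only once. Suggest writing to a temporary file and renaming on success, e.g. `$(RST2MAN) $(RST_FLAGS) $< > $@.tmp && mv $@.tmp $@` (same for `$(RST2HTML)`), or adding a `.DELETE_ON_ERROR:` target; a sentence in the commit message saying that info-level messages now break the build would also help contributors who hit it.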
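Review bot: in the first doc/man-sections/example-fingerprint.rst hunk (`@@ -34,8 +34,7 @@`), the renumbering `3.` to `4.` (continued as `4.` to `5.` and `5.` to `6.` in the next hunk) is shown without the preceding list item, so the context alone does not let a reviewer confirm that a `3.` now exists above it and the list is contiguous; a short line in the commit message naming the item that was miscounted would make that checkable. The steps are also referenced by number in prose and in the sample config (`# The server certificate we created in step 1`), so please grep this file and the client section for other "step N" references that move with the renumbering.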
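Review bot: style point on the doc/man-sections/examples.rst hunk `@@ -96,13 +92,13 @@`: it keeps the bare `::` on its own line and inserts a blank line before it, while every other hunk in the file merges the marker into the sentence (`On bob::`). That is the right choice here, since the sentence already ends in a full stop and `fingerprint.::` would render as `fingerprint.:`, but the mixed style is worth one sentence in the commit message so a later cleanup does not "normalise" it into the wrong form.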
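Review bot: the added backslash in `+ --cert alice.pem --key alice.pem \` in the examples.rst hunk `@@ -113,30 +109,26 @@` is a functional fix, not a docutils cleanup: without the continuation, `--peer-fingerprint "$fingerprint_of_bobs_cert"` on the next line was a separate shell command, so anyone copying alice's example ran openvpn without the fingerprint pin the section is explaining. It deserves its own sentence in the commit message (or a separate patch) so the change is not buried under the `::` reformatting.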
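Review bot: in the doc/man-sections/virtual-routing-and-forwarding.rst hunk `@@ -42,8 +44,7 @@`, the touched line `+code:`vrf_external` could look like this::` is missing the leading colon of the `:code:` role (compare `:code:`eth0`` two lines above). Docutils parses it as default-role interpreted text and renders the literal word "code:" followed by an italic `vrf_external`, and `--strict` will not flag it because no system message is produced. Since the line is being rewritten anyway, change it to `:code:`vrf_external` could look like this::`.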