Here is my patch (attached) which Marc referred to, fixing pf syncing with OpenVPN. For a description of the issue and what this fixes see the earlier thread in the mailing list at. Also I'm unaware/unaffected by any issues with the opt interfaces in m0n0 w/ OpenVPN. But if someone can give me some details on the issue and possibly how to create the issue I can look into fixing it.

Joe

-------------------------------------

Below is an e-mail to the list with details about the issue and what the patch fixes.

Marc,

I actually had what sounds like the same problem. I found that I could issue the following command from exec.php once the tunnel is up to fix the issue with the firewall rules:

/sbin/ipf -y

Once I figured that out I dove into the code and found that m0n0 runs the above command directly after it sets up the OpenVPN tunnels. I can only assume it does this to prevent the issue we are seeing. The problem is that the scripts don't wait for the tunnel to completely come up before issuing the command. So if your tunnel doesn't build quickly enough the ipf -y executes too early.

Now the solution! I'm attaching a patch I've been testing with and it seems to have solved the problem. It uses OpenVPN's --route-up command line argument to run a script after the tunnel is up. The script just executes /sbin/ipf -y to make sure everything is kosher after the tunnel is built. The side benefit of this is that if the tunnel were to drop (problem with the hub) and then later re-establish, it should re-sync the FW again, preventing issues down the road.

One thing I'm not sure of is whether or not this will fix your issue with the routes. What I would recommend for that is to use the OpenVPN hub server to push out routing info to the peers, which greatly increases the ease for the network administrator to update routing info (only one place to change). Although this wouldn't be possible if you're using m0n0 as the hub, because this feature is not part of the interface currently.

If you want to use the patch make sure you chmod +x [fs-root]/usr/local/bin/ovpn-routeup.sh before building your image.
diff -ruN ./etc/inc/openvpn.inc
../../DEVEL_net45xx-1.2b9-domoveride-ovpn_ipfsync/fs/etc/inc/openvpn.inc
--- ./etc/inc/openvpn.inc Sun Jun 19 05:58:25 2005
+++ ../../DEVEL_net45xx-1.2b9-domoveride-ovpn_ipfsync/fs/etc/inc/openvpn.inc Fri Jul 8 11:21:11
2005
@@ -374,6 +374,9 @@
/* Data channel encryption cipher*/
$ovpn_config .= "--cipher {$client[$id]['crypto']} ";
+
+ /* IP-Change Script */
+ $ovpn_config .= "--route-up /usr/local/bin/ovpn-routeup.sh ";
//trigger_error("OVPN: $ovpn_config", E_USER_NOTICE);
return $ovpn_config;
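Review bot: the comment above the new line reads `/* IP-Change Script */`, but the option being appended is `--route-up`, which OpenVPN runs after its routes have been installed, not on an address change; rename the comment to say what the hook is for, e.g. `/* Re-sync ipfilter once routes are up */`. Two smaller points on the same line: the appended string must keep its trailing space, as the `--cipher` line above it does, so the next option is not glued onto the path (it does); and the path `/usr/local/bin/ovpn-routeup.sh` is hard-coded, so the image build has to install that file with the execute bit set (as the cover e-mail says) or OpenVPN will fail when it tries to run it.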
diff -ruN ./usr/local/bin/ovpn-routeup.sh
../../DEVEL_net45xx-1.2b9-domoveride-ovpn_ipfsync/fs/usr/local/bin/ovpn-routeup.sh
--- ./usr/local/bin/ovpn-routeup.sh Wed Dec 31 19:00:00 1969
+++ ../../DEVEL_net45xx-1.2b9-domoveride-ovpn_ipfsync/fs/usr/local/bin/ovpn-routeup.sh Fri Jul 8
11:34:47 2005
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/sbin/ipf -y &>/dev/null |
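Review bot: `&>/dev/null` on the last line is a bash extension; under the `#!/bin/sh` shebang the line is parsed as `/sbin/ipf -y &` (ipf started in the background) followed by an empty command whose stdout is redirected, so neither stdout nor stderr of ipf is discarded, the script returns before ipf has finished, and its exit status is always 0 regardless of what ipf did. Use the portable form `/sbin/ipf -y >/dev/null 2>&1` and let that command's exit status be the script's, so a failed re-sync is visible to OpenVPN.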
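For comparison, here is a POSIX-sh route-up script written for this thread as an added example; it is not Joe's patch or m0n0's own code. It does the same job (re-sync ipfilter with `ipf -y` after OpenVPN has added its routes) but uses the portable redirection, logs the outcome, and propagates ipf's exit status. The `IPF_CMD` override, the `ovpn-routeup` logger tag and the `*ovpn-routeup.sh` filename check are assumptions made so the script can be exercised on a machine without ipfilter.

```shell
#!/bin/sh
# Added example (not part of the patch above): OpenVPN --route-up script that
# re-syncs ipfilter with `ipf -y` once routes are installed.
# Assumption: IPF_CMD may be set in the environment to substitute another
# binary for /sbin/ipf (used for testing on hosts without ipfilter).

IPF_CMD="${IPF_CMD:-/sbin/ipf}"

# log MESSAGE: send a line to syslog via logger(1) if it exists; never fails.
log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t ovpn-routeup "$*"
    fi
    return 0
}

# resync_ipfilter: run `ipf -y` and return its exit status.
# Redirection is written as '>/dev/null 2>&1', which every /bin/sh
# understands; '&>/dev/null' is a bash extension that plain sh parses as
# '&' (background the command) plus an empty redirected command, which both
# leaks ipf's output and throws away its exit status.
resync_ipfilter() {
    status=0
    "$IPF_CMD" -y >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        log "ipfilter interface state re-synced after route-up"
    else
        log "ipf -y failed with exit status $status"
    fi
    return "$status"
}

# Only run the re-sync when executed by name (i.e. invoked by OpenVPN),
# not when this file is sourced for testing. The exit status of the
# re-sync becomes the script's exit status, so OpenVPN can see a failure.
case "$0" in
    *ovpn-routeup.sh) resync_ipfilter ;;
esac
```

Install it as `/usr/local/bin/ovpn-routeup.sh` with the execute bit set and point `--route-up` at it exactly as the patch does; setting `IPF_CMD=true` or `IPF_CMD=false` in the environment lets you confirm the success and failure paths without touching a live firewall.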