authorAlberto Gonzalez Iniesta <agi@inittab.org>2012-02-24 11:40:25 +0100
committerAlberto Gonzalez Iniesta <agi@inittab.org>2012-02-24 11:40:25 +0100
commitb48955cc85b998e387c5de75ed60ce432993f2bb (patch)
tree7742641a545641a8df6c8feb2399b767528e3d29
parent2de855eb717babbd24adbe5ddf9781a8a91ee9cc (diff)
Last correction to the send_redirects patch.
Also added a note on the new init.d script behaviour regarding all.send_redirects.
-rw-r--r--debian/README.Debian13
-rw-r--r--debian/openvpn.init.d7
2 files changed, 17 insertions, 3 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
index 1523586..592cdf9 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -10,6 +10,7 @@ In this file:
- Out of memory issues
- LDAP+TLS authentication runs into file exhaustion
- Possible consequences of the 'chroot' option
+- Disabling all.send_redirects on tun + topology subnet setups
openvpn for Debian
@@ -216,4 +217,14 @@ Create an additional "dev/log" socket in the jail by "-a" option to sysklogd or
Kudos to him, for finding out and proposing a solution.
- -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Jul 2010 12:46:30 +0200
+
+Disabling all.send_redirects on tun + topology subnet setups
+------------------------------------------------------------
+
+If any of your VPNs uses "dev tun" and "topology subnet" but does not use
+"client-to-client", OpenVPN's init.d script will disable all.send_redirects
+(set it to 0) to avoid sending ICMP redirects trough the tun interfaces (and
+confusing clients).
+
+
+ -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 24 Feb 2012 11:03:50 +0100
diff --git a/debian/openvpn.init.d b/debian/openvpn.init.d
index 62a6bc5..cb326bf 100644
--- a/debian/openvpn.init.d
+++ b/debian/openvpn.init.d
@@ -70,7 +70,10 @@ start_vpn () {
# Save the default value for send_redirects before disabling it
# to make sure the tun device is created with send_redirects disabled
SAVED_DEFAULT_SEND_REDIRECTS=$(sysctl -n net.ipv4.conf.default.send_redirects)
- sysctl -w net.ipv4.conf.default.send_redirects=0 > /dev/null
+
+ if [ "$SAVED_DEFAULT_SEND_REDIRECTS" -ne 0 ]; then
+ sysctl -w net.ipv4.conf.default.send_redirects=0 > /dev/null
+ fi
fi
fi
@@ -86,7 +89,7 @@ start_vpn () {
[ "$OMIT_SENDSIGS" -ne 1 ] || ln -s /var/run/openvpn.$NAME.pid /run/sendsigs.omit.d/openvpn.$NAME.pid
# Set the back the original default value of send_redirects if it was changed
- if [ -n "$SAVED_DEFAULT_SEND_REDIRECTS" ]; then
+ if [ "$SAVED_DEFAULT_SEND_REDIRECTS" -ne 0 ]; then
sysctl -w net.ipv4.conf.default.send_redirects=$SAVED_DEFAULT_SEND_REDIRECTS > /dev/null
fi
}
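Review bot: The test `[ "$SAVED_DEFAULT_SEND_REDIRECTS" -ne 0 ]`, added in the first hunk and substituted for the old `-n` check in the second hunk, is not safe on an empty value: if `sysctl -n` fails (no /proc/sys, a restricted container) or the saving branch above it was skipped, `[` prints "integer expression expected" and takes the false branch, so the second hunk's restore is silently skipped with an error on stderr. Unless start_vpn initialises SAVED_DEFAULT_SEND_REDIRECTS to 0 before the first hunk (the function's opening is outside the diff, so this is inferred), guard both places as `if [ -n "$SAVED_DEFAULT_SEND_REDIRECTS" ] && [ "$SAVED_DEFAULT_SEND_REDIRECTS" -ne 0 ]; then`. The restore line should also quote the value, `sysctl -w net.ipv4.conf.default.send_redirects="$SAVED_DEFAULT_SEND_REDIRECTS" > /dev/null`, and because both `sysctl -w` calls discard only stdout and ignore the exit status, a failed write (read-only /proc/sys, missing privilege) leaves the tun device created with send_redirects enabled while README.Debian now states it is disabled — the failure is worth at least a logged warning.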