<rsalvaterra>
I'm really starting to hate the vpnc script (vpnc-scripts package) we have.
<rsalvaterra>
Of course, I would hate it even more if I could even configure an OpenConnect VPN correctly, but it doesn't seem netifd is having any of it.
<rsalvaterra>
That script is so wrong, in so many different ways.
<rsalvaterra>
1) Assumes the user wants to configure all the routes the VPN provides (case in point, I have a stupid VPN connection which happily routes 10.0.0.0/8 through it).
<rsalvaterra>
2) Assumes there's only a dnsmasq instance running (and what if you don't even have dnsmasq? Surprise, surprise!)
<f00b4r0>
wireguard is so easy, /me whispers :)
<rsalvaterra>
f00b4r0: I don't control the server. :(
<f00b4r0>
change server? ;)
<rsalvaterra>
Change $dayjob, more likely. :P
<f00b4r0>
ah
<f00b4r0>
I feel ya. Been there, done that ;P
<rsalvaterra>
SSL VPNs… what the hell.
<f00b4r0>
indeed
<rsalvaterra>
And until recently it was PPtP.
<Grommish>
PPP/Slip was always the new hawtness
<rsalvaterra>
Which was actually much better, as it's much easier to configure.
<rsalvaterra>
(Corporate security is someone else's problem. :P)
<f00b4r0>
pptp, oh dear. Had to deal with that mess too recently. For $customer in Austria, where apparently they still use that for broadband access ;P
<rsalvaterra>
Insecure as it is, at least PPtP is IP at the lower layer. SSL VPNs are mostly TCP (and we all now how wonderful it is to have TCP over TCP).
<rsalvaterra>
*know
borek has joined #openwrt-devel
borek has quit [Ping timeout: 480 seconds]
borek has joined #openwrt-devel
<f00b4r0>
have to run, bbl
f00b4r0 has quit [Quit: p00f]
cbeznea1 has joined #openwrt-devel
cbeznea has quit [Ping timeout: 480 seconds]
<jow>
rsalvaterra: so you miss some kind of route filter?
<jow>
it would make sense as generic netifd facility as other proto handlers also can announce routes, e.g. dhcp provided classless routes you might want to completely or partially filter for whatever reason
<jow>
or are you complaining about the vpnc proto handler staging a default route?
<jow>
the latter can be solved by the generic option defaultroute 0 option
<rsalvaterra>
jow: To be honest, I didn't even reach that stage. Somehow I can't get OpenConnect to work at all. :/
<rsalvaterra>
I would be happy if it just created the tunnel interface, at least that would mean it's establishing a connection.
<rsalvaterra>
I can do it manually, through the terminal, of course.
<rsalvaterra>
I do see the vpnc script blindly applying all the provided routes, though, unless I'm misinterpreting the code.
<rsalvaterra>
Anyway, it's not just the default route, I don't want any routes except for the ones I explicitly create.
<jow>
yeah, I see
<jow>
that's a generic issue though, I believe dhcp would behave similar
<rsalvaterra>
I feel *really* tempted to hack my own ad-hoc vpnc script.
<jow>
same with the dnsmasq integration
<rsalvaterra>
The whole thing reeks of bitrot.
<jow>
handling proto handler supplied DNS info should be done in a central place, not per script
_lore_ has quit [Ping timeout: 480 seconds]
<jow>
or at the very least it should respect option peerdns 0
<rsalvaterra>
Oh, it doesn't? I thought that was generic and not a netifd proto thing.
<rsalvaterra>
Even worse…
<jow>
it is, but that vpn-script does more, it also amends the dnsmasq config
<jow>
these parts should be guarded by option peerdns 0 too
<jow>
netifd only takes care of ignoring the provided dns servers on peerdns 0
<rsalvaterra>
The script has no business touching the dnsmasq config. If it exists at all.
<rsalvaterra>
For example, I run two dnsmasq instances. That would never work.
<jow>
but it can't prevent script code from modifying configs elsewhere in the system...
<rsalvaterra>
Just to make sure we're on the same page, we're talking about the vpnc script in the vpnc-scripts (why plural? There's only one…) package, right?
<rsalvaterra>
For my use case, I just need for the script to configure the IP/mask and gateway for the interface.
rua has quit [Ping timeout: 480 seconds]
<aiyion>
Can someone point me to the dts file for a "Ubiquiti PicoStation M2" in ath79? I'm not sure if it's just not present, or if I'm missing something.
<aiyion>
I found 'ubnt_picostation-m', but that's for the xm device, isn't it?
Slimey has quit [Read error: Connection reset by peer]
rua has joined #openwrt-devel
<aiyion>
or are m2 and m5 both variants of it?
<jow>
rsalvaterra: yep, I am looking at that script
Slimey has joined #openwrt-devel
<jow>
rsalvaterra: normally how it works is: a proto handler does its proto specific thing, extracts relevant settings from env vars or whatever means, then hands over all that info to netifd and instructs it to setup the iface
<jow>
netifd then honours options such as peerdns, defaultroute etc. to selectively ignore info provided by the proto handler
_lore_ has joined #openwrt-devel
<jow>
but if a proto handler modifies system config directly, not involving netifd, then all those options have no effect, the protohandler has to honour those itself then
<csharper2005>
hauke: and what do you think about small and clear python scripts in $TOPDIR instead of firmware-utils? Is it possible or strictly prohibited?
<csharper2005>
* in $TOPDIR/scripts
goliath has joined #openwrt-devel
MaxSoniX has quit [Remote host closed the connection]
srslypascal is now known as Guest94
srslypascal has joined #openwrt-devel
Borromini has joined #openwrt-devel
Guest94 has quit [Ping timeout: 480 seconds]
rua has quit [Ping timeout: 480 seconds]
rua has joined #openwrt-devel
ekathva has quit [Remote host closed the connection]
rua has quit [Ping timeout: 480 seconds]
shibboleth has quit [Quit: shibboleth]
rua has joined #openwrt-devel
Borromini has quit [Quit: Lost terminal]
<hauke>
csharper2005: I think there are already some
<hauke>
better discuss this on the mailing list
<csharper2005>
hauke: Hi! I also have such scripts here - https://github.com/openwrt/openwrt/pull/4195 ... I've backported the mtd patch and now have 9 commits :)) Can you advise what to do next with this?
<Zero_Chaos>
when I run wifi up with 4 phys it seems to timeout one of them (at random) pretty often. but I can just manually run the same "ubus call hostapd config_add" line that was frozen (from ps) and it works fine
<Zero_Chaos>
in openwrt-21.02 6 months ago it was fine, but now it's pretty reliably not fine with >3 phys
bluew has joined #openwrt-devel
csharper2005 has quit [Remote host closed the connection]