|
|
> Regarding iroutes, it would be nice if an iroute command implied a top-level
> "route command", as I can't see why you'd ever want an iroute command
> without the corresponding route command. This would also keep the main file
> cleaner and not require restarts when new CCD files were added. It also
> makes CCD files portable from one VPN to another. If this were a security
> risk, you might have a --allow-ccd-routes flag to enable it or something.
The reason why iroute does not automatically add an equivalent system
route as well is that OpenVPN is designed to drop root privileges after
initialization, so it would not have the required privileges to add a
route after initialization. The privilege model dictates that system
routes be statically added on initialization while iroutes are added and
removed during normal VPN operation as clients connect and disconnect.
James
Ok, what if we add a directive called "--load-ccd-routes" which loads
all the iroutes in the ccd dir on startup? Presumably, you
wouldn't have an iroute statement without the corresponding route
command, so why not create all the routes automatically? This
would solve the privilege problem because it could be done before
switching to a non privileged user. I can't really see any big
security risk here, as you are free to remove the ccds if you don't
want to load its iroute/route.
-Dan
|