Currently, the OpenVPN server pushes routes, DNS and some other options to the client over the OpenVPN connection.
We could of course also move this to the client config. When the user reconnects (with eduVPN/LC app) they would get the new config, the behavior then becomes identical to WireGuard and the server does not need "apply changes" when changing e.g. routes.
For IP management we'll keep the OpenVPN-way to do that.
The ultimate goals:
- Allow client to choose whether or not to route all traffic over VPN ("default gateway");
- Allow client to choose whether or not to block local traffic.
The main complication seems to be figuring out the
@GW4@and@GW6@addresses...
- Windows
- eduVPN works great
- macOS
- Viscosity works great
- eduVPN app seems to always want to be default gateway? NOTE: need better testing before I start accusing!
- DNS works
- Linux
- NetworkManager does not pick up DNS from config file, suspect neither routes
- iOS
- We suspect same as macOS
- Android
- Not tested, but uses OpenVPN, so probably works
Linux NM issue
When you do not explicitly push anything to the client, there is still a bunch of stuff pushed:
2023-09-12 17:23:06 PUSH: Received control message: 'PUSH_REPLY, explicit-exit-notify 1, tun-ipv6, route-gateway 10.208.28.1, topology subnet, ping 10, ping-restart 60, ifconfig-ipv6 fda6:ec1f:a582:56bb::8/112 fda6:ec1f:a582:56bb::1, ifconfig 10.208.28.8 255.255.255.128, peer-id 0, cipher AES-256-GCM, protocol-flags cc-exit tls-ekm dyn-tls-crypt, tun-mtu 1500 '
Having a "complete" client config so we do not have to specify
--clientanymore, but can use--tls-clientwhich does not include--pullwould be the dream (= exactly like WireGuard).I am a bit, actually a lot, afraid we'll end up in 'unexplored terrain' where we'll hit various bugs or incompatibilities, and that won't be fun!
So perhaps limiting it to only routes and DNS would be enough, although even that will be risky.