)]}'
{"id":"openvpn~1192","triplet_id":"openvpn~master~I83295e00d1a756dfa44050b0a4493095fb050fff","project":"openvpn","branch":"master","attention_set":{},"removed_from_attention_set":{"1000003":{"account":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"last_update":"2025-10-29 07:53:15.000000000","reason":"Change was submitted"},"1000002":{"account":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"last_update":"2025-10-18 21:18:40.000000000","reason":"\u003cGERRIT_ACCOUNT_1000002\u003e replied on the change","reason_account":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"}},"1000001":{"account":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"last_update":"2025-10-29 07:53:15.000000000","reason":"Change was submitted"},"1000007":{"account":{"_account_id":1000007,"name":"ordex","display_name":"Antonio Quartulli","email":"antonio@mandelbit.com","username":"ordex"},"last_update":"2025-10-29 07:53:15.000000000","reason":"Change was submitted"},"1000006":{"account":{"_account_id":1000006,"name":"d12fk","display_name":"Heiko Hund","email":"heiko@openvpn.net","username":"d12fk"},"last_update":"2025-10-29 07:53:15.000000000","reason":"Change was submitted"}},"hashtags":[],"change_id":"I83295e00d1a756dfa44050b0a4493095fb050fff","subject":"Install host routes for out-of-subnet ifconfig-push addresses when DCO is enabled","status":"MERGED","created":"2025-09-15 17:39:03.000000000","updated":"2025-10-29 07:53:15.000000000","submitted":"2025-10-29 07:53:15.000000000","submitter":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"total_comment_count":61,"unresolved_comment_count":3,"has_review_started":true,"submission_id":"1192","meta_rev_id":"debaeb1f81ff1ff2a91bc8ec1b305feaa88deb31","_number":1192,"virtual_id_number":1192,"owner":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"actions":{},"labels":{"Code-Review":{"all":[{"value":0,"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},{"value":0,"_account_id":1000007,"name":"ordex","display_name":"Antonio Quartulli","email":"antonio@mandelbit.com","username":"ordex"},{"value":0,"_account_id":1000006,"name":"d12fk","display_name":"Heiko Hund","email":"heiko@openvpn.net","username":"d12fk"}],"values":{"-2":"This shall not be submitted","-1":"I would prefer this is not submitted as is"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me, approved"},"description":"","default_value":0}},"removable_reviewers":[{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."}],"reviewers":{"REVIEWER":[{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},{"_account_id":1000006,"name":"d12fk","display_name":"Heiko Hund","email":"heiko@openvpn.net","username":"d12fk"},{"_account_id":1000007,"name":"ordex","display_name":"Antonio Quartulli","email":"antonio@mandelbit.com","username":"ordex"}],"CC":[{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2025-09-15 17:39:04.000000000","updated_by":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"reviewer":{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"},"state":"CC"},{"updated":"2025-09-15 17:39:04.000000000","updated_by":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"reviewer":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"state":"REVIEWER"},{"updated":"2025-09-16 20:52:02.000000000","updated_by":{"_account_id":1000006,"name":"d12fk","display_name":"Heiko Hund","email":"heiko@openvpn.net","username":"d12fk"},"reviewer":{"_account_id":1000006,"name":"d12fk","display_name":"Heiko Hund","email":"heiko@openvpn.net","username":"d12fk"},"state":"CC"},{"updated":"2025-09-16 21:19:39.000000000","updated_by":{"_account_id":1000007,"name":"ordex","display_name":"Antonio Quartulli","email":"antonio@mandelbit.com","username":"ordex"},"reviewer":{"_account_id":1000007,"name":"ordex","display_name":"Antonio Quartulli","email":"antonio@mandelbit.com","username":"ordex"},"state":"REVIEWER"},{"updated":"2025-09-18 03:16:17.000000000","updated_by":{"_account_id":1000006,"name":"d12fk","display_name":"Heiko Hund","email":"heiko@openvpn.net","username":"d12fk"},"reviewer":{"_account_id":1000006,"name":"d12fk","display_name":"Heiko Hund","email":"heiko@openvpn.net","username":"d12fk"},"state":"REVIEWER"},{"updated":"2025-10-12 12:55:11.000000000","updated_by":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"reviewer":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"state":"REVIEWER"}],"messages":[{"id":"c315982fe207b0ac77c891cce79b553655261b2e","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-09-15 17:39:03.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"e2d2c119d49bf7f9d03b80ca3c6ce362f03e786b","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-09-15 17:40:48.000000000","message":"Patch Set 1:\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"322de32d90eee723ea289fab224f868a62a10006","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-09-15 17:44:45.000000000","message":"Patch Set 2: Commit message was updated.","accounts_in_message":[],"_revision_number":2},{"id":"a040451a978b7f438a217f92a9efa4462502b5e4","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-09-16 13:50:02.000000000","message":"Uploaded patch set 3.","accounts_in_message":[],"_revision_number":3},{"id":"6f13f334dcfe5240a76fd53465d62d76c2dc80d5","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-09-16 14:35:32.000000000","message":"Patch Set 3:\n\n(1 comment)","accounts_in_message":[],"_revision_number":3},{"id":"63c3c73f386f4a89fc7d6f7d1af4ddea2ed9dc54","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-09-16 14:35:42.000000000","message":"Uploaded patch set 4.","accounts_in_message":[],"_revision_number":4},{"id":"0f0831faed7eb8809c644022fb596ef50f2b73cc","author":{"_account_id":1000006,"name":"d12fk","display_name":"Heiko Hund","email":"heiko@openvpn.net","username":"d12fk"},"date":"2025-09-16 20:52:02.000000000","message":"Patch Set 2:\n\n(3 comments)","accounts_in_message":[],"_revision_number":2},{"id":"7f19b9d91d6f6dc4e099579b958b3e218b83bd4f","author":{"_account_id":1000007,"name":"ordex","display_name":"Antonio Quartulli","email":"antonio@mandelbit.com","username":"ordex"},"date":"2025-09-16 21:19:39.000000000","message":"Patch Set 4: Code-Review+1\n\n(12 comments)","accounts_in_message":[],"_revision_number":4},{"id":"466e943ceedab2c95c1bf63d37b52f870353bdf0","author":{"_account_id":1000007,"name":"ordex","display_name":"Antonio Quartulli","email":"antonio@mandelbit.com","username":"ordex"},"date":"2025-09-16 21:20:33.000000000","message":"Patch Set 4:\n\n(1 comment)","accounts_in_message":[],"_revision_number":4},{"id":"58253d1d13d8e3a8668f7af17bb8e7f64567c746","author":{"_account_id":1000006,"name":"d12fk","display_name":"Heiko Hund","email":"heiko@openvpn.net","username":"d12fk"},"date":"2025-09-16 21:40:03.000000000","message":"Patch Set 4:\n\n(2 comments)","accounts_in_message":[],"_revision_number":4},{"id":"9456158c5fe7fcc7e6faa1921c0c540599a7f3c6","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-09-17 10:19:40.000000000","message":"Patch Set 4:\n\n(13 comments)","accounts_in_message":[],"_revision_number":4},{"id":"de7c0b9b7e95c1505cdbf53d75d95a710056a15f","author":{"_account_id":1000007,"name":"ordex","display_name":"Antonio Quartulli","email":"antonio@mandelbit.com","username":"ordex"},"date":"2025-09-17 11:01:39.000000000","message":"Patch Set 4:\n\n(3 comments)","accounts_in_message":[],"_revision_number":4},{"id":"a97fe901c146d95db0723604285dbfc5cad51474","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-09-17 13:22:06.000000000","message":"Uploaded patch set 5.\n\nOutdated Votes:\n* Code-Review+1 (copy condition: \"changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR is:MIN\")\n","accounts_in_message":[],"_revision_number":5},{"id":"35c2806c8ce94212807ca296f51844037b42952f","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-09-17 13:23:24.000000000","message":"Uploaded patch set 6.","accounts_in_message":[],"_revision_number":6},{"id":"d7e9a9d7614c74800ce75cd3306209eb42074a44","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-09-17 13:56:53.000000000","message":"Uploaded patch set 7.","accounts_in_message":[],"_revision_number":7},{"id":"593ba8556a7d1e9f990c0b124d36b7da16837b64","author":{"_account_id":1000006,"name":"d12fk","display_name":"Heiko Hund","email":"heiko@openvpn.net","username":"d12fk"},"date":"2025-09-18 03:14:42.000000000","message":"Patch Set 4:\n\n(1 comment)","accounts_in_message":[],"_revision_number":4},{"id":"ac7b0057fa922fcc1aa69c693e0285a2b29d38b6","author":{"_account_id":1000006,"name":"d12fk","display_name":"Heiko Hund","email":"heiko@openvpn.net","username":"d12fk"},"date":"2025-09-18 03:16:17.000000000","message":"Patch Set 7: Code-Review+1","accounts_in_message":[],"_revision_number":7},{"id":"c2fb999e9d45ad09ec660ccb1dd90783379db9a7","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-10-06 13:22:11.000000000","message":"Uploaded patch set 8: Patch Set 7 was rebased.\n\nCopied Votes:\n* Code-Review+1 (copy condition: \"changekind:NO_CHANGE OR **changekind:TRIVIAL_REBASE** OR is:MIN\")\n","accounts_in_message":[],"_revision_number":8},{"id":"d32e1e2d27f0422711138304a71ab28d7c4a7710","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-10-12 12:55:11.000000000","message":"Patch Set 8: Code-Review-2\n\n(5 comments)","accounts_in_message":[],"_revision_number":8},{"id":"a406f07d985e65b5e0771505f5b020b549e6253e","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-10-12 12:59:34.000000000","message":"Patch Set 8:\n\n(1 comment)","accounts_in_message":[],"_revision_number":8},{"id":"a067452c57cb40166e20052d2748c760959e2c5c","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-10-13 14:23:56.000000000","message":"Patch Set 8:\n\n(5 comments)","accounts_in_message":[],"_revision_number":8},{"id":"5211497128e90a05ccedede66ed1d1bfbd23d5b7","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-10-13 14:24:13.000000000","message":"Uploaded patch set 9.\n\nCopied Votes:\n* Code-Review-2 (copy condition: \"changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR **is:MIN**\")\n\nOutdated Votes:\n* Code-Review+1 (copy condition: \"changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR is:MIN\")\n","accounts_in_message":[],"_revision_number":9},{"id":"27510e40baf3883b75c98e2642338d8cc0bc549c","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-10-14 09:28:41.000000000","message":"Uploaded patch set 10.\n\nCopied Votes:\n* Code-Review-2 (copy condition: \"changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR **is:MIN**\")\n","accounts_in_message":[],"_revision_number":10},{"id":"bb12b79f39a58df1c327dce37df206f13e803561","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-10-14 11:50:52.000000000","message":"Uploaded patch set 11: Patch Set 10 was rebased.\n\nCopied Votes:\n* Code-Review-2 (copy condition: \"changekind:NO_CHANGE OR **changekind:TRIVIAL_REBASE** OR **is:MIN**\")\n","accounts_in_message":[],"_revision_number":11},{"id":"5f4d5543fac246f19d64136d0b725997dc729601","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-10-18 21:18:40.000000000","message":"Patch Set 11: Code-Review-2\n\n(1 comment)","accounts_in_message":[],"_revision_number":11},{"id":"730e59c345a9702b29523369b7d3d3a415267275","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-10-19 09:49:39.000000000","message":"Patch Set 11:\n\n(1 comment)","accounts_in_message":[],"_revision_number":11},{"id":"3da1bb2e50ab315258a7c28ef93baec4d9816682","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-10-19 09:56:30.000000000","message":"Patch Set 11:\n\n(1 comment)","accounts_in_message":[],"_revision_number":11},{"id":"e69b0a9ce4ab3d950e2dc556199f219f3381dd8a","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-10-27 10:35:21.000000000","message":"Uploaded patch set 12.\n\nCopied Votes:\n* Code-Review-2 (copy condition: \"changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR **is:MIN**\")\n","accounts_in_message":[],"_revision_number":12},{"id":"2f306b8d81e28a568f117aa97e32543470fbec52","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-10-27 12:19:42.000000000","message":"Uploaded patch set 13.\n\nCopied Votes:\n* Code-Review-2 (copy condition: \"changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR **is:MIN**\")\n","accounts_in_message":[],"_revision_number":13},{"id":"32d914dc8f9bb17757e4fe2603641fdfa0c40cf1","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-10-28 13:32:29.000000000","message":"Patch Set 13: Code-Review-2\n\n(1 comment)","accounts_in_message":[],"_revision_number":13},{"id":"03d1bf3842014cd89fe9e48d05ede397e6455e0c","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-10-28 13:54:18.000000000","message":"Patch Set 13:\n\n(2 comments)","accounts_in_message":[],"_revision_number":13},{"id":"0eb283f91c911412ff85c933da2ef23a163ba6cc","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-10-28 13:55:11.000000000","message":"Patch Set 13:\n\n(6 comments)","accounts_in_message":[],"_revision_number":13},{"id":"5a42f5357a12c4a76331e1d460c5fc2227e6f2f4","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-10-28 23:24:27.000000000","message":"Uploaded patch set 14.\n\nCopied Votes:\n* Code-Review-2 (copy condition: \"changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR **is:MIN**\")\n","accounts_in_message":[],"_revision_number":14},{"id":"d67930a8ff9442378154fe33cec940b3fede7450","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-10-29 07:06:44.000000000","message":"Patch Set 14: Code-Review+2\n\n(1 comment)","accounts_in_message":[],"_revision_number":14},{"id":"debaeb1f81ff1ff2a91bc8ec1b305feaa88deb31","tag":"autogenerated:gerrit:merged","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-10-29 07:53:15.000000000","message":"Change has been successfully pushed.","accounts_in_message":[],"_revision_number":15}],"current_revision_number":15,"current_revision":"f938d991a8222bb3304865f2cd7b368d7f8a9224","revisions":{"eca6ef1e59b0b0d80daf10f84462e507a713a874":{"kind":"REWORK","_number":1,"created":"2025-09-15 17:39:03.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/92/1192/1","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/92/1192/1","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/1 \u0026\u0026 git checkout -b change-1192 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/92/1192/1","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/1 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"7f15db340b3d904316df7a7cc0ca7d95065f5ea6","subject":"Allow route_ipv6_match_host to be used outside of route.c"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-12 12:29:58.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-15 17:37:12.000000000","tz":120},"subject":"Install host routes with onlink scope iroutes for ifconfig-push routes","message":"Install host routes with onlink scope iroutes for ifconfig-push routes\n\nAdditional IP addresses for hosts that lie outside the primary network\nof the configured device need to be added to the operating system to\nensure that traffic for these IP addresses is also directed to the VPN.\n\nFor Linux it is import that these extra routes are routes with scope link\nrather than static since otherwise routes via these IP addresses, like\niroute, will not work.\n\nChange-Id: I83295e00d1a756dfa44050b0a4493095fb050fff\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"1ece183c8f3786474cd9554f6c8b7ee58fab096a":{"kind":"NO_CODE_CHANGE","_number":2,"created":"2025-09-15 17:44:45.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/92/1192/2","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/92/1192/2","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/2 \u0026\u0026 git checkout -b change-1192 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/92/1192/2","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/2 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"7f15db340b3d904316df7a7cc0ca7d95065f5ea6","subject":"Allow route_ipv6_match_host to be used outside of route.c"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-12 12:29:58.000000000","tz":120},"committer":{"name":"plaisthos","email":"arne-openvpn@rfc2549.org","date":"2025-09-15 17:44:45.000000000","tz":0},"subject":"Install host routes with onlink scope iroutes for ifconfig-push routes","message":"Install host routes with onlink scope iroutes for ifconfig-push routes\n\nAdditional IP addresses for hosts that lie outside the primary network\nof the configured device need to be added to the operating system to\nensure that traffic for these IP addresses is also directed to the VPN.\n\nFor Linux it is important that these extra routes are routes with scope link\nrather than static since otherwise routes via these IP addresses, like\niroute, will not work.\n\nChange-Id: I83295e00d1a756dfa44050b0a4493095fb050fff\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master","description":"Edit commit message"},"d8ac35e33233ca5b6138cc59673d610d8a51963d":{"kind":"REWORK","_number":3,"created":"2025-09-16 13:50:02.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/92/1192/3","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/92/1192/3","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/3 \u0026\u0026 git checkout -b change-1192 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/92/1192/3","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/3 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"6381090da5bd159fda39f8f055736ca0394ab5bf","subject":"Allowing installing FreeBSD routes with interface instead of next-hop"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-12 12:29:58.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-16 13:49:45.000000000","tz":120},"subject":"Install host routes with onlink scope iroutes for ifconfig-push routes","message":"Install host routes with onlink scope iroutes for ifconfig-push routes\n\nAdditional IP addresses for hosts that lie outside the primary network\nof the configured device need to be added to the operating system to\nensure that traffic for these IP addresses is also directed to the VPN.\n\nFor Linux it is important that these extra routes are routes using scope link\nrather than static since otherwise routes via these IP addresses, like\niroute, will not work.\n\nTested using a server with ccd:\n\n   openvpn --server 10.33.0.0 255.255.192.0 --server-ipv6 fd00:f00f::1/64  --client-config-dir ~/ccd [...]\n\nand a client with lwipvonpn and the following ccd file:\n\n   iroute-ipv6 FD00:F00F:CAFE::1001/64\n   ifconfig-ipv6-push FD00:F00F:D00D::77/64\n   push \"setenv-safe ifconfig_ipv6_local_2 FD00:F00F:CAFE::1001\"\n   push \"setenv-safe ifconfig_ipv6_netbits_2 64\"\n\n   iroute 10.234.234.0 255.255.255.0\n   ifconfig-push 10.11.12.13 255.255.255.0\n   push \"setenv-safe ifconfig_local_2 10.234.234.12\"\n   push \"setenv-safe ifconfig_netmask_2 255.255.255.0\"\n\nChange-Id: I83295e00d1a756dfa44050b0a4493095fb050fff\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"559bb18d98ce89d8db90117af3f84a8ba5edaae9":{"kind":"REWORK","_number":4,"created":"2025-09-16 14:35:42.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/92/1192/4","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/92/1192/4","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/4 \u0026\u0026 git checkout -b change-1192 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/4 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/4 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/4 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/92/1192/4","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/4 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"e520e4ced35b9d8a7dd071f8af2470d0543751a0","subject":"Allowing installing FreeBSD routes with interface instead of next-hop"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-12 12:29:58.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-16 14:35:38.000000000","tz":120},"subject":"Install host routes with onlink scope iroutes for ifconfig-push routes","message":"Install host routes with onlink scope iroutes for ifconfig-push routes\n\nAdditional IP addresses for hosts that lie outside the primary network\nof the configured device need to be added to the operating system to\nensure that traffic for these IP addresses is also directed to the VPN.\n\nFor Linux it is important that these extra routes are routes using scope link\nrather than static since otherwise routes via these IP addresses, like\niroute, will not work.\n\nTested using a server with ccd:\n\n   openvpn --server 10.33.0.0 255.255.192.0 --server-ipv6 fd00:f00f::1/64  --client-config-dir ~/ccd [...]\n\nand a client with lwipvonpn and the following ccd file:\n\n   iroute-ipv6 FD00:F00F:CAFE::1001/64\n   ifconfig-ipv6-push FD00:F00F:D00D::77/64\n   push \"setenv-safe ifconfig_ipv6_local_2 FD00:F00F:CAFE::1001\"\n   push \"setenv-safe ifconfig_ipv6_netbits_2 64\"\n\n   iroute 10.234.234.0 255.255.255.0\n   ifconfig-push 10.11.12.13 255.255.255.0\n   push \"setenv-safe ifconfig_local_2 10.234.234.12\"\n   push \"setenv-safe ifconfig_netmask_2 255.255.255.0\"\n\nChange-Id: I83295e00d1a756dfa44050b0a4493095fb050fff\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"1469be554dd051d35fe6dcad48b9603f9858bfec":{"kind":"REWORK","_number":5,"created":"2025-09-17 13:22:06.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/92/1192/5","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/92/1192/5","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/5 \u0026\u0026 git checkout -b change-1192 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/5 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/5 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/5 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/92/1192/5","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/5 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"77b17958fb614ae012df25a622e4d263f4e0c4cb","subject":"Allowing installing FreeBSD routes with interface instead of next-hop"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-12 12:29:58.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-17 12:30:29.000000000","tz":120},"subject":"Install host routes for ifconfig-push routes when DCO is enabled","message":"Install host routes for ifconfig-push routes when DCO is enabled\n\nifconfig-push and ifconfig-ipv6-push can configure the IP address of a\nclient. If this IP address lies inside the network that is configured\non the ovpn/tun device this works as expected as the routing table point to\nthe ovpn/tun interface. However, if the IP address\nis outside that range, the IP packets are not forwarded to the ovpn/tun\ninterface.\n\nThis patch adds logic to add host routes for these\nifconfig-push/ifconfig-ipv6-push addresses to ensure that traffic for\nthese IP addresses is also directed to the VPN.\n\nFor Linux it is important that these extra routes are routes using scope link\nrather than static since otherwise routes via these IP addresses, like\niroute, will not work. On FreeBSD we also use interface routes as works and\nroutes that target interfaces instead of IP addresses are less brittle.\n\nTested using a server with ccd:\n\n   openvpn --server 10.33.0.0 255.255.192.0 --server-ipv6 fd00:f00f::1/64  --client-config-dir ~/ccd [...]\n\nand a client with lwipvonpn and the following ccd file:\n\n   iroute-ipv6 FD00:F00F:CAFE::1001/64\n   ifconfig-ipv6-push FD00:F00F:D00D::77/64\n   push \"setenv-safe ifconfig_ipv6_local_2 FD00:F00F:CAFE::1001\"\n   push \"setenv-safe ifconfig_ipv6_netbits_2 64\"\n\n   iroute 10.234.234.0 255.255.255.0\n   ifconfig-push 10.11.12.13 255.255.255.0\n   push \"setenv-safe ifconfig_local_2 10.234.234.12\"\n   push \"setenv-safe ifconfig_netmask_2 255.255.255.0\"\n\nThis setups an ifconfig-push addresses outside the --server/--server-ipv6\nnetwork and additionally configures a iroute behind that client. The\nsetenv-safe configure lwipovpn to use that additional IP addresses to allow\ntesting via ping.\n\nChange-Id: I83295e00d1a756dfa44050b0a4493095fb050fff\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"32c59b23e13bc44d5872ec80b58d7fb55eea437c":{"kind":"REWORK","_number":6,"created":"2025-09-17 13:23:24.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/92/1192/6","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/92/1192/6","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/6 \u0026\u0026 git checkout -b change-1192 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/6 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/6 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/6 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/92/1192/6","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/6 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"77b17958fb614ae012df25a622e4d263f4e0c4cb","subject":"Allowing installing FreeBSD routes with interface instead of next-hop"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-12 12:29:58.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-17 13:23:12.000000000","tz":120},"subject":"Install host routes for ifconfig-push routes when DCO is enabled","message":"Install host routes for ifconfig-push routes when DCO is enabled\n\nifconfig-push and ifconfig-ipv6-push can configure the IP address of a\nclient. If this IP address lies inside the network that is configured\non the ovpn/tun device this works as expected as the routing table point to\nthe ovpn/tun interface. However, if the IP address\nis outside that range, the IP packets are not forwarded to the ovpn/tun\ninterface.\n\nThis patch adds logic to add host routes for these\nifconfig-push/ifconfig-ipv6-push addresses to ensure that traffic for\nthese IP addresses is also directed to the VPN.\n\nFor Linux it is important that these extra routes are routes using scope link\nrather than static since otherwise routes via these IP addresses, like\niroute, will not work. On FreeBSD we also use interface routes as works and\nroutes that target interfaces instead of IP addresses are less brittle.\n\nTested using a server with ccd:\n\n   openvpn --server 10.33.0.0 255.255.192.0 --server-ipv6 fd00:f00f::1/64  --client-config-dir ~/ccd [...]\n\nand a client with lwipvonpn and the following ccd file:\n\n   iroute-ipv6 FD00:F00F:CAFE::1001/64\n   ifconfig-ipv6-push FD00:F00F:D00D::77/64\n   push \"setenv-safe ifconfig_ipv6_local_2 FD00:F00F:CAFE::1001\"\n   push \"setenv-safe ifconfig_ipv6_netbits_2 64\"\n\n   iroute 10.234.234.0 255.255.255.0\n   ifconfig-push 10.11.12.13 255.255.255.0\n   push \"setenv-safe ifconfig_local_2 10.234.234.12\"\n   push \"setenv-safe ifconfig_netmask_2 255.255.255.0\"\n\nThis setups an ifconfig-push addresses outside the --server/--server-ipv6\nnetwork and additionally configures a iroute behind that client. The\nsetenv-safe configure lwipovpn to use that additional IP addresses to allow\ntesting via ping.\n\nChange-Id: I83295e00d1a756dfa44050b0a4493095fb050fff\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"e5c2bb396b6e4d8e5e1c0cfdf16d6a2ce3bf17d0":{"kind":"REWORK","_number":7,"created":"2025-09-17 13:56:53.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/92/1192/7","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/92/1192/7","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/7 \u0026\u0026 git checkout -b change-1192 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/7 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/7 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/7 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/92/1192/7","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/7 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"77b17958fb614ae012df25a622e4d263f4e0c4cb","subject":"Allowing installing FreeBSD routes with interface instead of next-hop"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-12 12:29:58.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-17 13:54:38.000000000","tz":120},"subject":"Install host routes for ifconfig-push routes when DCO is enabled","message":"Install host routes for ifconfig-push routes when DCO is enabled\n\nifconfig-push and ifconfig-ipv6-push can configure the IP address of a\nclient. If this IP address lies inside the network that is configured\non the ovpn/tun device this works as expected as the routing table point to\nthe ovpn/tun interface. However, if the IP address\nis outside that range, the IP packets are not forwarded to the ovpn/tun\ninterface.\n\nThis patch adds logic to add host routes for these\nifconfig-push/ifconfig-ipv6-push addresses to ensure that traffic for\nthese IP addresses is also directed to the VPN.\n\nFor Linux it is important that these extra routes are routes using scope link\nrather than static since otherwise routes via these IP addresses, like\niroute, will not work. On FreeBSD we also use interface routes as works and\nroutes that target interfaces instead of IP addresses are less brittle.\n\nTested using a server with ccd:\n\n   openvpn --server 10.33.0.0 255.255.192.0 --server-ipv6 fd00:f00f::1/64  --client-config-dir ~/ccd [...]\n\nand a client with lwipvonpn and the following ccd file:\n\n   iroute-ipv6 FD00:F00F:CAFE::1001/64\n   ifconfig-ipv6-push FD00:F00F:D00D::77/64\n   push \"setenv-safe ifconfig_ipv6_local_2 FD00:F00F:CAFE::1001\"\n   push \"setenv-safe ifconfig_ipv6_netbits_2 64\"\n\n   iroute 10.234.234.0 255.255.255.0\n   ifconfig-push 10.11.12.13 255.255.255.0\n   push \"setenv-safe ifconfig_local_2 10.234.234.12\"\n   push \"setenv-safe ifconfig_netmask_2 255.255.255.0\"\n\nThis setups an ifconfig-push addresses outside the --server/--server-ipv6\nnetwork and additionally configures a iroute behind that client. The\nsetenv-safe configure lwipovpn to use that additional IP addresses to allow\ntesting via ping.\n\nWindows behaves like the user space implementation. It does require these\nspecial routes but instead (like user space) needs static routes to redirect\nIP traffic for these IP addresses to the tunnel interface. E.g. in the example\nabove the server config needs to have:\n\n   route 10.234.234.0 255.255.255.0\n   route 10.11.12.0 255.255.255.0\n\n   route-ipv6 FD00:F00F:CAFE::1001/64\n   route-ipv6 FD00:F00F:D00D::77/64\n\nChange-Id: I83295e00d1a756dfa44050b0a4493095fb050fff\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"00c603f7f895319c4048184d1f1c19cdee233fad":{"kind":"TRIVIAL_REBASE","_number":8,"created":"2025-10-06 13:22:11.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/92/1192/8","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/92/1192/8","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/8 \u0026\u0026 git checkout -b change-1192 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/8 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/8 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/8 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/92/1192/8","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/8 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"efcf8de5393ed9e60795f804f818bc9978612f2b","subject":"Allowing installing FreeBSD routes with interface instead of next-hop"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-12 12:29:58.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-10-06 13:22:03.000000000","tz":120},"subject":"Install host routes for ifconfig-push routes when DCO is enabled","message":"Install host routes for ifconfig-push routes when DCO is enabled\n\nifconfig-push and ifconfig-ipv6-push can configure the IP address of a\nclient. If this IP address lies inside the network that is configured\non the ovpn/tun device this works as expected as the routing table point to\nthe ovpn/tun interface. However, if the IP address\nis outside that range, the IP packets are not forwarded to the ovpn/tun\ninterface.\n\nThis patch adds logic to add host routes for these\nifconfig-push/ifconfig-ipv6-push addresses to ensure that traffic for\nthese IP addresses is also directed to the VPN.\n\nFor Linux it is important that these extra routes are routes using scope link\nrather than static since otherwise routes via these IP addresses, like\niroute, will not work. On FreeBSD we also use interface routes as works and\nroutes that target interfaces instead of IP addresses are less brittle.\n\nTested using a server with ccd:\n\n   openvpn --server 10.33.0.0 255.255.192.0 --server-ipv6 fd00:f00f::1/64  --client-config-dir ~/ccd [...]\n\nand a client with lwipvonpn and the following ccd file:\n\n   iroute-ipv6 FD00:F00F:CAFE::1001/64\n   ifconfig-ipv6-push FD00:F00F:D00D::77/64\n   push \"setenv-safe ifconfig_ipv6_local_2 FD00:F00F:CAFE::1001\"\n   push \"setenv-safe ifconfig_ipv6_netbits_2 64\"\n\n   iroute 10.234.234.0 255.255.255.0\n   ifconfig-push 10.11.12.13 255.255.255.0\n   push \"setenv-safe ifconfig_local_2 10.234.234.12\"\n   push \"setenv-safe ifconfig_netmask_2 255.255.255.0\"\n\nThis setups an ifconfig-push addresses outside the --server/--server-ipv6\nnetwork and additionally configures a iroute behind that client. The\nsetenv-safe configure lwipovpn to use that additional IP addresses to allow\ntesting via ping.\n\nWindows behaves like the user space implementation. It does require these\nspecial routes but instead (like user space) needs static routes to redirect\nIP traffic for these IP addresses to the tunnel interface. E.g. in the example\nabove the server config needs to have:\n\n   route 10.234.234.0 255.255.255.0\n   route 10.11.12.0 255.255.255.0\n\n   route-ipv6 FD00:F00F:CAFE::1001/64\n   route-ipv6 FD00:F00F:D00D::77/64\n\nChange-Id: I83295e00d1a756dfa44050b0a4493095fb050fff\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"ccf8d4d5f84a5a50e9b5e9fd83e889dc52360319":{"kind":"REWORK","_number":9,"created":"2025-10-13 14:24:13.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/92/1192/9","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/92/1192/9","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/9 \u0026\u0026 git checkout -b change-1192 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/9 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/9 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/9 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/92/1192/9","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/9 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"cf2d18de8b9d75a235dba8e84674361cf64b1489","subject":"Make recursive routing check more fine-grained"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-12 12:29:58.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-10-13 14:22:03.000000000","tz":120},"subject":"Install host routes for ifconfig-push routes when DCO is enabled","message":"Install host routes for ifconfig-push routes when DCO is enabled\n\nifconfig-push and ifconfig-ipv6-push can configure the IP address of a\nclient. If this IP address lies inside the network that is configured\non the ovpn/tun device this works as expected as the routing table point to\nthe ovpn/tun interface. However, if the IP address\nis outside that range, the IP packets are not forwarded to the ovpn/tun\ninterface.\n\nThis patch adds logic to add host routes for these\nifconfig-push/ifconfig-ipv6-push addresses to ensure that traffic for\nthese IP addresses is also directed to the VPN.\n\nFor Linux it is important that these extra routes are routes using scope link\nrather than static since otherwise routes via these IP addresses, like\niroute, will not work. On FreeBSD we also use interface routes as works and\nroutes that target interfaces instead of IP addresses are less brittle.\n\nTested using a server with ccd:\n\n   openvpn --server 10.33.0.0 255.255.192.0 --server-ipv6 fd00:f00f::1/64  --client-config-dir ~/ccd [...]\n\nand a client with lwipvonpn and the following ccd file:\n\n   iroute-ipv6 FD00:F00F:CAFE::1001/64\n   ifconfig-ipv6-push FD00:F00F:D00D::77/64\n   push \"setenv-safe ifconfig_ipv6_local_2 FD00:F00F:CAFE::1001\"\n   push \"setenv-safe ifconfig_ipv6_netbits_2 64\"\n\n   iroute 10.234.234.0 255.255.255.0\n   ifconfig-push 10.11.12.13 255.255.255.0\n   push \"setenv-safe ifconfig_local_2 10.234.234.12\"\n   push \"setenv-safe ifconfig_netmask_2 255.255.255.0\"\n\nThis setups an ifconfig-push addresses outside the --server/--server-ipv6\nnetwork and additionally configures a iroute behind that client. The\nsetenv-safe configure lwipovpn to use that additional IP addresses to allow\ntesting via ping.\n\nWindows behaves like the user space implementation. It does require these\nspecial routes but instead (like user space) needs static routes to redirect\nIP traffic for these IP addresses to the tunnel interface. E.g. in the example\nabove the server config needs to have:\n\n   route 10.234.234.0 255.255.255.0\n   route 10.11.12.0 255.255.255.0\n\n   route-ipv6 FD00:F00F:CAFE::1001/64\n   route-ipv6 FD00:F00F:D00D::77/64\n\nChange-Id: I83295e00d1a756dfa44050b0a4493095fb050fff\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"74ccc8533b385c5efceeb4b46765c87294c99ada":{"kind":"REWORK","_number":10,"created":"2025-10-14 09:28:41.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/92/1192/10","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/92/1192/10","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/10 \u0026\u0026 git checkout -b change-1192 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/10 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/10 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/10 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/92/1192/10","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/10 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"cf2d18de8b9d75a235dba8e84674361cf64b1489","subject":"Make recursive routing check more fine-grained"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-12 12:29:58.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-10-14 09:28:22.000000000","tz":120},"subject":"Install host routes for ifconfig-push routes when DCO is enabled","message":"Install host routes for ifconfig-push routes when DCO is enabled\n\nifconfig-push and ifconfig-ipv6-push can configure the IP address of a\nclient. If this IP address lies inside the network that is configured\non the ovpn/tun device this works as expected as the routing table point to\nthe ovpn/tun interface. However, if the IP address\nis outside that range, the IP packets are not forwarded to the ovpn/tun\ninterface.\n\nThis patch adds logic to add host routes for these\nifconfig-push/ifconfig-ipv6-push addresses to ensure that traffic for\nthese IP addresses is also directed to the VPN.\n\nFor Linux it is important that these extra routes are routes using scope link\nrather than static since otherwise routes via these IP addresses, like\niroute, will not work. On FreeBSD we also use interface routes as works and\nroutes that target interfaces instead of IP addresses are less brittle.\n\nTested using a server with ccd:\n\n   openvpn --server 10.33.0.0 255.255.192.0 --server-ipv6 fd00:f00f::1/64  --client-config-dir ~/ccd [...]\n\nand a client with lwipvonpn and the following ccd file:\n\n   iroute-ipv6 FD00:F00F:CAFE::1001/64\n   ifconfig-ipv6-push FD00:F00F:D00D::77/64\n   push \"setenv-safe ifconfig_ipv6_local_2 FD00:F00F:CAFE::1001\"\n   push \"setenv-safe ifconfig_ipv6_netbits_2 64\"\n\n   iroute 10.234.234.0 255.255.255.0\n   ifconfig-push 10.11.12.13 255.255.255.0\n   push \"setenv-safe ifconfig_local_2 10.234.234.12\"\n   push \"setenv-safe ifconfig_netmask_2 255.255.255.0\"\n\nThis setups an ifconfig-push addresses outside the --server/--server-ipv6\nnetwork and additionally configures a iroute behind that client. The\nsetenv-safe configure lwipovpn to use that additional IP addresses to allow\ntesting via ping.\n\nWindows behaves like the user space implementation. It does require these\nspecial routes but instead (like user space) needs static routes to redirect\nIP traffic for these IP addresses to the tunnel interface. E.g. in the example\nabove the server config needs to have:\n\n   route 10.234.234.0 255.255.255.0\n   route 10.11.12.0 255.255.255.0\n\n   route-ipv6 FD00:F00F:CAFE::1001/64\n   route-ipv6 FD00:F00F:D00D::77/64\n\nChange-Id: I83295e00d1a756dfa44050b0a4493095fb050fff\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"9c78bdf6de34137c24f869d483fd962e81dccf9c":{"kind":"TRIVIAL_REBASE","_number":11,"created":"2025-10-14 11:50:52.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/92/1192/11","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/92/1192/11","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/11 \u0026\u0026 git checkout -b change-1192 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/11 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/11 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/11 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/92/1192/11","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/11 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"b298a7418e3776972159d84c4636c829ec6f6946","subject":"dhcp: Clean up type handling of write_dhcp_*"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-12 12:29:58.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-10-14 11:49:36.000000000","tz":120},"subject":"Install host routes for ifconfig-push routes when DCO is enabled","message":"Install host routes for ifconfig-push routes when DCO is enabled\n\nifconfig-push and ifconfig-ipv6-push can configure the IP address of a\nclient. If this IP address lies inside the network that is configured\non the ovpn/tun device this works as expected as the routing table point to\nthe ovpn/tun interface. However, if the IP address\nis outside that range, the IP packets are not forwarded to the ovpn/tun\ninterface.\n\nThis patch adds logic to add host routes for these\nifconfig-push/ifconfig-ipv6-push addresses to ensure that traffic for\nthese IP addresses is also directed to the VPN.\n\nFor Linux it is important that these extra routes are routes using scope link\nrather than static since otherwise routes via these IP addresses, like\niroute, will not work. On FreeBSD we also use interface routes as works and\nroutes that target interfaces instead of IP addresses are less brittle.\n\nTested using a server with ccd:\n\n   openvpn --server 10.33.0.0 255.255.192.0 --server-ipv6 fd00:f00f::1/64  --client-config-dir ~/ccd [...]\n\nand a client with lwipvonpn and the following ccd file:\n\n   iroute-ipv6 FD00:F00F:CAFE::1001/64\n   ifconfig-ipv6-push FD00:F00F:D00D::77/64\n   push \"setenv-safe ifconfig_ipv6_local_2 FD00:F00F:CAFE::1001\"\n   push \"setenv-safe ifconfig_ipv6_netbits_2 64\"\n\n   iroute 10.234.234.0 255.255.255.0\n   ifconfig-push 10.11.12.13 255.255.255.0\n   push \"setenv-safe ifconfig_local_2 10.234.234.12\"\n   push \"setenv-safe ifconfig_netmask_2 255.255.255.0\"\n\nThis setups an ifconfig-push addresses outside the --server/--server-ipv6\nnetwork and additionally configures a iroute behind that client. The\nsetenv-safe configure lwipovpn to use that additional IP addresses to allow\ntesting via ping.\n\nWindows behaves like the user space implementation. It does require these\nspecial routes but instead (like user space) needs static routes to redirect\nIP traffic for these IP addresses to the tunnel interface. E.g. in the example\nabove the server config needs to have:\n\n   route 10.234.234.0 255.255.255.0\n   route 10.11.12.0 255.255.255.0\n\n   route-ipv6 FD00:F00F:CAFE::1001/64\n   route-ipv6 FD00:F00F:D00D::77/64\n\nChange-Id: I83295e00d1a756dfa44050b0a4493095fb050fff\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"076ebc539320b1fbabee03488d0f81c3e097a5ab":{"kind":"REWORK","_number":12,"created":"2025-10-27 10:35:21.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/92/1192/12","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/92/1192/12","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/12 \u0026\u0026 git checkout -b change-1192 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/12 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/12 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/12 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/92/1192/12","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/12 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"9c55e84eea01b1f3ddabae82c7df8adaac7b8c35","subject":"Remove perf.c/perf.h"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-12 12:29:58.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-10-27 10:34:19.000000000","tz":60},"subject":"Install host routes for ifconfig-push routes when DCO is enabled","message":"Install host routes for ifconfig-push routes when DCO is enabled\n\nifconfig-push and ifconfig-ipv6-push can configure the IP address of a\nclient. If this IP address lies inside the network that is configured\non the ovpn/tun device this works as expected as the routing table point to\nthe ovpn/tun interface. However, if the IP address\nis outside that range, the IP packets are not forwarded to the ovpn/tun\ninterface.\n\nThis patch adds logic to add host routes for these\nifconfig-push/ifconfig-ipv6-push addresses to ensure that traffic for\nthese IP addresses is also directed to the VPN.\n\nFor Linux it is important that these extra routes are routes using scope link\nrather than static since otherwise routes via these IP addresses, like\niroute, will not work. On FreeBSD we also use interface routes as works and\nroutes that target interfaces instead of IP addresses are less brittle.\n\nTested using a server with ccd:\n\n   openvpn --server 10.33.0.0 255.255.192.0 --server-ipv6 fd00:f00f::1/64  --client-config-dir ~/ccd [...]\n\nand a client with lwipvonpn and the following ccd file:\n\n   iroute-ipv6 FD00:F00F:CAFE::1001/64\n   ifconfig-ipv6-push FD00:F00F:D00D::77/64\n   push \"setenv-safe ifconfig_ipv6_local_2 FD00:F00F:CAFE::1001\"\n   push \"setenv-safe ifconfig_ipv6_netbits_2 64\"\n\n   iroute 10.234.234.0 255.255.255.0\n   ifconfig-push 10.11.12.13 255.255.255.0\n   push \"setenv-safe ifconfig_local_2 10.234.234.12\"\n   push \"setenv-safe ifconfig_netmask_2 255.255.255.0\"\n\nThis setups an ifconfig-push addresses outside the --server/--server-ipv6\nnetwork and additionally configures a iroute behind that client. The\nsetenv-safe configure lwipovpn to use that additional IP addresses to allow\ntesting via ping.\n\nWindows behaves like the user space implementation. It does require these\nspecial routes but instead (like user space) needs static routes to redirect\nIP traffic for these IP addresses to the tunnel interface. E.g. in the example\nabove the server config needs to have:\n\n   route 10.234.234.0 255.255.255.0\n   route 10.11.12.0 255.255.255.0\n\n   route-ipv6 FD00:F00F:CAFE::1001/64\n   route-ipv6 FD00:F00F:D00D::77/64\n\nChange-Id: I83295e00d1a756dfa44050b0a4493095fb050fff\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"8d1416fee21b68b12e00bbbf565bf84f5792aff1":{"kind":"REWORK","_number":13,"created":"2025-10-27 12:19:42.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/92/1192/13","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/92/1192/13","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/13 \u0026\u0026 git checkout -b change-1192 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/13 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/13 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/13 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/92/1192/13","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/13 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"9c55e84eea01b1f3ddabae82c7df8adaac7b8c35","subject":"Remove perf.c/perf.h"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-12 12:29:58.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-10-27 12:17:41.000000000","tz":60},"subject":"Install host routes for ifconfig-push routes when DCO is enabled","message":"Install host routes for ifconfig-push routes when DCO is enabled\n\nifconfig-push and ifconfig-ipv6-push can configure the IP address of a\nclient. If this IP address lies inside the network that is configured\non the ovpn/tun device this works as expected as the routing table point to\nthe ovpn/tun interface. However, if the IP address\nis outside that range, the IP packets are not forwarded to the ovpn/tun\ninterface.\n\nThis patch adds logic to add host routes for these\nifconfig-push/ifconfig-ipv6-push addresses to ensure that traffic for\nthese IP addresses is also directed to the VPN.\n\nFor Linux it is important that these extra routes are routes using scope link\nrather than static since otherwise routes via these IP addresses, like\niroute, will not work. On FreeBSD we also use interface routes as works and\nroutes that target interfaces instead of IP addresses are less brittle.\n\nTested using a server with ccd:\n\n   openvpn --server 10.33.0.0 255.255.192.0 --server-ipv6 fd00:f00f::1/64  --client-config-dir ~/ccd [...]\n\nand a client with lwipvonpn and the following ccd file:\n\n   iroute-ipv6 FD00:F00F:CAFE::1001/64\n   ifconfig-ipv6-push FD00:F00F:D00D::77/64\n   push \"setenv-safe ifconfig_ipv6_local_2 FD00:F00F:CAFE::1001\"\n   push \"setenv-safe ifconfig_ipv6_netbits_2 64\"\n\n   iroute 10.234.234.0 255.255.255.0\n   ifconfig-push 10.11.12.13 255.255.255.0\n   push \"setenv-safe ifconfig_local_2 10.234.234.12\"\n   push \"setenv-safe ifconfig_netmask_2 255.255.255.0\"\n\nThis setups an ifconfig-push addresses outside the --server/--server-ipv6\nnetwork and additionally configures a iroute behind that client. The\nsetenv-safe configure lwipovpn to use that additional IP addresses to allow\ntesting via ping.\n\nWindows behaves like the user space implementation. It does require these\nspecial routes but instead (like user space) needs static routes to redirect\nIP traffic for these IP addresses to the tunnel interface. E.g. in the example\nabove the server config needs to have:\n\n   route 10.234.234.0 255.255.255.0\n   route 10.11.12.0 255.255.255.0\n\n   route-ipv6 FD00:F00F:CAFE::1001/64\n   route-ipv6 FD00:F00F:D00D::77/64\n\nChange-Id: I83295e00d1a756dfa44050b0a4493095fb050fff\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"74c2d66043e45ae95a552f763af39cbc7a8740b4":{"kind":"REWORK","_number":14,"created":"2025-10-28 23:24:27.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/92/1192/14","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/92/1192/14","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/14 \u0026\u0026 git checkout -b change-1192 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/14 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/14 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/14 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/92/1192/14","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/14 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"9c55e84eea01b1f3ddabae82c7df8adaac7b8c35","subject":"Remove perf.c/perf.h"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-12 12:29:58.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-10-28 23:24:04.000000000","tz":60},"subject":"Install host routes for ifconfig-push routes when DCO is enabled","message":"Install host routes for ifconfig-push routes when DCO is enabled\n\nifconfig-push and ifconfig-ipv6-push can configure the IP address of a\nclient. If this IP address lies inside the network that is configured\non the ovpn/tun device this works as expected as the routing table point to\nthe ovpn/tun interface. However, if the IP address\nis outside that range, the IP packets are not forwarded to the ovpn/tun\ninterface.\n\nThis patch adds logic to add host routes for these\nifconfig-push/ifconfig-ipv6-push addresses to ensure that traffic for\nthese IP addresses is also directed to the VPN.\n\nFor Linux it is important that these extra routes are routes using scope link\nrather than static since otherwise routes via these IP addresses, like\niroute, will not work. On FreeBSD we also use interface routes as works and\nroutes that target interfaces instead of IP addresses are less brittle.\n\nTested using a server with ccd:\n\n   openvpn --server 10.33.0.0 255.255.192.0 --server-ipv6 fd00:f00f::1/64  --client-config-dir ~/ccd [...]\n\nand a client with lwipvonpn and the following ccd file:\n\n   iroute-ipv6 FD00:F00F:CAFE::1001/64\n   ifconfig-ipv6-push FD00:F00F:D00D::77/64\n   push \"setenv-safe ifconfig_ipv6_local_2 FD00:F00F:CAFE::1001\"\n   push \"setenv-safe ifconfig_ipv6_netbits_2 64\"\n\n   iroute 10.234.234.0 255.255.255.0\n   ifconfig-push 10.11.12.13 255.255.255.0\n   push \"setenv-safe ifconfig_local_2 10.234.234.12\"\n   push \"setenv-safe ifconfig_netmask_2 255.255.255.0\"\n\nThis setups an ifconfig-push addresses outside the --server/--server-ipv6\nnetwork and additionally configures a iroute behind that client. The\nsetenv-safe configure lwipovpn to use that additional IP addresses to allow\ntesting via ping.\n\nWindows behaves like the user space implementation. It does require these\nspecial routes but instead (like user space) needs static routes to redirect\nIP traffic for these IP addresses to the tunnel interface. E.g. in the example\nabove the server config needs to have:\n\n   route 10.234.234.0 255.255.255.0\n   route 10.11.12.0 255.255.255.0\n\n   route-ipv6 FD00:F00F:CAFE::1001/64\n   route-ipv6 FD00:F00F:D00D::77/64\n\nChange-Id: I83295e00d1a756dfa44050b0a4493095fb050fff\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"f938d991a8222bb3304865f2cd7b368d7f8a9224":{"kind":"TRIVIAL_REBASE_WITH_MESSAGE_UPDATE","_number":15,"created":"2025-10-29 07:53:15.000000000","uploader":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"ref":"refs/changes/92/1192/15","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/92/1192/15","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/15 \u0026\u0026 git checkout -b change-1192 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/15 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/15 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/15 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/92/1192/15","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/92/1192/15 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"911a69dc1af20bc54557a208b6fd4e76261b2bb2","subject":"Fix logic when pushed cipher triggers tun reopen and ignore more options"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-10-29 07:06:56.000000000","tz":60},"committer":{"name":"Gert Doering","email":"gert@greenie.muc.de","date":"2025-10-29 07:49:17.000000000","tz":60},"subject":"Install host routes for out-of-subnet ifconfig-push addresses when DCO is enabled","message":"Install host routes for out-of-subnet ifconfig-push addresses when DCO is enabled\n\nifconfig-push and ifconfig-ipv6-push can configure the IP address of a\nclient. If this IP address lies inside the network that is configured\non the ovpn/tun device this works as expected as the routing table point to\nthe ovpn/tun interface.  However, if the IP address is outside that range,\nthe IP packets are not forwarded to the ovpn/tun interface and Linux\nand FreeBSD DCO implementations need a \"connected\" route so kernel\nrouting knows that the IP in question is a peer VPN IP.\n\nThis patch adds logic to add host routes for these ifconfig-push +\nifconfig-ipv6-push addresses to ensure that traffic for these IP\naddresses is also directed to the VPN.\n\nFor Linux it is important that these extra routes are routes using scope\nlink rather than static since otherwise indirect routes via these IP\naddresses, like iroute, will not work. On FreeBSD we also use interface\nroutes as that works and routes that target interfaces instead of\nnext-hop IP addresses are less brittle.\n\nTested using a server with ccd:\n\n   openvpn --server 10.33.0.0 255.255.192.0 --server-ipv6 fd00:f00f::1/64  --client-config-dir ~/ccd [...]\n\nand a client with lwipvonpn and the following ccd file:\n\n   iroute-ipv6 FD00:F00F:CAFE::1001/64\n   ifconfig-ipv6-push FD00:F00F:D00D::77/64\n   push \"setenv-safe ifconfig_ipv6_local_2 FD00:F00F:CAFE::1001\"\n   push \"setenv-safe ifconfig_ipv6_netbits_2 64\"\n\n   iroute 10.234.234.0 255.255.255.0\n   ifconfig-push 10.11.12.13 255.255.255.0\n   push \"setenv-safe ifconfig_local_2 10.234.234.12\"\n   push \"setenv-safe ifconfig_netmask_2 255.255.255.0\"\n\nThis setups an ifconfig-push addresses outside the --server/--server-ipv6\nnetwork and additionally configures a iroute behind that client. The\nsetenv-safe configure lwipovpn to use that additional IP addresses to allow\ntesting via ping.\n\nWindows behaves like the user space implementation. It does not require these\nspecial routes but instead (like user space) needs static routes to redirect\nIP traffic for these IP addresses to the tunnel interface. E.g. in the example\nabove the server config needs to have:\n\n   route 10.234.234.0 255.255.255.0\n   route 10.11.12.0 255.255.255.0\n\n   route-ipv6 FD00:F00F:CAFE::1001/64\n   route-ipv6 FD00:F00F:D00D::77/64\n\nChange-Id: I83295e00d1a756dfa44050b0a4493095fb050fff\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\nAcked-by: Gert Doering \u003cgert@greenie.muc.de\u003e\nGerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1192\nMessage-Id: \u003c20251029070701.11457-1-gert@greenie.muc.de\u003e\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33991.html\nSigned-off-by: Gert Doering \u003cgert@greenie.muc.de\u003e\n"},"branch":"refs/heads/master"}},"requirements":[],"submit_records":[],"submit_requirements":[]}