OpenVPN (userspace) will tear down the P2P interface upon disconnection, assuming the --persist-tun option was not specified by the user.
So the interface is gone in any case.
By keeping the netcarrier on we are just ensuring that, if the user wanted persist-tun, the iface is not actually making decisions on its own.
Regarding a decision on its own. Ethernet interface going to the not- running state upon lost of carrier from a switch. It's hardly could be considered a decision of the interface. It's an indication of the fact.
Similarly, beeping of UPS is not its decision to make user's life miserable, it's the indication of the power line failure. I hope, at least we are both agree on that a UPS should indicate the line failure.
Back to the 'persist-tun' option. I checked the openvpn(8) man page. It gives a reasonable hints to use this option to avoid negative outcomes on internal openvpn process restart. E.g. in case of privilege dropping. It servers the same purpose as 'persist-key'. And there is no word regarding traffic leaking.
If somebody have decided that this option gives the funny side-effect and allows to cut the corners, then I cannot say anything but sorry.
With a tun interface this can be done, now you want to basically drop this feature that existed for long time and break existing setups.
Amicus Plato, sed magis amica veritas
Yes, I don't want to see this interface misbehaviour advertised as a security feature. I hope the previous email gives a detailed explanation why.
If it's going to break existing setup, then end-users can be supported with a changelog notice explaining how to properly address the risk of the traffic leaking.
At some circumstance, e.g. Android app, it could be the only way to prevent traffic leaking. But these special circumstances do not make solution generic and eligible for inclusion into the mainline code.
Why not? We are not changing the general rule, but just defining a specific behaviour for a specific driver.
Yeah. This patch is not changing the general rule. The patch breaks it and the comment in the code makes proud of it. Looks like an old joke that documented bug become a feature.
From a system administrator or a firmware developer perspective, the proposed behaviour will look like inconsistency comparing to other interface types. And this inconsistency requires to be addressed with special configuration or a dedicated script in a worst case. And I cannot see justified reason to make their life harder.
For example, I don't think a tun interface goes down when there is no socket attached to it, still packets are just going to be blackhole'd in that case. No?
Nope. Tun interface indeed will go into the non-running state on the detach event. Moreover, the tun module supports running/non-running indication change upon a command from userspace. But not every userspace application feel a desire to implement it.
I know it can be implemented in many other different ways..but I don't see a real problem with keeping this way.
At least routing protocols and network monitoring software will not be happy to see a dead interface pretending that it's still running.
They won't know that the interface is disconnected, they will possibly just see traffic being dropped.
Packet loss detection is quite complex operation. So yes, they are indeed monitoring the interface operational state to warn operator as soon as possible and take some automatic actions if we are talking about routing protocols. Some sophisticated monitoring systems even capable to generate events like 'link unstable' with higher severity if they see interface operational state flapping in a short period of time.
So yeah, for these kinds of systems, proper operational state indication is essential.
Generally speaking, saying that interface is running, when module knows for sure that a packet can not be delivered is a user misguiding.
Or a feature, wanted by the user.
A blackhole/firewall can still be added if the user prefers (and not use the persistent interface).
The solution with false-indication is not so reliable as it might look. Interface shutdown, inability of a user-space application to start, user-space application crash, user-space application restart, each of them will void the trick. Ergo, blackhole/firewall must be employed by a security concerned user. What makes the proposed feature odd.
Yeah, this is what other VPN clients call "kill switch".
Persist-tun is just one piece of the puzzle, yet important.
To summaries, I'm Ok if this change will be merged with a comment like "For future study" or "To be done" or "To be implemented". But a comment like "to prevent traffic leaking" or any other comment implying a "breakthrough security feature" will have a big NACK from my side.
What if the comment redirects the user to --persist-tun option in order to clarify the context and the wanted behaviour?
Would that help?
Nope. As it was mentioned above, the are no indication that 'persist- tun' is a 'security' feature even in the current openvpn documentation.
If the openvpn developers want to keep implementation bug-to-bug compatible, then feel free to configure the blackhole route on behalf of end-user by means of the userspace daemon. Nobody will mind.