Opened 3 years ago

Closed 20 months ago

#135 closed Bug / Defect (fixed)

Passtos does not work with freebsd

Reported by: vielhak
Owned by:
Priority: major
Milestone:
Component: Networking
Version: 2.2.0
Severity: Not set (if unsure, select this one)
Keywords:
Cc:

Description

Hi,

I have trouble using the passtos feature with FreeBSD 8.1.
See also http://redmine.pfsense.org/issues/1525
I use the following config (client):

dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 172.22.23.131
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote 85.182.255.196 11946
ifconfig 172.16.3.2 172.16.3.1
route 172.27.0.0 255.255.0.0
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
passtos

When I do a "ping -z5 172.27.1.13" via the tunnel, this is the decrypted packet on the destination (with TOS bits set):
11:04:49.312291 IP (tos 0x5,ECT(1), ttl 63, id 58247, offset 0, flags [none], proto ICMP (1), length 84)

172.16.3.2 > 172.27.1.13: ICMP echo request, id 51644, seq 36, length 64

and this is the encrypted tunnel packet (without TOS):
11:04:49.304835 IP (tos 0x0, ttl 64, id 58280, offset 0, flags [none], proto UDP (17), length 161)

172.22.23.131.1000 > 85.182.255.196.11946: UDP, length 133

If I use the same setup with a Linux client (same OpenVPN version) everything works. So it seems to be a problem with the FreeBSD port.

Change History (4)

comment:1 Changed 3 years ago by vielhak

The problem is that FreeBSD's setsockopt expects the IP_TOS option as an int, not as a uint8_t. Due to that, the following setsockopt call leads to an EINVAL on FreeBSD (ls->ptos is uint8_t):

static inline void
link_socket_set_tos (struct link_socket *ls)
{
  /* ls->ptos is a uint8_t, so optlen is 1 here; FreeBSD wants sizeof (int) */
  if (ls && ls->ptos_defined)
    setsockopt (ls->sd, IPPROTO_IP, IP_TOS, &ls->ptos, sizeof (ls->ptos));
}

Workaround on FreeBSD: if you use:

static inline void
link_socket_set_tos (struct link_socket *ls)
{
  if (ls && ls->ptos_defined) {
    int tos = ls->ptos;   /* widen to int so optlen == sizeof (int) */
    setsockopt (ls->sd, IPPROTO_IP, IP_TOS, &tos, sizeof (tos));
  }
}

everything works great; see the encrypted packet of "ping -z 5 172.16.3.1":

16:39:47.976342 IP (tos 0x5,ECT(1), ttl 64, id 27692, offset 0, flags [none], proto UDP (17), length 161)

172.22.23.131.1000 > 85.182.255.196.11946: UDP, length 133


comment:2 Changed 3 years ago by vielhak

Easier, the way pfSense did it:

change line 228 in socket.h to

#if defined(TARGET_FREEBSD)
      uint32_t ptos;
#else
      uint8_t ptos;
#endif

PS: I do not know if there are more OSes which need 32-bit TOS values in setsockopt().
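The failure in comment:1 and both fixes (the int copy in comment:1, the uint32_t field in comment:2) come down to the optlen handed to setsockopt(). The following is an added example written for this page, not code from OpenVPN, pfSense or the FreeBSD port: it reproduces the shape of the original helper and of the workaround on a throwaway UDP socket and reads the kernel's TOS back with getsockopt(). The function names and the sample TOS value 0xb8 (DSCP EF) are the example's own assumptions; the Linux-versus-FreeBSD behaviour it reports for the one-byte call is what the ticket describes.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Shape of the original link_socket_set_tos(): the option value is a
 * one-byte object, so optlen == 1. FreeBSD rejects that with EINVAL
 * (this ticket); Linux happens to accept any optlen >= 1. */
static int set_tos_uint8(int sd, uint8_t tos)
{
    return setsockopt(sd, IPPROTO_IP, IP_TOS, &tos, sizeof tos);
}

/* Shape of the workaround: widen the byte to an int and pass
 * sizeof(int), which every BSD-socket stack accepts for IP_TOS. */
static int set_tos_int(int sd, uint8_t tos)
{
    int val = tos;
    return setsockopt(sd, IPPROTO_IP, IP_TOS, &val, sizeof val);
}

/* Read the socket's TOS back from the kernel, or -1 on error. */
static int get_tos(int sd)
{
    int val = -1;
    socklen_t len = sizeof val;
    if (getsockopt(sd, IPPROTO_IP, IP_TOS, &val, &len) != 0)
        return -1;
    return val;
}

/* Apply the int-sized call on a fresh UDP socket and return the TOS the
 * kernel reports afterwards; -1 if the socket or the setsockopt failed. */
int tos_after_int_call(uint8_t tos)
{
    int sd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sd < 0)
        return -1;
    int got = set_tos_int(sd, tos) == 0 ? get_tos(sd) : -1;
    close(sd);
    return got;
}

/* Apply the one-byte call on a fresh UDP socket and return errno from
 * setsockopt (0 on success); -1 if no socket could be created. */
int errno_after_uint8_call(uint8_t tos)
{
    int sd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sd < 0)
        return -1;
    int err = set_tos_uint8(sd, tos) == 0 ? 0 : errno;
    close(sd);
    return err;
}

int main(void)
{
    /* Assumed sample value: DSCP EF (46 << 2), the kind of byte passtos
     * would copy from the inner packet onto the outer UDP socket. */
    uint8_t tos = 0xb8;

    int err = errno_after_uint8_call(tos);
    printf("one-byte IP_TOS call: %s\n",
           err == 0 ? "accepted (Linux behaviour)"
           : err == EINVAL ? "EINVAL (FreeBSD behaviour, this ticket)"
           : "other error");
    printf("int-sized IP_TOS call: kernel reports tos 0x%02x\n",
           tos_after_int_call(tos));
    return 0;
}
```

Run it on both platforms to see the difference: the one-byte call is the only one whose result depends on the OS, which is why the ticket's ping showed the TOS on the inner packet but tos 0x0 on the outer UDP datagram. Passing sizeof(int) (or storing ptos in a 32-bit field, as pfSense did) is portable; checking the return value of setsockopt() and logging errno would have made this visible without tcpdump.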

comment:3 Changed 20 months ago by mandree

FreeBSD port status:

  • to be fixed in upcoming security/openvpn20 as of openvpn-2.0.9_3,
  • to be fixed in upcoming new security/openvpn22 as of openvpn-2.2.2_1,
  • no fix required for security/openvpn upgrade to openvpn-2.3.0 (fixed upstream)

comment:4 Changed 20 months ago by ecrist

  • Resolution set to fixed
  • Status changed from new to closed

I spoke with mandree, and this has been resolved.
