Opened 13 years ago
Closed 11 years ago
#135 closed Bug / Defect (fixed)
Passtos does not work with freebsd
| Reported by: | vielhak | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Networking | Version: | OpenVPN 2.2.0 (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: |
Description
Hi,
I have troubles to use the passtos feature with FreeBSD8.1.
See also http://redmine.pfsense.org/issues/1525
I use the following config (client):
dev ovpnc1 dev-type tun dev-node /dev/tun1 writepid /var/run/openvpn_client1.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp cipher AES-128-CBC up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown local 172.22.23.131 tls-client client lport 0 management /var/etc/openvpn/client1.sock unix remote 85.182.255.196 11946 ifconfig 172.16.3.2 172.16.3.1 route 172.27.0.0 255.255.0.0 ca /var/etc/openvpn/client1.ca cert /var/etc/openvpn/client1.cert key /var/etc/openvpn/client1.key passtos
When I do a "ping -z5 172.27.1.13" via the tunnel, this is the decrypted packet on the destination (with TOS bits set)
11:04:49.312291 IP (tos 0x5,ECT(1), ttl 63, id 58247, offset 0, flags [none], proto ICMP (1), length 84)
172.16.3.2 > 172.27.1.13: ICMP echo request, id 51644, seq 36, length 64
an this is the encrypted tunnel packet (without TOS):
11:04:49.304835 IP (tos 0x0, ttl 64, id 58280, offset 0, flags [none], proto UDP (17), length 161)
172.22.23.131.1000 > 85.182.255.196.11946: UDP, length 133
If I use the same setup with a linux client (same OpenVPN version) everything works. So I seems to be a problem with the FreeBSD port.
Change History (4)
comment:1 Changed 13 years ago by
comment:2 Changed 13 years ago by
Easier like pfSense did it:
change line 228 in socket.h to
#if defined(TARGET_FREEBSD)
uint32_t ptos;
#else
uint8_t ptos;
#endif
PS: I do not know if there are more OSes which need 32bit TOS values in setsocketopt().
comment:3 Changed 11 years ago by
FreeBSD port status:
- to be fixed in upcoming security/openvpn20 as of openvpn-2.0.9_3,
- to be fixed in upcoming new security/openvpn22 as of openvpn-2.2.2_1,
- no fix required for security/openvpn upgrade to openvpn-2.3.0 (fixed upstream)
comment:4 Changed 11 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
I spoke with mandree, and this has been resolved.
The problem is that FreeBSD's setsocketopt expects IP_TOS option as INT not as uint8_t. Due to that the following setsocketopt leads to an EINVAL on FreeBSD (ls->ptos is uint8_t):
static inline void link_socket_set_tos (struct link_socket *ls) { if (ls && ls->ptos_defined) setsockopt (ls->sd, IPPROTO_IP, IP_TOS, &ls->ptos, sizeof (ls->ptos)); }Workaround on FreeBSD: if you use:
static inline void link_socket_set_tos (struct link_socket *ls) { if (ls && ls->ptos_defined) { int tos = ls->ptos; setsockopt (ls->sd, IPPROTO_IP, IP_TOS, &tos, sizeof (tos)); } }everythings works great; see encrypted packet of "ping -z 5 172.16.3.1":
16:39:47.976342 IP (tos 0x5,ECT(1), ttl 64, id 27692, offset 0, flags [none], proto UDP (17), length 161)