Opened 23 months ago

Last modified 11 months ago

#1057 assigned Bug / Defect

--multihome for v4-mapped sockets on FreeBSD fails

Reported by: Gert Döring Owned by: Gert Döring
Priority: major Milestone:
Component: Networking Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:


dual-stack bind (v6 socket)
two IPv4 addresses
incoming UDP packet
reply goes out with wrong source

we had this with Linux, seems it is also a problem on FreeBSD

TODO: find out which FreeBSD versions are affected (this came from pfsense), document shortcomings, open FreeBSD PR if needed

Change History (4)

comment:1 Changed 23 months ago by berni

pfSense 2.4.2-p1 (FreeBSD 11.1-RELEASE-p6), OpenVPN 2.4.4, proto udp + multihome

Client logs

2018-04-17 10:53:18 TCP/UDP: Incoming packet rejected from [AF_INET][2], expected peer address: [AF_INET]x.x.9.164:1194 (allow this incoming source address/port by removing --remote or adding --float)

x.x.9.164 is a CARP address designated for OpenVPN, is the external transport network address.

12:45:34.649106 IP > x.x.9.164.openvpn: UDP, length 42
12:45:34.649241 IP > UDP, length 50

Server logs TLS: Initial packet from [AF_INET6]::ffff: (via ::ffff:x.x.9.164%vmx0), sid=7014e677 11d4cfce

and then a handshake timeout.

Adding proto udp4 works fine

TLS: Initial packet from [AF_INET] (via [AF_INET]x.x.9.164%), sid=fdefbc01 350cbeb3

It looks like this behaviour is sort of known in pfSense, in 2.4.3 they added an option in the GUI to explicitly select IPv4-only

comment:2 Changed 23 months ago by tincantech


comment:3 Changed 14 months ago by serinalevis


Last edited 11 months ago by Eric Crist (previous) (diff)

comment:4 Changed 11 months ago by takken3


Last edited 11 months ago by Eric Crist (previous) (diff)
Note: See TracTickets for help on using tickets.