Opened 6 years ago
Closed 3 years ago
#1057 closed Bug / Defect (fixed)
--multihome for v4-mapped sockets on FreeBSD fails
Reported by: | Gert Döring | Owned by: | Gert Döring |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Networking | Version: | OpenVPN git master branch (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: |
Description
dual-stack bind (v6 socket)
two IPv4 addresses
incoming UDP packet
reply goes out with wrong source
we had this with Linux, seems it is also a problem on FreeBSD
TODO: find out which FreeBSD versions are affected (this came from pfsense), document shortcomings, open FreeBSD PR if needed
Change History (10)
comment:1 Changed 6 years ago by
comment:5 Changed 4 years ago by
Seems this was a FreeBSD kernel omission after all - we got a patch to test:
comment:6 Changed 4 years ago by
So. Testing the patch from Bjoern.
- unmodified 12.1-RELEASE-p3, compiled from source, with 3x IPv4 and 2x IPv6 addresses
- server with proto udp6 and multihome
- connecting to either IPv6 address
- connecting to IPv4 addresses always results in "response comes from the first IPv4 address on the interface" (so, secondary IPs fail)
- applying patch D24135 from above, rebuilding the kernel, rebooting
- IPv6 still works, either address
- IPv4 is completely broken, either address leads to "write UDPv6: Invalid argument (code=22)" on sendmsg()
comment:7 Changed 4 years ago by
" to a "&&" makes it work. Waiting for a new patch to do the formal ACK on it.
comment:8 Changed 4 years ago by
The FreeBSD people have now merged this in
commit rS364018: IPV6_PKTINFO support for v4-mapped IPv6 sockets (authored by bz)
This is now in "CURRENT" (which will eventually become 13-RELEASE). I've been told that this will be pulled to stable/12 in about 1-2 weeks, and eventually hit 12.2-RELEASE.
So - if you OpenVPN users get bit by this, upgrade to 12.2-RELEASE :-)
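For reference, the receive/reply pattern that depends on this kernel support, as an added example (not OpenVPN or FreeBSD code): the server reads the packet's local address from the IPV6_PKTINFO control message and hands it back on sendmsg(), so an IPv4 client on a dual-stack socket is answered from the v4-mapped address it contacted. The helper names are hypothetical, and fd is assumed to be an AF_INET6 UDP socket with IPV6_V6ONLY off and IPV6_RECVPKTINFO on.

```c
#define _GNU_SOURCE             /* glibc: exposes struct in6_pktinfo */
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#if defined(__GLIBC__) && !defined(__USE_GNU)  /* _GNU_SOURCE came too late */
struct in6_pktinfo { struct in6_addr ipi6_addr; unsigned int ipi6_ifindex; };
#endif

/* Find the IPV6_PKTINFO cmsg filled in by recvmsg(). On a dual-stack socket
 * an IPv4 packet's local address arrives v4-mapped (::ffff:a.b.c.d). */
int get_local_addr(struct msghdr *m, struct in6_pktinfo *out)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(m); c; c = CMSG_NXTHDR(m, c))
        if (c->cmsg_level == IPPROTO_IPV6 && c->cmsg_type == IPV6_PKTINFO) {
            memcpy(out, CMSG_DATA(c), sizeof *out);
            return 0;
        }
    return -1;
}

/* Attach an IPV6_PKTINFO cmsg so sendmsg() uses pi->ipi6_addr as the source.
 * cbuf must hold at least CMSG_SPACE(sizeof *pi) bytes. */
void set_source_addr(struct msghdr *m, void *cbuf, const struct in6_pktinfo *pi)
{
    memset(cbuf, 0, CMSG_SPACE(sizeof *pi));
    m->msg_control = cbuf;
    m->msg_controllen = CMSG_SPACE(sizeof *pi);
    struct cmsghdr *c = CMSG_FIRSTHDR(m);
    c->cmsg_level = IPPROTO_IPV6;
    c->cmsg_type = IPV6_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof *pi);
    memcpy(CMSG_DATA(c), pi, sizeof *pi);
}

/* Echo one datagram back from the address (and interface) it was sent to. */
int echo_once(int fd)
{
    _Alignas(struct cmsghdr) char cin[CMSG_SPACE(sizeof(struct in6_pktinfo))],
                                  cout[sizeof cin], data[2048];
    struct sockaddr_in6 peer;
    struct in6_pktinfo pi;
    struct iovec iov = { data, sizeof data };
    struct msghdr m = { .msg_name = &peer, .msg_namelen = sizeof peer, .msg_iov = &iov,
                        .msg_iovlen = 1, .msg_control = cin, .msg_controllen = sizeof cin };
    ssize_t n = recvmsg(fd, &m, 0);
    if (n < 0 || get_local_addr(&m, &pi) < 0)
        return -1;                       /* no pktinfo: source cannot be pinned */
    iov.iov_len = (size_t)n;
    set_source_addr(&m, cout, &pi);      /* reuse peer in msg_name as destination */
    return sendmsg(fd, &m, 0) < 0 ? -1 : 0;
}
```

On a kernel without v4-mapped IPV6_PKTINFO support, the sendmsg() call here is where the wrong source address or the EINVAL reported in this ticket shows up.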
comment:10 Changed 3 years ago by
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
At last!
FreeBSD 12.2-RELEASE is out, and has this fixed - I just upgraded my test host to
FreeBSD fbsd12.ov.greenie.net 12.2-RELEASE FreeBSD 12.2-RELEASE r366954 GENERIC amd64
and can confirm that a UDP server with --multihome does the right thing - 3 IPv4 addresses, 2 IPv6 addresses, packets get properly replied to, no matter which address or family the client picks.
Close!
(Thanks, bz@freebsd)
pfSense 2.4.2-p1 (FreeBSD 11.1-RELEASE-p6), OpenVPN 2.4.4, proto udp + multihome
Client logs
x.x.9.164 is a CARP address designated for OpenVPN, 192.168.16.10 is the external transport network address.
12:45:34.649106 IP 10.183.0.40.openvpn > x.x.9.164.openvpn: UDP, length 42
12:45:34.649241 IP 192.168.16.10.openvpn > 10.183.0.40.openvpn: UDP, length 50
Server logs
and then a handshake timeout.
Adding proto udp4 works fine
It looks like this behaviour is sort of known in pfSense; in 2.4.3 they added an option in the GUI to explicitly select IPv4-only:
https://redmine.pfsense.org/issues/8298