Opened 5 years ago

Last modified 17 months ago

#1221 assigned Bug / Defect

SOCKS proxy not working with UDP+IPv6

Reported by: Gert Döring Owned by: Gert Döring
Priority: major Milestone: release 2.7
Component: Networking Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc: plaisthos


The combination of "use IPv6 to talk to socks proxy *and* proto udp" does not work today.

What happens is that the openvpn client properly opens an IPv6 TCP connection (control) to the SOCKS proxy, but then requests an IPv4 socket. The v4 address returned is then put into the destination for an IPv6 socket, which leads to

Thu Oct 17 16:19:59 2019 write UDPv6: Invalid argument (code=22)
Thu Oct 17 16:20:01 2019 write UDPv6: Invalid argument (code=22)

looking into socks.c, there's a somewhat easy bugfix - return a v4-mapped v6 address in this case ("if the control connection is v6, a v4 address won't work"). This will still not be the proper fix, because OpenVPN will fail in an ipv6-only network.

For a proper fix, the socks support needs to be extended to deal with UDPv6 - which is actually twofold:

  • the UDP socket towards the SOCKS proxy (address requested and returned in establish_socks_proxy_udpassoc() and recv_socks_reply())
  • sending the actual packet with an embedded target address (socks_process_outgoing_udp() only does v4 today)
  • receiving the actual packet with an embedded from address (socks_process_incoming_udp() only does v4 today)

Writing this I have the nagging suspicion that --proto udp6 --socks-proxy ... will still fail even if using v4-mapped v6 addresses... as the code would need to understand that the target machine "behind the socks proxy" can only be reached by v4 today.

This affects 2.4, git master (and very likely 2.3 as well, if explicitly requesting proto udp6).

Change History (4)

comment:1 Changed 5 years ago by Gert Döring

Owner: set to Gert Döring
Status: newassigned

comment:2 Changed 5 years ago by Gert Döring

A first workaround got merged today, and will appear in the upcoming 2.4.8 release:

commit 57623b4e40e68de983b9dfd82914dadcbe096f7b (master)
commit bdfa0d3540b7836f72dc5f2ddb8239154d152061 (release/2.4)
Author: Gert Doering
Date: Sun Oct 20 17:00:39 2019 +0200

Force combinationation of --socks-proxy and --proto UDP to use IPv4.

this is not perfect (as it will ignore user config), but it is quickly done, clearly logs the issue, and permits usage of a socks proxy in a dual-stack environment by falling over to IPv4. It will not make it work in an IPv6 only environment.

I find the problem interesting, but might not have the time to actually work through the SOCKS protocol documents and src/openvpn/socks.c to implement what is missing - so, don't wait for me to get it done.

comment:3 Changed 4 years ago by Gert Döring

Milestone: release 2.5release 2.6

Won't make 2.5

comment:4 Changed 17 months ago by Gert Döring

Milestone: release 2.6release 2.7

Won't make 2.6 either. But we intend to work on the routing/socket side of things for 2.7

Note: See TracTickets for help on using tickets.