Opened 5 years ago

Last modified 16 months ago

#1221 assigned Bug / Defect

SOCKS proxy not working with UDP+IPv6

Reported by: Gert Döring
Owned by: Gert Döring
Priority: major
Milestone: release 2.7
Component: Networking
Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc: plaisthos

Description

The combination of "use IPv6 to talk to socks proxy *and* proto udp" does not work today.

What happens is that the openvpn client properly opens an IPv6 TCP connection (control) to the SOCKS proxy, but then requests an IPv4 socket. The v4 address returned is then put into the destination for an IPv6 socket, which leads to

Thu Oct 17 16:19:59 2019 write UDPv6: Invalid argument (code=22)
Thu Oct 17 16:20:01 2019 write UDPv6: Invalid argument (code=22)

Looking into socks.c, there's a somewhat easy bugfix - return a v4-mapped v6 address in this case ("if the control connection is v6, a v4 address won't work"). This will still not be the proper fix, because OpenVPN will fail in an IPv6-only network.

For a proper fix, the socks support needs to be extended to deal with UDPv6 - which is actually twofold:

  • the UDP socket towards the SOCKS proxy (address requested and returned in establish_socks_proxy_udpassoc() and recv_socks_reply())
  • sending the actual packet with an embedded target address (socks_process_outgoing_udp() only does v4 today)
  • receiving the actual packet with an embedded from address (socks_process_incoming_udp() only does v4 today)

Writing this I have the nagging suspicion that --proto udp6 --socks-proxy ... will still fail even if using v4-mapped v6 addresses... as the code would need to understand that the target machine "behind the socks proxy" can only be reached by v4 today.

This affects 2.4, git master (and very likely 2.3 as well, if explicitly requesting proto udp6).
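The SOCKS5 UDP encapsulation that the three points above refer to, as an added example (not OpenVPN's code and not part of the original ticket): RFC 1928 prefixes every relayed datagram with a header whose ATYP byte selects a 4-byte (0x01) or 16-byte (0x04) address. The helper names `socks5_udp_encode` and `socks5_udp_decode` are hypothetical; the decoder checks the length before reading address bytes and drops fragmented or unknown-ATYP packets.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* RFC 1928 section 7 UDP request header, prepended to every relayed datagram:
 * RSV(2)=0 | FRAG(1) | ATYP(1) | ADDR(4 or 16) | PORT(2, network order) */
enum { ATYP_IPV4 = 0x01, ATYP_IPV6 = 0x04 };

/* Hypothetical helper: returns header length (10 for IPv4, 22 for IPv6) or -1. */
int socks5_udp_encode(uint8_t *buf, size_t cap, const struct sockaddr_storage *dst)
{
    const void *addr; const void *port; size_t alen; uint8_t atyp;
    if (dst->ss_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)dst;
        addr = &s4->sin_addr; port = &s4->sin_port; alen = 4; atyp = ATYP_IPV4;
    } else if (dst->ss_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)dst;
        addr = &s6->sin6_addr; port = &s6->sin6_port; alen = 16; atyp = ATYP_IPV6;
    } else return -1;                   /* unsupported address family */
    if (cap < 4 + alen + 2) return -1;  /* caller's buffer too small */
    buf[0] = buf[1] = buf[2] = 0;       /* RSV, RSV, FRAG (no fragmentation) */
    buf[3] = atyp;
    memcpy(buf + 4, addr, alen);
    memcpy(buf + 4 + alen, port, 2);    /* sockaddr ports are already network order */
    return (int)(4 + alen + 2);
}

/* Hypothetical helper: parse the header of a datagram received from the proxy.
 * Fills from and returns the payload offset, or -1 if the packet is rejected. */
int socks5_udp_decode(const uint8_t *buf, size_t len, struct sockaddr_storage *from)
{
    if (len < 4 || buf[0] || buf[1] || buf[2]) return -1;  /* short, bad RSV, or fragment */
    memset(from, 0, sizeof(*from));
    if (buf[3] == ATYP_IPV4 && len >= 10) {
        struct sockaddr_in *s4 = (struct sockaddr_in *)from;
        s4->sin_family = AF_INET;
        memcpy(&s4->sin_addr, buf + 4, 4);
        memcpy(&s4->sin_port, buf + 8, 2);
        return 10;
    }
    if (buf[3] == ATYP_IPV6 && len >= 22) {
        struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)from;
        s6->sin6_family = AF_INET6;
        memcpy(&s6->sin6_addr, buf + 4, 16);
        memcpy(&s6->sin6_port, buf + 20, 2);
        return 22;
    }
    return -1;                          /* unknown ATYP or truncated address */
}
```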

Change History (4)

comment:1 Changed 5 years ago by Gert Döring

Owner: set to Gert Döring
Status: new → assigned

comment:2 Changed 4 years ago by Gert Döring

A first workaround got merged today, and will appear in the upcoming 2.4.8 release:

commit 57623b4e40e68de983b9dfd82914dadcbe096f7b (master)
commit bdfa0d3540b7836f72dc5f2ddb8239154d152061 (release/2.4)
Author: Gert Doering
Date: Sun Oct 20 17:00:39 2019 +0200

Force combination of --socks-proxy and --proto UDP to use IPv4.

This is not perfect (as it will ignore user config), but it is quickly done, clearly logs the issue, and permits usage of a socks proxy in a dual-stack environment by falling over to IPv4. It will not make it work in an IPv6-only environment.

I find the problem interesting, but might not have the time to actually work through the SOCKS protocol documents and src/openvpn/socks.c to implement what is missing - so, don't wait for me to get it done.

comment:3 Changed 4 years ago by Gert Döring

Milestone: release 2.5 → release 2.6

Won't make 2.5

comment:4 Changed 16 months ago by Gert Döring

Milestone: release 2.6 → release 2.7

Won't make 2.6 either. But we intend to work on the routing/socket side of things for 2.7
