Opened 4 years ago
Closed 4 years ago
#1332 closed Bug / Defect (fixed)
redirect-gateway for IPv4 breaks when connecting over IPv6
| Reported by: | Gert Döring | Owned by: | Gert Döring |
|---|---|---|---|
| Priority: | blocker | Milestone: | release 2.5 |
| Component: | Networking | Version: | OpenVPN git master branch (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | ipv6, redirect-gateway |
| Cc: | Antonio Quartulli, tct |
Description
As reported on openvpn-devel by François Kooman <fkooman@…>:
After testing connecting over native IPv6 to the VPN server, it turns out the
IPv4 traffic is not routed over the VPN. This worked in older versions of
OpenVPN (2.4.x) but no longer in OpenVPN 2.5rc2. I am testing with Windows
8.1, but the same was reported on Windows 10.
This is pushed to the client regarding default gateway: redirect-gateway def1
ipv6
The log shows this "NOTE": 2020-10-02 06:20:07 NOTE: unable to redirect
IPv4 default gateway -- Cannot obtain current remote host address
IPv6 traffic *does* get routed over the VPN.
It may have something to do with this commit:
https://github.com/OpenVPN/openvpn/commit/aa34684972eb01bfa5c355d1c8a8a9d384bf0175#diff-c5fe151f7dee49748a306a4defe6bbea
See attached full client log message.
2020-10-02 06:19:59 TCP/UDP: Preserving recently used remote address: [AF_INET6]2a01:4f8:c2c:a7af::1:1194 ... 2020-10-02 06:19:59 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify 1,redirect-gateway def1 ipv6,block-outside-dns,dhcp-option DNS 10.132.193.1,dhcp-option DNS fd0b:7113:df63:d03c::1,tun-ipv6,route-gateway 10.132.193.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fd0b:7113:df63:d03c::2/112 fd0b:7113:df63:d03c::1,ifconfig 10.132.193.2 255.255.255.248,peer-id 0,cipher AES-256-GCM' ... 2020-10-02 06:19:59 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 I=4 HWADDR=20:16:d8:d6:01:14 2020-10-02 06:19:59 GDG6: remote_host_ipv6=2a01:4f8:c2c:a7af::1 2020-10-02 06:19:59 GetBestInterfaceEx() returned if=4 2020-10-02 06:19:59 GDG6: II=4 DP=::/0 NH=fe80::e228:6dff:fe56:e55 2020-10-02 06:19:59 GDG6: Metric=256, Loopback=0, AA=1, I=0 2020-10-02 06:19:59 ROUTE6_GATEWAY fe80::e228:6dff:fe56:e55 I=4 2020-10-02 06:19:59 ROUTE6: 2000::/4 overlaps IPv6 remote 2a01:4f8:c2c:a7af::1, adding host route to VPN endpoint ... 2020-10-02 06:20:07 NOTE: unable to redirect IPv4 default gateway -- Cannot obtain current remote host address ...
Change History (6)
comment:1 Changed 4 years ago by
| Cc: | tct added |
|---|
comment:2 Changed 4 years ago by
| Cc: | tct removed |
|---|
comment:3 Changed 4 years ago by
| Cc: | tct added |
|---|
comment:5 Changed 4 years ago by
Patch has been applied to the master and release/2.5 branch.
commit 23e11e591347080efa3b933beca7f620dd059d5c (master)
commit 7b4f53095c761bde8c6b39cf645cade4c1c0c5d4 (release/2.5)
Author: Gert Doering
Date: Fri Oct 2 19:57:36 2020 +0200
Fix redirecting of IPv4 default gateway if connecting over IPv6.
I think it's fixed for good, but leave this open so I can hear from people who ran into this that it's actually fixing the issue for them (Thomas, Francois).
comment:6 Changed 4 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Bugfix confirmed on RC3 on Windows and Linux by Thomas.
route.c, redirect_default_route_to_vpn()
... else if (!(rl->spec.flags & RTSA_REMOTE_HOST)) { msg(M_WARN, "%s Cannot obtain current remote host address", err); } else ...this is a very old assumption "if we do not even know who we are talking to, how can we install a host route to make it still work after we redirect the gateway".
And indeed, I broke it it in commit aa34684972e, because we used to always set RTSA_REMOTE_HOST, even if we didn't know (sillyfying "remote_host" in route statements).