#1332 closed Bug / Defect (fixed)

redirect-gateway for IPv4 breaks when connecting over IPv6

Reported by: Gert Döring
Owned by: Gert Döring
Priority: blocker
Milestone: release 2.5
Component: Networking
Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: ipv6, redirect-gateway
Cc: Antonio, tct

Description

As reported on openvpn-devel by François Kooman <fkooman@…>:

After testing connecting over native IPv6 to the VPN server, it turns out the
IPv4 traffic is not routed over the VPN. This worked in older versions of
OpenVPN (2.4.x) but no longer in OpenVPN 2.5rc2. I am testing with Windows
8.1, but the same was reported on Windows 10.

This is pushed to the client regarding default gateway: redirect-gateway def1 ipv6

The log shows this "NOTE": 2020-10-02 06:20:07 NOTE: unable to redirect IPv4 default gateway -- Cannot obtain current remote host address

IPv6 traffic *does* get routed over the VPN.

It may have something to do with this commit:
https://github.com/OpenVPN/openvpn/commit/aa34684972eb01bfa5c355d1c8a8a9d384bf0175#diff-c5fe151f7dee49748a306a4defe6bbea

See attached full client log message.

2020-10-02 06:19:59 TCP/UDP: Preserving recently used remote address: [AF_INET6]2a01:4f8:c2c:a7af::1:1194
...
2020-10-02 06:19:59 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify 1,redirect-gateway def1 ipv6,block-outside-dns,dhcp-option DNS 10.132.193.1,dhcp-option DNS fd0b:7113:df63:d03c::1,tun-ipv6,route-gateway 10.132.193.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fd0b:7113:df63:d03c::2/112 fd0b:7113:df63:d03c::1,ifconfig 10.132.193.2 255.255.255.248,peer-id 0,cipher AES-256-GCM'
...
2020-10-02 06:19:59 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 I=4 HWADDR=20:16:d8:d6:01:14
2020-10-02 06:19:59 GDG6: remote_host_ipv6=2a01:4f8:c2c:a7af::1
2020-10-02 06:19:59 GetBestInterfaceEx() returned if=4
2020-10-02 06:19:59 GDG6: II=4 DP=::/0 NH=fe80::e228:6dff:fe56:e55
2020-10-02 06:19:59 GDG6: Metric=256, Loopback=0, AA=1, I=0
2020-10-02 06:19:59 ROUTE6_GATEWAY fe80::e228:6dff:fe56:e55 I=4
2020-10-02 06:19:59 ROUTE6: 2000::/4 overlaps IPv6 remote 2a01:4f8:c2c:a7af::1, adding host route to VPN endpoint
...
2020-10-02 06:20:07 NOTE: unable to redirect IPv4 default gateway -- Cannot obtain current remote host address
...
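
A log check for the symptom reported above, as an added example that is not part of the ticket or of OpenVPN's code: it flags a client log in which the server pushed an IPv4 `redirect-gateway` but the client logged the "unable to redirect IPv4 default gateway" NOTE, meaning IPv4 traffic is not routed over the VPN. The function name, result keys and the abridged sample lines are assumptions made for this example.

```python
import re

# Timestamp prefix as in the client log above.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
REMOTE_RE = re.compile(r"\[(AF_INET6?)\]")
PUSH_RE = re.compile(r"PUSH: Received control message: '([^']*)'")
FAIL_MARK = "unable to redirect IPv4 default gateway"

# Constructed sample: lines abridged from the log in this ticket.
SAMPLE_LOG = """\
2020-10-02 06:19:59 TCP/UDP: Preserving recently used remote address: [AF_INET6]2a01:4f8:c2c:a7af::1:1194
2020-10-02 06:19:59 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 ipv6,route-gateway 10.132.193.1,topology subnet'
...
2020-10-02 06:20:07 NOTE: unable to redirect IPv4 default gateway -- Cannot obtain current remote host address
""".splitlines()


def check_redirect(lines):
    """Report whether a pushed IPv4 redirect-gateway failed to install."""
    result = {"transport": None, "redirect_flags": None,
              "ipv4_redirect_failed": False, "failed_at": None}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip "..." and other non-log lines
        ts, text = m.groups()
        fam = REMOTE_RE.search(text)
        if fam and result["transport"] is None:
            result["transport"] = fam.group(1)  # address family of the remote
        push = PUSH_RE.search(text)
        if push:
            for opt in push.group(1).split(","):
                words = opt.split()
                if words and words[0] == "redirect-gateway":
                    result["redirect_flags"] = words[1:]
        if FAIL_MARK in text:
            result["ipv4_redirect_failed"] = True
            result["failed_at"] = ts
    # Leak: the server asked for an IPv4 redirect ("!ipv4" would disable it)
    # and the client reported that it could not install it.
    flags = result["redirect_flags"]
    wants_v4 = flags is not None and "!ipv4" not in flags
    result["ipv4_leak"] = wants_v4 and result["ipv4_redirect_failed"]
    return result


if __name__ == "__main__":
    print(check_redirect(SAMPLE_LOG))
```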

Change History (6)

comment:1 Changed 14 months ago by tct

Cc: tct added

comment:2 Changed 14 months ago by Gert Döring

Cc: tct removed

route.c, redirect_default_route_to_vpn()

...
        else if (!(rl->spec.flags & RTSA_REMOTE_HOST))
        {
            msg(M_WARN, "%s Cannot obtain current remote host address", err);
        }
        else
...

This is a very old assumption: "if we do not even know who we are talking to, how can we install a host route to make it still work after we redirect the gateway".

And indeed, I broke it in commit aa34684972e, because we used to always set RTSA_REMOTE_HOST, even if we didn't know (sillyfying "remote_host" in route statements).

comment:3 Changed 14 months ago by Gert Döring

Cc: tct added

comment:5 Changed 14 months ago by Gert Döring

Patch has been applied to the master and release/2.5 branch.

commit 23e11e591347080efa3b933beca7f620dd059d5c (master)
commit 7b4f53095c761bde8c6b39cf645cade4c1c0c5d4 (release/2.5)
Author: Gert Doering
Date: Fri Oct 2 19:57:36 2020 +0200

Fix redirecting of IPv4 default gateway if connecting over IPv6.

I think it's fixed for good, but leave this open so I can hear from people who ran into this that it's actually fixing the issue for them (Thomas, Francois).

comment:6 Changed 14 months ago by Gert Döring

Resolution: fixed
Status: assigned → closed

Bugfix confirmed on RC3 on Windows and Linux by Thomas.
