Opened 10 years ago

Closed 8 years ago

#135 closed Bug / Defect (fixed)

Passtos does not work with freebsd

Reported by: vielhak
Owned by:
Priority: major
Milestone:
Component: Networking
Version: OpenVPN 2.2.0 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:



I have trouble using the passtos feature with FreeBSD 8.1.
See also
I use the following config (client):

dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/
#user nobody
#group nobody
script-security 3
keepalive 10 60
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
lport 0
management /var/etc/openvpn/client1.sock unix
remote 11946
ca /var/etc/openvpn/
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key

When I do a "ping -z5" via the tunnel, this is the decrypted packet on the destination (with TOS bits set):
11:04:49.312291 IP (tos 0x5,ECT(1), ttl 63, id 58247, offset 0, flags [none], proto ICMP (1), length 84) > ICMP echo request, id 51644, seq 36, length 64

and this is the encrypted tunnel packet (without TOS):
11:04:49.304835 IP (tos 0x0, ttl 64, id 58280, offset 0, flags [none], proto UDP (17), length 161) > UDP, length 133

If I use the same setup with a Linux client (same OpenVPN version), everything works. So it seems to be a problem with the FreeBSD port.

Change History (4)

comment:1 Changed 10 years ago by vielhak

The problem is that FreeBSD's setsockopt expects the IP_TOS option as INT, not as uint8_t. Due to that, the following setsockopt leads to an EINVAL on FreeBSD (ls->ptos is uint8_t):

static inline void
link_socket_set_tos (struct link_socket *ls)
{
  /* ls->ptos is uint8_t, so a one-byte option value is passed here */
  if (ls && ls->ptos_defined)
    setsockopt (ls->sd, IPPROTO_IP, IP_TOS, &ls->ptos, sizeof (ls->ptos));
}

Workaround on FreeBSD: if you use:

static inline void
link_socket_set_tos (struct link_socket *ls)
{
  if (ls && ls->ptos_defined) {
    /* widen to int: FreeBSD expects an int-sized IP_TOS value */
    int tos = ls->ptos;
    setsockopt (ls->sd, IPPROTO_IP, IP_TOS, &tos, sizeof (tos));
  }
}

everything works great; see encrypted packet of "ping -z 5":

16:39:47.976342 IP (tos 0x5,ECT(1), ttl 64, id 27692, offset 0, flags [none], proto UDP (17), length 161) > UDP, length 133

comment:2 Changed 10 years ago by vielhak

Easier like pfSense did it:

change line 228 in socket.h to

#if defined(TARGET_FREEBSD)
      uint32_t ptos;
#else
      uint8_t ptos;
#endif

PS: I do not know if there are more OSes which need 32-bit TOS values in setsockopt().
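
Added example, not part of the ticket and not OpenVPN code: a standalone C sketch of the point made in comments 1 and 2, passing IP_TOS as an int-sized value, checking the setsockopt() return value (the snippets above ignore it, so the EINVAL went unnoticed), and reading the option back. The helper names set_ip_tos and get_ip_tos and the sample value 0x10 are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

/* Hypothetical helper: set the IPv4 TOS byte on a socket.
 * The value is widened to int because, as reported in this ticket,
 * FreeBSD rejects a one-byte IP_TOS option value with EINVAL.
 * Returns 0 on success, or the errno value on failure. */
static int
set_ip_tos(int sd, uint8_t tos)
{
    int val = tos;
    if (setsockopt(sd, IPPROTO_IP, IP_TOS, &val, sizeof(val)) != 0)
        return errno;
    return 0;
}

/* Hypothetical helper: read the TOS byte back.
 * Returns 0..255, or -1 if getsockopt() fails. */
static int
get_ip_tos(int sd)
{
    int val = 0;
    socklen_t len = sizeof(val);
    if (getsockopt(sd, IPPROTO_IP, IP_TOS, &val, &len) != 0)
        return -1;
    return val & 0xff;
}

int main(void)
{
    int sd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sd < 0) { perror("socket"); return 1; }
    int err = set_ip_tos(sd, 0x10);   /* 0x10: constructed sample value */
    if (err != 0)
        fprintf(stderr, "IP_TOS not applied: %s\n", strerror(err));
    else
        printf("IP_TOS now 0x%02x\n", get_ip_tos(sd));
    close(sd);
    return err != 0;
}
```
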

comment:3 Changed 9 years ago by mandree

FreeBSD port status:

  • to be fixed in upcoming security/openvpn20 as of openvpn-2.0.9_3,
  • to be fixed in upcoming new security/openvpn22 as of openvpn-2.2.2_1,
  • no fix required for security/openvpn upgrade to openvpn-2.3.0 (fixed upstream)

comment:4 Changed 8 years ago by Eric Crist

Resolution: fixed
Status: new → closed

I spoke with mandree, and this has been resolved.
