Opened 3 years ago
Last modified 3 years ago
#1351 closed Bug / Defect
Server --block-ipv6 may leak IPv6 RS — at Initial Version
Reported by: | tct | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | release 2.6 |
Component: | Generic / unclassified | Version: | OpenVPN 2.5.0 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: | tct |
Description
Passive Tunnel - A TLS tunnel which uses `--keepalive 0 0`.
A passive tunnel only exchanges data packets while the tunnel is active. After a period of inactivity the client would be expected to `float` on the server to re-establish the VPN.
(I understand, this may not be possible etc.)
Trying to create a passive tunnel I discovered that the server appears to leak IPv6 RS messages. I cannot decode the packets so I have tcpdumps on the tun device to view traffic.
After the tunnel is established, both peers go quiet. There are no further packets which egress from the client. However, the server does leak OpenVPN data packets and these coincide with IPv6 Router Solicitation messages sent from the server to the tun device.
Server tcpdump on eth0:
```
21:07:13.243072 IP 92.1.246.125.1807 > 10.10.201.226.55111: UDP, length 50
^ Final packet establishing the tunnel above

These following packets coincide with RS messages on tun0 below.

21:07:43.852919 IP 10.10.201.226.55111 > 92.1.246.125.1807: UDP, length 73
21:08:41.880063 IP 10.10.201.226.55111 > 92.1.246.125.1807: UDP, length 73
21:10:43.052834 IP 10.10.201.226.55111 > 92.1.246.125.1807: UDP, length 73
21:14:35.159686 IP 10.10.201.226.55111 > 92.1.246.125.1807: UDP, length 73
21:22:05.720155 IP 10.10.201.226.55111 > 92.1.246.125.1807: UDP, length 73
```
Server tcpdump on tun0:
```
21:07:43.852622 IP6 fe80::6b76:ea66:1134:52c2 > ff02::2: ICMP6, router solicitation, length 8
21:08:41.879612 IP6 fe80::6b76:ea66:1134:52c2 > ff02::2: ICMP6, router solicitation, length 8
21:10:43.052560 IP6 fe80::6b76:ea66:1134:52c2 > ff02::2: ICMP6, router solicitation, length 8
21:14:35.159258 IP6 fe80::6b76:ea66:1134:52c2 > ff02::2: ICMP6, router solicitation, length 8
21:22:05.719384 IP6 fe80::6b76:ea66:1134:52c2 > ff02::2: ICMP6, router solicitation, length 8
```
Client tcpdump on tun0:
```
21:07:43.863055 IP6 fe80::6b76:ea66:1134:52c2 > ff02::2: ICMP6, router solicitation, length 8
21:07:44.469480 IP6 fe80::14bd:1204:3091:cf04 > ff02::2: ICMP6, router solicitation, length 8
21:07:44.469610 IP6 fe80::7 > fe80::14bd:1204:3091:cf04: ICMP6, destination unreachable, unreachable route ff02::2, length 56
21:08:21.333479 IP6 fe80::14bd:1204:3091:cf04 > ff02::2: ICMP6, router solicitation, length 8
21:08:21.333678 IP6 fe80::7 > fe80::14bd:1204:3091:cf04: ICMP6, destination unreachable, unreachable route ff02::2, length 56
21:08:41.890803 IP6 fe80::6b76:ea66:1134:52c2 > ff02::2: ICMP6, router solicitation, length 8
21:09:33.013475 IP6 fe80::14bd:1204:3091:cf04 > ff02::2: ICMP6, router solicitation, length 8
21:09:33.013584 IP6 fe80::7 > fe80::14bd:1204:3091:cf04: ICMP6, destination unreachable, unreachable route ff02::2, length 56
21:11:54.325473 IP6 fe80::14bd:1204:3091:cf04 > ff02::2: ICMP6, router solicitation, length 8
21:11:54.325603 IP6 fe80::7 > fe80::14bd:1204:3091:cf04: ICMP6, destination unreachable, unreachable route ff02::2, length 56
21:16:32.853491 IP6 fe80::14bd:1204:3091:cf04 > ff02::2: ICMP6, router solicitation, length 8
21:16:32.853681 IP6 fe80::7 > fe80::14bd:1204:3091:cf04: ICMP6, destination unreachable, unreachable route ff02::2, length 56
21:26:06.293502 IP6 fe80::14bd:1204:3091:cf04 > ff02::2: ICMP6, router solicitation, length 8
21:26:06.293677 IP6 fe80::7 > fe80::14bd:1204:3091:cf04: ICMP6, destination unreachable, unreachable route ff02::2, length 56
```
Note: All RS messages are replied to with dest-unreach.
Client tcpdump on eth0 showed zero packets after the VPN setup is completed.
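
The timing relationship described in the report can be checked mechanically. The following is an added example, not part of the original ticket and not OpenVPN code: it parses the server's eth0 and tun0 capture lines quoted above and pairs each Router Solicitation with the outer UDP packet that follows it. The 5 ms window and all function names are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
# Server-side capture lines copied from the ticket (eth0 = outer UDP, tun0 = inner).
ETH0 = """\
21:07:13.243072 IP 92.1.246.125.1807 > 10.10.201.226.55111: UDP, length 50
21:07:43.852919 IP 10.10.201.226.55111 > 92.1.246.125.1807: UDP, length 73
21:08:41.880063 IP 10.10.201.226.55111 > 92.1.246.125.1807: UDP, length 73
21:10:43.052834 IP 10.10.201.226.55111 > 92.1.246.125.1807: UDP, length 73
21:14:35.159686 IP 10.10.201.226.55111 > 92.1.246.125.1807: UDP, length 73
21:22:05.720155 IP 10.10.201.226.55111 > 92.1.246.125.1807: UDP, length 73
"""
TUN0 = """\
21:07:43.852622 IP6 fe80::6b76:ea66:1134:52c2 > ff02::2: ICMP6, router solicitation, length 8
21:08:41.879612 IP6 fe80::6b76:ea66:1134:52c2 > ff02::2: ICMP6, router solicitation, length 8
21:10:43.052560 IP6 fe80::6b76:ea66:1134:52c2 > ff02::2: ICMP6, router solicitation, length 8
21:14:35.159258 IP6 fe80::6b76:ea66:1134:52c2 > ff02::2: ICMP6, router solicitation, length 8
21:22:05.719384 IP6 fe80::6b76:ea66:1134:52c2 > ff02::2: ICMP6, router solicitation, length 8
"""
SERVER = "10.10.201.226.55111"  # server address.port as printed in the eth0 capture
UDP_RE = re.compile(r"^(\S+) IP (\S+) > \S+: UDP, length \d+")
RS_RE = re.compile(r"^(\S+) IP6 \S+ > ff02::2: ICMP6, router solicitation")

def _ts(s):
    return datetime.strptime(s, "%H:%M:%S.%f")

def server_udp(text, src=SERVER):
    """Timestamps of outer UDP packets sent by the server."""
    hits = (UDP_RE.match(l.strip()) for l in text.splitlines())
    return [_ts(m.group(1)) for m in hits if m and m.group(2) == src]

def router_solicitations(text):
    """Timestamps of Router Solicitations seen on the tun device."""
    hits = (RS_RE.match(l.strip()) for l in text.splitlines())
    return [_ts(m.group(1)) for m in hits if m]

def correlate(rs_times, udp_times, window_ms=5):
    """Pair each RS with the first server UDP packet sent within window_ms after it."""
    window = timedelta(milliseconds=window_ms)
    return [(rs, next((u for u in udp_times if timedelta(0) <= u - rs <= window), None))
            for rs in rs_times]

def unexplained(udp_times, pairs):
    """Server UDP packets not preceded by an RS, i.e. traffic from another source."""
    matched = {u for _, u in pairs if u is not None}
    return [u for u in udp_times if u not in matched]

if __name__ == "__main__":
    for rs, udp in correlate(router_solicitations(TUN0), server_udp(ETH0)):
        print(rs.time(), "->", udp.time() if udp else "no outer packet")
```

On the ticket's data every server-originated UDP packet follows a Router Solicitation on tun0 by less than a millisecond, and no server packet is left unpaired.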