Opened 7 years ago

Closed 6 years ago

#404 closed Bug / Defect (notabug)

client-to-client with ipv6

Reported by: kleer
Owned by:
Priority: major
Milestone:
Component: IPv6
Version: OpenVPN 2.3.3 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: client-to-client ipv6
Cc:

Description

Hi,

For an IPv6 server in tun mode, clients can see each other over IPv6 even though "client-to-client" is not enabled.
For IPv4 there is no problem: clients can't see each other if "client-to-client" is disabled.

I made this test with the 2.3.3 release.


About server:

serveur:/etc/openvpn# cat /proc/version
Linux version 2.6.26-2-686 (Debian 2.6.26-29) (dannf@…) (gcc version 4.1.3 20080704 (prerelease) (Debian 4.1.2-25)) #1 SMP Sun Mar 4 22:19:19 UTC 2012
serveur:/etc/openvpn# openvpn --version
OpenVPN 2.3.3 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 29 2014
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@…>
Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no


About client 1: Windows 7

c:\Program Files (x86)\OpenVPN\bin>openvpn.exe --version
OpenVPN 2.3.3 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Apr 14 2014
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@…>
Compile time defines: enable_crypto=yes enable_debug=no enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=no enable_plugin_down_root=no enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=yes enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_special_build= with_sysroot=no


About client 2:

root@debian7:/etc/openvpn# cat /proc/version
Linux version 3.2.0-4-686-pae (debian-kernel@…) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.54-2
root@debian7:/etc/openvpn# openvpn --version
OpenVPN 2.3.3 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 29 2014
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@…>
Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no


Server config:

port 1194
proto tcp
dev tun2
tun-ipv6
ca ./keys/server_routing_ipv6/ca.crt
cert ./keys/server_routing_ipv6/server.crt
key ./keys/server_routing_ipv6/server.key
dh ./keys/server_routing_ipv6/dh2048.pem
server 172.28.2.0 255.255.255.0
server-ipv6 fec0::/112
duplicate-cn
keepalive 10 120
cipher DES-EDE3-CBC # Triple-DES
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status ./log/server_routing_ipv6/openvpn-status.log
log ./log/server_routing_ipv6/openvpn.log
log-append ./log/server_routing_ipv6/openvpn-append.log
verb 3
tcp-queue-limit 256
script-security 2
tmp-dir "./tmp/"


Client 1 config:

client
dev tun0
proto tcp
remote my.server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca client_routing_ipv6/ca.crt
cert client_routing_ipv6/client1.crt
key client_routing_ipv6/client1.key
auth-user-pass
auth-nocache
ns-cert-type server
cipher DES-EDE3-CBC
comp-lzo
verb 3


Client 2 config:

client
dev tun0
proto tcp
remote my.server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca client_routing_ipv6/ca.crt
cert client_routing_ipv6/client1.crt
key client_routing_ipv6/client1.key
auth-user-pass
auth-nocache
ns-cert-type server
cipher DES-EDE3-CBC
comp-lzo
verb 3

Change History (2)

comment:1 Changed 7 years ago by Gert Döring

Not having --client-to-client will not necessarily disable client-to-client communication.

What it will do is change the packet flow:

With client-to-client, the flow is:

client A->openvpn server process->client B

without client-to-client, the flow is:

client A->openvpn server process->linux tun interface->linux routing/ip(6)tables->linux tun interface->openvpn server process->client B

So in the second case, you *can* stop the communication on the Linux side, but it is not *automatically* stopped - this depends on the ip(6)tables setup on the Linux side, and on whether IP forwarding is enabled or not for the protocol in question.

So unless you have ip6tables rules in place that should stop the packets on the Linux tun side, and you can see on the Linux tun side that the packets are indeed not sent to the Linux side, I'd be tempted to close this as "notabug".

comment:2 Changed 6 years ago by Gert Döring

Resolution: notabug
Status: new → closed

Since I never heard anything back, and the reason why it might not work is quite easy ("iptables enabled, but ip6tables missing"), I'm now closing this bug.

Reopen if it can be demonstrated that "not having --client-to-client" is permitting client-to-client communication without(!) going to the Linux tun side (which you can easily see with wireshark / tcpdump - if you see client-to-client packets on the server's tun interface, OpenVPN is handling this as documented, and ip6tables rules are needed to filter).
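The two comments above boil down to one operational point: without --client-to-client, isolation between clients is done by the kernel, so an iptables-only rule set leaves the IPv6 path open. The script below is an added example (not part of the ticket or of OpenVPN) that mirrors the IPv4 FORWARD rule for IPv6 on the server, prints the tcpdump filter Gert suggests for checking whether client-to-client packets actually reach the tun interface, and shows the forwarding sysctls. It assumes the interface name tun2 and the pools 172.28.2.0/24 and fec0::/112 from the server config in the description; the function names and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example, not code from the ticket: mirror IPv4 client isolation for
# IPv6 on an OpenVPN server that runs without --client-to-client.
# Assumed values (taken from the server config in the description):
#   tun interface tun2, IPv4 pool 172.28.2.0/24, IPv6 pool fec0::/112.
# DRY_RUN=1 (the default) only prints the commands; run with DRY_RUN=0 as
# root on the actual server to execute them.
TUN_IF="${TUN_IF:-tun2}"
V4_NET="${V4_NET:-172.28.2.0/24}"
V6_NET="${V6_NET:-fec0::/112}"
DRY_RUN="${DRY_RUN:-1}"

# run_cmd: print the command line in dry-run mode, otherwise execute it.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# isolation_rules: drop packets that enter and leave the same tun interface,
# which is exactly the client A -> tun -> client B path the kernel forwards
# when OpenVPN itself is not switching between clients.  The rules are
# inserted at the top of FORWARD so a later ACCEPT cannot shadow them.
# Having only the iptables line is the "iptables enabled, but ip6tables
# missing" situation described in comment:2.
isolation_rules() {
    run_cmd iptables -I FORWARD -i "$TUN_IF" -o "$TUN_IF" -s "$V4_NET" -d "$V4_NET" -j DROP
    run_cmd ip6tables -I FORWARD -i "$TUN_IF" -o "$TUN_IF" -s "$V6_NET" -d "$V6_NET" -j DROP
}

# capture_filter: tcpdump filter for IPv6 traffic between two VPN clients.
# If such packets appear on the tun interface, OpenVPN handed them to the
# kernel as documented and filtering is the kernel's job.
capture_filter() {
    printf 'ip6 and src net %s and dst net %s' "$V6_NET" "$V6_NET"
}

# forwarding_state: whether the kernel forwards each address family at all.
# With forwarding off, the tun -> tun path is closed for that family even
# without any netfilter rule, which is why IPv4 and IPv6 can differ.
forwarding_state() {
    run_cmd sysctl -n net.ipv4.ip_forward
    run_cmd sysctl -n net.ipv6.conf.all.forwarding
}

isolation_rules
printf 'verify with: tcpdump -ni %s "%s"\n' "$TUN_IF" "$(capture_filter)"
forwarding_state
```

Run it once in dry-run mode to review the exact rules it would add, then with DRY_RUN=0 on the server. The tcpdump line is the test Gert asks for: packets matching the filter on tun2 prove the traffic is on the kernel side, where the ip6tables rule above is what stops it.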
