Opened 5 years ago

Last modified 8 weeks ago

#556 assigned Feature Wish

bind to multiple IPv4 and IPv6 addresses

Reported by: crane
Owned by: Antonio
Priority: blocker
Milestone: release 2.6
Component: Networking
Version:
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: multiple port socket ip
Cc:

Description

Hi,

it looks like it is not possible to bind OpenVPN in dual stack mode on specific IPs.

If I run the server plain with udp6 it is listening on all interfaces (v4 and v6). Now I would like to restrict this to a few interfaces. But in dual stack mode an IPv4 address in local causes the server to crash:

[openvpn.log]
Mon May 18 12:02:48 2015 us=69753 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 1 2014
Mon May 18 12:02:48 2015 us=69765 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Mon May 18 12:02:48 2015 us=73425 Diffie-Hellman initialized with 2048 bit key
Mon May 18 12:02:48 2015 us=73603 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon May 18 12:02:48 2015 us=73614 Socket Buffers: R=[212992->131072] S=[212992->131072]
Mon May 18 12:02:48 2015 us=73619 RESOLVE: Cannot resolve host address: 10.20.30.40: Address family for hostname not supported
Mon May 18 12:02:48 2015 us=73623 Exiting due to fatal error

Either the option should support both or there should be a specific option like this:
local 10.20.30.40
local6 fe80::fc54:ff:fe54:7933

Change History (10)

comment:1 Changed 5 years ago by Gert Döring

Cc: plaisthos added
Milestone: release 2.4
Type: Bug / Defect → Feature Wish
Version: 2.3.4 → git master branch

If you want to bind to an IPv4 address, do not use "proto udp6"... and no, you cannot currently bind to multiple specific IPv4 and/or IPv6 addresses at the same time, it's either "one!" or "all of them". Sorry.

(Feel free to contribute patches to git master, but this stuff is actually amazingly complicated, so it won't go into 2.3 no matter what - it's been on our radar for quite a while, but "complicated")

comment:2 Changed 5 years ago by Gert Döring

Summary: Dual Stack with specific IPv4 not working → Dual Stack: bind to multiple IPv4 and IPv6 addresses not working

changing the subject to make clear that this is not about "dual-stack *inside* the tunnel" (where we have a similar-sounding issue with "--ifconfig-push" and "ifconfig-pool-ipv6" :-) )

comment:3 Changed 4 years ago by Gert Döring

Cc: Heiko Hund added
Milestone: release 2.4 → release 2.5

This is not going to make 2.4 in time (due in a few weeks).

Bumping to milestone release 2.5 - d12fk is working on multi-socket listening, but it's not complete and won't make it.

comment:4 Changed 2 years ago by Antonio

For the record: a first RFC patchset has been sent to the mailing list:
https://sourceforge.net/p/openvpn/mailman/openvpn-devel/thread/20180425195722.20744-1-a@unstable.cc/

This patchset enables OpenVPN to listen on multiple sockets.
Each socket can have its own IP and port (and IPs can be of different families).

Tests/reviews/feedback are highly appreciated!

comment:5 Changed 2 years ago by Antonio

Cc: plaisthos Heiko Hund removed
Component: IPv6 → Networking
Keywords: multiple port socket ip added; ipv6 ipv4 dualstack removed
Owner: set to Antonio
Priority: major → blocker
Status: new → assigned
Summary: Dual Stack: bind to multiple IPv4 and IPv6 addresses not working → bind to multiple IPv4 and IPv6 addresses
Version: OpenVPN git master branch (Community Ed)

For the record, multiple listening sockets can be configured by using multiple 'local' statements in the server config:

local <ip1|*> [portA]
local <ip2|*> [portB]

ip can be a hostname, an IPv4/6 address, :: or 0.0.0.0.
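
An added sketch, not OpenVPN's code and not the patchset from comment 4: one UDP socket per `local` address, as comment 5 describes, with `IPV6_V6ONLY` set so that an IPv6 socket never also serves IPv4 and the listening surface is exactly the configured list. The function names, the sample address list and the restriction to numeric literals (no hostnames) are assumptions of this example.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind one UDP socket to exactly one numeric local address; returns the fd or -1.
 * family is AF_UNSPEC to follow the literal, or AF_INET/AF_INET6 to force one
 * (forcing AF_INET6 on an IPv4 literal fails, as in the ticket's log). */
int bind_local(const char *addr, const char *port, int family)
{
    struct addrinfo hints = { .ai_family = family, .ai_socktype = SOCK_DGRAM,
                              .ai_flags = AI_NUMERICHOST | AI_PASSIVE };
    struct addrinfo *res;
    int on = 1;
    if (getaddrinfo(addr, port, &hints, &res) != 0)
        return -1;
    int fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    /* V6ONLY: an IPv6 socket (even on ::) must not also take IPv4 traffic,
     * so each address family is served only by its own socket. */
    if (fd >= 0 && res->ai_family == AF_INET6)
        setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof on);
    if (fd >= 0 && bind(fd, res->ai_addr, res->ai_addrlen) != 0) {
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

/* One socket per configured address; fds[i] is -1 where binding failed.
 * Returns how many sockets were bound. */
int bind_all(const char *const addrs[], int n, const char *port, int fds[])
{
    int ok = 0;
    for (int i = 0; i < n; i++)
        if ((fds[i] = bind_local(addrs[i], port, AF_UNSPEC)) >= 0)
            ok++;
    return ok;
}

int main(void)
{
    const char *const locals[] = { "127.0.0.1", "::1" };  /* constructed sample list */
    int fds[2];
    printf("bound %d of 2 local addresses\n", bind_all(locals, 2, "0", fds));
    printf("10.20.30.40 forced to AF_INET6: fd=%d\n",
           bind_local("10.20.30.40", "0", AF_INET6));
}
```

A server built this way would then wait on every returned descriptor with `poll()` or `epoll` and treat any `-1` entry as a startup error rather than silently listening on fewer addresses than configured.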

comment:6 Changed 10 months ago by tincantech

cc - I'll try to find some time

comment:7 Changed 4 months ago by bsaner

This one bit me today. Has the patch been reviewed for inclusion yet?

comment:8 in reply to:  7 Changed 4 months ago by Antonio

Replying to bsaner:

This one bit me today. Has the patch been reviewed for inclusion yet?

Not yet as the patchset misses multi-protocol support (i.e. supporting UDP and TCP at the same time). However, there wasn't much traction, so development is currently on halt. But I'd like to resume it at some point.

comment:9 Changed 4 months ago by jpiszcz

+1

Workaround for my issue:

As noted above, you can use this as a workaround; then IPv4+IPv6 both work, except it is for all IPv6 addresses:

local 192.x.x.x (if behind NAT)
local ::

-- Ignore the original post below as listening to :: works around the issue I was having.

When no local IPv6 is defined in server.conf, it only listens on IPv4?
openvpn 60941 nobody 7u IPv4 501260 0t0 UDP *:XXXX

When I define the global IPv6 address, then IPv6 connectivity works but IPv4 connectivity fails (as it can only be defined on one and not the other).

Add: local 200X:.... to server.conf && openvpn restart:
Jun 8 06:47:49 atom ovpn-server[62403]: 200X:22:XX:XX TLS: Initial packet from (success)

Last edited 4 months ago by jpiszcz

comment:10 Changed 8 weeks ago by Gert Döring

Milestone: release 2.5 → release 2.6