Opened 9 years ago

Last modified 11 months ago

#556 assigned Feature Wish

bind to multiple IPv4 and IPv6 addresses

Reported by: crane Owned by: Antonio Quartulli
Priority: blocker Milestone: release 2.7
Component: Networking Version:
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: multiple port socket ip
Cc:

Description

Hi,

it looks like it is not possible to bind OpenVPN in dual stack mode on specific IPs.

If I run the server plain with udp6 it listens on all interfaces (v4 and v6). Now I would like to restrict this to a few interfaces. But in dual stack mode an IPv4 address in local causes the server to crash:

[openvpn.log]
Mon May 18 12:02:48 2015 us=69753 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 1 2014
Mon May 18 12:02:48 2015 us=69765 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Mon May 18 12:02:48 2015 us=73425 Diffie-Hellman initialized with 2048 bit key
Mon May 18 12:02:48 2015 us=73603 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon May 18 12:02:48 2015 us=73614 Socket Buffers: R=[212992->131072] S=[212992->131072]
Mon May 18 12:02:48 2015 us=73619 RESOLVE: Cannot resolve host address: 10.20.30.40: Address family for hostname not supported
Mon May 18 12:02:48 2015 us=73623 Exiting due to fatal error

Either the option should support both or there should be a specific option like this:
local 10.20.30.40
local6 fe80::fc54:ff:fe54:7933

Change History (16)

comment:1 Changed 9 years ago by Gert Döring

Cc: plaisthos added
Milestone: release 2.4
Type: Bug / Defect → Feature Wish
Version: 2.3.4 → git master branch

If you want to bind to an IPv4 address, do not use "proto udp6"... and no, you cannot currently bind to multiple specific IPv4 and/or IPv6 addresses at the same time, it's either "one!" or "all of them". Sorry.

(Feel free to contribute patches to git master, but this stuff is actually amazingly complicated, so it won't go into 2.3 no matter what - it's on our radar since quite a while, but "complicated")

comment:2 Changed 9 years ago by Gert Döring

Summary: Dual Stack with specific IPv4 not working → Dual Stack: bind to multiple IPv4 and IPv6 addresses not working

changing the subject to make clear that this is not about "dual-stack *inside* the tunnel" (where we have a similar-sounding issue with "--ifconfig-push" and "ifconfig-pool-ipv6" :-) )

comment:3 Changed 7 years ago by Gert Döring

Cc: Heiko Hund added
Milestone: release 2.4 → release 2.5

This is not going to make 2.4 in time (due in a few weeks).

Bumping to milestone release 2.5 - d12fk is working on multi-socket listening, but it's not complete and won't make it.

comment:4 Changed 6 years ago by Antonio Quartulli

For the record: a first RFC patchset has been sent to the mailing list:
https://sourceforge.net/p/openvpn/mailman/openvpn-devel/thread/20180425195722.20744-1-a@unstable.cc/

This patchset enables OpenVPN to listen on multiple sockets.
Each socket can have its own IP and port (and IPs can be of different families).

Tests/reviews/feedback are highly appreciated!

comment:5 Changed 5 years ago by Antonio Quartulli

Cc: plaisthos Heiko Hund removed
Component: IPv6 → Networking
Keywords: multiple port socket ip added; ipv6 ipv4 dualstack removed
Owner: set to Antonio Quartulli
Priority: major → blocker
Status: new → assigned
Summary: Dual Stack: bind to multiple IPv4 and IPv6 addresses not working → bind to multiple IPv4 and IPv6 addresses
Version: OpenVPN git master branch (Community Ed)

For the record, multiple listening sockets can be configured by using multiple 'local' statements in the server config:

local <ip1|*> [portA]
local <ip2|*> [portB]

ip can be a hostname, an IPv4/6 address, :: or 0.0.0.0.

comment:6 Changed 4 years ago by tct

cc - I'll try to find some time

comment:7 Changed 4 years ago by bsaner

This one bit me today. Has the patch been reviewed for inclusion yet?

comment:8 in reply to: 7 Changed 4 years ago by Antonio Quartulli

Replying to bsaner:

This one bit me today. Has the patch been reviewed for inclusion yet?

Not yet as the patchset misses multi-protocol support (i.e. supporting UDP and TCP at the same time). However, there wasn't much traction, so development is currently on halt. But I'd like to resume it at some point.

comment:9 Changed 4 years ago by jpiszcz

+1

Workaround for my issue:

As noted above, can use this as a workaround then IPv4+IPv6 both work except it is for all IPv6 addresses:

local 192.x.x.x (if behind NAT)
local ::

-- Ignore the original post below as listening to :: works around the issue I was having.

When no local IPv6 is defined in server.conf, it only listens on IPv4?
openvpn 60941 nobody 7u IPv4 501260 0t0 UDP *:XXXX

When I define the global IPv6 address, then IPv6 connectivity works but IPv4 connectivity fails as it can only be defined on one and not the other).

Add: local 200X:.... to server.conf && openvpn restart:
Jun 8 06:47:49 atom ovpn-server[62403]: 200X:22:XX:XX TLS: Initial packet from (success)

Last edited 4 years ago by jpiszcz
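The lsof line in the comment above is the check that actually answers "which address families is the daemon bound on?", and it is the same check you would run after configuring the multiple 'local' statements from comment:5. The following is an added example, not code from the ticket or from the OpenVPN project: a POSIX shell function that takes `lsof -nP -iUDP:<port>` output (two constructed samples are embedded so it runs offline; the column layout assumed is lsof's default COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME) and reports whether the port has an IPv4 listener, an IPv6 listener, both, or none. The port number 1194 and the pids are assumptions for the sample only.

```shell
#!/bin/sh
# Constructed sample: what comment:9 saw with no IPv6 'local' line (IPv4 only).
LSOF_V4_ONLY='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
openvpn 60941 nobody   7u  IPv4 501260      0t0  UDP *:1194'

# Constructed sample: two listening sockets, one per address family
# (the outcome the multiple-"local" patchset in comment:5 is meant to give).
LSOF_BOTH='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
openvpn 62403 nobody   6u  IPv4 501260      0t0  UDP 10.20.30.40:1194
openvpn 62403 nobody   7u  IPv6 501261      0t0  UDP *:1194'

# Constructed sample: an unrelated UDP service on another port, nothing on 1194.
LSOF_NONE='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ntpd     1234 ntp      3u  IPv4 400000      0t0  UDP *:123'

# families_listening PORT LSOF_OUTPUT
# Prints exactly one word: both, v4, v6 or none.
# Only UDP rows whose NAME column ends in ":PORT" are counted; the TYPE
# column (IPv4/IPv6) is lsof's own statement of the socket's family.
families_listening() {
    port=$1
    lsof_output=$2
    printf '%s\n' "$lsof_output" | awk -v port="$port" '
        NR > 1 && $8 == "UDP" {
            n = split($9, f, ":")      # "10.20.30.40:1194" or "*:1194" or "[::1]:1194"
            if (f[n] != port) next
            if ($5 == "IPv4") v4 = 1
            if ($5 == "IPv6") v6 = 1
        }
        END {
            if (v4 && v6)  print "both"
            else if (v4)   print "v4"
            else if (v6)   print "v6"
            else           print "none"
        }'
}

# Usage against the live system (not run here):
#   families_listening 1194 "$(lsof -nP -iUDP:1194)"
families_listening 1194 "$LSOF_V4_ONLY"
families_listening 1194 "$LSOF_BOTH"
families_listening 1194 "$LSOF_NONE"
```

Caveat when reading the result: a single `IPv6 ... UDP *:1194` row is not automatically "v6 only". On Linux and the other BSDs an IPv6 wildcard socket also accepts IPv4 unless IPV6_V6ONLY is set (which is what comment:14 calls a dual-stack bind), whereas on OpenBSD the same row really is IPv6 only and a second, IPv4 socket (or a second instance, as harri runs) is required.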

comment:10 Changed 4 years ago by Gert Döring

Milestone: release 2.5 → release 2.6

comment:11 in reply to: 10; Changed 3 years ago by harri

Replying to Gert Döring:

😢

Since udp6 doesn't imply udp on OpenBSD I have to run 2 instances of openvpn, maintain 2 config directories, 2 IP address pools, etc. There are a lot of downsides.

Version 2, edited 3 years ago by harri

comment:12 in reply to: 11 Changed 3 years ago by Gert Döring

Replying to harri:

Since udp6 doesn't imply udp on OpenBSD I have to run 2 instances of openvpn, maintain 2 config directories, 2 IP address pools, etc. There are a lot of downsides.

We understand that. It's a matter of available developer time - if nobody helps with implementing this and testing the patches available so far, it takes longer...

This aside, on OpenBSD it might be possible to use pf(4) destination NAT to map the IPv4 port to the IPv6 port - so you have one instance only, and the other protocol gets NAT46'ed. I have not tried this for IPv4+IPv6 yet, but I do this to get a single instance to listen on multiple different ports (by having a primary port 1194, and map "secondary" ports via destination NAT - called rdr in FreeBSD, but OpenBSD changed the NAT syntax a bit)

comment:13 Changed 3 years ago by harri

This would break mtu-test, AFAICT.

I can live with running 2 instances of openvpn. Maybe you could improve the documentation, though. It's pretty hard to find out that you cannot have both IPv4 and IPv6 in parallel, except for Linux.

comment:14 in reply to: 13 Changed 3 years ago by Gert Döring

Replying to harri:

This would break mtu-test, AFAICT.

Would it?

I can live with running 2 instances of openvpn. Maybe you could improve the documentation, though. It's pretty hard to find out that you cannot have both IPv4 and IPv6 in parallel, except for Linux.

Actually it's "on all platforms except OpenBSD". All the other BSDs, including MacOS, are fine with a dual-stack socket bind...

comment:15 Changed 15 months ago by Gert Döring

Milestone: release 2.6 → release 2.7

bump.

Still on our wish list, but DCO got in the way for 2.6, so hopefully we can get this done before 2.7

comment:16 Changed 11 months ago by harri

That's fine with me. I am still running 2 openvpn instances in parallel without problems.
