#743 closed Bug / Defect (notabug)
Pushed invalid IPv4 net30 address is accepted by Linux (not Windows) (1) / Pushed IPv6 address is validated by server, IPv4 is not (2)
Reported by: | debbie10t | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN git master branch (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: | | | |
Description
(1) Linux will accept a pushed invalid net30 address for tun.
- Server config
```
cd /etc/openvpn
dev tun108
server 10.8.0.0 255.255.255.0
server-ipv6 12fc:1918::10:8:0:0/112
keepalive 10 30
comp-lzo no
push "comp-lzo no"
push "explicit-exit-notify 3"
log defaults/vpn.log
verb 4
client-config-dir defaults/ccd
ccd-exclusive
...
```
- CCD file
```
# defaultc03 - Linux
ifconfig-push 10.8.0.226 10.8.0.125
ifconfig-ipv6-push 12fc:1918::10:8:0:226/112

# defaultc01 - Windows
ifconfig-push 10.8.0.206 10.8.0.105
ifconfig-ipv6-push 12fc:1918::10:8:0:206/112
```
- Client config is as default
```
dev tun108
client
remote xxx
...
```
Linux client
- Server log for Linux client
```
Thu Sep 29 14:00:25 2016 us=209869 defaultc03/x.x.x.x:3840 SENT CONTROL [defaultc03]: 'PUSH_REPLY,ifconfig-ipv6 12fc:1918::10:8:0:226/112 12fc:1918::10:8:0:1,comp-lzo no,explicit-exit-notify 3,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 30,peer-id 0,cipher AES-256-GCM,ifconfig 10.8.0.226 10.8.0.125' (status=1)
```
- LINUX Client log
```
Thu Sep 29 14:00:13 2016 us=942821 SENT CONTROL [defaults]: 'PUSH_REQUEST' (status=1)
Thu Sep 29 14:00:13 2016 us=944952 PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 12fc:1918::10:8:0:226/112 12fc:1918::10:8:0:1,comp-lzo no,explicit-exit-notify 3,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 30,peer-id 0,cipher AES-256-GCM,ifconfig 10.8.0.226 10.8.0.125'
Thu Sep 29 14:00:13 2016 us=945009 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:3 is ignored by previous <connection> blocks
Thu Sep 29 14:00:13 2016 us=945049 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 29 14:00:13 2016 us=945056 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Sep 29 14:00:13 2016 us=945062 OPTIONS IMPORT: compression parms modified
Thu Sep 29 14:00:13 2016 us=945067 OPTIONS IMPORT: --ifconfig/up options modified
Thu Sep 29 14:00:13 2016 us=945073 OPTIONS IMPORT: route options modified
Thu Sep 29 14:00:13 2016 us=945078 OPTIONS IMPORT: peer-id set
Thu Sep 29 14:00:13 2016 us=945083 OPTIONS IMPORT: adjusting link_mtu to 1624
Thu Sep 29 14:00:13 2016 us=945088 OPTIONS IMPORT: data channel crypto options modified
Thu Sep 29 14:00:13 2016 us=945101 Data Channel MTU parms [ L:1552 D:1552 EF:52 EB:406 ET:0 EL:3 ]
Thu Sep 29 14:00:13 2016 us=945157 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 29 14:00:13 2016 us=945165 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 29 14:00:13 2016 us=945291 ROUTE_GATEWAY 10.10.201.1/255.255.255.0 IFACE=eth0 HWADDR=00:15:5d:48:6e:01
Thu Sep 29 14:00:13 2016 us=946200 TUN/TAP device tun108 opened
Thu Sep 29 14:00:13 2016 us=946224 TUN/TAP TX queue length set to 100
Thu Sep 29 14:00:13 2016 us=946236 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
Thu Sep 29 14:00:13 2016 us=946254 /usr/bin/ifconfig tun108 10.8.0.226 pointopoint 10.8.0.125 mtu 1500
Thu Sep 29 14:00:13 2016 us=947017 /usr/bin/ifconfig tun108 add 12fc:1918::10:8:0:226/112
Thu Sep 29 14:00:13 2016 us=947517 /usr/bin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.125
Thu Sep 29 14:00:13 2016 us=947947 Initialization Sequence Completed
```
- LINUX Client $ifconfig
```
tun108: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.226  netmask 255.255.255.255  destination 10.8.0.125
        inet6 12fc:1918::10:8:0:226  prefixlen 112  scopeid 0x0<global>
        inet6 fe80::101f:86cf:502d:9f02  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
```
- LINUX Client $route -4
```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    0      0        0 eth0
10.8.0.1        10.8.0.125      255.255.255.255 UGH   0      0        0 tun108
10.8.0.125      0.0.0.0         255.255.255.255 UH    0      0        0 tun108
```
- LINUX Client $route -6
```
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
12fc:1918::10:8:0:0/112        [::]                       U    256 0     0 tun108
12fc:1918::10:10:201:0/112     [::]                       U    256 1     1 eth0
```
- Ping client -> server
```
user@linux-client $ ping 10.8.0.1 -c 3
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=1.46 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=1.31 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=1.36 ms

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.311/1.379/1.467/0.071 ms
```
- Ping server -> client
```
user@linux-server $ ping 10.8.0.226 -c 3
PING 10.8.0.226 (10.8.0.226) 56(84) bytes of data.
64 bytes from 10.8.0.226: icmp_seq=1 ttl=64 time=1.47 ms
64 bytes from 10.8.0.226: icmp_seq=2 ttl=64 time=1.58 ms
64 bytes from 10.8.0.226: icmp_seq=3 ttl=64 time=1.42 ms

--- 10.8.0.226 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.427/1.494/1.587/0.081 ms
```
Push a completely ridiculous IPv4 address
- CCD file
```
ifconfig-push 10.8.0.226 192.168.0.3
ifconfig-ipv6-push 12fc:1918::10:8::226/112
```
- LINUX Client log
```
Thu Sep 29 15:16:54 2016 us=902172 SENT CONTROL [defaults]: 'PUSH_REQUEST' (status=1)
Thu Sep 29 15:16:54 2016 us=904464 PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 12fc:1918::10:8:0:226/112 12fc:1918::10:8:0:1,comp-lzo no,explicit-exit-notify 3,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 30,peer-id 1,cipher AES-256-GCM,ifconfig 10.8.0.226 192.168.0.3'
Thu Sep 29 15:16:54 2016 us=904552 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:3 is ignored by previous <connection> blocks
Thu Sep 29 15:16:54 2016 us=904621 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 29 15:16:54 2016 us=904648 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Sep 29 15:16:54 2016 us=904654 OPTIONS IMPORT: compression parms modified
Thu Sep 29 15:16:54 2016 us=904666 OPTIONS IMPORT: --ifconfig/up options modified
Thu Sep 29 15:16:54 2016 us=904672 OPTIONS IMPORT: route options modified
Thu Sep 29 15:16:54 2016 us=904677 OPTIONS IMPORT: peer-id set
Thu Sep 29 15:16:54 2016 us=904690 OPTIONS IMPORT: adjusting link_mtu to 1624
Thu Sep 29 15:16:54 2016 us=904695 OPTIONS IMPORT: data channel crypto options modified
Thu Sep 29 15:16:54 2016 us=904707 Data Channel MTU parms [ L:1552 D:1552 EF:52 EB:406 ET:0 EL:3 ]
Thu Sep 29 15:16:54 2016 us=904761 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 29 15:16:54 2016 us=904769 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 29 15:16:54 2016 us=904889 ROUTE_GATEWAY 10.10.201.1/255.255.255.0 IFACE=eth0 HWADDR=00:15:5d:48:6e:01
Thu Sep 29 15:16:54 2016 us=905738 TUN/TAP device tun108 opened
Thu Sep 29 15:16:54 2016 us=905759 TUN/TAP TX queue length set to 100
Thu Sep 29 15:16:54 2016 us=905770 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
Thu Sep 29 15:16:54 2016 us=905787 /usr/bin/ifconfig tun108 10.8.0.226 pointopoint 192.168.0.3 mtu 1500
Thu Sep 29 15:16:54 2016 us=906557 /usr/bin/ifconfig tun108 add 12fc:1918::10:8:0:226/112
Thu Sep 29 15:16:54 2016 us=907088 /usr/bin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 192.168.0.3
Thu Sep 29 15:16:54 2016 us=907546 Initialization Sequence Completed
```
- LINUX Client $ifconfig
```
tun108: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.226  netmask 255.255.255.255  destination 192.168.0.3
        inet6 fe80::35b9:6808:44db:3238  prefixlen 64  scopeid 0x20<link>
        inet6 12fc:1918::10:8:0:226  prefixlen 112  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
```
Ping still works!
Windows client
- Server log for Windows client
```
Thu Sep 29 14:12:34 2016 us=846001 defaultc01/w.w.w.w:61142 SENT CONTROL [defaultc01]: 'PUSH_REPLY,ifconfig-ipv6 12fc:1918::10:8:0:206/112 12fc:1918::10:8:0:1,comp-lzo no,explicit-exit-notify 3,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 30,peer-id 1,cipher AES-256-GCM,ifconfig 10.8.0.206 10.8.0.105' (status=1)
```
- WINDOWS Client log
```
Thu Sep 29 14:11:23 2016 us=609843 PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 12fc:1918::10:8:0:206/112 12fc:1918::10:8:0:1,comp-lzo no,explicit-exit-notify 3,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 30,peer-id 1,cipher AES-256-GCM,ifconfig 10.8.0.206 10.8.0.105'
Thu Sep 29 14:11:23 2016 us=609843 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:3 is ignored by previous <connection> blocks
Thu Sep 29 14:11:23 2016 us=609843 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 29 14:11:23 2016 us=609843 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Sep 29 14:11:23 2016 us=609843 OPTIONS IMPORT: compression parms modified
Thu Sep 29 14:11:23 2016 us=609843 OPTIONS IMPORT: --ifconfig/up options modified
Thu Sep 29 14:11:23 2016 us=609843 OPTIONS IMPORT: route options modified
Thu Sep 29 14:11:23 2016 us=609843 OPTIONS IMPORT: peer-id set
Thu Sep 29 14:11:23 2016 us=609843 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Sep 29 14:11:23 2016 us=609843 OPTIONS IMPORT: data channel crypto options modified
Thu Sep 29 14:11:23 2016 us=609843 Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Thu Sep 29 14:11:23 2016 us=609843 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 29 14:11:23 2016 us=609843 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 29 14:11:23 2016 us=609843 interactive service msg_channel=0
Thu Sep 29 14:11:23 2016 us=609843 ROUTE_GATEWAY 10.10.101.1/255.255.255.0 I=7 HWADDR=24:b6:fd:31:bc:ca
Thu Sep 29 14:11:23 2016 us=625468 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
Thu Sep 29 14:11:23 2016 us=625468 MANAGEMENT: >STATE:1475154683,ASSIGN_IP,,10.8.0.206,,,,,12fc:1918::10:8:0:206
Thu Sep 29 14:11:23 2016 us=625468 MANAGEMENT: Client disconnected
Thu Sep 29 14:11:23 2016 us=625468 There is a problem in your selection of --ifconfig endpoints [local=10.8.0.206, remote=10.8.0.105].  The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.  This is a limitation of --dev tun when used with the TAP-WIN32 driver.  Try 'openvpn --show-valid-subnets' option for more info.
Thu Sep 29 14:11:23 2016 us=625468 Exiting due to fatal error
```
(2) Pushing an IPv6 address is validated by the server before push:
- CCD file
```
ifconfig-push 10.8.0.226 10.8.0.125
ifconfig-ipv6-push 12fc:1918::10:8::226/112
```
- Server log, no IPv6 address, IPv4 is invalid
```
Thu Sep 29 14:23:41 2016 us=116600 OPTIONS IMPORT: reading client specific options from: defaults/ccd/defaultc03
Thu Sep 29 14:23:41 2016 us=116758 Options error: IPv6 prefix '12fc:1918::10:8::226': invalid IPv6 address
Thu Sep 29 14:23:41 2016 us=116788 Options error: cannot parse --ifconfig-ipv6-push addresses
...
Thu Sep 29 14:23:42 2016 us=177034 defaultc03/92.21.54.37:1292 SENT CONTROL [defaultc03]: 'PUSH_REPLY,comp-lzo no,explicit-exit-notify 3,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 30,peer-id 1,cipher AES-256-GCM,ifconfig 10.8.0.226 10.8.0.125' (status=1)
```
- Linux Client log
```
Thu Sep 29 14:22:30 2016 us=887086 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,explicit-exit-notify 3,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 30,peer-id 1,cipher AES-256-GCM,ifconfig 10.8.0.226 10.8.0.125'
```
Change History (2)
comment:1 Changed 8 years ago by
Resolution: | → notabug |
---|---|
Status: | new → closed |
comment:2 Changed 8 years ago by
agreed (2) IPv4 is also verified by the server reading the CCD file, pool is used on failure
- CCD file
```
ifconfig-push 10.10.8.0.226 192.168.0.3
ifconfig-ipv6-push 12fc:1918::10:8:0:226/112
```
- Server log
```
Thu Sep 29 23:46:26 2016 us=727710 defaultc03/92.21.54.37:1563 OPTIONS IMPORT: reading client specific options from: defaults/ccd/defaultc03
Thu Sep 29 23:46:26 2016 us=728029 defaultc03/92.21.54.37:1563 RESOLVE: Cannot resolve host address: 10.10.8.0.226: (Name or service not known)
Thu Sep 29 23:46:26 2016 us=728064 defaultc03/92.21.54.37:1563 Options error: cannot parse --ifconfig-push addresses
Thu Sep 29 23:46:26 2016 us=728141 defaultc03/92.21.54.37:1563 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=12fc:1918::10:8:0:1000
Thu Sep 29 23:46:26 2016 us=728173 defaultc03/92.21.54.37:1563 MULTI_sva: push_ifconfig_ipv6 12fc:1918::10:8:0:226/112
Thu Sep 29 23:46:26 2016 us=728323 defaultc03/92.21.54.37:1563 MULTI: Learn: 10.8.0.6 -> defaultc03/92.21.54.37:1563
Thu Sep 29 23:46:26 2016 us=728362 defaultc03/92.21.54.37:1563 MULTI: primary virtual IP for defaultc03/92.21.54.37:1563: 10.8.0.6
Thu Sep 29 23:46:26 2016 us=728401 defaultc03/92.21.54.37:1563 MULTI: Learn: 12fc:1918::10:8:0:226 -> defaultc03/92.21.54.37:1563
Thu Sep 29 23:46:26 2016 us=728438 defaultc03/92.21.54.37:1563 MULTI: primary virtual IPv6 for defaultc03/92.21.54.37:1563: 12fc:1918::10:8:0:226
Thu Sep 29 23:46:27 2016 us=787687 defaultc03/92.21.54.37:1563 PUSH: Received control message: 'PUSH_REQUEST'
Thu Sep 29 23:46:27 2016 us=787849 defaultc03/92.21.54.37:1563 send_push_reply(): safe_cap=940
Thu Sep 29 23:46:27 2016 us=787969 defaultc03/92.21.54.37:1563 SENT CONTROL [defaultc03]: 'PUSH_REPLY,ifconfig-ipv6 12fc:1918::10:8:0:226/112 12fc:1918::10:8:0:1,comp-lzo no,explicit-exit-notify 3,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 30,peer-id 0,cipher AES-256-GCM,ifconfig 10.8.0.6 10.8.0.5' (status=1)
```
Linux has no real concept of "net30", that is only there because windows needs a subnet - for windows, a tunnel is always "us" and "them", and there is no relationship between these addresses. So, by definition, as long as the server routes the address towards the client, it's not "invalid".
Your IPv6 address, on the other hand, is a totally different thing - this is invalid because it is *syntactically* invalid (has two "::" in it) - if you try pushing a syntactically invalid v4 address (10.11.12.13.14) I assume the IPv4 code will also tell you it's invalid.
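A server-side pre-flight check a CCD maintainer can run before a pushed pair ever reaches a client, added here as an illustration (not OpenVPN's own code). It applies the rule the Windows client reports in the log above (both endpoints in one 255.255.255.252 subnet, refined to the usable host pair that `openvpn --show-valid-subnets` lists) and the syntactic IPv6 check the server itself performs; treating endpoints as IP literals only, and the sample CCD text, are assumptions of this example.

```python
import ipaddress

def net30_pair_ok(local: str, remote: str) -> bool:
    """Same /30 (255.255.255.252) and the two usable hosts of it (host bits
    1 and 2). Raises ValueError for anything that is not an IPv4 literal."""
    l = int(ipaddress.IPv4Address(local))
    r = int(ipaddress.IPv4Address(remote))
    return (l >> 2) == (r >> 2) and {l & 3, r & 3} == {1, 2}

def lint_ccd(text: str) -> list:
    """Return (line_number, message) findings for one CCD file body.
    Assumption: endpoints are IP literals; OpenVPN would also try DNS here."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if not tok:
            continue
        if tok[0] == "ifconfig-push":
            if len(tok) < 3:
                findings.append((n, "ifconfig-push needs local and remote"))
                continue
            try:
                ok = net30_pair_ok(tok[1], tok[2])
            except ValueError:
                findings.append((n, f"cannot parse --ifconfig-push addresses {tok[1]} {tok[2]}"))
                continue
            if not ok:
                findings.append((n, f"{tok[1]}/{tok[2]} not a valid net30 pair; Windows TAP will refuse it"))
        elif tok[0] == "ifconfig-ipv6-push":
            if len(tok) < 2:
                findings.append((n, "ifconfig-ipv6-push needs an address/prefix"))
                continue
            try:
                ipaddress.IPv6Interface(tok[1])     # rejects e.g. a second '::'
            except ValueError:
                findings.append((n, f"invalid IPv6 address {tok[1]}"))
    return findings

# Constructed sample using the addresses from the ticket: the IPv4 pair is
# accepted by Linux but not Windows, the IPv6 prefix is syntactically invalid.
SAMPLE_CCD = """\
# defaultc03 - Linux
ifconfig-push 10.8.0.226 10.8.0.125
ifconfig-ipv6-push 12fc:1918::10:8::226/112
"""

if __name__ == "__main__":
    for line, msg in lint_ccd(SAMPLE_CCD):
        print(f"line {line}: {msg}")
```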