Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#743 closed Bug / Defect (notabug)

Pushed invalid IPv4 net30 address is accepted by Linux (not Windows) (1) / Pushed address IPv6 is validated by server IPv4 is not (2)

Reported by: debbie10t Owned by:
Priority: minor Milestone:
Component: Generic / unclassified Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description

(1) Linux will accept a pushed invalid net30 address for tun.

  • Server config 
    cd /etc/openvpn
dev tun108
server 10.8.0.0 255.255.255.0
server-ipv6 12fc:1918::10:8:0:0/112
keepalive 10 30
comp-lzo no
push "comp-lzo no"
push "explicit-exit-notify 3"
log defaults/vpn.log
verb 4
client-config-dir defaults/ccd
ccd-exclusive
...
  • CCD file 
    # defaultc03 - Linux
ifconfig-push 10.8.0.226 10.8.0.125
ifconfig-ipv6-push 12fc:1918::10:8:0:226/112

    # defaultc01 - Windows
ifconfig-push 10.8.0.206 10.8.0.105
ifconfig-ipv6-push 12fc:1918::10:8:0:206/112
  • Client config is as default 
    dev tun108
client
remote xxx
...

Linux client

  • Server log for Linux client 
    Thu Sep 29 14:00:25 2016 us=209869 defaultc03/x.x.x.x:3840 SENT CONTROL [defaultc03]: 'PUSH_REPLY,ifconfig-ipv6 12fc:1918::10:8:0:226/112 12fc:1918::10:8:0:1,comp-lzo no,explicit-exit-notify 3,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 30,peer-id 0,cipher AES-256-GCM,ifconfig 10.8.0.226 10.8.0.125' (status=1)
  • LINUX Client log 
    Thu Sep 29 14:00:13 2016 us=942821 SENT CONTROL [defaults]: 'PUSH_REQUEST' (status=1)
Thu Sep 29 14:00:13 2016 us=944952 PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 12fc:1918::10:8:0:226/112 12fc:1918::10:8:0:1,comp-lzo no,explicit-exit-notify 3,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 30,peer-id 0,cipher AES-256-GCM,ifconfig 10.8.0.226 10.8.0.125'
Thu Sep 29 14:00:13 2016 us=945009 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:3 is ignored by previous <connection> blocks 
Thu Sep 29 14:00:13 2016 us=945049 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 29 14:00:13 2016 us=945056 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Sep 29 14:00:13 2016 us=945062 OPTIONS IMPORT: compression parms modified
Thu Sep 29 14:00:13 2016 us=945067 OPTIONS IMPORT: --ifconfig/up options modified
Thu Sep 29 14:00:13 2016 us=945073 OPTIONS IMPORT: route options modified
Thu Sep 29 14:00:13 2016 us=945078 OPTIONS IMPORT: peer-id set
Thu Sep 29 14:00:13 2016 us=945083 OPTIONS IMPORT: adjusting link_mtu to 1624
Thu Sep 29 14:00:13 2016 us=945088 OPTIONS IMPORT: data channel crypto options modified
Thu Sep 29 14:00:13 2016 us=945101 Data Channel MTU parms [ L:1552 D:1552 EF:52 EB:406 ET:0 EL:3 ]
Thu Sep 29 14:00:13 2016 us=945157 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 29 14:00:13 2016 us=945165 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 29 14:00:13 2016 us=945291 ROUTE_GATEWAY 10.10.201.1/255.255.255.0 IFACE=eth0 HWADDR=00:15:5d:48:6e:01
Thu Sep 29 14:00:13 2016 us=946200 TUN/TAP device tun108 opened
Thu Sep 29 14:00:13 2016 us=946224 TUN/TAP TX queue length set to 100
Thu Sep 29 14:00:13 2016 us=946236 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
Thu Sep 29 14:00:13 2016 us=946254 /usr/bin/ifconfig tun108 10.8.0.226 pointopoint 10.8.0.125 mtu 1500
Thu Sep 29 14:00:13 2016 us=947017 /usr/bin/ifconfig tun108 add 12fc:1918::10:8:0:226/112
Thu Sep 29 14:00:13 2016 us=947517 /usr/bin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.125
Thu Sep 29 14:00:13 2016 us=947947 Initialization Sequence Completed
  • LINUX Client $ifconfig 
    tun108: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.226  netmask 255.255.255.255  destination 10.8.0.125
        inet6 12fc:1918::10:8:0:226  prefixlen 112  scopeid 0x0<global>
        inet6 fe80::101f:86cf:502d:9f02  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
  • LINUX Client $route -4 
    Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    0      0        0 eth0
10.8.0.1        10.8.0.125      255.255.255.255 UGH   0      0        0 tun108
10.8.0.125      0.0.0.0         255.255.255.255 UH    0      0        0 tun108
  • LINUX Client $route -6 
    Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
12fc:1918::10:8:0:0/112        [::]                       U    256 0     0 tun108
12fc:1918::10:10:201:0/112     [::]                       U    256 1     1 eth0
  • Ping client -> server 
    user@linux-client $ ping 10.8.0.1 -c 3
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=1.46 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=1.31 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=1.36 ms

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.311/1.379/1.467/0.071 ms
  • Ping server -> client 
    user@linux-server  $ ping 10.8.0.226 -c 3
PING 10.8.0.226 (10.8.0.226) 56(84) bytes of data.
64 bytes from 10.8.0.226: icmp_seq=1 ttl=64 time=1.47 ms
64 bytes from 10.8.0.226: icmp_seq=2 ttl=64 time=1.58 ms
64 bytes from 10.8.0.226: icmp_seq=3 ttl=64 time=1.42 ms

--- 10.8.0.226 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.427/1.494/1.587/0.081 ms

Push a completely ridiculous IPv4 address

  • CCD file 
    ifconfig-push 10.8.0.226 192.168.0.3
ifconfig-ipv6-push 12fc:1918::10:8::226/112
  • LINUX Client log, 
    Thu Sep 29 15:16:54 2016 us=902172 SENT CONTROL [defaults]: 'PUSH_REQUEST' (status=1)
Thu Sep 29 15:16:54 2016 us=904464 PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 12fc:1918::10:8:0:226/112 12fc:1918::10:8:0:1,comp-lzo no,explicit-exit-notify 3,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 30,peer-id 1,cipher AES-256-GCM,ifconfig 10.8.0.226 192.168.0.3'
Thu Sep 29 15:16:54 2016 us=904552 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:3 is ignored by previous <connection> blocks 
Thu Sep 29 15:16:54 2016 us=904621 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 29 15:16:54 2016 us=904648 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Sep 29 15:16:54 2016 us=904654 OPTIONS IMPORT: compression parms modified
Thu Sep 29 15:16:54 2016 us=904666 OPTIONS IMPORT: --ifconfig/up options modified
Thu Sep 29 15:16:54 2016 us=904672 OPTIONS IMPORT: route options modified
Thu Sep 29 15:16:54 2016 us=904677 OPTIONS IMPORT: peer-id set
Thu Sep 29 15:16:54 2016 us=904690 OPTIONS IMPORT: adjusting link_mtu to 1624
Thu Sep 29 15:16:54 2016 us=904695 OPTIONS IMPORT: data channel crypto options modified
Thu Sep 29 15:16:54 2016 us=904707 Data Channel MTU parms [ L:1552 D:1552 EF:52 EB:406 ET:0 EL:3 ]
Thu Sep 29 15:16:54 2016 us=904761 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 29 15:16:54 2016 us=904769 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 29 15:16:54 2016 us=904889 ROUTE_GATEWAY 10.10.201.1/255.255.255.0 IFACE=eth0 HWADDR=00:15:5d:48:6e:01
Thu Sep 29 15:16:54 2016 us=905738 TUN/TAP device tun108 opened
Thu Sep 29 15:16:54 2016 us=905759 TUN/TAP TX queue length set to 100
Thu Sep 29 15:16:54 2016 us=905770 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
Thu Sep 29 15:16:54 2016 us=905787 /usr/bin/ifconfig tun108 10.8.0.226 pointopoint 192.168.0.3 mtu 1500
Thu Sep 29 15:16:54 2016 us=906557 /usr/bin/ifconfig tun108 add 12fc:1918::10:8:0:226/112
Thu Sep 29 15:16:54 2016 us=907088 /usr/bin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 192.168.0.3
Thu Sep 29 15:16:54 2016 us=907546 Initialization Sequence Completed
  • LINUX Client $ifconfig 
    tun108: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.226  netmask 255.255.255.255  destination 192.168.0.3
        inet6 fe80::35b9:6808:44db:3238  prefixlen 64  scopeid 0x20<link>
        inet6 12fc:1918::10:8:0:226  prefixlen 112  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)

Ping still works !

Windows client

  • Server log for Windows client 
    Thu Sep 29 14:12:34 2016 us=846001 defaultc01/w.w.w.w:61142 SENT CONTROL [defaultc01]: 'PUSH_REPLY,ifconfig-ipv6 12fc:1918::10:8:0:206/112 12fc:1918::10:8:0:1,comp-lzo no,explicit-exit-notify 3,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 30,peer-id 1,cipher AES-256-GCM,ifconfig 10.8.0.206 10.8.0.105' (status=1)
  • WINDOWS Client log 
    Thu Sep 29 14:11:23 2016 us=609843 PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 12fc:1918::10:8:0:206/112 12fc:1918::10:8:0:1,comp-lzo no,explicit-exit-notify 3,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 30,peer-id 1,cipher AES-256-GCM,ifconfig 10.8.0.206 10.8.0.105'
Thu Sep 29 14:11:23 2016 us=609843 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:3 is ignored by previous <connection> blocks 
Thu Sep 29 14:11:23 2016 us=609843 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 29 14:11:23 2016 us=609843 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Sep 29 14:11:23 2016 us=609843 OPTIONS IMPORT: compression parms modified
Thu Sep 29 14:11:23 2016 us=609843 OPTIONS IMPORT: --ifconfig/up options modified
Thu Sep 29 14:11:23 2016 us=609843 OPTIONS IMPORT: route options modified
Thu Sep 29 14:11:23 2016 us=609843 OPTIONS IMPORT: peer-id set
Thu Sep 29 14:11:23 2016 us=609843 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Sep 29 14:11:23 2016 us=609843 OPTIONS IMPORT: data channel crypto options modified
Thu Sep 29 14:11:23 2016 us=609843 Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Thu Sep 29 14:11:23 2016 us=609843 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 29 14:11:23 2016 us=609843 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 29 14:11:23 2016 us=609843 interactive service msg_channel=0
Thu Sep 29 14:11:23 2016 us=609843 ROUTE_GATEWAY 10.10.101.1/255.255.255.0 I=7 HWADDR=24:b6:fd:31:bc:ca
Thu Sep 29 14:11:23 2016 us=625468 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
Thu Sep 29 14:11:23 2016 us=625468 MANAGEMENT: >STATE:1475154683,ASSIGN_IP,,10.8.0.206,,,,,12fc:1918::10:8:0:206
Thu Sep 29 14:11:23 2016 us=625468 MANAGEMENT: Client disconnected
Thu Sep 29 14:11:23 2016 us=625468 There is a problem in your selection of --ifconfig endpoints [local=10.8.0.206, remote=10.8.0.105].  The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.  This is a limitation of --dev tun when used with the TAP-WIN32 driver.  Try 'openvpn --show-valid-subnets' option for more info.
Thu Sep 29 14:11:23 2016 us=625468 Exiting due to fatal error

(2) Pushing an IPv6 address is validated by the server before push:

  • CCD file 
    ifconfig-push 10.8.0.226 10.8.0.125
ifconfig-ipv6-push 12fc:1918::10:8::226/112
  • Server log, no IPv6 address, IPv4 is invalid 
    Thu Sep 29 14:23:41 2016 us=116600 OPTIONS IMPORT: reading client specific options from: defaults/ccd/defaultc03
Thu Sep 29 14:23:41 2016 us=116758 Options error: IPv6 prefix '12fc:1918::10:8::226': invalid IPv6 address
Thu Sep 29 14:23:41 2016 us=116788 Options error: cannot parse --ifconfig-ipv6-push addresses
...
Thu Sep 29 14:23:42 2016 us=177034 defaultc03/92.21.54.37:1292 SENT CONTROL [defaultc03]: 'PUSH_REPLY,comp-lzo no,explicit-exit-notify 3,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 30,peer-id 1,cipher AES-256-GCM,ifconfig 10.8.0.226 10.8.0.125' (status=1)
  • Linux Client log 
    Thu Sep 29 14:22:30 2016 us=887086 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,explicit-exit-notify 3,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 30,peer-id 1,cipher AES-256-GCM,ifconfig 10.8.0.226 10.8.0.125'

Change History (2)

comment:1 Changed 8 years ago by Gert Döring

Resolution: notabug
Status: newclosed

Linux has no real concept of "net30", that is only there because windows needs a subnet - for windows, a tunnel is always "us" and "them", and there is no relationship between these addresses. So, by definition, as long as the server routes the address towards the client, it's not "invalid".

Your IPv6 address, on the other hand, is a totally different thing - this is invalid because it is *syntactically* invalid (has two "::" in it) - if you try pushing a syntactically invalid v4 address (10.11.12.13.14) I assume the IPv4 code will also tell you it's invalid.

comment:2 Changed 8 years ago by debbie10t

agreed (2) IPv4 is also verified by the server reading the CCD file, pools is used on failure

  • CCD file 
    ifconfig-push 10.10.8.0.226 192.168.0.3
ifconfig-ipv6-push 12fc:1918::10:8:0:226/112
  • Server log 
    Thu Sep 29 23:46:26 2016 us=727710 defaultc03/92.21.54.37:1563 OPTIONS IMPORT: reading client specific options from: defaults/ccd/defaultc03
Thu Sep 29 23:46:26 2016 us=728029 defaultc03/92.21.54.37:1563 RESOLVE: Cannot resolve host address: 10.10.8.0.226: (Name or service not known)
Thu Sep 29 23:46:26 2016 us=728064 defaultc03/92.21.54.37:1563 Options error: cannot parse --ifconfig-push addresses
Thu Sep 29 23:46:26 2016 us=728141 defaultc03/92.21.54.37:1563 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=12fc:1918::10:8:0:1000
Thu Sep 29 23:46:26 2016 us=728173 defaultc03/92.21.54.37:1563 MULTI_sva: push_ifconfig_ipv6 12fc:1918::10:8:0:226/112
Thu Sep 29 23:46:26 2016 us=728323 defaultc03/92.21.54.37:1563 MULTI: Learn: 10.8.0.6 -> defaultc03/92.21.54.37:1563
Thu Sep 29 23:46:26 2016 us=728362 defaultc03/92.21.54.37:1563 MULTI: primary virtual IP for defaultc03/92.21.54.37:1563: 10.8.0.6
Thu Sep 29 23:46:26 2016 us=728401 defaultc03/92.21.54.37:1563 MULTI: Learn: 12fc:1918::10:8:0:226 -> defaultc03/92.21.54.37:1563
Thu Sep 29 23:46:26 2016 us=728438 defaultc03/92.21.54.37:1563 MULTI: primary virtual IPv6 for defaultc03/92.21.54.37:1563: 12fc:1918::10:8:0:226
Thu Sep 29 23:46:27 2016 us=787687 defaultc03/92.21.54.37:1563 PUSH: Received control message: 'PUSH_REQUEST'
Thu Sep 29 23:46:27 2016 us=787849 defaultc03/92.21.54.37:1563 send_push_reply(): safe_cap=940
Thu Sep 29 23:46:27 2016 us=787969 defaultc03/92.21.54.37:1563 SENT CONTROL [defaultc03]: 'PUSH_REPLY,ifconfig-ipv6 12fc:1918::10:8:0:226/112 12fc:1918::10:8:0:1,comp-lzo no,explicit-exit-notify 3,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 30,peer-id 0,cipher AES-256-GCM,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Version 0, edited 8 years ago by debbie10t (next)
Note: See TracTickets for help on using tickets.