Opened 7 years ago
Last modified 6 years ago
#843 new Bug / Defect
Incorrect warning message when dropping packets because of "Recursive routing detected"
Reported by: | archimede.pitagorico | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN 2.4.0 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: | stipa | | |
Description
When recursive routing is detected a packet is dropped and the following error message is printed:
drop tun packet to [AF_INET]212.83.177.138:443
Here port 443 is not actually read from the packet; it is simply assumed that the destination port of the packet is the same as that of the VPN server, but this is not necessarily the case, as I verified with tcpdump.
A possible explanation of how this is possible is here:
https://forums.openvpn.net/viewtopic.php?f=4&p=67980#p67980
By the way, if this gets fixed, it would be nice to have as much info as possible on the packet in the error message.
Change History (5)
comment:1 Changed 7 years ago by
Well, as the error message does not say *which* port is the port it's talking about (outside or inside) it's not strictly "incorrect" - but the port information is not truly meaningful, as we cannot deliver *any* packet inside the tunnel that has the same destination IP as the VPN server.
So maybe we should just remove printing of the port number, to remove ambiguity.
comment:3 Changed 7 years ago by
@cron2, I see your point. I just would like to stress the fact that, for situations like the one I described in the attached link, having more information about the inner packet is extremely helpful to diagnose and solve the problem at its root.
comment:5 Changed 6 years ago by
+1 for removing the port number, it's misleading.
It may be worth mentioning --allow-recursive-routing in this warning.
Also I believe the man page description for --allow-recursive-routing can be improved by mentioning the reasoning from the commit message: "Could be useful when packets sent by openvpn itself are not subject to the routing tables that would move packets into the tunnel."
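The warning quoted in the description prints the server's port rather than anything read from the inner packet, and comment:5 asks for --allow-recursive-routing to be named in the message. As an added illustration, not OpenVPN's own code, the C below parses the inner IPv4 header of a packet headed into the tun device, decides whether its destination is the VPN server, and reports the protocol and the port actually carried in the packet (or states that there is none, as for ICMP). The server address is the one from the ticket's warning line; the packets are constructed inline; the message wording and every function name are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* VPN server address from the ticket's warning line (host byte order). */
#define SERVER_IP 0xD453B18Au /* 212.83.177.138 */

struct tun_verdict {
    int recursive;   /* 1 when the inner dst IP equals the VPN server's IP */
    uint8_t proto;   /* inner IP protocol: 1 ICMP, 6 TCP, 17 UDP, ... */
    uint32_t dst_ip; /* inner destination, host byte order */
    int dst_port;    /* port read from the packet, or -1 if there is none */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Parses the inner IPv4 header of a packet headed into the tun device.
 * Returns 0 and fills *v, or -1 if the buffer is not a well-formed IPv4 packet. */
int inspect_tun_packet(const uint8_t *pkt, size_t len, uint32_t server_ip,
                       struct tun_verdict *v)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -1;
    memset(v, 0, sizeof *v);
    v->proto = pkt[9];
    v->dst_ip = rd32(pkt + 16);
    v->dst_port = -1;
    v->recursive = (v->dst_ip == server_ip);
    /* A port exists only for TCP/UDP and only in the first fragment. */
    int first_frag = (rd16(pkt + 6) & 0x1fff) == 0;
    if ((v->proto == 6 || v->proto == 17) && first_frag && len >= ihl + 4)
        v->dst_port = rd16(pkt + ihl + 2);
    return 0;
}

/* Formats a warning naming the packet's real protocol and port and pointing at
 * the option that disables the check (message wording is this example's own). */
int format_drop_warning(const struct tun_verdict *v, char *out, size_t outlen)
{
    const char *name = v->proto == 6 ? "tcp" : v->proto == 17 ? "udp"
                     : v->proto == 1 ? "icmp" : "ip-proto";
    unsigned a = (v->dst_ip >> 24) & 0xff, b = (v->dst_ip >> 16) & 0xff,
             c = (v->dst_ip >> 8) & 0xff, d = v->dst_ip & 0xff;
    if (v->dst_port >= 0)
        return snprintf(out, outlen, "Recursive routing detected, drop tun packet to "
                        "[AF_INET]%u.%u.%u.%u %s/%d (see --allow-recursive-routing)",
                        a, b, c, d, name, v->dst_port);
    return snprintf(out, outlen, "Recursive routing detected, drop tun packet to "
                    "[AF_INET]%u.%u.%u.%u %s %u, no port (see --allow-recursive-routing)",
                    a, b, c, d, name, v->proto);
}

/* Constructs a minimal 28-byte IPv4 packet (no options, checksum left zero). */
size_t build_ipv4(uint8_t *buf, uint8_t proto, uint32_t dst, uint16_t dport)
{
    memset(buf, 0, 28);
    buf[0] = 0x45; buf[3] = 28; buf[8] = 64; buf[9] = proto;  /* v4/IHL 5, len, TTL */
    buf[12] = 10; buf[13] = 8; buf[15] = 2;                   /* src 10.8.0.2 */
    buf[16] = (uint8_t)(dst >> 24); buf[17] = (uint8_t)(dst >> 16);
    buf[18] = (uint8_t)(dst >> 8);  buf[19] = (uint8_t)dst;
    if (proto == 6 || proto == 17) {                          /* src port 40000, dst port */
        buf[20] = (uint8_t)(40000 >> 8); buf[21] = (uint8_t)(40000 & 0xff);
        buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    } else if (proto == 1) {
        buf[20] = 8;                                          /* ICMP echo request */
    }
    return 28;
}

/* Builds a constructed packet, inspects it against SERVER_IP and, when it would
 * loop back, writes the warning into msg. Returns 0, or -1 on a parse failure. */
int demo_packet(uint8_t proto, uint32_t dst, uint16_t dport,
                struct tun_verdict *v, char *msg, size_t msglen)
{
    uint8_t pkt[28];
    size_t n = build_ipv4(pkt, proto, dst, dport);
    if (inspect_tun_packet(pkt, n, SERVER_IP, v) != 0) return -1;
    if (v->recursive) format_drop_warning(v, msg, msglen); else msg[0] = '\0';
    return 0;
}

int main(void)
{
    struct tun_verdict v; char msg[160];
    /* An ICMP echo and a TCP segment to port 8080, both addressed to the server:
     * the first prints no port at all, the second prints 8080 rather than 443. */
    if (demo_packet(1, SERVER_IP, 0, &v, msg, sizeof msg) == 0) puts(msg);
    if (demo_packet(6, SERVER_IP, 8080, &v, msg, sizeof msg) == 0) puts(msg);
    return 0;
}
```

The port is taken from the transport header only when the packet is TCP or UDP and is a first fragment; for anything else the message says so explicitly instead of guessing, which is the information the reporter wanted when chasing the inner packet with tcpdump.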