Opened 3 years ago

Last modified 2 years ago

#843 new Bug / Defect

Incorrect warning message when dropping packets because of "Recursive routing detected"

Reported by: archimede.pitagorico Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.0 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc: stipa


When recursive routing is detected a packet is dropped and the following error message is printed:
drop tun packet to [AF_INET]
Here port 443 is not actually read from the packet, it is simply assumed that the destination port of the packet is the same as the one of the VPN server, but that this is not necessarily the case as I verified with tcpdump.

A possible explanation of how this is possible is here:

By the way, if this gets fixed, it would be nice to have as much info as possible on the packet in the error message.

Change History (5)

comment:1 Changed 3 years ago by Gert Döring

Well, as the error message does not say *which* port is the port it's talking about (outside or inside) it's not strictly "incorrect" - but the port information is not truly meaningful, as we cannot deliver *any* packet inside the tunnel that has the same destination IP as the VPN server.

So maybe we should just remove printing of the port number, to remove ambiguity.

comment:2 Changed 3 years ago by Gert Döring

Cc: stipa added

@stipa, what do you think?

comment:3 Changed 3 years ago by archimede.pitagorico

@cron2, I see your point. I just would like to stress the fact that, for situation like the one I described in the attached link, having more information about the inner packet is extremely helpful to diagnose and solve the problem at its root.

comment:4 Changed 3 years ago by stipa

I'll look into it.

comment:5 Changed 2 years ago by powerman

+1 for removing port number, it's misleading.

It may worth to mention --allow-recursive-routing in this warning.

Also I believe man page description for --allow-recursive-routing can be improved by mentioning reasoning from commit message: "Could be useful when packets sent by openvpn itself are not subject to the routing tables that would move packets into the tunnel."

Note: See TracTickets for help on using tickets.