Opened 8 years ago
Closed 4 years ago
#846 closed Bug / Defect (fixed-external)
[FreeBSD] UDP multihome uses wrong IP address if alias is on the same subnet as for main IP address
Reported by: | Dystopian | Owned by: | Gert Döring |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN 2.4.0 (Community Ed) |
Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | multihome alias, freebsd, v4-mapped |
Cc: |
Description
Server:
FreeBSD 10.3-RELEASE i386
OpenVPN 2.4.0 from packages, i386-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD]
ifconfig vtnet0 inet 192.168.1.6/24
ifconfig vtnet0 inet 192.168.1.7/32 alias # note the same subnet
openvpn --multihome --cipher none --auth none --secret key.txt --dev tun --topology p2p --ifconfig 10.0.0.1 10.0.0.2
Client 192.168.1.5:
openvpn --cipher none --auth none --secret key.txt --dev tun --topology p2p --ifconfig 10.0.0.2 10.0.0.1 --remote 192.168.1.7
tcpdump -nti vtnet0
IP 192.168.1.5.1194 > 192.168.1.7.1194: UDP, length 25
IP 192.168.1.6.1194 > 192.168.1.5.1194: UDP, length 164
Tested also on 10.3-RELEASE amd64 server, the same result.
If using different subnet for alias (e.g. 192.168.0.*), it's OK.
The problem is fixed if "--proto udp4" option is used. The main difference in server log then is absence of such line:
Could not determine IPv4/IPv6 protocol. Using AF_INET6
Change History (9)
comment:1 Changed 8 years ago by
comment:2 Changed 8 years ago by
--verb 5
us=437012 Peer Connection Initiated with [AF_INET6]::ffff:192.168.1.5:1194 (via ::ffff:192.168.1.7%vtnet0)
us=437088 Initialization Sequence Completed
WRW
comment:3 Changed 8 years ago by
OK, so the receiving side code path (both FreeBSD side and OpenVPN side) is good - that's at least something :-)
For the sending side (which is what ensures that the UDP source is also set to that value) - anything interesting in the log, like an error from sendmsg()? Or does everything look nice, except that it's not doing the right thing?
comment:4 Changed 8 years ago by
Nothing from sendmsg.
verb 5 doesn't show anything about sending.
Here verb 11 (I hope it's what you need):
us=100810 SENT OCC_REPLY us=100901 ENCRYPT TO: 00000008 58aacb2f 287f346b d4ef7a81 2d56b8d3 afc5459c 0156342c 6465762[more...] us=100932 PO_CTL rwflags=0x0003 ev=4 arg=0x080e53cc us=100960 PO_CTL rwflags=0x0000 ev=3 arg=0x080e4674 us=100993 I/O WAIT Tr|Tw|SR|SW [1/231634] us=101085 PO_WAIT[0,0] fd=4 rev=0x00000004 rwflags=0x0002 arg=0x080e53cc us=101116 event_wait returned 1 us=101145 I/O WAIT status=0x0002 us=101276 UDPv6 WRITE [164] to [AF_INET6]::ffff:192.168.1.5:1194 (via ::ffff:192.168.1.7%vtnet0): DATA 00000008 58aacb2f 287f346b d4ef7a81 2d56b8d3 afc5459c 0156342c 6465762[more...] us=101421 UDPv6 write returned 164 us=101471 PO_CTL rwflags=0x0001 ev=4 arg=0x080e53cc us=101507 PO_CTL rwflags=0x0001 ev=3 arg=0x080e4674 us=101540 I/O WAIT TR|Tw|SR|Sw [1/231634]
comment:5 Changed 8 years ago by
I don't know how to subscribe to the ticket and I didn't receive any emails on new comments.
If you need more info from me send me email please.
comment:6 Changed 8 years ago by
anyone who adds to a trac ticket is "auto-subscribed" - you didn't hear anything because I did not find time to investigate what is happening there.
From your logs, everything looks reasonable - we figure out what the right address should be, and there are no errors on sendmsg(). So it's not something straightforward... - debug time.
comment:7 Changed 8 years ago by
Don't think I complain on slow ticket resolving, I just meant I received only 1 email from ticket beginning - after my previous comment. I would like to receive emails after all comments except mine.
comment:8 Changed 8 years ago by
Owner: | set to Gert Döring |
---|---|
Status: | new → accepted |
comment:9 Changed 4 years ago by
Keywords: | freebsd v4-mapped added |
---|---|
Resolution: | → fixed-external |
Status: | accepted → closed |
So, that topic came back, and I forgot about this ticket in the meantime - the other one is #1057
The problem here is that --proto udp
will create a dual-stack IPv6 socket, which can also handle IPv4 addresses but the code path in the kernel to set the source address for IPv4 packets leaving via such a socket was just missing. Like, FreeBSD had no code to do that, so picked the first interface IP.
For --proto udp4
, it's a different kernel code path, so it works.
For IPv6 addresses, --proto udp
and --multihome
also works.
In the context of #1057, a FreeBSD bug was opened, addressed, tested and merged - so 12.2-RELEASE will have this fixed.
So - sorry for ignoring this ticket for such a long time, but in the end, things got debugged and fixed (and, unfortunately, there is nothing in OpenVPN to work around this, except use proto udp4
, as you already discovered). Closing this ticket now.
There should be something in the server log about the IP address seen in the incoming packet - so please show the parts of the server log with "--verb 3" when the connection comes in.
I have tested
--multihome
with v4 and v6 on FreeBSD, but it's possible that it breaks for v4-mapped addresses on dual-stacked v6 sockets (which I have not tested) - we've seen that on Linux, and it turned out to be a linux kernel omission (the ancilliary data path was completely missing for the v4-mapped v6-socket case) - the fact that it works if you force IPv4 is an indication. But let's see the log first.