Opened 3 years ago

Closed 3 years ago

#850 closed Bug / Defect (fixed)

Wrong IPv6 route to VPN endpoint added

Reported by: mario.lipinski Owned by: Gert Döring
Priority: major Milestone:
Component: IPv6 Version: OpenVPN 2.4.0 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: ipv6
Cc: selvanair, Samuli Seppänen

Description

When connecting to VPN using IPv6 and adding a route that overlaps with the VPN server, a wrong route is added.

It looks like the IP of the remote gateway on the VPN (instead of the local gateway) is added on the local interface.

Using the VPN is not possible. When removing the wrong route and adding the local gateway, everything seems to work.

Client environment is Win 10 x64.

Attachments (1)

vpn.log (12.8 KB) - added by mario.lipinski 3 years ago.


Change History (9)

Changed 3 years ago by mario.lipinski

Attachment: vpn.log added

comment:1 Changed 3 years ago by mario.lipinski

This may be related to #615

Some lines to highlight from the logs:

Fri Mar 03 22:33:48 2017 ROUTE6_GATEWAY fe80::1 I=8
Fri Mar 03 22:33:48 2017 ROUTE6: 2003:a:FFFF:3b00::/56 overlaps IPv6 remote 2003:a:FFFF:3b00::1, adding host route to VPN endpoint

Fri Mar 03 22:33:54 2017 add_route_ipv6(2003:a:FFFF:3b00::1/128 -> fe80::1 metric 1) dev Ethernet 2
Fri Mar 03 22:33:54 2017 IPv6 route addition via service succeeded

from route print:

 If Metrik Netzwerkziel             Gateway
  8     41 ::/0                     fe80::1
 46    291 2003:a:FFFF:3b00::/56     fe80::8
  8     26 2003:a:FFFF:3b00::1/128   fe80::8
Last edited 3 years ago by mario.lipinski
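
The comparison made by eye in the excerpts above (next hop logged by add_route_ipv6 versus the gateway shown by route print) can be automated. The following Python is an added example, not part of the ticket or of OpenVPN; the function names are hypothetical, the sample input is copied from the excerpts above, and it assumes each route-print row fits on one line.

```python
import ipaddress
import re

# Constructed sample input: the log lines and route-print rows quoted in the ticket.
SAMPLE_LOG = """\
Fri Mar 03 22:33:48 2017 ROUTE6_GATEWAY fe80::1 I=8
Fri Mar 03 22:33:54 2017 add_route_ipv6(2003:a:FFFF:3b00::1/128 -> fe80::1 metric 1) dev Ethernet 2
"""
SAMPLE_ROUTES = """\
 If Metrik Netzwerkziel             Gateway
  8     41 ::/0                     fe80::1
 46    291 2003:a:FFFF:3b00::/56     fe80::8
  8     26 2003:a:FFFF:3b00::1/128   fe80::8
"""

ADD_RE = re.compile(r"add_route_ipv6\((\S+) -> (\S+) metric \d+\)")


def requested_routes(log_text):
    """Map each prefix OpenVPN asked for to the next hop it logged."""
    wanted = {}
    for prefix, gateway in ADD_RE.findall(log_text):
        net = ipaddress.ip_network(prefix, strict=False)
        wanted[net] = ipaddress.ip_address(gateway)
    return wanted


def installed_routes(table_text):
    """Parse 'If Metric Destination Gateway' rows; header and other rows are skipped."""
    rows = []
    for line in table_text.splitlines():
        cols = line.split()
        if len(cols) != 4 or not cols[0].isdigit():
            continue
        try:
            rows.append((int(cols[0]),
                         ipaddress.ip_network(cols[2], strict=False),
                         ipaddress.ip_address(cols[3])))
        except ValueError:  # e.g. a non-address gateway column
            continue
    return rows


def gateway_mismatches(log_text, table_text):
    """Return (prefix, requested_gw, installed_gw, if_index) where they differ."""
    wanted = requested_routes(log_text)
    return [(str(net), str(wanted[net]), str(gw), idx)
            for idx, net, gw in installed_routes(table_text)
            if net in wanted and wanted[net] != gw]
```
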

comment:2 Changed 3 years ago by Gert Döring

Cc: selvanair added
Owner: set to Gert Döring
Status: new → accepted

Oh, good find. The add_route_ipv6() statement does have the right next-hop and interface, but it seems that when using the interactive service to install the route, this information is getting lost/ignored.

I'm taking the ticket as the original "install host route to VPN server" and also the fe80::8 hack is mine, and copying Selva as he did much of the good work on the interactive service.

Won't find time to debug this "right now", but this should be relatively easy to pinpoint.

comment:3 Changed 3 years ago by selvanair

If I'm reading the code correctly it seems we are unconditionally overwriting the gateway to fe80::8. The gateway should be changed to that fake value only if it was the VPN remote, isn't it?
See ~line 3057 in route.c:

if (r->adapter_index)               /* vpn server special route */
{
    msg.iface.index = r->adapter_index;
}
 
/* In TUN mode we use a special link-local address as the next hop.
 * The tapdrvr knows about it and will answer neighbor discovery packets.
 */
if (tt->type == DEV_TYPE_TUN)
{
    inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
}

Also the log has
add_route_ipv6(2003:a:FFFF:3b00::1/128 -> fe80::1 metric 1) dev Ethernet 2
where the dev listed as "Ethernet 2" is strange as that is the tun device. However, this may be only a cosmetic issue as the interface name is used by the service only if the adapter index is NULL.

comment:4 Changed 3 years ago by Gert Döring

Selva, spot-on. The patch is fairly trivial, I think

--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -3061,8 +3061,10 @@ do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct t
 
     /* In TUN mode we use a special link-local address as the next hop.
      * The tapdrvr knows about it and will answer neighbor discovery packets.
+     * (only do this for routes actually using the tun/tap device)
      */
-    if (tt->type == DEV_TYPE_TUN)
+    if (tt->type == DEV_TYPE_TUN
+        && msg.iface.index == tt->adapter_index )
     {
         inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
     }
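
Review bot: The new test msg.iface.index == tt->adapter_index on the added lines is only correct if msg.iface.index already holds the tun/tap adapter index for ordinary VPN routes; that assignment is not visible in this hunk, so confirm it happens before this point, otherwise the fe80::8 next hop would no longer be set for any route. Style: drop the stray space before the closing parenthesis in "tt->adapter_index )".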

... totally untested so far, not even compile-tested. But this should fix things.

comment:5 Changed 3 years ago by Gert Döring

Cc: Samuli Seppänen added

Here's an installer, built on top of today's release/2.4 branch plus this patch:

https://build.openvpn.net/downloads/snapshots/openvpn-install-2.4.0-I602-ipv6hostroute.exe

@mario.lipinski: if you could verify that this fixes the problem for you, it would be welcome.

comment:6 Changed 3 years ago by Gert Döring

Patch has been applied to the master and release/2.4 branch.

commit 27740b376c1ca89a43dcff5c8309f1e1afecc5c9 (master)
commit 46e65494194f0bba0c63be8360b56ed595949720 (release/2.4)
Author: Gert Doering
Date: Sun Mar 19 20:10:49 2017 +0100

Fix installation of IPv6 host route to VPN server when using iservice.

Signed-off-by: Gert Doering <gert@…>
Acked-by: Selva Nair <selva.nair@…>
Message-Id: <20170319191049.23970-1-gert@…>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14282.html

comment:7 Changed 3 years ago by mario.lipinski

Sorry for the slightly late reply. Works for me now.

comment:8 Changed 3 years ago by Samuli Seppänen

Resolution: fixed
Status: accepted → closed