Opened 7 years ago
Closed 7 years ago
#850 closed Bug / Defect (fixed)
Wrong IPv6 route to VPN endpoint added
Reported by: | mario.lipinski | Owned by: | Gert Döring |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | IPv6 | Version: | OpenVPN 2.4.0 (Community Ed) |
Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | ipv6 |
Cc: | Selva Nair, Samuli Seppänen |
Description
When connecting to VPN using IPv6 and adding a route that overlaps with the VPN server, a wrong route is added.
It looks like the ip of the remote gateway on the vpn (instead of the local gateway) is added on the local interface.
Using the VPN is not possible. When removing the wrong route and adding the local gateway, everything seems to work.
Client environment is Win 10 x64.
Attachments (1)
Change History (9)
comment:2 Changed 7 years ago by
Cc: | Selva Nair added |
---|---|
Owner: | set to Gert Döring |
Status: | new → accepted |
Oh, good find. The add_route_ipv6() statement does have the right next-hop and interface, but it seems that when using the interactive service to install the route, this information is getting lost/ignored.
I'm taking the ticket as the original "install host route to VPN server" and also the fe80::8 hack is mine, and copying Selva as he did much of the good work on the interactive service.
Won't find time to debug this "right now", but this should be relatively easy to pinpoint.
comment:3 Changed 7 years ago by
If I'm reading the code correctly it seems we are unconditionally overwriting the gateway to fe80::8. The gateway should be changed to that fake value only if it was the VPN remote, isn't it?
See ~line 3057 in route.c:
```c
if (r->adapter_index)   /* vpn server special route */
{
    msg.iface.index = r->adapter_index;
}

/* In TUN mode we use a special link-local address as the next hop.
 * The tapdrvr knows about it and will answer neighbor discovery packets.
 */
if (tt->type == DEV_TYPE_TUN)
{
    inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
}
```
Also the log has
add_route_ipv6(2003:a:FFFF:3b00::1/128 -> fe80::1 metric 1) dev Ethernet 2
where the dev listed as "Ethernet 2" is strange as that is the tun device. However, this may be only a cosmetic issue as the interface name is used by the service only if the adapter index is NULL.
comment:4 Changed 7 years ago by
Selva, spot-on. The patch is fairly trivial, I think
--- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -3061,8 +3061,10 @@ do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct t /* In TUN mode we use a special link-local address as the next hop. * The tapdrvr knows about it and will answer neighbor discovery packets. + * (only do this for routes actually using the tun/tap device) */ - if (tt->type == DEV_TYPE_TUN) + if (tt->type == DEV_TYPE_TUN + && msg.iface.index == tt->adapter_index ) { inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6); }
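Review bot: the added test `msg.iface.index == tt->adapter_index` only selects tunnel routes if `msg.iface.index` already holds `tt->adapter_index` whenever `r->adapter_index` is zero; the lines shown here and in comment:3 only show it being assigned from `r->adapter_index`. Please confirm that default is set above this hunk, otherwise the fe80::8 rewrite would be skipped for ordinary TUN routes as well. Minor style point: there is a stray space before the closing parenthesis in `tt->adapter_index )`.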
... totally untested so far, not even compile-tested. But this should fix things.
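A simplified model of the gateway choice discussed in comment:3 and comment:4, as an added example that is not part of the ticket or of OpenVPN's route.c. The structs, helper names and adapter indices are constructed, and it assumes the interface index defaults to the tun adapter when `r->adapter_index` is zero.

```c
/* Added illustration, not OpenVPN source: simplified model of the gateway
 * choice in do_route_ipv6_service(). Structs, helpers, indices are constructed. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>

enum { DEV_TYPE_TUN = 2 };              /* constructed value */
struct route6 {
    struct in6_addr gateway;            /* next hop set by the caller */
    unsigned adapter_index;             /* non-zero: pinned to this adapter */
};
struct tun { int type; unsigned adapter_index; };

/* patched=false: unconditional fe80::8 rewrite; true: the ticket's check. */
static struct in6_addr
service_gateway(const struct route6 *r, const struct tun *tt, bool patched)
{
    struct in6_addr gw = r->gateway;
    unsigned iface = tt->adapter_index; /* ASSUMPTION: default is the tun adapter */

    if (r->adapter_index)               /* vpn server special route */
        iface = r->adapter_index;
    if (tt->type == DEV_TYPE_TUN && (!patched || iface == tt->adapter_index))
        inet_pton(AF_INET6, "fe80::8", &gw);
    return gw;
}

/* True when gw equals the textual IPv6 address. */
static bool gw_is(struct in6_addr gw, const char *text)
{
    struct in6_addr want;
    return inet_pton(AF_INET6, text, &want) == 1
           && memcmp(&gw, &want, sizeof want) == 0;
}

/* Constructed routes: lan_index 3 = host route to the VPN server via the
 * LAN adapter, lan_index 0 = ordinary route through the tunnel (index 7). */
static struct in6_addr route_gateway(unsigned lan_index, bool patched)
{
    struct tun tt = { DEV_TYPE_TUN, 7 };
    struct route6 r;
    memset(&r, 0, sizeof r);
    inet_pton(AF_INET6, "fe80::1", &r.gateway);
    r.adapter_index = lan_index;
    return service_gateway(&r, &tt, patched);
}

int main(void) { return gw_is(route_gateway(3, true), "fe80::1") ? 0 : 1; }
```

With `patched` false the host route to the VPN server ends up with fe80::8 on the LAN adapter, which is the wrong route the reporter saw; with `patched` true it keeps the local gateway while tunnel routes still get fe80::8.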
comment:5 Changed 7 years ago by
Cc: | Samuli Seppänen added |
---|
Here's an installer, built on top of today's release/2.4 branch plus this patch:
https://build.openvpn.net/downloads/snapshots/openvpn-install-2.4.0-I602-ipv6hostroute.exe
@mario.lipinski: if you could verify that this fixes the problem for you, it would be welcome.
comment:6 Changed 7 years ago by
Patch has been applied to the master and release/2.4 branch.
commit 27740b376c1ca89a43dcff5c8309f1e1afecc5c9 (master)
commit 46e65494194f0bba0c63be8360b56ed595949720 (release/2.4)
Author: Gert Doering
Date: Sun Mar 19 20:10:49 2017 +0100
Fix installation of IPv6 host route to VPN server when using iservice.
Signed-off-by: Gert Doering <gert@…>
Acked-by: Selva Nair <selva.nair@…>
Message-Id: <20170319191049.23970-1-gert@…>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14282.html
comment:8 Changed 7 years ago by
Resolution: | → fixed |
---|---|
Status: | accepted → closed |
This may be related to #615
Some lines to highlight from the logs:
from route print: