Wrong IPv6 route to VPN endpoint added

[mario.lipinski]

When connecting to VPN using IPv6 and adding a route that overlaps with the VPN server, a wrong route is added.

It looks like the ip of the remote gateway on the vpn (instead of the local gateway) is added on the local interface.

Using the VPN is not possible. When removing the wrong route and adding the local gateway, everything seems to work.

Client environment is Win 10 x64.

[mario.lipinski]

This may be related to #615

Some lines to highlight from the logs:

Fri Mar 03 22:33:48 2017 ROUTE6_GATEWAY fe80::1 I=8
Fri Mar 03 22:33:48 2017 ROUTE6: 2003:a:FFFF:3b00::/56 overlaps IPv6 remote 2003:a:FFFF:3b00::1, adding host route to VPN endpoint

Fri Mar 03 22:33:54 2017 add_route_ipv6(2003:a:FFFF:3b00::1/128 -> fe80::1 metric 1) dev Ethernet 2
Fri Mar 03 22:33:54 2017 IPv6 route addition via service succeeded

from route print:

 If Metrik Netzwerkziel             Gateway
  8     41 ::/0                     fe80::1
 46    291 2003:a:FFFF:3b00::/56     fe80::8
  8     26 2003:a:FFFF:3b00::1/128   fe80::8

[Gert Döring]

Oh, good find. The add_route_ipv6() statement does have the right next-hop and interface, but it seems that when using the interactive service to install the route, this information is getting lost/ignored.

I'm taking the ticket as the original "install host route to VPN server" and also the fe80::8 hack is mine, and copying Selva as he did much of the good work on the interactive service.

Won't find time to debug this "right now", but this should be relatively easy to pinpoint.

[Selva Nair]

If I'm reading the code correctly it seems we are unconditionallly overwriting the gateway to fe80::8. The gateway should be changed to to that fake value only if it was the VPN remote, isn't it?
See ~line 3057 in route.c:

if (r->adapter_index)               /* vpn server special route */
{
    msg.iface.index = r->adapter_index;
}
 
/* In TUN mode we use a special link-local address as the next hop.
 * The tapdrvr knows about it and will answer neighbor discovery packets.
 */
if (tt->type == DEV_TYPE_TUN)
{
    inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
}

Also the log has
add_route_ipv6(2003:a:FFFF:3b00::1/128 -> fe80::1 metric 1) dev Ethernet 2
where the dev listed as "Ethernet 2" is strange as that is the tun device. However, this may be only a cosmetic issue as the interface name is used by the service only if the adapter index is NULL.

[Gert Döring]

Selva, spot-on. The patch is fairly trivial, I think

--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -3061,8 +3061,10 @@ do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct t
 
     /* In TUN mode we use a special link-local address as the next hop.
      * The tapdrvr knows about it and will answer neighbor discovery packets.
+     * (only do this for routes actually using the tun/tap device)
      */
-    if (tt->type == DEV_TYPE_TUN)
+    if (tt->type == DEV_TYPE_TUN
+        && msg.iface.index == tt->adapter_index )
     {
         inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
     }

... totally untested so far, not even compile-tested. But this should fix things.

[Gert Döring]

Here's an installer, built on top of today's release/2.4 branch plus this patch:

​https://build.openvpn.net/downloads/snapshots/openvpn-install-2.4.0-I602-ipv6hostroute.exe

@mario.lipinksi: if you could verify that this fixes the problem for you, it would be welcome.

[Gert Döring]

Patch has been applied to the master and release/2.4 branch.

commit 27740b376c1ca89a43dcff5c8309f1e1afecc5c9 (master)
commit 46e65494194f0bba0c63be8360b56ed595949720 (release/2.4)
Author: Gert Doering
Date: Sun Mar 19 20:10:49 2017 +0100

Fix installation of IPv6 host route to VPN server when using iservice.

Signed-off-by: Gert Doering <gert@…>
Acked-by: Selva Nair <selva.nair@…>
Message-Id: <20170319191049.23970-1-gert@…>
URL: ​https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14282.html

[mario.lipinski]

Sorry for a bit late replay. Works for me now.