On 2017-06-18, Harald Dunkel <ha...@afaics.de> wrote:
> Hi Stuart,
>
> On 06/17/17 17:09, Stuart Henderson wrote:
>> 
>> It's trying to use a single socket for v4 and v6. That is never going
>> to work on OpenBSD.
>> 
>> Try "bind ipv6only" and see if that helps.
>> 
>
> Currently I have 2 openvpn servers listening on either IPv4
> or IPv6, each with its own address pool. Some road warriors
> require a fixed IPv4 address on the tunnel, regardless if they
> have IPv4 or IPv6 in their hotel room. Having a single openvpn
> server for both address families would have been the best way
> to stay out of troubles.

OpenVPN is one of those programs that is only able to bind to one
address (ftp-proxy is another example). This is easy to work with on OSes
which allow v4-mapped addresses because they can just bind to :: and
receive v4 and v6 packets on the single socket, but will fail on OpenBSD.

Additionally on a UDP socket bound to :: or 0.0.0.0 on a machine which
can receive packets to more than one address, it needs to lookup the
destination address of incoming packets so it can send replies with the
correct source address. This is what the 'multihome' option does - on
OpenBSD it will be doing this with IP_RECVDSTADDR (funnily it relies
on IP_RECVDSTADDR and IP_SENDSRCADDR having the same value to set the
address on replies). This probably hasn't been tested on OpenBSD yet, it
might work as-is, but they might not have got the cmsg bits quite right
(OpenBSD is stricter about this than most OS - you may remember the
problem you had with dnsmasq which iirc was related to this).

Anyway: it won't be a super-clean setup but you may be able to
work-around this for OpenVPN by having it listen on v6 only, bound to
a specific address not :: (then you *don't* need multihome), and using
NAT-PT (PF's "af-to" option) to redirect v4 traffic to it. However:
you will lose the IPv4 address of clients from OpenVPN's logs, you'll
only get the af-to "source" address.

The better fix would be to add multiple socket support to OpenVPN.
In some old posts about this it was said it's not possible in a
single-instance non-threaded program: that's incorrect, but it may be a
bigger change (and more work) than they'd like.

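A worked example of the 'multihome' mechanism described above, added here and
not taken from OpenVPN or OpenBSD: a UDP server bound to the wildcard address
learns the destination of each datagram from the IP_RECVDSTADDR ancillary data
and sends its reply with IP_SENDSRCADDR, so the client sees the answer come
from the address it wrote to. Assumptions that are not on the page: the Linux
branch uses IP_PKTINFO (Linux has no IP_RECVDSTADDR) with a locally declared
copy of in_pktinfo's layout, the exchange runs over loopback, and the
function and type names are mine.

```c
/* Added example, not OpenVPN's or OpenBSD's code: the 'multihome' technique for
 * a UDP server bound to the wildcard address. Each datagram's destination is read
 * from ancillary data (IP_RECVDSTADDR on OpenBSD/FreeBSD, IP_PKTINFO on Linux)
 * and the reply is sent with that address as source (IP_SENDSRCADDR, same value
 * as IP_RECVDSTADDR on OpenBSD; IP_PKTINFO again on Linux). */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/time.h>
#include <string.h>
#include <unistd.h>

#ifdef __linux__
/* Mirrors the kernel's struct in_pktinfo (assumed glibc/musl layout), so that
 * _GNU_SOURCE need not be defined before the includes. */
typedef struct { int ifindex; struct in_addr spec_dst; struct in_addr addr; } payload_t;
#define RECV_OPT IP_PKTINFO
#define SEND_OPT IP_PKTINFO
#else
typedef struct in_addr payload_t;
#define RECV_OPT IP_RECVDSTADDR
#define SEND_OPT IP_SENDSRCADDR
#endif

/* Find the destination address among a received datagram's control messages.
 * Returns 0 and fills *dst, or -1 if no well-formed message is present. */
int extract_dstaddr(struct msghdr *msg, struct in_addr *dst)
{
    struct cmsghdr *cm; payload_t p;
    for (cm = CMSG_FIRSTHDR(msg); cm != NULL; cm = CMSG_NXTHDR(msg, cm)) {
        if (cm->cmsg_level != IPPROTO_IP || cm->cmsg_type != RECV_OPT ||
            cm->cmsg_len < CMSG_LEN(sizeof(p)))
            continue;
        memcpy(&p, CMSG_DATA(cm), sizeof(p));
#ifdef __linux__
        *dst = p.addr;                  /* header destination address */
#else
        *dst = p;
#endif
        return 0;
    }
    return -1;
}

/* Send a reply with an explicit source address. cmsg_len must be exactly
 * CMSG_LEN(sizeof(payload)) and msg_controllen CMSG_SPACE() of it: OpenBSD
 * validates the control message strictly and answers a sloppy one with EINVAL. */
ssize_t send_from(int fd, const void *buf, size_t len,
                  const struct sockaddr_in *to, struct in_addr src)
{
    union { struct cmsghdr h; unsigned char b[CMSG_SPACE(sizeof(payload_t))]; } cb;
    struct msghdr msg; struct iovec iov; struct cmsghdr *cm; payload_t p;
    memset(&cb, 0, sizeof(cb)); memset(&msg, 0, sizeof(msg)); memset(&p, 0, sizeof(p));
    iov.iov_base = (void *)buf; iov.iov_len = len;
    msg.msg_name = (void *)to; msg.msg_namelen = sizeof(*to);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cb.b; msg.msg_controllen = sizeof(cb.b);
    cm = CMSG_FIRSTHDR(&msg); cm->cmsg_level = IPPROTO_IP; cm->cmsg_type = SEND_OPT;
    cm->cmsg_len = CMSG_LEN(sizeof(p));
#ifdef __linux__
    p.spec_dst = src;                   /* Linux takes the source from ipi_spec_dst */
#else
    p = src;
#endif
    memcpy(CMSG_DATA(cm), &p, sizeof(p));
    return sendmsg(fd, &msg, 0);
}

/* Loopback round trip: a wildcard-bound server answers a client that sent to
 * 'target'. Returns 1 when the server extracted 'target' as the destination and
 * the client saw the reply arrive from 'target', else 0. */
int multihome_roundtrip(const char *target)
{
    union { struct cmsghdr h; unsigned char b[256]; } cb;
    struct sockaddr_in any = {0}, to = {0}, peer = {0}, from = {0}; /* any = 0.0.0.0:0 */
    struct timeval tv = { 2, 0 };       /* don't hang if the reply is lost */
    struct msghdr msg = {0}; struct iovec iov; struct in_addr dst;
    socklen_t sl = sizeof(any); char buf[16];
    int one = 1, ok = 0;
    int srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0);
    any.sin_family = to.sin_family = AF_INET;
    if (srv < 0 || cli < 0 || inet_pton(AF_INET, target, &to.sin_addr) != 1 ||
        bind(srv, (struct sockaddr *)&any, sizeof(any)) < 0 ||
        setsockopt(srv, IPPROTO_IP, RECV_OPT, &one, sizeof(one)) < 0 ||
        getsockname(srv, (struct sockaddr *)&any, &sl) < 0 ||
        setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0)
        goto out;
    to.sin_port = any.sin_port;         /* the server's ephemeral port */
    if (sendto(cli, "ping", 4, 0, (struct sockaddr *)&to, sizeof(to)) != 4) goto out;
    iov.iov_base = buf; iov.iov_len = sizeof(buf);
    msg.msg_name = &peer; msg.msg_namelen = sizeof(peer);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cb.b; msg.msg_controllen = sizeof(cb.b);
    if (recvmsg(srv, &msg, 0) != 4 || extract_dstaddr(&msg, &dst) < 0 ||
        send_from(srv, "pong", 4, &peer, dst) != 4) goto out;
    sl = sizeof(from);
    if (recvfrom(cli, buf, sizeof(buf), 0, (struct sockaddr *)&from, &sl) != 4) goto out;
    /* both the extracted destination and the reply's source must equal 'target' */
    ok = dst.s_addr == to.sin_addr.s_addr && from.sin_addr.s_addr == to.sin_addr.s_addr;
out:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return ok;
}

int main(void) { return multihome_roundtrip("127.0.0.1") ? 0 : 1; }
```

multihome_roundtrip("127.0.0.1") returns 1 when the whole path works. On Linux
you can also pass 127.0.0.2 (all of 127/8 sits on lo there), which makes the
point visible: without the IP_PKTINFO on the reply the kernel would have
picked 127.0.0.1 as source, and a client that had connect()ed its socket to
127.0.0.2 would drop the answer. OpenBSD configures only 127.0.0.1 on lo0, so
use a real interface address there. The length handling in send_from is the
"cmsg bits" that has to be exactly right for OpenBSD to accept the reply.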
