Hello everyone,

Since 2015, I have been a happy user of ocserv. I like that it is easy to configure, and the fact that a lot of computers come with pre-installed AnyConnect clients that I can re-purpose for my use ;-) Big thanks to all developers/contributors for that fine and useful piece of software!

Now my problem: In one of my standard configurations, I run ocserv behind proprietary routers on a small ARM-based computer. On that, I use Armbian, which is a Debian derivative with a 5.7 Linux kernel optimized for ARM boards. Armbian is configured to be systemd-free and runs SysV init. Ports 443 UDP/TCP are port-forwarded to the ARM board so that they are reachable from the internet. The IP configuration is static.

Configuration is minimal:
----
auth="plain[/etc/ocserv/ocpasswd]"
server-key=/etc/ocserv/mykeys/server.key
server-cert=/etc/ocserv/mykeys/server.crt

run-as-user = nobody
run-as-group = daemon

listen-host = 0.0.0.0

socket-file = /var/run/ocserv-socket
device = vpns
dns=8.8.8.8

ipv4-network = 192.168.7.32/27

# TCP and UDP port number
tcp-port = 443
udp-port = 443

route = 0.0.0.0/0.0.0.0

compression = false

max-same-clients = 10
max-clients = 10
----

On Debian 9 with ocserv version 0.11.6, the routing behavior is as expected:
- user connects
- ocserv creates a route pointing to the vpn device the user is assigned to
- after the user disconnects: the vpn route is removed

After upgrading to Debian 10 (current Armbian with kernel 5.7.15), ocserv was upgraded to version 0.12.2. With the same configuration, the routing behavior changed to the following:
- user connects
- ocserv creates a route pointing to the vpn device the user is assigned to
- Strange: the default route changes to the hostname of the host ocserv is running on
- User disconnects: vpn route is removed / the original route is restored

Obviously, the changed default route renders my IPv4 connectivity broken. On my system, there is no fw script.

To track down the problem, I compiled version 0.11.12 on that system. I can confirm that that version works as expected.

I also compiled 0.12.0 on that system and can confirm that the unexpected behavior starts with that version. I also compiled version 1.1.0 and can confirm the unexpected behavior for that version.

To learn about the differences between 0.11.12 and 0.12.0, I made a diff but was lost when I found out that a lot of changes have been made.

I would be pleased if some reader has a clue which change in the code is causing the different behavior and, moreover, how I can have a functioning ocserv > 0.11.12.

If needed, I can compile/test patches on my side (if there is a prebuilt configure script -- compiling from bare git with autoconfig turned out to be hard ...). I can provide further information such as logs, configuration etc.


Kind Regards

  Sven
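Added example (not from the original post): a small POSIX sh check that compares `ip -4 route show` snapshots taken before and after a client connects and reports whether the host's default route was replaced, which is the symptom described above. The route lines below are constructed sample values, not output from the reporter's system.

```shell
#!/bin/sh
# Constructed snapshots of `ip -4 route show` on an ocserv host (sample values):
# one taken before a client connects, one taken after.
ROUTES_BEFORE='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'
ROUTES_AFTER='default dev vpns0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
192.168.7.33 dev vpns0 scope link'

# Print the first default-route line of a snapshot (empty if there is none).
default_route() {
    printf '%s\n' "$1" | grep '^default ' | head -n 1
}

# Exit 0 if the default route differs between two snapshots, 1 otherwise.
default_route_changed() {
    [ "$(default_route "$1")" != "$(default_route "$2")" ]
}

# Print the routes pointing at a vpns* device that exist only in the second
# snapshot, i.e. what the client connection added.
vpn_routes_added() {
    t=$(mktemp)
    printf '%s\n' "$1" | grep ' dev vpns' | sort > "$t"
    printf '%s\n' "$2" | grep ' dev vpns' | sort | comm -13 "$t" -
    rm -f "$t"
}

# Human-readable report; exit status 1 when the default route was replaced.
report_route_change() {
    echo "routes added by the connection:"
    vpn_routes_added "$1" "$2"
    if default_route_changed "$1" "$2"; then
        echo "WARNING: default route replaced:"
        echo "  before: $(default_route "$1")"
        echo "  after:  $(default_route "$2")"
        return 1
    fi
    echo "default route unchanged"
}

# Live use on the ocserv host (not executed here):
#   before=$(ip -4 route show); <client connects>; after=$(ip -4 route show)
#   report_route_change "$before" "$after"
report_route_change "$ROUTES_BEFORE" "$ROUTES_AFTER" || true
```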

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel