Re: openvpn multihome on OpenBSD?
On 2017-06-18, Harald Dunkel wrote:
> Hi Stuart,
>
> On 06/17/17 17:09, Stuart Henderson wrote:
>>
>> It's trying to use a single socket for v4 and v6. That is never going
>> to work on OpenBSD.
>>
>> Try "bind ipv6only" and see if that helps.
>>
>
> Currently I have 2 openvpn servers listening on either IPv4
> or IPv6, each with its own address pool. Some road warriors
> require a fixed IPv4 address on the tunnel, regardless if they
> have IPv4 or IPv6 in their hotel room. Having a single openvpn
> server for both address families would have been the best way
> to stay out of troubles.

OpenVPN is one of those programs that is only able to bind to one address (ftp-proxy is another example). This is easy to work with on OS which allow v4-mapped addresses because they can just bind to :: and receive v4 and v6 packets on the single socket, but will fail on OpenBSD.

Additionally, on a UDP socket bound to :: or 0.0.0.0 on a machine which can receive packets to more than one address, it needs to look up the destination address of incoming packets so it can send replies with the correct source address. This is what the 'multihome' option does - on OpenBSD it will be doing this with IP_RECVDSTADDR (funnily it relies on IP_RECVDSTADDR and IP_SENDSRCADDR having the same value to set the address on replies). This probably hasn't been tested on OpenBSD yet; it might work as-is, but they might not have got the cmsg bits quite right (OpenBSD is stricter about this than most OS - you may remember the problem you had with dnsmasq which iirc was related to this).

Anyway: it won't be a super-clean setup, but you may be able to work around this for OpenVPN by having it listen on v6 only, bound to a specific address not :: (then you *don't* need multihome), and using NAT-PT (PF's "af-to" option) to redirect v4 traffic to it. However: you will lose the IPv4 address of clients from OpenVPN's logs, you'll only get the af-to "source" address.

The better fix would be to add multiple socket support to OpenVPN. In some old posts about this it was said it's not possible in a single-instance non-threaded program: that's incorrect, but it may be a bigger change (and more work) than they'd like.
Re: openvpn multihome on OpenBSD?
Hi Stuart,

On 06/17/17 17:09, Stuart Henderson wrote:
>
> It's trying to use a single socket for v4 and v6. That is never going
> to work on OpenBSD.
>
> Try "bind ipv6only" and see if that helps.
>

Currently I have 2 openvpn servers listening on either IPv4 or IPv6, each with its own address pool. Some road warriors require a fixed IPv4 address on the tunnel, regardless if they have IPv4 or IPv6 in their hotel room. Having a single openvpn server for both address families would have been the best way to stay out of troubles.

Thanx for your answer
Harri
Re: openvpn multihome on OpenBSD?
On 2017-06-17, Harald Dunkel wrote:
> Hi folks,
>
> AFAICS the openvpn 2.4.2 man page recommends a "multihome" feature
> for dual stack setups, but I can't make it work on OpenBSD (the
> openvpn server) in this case.
..
> Sat Jun 17 15:13:43 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
> Sat Jun 17 15:13:43 2017 setsockopt(IPV6_V6ONLY=0)
> Sat Jun 17 15:13:43 2017 UDP link local (bound): [AF_INET6][undef]:1194
..

It's trying to use a single socket for v4 and v6. That is never going to work on OpenBSD.

Try "bind ipv6only" and see if that helps.
Re: openvpn multihome on OpenBSD?
On Sat, Jun 17, 2017 at 3:41 PM, Harald Dunkel wrote:
> Hi folks,
>
> AFAICS the openvpn 2.4.2 man page recommends a "multihome" feature
> for dual stack setups, but I can't make it work on OpenBSD (the
> openvpn server) in this case.
>
> The logfile on the client shows
>
> Sat Jun 17 15:13:40 2017 OpenVPN 2.4.2 x86_64-pc-linux-gnu [SSL (OpenSSL)]
> [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 17 2017
> Sat Jun 17 15:13:40 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO
> 2.08
> Enter Private Key Password: **
> Sat Jun 17 15:13:43 2017 WARNING: No server certificate verification method
> has been enabled. See http://openvpn.net/howto.html#mitm for more info.
> Sat Jun 17 15:13:43 2017 NOTE: the current --script-security setting may
> allow this configuration to call user-defined scripts
> Sat Jun 17 15:13:43 2017 WARNING: this configuration may cache passwords in
> memory -- use the auth-nocache option to prevent this
> Sat Jun 17 15:13:43 2017 TCP/UDP: Preserving recently used remote address:
> [AF_INET6]2001:db80:13b0:::60:1195
> Sat Jun 17 15:13:43 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
> Sat Jun 17 15:13:43 2017 setsockopt(IPV6_V6ONLY=0)
> Sat Jun 17 15:13:43 2017 UDP link local (bound): [AF_INET6][undef]:1194
> Sat Jun 17 15:13:43 2017 UDP link remote:
> [AF_INET6]2001:db80:13b0:::60:1195
> Sat Jun 17 15:13:44 2017 TCP/UDP: Incoming packet rejected from
> [AF_INET6]:::5.145.xx.yy:1194[10], expected peer address:
> [AF_INET6]2001:db80:13b0:::60:1195 (allow this incoming source
> address/port by removing --remote or adding --float)
> Sat Jun 17 15:13:44 2017 or from peer address: [AF_INET]5.145.xx.yy:1195
> Sat Jun 17 15:13:48 2017 TCP/UDP: Incoming packet rejected from
> [AF_INET6]:::5.145.xx.yy:1194[10], expected peer address:
> [AF_INET6]2001:db80:13b0:::60:1195 (allow this incoming source
> address/port by removing --remote or adding --float)
> Sat Jun 17 15:13:48 2017 or from peer address: [AF_INET]5.145.xx.yy:1195
> Sat Jun 17 15:13:51 2017 TCP/UDP: Incoming packet rejected from
> [AF_INET6]:::5.145.xx.yy:1194[10], expected peer address:
> [AF_INET6]2001:db80:13b0:::60:1195 (allow this incoming source
> address/port by removing --remote or adding --float)
> Sat Jun 17 15:13:51 2017 or from peer address: [AF_INET]5.145.xx.yy:1195
> Sat Jun 17 15:13:54 2017 TCP/UDP: Incoming packet rejected from
> [AF_INET6]:::5.145.xx.yy:1194[10], expected peer address:
> [AF_INET6]2001:db80:13b0:::60:1195 (allow this incoming source
> address/port by removing --remote or adding --float)
> Sat Jun 17 15:13:54 2017 or from peer address: [AF_INET]5.145.xx.yy:1195
> Sat Jun 17 15:13:56 2017 event_wait : Interrupted system call (code=4)
> Sat Jun 17 15:13:56 2017 SIGINT[hard,] received, process exiting
>
>
> Please note the weird IPv6 addresses ":::5.145.xx.yy". 5.145.xx.yy
> is the OpenBSD server's IPv4 address, but it is not running IPv4 over
> IPv6.
>
> I tried the most recent openvpn in stable, of course. Every helpful
> comment is highly appreciated
> Harri
>
>

Hey Harri,

Those are ipv4-mapped ipv6 addresses (RFC 4291, https://tools.ietf.org/html/rfc4291).

Sterling