OpenVPN / openvpn

OpenVPN is an open source VPN daemon
http://openvpn.net

A response is returned with a temporary address even if a fixed address is used for access when using IPv6 address. #563

Closed saga-kana closed 1 month ago

saga-kana commented 1 month ago

IMPORTANT NOTE Bugs about OpenVPN Access Server, OpenVPN Connect or any other product by OpenVPN Inc. should be directly reported to OpenVPN Inc. at https://support.openvpn.net

Describe the bug

A response is returned with a temporary address even if a fixed address is used for access when using an IPv6 address. $temporary_addr is the temporary address and $mngmtaddr is the fixed address.

2024-06-01 11:09:09 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2024-06-01 11:09:09 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2024-06-01 11:09:09 OpenVPN 2.6.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2024-06-01 11:09:09 library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
2024-06-01 11:09:09 DCO version: N/A
2024-06-01 11:09:09 TCP/UDP: Preserving recently used remote address: [AF_INET6]$mngmtaddr:1194
2024-06-01 11:09:09 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-06-01 11:09:09 UDPv6 link local: (not bound)
2024-06-01 11:09:09 UDPv6 link remote: [AF_INET6]$mngmtaddr:1194
2024-06-01 11:09:09 TCP/UDP: Incoming packet rejected from [AF_INET6]$temporary_addr:1194[10], expected peer address: [AF_INET6]$mngmtaddr:1194 (allow this incoming source address/port by removing --remote or adding --float)
2024-06-01 11:09:11 TCP/UDP: Incoming packet rejected from [AF_INET6]$temporary_addr:1194[10], expected peer address: [AF_INET6]$mngmtaddr:1194 (allow this incoming source address/port by removing --remote or adding --float)
^C2024-06-01 11:09:13 event_wait : Interrupted system call (fd=-1,code=4)
2024-06-01 11:09:13 SIGINT[hard,] received, process exiting

To Reproduce

Server: Ubuntu 24.04, OpenVPN 2.6.9
Client: Ubuntu 24.04, OpenVPN 2.6.9

server.conf

proto udp6
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/pki/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:0:123::/64
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0 # This file is secret
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

client.ovpn

client
dev tun
proto udp
remote $mngmtaddr 1194
#remote ::1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
</ca>
<cert>
</cert>
<key>
</key>
remote-cert-tls server
key-direction 1
<tls-auth>
</tls-auth>
cipher AES-256-CBC
verb 3

Expected behavior

Initialization Sequence Completed

Version information
Server: Ubuntu 24.04, OpenVPN 2.6.9
Client: Ubuntu 24.04, OpenVPN 2.6.9


cron2 commented 1 month ago

Try putting multihome in the server config.

saga-kana commented 1 month ago

Thank you for your reply.

I added "multihome" to server.conf and tested it, but the result was the same. Do I need any other network configuration besides editing server.conf?

cron2 commented 1 month ago

server log (verb 4), please? multihome should do exactly what you need: reply with the very same address the incoming packet was sent to. With UDP, this is not automatic, alas, as soon as multiple IP addresses of the same family come into play.

Or disable privacy addresses, which do not make much sense on a server anyway (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt, use_tempaddr=0)
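The script below is an added example written for this thread; it is not code from the OpenVPN project or from either participant. It turns the two suggestions above (add multihome, disable privacy addresses) and the report's server.conf and log into repeatable checks: it pulls the rejected/expected address pairs out of the client log, counts RFC 4941 temporary addresses in `ip -6 addr show` output, tests whether a UDP server.conf lacks `multihome`, flags the deprecated `cipher AES-256-CBC` without `data-ciphers` that the log warns about, and applies the fix on the server. The log line, the `ip` output, the interface name eth0, the sysctl.d file name and the systemd unit name are constructed or assumed, not taken from the reporter's machine.

```shell
#!/bin/sh
# Added example for this thread (not OpenVPN project code): triage and fix the
# "Incoming packet rejected from ... expected peer address" symptom on a Linux
# OpenVPN server that has several IPv6 addresses of the same scope.
set -eu

# Print "rejected-source expected-peer" pairs from client log lines on stdin.
# Two different addresses with the same port means the server answered from
# an address other than the one the client sent to (no multihome, or a
# privacy address won the kernel's source address selection).
rejected_pairs() {
    sed -nE 's/.*Incoming packet rejected from \[AF_INET6\]([^ ,[]+)(\[[0-9]+\])?, expected peer address: \[AF_INET6\]([^ ]+) .*/\1 \3/p'
}

# Count RFC 4941 temporary (privacy) addresses in `ip -6 addr show <iface>`
# output on stdin; each one is an extra candidate source address for replies.
count_temp_addrs() {
    grep -Ec '^[[:space:]]*inet6[[:space:]].*[[:space:]]temporary' || true
}

# Exit 0 when the server.conf on stdin uses UDP but has no `multihome` line,
# i.e. replies may leave from whichever address the kernel prefers.
multihome_missing() {
    conf=$(cat)
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*proto[[:space:]]+udp[46]?([[:space:]]|$)' || return 1
    ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*multihome([[:space:]]|$)'
}

# Exit 0 when the server.conf on stdin still relies on `cipher AES-256-CBC`
# without a `data-ciphers` list: 2.6 negotiates from --data-ciphers (AEAD by
# default) and ignores --cipher, which is what the DEPRECATED OPTION warning
# in the report says.
legacy_cipher_only() {
    conf=$(cat)
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*cipher[[:space:]]+AES-256-CBC' || return 1
    ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*data-ciphers[[:space:]]'
}

# Remediation, to be run as root on the real server. $1 = server.conf path,
# $2 = interface name. The sysctl.d file name and the systemd unit name are
# assumptions for a Debian/Ubuntu style install.
fix_server() {
    if multihome_missing < "$1"; then
        printf '\n# reply from the address the packet arrived on\nmultihome\n' >> "$1"
    fi
    # Stop the kernel from generating privacy addresses on this interface.
    # Temporary addresses that already exist are not necessarily removed at
    # once; verify with `ip -6 addr show "$2"` afterwards and delete leftovers.
    sysctl -w "net.ipv6.conf.$2.use_tempaddr=0"
    printf 'net.ipv6.conf.%s.use_tempaddr = 0\n' "$2" > /etc/sysctl.d/90-openvpn-no-tempaddr.conf
    systemctl restart "openvpn-server@$(basename "$1" .conf)"
}

# --- constructed sample data, modelled on the report (not real captures) ---
SAMPLE_LOG='2024-06-01 11:09:09 TCP/UDP: Incoming packet rejected from [AF_INET6]2001:db8:1::f7a1:1194[10], expected peer address: [AF_INET6]2001:db8:1::10:1194 (allow this incoming source address/port by removing --remote or adding --float)'
SAMPLE_IP='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::f7a1/64 scope global temporary dynamic
       valid_lft 86173sec preferred_lft 14173sec
    inet6 2001:db8:1::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe12:3456/64 scope link'
SAMPLE_CONF='proto udp6
dev tun
cipher AES-256-CBC'

printf 'rejected/expected: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | rejected_pairs)"
printf 'temporary addresses on eth0: %s\n' "$(printf '%s\n' "$SAMPLE_IP" | count_temp_addrs)"
if printf '%s\n' "$SAMPLE_CONF" | multihome_missing; then echo 'server.conf: add multihome'; fi
if printf '%s\n' "$SAMPLE_CONF" | legacy_cipher_only; then echo 'server.conf: replace cipher with data-ciphers'; fi
```

On a live server the same functions take real input: `ip -6 addr show eth0 | count_temp_addrs`, `multihome_missing < /etc/openvpn/server/server.conf`, and `fix_server /etc/openvpn/server/server.conf eth0` as root. The log check is the quickest confirmation that this is the multi-address problem rather than a firewall or `--float` issue: the rejected source and the expected peer differ in address but share the port.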

saga-kana commented 1 month ago

I'm sorry, the settings were not reflected correctly. I tried again with the multihome option and succeeded in connecting.

I agree with disabling privacy addresses on a server. Thank you for your advice.