OpenVPN / openvpn3

OpenVPN 3 is a C++ class library that implements the functionality of an OpenVPN client, and is protocol-compatible with the OpenVPN 2.x branch.
https://openvpn.net

ipv6 block #104

Open YuriyNess opened 4 years ago

YuriyNess commented 4 years ago

Is it possible to block ipv6 requests? How to implement ipv6 block?

dsommers commented 4 years ago

This sounds more like a firewall question than OpenVPN related question. What are you trying to achieve?

cron2 commented 4 years ago

Hi,

On Fri, Mar 20, 2020 at 03:19:40AM -0700, David Sommerseth wrote:

This sounds more like a firewall question than OpenVPN related question. What are you trying to achieve?

OpenVPN 2 has "--block-ipv6" to ensure that no IPv6 packets are ever leaking around the tunnel (if the client machine has IPv6, but the VPN server has not).

gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany gert@greenie.muc.de

schwabe commented 4 years ago

block-ipv6 will actually only send an ICMPv6 reject if an IPv6 packet goes via the tunnel. You still need to redirect the traffic to the VPN.

The man page has an example how to use it on OpenVPN2. OpenVPN3 currently does not have a similar feature.

cron2 commented 4 years ago

Hi,

On Fri, Mar 20, 2020 at 03:44:34AM -0700, Arne Schwabe wrote:

block-ipv6 will actually only send icmp6 reject if a ipv6 packet goes via the tunnel. you still need to redirect the traffic to the vpn

--block-ipv6 --redirect-gateway ipv6

indeed :)

gert


dsommers commented 4 years ago

The man page has an example how to use it on OpenVPN2. OpenVPN3 currently does not have a similar feature.

Ehm, which man page?

(release/2.4) $ git grep block-ip | wc -l
0
(release/2.4) $ git checkout master
(master) $ git grep block-ip
src/openvpn/options.c:    "--block-ipv6     : (Client) Instead sending IPv6 to the server generate\n"
src/openvpn/options.c:    else if (streq(p[0], "block-ipv6") && !p[1])

My master branch points at git commit e1eb630df1b3ef5df88afd51003fbec40e5d6d67 and release/2.4 at 8484f37a62ce4f1b8efe7644c6ddb28819c4f8ae

cron2 commented 4 years ago

Hi,

On Mon, Mar 23, 2020 at 03:12:20PM -0700, David Sommerseth wrote:

The man page has an example how to use it on OpenVPN2. OpenVPN3 currently does not have a similar feature.

Ehm, which man page?

Ours :-)

$ git grep block.*ip
doc/openvpn.8:.B --block-ipv6
doc/openvpn.8:.B --block-ipv6
doc/openvpn.8:.B --block-ipv6
doc/openvpn.8:.B --block-ipv6

gert

dsommers commented 4 years ago

Duh ... right! (Looking forward to get rid of *roff source files and this ugliness, but that's a different story :wink:)

But that said, I only see this in the 'master' branch, so this feature is not found in a released version yet.

The man page says:

   --block-ipv6
          On the client, instead of sending IPv6 packets over the VPN
          tunnel, all IPv6 packets are answered with an ICMPv6 no route
          to host message. On the server, all IPv6 packets from clients
          are answered with an ICMPv6 no route to host message. This
          option is intended for cases when IPv6 should be blocked and
          other options are not available. --block-ipv6 will use the
          remote IPv6 as source address of the ICMPv6 packets if set,
          otherwise will use fe80::7 as source address.

          For this option to make sense you actually have to route traffic
          to the tun interface. The following example config block would
          send all IPv6 traffic to OpenVPN and answer all requests with no
          route to host, effectively blocking IPv6.

          # client config
          --ifconfig-ipv6 fd15:53b6:dead::2/64  fd15:53b6:dead::1
          --redirect-gateway ipv6
          --block-ipv6

          # Server config, push a "valid" ipv6 config to the client and block
          # on the server
          --push "ifconfig-ipv6 fd15:53b6:dead::2/64  fd15:53b6:dead::1"
          --push "redirect-gateway ipv6"
          --block-ipv6

And if the goal of this issue is to block IPv6, isn't it better to just do ip6tables -I OUTPUT -j REJECT --reject-with icmp6-no-route on the client?
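To make concrete what the man page excerpt above (and Arne's earlier point that block-ipv6 only answers packets that were actually routed into the tun) describes, here is an added example, written for this page and not taken from OpenVPN 2 or OpenVPN 3: a small Python model of the reply side. Given an IPv6 packet that has reached the tunnel, it builds the ICMPv6 Destination Unreachable reply (type 1, code 0, "no route to destination"), sourced from the configured remote IPv6 when there is one and from fe80::7 otherwise, with a correct checksum over the IPv6 pseudo-header. The rule that an ICMPv6 error is never generated in response to another ICMPv6 error or to a multicast destination comes from RFC 4443 section 2.4, not from the thread; the sample packet and the fd15:53b6:dead::1 remote (the man page's example address) are constructed test input.

```python
"""Added example, not OpenVPN code: model of what --block-ipv6 does to an
IPv6 packet that routing has already delivered to the tun device."""
import ipaddress
import struct

IPV6_HDR_LEN = 40
ICMPV6_HDR_LEN = 8
ICMPV6_NEXT_HEADER = 58
IPV6_MIN_MTU = 1280
DEFAULT_SRC = "fe80::7"  # fallback source address named in the man page


def icmpv6_checksum(src: bytes, dst: bytes, message: bytes) -> int:
    """RFC 4443 checksum: ones-complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, zeros, next header) plus the ICMPv6 message.
    Returns 0 when run over a message whose checksum field is already correct."""
    pseudo = (src + dst + struct.pack("!I", len(message))
              + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src, dst, next_header: int, payload: bytes) -> bytes:
    """Minimal IPv6 header (version 6, no traffic class/flow label, hop limit 64)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def block_ipv6_reply(packet: bytes, remote_ipv6=None):
    """Return the ICMPv6 no-route reply for `packet`, or None when the packet
    must be dropped silently: not IPv6, itself an ICMPv6 error, or sent to a
    multicast address (RFC 4443 2.4 forbids error replies in those cases)."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        return None
    next_header = packet[6]
    orig_src = ipaddress.IPv6Address(packet[8:24])
    orig_dst = ipaddress.IPv6Address(packet[24:40])
    if orig_dst.is_multicast or orig_src.is_multicast or orig_src.is_unspecified:
        return None
    if (next_header == ICMPV6_NEXT_HEADER and len(packet) > IPV6_HDR_LEN
            and packet[IPV6_HDR_LEN] < 128):  # ICMPv6 types below 128 are errors
        return None
    src = ipaddress.IPv6Address(remote_ipv6 if remote_ipv6 is not None else DEFAULT_SRC)
    # Quote as much of the offending packet as fits in the minimum IPv6 MTU.
    room = IPV6_MIN_MTU - IPV6_HDR_LEN - ICMPV6_HDR_LEN
    msg = struct.pack("!BBHI", 1, 0, 0, 0) + packet[:room]  # type 1, code 0, csum 0, unused
    csum = icmpv6_checksum(src.packed, orig_src.packed, msg)
    msg = msg[:2] + struct.pack("!H", csum) + msg[4:]
    return build_ipv6(src, orig_src, ICMPV6_NEXT_HEADER, msg)


def parse_reply(reply: bytes) -> dict:
    """Decode the fields a tester would check on a generated reply."""
    src = ipaddress.IPv6Address(reply[8:24])
    dst = ipaddress.IPv6Address(reply[24:40])
    icmp = reply[IPV6_HDR_LEN:]
    return {
        "src": str(src), "dst": str(dst),
        "type": icmp[0], "code": icmp[1],
        "checksum_ok": icmpv6_checksum(src.packed, dst.packed, icmp) == 0,
        "quoted": icmp[ICMPV6_HDR_LEN:],
    }


def sample_packet() -> bytes:
    """Constructed outbound packet: a TCP SYN to port 443 carried by IPv6, as a
    client would emit after redirect-gateway ipv6 pointed ::/0 at the tun."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return build_ipv6("2001:db8::1", "2001:db8:ffff::80", 6, tcp)


if __name__ == "__main__":
    pkt = sample_packet()
    for remote in (None, "fd15:53b6:dead::1"):
        info = parse_reply(block_ipv6_reply(pkt, remote))
        print("remote=%s reply %s -> %s type %d code %d checksum_ok=%s"
              % (remote, info["src"], info["dst"], info["type"], info["code"], info["checksum_ok"]))
```

Two things the model makes visible that the option text only implies: nothing here happens to a packet the host's routing table never hands to the tun, which is why `--redirect-gateway ipv6` (or an equivalent route) is mandatory for the option to block anything; and the reply is a genuine ICMPv6 error, so the sending application fails fast with "no route to host" instead of waiting for a timeout, which is the difference between this and a silent DROP in a host firewall.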

schwabe commented 4 years ago

@dsommers I created the patch for platforms where this is not easily possible like Android.

cron2 commented 4 years ago

Hi,

On Tue, Mar 24, 2020 at 04:59:15AM -0700, David Sommerseth wrote:

And if the goal of this issue is to block IPv6, isn't it better to just do ip6tables -I OUTPUT -j REJECT --reject-with icmp6-no-route on the client?

If all your world is Linux, certainly.

gert