
OpenVPN: IPv4 no longer working after adding IPv6 support
Closed, Resolved | Public | BUG

Description

Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: RESOLVE: Cannot resolve host address: 172.18.202.10:1195 (Address family for hostname not supported)
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: Exiting due to fatal error

Bug introduced here https://github.com/vyos/vyos-1x/commit/bb9f99853c723c5100c3fffbc592ba79f3abebfe#diff-b706c6ec71f1314215d25bf1fcec7c08R21

As soon as udp6 is replaced with udp all works nicely again.

Details

Difficulty level: Normal (likely a few hours)
Version: 1.3-rolling-202004191028
Why the issue appeared? Will be filled on close
Is it a breaking change? Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

c-po created this task.
jjakob changed the task status from Open to In progress. Apr 20 2020, 6:17 PM
jjakob moved this task from Need Triage to In Progress on the VyOS 1.3 Equuleus board.
jjakob changed the task status from In progress to Needs testing. Apr 20 2020, 8:04 PM

@c-po can you please test if this now works, if so the task can be closed. My testing showed that it does.

This code doesn't break if IPv6 is disabled system-wide:

openvpn['protocol_real'] = openvpn['protocol'][:3]
if not is_ipv4(openvpn['local_host']) and not detect_if_systemipv6_is_disabled():
   openvpn['protocol_real'] += "6"

if openvpn['protocol'] == 'tcp-active':
   openvpn['protocol_real'] += '-client'
elif openvpn['protocol'] == 'tcp-passive':
   openvpn['protocol_real'] = '-server'

Looks good. Is detect_if_systemipv6_is_disabled() already a system function? If so, it can be incorporated (by you if you wish, or by me). The last line is missing += by the way.

Apr 23, 2020 2:10:08 AM elbandi (Elbandi) <phabricator@mg.vyos.io>:

elbandi added a comment.

my code is:

openvpn['protocol_real'] = openvpn['protocol'][:3]
if not is_ipv4(openvpn['local_host']) and not detect_if_systemipv6_is_disabled():
    openvpn['protocol_real'] += "6"

if openvpn['protocol'] == 'tcp-active':
    openvpn['protocol_real'] += '-client'
elif openvpn['protocol'] == 'tcp-passive':
    openvpn['protocol_real'] = '-server'


Disabling IPv6 on the system is something not mainlined in VyOS - there are open PRs on GitHub which need to be approved by @dmbaturin, as disabling IPv6 would also require the CLI to disable all IPv6 inputs dynamically, which is something not possible at the moment.

@jjakob detect_if_systemipv6_is_disabled is just an idea, but looking at interfaces-openvpn.py, it's easy:

is_ipv6_disabled = conf.exists('system ipv6 disable')

before conf.set_level in get_config. So:

if not is_ipv4(openvpn['local_host']) and not is_ipv6_disabled:

@c-po system-wide IPv6 disable is working well in 1.3-20200324. I would be sad if it was removed :(

Hi,

This bug exists for remote-host as well.

remote-host fix attempt:
https://github.com/vyos/vyos-1x/pull/443 (T2550#66134)

Indeed, I didn't test client mode with the IPv6 patch, I assumed openvpn would use 'proto' for the listening socket only and not for the client socket (since it could detect which family the remote-host address is, it could select the correct socket, but it honors the 'proto' in the config) so my assumption was wrong. I appreciate the help.
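The derivation of OpenVPN's proto value that the comments above describe, covering both the listening (local-host) socket and the client (remote-host) socket, as an added example that is not vyos-1x code. It uses the standard ipaddress module in place of VyOS's is_ipv4 helper and assumes local-host takes precedence when both local-host and remote-host are configured:

```python
# Added example, not vyos-1x code. 'protocol' is the VyOS CLI value
# (udp, tcp-active or tcp-passive); hosts are address literals or hostnames.
import ipaddress


def _is_ipv6_literal(host):
    """True only for an IPv6 address literal; IPv4 literals and hostnames give False."""
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).version == 6
    except ValueError:
        return False  # hostname: let OpenVPN resolve it, do not force a family


def real_protocol(protocol, local_host=None, remote_host=None, ipv6_disabled=False):
    """Build the value written to OpenVPN's 'proto' option.

    The bug in the thread appended '6' based on local-host only, so a client
    with an IPv4 remote-host still got 'udp6' and failed with
    'Address family for hostname not supported'. Here the family is taken
    from whichever peer address the socket will actually use (assumption:
    local-host wins when both are set).
    """
    proto = protocol[:3]  # 'udp' or 'tcp'
    peer = local_host if local_host else remote_host
    if _is_ipv6_literal(peer) and not ipv6_disabled:
        proto += '6'
    if protocol == 'tcp-active':
        proto += '-client'
    elif protocol == 'tcp-passive':
        proto += '-server'
    return proto


def family_mismatch(proto, peer):
    """Flag the misconfiguration from the log: a forced-IPv6 proto with an IPv4 peer."""
    forced_v6 = proto.startswith(('udp6', 'tcp6'))
    try:
        return forced_v6 and ipaddress.ip_address(peer).version == 4
    except ValueError:
        return False  # hostname: family is decided at resolve time
```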

erkin set Issue type to Bug (incorrect behavior). Aug 30 2021, 6:45 AM
erkin removed a subscriber: Active contributors.