
OpenVPN: IPv4 no longer working after adding IPv6 support
Closed, Resolved | Public | BUG

Description

Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: RESOLVE: Cannot resolve host address: 172.18.202.10:1195 (Address family for hostname not supported)
Apr 19 17:55:47 LR2 openvpn-vtun1[8521]: Exiting due to fatal error

Bug introduced here https://github.com/vyos/vyos-1x/commit/bb9f99853c723c5100c3fffbc592ba79f3abebfe#diff-b706c6ec71f1314215d25bf1fcec7c08R21

As soon as udp6 is replaced with udp, all works nicely again.

Details

Difficulty level
Normal (likely a few hours)
Version
1.3-rolling-202004191028
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible

Event Timeline

c-po assigned this task to jjakob.Apr 19 2020, 3:59 PM
c-po created this task.
pasik added a subscriber: pasik.Apr 19 2020, 4:01 PM
jjakob changed the task status from Open to In progress.Apr 20 2020, 6:17 PM
jjakob moved this task from Need Triage to In Progress on the VyOS 1.3 Equuleus board.
jjakob changed the task status from In progress to Needs testing.Apr 20 2020, 8:04 PM

@c-po can you please test if this now works, if so the task can be closed. My testing showed that it does.

c-po added a comment.Apr 22 2020, 5:59 AM

Works for me

c-po closed this task as Resolved.Apr 22 2020, 5:59 AM
elbandi added a subscriber: elbandi.Apr 23 2020, 12:09 AM (edited)

This code doesn't break if IPv6 is disabled system-wide:

openvpn['protocol_real'] = openvpn['protocol'][:3]
if not is_ipv4(openvpn['local_host']) and not detect_if_systemipv6_is_disabled():
   openvpn['protocol_real'] += "6"

if openvpn['protocol'] == 'tcp-active':
   openvpn['protocol_real'] += '-client'
elif openvpn['protocol'] == 'tcp-passive':
   openvpn['protocol_real'] = '-server'

Looks good. Is detect_if_systemipv6_is_disabled() already a system function? If so, it can be incorporated (by you if you wish, or by me). The last line is missing += by the way.


c-po added a subscriber: dmbaturin.Apr 23 2020, 6:04 AM

Disabling IPv6 on the system is something not mainlined in VyOS - there are open PRs on GitHub which need to be approved by @dmbaturin. Disabling IPv6 would also require the CLI to disable all IPv6 inputs dynamically, which is not possible at the moment.

elbandi added a comment.Apr 23 2020, 12:00 PM (edited)

@jjakob detect_if_systemipv6_is_disabled is just an idea, but looking at interfaces-openvpn.py, it's easy:

is_ipv6_disabled = conf.exists('system ipv6 disable')

before conf.set_level in get_config. so:

if not is_ipv4(openvpn['local_host']) and not is_ipv6_disabled:

@c-po system-wide IPv6 disable is working well in 1.3-20200324. I would be sad if it were removed :(

c-po moved this task from In Progress to Finished on the VyOS 1.3 Equuleus board. Fri, May 22, 10:37 AM

Hi,

This bug exists for remote-host as well.


remote-host fix attempt:
https://github.com/vyos/vyos-1x/pull/443 (T2550#66134)

Indeed, I didn't test client mode with the IPv6 patch. I assumed OpenVPN would use 'proto' for the listening socket only and not for the client socket (since it could detect which family the remote-host address belongs to, it could select the correct socket, but it honors the 'proto' in the config), so my assumption was wrong. I appreciate the help.
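The following is an added example, not code from vyos-1x or from anyone in this thread. It takes the protocol_real rule elbandi posted above (append "6" only when local-host is not an IPv4 literal and IPv6 is not disabled system-wide, with the "+=" that the snippet dropped on the tcp-passive branch) and extends it to remote-host as the later comments require, because OpenVPN applies 'proto' to the client socket too: forcing udp6 against 172.18.202.10 is exactly what produced "RESOLVE: Cannot resolve host address ... (Address family for hostname not supported)" in the report. The ipv6_disabled flag stands in for conf.exists('system ipv6 disable'); the address-family conflict check, the proto_error() wrapper and the socket_lines() renderer are my additions and not part of interfaces-openvpn.py.

```python
"""Choose OpenVPN's 'proto' value from VyOS-style openvpn settings (added example)."""
import ipaddress

# Assumed CLI protocol values, as they appear in the thread.
PROTOCOLS = ("udp", "tcp-active", "tcp-passive")


def address_family(addr):
    """Return 4 or 6 for an IP literal, None for an unset value or a hostname."""
    if not addr:
        return None
    try:
        return ipaddress.ip_address(addr).version
    except ValueError:
        return None


def openvpn_proto(protocol, local_host=None, remote_host=None, ipv6_disabled=False):
    """Build the string emitted after 'proto' in the generated OpenVPN config.

    Both local-host (listening side) and remote-host (client side) are
    considered, because OpenVPN honours 'proto' for both sockets.
    ipv6_disabled stands in for conf.exists('system ipv6 disable') (assumption).
    """
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol!r}")

    families = {address_family(a) for a in (local_host, remote_host)} - {None}
    if len(families) > 1:
        # e.g. local-host 2001:db8::1 with remote-host 192.0.2.1: no single
        # proto value serves both, so reject at commit time rather than
        # letting openvpn exit with a fatal RESOLVE error.
        raise ValueError("local-host and remote-host use different address families")
    if 6 in families and ipv6_disabled:
        raise ValueError("IPv6 address configured while IPv6 is disabled system-wide")

    proto = protocol[:3]  # 'udp' or 'tcp'
    # Same rule as the thread's snippet, applied to both addresses: append
    # '6' unless an IPv4 literal pins the socket or IPv6 is disabled.
    if 4 not in families and not ipv6_disabled:
        proto += "6"

    if protocol == "tcp-active":
        proto += "-client"
    elif protocol == "tcp-passive":
        proto += "-server"  # '+=' here; the snippet in the thread used '='
    return proto


def proto_error(protocol, **settings):
    """Return the validation message for a rejected combination, else None."""
    try:
        openvpn_proto(protocol, **settings)
    except ValueError as exc:
        return str(exc)
    return None


def socket_lines(protocol, local_host=None, remote_host=None, port=1194,
                 ipv6_disabled=False):
    """Render the socket-related lines of the OpenVPN config file."""
    lines = ["proto " + openvpn_proto(protocol, local_host, remote_host, ipv6_disabled),
             f"port {port}"]  # OpenVPN's --port applies to local and remote alike
    if local_host:
        lines.append(f"local {local_host}")
    if remote_host:
        lines.append(f"remote {remote_host}")
    return lines


if __name__ == "__main__":
    # Constructed input mirroring the reporter's setup: site-to-site over UDP
    # to 172.18.202.10:1195. Emitting 'udp6' here is the bug; 'udp' is correct.
    for line in socket_lines("udp", remote_host="172.18.202.10", port=1195):
        print(line)
    print(proto_error("udp", local_host="2001:db8::1", remote_host="192.0.2.1"))
```

Run stand-alone it prints "proto udp", "port 1195", "remote 172.18.202.10" for the reporter's case, then the conflict message for a mixed-family pair. Rejecting a mixed-family local-host/remote-host pair at commit time is the check a practitioner wants here: OpenVPN would otherwise only report the mismatch as the fatal RESOLVE error seen in the log.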