From patchwork Sun Mar 11 23:37:00 2018
X-Patchwork-Submitter: Teodor Milkov
X-Patchwork-Id: 271
To: openvpn-devel@lists.sourceforge.net
From: Teodor Milkov
Date: Mon, 12 Mar 2018 12:37:00 +0200
Subject: [Openvpn-devel] multihome broken in the presence of asymmetric routing

Hello,

I have the following multihomed setup:

            BGP1                        BGP2
             ^                           ^
             |                           |
+-----------+-----------+    +----------+-----------+
| IP1.1   IP1.2   IP1.3 |    | IP2.1  IP2.2   IP3.1 |
|                       |    |                      |
|                       |    |                      |
|          RTR1         |    |         RTR2         |
|                       |    |                      |
|                       |    |                      |
|          vIP          |    |         vIP          |
+-----------+-----------+    +----------+-----------+
             |                           |
             |                           |
             |                           |
             |            VRRP           |
             +---------------------------+

I.e. two routers with BGP to multiple ISPs. VRRP running at the inner side keeping one virtual IP (vIP) up at the master router.
Someday I hope I'll be able to use the vIP only for the openvpn server bind IP ("local" config option). Until then, for legacy reasons, I have to use the "multihome" config option, so that clients could connect to each of the 7 IPs (IP1.1, IP1.2, IP1.3, IP2.1, IP2.2, IP2.3, vIP).

Unfortunately, Linux would not respond to /some/ clients over UDP. It seems like this is due to the way "multihome" forces the output interface using IP_PKTINFO when we have an asymmetric path to/from vpn clients.

To provide single-socket UDP multihoming, openvpn uses the IP_PKTINFO data from recvmsg() and passes it as-is to sendmsg(). Apparently ipi_ifindex behaves in an interesting way under Linux. man 7 ip states:

    If IP_PKTINFO is passed to sendmsg(2) and ipi_spec_dst is not zero, then it is used as the local source address for the routing table lookup and for setting up IP source route options. When ipi_ifindex is not zero, the primary local address of the interface specified by the index overwrites ipi_spec_dst for the routing table lookup.

In my tests it's like /ipi_ifindex/ will override any routing table decision. But then if there is no routing table entry for the destination via that interface, the destination will be assumed to be on-link and will not be routed via a gateway. No error is returned to userspace, but if the destination does not respond to an ARP request on that link, the packet will be silently dropped.

That's what I see with tcpdump on the openvpn server: arp requests for the dst address of the openvpn client. For example, if a.b.c.100 is an openvpn client and x.y.z.1 is the virtual IP on the openvpn server to which the client tries to connect:

11:52:40.695830 ARP, Request who-has a.b.c.100 tell x.y.z.1, length 28

I got it working by patching socket.c in the following manner:

I guess this should be confirmed by someone else too, and I haven't looked into the IPv6 side at all, but the above patch works for me ™.
Best regards,
Teodor Milkov

--- openvpn-2.4.0/src/openvpn/socket.c  2016-12-26 13:51:00.000000000 +0200 +++ openvpn-2.4.0/src/openvpn/socket.c  2018-03-09 15:37:10.015832657 +0200 @@ -3379,7 +3379,7 @@              {                  struct in_pktinfo *pkti;                  pkti = (struct in_pktinfo *) CMSG_DATA(cmsg); -                pkti->ipi_ifindex = to->pi.in4.ipi_ifindex; +                pkti->ipi_ifindex = 0;                  pkti->ipi_spec_dst = to->pi.in4.ipi_spec_dst;                  pkti->ipi_addr.s_addr = 0;              }
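Review bot: the change in the socket.c hunk drops the received ipi_ifindex unconditionally for every multihome user, not only for the asymmetric-routing case described in the mail, and the hunk carries no comment saying why; a one-line comment above `pkti->ipi_ifindex = 0;` stating that a zero index leaves the egress choice to the routing table (per the man 7 ip text quoted) while ipi_spec_dst still pins the source address would make the intent reviewable. The equivalent in6_pktinfo branch is not touched, which the mail itself acknowledges, so the patch as posted fixes only the IPv4 path.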
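Added example, not part of the original mail or of OpenVPN's own code: it builds the IP_PKTINFO control message for a UDP reply from the in_pktinfo that recvmsg() delivered, under the two policies the mail contrasts (copying ipi_ifindex, which pins the egress link, versus zeroing it so only ipi_spec_dst survives and the routing table decides), and parses the buffer back the way the kernel would. The interface index 3 and the 192.0.2.1 address are constructed values; nothing is sent on the wire.

```c
/* Added example (not OpenVPN code). Constructed inputs: ifindex 3, 192.0.2.1. */
#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* How the reply's IP_PKTINFO is derived from the received one. */
enum pktinfo_policy {
    PIN_INTERFACE,      /* copy ipi_ifindex: kernel sends on that link, ignoring the route lookup */
    PIN_SOURCE_ADDRESS  /* ipi_ifindex = 0: keep ipi_spec_dst only, routing table picks the gateway */
};

/* Build the IP_PKTINFO cmsg for a reply into buf. rx is the pktinfo that
 * recvmsg() attached to the incoming datagram. Returns the value to place in
 * msg_controllen, or 0 if buf is too small. */
size_t build_reply_pktinfo(const struct in_pktinfo *rx, enum pktinfo_policy pol,
                           unsigned char *buf, size_t buflen)
{
    struct msghdr msg;
    struct cmsghdr *cmsg;
    struct in_pktinfo *tx;

    if (buflen < CMSG_SPACE(sizeof(*tx))) return 0;
    memset(buf, 0, CMSG_SPACE(sizeof(*tx)));
    memset(&msg, 0, sizeof(msg));
    msg.msg_control = buf;
    msg.msg_controllen = CMSG_SPACE(sizeof(*tx));

    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = IPPROTO_IP;
    cmsg->cmsg_type = IP_PKTINFO;
    cmsg->cmsg_len = CMSG_LEN(sizeof(*tx));

    tx = (struct in_pktinfo *) CMSG_DATA(cmsg);
    tx->ipi_spec_dst = rx->ipi_spec_dst;   /* reply from the address the request hit */
    tx->ipi_addr.s_addr = 0;               /* destination field: unused on send */
    tx->ipi_ifindex = (pol == PIN_INTERFACE) ? rx->ipi_ifindex : 0;
    return msg.msg_controllen;
}

/* Walk a control buffer as the kernel would; copy the IP_PKTINFO into *out.
 * Returns 1 when found, 0 otherwise. */
int parse_pktinfo(unsigned char *buf, size_t len, struct in_pktinfo *out)
{
    struct msghdr msg;
    struct cmsghdr *cmsg;

    memset(&msg, 0, sizeof(msg));
    msg.msg_control = buf;
    msg.msg_controllen = len;
    for (cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
        if (cmsg->cmsg_level == IPPROTO_IP && cmsg->cmsg_type == IP_PKTINFO) {
            memcpy(out, CMSG_DATA(cmsg), sizeof(*out));
            return 1;
        }
    }
    return 0;
}

/* Simulate one receive + reply round trip; fills *tx with what sendmsg()
 * would see. Returns 1 on success, 0 on failure. */
static int round_trip(enum pktinfo_policy pol, struct in_pktinfo *rx, struct in_pktinfo *tx)
{
    unsigned char ctrl[CMSG_SPACE(sizeof(struct in_pktinfo))];
    size_t n;

    memset(rx, 0, sizeof(*rx));
    rx->ipi_ifindex = 3;                                  /* constructed */
    inet_pton(AF_INET, "192.0.2.1", &rx->ipi_spec_dst);   /* constructed vIP */
    rx->ipi_addr = rx->ipi_spec_dst;
    n = build_reply_pktinfo(rx, pol, ctrl, sizeof(ctrl));
    return n != 0 && parse_pktinfo(ctrl, n, tx);
}

/* ipi_ifindex the kernel would see for a reply under pol, or -1 on error. */
int reply_ifindex(enum pktinfo_policy pol)
{
    struct in_pktinfo rx, tx;
    return round_trip(pol, &rx, &tx) ? tx.ipi_ifindex : -1;
}

/* 1 if the reply keeps the received local address as its source under pol. */
int reply_source_preserved(enum pktinfo_policy pol)
{
    struct in_pktinfo rx, tx;
    if (!round_trip(pol, &rx, &tx)) return 0;
    return tx.ipi_spec_dst.s_addr == rx.ipi_spec_dst.s_addr && tx.ipi_addr.s_addr == 0;
}
```

With PIN_SOURCE_ADDRESS the control message still names the local address to answer from, which is what multihome needs, while the egress interface and next hop come from the routing table; with PIN_INTERFACE the index from the receive path is forced onto the send path, which is the behaviour the mail observed on the asymmetric link.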