From patchwork Fri Dec 25 05:42:14 2020
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 1557
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Cc: Gert Doering
Date: Fri, 25 Dec 2020 17:42:14 +0100
Message-Id: <20201225164214.22771-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH] Clarify --block-ipv6 intent and direction.

--block-ipv6 is a fairly special-purpose option, and only blocks packets in the client->server option. This is implied by not ever mentioning the other direction in the existing documentation, but not written down. Make this explicit, avoid confusion.

Also, point out why this option exists (avoid IPv6 leakage from dual-stacked clients around IPv4-only VPN offerings).

Trac: #1351

Signed-off-by: Gert Doering
Acked-by: Richard Bonhomme
---
 doc/man-sections/vpn-network-options.rst | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst
index 26682789..711dfcc8 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -21,7 +21,8 @@ routing. For this option to make sense you actually have to route traffic to the tun interface. The following example config block would send all IPv6 traffic to OpenVPN and answer all requests with no route to host, - effectively blocking IPv6. + effectively blocking IPv6 (to avoid IPv6 connections from dual-stacked + clients to leak around IPv4-only VPN services). **Client config** :: @@ -38,6 +39,12 @@ routing. --push "redirect-gateway ipv6" --block-ipv6 + Note: this option does not influence traffic sent from the server + towards the client (neither on the server nor on the client side). + This is not seen as necessary, as such traffic can be most easily + avoided by not configuring IPv6 on the server tun, or setting up a + server-side firewall rule. + --dev device TUN/TAP virtual network device which can be :code:`tunX`, :code:`tapX`, :code:`null` or an arbitrary name string (:code:`X` can be omitted for
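Review bot: in the first hunk (@@ -21,7 +21,8 @@), the added parenthetical "to avoid IPv6 connections from dual-stacked clients to leak around IPv4-only VPN services" is ungrammatical; "to leak" should be "from leaking", or better, rephrase the whole parenthetical so the threat is stated plainly: "(so that dual-stacked clients do not leak IPv6 traffic around an IPv4-only VPN service)". Since this sentence is the one place the man page explains why the option exists, it is worth getting the wording right.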
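Review bot: in the second hunk (@@ -38,6 +39,12 @@), the new "Note:" paragraph only says what --block-ipv6 does not do; it never states the positive half that the commit message gives ("only blocks packets in the client->server direction"). A reader who has just seen the server-side example directly above (--push "redirect-gateway ipv6" / --block-ipv6) cannot tell from the note which packets are rejected and where. Suggest opening the note with that positive statement, e.g. "Note: --block-ipv6 only affects IPv6 packets sent from the client towards the server.", and then keeping the existing sentence about server-to-client traffic. Also, "the server tun" should read "the server's tun interface", and if this .rst file uses the ".. note::" directive elsewhere, prefer it over a bare "Note:" paragraph for consistency.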