From patchwork Wed May 7 07:44:38 2025
X-Patchwork-Submitter: Walter Doekes
X-Patchwork-Id: 4239
From: Walter Doekes
To: openvpn-devel@lists.sourceforge.net, "Arne Schwabe"
Date: Wed, 7 May 2025 09:44:38 +0200
Message-Id: <20250507074438.1326755-1-walter.openvpn@wjd.nu>
In-Reply-To: <1e8ccfd451cbf9e6d090bd6a6886e366.squirrel@mail.wjd.nu>
Subject: [Openvpn-devel] [PATCH] multi.c: Allow floating to a new IP right after connection setup
From: Walter Doekes

When you're connected to a VPN which is used as the default gateway, a connection to a second VPN will cause tunnel-in-tunnel traffic. If the administrator of the second VPN wants to avoid that, by pushing its IP as net_gateway, this means that the client's source IP switches right after connect: the client source IP switches, from
- the first-VPN-exit-IP, to the
- regular-ISP-exit-IP

In openvpn 2.5 and below, this worked fine. Since openvpn 2.6, specifically b364711486, this triggers the "Disallow float to an address taken by another client" code. Since that change, the traffic from the second source IP creates a second connection, which now needs special handling in the check-floating-IP code.

This change allows one to switch to the new IP, if it is still in an unconnected state. That makes the use-case mentioned above work again.

Github: closes OpenVPN/openvpn#704

Signed-off-by: Walter Doekes
---
 src/openvpn/multi.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index a2d3fd10..51a00b71 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -3236,8 +3236,21 @@ multi_process_float(struct multi_context *m, struct multi_instance *mi, struct tls_multi *m1 = mi->context.c2.tls_multi; struct tls_multi *m2 = ex_mi->context.c2.tls_multi; + /* if the new connection is fresh and the old one is already connected, this + * might be a legitimate move to a new IP by the original client; + * for example when the server IP is pushed as net_gateway to escape from + * a double VPN. */ + if (m1->multi_state == CAS_CONNECT_DONE + && m2->multi_state == CAS_NOT_CONNECTED + && m1->locked_cert_hash_set + && !m2->locked_cert_hash_set + && session_id_equal(&m1->session[TM_ACTIVE].session_id, + &m2->session[TM_ACTIVE].session_id)) + { + /* allow this case */ + } /* do not float if target address is taken by client with another cert */ - if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set)) + else if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set)) { msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s", multi_instance_string(ex_mi, false, &gc));
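Review bot: the new early-out in multi_process_float compares the two instances' own `session[TM_ACTIVE].session_id` values, but neither the hunk nor the new comment explains why a freshly created, not-yet-connected instance at the new address (m2, CAS_NOT_CONNECTED with no locked cert) would carry the same session id as the established instance (m1, CAS_CONNECT_DONE); please extend the comment to state the invariant this relies on, because if the two ids are generated independently the branch is never taken and the net_gateway case still ends in the "Disallow float" path. Style-wise, an `if (...) { /* allow this case */ }` with an empty body followed by `else if` is awkward to read; folding the condition into a named boolean, e.g. `bool fresh_same_client = (m1->multi_state == CAS_CONNECT_DONE && m2->multi_state == CAS_NOT_CONNECTED && ...);` and then `if (!fresh_same_client && !cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))`, keeps the disallow check as the single decision point. On the security side the relaxation looks contained, since the cert-hash check is only bypassed when the instance being displaced has not locked a certificate and is still CAS_NOT_CONNECTED, so an authenticated peer cannot be evicted through it; it would be worth stating that in the comment as well so the next reader does not have to re-derive it.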