From patchwork Tue Aug 26 18:40:38 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4374
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 26 Aug 2025 20:40:38 +0200
Message-ID: <20250826184046.21434-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v1] Introduce env variables to communicate desired gateway redirection to NM.

When run under Network Manager control, OpenVPN is not allowed to control routing. Instead, NM uses the OpenVPN-set environment variables ("route_network_1" etc) to set up routes as requested. This method never worked properly for "redirect-gateway", as the information was not made available in environment variables.

Introduce new env vars: route_redirect_gateway_ipv4 route_redirect_gateway_ipv6 to communicate desired state: = no gateway redirection desired 1 = "redirect-gateway for that protocol in question" 2 = "include block-local to redirect the local LAN as well" We intentionally do not expose all the IPv4 flags ("local", "def1", ...) as this is really internal OpenVPN historical cruft. Change-Id: I1e623b4a836f7216750867243299c7e4d0bd32d0 Signed-off-by: Gert Doering Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1156 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index bd5ecd4..670cd33 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -874,6 +874,14 @@ translations will be recorded rather than their names as denoted on the command line or configuration file. +:code:`route_redirect_gateway_ipv4` + +:code:`route_redirect_gateway_ipv6` + Set to `1` if the corresponding default gateway should be redirected + into the tunnel, and to `2` if also the local LAN segment should be + blocked (`block-local`). Not set otherwise. Set prior to **--up** script + execution. + :code:`script_context` Set to "init" or "restart" prior to up/down script execution. For more information, see documentation for ``--up``. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 0b16c5a..648d526 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -5720,6 +5720,8 @@ { options->routes_ipv6->flags = 0; } + env_set_del(es, "route_redirect_gateway_ipv4"); + env_set_del(es, "route_redirect_gateway_ipv6"); } else if (streq(p[0], "dns") && !p[1]) { 
@@ -6039,6 +6041,8 @@ { options->routes_ipv6->flags = 0; } + env_set_del(es, "route_redirect_gateway_ipv4"); + env_set_del(es, "route_redirect_gateway_ipv6"); *update_options_found |= OPT_P_U_REDIR_GATEWAY; } } @@ -7661,6 +7665,16 @@ goto err; } } + if (options->routes->flags & RG_REROUTE_GW) + { + setenv_int(es, "route_redirect_gateway_ipv4", + options->routes->flags & RG_BLOCK_LOCAL ? 2 : 1); + } + if (options->routes_ipv6 && (options->routes_ipv6->flags & RG_REROUTE_GW)) + { + setenv_int(es, "route_redirect_gateway_ipv6", + options->routes->flags & RG_BLOCK_LOCAL ? 2 : 1); + } #ifdef _WIN32 /* we need this here to handle pushed --redirect-gateway */ remap_redirect_gateway_flags(options);
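
Review bot: In the doc/man-sections/script-options.rst hunk, the new entry marks up the values and the option name with single backticks (`1`, `2`, `block-local`) and bold (**--up**), while the script_context entry directly below writes ``--up`` with double backticks; use the double-backtick literal form so the entry matches its neighbours. The description also says the local LAN segment "should be blocked", whereas the commit message describes value 2 as redirecting the local LAN as well; pick one wording so that a consumer of the variable knows which behaviour to implement.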
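
Review bot: The pair of env_set_del() calls is repeated verbatim in the src/openvpn/options.c hunks at -5720 and -6039, and the same two variable names appear again as string literals in the setenv_int() calls of the hunk at -7661. With six separate literals, a typo in any one of them would leave a stale value in the environment after a reset. Consider defining the two names once, or adding a small static helper that clears both, and using it at all sites.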
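
Review bot: In the src/openvpn/options.c hunk at -7661, the IPv6 branch tests options->routes_ipv6->flags for RG_REROUTE_GW but then derives the 1/2 value from options->routes->flags & RG_BLOCK_LOCAL, which is the IPv4 flag word. If block-local is deliberately read from the IPv4 list for both protocols, say so in a comment next to the setenv_int() call; otherwise this should read options->routes_ipv6->flags. The same hunk NULL-checks options->routes_ipv6 but dereferences options->routes unguarded in both branches, so please confirm options->routes cannot be NULL at this point. Parenthesising the & test before the ?: would also make the intent easier to read.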