From patchwork Fri Jun  5 13:13:11 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ralf Lici <ralf@mandelbit.com>
X-Patchwork-Id: 4993
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7000:bc1d:b0:861:c897:cb9d with SMTP id
 jc29csp220923mab;
        Fri, 5 Jun 2026 06:14:04 -0700 (PDT)
X-Forwarded-Encrypted: i=2;
 AFNElJ8eB1ypzDwdREV/QAvArERy6lYpWD95Kla91lBdys1Vc+QRvkQKT67iucNdOBq8nOoZEU4hhQhHu58=@openvpn.net
X-Received: by 2002:a4a:edce:0:b0:69e:41d8:f7e8 with SMTP id
 006d021491bc7-69e68b08111mr1877684eaf.7.1780665244153;
        Fri, 05 Jun 2026 06:14:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1780665244; cv=none;
        d=google.com; s=arc-20240605;
        b=RIssb6UTVfmm7tjQ3KJRJL+DHs3boIyI3S0EuVZP0uICZkxIa0hiGnFex+G/gEYyEa
         bX/aj0ns9LQtOD1R+RaB6yYZaHnMdx9DWJjRwV2TrFC1ZjE+R2HhIXzS8m2z83hJiFC+
         2sLhWFBw0Mro7nMNHuBhuX3OYL1wcpsw7FYTUFCzt9pPNikThKiSHNxL9arA+fIj37AK
         Lenr99Xgmj9giIu9KtX9E2BOd0WezH7nc6ay3RnZAs19lzjRLtB6LIe+CrP5/JtWdrSU
         qSZLZcyRuWY3ZsEgTdjThHfhVT2OtrCvM4EuwzUW+WuZY2WU6omvPq3TD1SZGE1ApDM+
         NNew==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
        h=errors-to:content-transfer-encoding:list-subscribe:list-help
         :list-post:list-archive:list-unsubscribe:list-id:precedence:subject
         :mime-version:references:in-reply-to:message-id:date:to:from
         :dkim-signature:dkim-signature:dkim-signature:dkim-signature;
        bh=gkWFWc5EbMMrMwBYUjGRgFtbl436dEapzTtMcCOm3eE=;
        fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=;
        b=O6Fb1wwnGPk9wn9OvSMU/mnEmjAtlL1Px4v7X3kz6g2zI3X65LQHdsaofciS7q5Lrk
         sCQJoW60kwj0611+c7LQC2QgjO0IEgcS8s7hBXSiurG5AHcc9Gr4zl9dgmluNzsZtH7d
         HxJnurbaJxXTo6fLK1mfEDuVqqJU3WVCWz/wg8cYlTjAbjkEbRWPQrfp0TAvrOc5/jgL
         QnXQfMPRXnyeBdsnROwijagQN9/4ERp0XFBsn6fFJierw+HGk2DTZZeQRAD2fl1590TT
         Xy9QOszrXAcZRsBjrEkCLdN0I3COsIhnNOM3/j1Q1DI39Bu3S0uu9zDJIRBOTrVQH2Gk
         boOw==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@lists.sourceforge.net header.s=beta
 header.b=fBqfNqIp;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=exB90ssp;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=iSFniiJE;
       dkim=neutral (body hash did not verify) header.i=@mandelbit.com
 header.s=MBO0001 header.b=AskJCl2v;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7])
        by mx.google.com with ESMTPS id
 586e51a60fabf-440d86a0c13si6875943fac.192.2026.06.05.06.14.03
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 05 Jun 2026 06:14:04 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@lists.sourceforge.net header.s=beta
 header.b=fBqfNqIp;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=exB90ssp;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=iSFniiJE;
       dkim=neutral (body hash did not verify) header.i=@mandelbit.com
 header.s=MBO0001 header.b=AskJCl2v;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type:
	List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:
	Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender:
	Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From:
	Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;
	bh=gkWFWc5EbMMrMwBYUjGRgFtbl436dEapzTtMcCOm3eE=; b=fBqfNqIpqpQJK+XA7HB2S1Hs2W
	QFJNvpnXzARBA4RJeYG4c7wytKX5POwjOIOhgIf2OYWArdkC9528oLK0fe7luiuB0dBwsPgeyRjrB
	MX7U1UzeN/lLV9rSz6gmViQinVRTyV5liYWrVRfL39sX8Z95eFirRqB/hQYXrN+RlV2A=;
Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com)
	by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1wVUN2-000401-Au;
	Fri, 05 Jun 2026 13:13:56 +0000
Received: from [172.30.29.66] (helo=mx.sourceforge.net)
 by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
 (envelope-from <ralf@mandelbit.com>) id 1wVUN0-0003zt-8I
 for openvpn-devel@lists.sourceforge.net;
 Fri, 05 Jun 2026 13:13:54 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=LMMMXx47Y3DKcxWHWxHKwB9aeLz4StXP7FFIG0zUupE=; b=exB90sspW58qLvdxpwYMnXqiNO
 WXmIBKnMDlUg5PlA7UXz1GZubEJR62c6TuJhKsVcyEMRTp7reeY98UqBOuQw05dimWHj5z5Bg7Ke0
 HkxHj2oIkizoQCsfCpoujNCTXtlWssgTaA7jz1/AIoNFHza3iYBOptv3H2nq2BfEoNeA=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID:
 Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=LMMMXx47Y3DKcxWHWxHKwB9aeLz4StXP7FFIG0zUupE=; b=iSFniiJE/tDam7IykJ1Y1tK1RR
 sLq3Wx5b1L8M8ItNUlPxos44Bb9cixQD0mDO139efi7rad2nu6gDg14t7keHZsJYL31JIjMPXq092
 lPyE0cRhahnDz7vNSkbYTjXzwbubij1jfLdPzzwYAFsMKKzEg0xFFzbZYpcaQjaWvrd0=;
Received: from mout-b-206.mailbox.org ([195.10.208.51])
 by sfi-mx-2.v28.lw.sourceforge.com with esmtps
 (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95)
 id 1wVUMy-0006tX-Q8 for openvpn-devel@lists.sourceforge.net;
 Fri, 05 Jun 2026 13:13:54 +0000
Received: from smtp2.mailbox.org (smtp2.mailbox.org [10.196.197.2])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
 (No client certificate requested)
 by mout-b-206.mailbox.org (Postfix) with ESMTPS id 4gX22065nfz9xHb;
 Fri,  5 Jun 2026 15:13:44 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandelbit.com;
 s=MBO0001; t=1780665224;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=LMMMXx47Y3DKcxWHWxHKwB9aeLz4StXP7FFIG0zUupE=;
 b=AskJCl2vxCrEv5JlYETYEyw+rqaieD4xB47Dhe0I+bFe+LiaaqFUfO2tzq4COSkWxrM6+K
 9IqTt9tc3wVFfiIDzEUJT/013xWS2aCipnMR7dIJgBNmuhYGDCvGzP3dHuzqYHKRe6RxKC
 cXPDcQAMjX9p9OKQtyl/+nwJn5AjQwsKdDKgTBTwy8WQGPjza2uP/fEl0w2P3sSIEd4rYX
 q9RoIXJffNjzb3U8Ixkuypi/LDvgiH2Ur82ScTRw4NbCT2JfxlLVYml/2fsajLwZ0gEEX0
 Y6ZbnMTB5FRq3ODcH3PXVXLpXadUKF+1WXYVwBh2uswLc6rDTUr9yxKr6vaynw==
From: Ralf Lici <ralf@mandelbit.com>
To: openvpn-devel@lists.sourceforge.net
Date: Fri,  5 Jun 2026 15:13:11 +0200
Message-ID: 
 <c5392b0ea96d2c79c2d32470526004e2b0ff1d42.1780663425.git.ralf@mandelbit.com>
In-Reply-To: <cover.1780663425.git.ralf@mandelbit.com>
References: <cover.1780663425.git.ralf@mandelbit.com>
MIME-Version: 1.0
X-Spam-Score: -0.2 (/)
X-Spam-Report: Spam detection software,
 running on the system "sfi-spamd-1.hosts.colo.sdot.me",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  ovpn validates UDP peer remotes against the socket family
 when the remote endpoint is configured through netlink. The socket itself,
 however, remains owned by userspace and some socket options can sti [...]
 Content analysis details:   (-0.2 points, 5.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
 not necessarily valid
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
 envelope-from domain
 -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
 domain
X-Headers-End: 1wVUMy-0006tX-Q8
Subject: [Openvpn-devel] [PATCH ovpn net v2 4/4] ovpn: recheck UDP socket
 family before transmit
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: 1867162838568606316
X-GMAIL-MSGID: 1867162838568606316

ovpn validates UDP peer remotes against the socket family when the
remote endpoint is configured through netlink. The socket itself,
however, remains owned by userspace and some socket options can still
change the family seen by the transmit path.

For example, IPV6_ADDRFORM can turn an AF_INET6 socket into AF_INET
after ovpn accepted an IPv6 remote. Conversely, IPV6_V6ONLY can make a
dual-stack AF_INET6 socket unable to send to an IPv4 remote.

Recheck the socket family in ovpn_udp_output before selecting the UDP
transmit path. When the peer remote family no longer matches the socket
state, emit a ratelimited warning, drop the packet with -EAFNOSUPPORT
and delete the peer with TRANSPORT_ERROR.

Peer deletion is deferred through a common transport-error work item,
because the UDP transmit path can run from non-sleepable contexts while
ovpn_peer_del may release sockets and sleep. Use the same helper for TCP
transport errors instead of keeping a TCP-only deferred delete work
item.

Fixes: 08857b5ec5d9 ("ovpn: implement basic TX path (UDP)")
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
---
Changes since v1 https://lore.kernel.org/openvpn-devel/20260526124544.425791-4-ralf@mandelbit.com/
- Emit ratelimited warnings when UDP TX detects a socket/remote address
  family mismatch.
- Delete the peer with TRANSPORT_ERROR on UDP socket/remote family
  mismatches, using deferred work because TX can run from non-sleepable
  contexts.
- Move the TCP deferred transport-error deletion work into a common
  ovpn_peer_del_transport_error helper and reuse it from TCP and UDP.
- Read sk->sk_family once before selecting the UDP TX path.
- Fix the IPV6_V6ONLY comment typo.

 drivers/net/ovpn/peer.c | 19 +++++++++++++++++++
 drivers/net/ovpn/peer.h |  5 +++--
 drivers/net/ovpn/tcp.c  | 21 +++------------------
 drivers/net/ovpn/udp.c  | 24 +++++++++++++++++++++---
 4 files changed, 46 insertions(+), 23 deletions(-)

diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c
index c02dfab51a6e..8411a4ac85d6 100644
--- a/drivers/net/ovpn/peer.c
+++ b/drivers/net/ovpn/peer.c
@@ -82,6 +82,24 @@ static void ovpn_peer_keepalive_send(struct work_struct *work)
 	local_bh_enable();
 }
 
+static void ovpn_peer_transport_error_work(struct work_struct *work)
+{
+	struct ovpn_peer *peer = container_of(work, struct ovpn_peer,
+					      transport_error_work);
+
+	ovpn_peer_del(peer, OVPN_DEL_PEER_REASON_TRANSPORT_ERROR);
+	ovpn_peer_put(peer);
+}
+
+void ovpn_peer_del_transport_error(struct ovpn_peer *peer)
+{
+	if (WARN_ON(!ovpn_peer_hold(peer)))
+		return;
+
+	if (!schedule_work(&peer->transport_error_work))
+		ovpn_peer_put(peer);
+}
+
 /**
  * ovpn_peer_new - allocate and initialize a new peer object
  * @ovpn: the openvpn instance inside which the peer should be created
@@ -115,6 +133,7 @@ struct ovpn_peer *ovpn_peer_new(struct ovpn_priv *ovpn, u32 id)
 	kref_init(&peer->refcount);
 	ovpn_peer_stats_init(&peer->vpn_stats);
 	ovpn_peer_stats_init(&peer->link_stats);
+	INIT_WORK(&peer->transport_error_work, ovpn_peer_transport_error_work);
 	INIT_WORK(&peer->keepalive_work, ovpn_peer_keepalive_send);
 
 	ret = dst_cache_init(&peer->dst_cache, GFP_KERNEL);
diff --git a/drivers/net/ovpn/peer.h b/drivers/net/ovpn/peer.h
index 328401570cba..1b8142919da6 100644
--- a/drivers/net/ovpn/peer.h
+++ b/drivers/net/ovpn/peer.h
@@ -59,6 +59,7 @@
  * @refcount: reference counter
  * @rcu: used to free peer in an RCU safe way
  * @release_entry: entry for the socket release list
+ * @transport_error_work: work used to delete peer on transport error
  * @keepalive_work: used to schedule keepalive sending
  */
 struct ovpn_peer {
@@ -94,8 +95,6 @@ struct ovpn_peer {
 			struct proto *prot;
 			const struct proto_ops *ops;
 		} sk_cb;
-
-		struct work_struct defer_del_work;
 	} tcp;
 	struct ovpn_crypto_state crypto;
 	struct dst_cache dst_cache;
@@ -113,6 +112,7 @@ struct ovpn_peer {
 	struct kref refcount;
 	struct rcu_head rcu;
 	struct llist_node release_entry;
+	struct work_struct transport_error_work;
 	struct work_struct keepalive_work;
 };
 
@@ -142,6 +142,7 @@ static inline void ovpn_peer_put(struct ovpn_peer *peer)
 struct ovpn_peer *ovpn_peer_new(struct ovpn_priv *ovpn, u32 id);
 int ovpn_peer_add(struct ovpn_priv *ovpn, struct ovpn_peer *peer);
 int ovpn_peer_del(struct ovpn_peer *peer, enum ovpn_del_peer_reason reason);
+void ovpn_peer_del_transport_error(struct ovpn_peer *peer);
 void ovpn_peers_free(struct ovpn_priv *ovpn, struct sock *sock,
 		     enum ovpn_del_peer_reason reason);
 
diff --git a/drivers/net/ovpn/tcp.c b/drivers/net/ovpn/tcp.c
index 65054cc84be5..e98e253a3f5a 100644
--- a/drivers/net/ovpn/tcp.c
+++ b/drivers/net/ovpn/tcp.c
@@ -148,10 +148,7 @@ static void ovpn_tcp_rcv(struct strparser *strp, struct sk_buff *skb)
 	ovpn_recv(peer, skb);
 	return;
 err:
-	/* take reference for deferred peer deletion. should never fail */
-	if (WARN_ON(!ovpn_peer_hold(peer)))
-		goto err_nopeer;
-	schedule_work(&peer->tcp.defer_del_work);
+	ovpn_peer_del_transport_error(peer);
 	dev_dstats_rx_dropped(peer->ovpn->dev);
 err_nopeer:
 	kfree_skb(skb);
@@ -239,7 +236,7 @@ void ovpn_tcp_socket_wait_finish(struct ovpn_socket *sock)
 {
 	struct ovpn_peer *peer = sock->peer;
 
-	/* NOTE: we don't wait for peer->tcp.defer_del_work to finish:
+	/* NOTE: we don't wait for peer->transport_error_work to finish:
 	 * either the worker is not running or this function
 	 * was invoked by that worker.
 	 */
@@ -282,8 +279,7 @@ static void ovpn_tcp_send_sock(struct ovpn_peer *peer, struct sock *sk)
 			/* in case of TCP error we can't recover the VPN
 			 * stream therefore we abort the connection
 			 */
-			ovpn_peer_hold(peer);
-			schedule_work(&peer->tcp.defer_del_work);
+			ovpn_peer_del_transport_error(peer);
 
 			/* we bail out immediately and keep tx_in_progress set
 			 * to true. This way we prevent more TX attempts
@@ -496,15 +492,6 @@ static void ovpn_tcp_build_protos(struct proto *new_prot,
 				  const struct proto *orig_prot,
 				  const struct proto_ops *orig_ops);
 
-static void ovpn_tcp_peer_del_work(struct work_struct *work)
-{
-	struct ovpn_peer *peer = container_of(work, struct ovpn_peer,
-					      tcp.defer_del_work);
-
-	ovpn_peer_del(peer, OVPN_DEL_PEER_REASON_TRANSPORT_ERROR);
-	ovpn_peer_put(peer);
-}
-
 /* Set TCP encapsulation callbacks */
 int ovpn_tcp_socket_attach(struct ovpn_socket *ovpn_sock,
 			   struct ovpn_peer *peer)
@@ -537,8 +524,6 @@ int ovpn_tcp_socket_attach(struct ovpn_socket *ovpn_sock,
 		goto err;
 	}
 
-	INIT_WORK(&peer->tcp.defer_del_work, ovpn_tcp_peer_del_work);
-
 	__sk_dst_reset(ovpn_sock->sk);
 	skb_queue_head_init(&peer->tcp.user_queue);
 	skb_queue_head_init(&peer->tcp.out_queue);
diff --git a/drivers/net/ovpn/udp.c b/drivers/net/ovpn/udp.c
index 49dc15486043..b8aa7e47df8e 100644
--- a/drivers/net/ovpn/udp.c
+++ b/drivers/net/ovpn/udp.c
@@ -311,6 +311,7 @@ static int ovpn_udp6_output(struct ovpn_peer *peer, struct ovpn_bind *bind,
 static int ovpn_udp_output(struct ovpn_peer *peer, struct dst_cache *cache,
 			   struct sock *sk, struct sk_buff *skb)
 {
+	unsigned short sock_family;
 	struct ovpn_bind *bind;
 	int ret;
 
@@ -327,18 +328,35 @@ static int ovpn_udp_output(struct ovpn_peer *peer, struct dst_cache *cache,
 		goto out;
 	}
 
+	sock_family = READ_ONCE(sk->sk_family);
+	ret = -EAFNOSUPPORT;
 	switch (bind->remote.in4.sin_family) {
 	case AF_INET:
+		/* userspace might have set IPV6_V6ONLY */
+		if (unlikely(sock_family == AF_INET6 && ipv6_only_sock(sk))) {
+			net_warn_ratelimited("%s: peer %u: IPv4 remote, IPv6-only socket\n",
+					     netdev_name(peer->ovpn->dev),
+					     peer->id);
+			ovpn_peer_del_transport_error(peer);
+			break;
+		}
+
 		ret = ovpn_udp4_output(peer, bind, cache, sk, skb);
 		break;
 #if IS_ENABLED(CONFIG_IPV6)
 	case AF_INET6:
+		/* userspace might have set IPV6_ADDRFORM */
+		if (unlikely(sock_family != AF_INET6)) {
+			net_warn_ratelimited("%s: peer %u: IPv6 remote, IPv4 socket\n",
+					     netdev_name(peer->ovpn->dev),
+					     peer->id);
+			ovpn_peer_del_transport_error(peer);
+			break;
+		}
+
 		ret = ovpn_udp6_output(peer, bind, cache, sk, skb);
 		break;
 #endif
-	default:
-		ret = -EAFNOSUPPORT;
-		break;
 	}
 
 out: