From patchwork Wed Apr 23 17:58:43 2025
X-Patchwork-Submitter: "walter.openvpn--- via Openvpn-devel"
X-Patchwork-Id: 4225
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 23 Apr 2025 19:58:43 +0200
Message-Id: <20250423175843.104553-1-walter.openvpn@wjd.nu>
Subject: [Openvpn-devel] [PATCH] multi.c: Allow floating to a new IP right after connection setup
From: "walter.openvpn--- via Openvpn-devel"
Reply-To: walter.openvpn@wjd.nu

From: Walter Doekes

When you're connected to a VPN which is used as the default gateway, a connection to a second VPN will cause a tunnel-in-tunnel. If the administrator of the second VPN wants to avoid that, by pushing its IP as net_gateway, this means that the client's source IP switches right after connect: the source IP switches from the first-VPN-exit-IP to the regular-ISP-exit-IP.

In openvpn 2.5 and below, this worked fine. Since openvpn 2.6, this triggers the "Disallow float to an address taken by another client" code. The root cause for this change of behaviour is as of yet unexplained.

This change allows one to switch to the new IP, if it is still in an unconnected state. That makes the use-case mentioned above work again.

Github: closes OpenVPN/openvpn#704
---
 src/openvpn/multi.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index a2d3fd10..8a219ef2 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -3236,8 +3236,22 @@ multi_process_float(struct multi_context *m, struct multi_instance *mi, struct tls_multi *m1 = mi->context.c2.tls_multi; struct tls_multi *m2 = ex_mi->context.c2.tls_multi; + /* if the new connection is fresh and the old one is already connected, this + * might be a legitimate move to a new IP by the original client; + * for example when the server IP is pushed as net_gateway to escape from + * a double VPN. */ + if (m1->multi_state == CAS_CONNECT_DONE && m2->multi_state == CAS_NOT_CONNECTED + && m1->locked_cert_hash_set && !m2->locked_cert_hash_set) + { + msg(M_INFO, "peer %" PRIu32 " (%s) floating from %s to %s (m2 still setting up) state=%d/%d", + m1->peer_id, + tls_common_name(m1, false), + mroute_addr_print(&mi->real, &gc), + print_link_socket_actual(&m->top.c2.from, &gc), + m1->multi_state, m2->multi_state); + } /* do not float if target address is taken by client with another cert */ - if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set)) + else if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set)) { msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s", multi_instance_string(ex_mi, false, &gc));
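Review bot: turning the cert-hash check into an `else if` means the new `m1->multi_state == CAS_CONNECT_DONE && m2->multi_state == CAS_NOT_CONNECTED` branch never evaluates `cert_hash_compare()` at all, so whether `mi` may take over the address held by `ex_mi` is decided purely on connection state, while the block comment only says this "might be" a legitimate move and the commit message leaves the 2.5-to-2.6 behaviour change unexplained. The branch itself does nothing except log, so the comment should spell out why an instance that has not yet locked a cert hash can safely be displaced by an already-connected peer (that is the security argument a reader of this function needs), and the rationale for the policy change belongs in the commit message rather than only in code. Two smaller points: the new message uses `M_INFO` while the neighbouring disallow path uses `D_MULTI_LOW`, so consider a consistent debug level since this fires on every such float; and "the new connection is fresh and the old one is already connected" reads backwards against the variables (`m1` is the already-connected floating client, `m2` the fresh instance at the target address), so naming them in the comment would avoid confusion.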