From patchwork Wed Nov 26 13:04:03 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4636
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 26 Nov 2025 14:04:03 +0100
Message-ID: <20251126130410.19091-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.51.2
Subject: [Openvpn-devel] [PATCH v5] Change '--multihome' behaviour regarding egress interface selection.

Traditional OpenVPN ``--multihome`` behaviour is to send packets out the same interface that they were received on (copy ipi_ifindex from ingress to egress packet info). For some scenarios this makes sense, for other scenarios it is breaking connectivity when there are no routes pointing out the ingress interface (intentionally asymmetric traffic). For 2.7.0, change the default(!)
to always send out packets with ipi_ifindex = 0, to follow normal system interface selection rules. Add a flag ``--multihome same-interface`` to restore the pre-2.7 behavior of copying ipi_ifindex from ingress to egress packets. There are use cases for this, and we want to give users a chance to read the release notes and adjust their setups to "not break after upgrading to 2.7.0". Github: OpenVPN/openvpn#855 Github: OpenVPN/openvpn#554 v2: fix whitespace v3: turn logic around - new default is "egress ifindex 0" now v4: typo fixed in commit message v5: fix invalid rst in Changes.rst Change-Id: Id429241e1b17a8ff51d9019efc357c910f3bde4c Signed-off-by: Gert Doering Acked-by: Frank Lichtenheld Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1383 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1383 This mail reflects revision 5 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/Changes.rst b/Changes.rst index 9077064..40984f5 100644 --- a/Changes.rst +++ b/Changes.rst @@ -326,6 +326,12 @@ Win-DCO as well), add printing of the hwid to all adapter outputs, and change the default adapter type created to `ovpn-dco`. +- the default for ``multihome`` egress interface handling has changed. + 2.7.0 will default to ipi_ifindex=0, that is, leave the decision to the + routing/policy setup of the operating system. The pre-2.7 behaviour + (force egress = ingress interface) can be achieved with the new + ``--multihome same-interface`` sub-option. + Deprecated features ------------------- ``--opt-verify`` feature removed diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 739be22..3760694 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst 
@@ -342,7 +342,7 @@ by ``--ifconfig-ipv6``, OpenVPN will install a /128 host route for the ``ipv6addr`` IP address. ---multihome +--multihome [same-interface] Configure a multi-homed UDP server. This option needs to be used when a server has more than one IP address (e.g. multiple interfaces, or secondary IP addresses), and is not using ``--local`` to force binding @@ -353,12 +353,18 @@ default. *Notes:* - - This option is only relevant for UDP servers. - - If you do an IPv6+IPv4 dual-stack bind on a Linux machine with - multiple IPv4 address, connections to IPv4 addresses will not - work right on kernels before 3.15, due to missing kernel - support for the IPv4-mapped case (some distributions have - ported this to earlier kernel versions, though). + - This option is only relevant for UDP servers. + - Starting with 2.7.0, OpenVPN will ignore the incoming interface of + the packet, and leave selection of the outgoing interface to the + normal routing/policy mechanisms of the OS ("set ipi_ifindex=0"). + - if the ``same-interface`` flag is added, OpenVPN will copy the + incoming interface index to the outgoing interface index, + trying to send the packet out over the same interface where it came + in on (= restoring earlier OpenVPN behaviour). This might not work + if there are no usable routes on that interface. + - the \*BSD systems use a different API for IPv4 that does not provide + the interface index anyway (IP_RECVDSTADDR), so there the difference + applies only to IPv6. --iroute args Generate an internal route to a specific client. The ``netmask`` diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 4794315..62f84dd 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -6335,10 +6335,18 @@ options->mlock = true; } #if ENABLE_IP_PKTINFO - else if (streq(p[0], "multihome") && !p[1]) + else if (streq(p[0], "multihome") && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->sockflags |= SF_USE_IP_PKTINFO; + if (p[1] && streq(p[1], "same-interface")) + { + options->sockflags |= SF_PKTINFO_COPY_IIF; + } + else if (p[1]) + { + msg(msglevel, "Unknown parameter to --multihome: %s", p[1]); + } } #endif else if (streq(p[0], "verb") && p[1] && !p[2]) diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 8b6e35e..747c7a7 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -2393,7 +2393,8 @@ { #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) struct in_pktinfo *pkti = (struct in_pktinfo *)CMSG_DATA(cmsg); - from->pi.in4.ipi_ifindex = pkti->ipi_ifindex; + from->pi.in4.ipi_ifindex = + (sock->sockflags & SF_PKTINFO_COPY_IIF) ? pkti->ipi_ifindex : 0; from->pi.in4.ipi_spec_dst = pkti->ipi_spec_dst; #elif defined(IP_RECVDSTADDR) from->pi.in4 = *(struct in_addr *)CMSG_DATA(cmsg); @@ -2406,7 +2407,8 @@ && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in6_pktinfo))) { struct in6_pktinfo *pkti6 = (struct in6_pktinfo *)CMSG_DATA(cmsg); - from->pi.in6.ipi6_ifindex = pkti6->ipi6_ifindex; + from->pi.in6.ipi6_ifindex = + (sock->sockflags & SF_PKTINFO_COPY_IIF) ? pkti6->ipi6_ifindex : 0; from->pi.in6.ipi6_addr = pkti6->ipi6_addr; } else if (cmsg != NULL) diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 832d62e..7cf5b72 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -195,6 +195,7 @@ #define SF_GETADDRINFO_DGRAM (1 << 4) #define SF_DCO_WIN (1 << 5) #define SF_PREPEND_SA (1 << 6) +#define SF_PKTINFO_COPY_IIF (1 << 7) unsigned int sockflags; int mark; const char *bind_dev;
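Review bot: in the Changes.rst hunk the first line says ``multihome`` while the sub-option two lines later is written ``--multihome same-interface``; using ``--multihome`` in both places keeps the option name consistent with the man page and makes the entry greppable. Since this is a default change users must act on, stating the user-visible symptom (pre-2.7 replies left via the ingress interface; 2.7 replies follow the routing table and may leave via another interface) would help readers decide whether they need the new flag.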
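Review bot: the server-options.rst hunk drops the existing note about IPv6+IPv4 dual-stack binds on Linux kernels before 3.15 without the commit message mentioning it; if it is being removed as obsolete, say so there (or keep the note), because as written the diff reads as a documentation loss unrelated to the ifindex change. Minor: the new bullets start with "if the" and "the \*BSD" while the first starts with "This"; capitalise them consistently, and "came in on (= restoring earlier OpenVPN behaviour)" reads better as "arrived on (restoring the pre-2.7 behaviour)".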
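Review bot: in the options.c hunk the `else if (p[1])` branch reports "Unknown parameter to --multihome" but does not abandon the option: `options->sockflags |= SF_USE_IP_PKTINFO;` has already run, so unless msglevel is fatal a misspelled sub-option (say `multihome same-interfaec`) logs one line and then quietly runs with the new ifindex=0 default, the opposite of what the operator asked for and exactly the asymmetric-route setup the commit message says can lose connectivity. Treat it as a hard parse error (for example `goto err;` after the msg()), or set SF_PKTINFO_COPY_IIF only after p[1] has been validated, so the typo is caught at startup rather than discovered as a silent behaviour change.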
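Review bot: the two socket.c hunks repeat the same `(sock->sockflags & SF_PKTINFO_COPY_IIF) ? ... : 0` ternary for the in_pktinfo and in6_pktinfo branches; computing `const bool copy_iif = (sock->sockflags & SF_PKTINFO_COPY_IIF) != 0;` once before the cmsg handling keeps the two from drifting apart. The IP_RECVDSTADDR branch is untouched, so on the *BSDs only IPv6 changes behaviour, which matches the man page text; a one-line comment at the in4 assignment saying so would stop the next reader looking for a missing BSD case.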
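Review bot: the socket.h hunk adds SF_PKTINFO_COPY_IIF as a bare bit; a trailing comment tying it to the option (copy the ingress ifindex into the egress pktinfo, set by `--multihome same-interface`) would make the flag self-explanatory where it is defined rather than only in options.c.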
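The ingress-to-egress packet-info handling the commit message describes, as an added C illustration that is not OpenVPN's code: SF_COPY_IIF, egress_pktinfo, build_pktinfo_cmsg and reply_ifindex are hypothetical names standing in for the patch's SF_PKTINFO_COPY_IIF logic, the 192.168.0.1 local address is constructed, and the code assumes Linux (struct in_pktinfo / IP_PKTINFO).

```c
/* Added illustration, not OpenVPN code: how a UDP server that received a datagram
 * with IP_PKTINFO picks the packet info for its reply. Linux-only. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define SF_COPY_IIF (1u << 0) /* hypothetical: "--multihome same-interface" */

/* ifindex 0 leaves egress selection to the OS routing/policy tables (the new
 * default); copying it pins the reply to the ingress interface. The local
 * address the client talked to stays the reply's source address either way. */
struct in_pktinfo egress_pktinfo(const struct in_pktinfo *ingress, unsigned sockflags)
{
    struct in_pktinfo out = { 0 };
    out.ipi_ifindex = (sockflags & SF_COPY_IIF) ? ingress->ipi_ifindex : 0;
    out.ipi_spec_dst = ingress->ipi_spec_dst;
    return out;
}

union pktinfo_ctl {
    struct cmsghdr hdr; /* keeps the buffer aligned for the CMSG_* macros */
    unsigned char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
};

/* Pack one IP_PKTINFO cmsg for sendmsg(); returns the msg_controllen to use. */
size_t build_pktinfo_cmsg(union pktinfo_ctl *ctl, const struct in_pktinfo *pi)
{
    memset(ctl, 0, sizeof(*ctl));
    ctl->hdr.cmsg_level = IPPROTO_IP;
    ctl->hdr.cmsg_type = IP_PKTINFO;
    ctl->hdr.cmsg_len = CMSG_LEN(sizeof(*pi));
    memcpy(CMSG_DATA(&ctl->hdr), pi, sizeof(*pi));
    return CMSG_SPACE(sizeof(*pi));
}

/* End to end on a constructed ingress datagram: the ifindex the kernel would
 * see in the reply's control message once the flag has been applied. */
int reply_ifindex(int ingress_ifindex, unsigned sockflags)
{
    struct in_pktinfo out, packed, in = { .ipi_ifindex = ingress_ifindex };
    union pktinfo_ctl ctl;
    in.ipi_spec_dst.s_addr = htonl(0xC0A80001u); /* constructed: 192.168.0.1 */
    out = egress_pktinfo(&in, sockflags);
    build_pktinfo_cmsg(&ctl, &out);
    memcpy(&packed, CMSG_DATA(&ctl.hdr), sizeof(packed));
    return packed.ipi_ifindex;
}
```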