Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dco: fix source IP selection #668

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

dco: fix source IP selection #668

wants to merge 1 commit into from

Conversation

LGA1150
Copy link

@LGA1150 LGA1150 commented Jan 14, 2025

If the local option is present, DCO should use it as the source IP, or Linux may pick a different IP as the source IP, breaking the connection.

@schwabe
Copy link
Contributor

schwabe commented Jan 14, 2025

Could you add the scenario when this happens with a small config that allows us to reproduce this issue?

@LGA1150
Copy link
Author

LGA1150 commented Jan 14, 2025
edited
Loading

update: manually rebased to master branch

OS/Kernel: OpenWrt 22.03/Linux 5.10.104 (Minimal kernel config to reduce size), musl libc 1.2.2
OpenVPN: 2.6.12
DCO module: 20240712

There are 2 network interfaces wan and lan. Both have static IPs:

wan: 192.168.190.105/24
lan: 192.168.8.1/24

server.conf:

local 192.168.190.105
tls-server
allow-compression no
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/server.crt
dev tun
dh /etc/openvpn/pki/dh.pem
keepalive 10 60
key /etc/openvpn/pki/private/server.key
server 10.200.200.0 255.255.255.0
topology subnet
tun-mtu 1448
verb 5

client.ovpn:

remote 192.168.190.105
tun-mtu 1448
allow-compression no
client
dev tun
tls-client
# ca, cert, key omitted

Client is at lan side with IP 192.168.8.2.
The initial handshake went through, but once the data path is offloaded, DCO transmit path picked the lan interface IP 192.168.8.1 as the source IP, breaking the connection. Adding disable-dco to server.conf fixes it.

With some debugging I found that local option was not passed to DCO via the netlink attr OVPN_NEW_PEER_ATTR_LOCAL_IP. , so Linux picked lan interface IP as the source IP.

@LGA1150 LGA1150 changed the title dco: pass local option to DCO dco: fix source IP selection Jan 15, 2025
@LGA1150
Copy link
Author

LGA1150 commented Jan 15, 2025

Update: found a similar bug when multihome option is enabled. I will push a new patch later.

@LGA1150 LGA1150 force-pushed the fix-dco-srcip branch 2 times, most recently from 391ca69 to 9b7af93 Compare January 15, 2025 11:14
@LGA1150
Copy link
Author

LGA1150 commented Jan 16, 2025

sent to the list

@LGA1150
Copy link
Author

LGA1150 commented Jan 31, 2025

Why is CI failing?

@schwabe
Copy link
Contributor

schwabe commented Jan 31, 2025

@LGA1150 the reason should be quite obvious if you look at the step that fails. Your code does not comform to our code style:

image

@LGA1150
Copy link
Author

LGA1150 commented Feb 1, 2025

It didn't fail immediately at that step. I was looking at "Set job status" and had no idea what it meant.
Anyway I'll fix the code format.

@LGA1150
dco: fix source IP selection
85419e2 
When multihome option is enabled, OpenVPN passes ipi_addr to DCO, which
is always 0.0.0.0. It should use ipi_spec_dst instead.
When local option is present, OpenVPN does not pass it to DCO.
As a result, Linux may pick a different IP as the source IP, breaking
the connection.

Signed-off-by: Qingfang Deng <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@LGA1150 @schwabe