OpenVPN sets broken routes and disables IPv6

REPRODUCIBILITY: Always
OS VERSION: 5.0.0.77
HARDWARE: Jolla C2
UI LANGUAGE: English
REGRESSION:

DESCRIPTION:

When using OpenVPN, the interface configuration is not done by OpenVPN itself but by a different method. IPv6 is disabled regardless of the ‘Disable IPv6’ setting, and an IPv4 route to the DNS server pushed by the VPNAC, as well as a default route, is configured directly on the interface instead of via the gateway. As a result, ARP requests are sent for any IP address instead of the packets being sent to the gateway. Removing the incorrect default route and setting it correctly fixes the issue temporarily, but the incorrect route keeps reappearing after some time.

PRECONDITIONS:

A VPNAC setup with openvpn (assume its IP address is 2001:db8:1000::1) in server mode using the following configuration:

/etc/openvpn/openvpn.conf

cd /etc/openvpn
mode server
tls-server
port 10666
proto udp6
dev tap
ca CA.crt
crl-verify CA.crl
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
verify-client-cert require
ifconfig-ipv6 fe80::1:1/64 fe80::1:1
ifconfig 192.0.2.254 255.255.255.0

client-config-dir clientinfo
client-to-client
keepalive 10 30
cipher AES-256-CBC
user nobody
group nogroup
push "tun-ipv6"

/etc/openvpn/clientinfo/sailfish

push "ifconfig 192.0.2.1 255.255.255.0"
push "ifconfig-ipv6 fd00:cafe:1337::1/64 fe80::1:1"
push "ifconfig-ipv6 fe80::1000:1/64 fe80::1:1"
push "redirect-gateway def1 ipv6"
push "route-ipv6-gateway fe80::1:1"
push "route-gateway 192.0.2.254"
push "dns server 1 address 2001:db8:123:456::1"
push "dns server 2 address 198.51.100.10"

A certificate with ‘sailfish’ as CN issued to the C2

STEPS TO REPRODUCE:

Set up a VPNAC as stated under preconditions

  1. Go to VPN settings, add a new VPN and select OpenVPN

  2. Tap skip

  3. Type in ‘OpenVPN’ as name, 2001:db8:1000::1 as address and select CA.crt as certificate

  4. Tap advanced

  5. Select key and certificate

  6. Set protocol to UDP

  7. Port 10666

  8. Set Disable IPv6 to no

  9. Type AES-256-CBC as cipher algorithm

  10. Set device type to TAP

  11. Leave the rest as it is

  12. Connect the VPN

EXPECTED RESULT:

A vpn0 interface appears, configured with 192.0.2.1/24, fd00:cafe:1337::1/64 and fe80::1000:1/64

The following routes are configured:

  • default via 192.0.2.254 dev vpn0
  • default via fe80::1:1 dev vpn0
  • 2001:db8::1000:1 via fe80::1 dev seth_lte0

ACTUAL RESULT:

A vpn0 interface with 192.0.2.1/24, 169.254.12.34/16 and disabled (via sysctl) IPv6 appears

The following routes are configured:

  • default dev vpn0
  • 198.51.100.10 dev vpn0
  • default via fe80::1 dev seth_lte0
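As an added diagnostic (not part of this report, of OpenVPN or of Sailfish OS), the following Python check parses `ip route show` output and flags routes on the VPN device that have no gateway although their destination is not a directly connected prefix, which is exactly the condition that makes a TAP interface ARP for every destination. The sample routing table is constructed from the ACTUAL RESULT list above.

```python
import ipaddress
import re

# Constructed sample of `ip route show` output reproducing the routes listed
# under ACTUAL RESULT (not captured from a real device).
SAMPLE_IP_ROUTE = """\
default dev vpn0 scope link
198.51.100.10 dev vpn0 scope link
192.0.2.0/24 dev vpn0 proto kernel scope link src 192.0.2.1
169.254.0.0/16 dev vpn0 proto kernel scope link src 169.254.12.34
default via fe80::1 dev seth_lte0 metric 1024
"""

ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)(?: proto (?P<proto>\S+))?")


def parse_routes(text):
    """Parse `ip route` lines into (dst, gateway-or-None, device, proto) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((m["dst"], m["gw"], m["dev"], m["proto"]))
    return routes


def find_onlink_routes(text, vpn_dev="vpn0"):
    """Return destinations on vpn_dev that are routed on-link (no 'via') even
    though they are outside every kernel-installed connected prefix.  For a
    default route this means the kernel ARPs for every address instead of
    forwarding to the gateway, the symptom tcpdump shows in this report."""
    routes = parse_routes(text)
    connected = [ipaddress.ip_network(dst) for dst, gw, dev, proto in routes
                 if dev == vpn_dev and gw is None and proto == "kernel"]
    bad = []
    for dst, gw, dev, proto in routes:
        if dev != vpn_dev or gw is not None or proto == "kernel":
            continue
        if dst == "default":
            bad.append(dst)
        elif not any(ipaddress.ip_network(dst, strict=False).subnet_of(net)
                     for net in connected):
            bad.append(dst)
    return bad


if __name__ == "__main__":
    print("on-link routes lacking a gateway:", find_onlink_routes(SAMPLE_IP_ROUTE))
```

On the affected device, feed it the real `ip route show` output; an empty list means the default and DNS routes carry a `via` gateway as in EXPECTED RESULT.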

MODIFICATIONS:

Developer mode turned on to access the terminal

ADDITIONAL INFORMATION:

Using tcpdump reveals that only ARP requests like the following are received on the server (and on the other connected clients):

ARP, Request who-has 198.51.100.10 tell 192.0.2.1, length 28