NetBSD-Bugs archive


Re: kern/57155: OpenVPN (tap and tun) doesn't run as expected on 10.0_BETA



On Tue, Jan 3, 2023 at 9:35 PM BERTRAND Joël <joel.bertrand%systella.fr@localhost> wrote:
>
> >Number:         57155
> >Category:       kern
> >Synopsis:       OpenVPN (tap and tun) doesn't run as expected on 10.0_BETA
> >Confidential:   no
> >Severity:       critical
> >Priority:       high
> >Responsible:    kern-bug-people
> >State:          open
> >Class:          sw-bug
> >Submitter-Id:   net
> >Arrival-Date:   Tue Jan 03 12:35:00 +0000 2023
> >Originator:     joel.bertrand%systella.fr@localhost
> >Release:        NetBSD 10.0_BETA
> >Organization:
> >Environment:
> System: NetBSD legendre.systella.fr 10.0_BETA NetBSD 10.0_BETA (CUSTOM)
> #3: Tue Dec 27 08:46:20 CET 2022
> root%legendre.systella.fr@localhost:/usr/src/netbsd-10/obj/sys/arch/amd64/compile/CUSTOM
> amd64
> Architecture: x86_64
> Machine: amd64
> >Description:
>
>         Let us consider an OpenVPN client (VPN interface could be tap0 or
> tun0). This client is connected to an OpenVPN server through a physical
> Ethernet adapter (in my case, wm0).
>
>         Client IP address : 192.168.1.2
>         Server IP address : 192.168.1.1
>
> WAN-----192.168.1.1 (OpenVPN server, Linux)
>  |
> WAN-----192.168.1.2 (OpenVPN client, NetBSD 10.0_BETA) 192.168.10.128---LAN
>
>         VPN connection is up but:
> - OpenVPN server cannot ping client (192.168.1.2);
> - OpenVPN client cannot ping server (192.168.1.1).
>
>         If I add a second Ethernet adapter in client (to connect a LAN)
> and if I configure npf to nat IP behind client, all workstations on LAN
> can ping OpenVPN server.
>
>         Same configuration ran fine with NetBSD-9.3 kernel (and all
> kernels since -7).
>
>         tcpdump doesn't show packets. Kernel only seems to drop packets.
>
> >How-To-Repeat:
>         Configure an OpenVPN client. I have tested with an OpenVPN UDP
> configuration, but with tap and tun interfaces.
> >Fix:
>

I've installed NetBSD 10 on Linux KVM and tested with them.  The guest
is under NAT in my setup.  OpenVPN is installed via pkg_add.

netbsd10# uname -a
NetBSD netbsd10 10.0_BETA NetBSD 10.0_BETA (GENERIC) #0: Sat Dec 31 04:55:53 UTC 2022 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
netbsd10# pkg_info openvpn |head -1
Information for openvpn-2.5.7nb1:


With the simple openvpn setups below, ping between the client and the server
works for me.

[host]
openvpn --remote 192.168.122.11 --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 1

[guest]
openvpn --remote 192.168.0.100 --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 1 --float --ping 10

[ping from guest]
netbsd10# ping -n -c 1 10.4.0.1
PING 10.4.0.1 (10.4.0.1): 56 data bytes
64 bytes from 10.4.0.1: icmp_seq=0 ttl=64 time=1.250718 ms

----10.4.0.1 PING Statistics----
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.250718/1.250718/1.250718/0.000000 ms


The difference in the results may come from differences between my environment
and yours.  My NetBSD 10 is fresh and doesn't enable networking
services/daemons that affect the result other than openvpn.

  ozaki-r

