NetBSD-Bugs archive
Re: kern/57155: OpenVPN (tap and tun) doesn't run as expected on 10.0_BETA
The following reply was made to PR kern/57155; it has been noted by GNATS.
From: Ryota Ozaki <ozaki-r%netbsd.org@localhost>
To: joel.bertrand%systella.fr@localhost
Cc: gnats-bugs%netbsd.org@localhost, kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost,
netbsd-bugs%netbsd.org@localhost
Subject: Re: kern/57155: OpenVPN (tap and tun) doesn't run as expected on 10.0_BETA
Date: Wed, 4 Jan 2023 16:10:19 +0900
On Tue, Jan 3, 2023 at 9:35 PM BERTRAND Joël <joel.bertrand@systella.fr> wrote:
>
> >Number: 57155
> >Category: kern
> >Synopsis: OpenVPN (tap and tun) doesn't run as expected on 10.0_BETA
> >Confidential: no
> >Severity: critical
> >Priority: high
> >Responsible: kern-bug-people
> >State: open
> >Class: sw-bug
> >Submitter-Id: net
> >Arrival-Date: Tue Jan 03 12:35:00 +0000 2023
> >Originator: joel.bertrand%systella.fr@localhost
> >Release: NetBSD 10.0_BETA
> >Organization:
> >Environment:
> System: NetBSD legendre.systella.fr 10.0_BETA NetBSD 10.0_BETA (CUSTOM)
> #3: Tue Dec 27 08:46:20 CET 2022
> root%legendre.systella.fr@localhost:/usr/src/netbsd-10/obj/sys/arch/amd64/compile/CUSTOM
> amd64
> Architecture: x86_64
> Machine: amd64
> >Description:
>
> Let us consider an OpenVPN client (VPN interface could be tap0 or
> tun0). This client is connected to an OpenVPN server through a physical
> Ethernet adapter (in my case, wm0).
>
> Client IP address : 192.168.1.2
> Server IP address : 192.168.1.1
>
> WAN-----192.168.1.1 (OpenVPN server, Linux)
> |
> WAN-----192.168.1.2 (OpenVPN client, NetBSD 10.0_BETA) 192.168.10.128---LAN
>
> VPN connection is up but :
> - OpenVPN server cannot ping client (192.168.1.2);
> - OpenVPN client cannot ping server (192.168.1.1).
>
> If I add a second Ethernet adapter in client (to connect a LAN)
> and if I configure npf to nat IP behind client, all workstations on LAN
> can ping OpenVPN server.
>
> Same configuration ran fine with NetBSD-9.3 kernel (and all
> kernels since -7).
>
> tcpdump doesn't show packets. Kernel only seems to drop packets.
>
> >How-To-Repeat:
> Configure an OpenVPN client. I have tested with an OpenVPN UDP
> configuration, but with tap and tun interface.
> >Fix:
>
I've installed NetBSD 10 on Linux KVM and tested with them. The guest
is under NAT in my setup. OpenVPN is installed via pkg_add.
netbsd10# uname -a
NetBSD netbsd10 10.0_BETA NetBSD 10.0_BETA (GENERIC) #0: Sat Dec 31
04:55:53 UTC 2022
mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC
amd64
netbsd10# pkg_info openvpn |head -1
Information for openvpn-2.5.7nb1:
With the simple openvpn setups below, ping between the client and the server
works for me.
[host]
openvpn --remote 192.168.122.11 --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 1
[guest]
openvpn --remote 192.168.0.100 --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 1 --float --ping 10
[ping from guest]
netbsd10# ping -n -c 1 10.4.0.1
PING 10.4.0.1 (10.4.0.1): 56 data bytes
64 bytes from 10.4.0.1: icmp_seq=0 ttl=64 time=1.250718 ms
----10.4.0.1 PING Statistics----
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.250718/1.250718/1.250718/0.000000 ms
The difference of the results may come from differences between my and your
environments. My NetBSD 10 is fresh and doesn't enable networking
services/daemons that affect the result other than openvpn.
ozaki-r