Hi ppl ...
As part of my master thesis _and_ community giveback I added UDPv6 support to
openvpn-2.0_beta11, it's working AFAITested, see attached README.IPv6 for
details.
Output from my uoooooHAaaaAAA!! session:
"""
root@carpediem openvpn-2.0_beta11-jjo # ./openvpn --dev tun --proto udp6 \
--remote fe80::240:5ff:feae:c851 --port 5010 --secret ../openvpn.key \
--ifconfig 1.1.1.253 1.1.1.1
Tue Sep 21 17:30:39 2004 OpenVPN 2.0_beta11 i686-pc-linux [SSL] [LZO] [EPOLL] built on Sep 21 2004
Tue Sep 21 17:30:39 2004 TUN/TAP device tun0 opened
Tue Sep 21 17:30:39 2004 /sbin/ifconfig tun0 1.1.1.253 pointopoint 1.1.1.1
mtu 1500
Tue Sep 21 17:30:39 2004 UDPv6 link local (bound): [AF_INET6]:::5010
Tue Sep 21 17:30:39 2004 UDPv6 link remote: [AF_INET6]fe80::240:5ff:feae:c851:5010
Tue Sep 21 17:30:49 2004 Peer Connection Initiated with [AF_INET6]fe80::240:5ff:feae:c851%wlan0wds0:5000
Tue Sep 21 17:30:51 2004 Initialization Sequence Completed
:
jjo@carpediem jjo $ ping -c 2 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=16.5 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=5.92 ms
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 5.928/11.258/16.588/5.330 ms
"""
BTW ... I've broken some basic indentation rules in order to avoid enlarging
diff size.
Patch attached, also available (GPL) under
http://www.irrigacion.gov.ar/juanjo/ipsec/
Best regards...
--
--Juanjo
PS: Sorry for not signing this message, I've broken my mutt setup recently,
you'll find signed MD5SUM @URL above..
# Juan Jose Ciarlante (JuanJo) jjo ;at; mendoza.gov.ar #
# GnuPG Public Key: gpg --keyserver wwwkeys.eu.pgp.net --recv-key 66727177 #
# Key fingerprint: 0D2F 3E5D 8B5C 729E 0560 F453 A3F7 E249 6672 7177 #
# $Id: README.IPv6,v 1.1.2.5 2004/09/24 04:53:59 jjo Exp $ #
This README covers UDP/IPv6 ( --udp6 ) support for openvpn-2.0_beta11
Also, with address family "generalization" changes came local AF_UNIX socket
support.
Available under GPLv2 from
http://www.irrigacion.gov.ar/juanjo/openvpn/
See "Examples" section below for usage.
* Working:
- udp6->udp6 (AF_INET6)
- udp4->udp6 bound (show correctly mapped address) but requires
--float (to be fixed soon)
- unix-dgram->unix-dgram (AF_UNIX)
useful for implementing local proxies that can take full advantage
of POSIX filesystem permissions ( more powerful access mechanisms
than inet, even for localhost)
* Examples: some successfully tested command lines
BTW did you know that openvpn can successfully negotiate to self
with --remote localhost ? (VERY useful for fast testing)
- IPv6 "normal" usage (+successfully tested tunnel traffic)
server# openvpn --proto udp6 ...
:
Thu Sep 23 22:15:48 2004 Peer Connection Initiated with [AF_INET6]fe80::205:5dff:fef1:1ceb%wlan0wds1:5000
:
client# openvpn --proto udp6 --remote fe80::240:5ff:feae:c851 ...
:
Thu Sep 23 22:13:19 2004 Peer Connection Initiated with [AF_INET6]fe80::240:5ff:feae:c851%wlan0wds0:5000
:
- IPv6 server, IPv4 client (more detailed)
server# openvpn --proto udp6 ...
:
Thu Sep 23 22:28:36 2004 UDPv6 link local (bound): [AF_INET6][undef]:5000
Thu Sep 23 22:28:36 2004 UDPv6 link remote: [AF_INET6][undef]
Thu Sep 23 22:28:50 2004 Peer Connection Initiated with [AF_INET6]::ffff:10.55.14.253:5000
Thu Sep 23 22:28:51 2004 Initialization Sequence Completed
Thu Sep 23 22:28:56 2004 WARNING: Actual Remote Options ('... proto UDPv4 ... ') \
are inconsistent with Expected Remote Options ('... proto UDPv6 ...')
client# openvpn --remote 10.55.14.254 ... ### same default as now: --udp
:
Thu Sep 23 22:26:11 2004 UDPv4 link local (bound): [AF_INET][undef]:5000
Thu Sep 23 22:26:11 2004 UDPv4 link remote: [AF_INET]10.55.14.254:5000
Thu Sep 23 22:26:21 2004 Peer Connection Initiated with [AF_INET]10.55.14.254:5000
Thu Sep 23 22:26:21 2004 WARNING: Actual Remote Options ('... proto UDPv6 ...') \
are inconsistent with Expected Remote Options ('... proto UDPv4 ...')
Thu Sep 23 22:26:22 2004 Initialization Sequence Completed
- IPv6 loopback
alone# openvpn --proto udp6 --remote ::1 ...
:
Wed Sep 22 13:03:07 2004 Peer Connection Initiated with [AF_INET6]::1:5000
:
- AF_UNIX toself
alone# openvpn --proto unix-dgram --local /tmp/o.s --remote /tmp/o.s --dev tun ...
:
Thu Sep 23 16:37:27 2004 Peer Connection Initiated with [AF_UNIX]/tmp/o.s
:
- AF_UNIX between two diff instances
peer1# openvpn --proto unix-dgram --local /tmp/o1.s --remote /tmp/o2.s
peer2# openvpn --proto unix-dgram --local /tmp/o2.s --remote /tmp/o1.s
:
Wed Sep 22 12:49:03 2004 Peer Connection Initiated with [AF_UNIX]/tmp/o1.s
:
* Main code changes summary:
- New sockaddr type (could have been sockaddr_storage but
it lacks simple type overloading and maybe portability)
    union sockaddr_ovpn {
        struct sockaddr addr;
        struct sockaddr_in in;
        struct sockaddr_in6 in6;
    #ifdef HAVE_SYS_UN_H
        struct sockaddr_un un;
    #endif
    };
    typedef union sockaddr_ovpn sockaddr_ovpn_t;
    struct link_socket_addr
    {
        sockaddr_ovpn_t local;
        sockaddr_ovpn_t remote;
        sockaddr_ovpn_t actual;
    };
... leads to simple type overloading: local.addr
local.in, local.in6 ... etc
- several function prototypes moved from
sockaddr_in to sockaddr args type
- several new sockaddr functions:
addr_copy(), addr_zero(), ...etc
proto_is_udp(), proto_is_dgram(), proto_is_net()
* TODO:
- call socket() lately, after getaddrinfo() to decide IPv4 or IPv6 host
(hence socket()) instead of needing -p {udp|udp6}
Not actually a big trouble, given that you _do_ setup both sides
(keys, certs, etc), using udp or udp6 is actually another setup bit.
- Implement comparison for mapped addresses: server in dual stack listening
IPv6 must permit incoming streams from allowed IPv4 peer (ie without --float).
- IPv6 with actual host resolution, currently only numerical (AI_NUMERICHOST)
- integrate both IPv4 and IPv6 addr resolution with getaddrinfo instead of
venerable gethostbyname&friends, problem: portability across platforms,
across libc versions? (dunno).
--
JuanJo Ciarlante jjo|at|mendoza.gov.ar
: :
. Linux IP Aliasing author .
. Modular algo (AES et all) support for FreeSWAN/OpenSWAN author .
:... plus other scattered free software bits in the wild ...:
Attachment:
openvpn-2.0_beta11-udp6-jjo-v0.2.1.patch.gz
Description: application/gunzip
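As an added illustration (not part of JuanJo's patch or of OpenVPN itself), a C sketch of the README's sockaddr_ovpn union together with a family-aware equality check that covers the TODO item on mapped addresses: a udp6 listener whose configured IPv4 --remote shows up as ::ffff:10.55.14.253 can keep its remote-address check instead of relaxing it with --float. addr_parse, addr_to_v6 and addr_match are hypothetical helper names; the sample addresses come from the log excerpts above.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Same shape as the README's union: one object, dispatched on addr.sa_family. */
union sockaddr_ovpn {
    struct sockaddr addr;
    struct sockaddr_in in;
    struct sockaddr_in6 in6;
    struct sockaddr_un un;
};

/* Hypothetical helper: fill the union from a numeric address or a socket path. */
static bool addr_parse(union sockaddr_ovpn *a, const char *text, in_port_t port)
{
    memset(a, 0, sizeof *a);
    if (text[0] == '/') {                       /* unix-dgram path, e.g. /tmp/o1.s */
        a->un.sun_family = AF_UNIX;
        strncpy(a->un.sun_path, text, sizeof a->un.sun_path - 1);
    } else if (inet_pton(AF_INET, text, &a->in.sin_addr) == 1) {
        a->in.sin_family = AF_INET;    a->in.sin_port = htons(port);
    } else if (inet_pton(AF_INET6, text, &a->in6.sin6_addr) == 1) {
        a->in6.sin6_family = AF_INET6; a->in6.sin6_port = htons(port);
    } else return false;                        /* neither numeric inet nor a path */
    return true;
}

/* Canonicalise to IPv6 form (IPv4 a.b.c.d becomes ::ffff:a.b.c.d); returns the port. */
static in_port_t addr_to_v6(const union sockaddr_ovpn *a, struct in6_addr *v6)
{
    if (a->addr.sa_family == AF_INET6) { *v6 = a->in6.sin6_addr; return a->in6.sin6_port; }
    memset(v6, 0, sizeof *v6);
    v6->s6_addr[10] = v6->s6_addr[11] = 0xff;
    memcpy(&v6->s6_addr[12], &a->in.sin_addr, 4);
    return a->in.sin_port;
}

/* Equality that lets a dual-stack udp6 listener accept its configured IPv4 --remote
 * peer (seen as ::ffff:10.55.14.253) without giving up the check via --float. */
static bool addr_match(const union sockaddr_ovpn *a, const union sockaddr_ovpn *b)
{
    struct in6_addr x, y;
    if (a->addr.sa_family == AF_UNIX || b->addr.sa_family == AF_UNIX)
        return a->addr.sa_family == b->addr.sa_family &&
               strcmp(a->un.sun_path, b->un.sun_path) == 0;
    return addr_to_v6(a, &x) == addr_to_v6(b, &y) && memcmp(&x, &y, sizeof x) == 0;
}
```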