authorAlberto Gonzalez Iniesta <agi@inittab.org>2012-02-23 17:28:35 +0100
committerAlberto Gonzalez Iniesta <agi@inittab.org>2012-02-23 17:28:35 +0100
commit4f460c0ea0b089760deb2a4420a0931b9841f1ad (patch)
tree49385c09acca6c251c6300e1009cd5428a4d76fb
parent864a94d1f266022fdd4cfb3ecf7978f50fa412c3 (diff)
Avoid sending ICMP redirects with dev tun + subnet
When a tun-based VPN is using the subnet topology, the communication between clients can confuse the routing code that will wrongly emit ICMP redirects. Patch by Simon Deziel. (Closes: #656241)
-rw-r--r--debian/changelog8
-rw-r--r--debian/openvpn.init.d21
2 files changed, 29 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index ca675a3..c8961fc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+openvpn (2.2.1-5) unstable; urgency=low
+
+ * Avoid sending ICMP redirects when using tun devices and "subnet"
+ topology. Thanks Simon Deziel for testing and the patch.
+ (Closes: #656241)
+
+ -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 23 Feb 2012 17:25:54 +0100
+
openvpn (2.2.1-4) unstable; urgency=low
* Use dpkg-buildflags to fill CFLAGS in ./configure. (Closes: #655130)
diff --git a/debian/openvpn.init.d b/debian/openvpn.init.d
index d8e50ae..1f8a1cc 100644
--- a/debian/openvpn.init.d
+++ b/debian/openvpn.init.d
@@ -56,6 +56,22 @@ start_vpn () {
STATUSARG="--status /var/run/openvpn.$NAME.status $STATUSREFRESH"
fi
+ # tun using the "subnet" topology confuses the routing code that wrongly
+ # emits ICMP redirects for client to client communications
+ if grep -q '^[[:space:]]*dev[[:space:]]*tun' $CONFIG_DIR/$NAME.conf && \
+ grep -q '^[[:space:]]*topology[[:space:]]*subnet' $CONFIG_DIR/$NAME.conf ; then
+ # When using "client-to-client", OpenVPN routes the traffic itself without
+ # involving the TUN/TAP interface so no ICMP redirects are sent
+ if ! grep -q '^[[:space:]]*client-to-client' $CONFIG_DIR/$NAME.conf ; then
+ sysctl -w net.ipv4.conf.all.send_redirects=0 > /dev/null
+
+ # Save the default value for send_redirects before disabling it
+ # to make sure the tun device is created with send_redirects disabled
+ SAVED_DEFAULT_SEND_REDIRECTS=$(sysctl -n net.ipv4.conf.default.send_redirects)
+ sysctl -w net.ipv4.conf.default.send_redirects=0 > /dev/null
+ fi
+ fi
+
log_progress_msg "$NAME"
STATUS=0
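Review bot: The host-wide `sysctl -w net.ipv4.conf.all.send_redirects=0` in this hunk is never saved or restored (the second hunk only puts `default` back) and nothing in the comments says that is intended, so the next reader will take it for an oversight. Per the kernel's ip-sysctl documentation send_redirects is enabled for an interface when either conf/all or conf/<iface> is set, so keeping `all` at 0 is what actually silences the tun device, but it also disables redirects on every other interface of the host for as long as it runs, and stop_vpn does not undo it. I would say so right above that line: `# Deliberately left at 0 and not restored: the kernel ORs conf/all with the per-interface flag, so restoring it would re-enable redirects on the tun device; note this affects every interface on the host.` Separately, `$CONFIG_DIR/$NAME.conf` is unquoted in all three greps (`"$CONFIG_DIR/$NAME.conf"`), and the second hunk restores `default` immediately after the daemon is launched, which only has the intended effect if the tun device already exists at that point — worth confirming for the `--daemon` case. start_vpn continues past the end of this hunk.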
@@ -66,6 +82,11 @@ start_vpn () {
--config $CONFIG_DIR/$NAME.conf || STATUS=1
[ "$OMIT_SENDSIGS" -ne 1 ] || ln -s /var/run/openvpn.$NAME.pid /run/sendsigs.omit.d/openvpn.$NAME.pid
+
+ # Set the back the original default value of send_redirects if it was changed
+ if [ -n "$SAVED_DEFAULT_SEND_REDIRECTS" ]; then
+ sysctl -w net.ipv4.conf.default.send_redirects=$SAVED_DEFAULT_SEND_REDIRECTS > /dev/null
+ fi
}
stop_vpn () {
kill `cat $PIDFILE` || true