Control: tags -1 + moreinfo
Control: forwarded -1 https://community.openvpn.net/openvpn/ticket/911
On 04.07.2017 09:52, Marc Haber wrote:

Hi Marc,

> On Mon, Jul 03, 2017 at 11:39:58PM +0200, Marc Haber wrote:
>> Jul 3 23:33:11 torres ovpn-server[5730]: /sbin/ip link set dev tun0 up mtu
>> 1278
>
> This was caused by link-mtu 1400. I upped that to 1402 which resulted in
> "/sbin/ip link set dev tun0 up mtu 1280" in the log, but still openvpn
> not coming up.
>
> The jessie version of OpenVPN on this system logs
>
> /sbin/ip link set dev tun0 up mtu 1344
>
> and works fine; the buster version is as broken as stretch's.

As discussed on IRC

a) link-mtu 1400 results in tun0 mtu 1278, which is below the minimum
IPv6 MTU of 1280 Bytes. The kernel will refuse to set an IPv6 address on
that sort of interface, as demonstrated here

# ip link add link enp0s31f6 testvlan mtu 1278 type vlan id 123
# ip link set testvlan up
# ip addr add 2001:db8::1/64 dev testvlan
RTNETLINK answers: No buffer space available
# ip link set testvlan mtu 1280
# ip addr add 2001:db8::1/64 dev testvlan
#

Possibly upstream has changed the overhead calculation. There _might_ be
an upstream issue there, since all of the sudden needing 66 bytes more
than before sounds a bit fishy. I see that Gert has already opened an
appropriate bug in the upstream BTS.

b) for the case of link-mtu 1402 I cannot reproduce your problem. With
this config (which only differs very slightly from yours, the ccd
configuration and the local address have been removed) openvpn starts
just fine

==> zugschlus.conf <==
port 1194
proto udp
dev tun
ca caconcat.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
server-ipv6 2a01:238:4071:3202::/64
ifconfig-pool-persist ipp.txt
route 10.1.0.0 255.255.0.0
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
topology subnet
push "topology subnet"
link-mtu 1402

Jul 04 20:23:32 BOTOX systemd[1]: Starting OpenVPN connection to zugschlus...
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14901]: Current Parameter Settings:
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14901]: config = '/etc/openvpn/zugschlus.conf'
...
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14901]: link_mtu = 1402
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14901]: link_mtu_defined = ENABLED
[...]
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14901]: OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14901]: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: Diffie-Hellman initialized with 2048 bit key
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1280)
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: TLS-Auth MTU parms [ L:1402 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: ROUTE_GATEWAY 172.16.3.1/255.255.255.192 IFACE=br0 HWADDR=64:00:6a:6a:9c:f4
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: TUN/TAP device tun0 opened
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: TUN/TAP TX queue length set to 100
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: /sbin/ip link set dev tun0 up mtu 1280
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: /sbin/ip -6 addr add 2a01:238:4071:3202::1/64 dev tun0
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: /sbin/ip route add 10.1.0.0/16 via 10.8.0.2
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: Data Channel MTU parms [ L:1402 D:1402 EF:122 EB:369 ET:0 EL:3 ]
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: UDPv4 link local (bound): [AF_INET][undef]:1194
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: UDPv4 link remote: [AF_UNSPEC]
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: MULTI: multi_init called, r=256 v=256
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=2a01:238:4071:3202::1000
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=1
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: IFCONFIG POOL LIST
Jul 04 20:23:32 BOTOX ovpn-zugschlus[14902]: Initialization Sequence Completed

Please also note the WARNING about mssfix/fragment/tun-mtu above. The
manpage says

  --link-mtu n
      Sets an upper bound on the size of UDP packets which are sent
      between OpenVPN peers. It's best not to set this parameter unless
      you know what you're doing.

and suggests the fragment and/or mssfix parameters to resolve MTU
issues. I haven't ever used either in my configurations.

Can you try again with both versions and dump the full loglines from the
Journal starting at the OpenVPN version string as shown above? Maybe
there is something else different, since you did not show the Jessie
startup or the startup from link-mtu 1402 it is hard to tell.

Best Regards,
Bernhard
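
Added example (not part of the original message and not OpenVPN code): a Python check over OpenVPN startup log lines that reports the tun MTU, the overhead relative to link-mtu, and whether a device is given an IPv6 address while its MTU is below 1280. The log lines are constructed, modelled on the ones quoted above; the function and field names are hypothetical.

```python
import re

IPV6_MIN_MTU = 1280  # below this the kernel refuses to add an IPv6 address

# Patterns follow the OpenVPN 2.4 log lines quoted in the message above.
LINK_MTU_RE = re.compile(r"\blink_mtu = (\d+)")
SET_MTU_RE = re.compile(r"ip link set dev (\S+) up mtu (\d+)")
V6_ADDR_RE = re.compile(r"ip -6 addr add \S+ dev (\S+)")


def audit_openvpn_log(lines):
    """Return one finding per tun/tap device seen in the log (hypothetical helper)."""
    link_mtu = None
    devices = {}  # dev -> {"tun_mtu": int, "ipv6": bool}
    for line in lines:
        if (m := LINK_MTU_RE.search(line)):
            link_mtu = int(m.group(1))
        elif (m := SET_MTU_RE.search(line)):
            devices.setdefault(m.group(1), {"ipv6": False})["tun_mtu"] = int(m.group(2))
        elif (m := V6_ADDR_RE.search(line)):
            devices.setdefault(m.group(1), {"ipv6": False})["ipv6"] = True
    findings = []
    for dev, info in sorted(devices.items()):
        mtu = info.get("tun_mtu")
        findings.append({
            "dev": dev,
            "tun_mtu": mtu,
            # bytes OpenVPN reserved between the link MTU and the tun MTU
            "overhead": link_mtu - mtu if None not in (link_mtu, mtu) else None,
            "ipv6_will_fail": bool(info["ipv6"] and mtu is not None and mtu < IPV6_MIN_MTU),
        })
    return findings


def sample_log(link_mtu, tun_mtu):
    """Constructed log lines in the format shown in the message above."""
    p = "Jul 04 20:23:32 host ovpn-example[1000]: "
    return [
        p + f"link_mtu = {link_mtu}",
        p + "link_mtu_defined = ENABLED",
        p + f"/sbin/ip link set dev tun0 up mtu {tun_mtu}",
        p + "/sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255",
        p + "/sbin/ip -6 addr add 2001:db8::1/64 dev tun0",
    ]


if __name__ == "__main__":
    for link, tun in ((1400, 1278), (1402, 1280)):
        print(audit_openvpn_log(sample_log(link, tun)))
```
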