Tag: patch The attached patch prevents sending ICMP redirects on tun devices when the "subnet" topology is used.
--- debian/openvpn.init.d 2011-06-09 18:02:14 +0000
+++ debian/openvpn.init.d 2011-12-22 17:29:48 +0000
@@ -61,6 +61,18 @@
 script_security="--script-security 2"
 fi
 
+ # the "subnet" topology (tun only) confuses the routing code that wrongly
+ # emits ICMP redirects for client to client communications
+ TUN_DEVNAME=$(sed -n 's/^[[:space:]]*dev[[:space:]]*\(tun.*\)$/\1/p' $CONFIG_DIR/$NAME.conf)
+ if test -n "$TUN_DEVNAME" && grep -q '^[[:space:]]*topology[[:space:]]*subnet' $CONFIG_DIR/$NAME.conf; then
+ # When using "client-to-client", OpenVPN routes the traffic itself without
+ # involving the TUN/TAP interface so no ICMP redirects are sent
+ if ! grep -q '^[[:space:]]*client-to-client' $CONFIG_DIR/$NAME.conf ; then
+ echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+ echo 0 > /proc/sys/net/ipv4/conf/$TUN_DEVNAME/send_redirects
+ fi
+ fi
+
 STATUS=0
 # Check to see if it's already started...
 if test -e /var/run/openvpn.$NAME.pid ; then
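Review bot: `TUN_DEVNAME` is captured with `tun.*`, so it takes everything up to the end of the `dev` line (trailing whitespace, a comment, a `/`), and it is then expanded unquoted into a path that this init script writes to, presumably as root. Restrict the capture to an interface name and quote the expansions, e.g. `\(tun[^[:space:]/]*\)[[:space:]]*$` in the sed expression and `echo 0 > "/proc/sys/net/ipv4/conf/$TUN_DEVNAME/send_redirects"`. The per-device write also sits before the "already started" check, so on a first start the interface presumably does not exist yet (and never under that name for a bare `dev tun`); guard it with `test -w` on the proc file or apply the setting once the device is up, and log when it could not be applied so redirects are not left enabled unnoticed. The `conf/all` write is host-wide and nothing in this hunk restores it, which deserves a comment for the administrator. The enclosing function starts and ends outside the hunk.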