Tag: patch
The attached patch prevents sending ICMP redirects on tun devices when
the "subnet" topology is used.
--- debian/openvpn.init.d 2011-06-09 18:02:14 +0000
+++ debian/openvpn.init.d 2011-12-22 17:29:48 +0000
@@ -61,6 +61,18 @@
script_security="--script-security 2"
fi
+ # the "subnet" topology (tun only) confuses the routing code that wrongly
+ # emits ICMP redirects for client to client communications
+ TUN_DEVNAME=$(sed -n 's/^[[:space:]]*dev[[:space:]]*\(tun.*\)$/\1/p' $CONFIG_DIR/$NAME.conf)
+ if test -n "$TUN_DEVNAME" && grep -q '^[[:space:]]*topology[[:space:]]*subnet' $CONFIG_DIR/$NAME.conf; then
+ # When using "client-to-client", OpenVPN routes the traffic itself without
+ # involving the TUN/TAP interface so no ICMP redirects are sent
+ if ! grep -q '^[[:space:]]*client-to-client' $CONFIG_DIR/$NAME.conf ; then
+ echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+ echo 0 > /proc/sys/net/ipv4/conf/$TUN_DEVNAME/send_redirects
+ fi
+ fi
+
STATUS=0
# Check to see if it's already started...
if test -e /var/run/openvpn.$NAME.pid ; then
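Review bot: The `tun.*` capture in the `TUN_DEVNAME=$(sed …)` line takes everything up to end of line, and the result is used unquoted in the `/proc/sys/net/ipv4/conf/$TUN_DEVNAME/send_redirects` redirect target, so a trailing comment or whitespace, a second `dev` line, or a bare `dev tun` yields a missing path or an ambiguous redirect. Restrict the match to an actual interface name, e.g. `\(tun[0-9][0-9]*\)[[:space:]]*$`, and quote `"$CONFIG_DIR/$NAME.conf"` and the /proc path. The block also appears to run before the daemon is started (the "already started" check follows it), so for a non-persistent device the per-interface entry probably does not exist yet and only the `all` write succeeds. The kernel sends redirects when either the `all` or the per-interface value is set, so the new interface would then keep its inherited default; this is worth confirming, and if it holds, test the path with `[ -w … ]` and apply the setting once the device is up. The enclosing function starts and ends outside the hunk.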