Hi,

On Fri, Jan 26, 2018 at 02:11:52PM +0100, Jan Just Keijser wrote:
> the route was added with the default GW of fe80::8 : should I be worried ?

fe80::8 is our/my tun-over-tap hack.

On "proper" tun devices, there is no ARP or IPv6 neighbour discovery, so
you can point routes toward the *interface* - or towards "an IP address
that the system knows is on the tun interface" (which we do for IPv4,
because that's how it was coded in the dark ages).  Since there is no
ARP, "a route towards tun" leads to "packet sent to tun fd, no further
processing, let openvpn deal with it".  Easy.

On TAP there is "ethernet underneath", so for each route destination,
an ARP or IPv6 neighbour discovery lookup needs to be done, and then
the packet is sent towards that MAC address.  Also fairly easy, since 
OpenVPN only deals with MAC address forwarding and lets the OSes on
both sides sort out the L2 discovery.


Now, tun-on-windows is "tun" as far as OpenVPN is concerned, and "TAP"
as far as Windows is concerned - so there needs to be an explicitly
named gateway address (v4 as well as v6), and ARP / IPv6 ND.  Since OpenVPN
doesn't deal with MAC stuff here, magic happens in the Windows tap
driver - namely, if Windows sends an ARP request for "the ipv4 route
gateway", the TAP driver answers it (openvpn tells it via ioctl() what
the gateway address is, so the TAP driver knows what addresses to
listen for).  For IPv6, we have link-local, so I did not bother to
implement a new ioctl() and logic on the OpenVPN side, but always set
the next-hop route to "fe80::8" - and the tap driver knows "oh, this
is magic, answer the ND query".


Long story short: 
 - for tap interfaces in tun mode, fe80::8 is what you want to see.  
 - For tap interfaces in *tap* mode, "a real IPv6 address of the gateway 
   on the other end" is what you want (ND goes back and forth over 
   OpenVPN/tap layer).

 - LAN routes (/128 bypass routes to the VPN server, for example) 
   should never use fe80::8 but the real link-local or global address
   of the gateway -> now with "it works if you have two interfaces!" :-)

 - your log file looks like it should :-)

gert

-- 
now what should I write here...

Gert Doering - Munich, Germany                             g...@greenie.muc.de
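The three rules in the "long story short" list above, turned into a small route audit; this is an added example, not code from the mail or from the OpenVPN project. It assumes a Windows client using the tap-windows adapter, takes the OpenVPN --dev mode plus (destination, gateway) pairs you read off the client log, and treats every /128 as a LAN bypass route (a heuristic assumption made for this example).

```python
import ipaddress

# Next hop the Windows TAP driver treats as "magic" (it answers IPv6 ND for it
# itself) when OpenVPN drives the adapter in tun mode, as described in the mail.
MAGIC_GW = ipaddress.IPv6Address("fe80::8")


def audit_ipv6_routes(dev_type, routes):
    """Check IPv6 routes installed by an OpenVPN client on Windows.

    dev_type: "tun" or "tap", the OpenVPN --dev mode (not the Windows adapter type).
    routes:   iterable of (destination, gateway) strings, e.g. copied from the log.
    Returns a list of (destination, problem) tuples; empty means every route
    follows the rules from the mail.  Assumption for this example: any /128
    route is a LAN bypass route (e.g. to the VPN server itself).
    """
    if dev_type not in ("tun", "tap"):
        raise ValueError("dev_type must be 'tun' or 'tap'")
    findings = []
    for dest, gw in routes:
        net = ipaddress.ip_network(dest, strict=False)
        gateway = ipaddress.ip_address(gw)
        if net.version != 6 or gateway.version != 6:
            continue  # IPv4 uses the ioctl-announced gateway; not covered here
        via_magic = gateway == MAGIC_GW
        if net.prefixlen == 128:
            # Bypass route to the VPN server: must use the real LAN gateway,
            # otherwise traffic to the server would be steered into the tunnel.
            if via_magic:
                findings.append((dest, "bypass route via fe80::8 instead of the real LAN gateway"))
        elif dev_type == "tun":
            # In tun mode the driver only answers ND for the magic address.
            if not via_magic:
                findings.append((dest, "tun-mode VPN route not via fe80::8"))
        else:
            # In tap mode ND really crosses the tunnel; fe80::8 has no peer there.
            if via_magic:
                findings.append((dest, "tap-mode VPN route via fe80::8; expected the peer's real address"))
    return findings


if __name__ == "__main__":
    # Constructed sample: tun-mode client, one correct VPN route, one wrong bypass route.
    sample = [("2001:db8:1::/64", "fe80::8"), ("2001:db8:ffff::1/128", "fe80::8")]
    for dest, problem in audit_ipv6_routes("tun", sample):
        print(dest, "->", problem)
```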

