Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388760580-7548-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8167
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -35,31 +35,22 @@ over an IPv6 network ("OpenVPN over IPv6"). |
35 | 35 |
The code in 2.3.0 supersedes the IPv6 transport patches from JuanJo Ciarlante, |
36 | 36 |
formerly located at http://github.com/jjo/openvpn-ipv6 |
37 | 37 |
|
38 |
+OpenVPN 2.4.0 includes a big overhaul of the IPv6 transport patches |
|
39 |
+originally implemented for the Android client (ics-openvpn) |
|
38 | 40 |
|
39 |
-Use the following options to select IPv6 transport: |
|
41 |
+IPv4/IPv6 transport is automatically is selected when resolving addresses. |
|
42 |
+Use a 6 or 4 suffix to force IPv6/IPv4: |
|
40 | 43 |
|
41 | 44 |
--proto udp6 |
45 |
+ --proto tcp4 |
|
42 | 46 |
--proto tcp6-client |
43 |
- --proto tcp6-server |
|
47 |
+ --proto tcp4-server |
|
44 | 48 |
--proto tcp6 --client / --proto tcp6 --server |
45 | 49 |
|
46 |
-On systems that permit IPv4 connections on IPv6 sockets (Linux by |
|
47 |
-default, FreeBSD and NetBSD if you turn off the "v6only" sysctl by |
|
48 |
-running "sysctl -w net.inet6.ip6.v6only=0"), an OpenVPN server can |
|
50 |
+On systems that allow IPv4 connections on IPv6 sockets |
|
51 |
+(all systems supporting IPV6_V6ONLY setsockopt), an OpenVPN server can |
|
49 | 52 |
handle IPv4 connections on the IPv6 socket as well, making it a true |
50 |
-dual-stacked server. |
|
53 |
+dual-stacked server. Use bind ipv6only to disable this behaviour. |
|
51 | 54 |
|
52 | 55 |
On other systems, as of 2.3.0, you need to run separate server instances |
53 | 56 |
for IPv4 and IPv6. |
54 |
- |
|
55 |
-The client side code is not really "dual-stacked" yet, as it does not |
|
56 |
-automatically try both address families when connecting to a dual-stacked |
|
57 |
-server. For now, you can achieve this with <connection> stanzas in your |
|
58 |
-openvpn config: |
|
59 |
- |
|
60 |
- <connection> |
|
61 |
- remote my.dual.stack.server 1194 udp6 |
|
62 |
- </connection> |
|
63 |
- <connection> |
|
64 |
- remote my.dual.stack.server 1194 udp |
|
65 |
- </connection> |
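Review bot: the removal of the "client side code is not really dual-stacked yet" paragraph and its <connection> workaround leaves the README silent on what the client does now; the only replacement is "IPv4/IPv6 transport is automatically is selected when resolving addresses", which does not say whether both address families are tried against a dual-stacked server. Suggest adding one sentence on client behaviour when a name resolves to both A and AAAA records. In the same added line, "is automatically is selected" has a duplicated "is". "Use bind ipv6only to disable this behaviour." names the option without the leading "--" used for every other option in this file (compare "--proto udp6"), so "--bind ipv6only" would be consistent. Since the dual-stack paragraph now covers "all systems supporting IPV6_V6ONLY setsockopt", a pointer from here to the TODO entry stating that comparison "will still fail on mapped addresses" would tell server operators about the remaining limitation where they first read about the feature.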
... | ... |
@@ -183,7 +183,7 @@ tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 |
183 | 183 |
TODO for IPv6 transport support |
184 | 184 |
------------------------------- |
185 | 185 |
|
186 |
-[ Last updated: 10-Jun-2012. ] |
|
186 |
+[ Last updated: 2014-01-03. ] |
|
187 | 187 |
|
188 | 188 |
* All platforms: |
189 | 189 |
o mgmt console: as currently passes straight in_addr_t bits around |
... | ... |
@@ -191,19 +191,25 @@ TODO for IPv6 transport support |
191 | 191 |
o make possible to get AF from getaddrinfo() answer, ie allow openvpn to |
192 | 192 |
use ipv4/6 if DNS returns A/AAAA without specifying protocol. |
193 | 193 |
Hard: requires deep changes in initialization/calling logic |
194 |
+ - Done by dual stack patches |
|
194 | 195 |
|
195 | 196 |
o use AI_PASSIVE |
197 |
+ - Done by dual stack patches |
|
196 | 198 |
|
197 | 199 |
o the getaddr()/getaddr6() interface is not prepared for handling socktype |
198 | 200 |
"tagging", currently I abuse the sockflags bits for getting the ai_socktype |
199 | 201 |
downstream. |
202 |
+ - Still done by flags, seems clean enough. |
|
200 | 203 |
|
201 | 204 |
o implement comparison for mapped addesses: server in dual stack |
202 | 205 |
listening IPv6 must permit incoming streams from allowed IPv4 peer, |
203 | 206 |
currently you need to pass eg: --remote ffff::1.2.3.4 |
204 |
- |
|
207 |
+ - OpenVPN will compare all address of a remote |
|
208 |
+ but will still fail on mapped addresses |
|
205 | 209 |
|
206 | 210 |
* win32: |
207 | 211 |
o find out about mapped addresses, as I can't make it work |
208 | 212 |
with bound at ::1 and connect to 127.0.0.1 |
213 |
+ - Should be fixed by 8832c6c - "Implement listing on IPv4/IPv6 dual |
|
214 |
+ socket on all platform" |
|
209 | 215 |
|
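Review bot: the status added under "implement comparison for mapped addesses" says OpenVPN "will still fail on mapped addresses" but does not say what an operator of a dual-stack server should do until that is fixed; state whether the "--remote ffff::1.2.3.4" form from the context lines is still required for IPv4 peers arriving on the IPv6 socket, and mark the item as still open. In the same line, "compare all address of a remote" should read "all addresses". The two entries marked "Done by dual stack patches" could be dropped from a list titled "TODO" or moved under a separate done heading. The win32 entry is hedged with "Should be fixed by 8832c6c"; either confirm it with the "bound at ::1 and connect to 127.0.0.1" case described just above it, or leave the item open with a note that it is untested.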