authorGert Doering <gert@greenie.muc.de>2015-09-11 17:33:44 +0200
committerGert Doering <gert@greenie.muc.de>2015-09-20 14:19:53 +0200
commitd227929b5db049ca6efbef9fb7d84be5e545b41d (patch)
tree935bddbe382129c95bbdd95999d7240c43342b54
parent1ff39cff4e644103607f0266cd4666dab18716c5 (diff)
Implement '--redirect-gateway ipv6'
Add "ipv6" and "!ipv4" sub-options to "--redirect-gateway" option. This is done in the same way as in the OpenVPN 3 code base, so "--redirect-gateway ipv6" will redirect both IPv4 and IPv6 - if you want v6-only, use "--redirect-gateway ipv6 !ipv4". The actual implementation is much simpler than for IPv4 - we just add a few extra routes to the route_ipv6_option_list and leave it to init_route_ipv6_list() to figure out whether there is an overlap with IPv6 transport, and if yes, insert a host route to the VPN server via the current IPv6 default gateway. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1441985627-14822-8-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/10086
-rw-r--r--doc/openvpn.811
-rw-r--r--src/openvpn/init.c15
-rw-r--r--src/openvpn/options.c7
3 files changed, 33 insertions, 0 deletions
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 3a0d4e0..e213f5a 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -1240,6 +1240,17 @@ on non-Windows clients).
Block access to local LAN when the tunnel is active, except for
the LAN gateway itself. This is accomplished by routing the local
LAN (except for the LAN gateway address) into the tunnel.
+
+.B ipv6 --
+Redirect IPv6 routing into the tunnel. This works similar to the
+.B def1
+flag, that is, more specific IPv6 routes are added (2000::/4, 3000::/4),
+covering the whole IPv6 unicast space.
+
+.B !ipv4 --
+Do not redirect IPv4 traffic - typically used in the flag pair
+.B "ipv6 !ipv4"
+to redirect IPv6-only.
.\"*********************************************************
.TP
.B \-\-link\-mtu n
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 922308d..f568d87 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1195,6 +1195,21 @@ do_init_route_ipv6_list (const struct options *options,
if (options->route_default_metric)
metric = options->route_default_metric;
+ /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
+ */
+ if ( options->routes_ipv6->flags & RG_REROUTE_GW )
+ {
+ char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
+ int i;
+
+ for (i=0; opt_list[i]; i++)
+ {
+ add_route_ipv6_to_option_list( options->routes_ipv6,
+ string_alloc (opt_list[i], options->routes_ipv6->gc),
+ NULL, NULL );
+ }
+ }
+
if (!init_route_ipv6_list (route_ipv6_list,
options->routes_ipv6,
gw,
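Review bot: The prefixes in `opt_list` are a fixed enumeration rather than a default route, and they do not match the man page hunk in this commit: doc/openvpn.8 names only 2000::/4 and 3000::/4, while the code also adds `::/3` and `fc00::/7`, and any destination outside these four prefixes keeps following the existing routing table, which matters to users who rely on this option to keep IPv6 traffic from bypassing the tunnel. I would say so in the comment, e.g. `/* covers ::/3, 2000::/3 (as two /4s) and fc00::/7 only; other IPv6 space is not redirected */`, and align the man page text with the list. The block also appends to `options->routes_ipv6` through a `const struct options *` on every call, so if this function runs again after a restart the four routes may be added repeatedly; that needs checking against the caller, which is outside the hunk. Since the array only holds string literals, `static const char *const opt_list[]` would be the safer declaration. The body of do_init_route_ipv6_list starts and ends outside the hunk.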
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 581db52..5ace1f3 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -5366,6 +5366,13 @@ add_option (struct options *options,
options->routes->flags |= RG_BYPASS_DNS;
else if (streq (p[j], "block-local"))
options->routes->flags |= RG_BLOCK_LOCAL;
+ else if (streq (p[j], "ipv6"))
+ {
+ rol6_check_alloc (options);
+ options->routes_ipv6->flags |= RG_REROUTE_GW;
+ }
+ else if (streq (p[j], "!ipv4"))
+ options->routes->flags &= ~RG_REROUTE_GW;
else
{
msg (msglevel, "unknown --%s flag: %s", p[0], p[j]);
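Review bot: The `!ipv4` arm clears `RG_REROUTE_GW` on `options->routes` without any log output, and its effect depends on the flag having been set before this loop and on no later `--redirect-gateway` line setting it again; that code is outside the hunk. Because the result decides whether IPv4 traffic stays outside the tunnel, a short message when the flag is cleared would make the resulting state visible in the log, for example `msg (M_INFO, "NOTE: --%s !ipv4: IPv4 default route will not be redirected", p[0]);`. The `unknown --%s flag` message prints `p[0]`, which suggests this branch serves more than one option name; if so, it is worth confirming that `ipv6` setting `RG_REROUTE_GW` on `routes_ipv6` is intended for each of them. The two new arms also mix braced and unbraced bodies; bracing the `!ipv4` arm would match the arm above it.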