Servus,

On Wed, Jan 18, 2017 at 04:43:22PM +0100, Thomas Schäfer wrote:
> Client:
> client
> dev tun
> proto udp6
> remote raspberrypi.XXXXXXXX.myfritz.net 1194 udp6
[..]
> redirect-gateway
> verb 3
>
> This works perfectly as long as the client has still an IPv4-connection.
>
> But in case of an IPv6-only-client (not system-wide disabled, just not
> getting IPv4-addresses by the ISP, e.g. eduroam-IPv6) the client doesn't
> set the IPv4-default route, since it can not find the old one.

I can see the problem.

The most elegant solution might be to use "redirect-gateway def1". The "def1" flag instructs the code to not add a 0.0.0.0/0 route (replacing and later restoring the existing default route) but to add 0.0.0.0/1 and 128.0.0.0/1 routes - which cover "the default" as well, but do not need to interfere with the existing /0 route.

It might *still* fail, as the code might still want to check and install a v4 /32 host route for the VPN gateway, pointing to the existing default gateway. Which is arguably something that should not be done if we're not talking v4 in the first place, but I'm not sure that part of the code was ever adapted (I'd love to see a log with "def1" :-) ) - the v6 part is smart enough to only try looking at v6 routing tables if we're connecting over v6.

In case "def1" is not enough, please try "redirect-gateway def1 local", which is a hack (but a documented one). "local" signals "do not install a host route pointing to the default gateway, because the VPN server is in the same locally connected network" (think "university wifi"). So that should make things succeed.

If that is still not working, use brute force, and replace "redirect-gateway" with

  route 0.0.0.0/1
  route 128.0.0.0/1

in the client config - that is the same thing as "def1 local" should give you, but explicitly only the "two half-default routes".

(Whatever the outcome of your tests, I think our code should be smarter - the v4 code is 10+ years old, and has grown over time, and parts of it have been contributed by non-networking folks...)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
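
Added example, not part of the original message and not OpenVPN code: a small longest-prefix-match model of the routing behaviour discussed above, showing why the two /1 routes capture all IPv4 traffic without touching an existing /0 route, and why they can still be installed when the client has no IPv4 default route. The device names, sample tables and probe addresses are constructed assumptions, redirect_plain() is a simplification of the bare "redirect-gateway" behaviour, and the /32 host route to the VPN gateway is not modelled.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

def lookup(table, dest):
    """Longest-prefix match: device of the most specific matching route, or None."""
    addr = ipaddress.ip_address(dest)
    hits = [(n, dev) for n, dev in table if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def redirect_plain(table, vpn_dev="tun0"):
    """Simplified model of bare redirect-gateway: replace the existing 0.0.0.0/0.
    Returns None when there is no IPv4 default route to replace."""
    default = net("0.0.0.0/0")
    if not any(n == default for n, _ in table):
        return None
    return [(n, d) for n, d in table if n != default] + [(default, vpn_dev)]

def redirect_def1(table, vpn_dev="tun0"):
    """def1: leave any /0 route alone and add the two half-default routes."""
    return table + [(net("0.0.0.0/1"), vpn_dev), (net("128.0.0.0/1"), vpn_dev)]

def leaks(table, probes=("8.8.8.8", "198.51.100.7", "203.0.113.9")):
    """Probe destinations whose traffic would not leave via the tunnel."""
    return [p for p in probes if lookup(table, p) != "tun0"]

# Constructed sample routing tables (assumptions, not taken from the thread).
DUAL_STACK = [(net("0.0.0.0/0"), "wlan0"), (net("192.0.2.0/24"), "wlan0")]
V6_ONLY = []  # no IPv4 address from the ISP, so no IPv4 routes at all

if __name__ == "__main__":
    for name, table in (("dual-stack", DUAL_STACK), ("v6-only", V6_ONLY)):
        plain = redirect_plain(table)
        def1 = redirect_def1(table)
        print(name, "plain:", "no default to replace" if plain is None
              else leaks(plain), "| def1 leaks:", leaks(def1))
```

A non-empty result from leaks() on the client's real IPv4 table after connecting would mean some IPv4 traffic is still bypassing the tunnel.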