Introduce env variables to communicate desired gateway redirection to NM.

When run under Network Manager control, OpenVPN is not allowed to
control routing.  Instead, NM uses the OpenVPN-set environment variables
("route_network_1" etc) to set up routes as requested.  This method never
worked properly for "redirect-gateway", as the information was not made
available in environment variables.

Introduce new env vars:

 route_redirect_gateway_ipv4
 route_redirect_gateway_ipv6

to communicate desired state:

 <not set> = no gateway redirection desired
 1 = "redirect-gateway for that protocol in question"
 2 = "include block-local to redirect the local LAN as well"

We intentionally do not expose all the IPv4 flags ("local", "def1", ...)
as this is really internal OpenVPN historical cruft.

Change-Id: I1e623b4a836f7216750867243299c7e4d0bd32d0
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250826184046.21434-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32686.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst
index bd5ecd482b602c2af3d565ca88fe0afc7dbf93f8..670cd33a6421c523705a0960b30cb599349248ed 100644 (file)
--- a/doc/man-sections/script-options.rst
+++ b/doc/man-sections/script-options.rst
@@ -874,6 +874,14 @@ instances.
     translations will be recorded rather than their names as denoted on the
     command line or configuration file.
 
     translations will be recorded rather than their names as denoted on the
     command line or configuration file.
 

+:code:`route_redirect_gateway_ipv4`
+
+:code:`route_redirect_gateway_ipv6`
+    Set to `1` if the corresponding default gateway should be redirected
+    into the tunnel, and to `2` if also the local LAN segment should be
+    blocked (`block-local`).  Not set otherwise.  Set prior to **--up** script
+    execution.
+

 :code:`script_context`
     Set to "init" or "restart" prior to up/down script execution. For more
     information, see documentation for ``--up``.
 :code:`script_context`
     Set to "init" or "restart" prior to up/down script execution. For more
     information, see documentation for ``--up``.

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 0b16c5a3f32f4fd47c1e21e17e35f33c1222dc0d..648d526fecb0521bf37a3fc1e9f625321d9ad490 100644 (file)
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -5720,6 +5720,8 @@ remove_option(struct context *c, struct options *options, char *p[], bool is_inl
         {
             options->routes_ipv6->flags = 0;
         }
         {
             options->routes_ipv6->flags = 0;
         }

+        env_set_del(es, "route_redirect_gateway_ipv4");
+        env_set_del(es, "route_redirect_gateway_ipv6");

     }
     else if (streq(p[0], "dns") && !p[1])
     {
     }
     else if (streq(p[0], "dns") && !p[1])
     {


@@ -6039,6 +6041,8 @@ update_option(struct context *c, struct options *options, char *p[], bool is_inl
             {
                 options->routes_ipv6->flags = 0;
             }
             {
                 options->routes_ipv6->flags = 0;
             }

+            env_set_del(es, "route_redirect_gateway_ipv4");
+            env_set_del(es, "route_redirect_gateway_ipv6");

             *update_options_found |= OPT_P_U_REDIR_GATEWAY;
         }
     }
             *update_options_found |= OPT_P_U_REDIR_GATEWAY;
         }
     }


@@ -7661,6 +7665,16 @@ add_option(struct options *options, char *p[], bool is_inline, const char *file,
                 goto err;
             }
         }
                 goto err;
             }
         }

+        if (options->routes->flags & RG_REROUTE_GW)
+        {
+            setenv_int(es, "route_redirect_gateway_ipv4",
+                       options->routes->flags & RG_BLOCK_LOCAL ? 2 : 1);
+        }
+        if (options->routes_ipv6 && (options->routes_ipv6->flags & RG_REROUTE_GW))
+        {
+            setenv_int(es, "route_redirect_gateway_ipv6",
+                       options->routes->flags & RG_BLOCK_LOCAL ? 2 : 1);
+        }

 #ifdef _WIN32
         /* we need this here to handle pushed --redirect-gateway */
         remap_redirect_gateway_flags(options);
 #ifdef _WIN32
         /* we need this here to handle pushed --redirect-gateway */
         remap_redirect_gateway_flags(options);