Implement '--redirect-gateway ipv6'

Add "ipv6" and "!ipv4" sub-options to "--redirect-gateway" option.

This is done in the same way as in the OpenVPN 3 code base, so
"--redirect-gateway ipv6" will redirect both IPv4 and IPv6 - if you
want v6-only, use "--redirect-gateway ipv6 !ipv4".

The actual implementation is much simpler than for IPv4 - we just
add a few extra routes to the route_ipv6_option_list and leave it to
init_route_ipv6_list() to figure out whether there is an overlap with
IPv6 transport, and if yes, insert a host route to the VPN server
via the current IPv6 default gateway.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1441985627-14822-8-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10086

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 3a0d4e0dbcf2dd2f4c8504d65ab460c21b92e2e6..e213f5afb42d92d823bbf06f19fc32553af6579e 100644 (file)
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -1240,6 +1240,17 @@ on non-Windows clients).
 Block access to local LAN when the tunnel is active, except for
 the LAN gateway itself.  This is accomplished by routing the local
 LAN (except for the LAN gateway address) into the tunnel.
+
+.B ipv6 --
+Redirect IPv6 routing into the tunnel.  This works similar to the
+.B def1
+flag, that is, more specific IPv6 routes are added (2000::/4, 3000::/4),
+covering the whole IPv6 unicast space.
+
+.B !ipv4 --
+Do not redirect IPv4 traffic - typically used in the flag pair
+.B "ipv6 !ipv4"
+to redirect IPv6-only.
 .\"*********************************************************
 .TP
 .B \-\-link\-mtu n

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 922308dfa3b024820d5c52a9c7fe5f954ed07b24..f568d8745f7b61b69d641af3316cda484a264faa 100644 (file)
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1195,6 +1195,21 @@ do_init_route_ipv6_list (const struct options *options,
   if (options->route_default_metric)
     metric = options->route_default_metric;
 
+  /* redirect (IPv6) gateway to VPN?  if yes, add a few more specifics
+   */
+  if ( options->routes_ipv6->flags & RG_REROUTE_GW )
+    {
+      char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
+      int i;
+
+      for (i=0; opt_list[i]; i++)
+       {
+         add_route_ipv6_to_option_list( options->routes_ipv6,
+                     string_alloc (opt_list[i], options->routes_ipv6->gc),
+                     NULL, NULL );
+       }
+    }
+
   if (!init_route_ipv6_list (route_ipv6_list,
                        options->routes_ipv6,
                        gw,

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 581db52edfb6fad9c5a05c0b8913f1282b42810e..5ace1f34710031f5b6986cbc9db1ba966dce5aa8 100644 (file)
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -5366,6 +5366,13 @@ add_option (struct options *options,
            options->routes->flags |= RG_BYPASS_DNS;
          else if (streq (p[j], "block-local"))
            options->routes->flags |= RG_BLOCK_LOCAL;
+         else if (streq (p[j], "ipv6"))
+           {
+             rol6_check_alloc (options);
+             options->routes_ipv6->flags |= RG_REROUTE_GW;
+           }
+         else if (streq (p[j], "!ipv4"))
+           options->routes->flags &= ~RG_REROUTE_GW;
          else
            {
              msg (msglevel, "unknown --%s flag: %s", p[0], p[j]);