New issue with openconnect/vpn-slice due to env change? #148

Open
mebigfatguy opened this issue Jan 21, 2024 · 2 comments

mebigfatguy commented Jan 21, 2024

Hi folks,

Looking to see if bright folks can help me. I've been using openconnect/vpn-slice as a simple user for years w/o issue [thanks!], but today, after a phone update (which I hotspot thru), openconnect and/or vpn-slice aren't working correctly.

openconnect seems to work correctly to the VPN if run without vpn-slice; however, I now get this error when connecting:

(I get the RTNETLINK answers: Invalid argument error whether vpn-slice is in the picture or not)

```
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as 10.69.39.197 + 2606:b400:600:c063::16d/64, using SSL, with DTLS in progress
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
Detected MTU of 1182 bytes (was 1280)
WARNING: IPv6 address or netmask set. Support for IPv6 in vpn-slice should be considered BETA-QUALITY.
WARNING: IPv6 address or netmask set. Support for IPv6 in vpn-slice should be considered BETA-QUALITY.
RTNETLINK answers: Invalid argument
Traceback (most recent call last):
  File "/usr/local/bin/vpn-slice", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.8/dist-packages/vpn_slice/__main__.py", line 564, in main
    do_connect(env, args)
  File "/usr/local/lib/python3.8/dist-packages/vpn_slice/__main__.py", line 198, in do_connect
    providers.route.add_address(env.tundev, env.myaddr6)
  File "/usr/local/lib/python3.8/dist-packages/vpn_slice/linux.py", line 79, in add_address
    self._iproute('address', 'add', address, dev=device)
  File "/usr/local/lib/python3.8/dist-packages/vpn_slice/linux.py", line 50, in _iproute
    subprocess.check_call(cl)
  File "/usr/lib/python3.8/subprocess.py", line 364, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['/usr/sbin/ip', 'address', 'add', '2606:b400:600:c063::16d/64', 'dev', 'tun0']' returned non-zero exit status 2.
Script 'vpn-slice '..................' returned error 1
```

`vpn-slice -V` returns `vpn-slice 0.15`

`sudo vpn-slice --self-test` reports success

```
uname -a
Linux mbfgdell 5.4.0-169-generic #187-Ubuntu SMP Thu Nov 23 14:52:28 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
```

Linux Mint 20.3 Una \n \l

Samsung Galaxy A53 updated to OpenUI 6.0

Any suggestions or help to diagnose/fix this issue would be appreciated.

thanks,
dave

Owner

dlenski commented Apr 10, 2024

> (I get the RTNETLINK answers: Invalid argument error whether vpn-slice is in the picture or not)

Yeah, it's just that vpn-slice checks failures much more carefully than the default vpnc-script, which will simply ignore such errors.

> Detected MTU of 1182 bytes (was 1280)

Aaaah, that's the problem. IPv6 requires an MTU of at least 1280 bytes.

Seems like iproute(8) will return this error for any IPv6-related actions you attempt to perform on an adapter that has an MTU of <1280 bytes. In order to resolve this without sloppily ignoring errors, we're going to have to detect (and warn) when MTU is too low for IPv6, and then filter out all subsequent manipulations related to IPv6.

dlenski added a commit that referenced this issue Apr 12, 2024
IPv6 requires a minimum MTU of 1280.

If MTU is <1280, it appears that any-and-all IPv6-related configuration,
including setting addresses and routes, will immediately fail on
Linux, where iproute(8) gives very cryptic errors like:

    RTNETLINK answers: Invalid argument error

This will prevent vpn-slice from completing a working setup even for IPv4.

Rather than overlooking this problem or silently ignoring IPv6 configuration
issues, we should *fail* when IPv6 configuration is requested but the MTU is
too small, and request that the user add `--disable-ipv6` to the OpenConnect
command line, which should prevent OpenConnect from requesting or providing
any IPv6 configuration to vpn-slice.

Ping #148.

dlenski commented Apr 12, 2024

> Detected MTU of 1182 bytes (was 1280)

Aaaah, that's the problem. IPv6 requires an MTU of at least 1280 bytes.

@mebigfatguy, please test cd40123.

If OpenConnect provides IPv6 configuration and a too-small MTU, vpn-slice will intentionally abort and will instruct you to add --disable-ipv6 to the command-line:

```
MTU of 789 is too small for IPv6 (minimum 1280). Invoke OpenConnect with --disable-ipv6 to configure for IPv4 only
```
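
The check described in the comment above, sketched as an added example (not vpn-slice's own code and not the contents of the referenced commit): it refuses to build any `ip address add` command when IPv6 is requested on a tunnel whose MTU is below 1280. The environment variable names follow the vpnc-script convention and are an assumption here, as are the function and exception names.

```python
import ipaddress

IPV6_MIN_MTU = 1280  # minimum MTU for IPv6, per the thread

# Constructed sample: vpnc-script style variables (assumed names) filled with
# the address, MTU and device that appear in the log quoted in the issue.
SAMPLE_ENV = {
    "TUNDEV": "tun0",
    "INTERNAL_IP4_ADDRESS": "10.69.39.197",
    "INTERNAL_IP4_MTU": "1182",
    "INTERNAL_IP6_NETMASK": "2606:b400:600:c063::16d/64",
}


class MTUTooSmallForIPv6(Exception):
    """IPv6 configuration was requested but the tunnel MTU cannot carry it."""


def preflight(env):
    """Return the MTU (or None if unset); raise before any `ip` command is built."""
    raw = env.get("INTERNAL_IP4_MTU")
    mtu = int(raw) if raw else None  # a non-numeric MTU raises ValueError on purpose
    wants_v6 = bool(env.get("INTERNAL_IP6_NETMASK") or env.get("INTERNAL_IP6_ADDRESS"))
    if wants_v6 and mtu is not None and mtu < IPV6_MIN_MTU:
        # Wording follows the message quoted in the comment above.
        raise MTUTooSmallForIPv6(
            f"MTU of {mtu} is too small for IPv6 (minimum {IPV6_MIN_MTU}). "
            "Invoke OpenConnect with --disable-ipv6 to configure for IPv4 only"
        )
    return mtu


def address_commands(env):
    """Build (not run) the `ip address add` argument lists for the tunnel."""
    preflight(env)  # fail closed: no partial IPv4-only setup on a bad IPv6 request
    dev, cmds = env["TUNDEV"], []
    if env.get("INTERNAL_IP4_ADDRESS"):
        v4 = ipaddress.IPv4Interface(env["INTERNAL_IP4_ADDRESS"])
        cmds.append(["ip", "address", "add", str(v4), "dev", dev])
    v6 = env.get("INTERNAL_IP6_NETMASK") or env.get("INTERNAL_IP6_ADDRESS")
    if v6:
        cmds.append(["ip", "address", "add", str(ipaddress.IPv6Interface(v6)), "dev", dev])
    return cmds


if __name__ == "__main__":
    try:
        address_commands(SAMPLE_ENV)
    except MTUTooSmallForIPv6 as exc:
        print(exc)
```

Dropping the IPv6 variables from the sample, which is the effect `--disable-ipv6` is described as having, lets the same call return the IPv4 command alone.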

dlenski added a commit that referenced this issue Apr 13, 2024