Suddenly, a new connection error

Daniel Lenski dlenski at gmail.com
Tue Feb 27 16:19:43 PST 2024


On Sat, Jan 20, 2024 at 4:41 PM Dave Brosius <mebigfatguy at gmail.com> wrote:
> However today, when I try to connect, I get
>
> Connected as 10.69.12.166 + 2606:b400:600:c063::11c/64, using SSL,
> with DTLS in progress
> Established DTLS connection (using GnuTLS). Ciphersuite
> (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
> Detected MTU of 1182 bytes (was 1280)
> RTNETLINK answers: Invalid argument
> Error: ipv4: Invalid values in header for route get request.
> Usage: ip route { list | flush } SELECTOR
>        ip route save SELECTOR
>        ........
>        ........
>
> So I tried openconnect without vpn-slice and the problem still remains

Your tethered connection is resulting in a tunnel MTU that's smaller
than what is required for IPv6 (which requires a minimum of 1280
bytes). This is a fundamental requirement of the IPv6 protocol,
enforced by the OS (Linux in this case) and various middleboxes.

I can identify the immediate source of this error:

1. When you use vpn-slice (https://github.com/dlenski/vpn-slice), that
error is coming from:
https://github.com/dlenski/vpn-slice/blob/master/vpn_slice/__main__.py#L175
2. When you use the standard vpnc-script
(https://gitlab.com/openconnect/vpnc-scripts/-/blob/master/vpnc-script),
that error is coming from
https://gitlab.com/openconnect/vpnc-scripts/blob/master/vpnc-script#L245

… but I'm a little bit uncertain about exactly what's leading up to it.

> The only thing on my end that changed was my phone (which I'm
> hotspotting through) got an upgrade.

I *suspect* that your new phone enables IPv6 for the tethered
interface, while the old one didn't. But I'm not 100% sure. In the
initial output of `openconnect MY.SERVER.COM`, on the "Connected to X"
line, is X an IPv4 address or an IPv6 address?

Could you add `-vvv` to both the OpenConnect arguments *and* the
`vpn-slice` arguments, e.g. `openconnect -vvv MY.SERVER.COM --script
"/path/to/vpn-slice -vvv"`?

> Anyone have any suggestions on what i can do to fix or diagnose this?

As you already discovered, `--disable-ipv6` will at least prevent you
from encountering this error, but we'd really like to have a better
error message and/or succeed in enabling IPv6.

> Am using v8.05-1

This is a very old release, from 2019.

We've made a number of MTU detection improvements since then, so it
would be good to know if you encounter the same error when testing
against the latest release, v9.12, or building from source
(https://gitlab.com/openconnect/openconnect) against the master
branch.

Thanks,
Daniel
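As an added illustration of the failure mode discussed above (not code from the thread, from OpenConnect, vpnc-script or vpn-slice): a small POSIX shell guard that a `--script` hook could run before configuring IPv6 on the tunnel, so that a tunnel MTU below the IPv6 minimum of 1280 bytes produces an explicit message instead of the opaque `RTNETLINK answers: Invalid argument`. It assumes the environment variable names `TUNDEV`, `INTERNAL_IP6_ADDRESS` and `INTERNAL_IP6_NETMASK` that OpenConnect passes to its script, and reads the link MTU with `ip link`.

```shell
#!/bin/sh
# Added example, not part of the original thread or of vpnc-script/vpn-slice.
# Assumed: TUNDEV / INTERNAL_IP6_ADDRESS / INTERNAL_IP6_NETMASK are the variables
# OpenConnect exports to its --script; the link MTU is read with `ip -o link`.

IPV6_MIN_MTU=1280   # RFC 8200: minimum link MTU for IPv6

# ipv6_mtu_ok MTU -> succeeds if IPv6 can be configured on a link of that MTU
ipv6_mtu_ok() {
    [ "$1" -ge "$IPV6_MIN_MTU" ]
}

# mtu_from_log LINE -> prints N for an OpenConnect line
# "Detected MTU of N bytes (was M)", prints nothing for other lines
mtu_from_log() {
    printf '%s\n' "$1" | sed -n 's/^Detected MTU of \([0-9][0-9]*\) bytes.*/\1/p'
}

# ipv6_decision MTU -> "configure", "skip" or "unknown" (empty MTU)
ipv6_decision() {
    mtu=$1
    if [ -z "$mtu" ]; then echo unknown; return; fi
    if ipv6_mtu_ok "$mtu"; then echo configure; else echo skip; fi
}

# Hook body: runs only when invoked by OpenConnect with a tunnel device
# and an IPv6 address assigned, so sourcing the file elsewhere is harmless.
if [ -n "$TUNDEV" ] && [ -n "$INTERNAL_IP6_ADDRESS" ]; then
    mtu=$(ip -o link show dev "$TUNDEV" | sed -n 's/.* mtu \([0-9]*\) .*/\1/p')
    case $(ipv6_decision "$mtu") in
        configure)
            ip -6 addr add "$INTERNAL_IP6_ADDRESS/${INTERNAL_IP6_NETMASK:-128}" dev "$TUNDEV"
            ;;
        skip)
            echo "$TUNDEV: MTU $mtu is below the IPv6 minimum of $IPV6_MIN_MTU bytes;" \
                 "skipping IPv6 setup (use --disable-ipv6 or raise the uplink MTU)" >&2
            ;;
        unknown)
            echo "$TUNDEV: could not read link MTU; skipping IPv6 setup" >&2
            ;;
    esac
fi
```

With the MTU from the quoted log (1182) the hook reports the MTU problem and skips IPv6 instead of letting `ip` fail with the RTNETLINK error.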
