strange routing behavior starting with ocserv 0.12.0

ocserv at plaga.de ocserv at plaga.de
Sun Sep 13 08:32:14 EDT 2020


Hello everyone,

since 2015, I am a happy user of ocserv. I like that it is easy to 
configure and the aspect that a lot of computers come with pre-installed 
anyconnect clients that I can re-purpose for my use ;-) Big thanks to 
all developers/contributors for that fine and useful piece of software!

Now my problem: In one of my standard configurations, I run ocserv 
behind proprietary routers on a small ARM-based computer. On it, I 
use Armbian, which is a Debian derivative with a 5.7 Linux kernel 
optimized for ARM boards. Armbian is configured to be systemd-free and 
runs SysV init. Ports 443 UDP/TCP are port-forwarded to the ARM board so 
that they are reachable from the internet. The IP configuration is static.

Configuration is minimal:
----
auth="plain[/etc/ocserv/ocpasswd]"
server-key=/etc/ocserv/mykeys/server.key
server-cert=/etc/ocserv/mykeys/server.crt

run-as-user = nobody
run-as-group = daemon

listen-host = 0.0.0.0

socket-file = /var/run/ocserv-socket
device = vpns
dns=8.8.8.8

ipv4-network = 192.168.7.32/27

# TCP and UDP port number
tcp-port = 443
udp-port = 443

route = 0.0.0.0/0.0.0.0

compression = false

max-same-clients = 10
max-clients = 10
----

On Debian 9 with ocserv version 0.11.6, the routing behavior is as expected:
- user connects
- ocserv creates a route pointing to the vpn device the user is assigned to
- after the user disconnects: the vpn route is removed

After upgrading to Debian 10 (current Armbian with kernel 5.7.15), 
ocserv was upgraded to version 0.12.2. With the same configuration, the 
routing behavior changed to the following:
- user connects
- ocserv creates a route pointing to the vpn device the user is assigned to
- Strange: the default route changes to the hostname of the host ocserv 
is running on
- User disconnects: vpn route is removed / the original route is restored

Obviously, the changed default route renders my IPv4 connectivity 
broken. On my system, there is no fw script.

To track down the problem, I compiled version 0.11.12 on that system. I 
can confirm that version working as expected.

I also compiled 0.12.0 on that system and can confirm that the 
unexpected behavior starts with that version. I also compiled version 
1.1.0 and can confirm the unexpected behavior for that version.

To learn about the differences between 0.11.12 and 0.12.0, I made a diff but 
got lost when I found out that a lot of changes had been made.

I would be pleased if some reader had a clue which change in the 
code is causing the different behavior and, moreover, how I can have a 
functioning ocserv > 0.11.12.

If needed, I can compile/test patches on my side (if there is a prebuilt 
configure script -- compiling from bare git with autoconf turned out 
to be hard ...). I can provide further information such as logs, 
configuration etc.


Kind Regards

   Sven
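As an added example (not part of Sven's message and not code from the ocserv project), the following POSIX shell script captures the kind of routing change he describes in a form that can be attached to a bug report: it snapshots the host's IPv4 routing table with `ip -4 route show` (numeric output, so the default route is shown as an address rather than a hostname), diffs two snapshots, and flags a changed default gateway. The demo data it runs on is constructed: the LAN 192.168.1.0/24 on eth0, the host address 192.168.1.50, and the client address 192.168.7.33 on vpns0 (the first address in the post's `ipv4-network` pool) are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the ocserv project.
# Snapshot the host's IPv4 routing table before a client connects and again
# while it is connected, then report which routes appeared or vanished and
# whether the default gateway moved. Addresses and interface names in the
# constructed demo data are assumptions, not taken from the report.

# Take a snapshot of the IPv4 routing table into the file named by $1.
snapshot_routes() {
    ip -4 route show > "$1"
}

# Gateway of the default route in snapshot file $1 (empty if there is no
# "default ... via <gw>" entry).
default_gateway() {
    awk '$1 == "default" { for (i = 2; i <= NF; i++) if ($i == "via") { print $(i + 1); exit } }' "$1"
}

# Routes present in snapshot $2 but absent from snapshot $1.
# FILENAME is compared instead of the usual NR == FNR so an empty first
# snapshot does not swallow the second one.
added_routes() {
    awk 'FILENAME == ARGV[1] { seen[$0]; next } !($0 in seen)' "$1" "$2"
}

# Routes present in snapshot $1 but absent from snapshot $2.
removed_routes() {
    added_routes "$2" "$1"
}

# Print the differences between snapshots $1 (before) and $2 (after).
# Returns 1 if the default gateway changed, 0 otherwise.
compare_snapshots() {
    before="$1"
    after="$2"
    gw_before=$(default_gateway "$before")
    gw_after=$(default_gateway "$after")
    echo "routes added:"
    added_routes "$before" "$after" | sed 's/^/  + /'
    echo "routes removed:"
    removed_routes "$before" "$after" | sed 's/^/  - /'
    if [ "$gw_before" != "$gw_after" ]; then
        echo "DEFAULT GATEWAY CHANGED: '$gw_before' -> '$gw_after'"
        return 1
    fi
    echo "default gateway unchanged: $gw_before"
    return 0
}

# Demo on constructed snapshots (assumed LAN 192.168.1.0/24 on eth0, host
# address 192.168.1.50, client 192.168.7.33 on vpns0). The "during" snapshot
# models the reported symptom: the default route now points at the host itself.
# On a live host run instead:
#   snapshot_routes before.txt; (client connects); snapshot_routes during.txt
#   compare_snapshots before.txt during.txt
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' \
        'default via 192.168.1.1 dev eth0' \
        '192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50' \
        > "$dir/before"
    printf '%s\n' \
        'default via 192.168.1.50 dev eth0' \
        '192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50' \
        '192.168.7.33 dev vpns0 scope link' \
        > "$dir/during"
    compare_snapshots "$dir/before" "$dir/during"
    status=$?
    rm -rf "$dir"
    return $status
}

demo || echo "(demo data reproduces the reported default-route change)"
```

Snapshots taken after the client disconnects can be compared the same way to confirm that the original default route is restored, which is the third step in both behaviour lists above.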