Friday, April 04, 2025

Re: OpenVPN listening on dual-stack socket

On 2025-04-04, Stuart Henderson <stu.lists@spacehopper.org> wrote:
>
> - Java is a total pain - it relies on inet6 sockets working with v4+v6
> to be able to use dual-stack at all - otherwise you have to set a flag
> when you run a program to tell the jdk whether it should be v4-only or
> v6-only.

(and that is for client-side connections too, not just server-side)

Re: OpenVPN listening on dual-stack socket

On 2025-04-04, David Gwynne <david@gwynne.id.au> wrote:
> On Fri, Apr 04, 2025 at 07:26:34AM +1000, Stuart Longland VK4MSL wrote:
>>
>> I've kludged around this in L2 configurations by running two OpenVPN daemons
>> on different `tap` interfaces and bridging them (along with the Ethernet
>> they connect to), but I cannot do this with a `tun` device, and it's a
>> really icky way to work around an issue that shouldn't exist in 2025 anyway.

That's the way you need to do it.

Various programs including OpenVPN only support binding to a single
socket.

OpenVPN is relatively straightforward because at least you can run two
copies without too much trouble. (You also need to do this if you want
to accept connections over TCP. So, 4 instances if you want TCP and
UDP across both v4+v6).

Others I've noticed:

- Asterisk chan_sip only allows binding to a single socket; chan_pjsip
allows creating multiple transports so it can be handled there now
(with more complex config).

- MySQL/MariaDB used to be a problem but are ok now (since MySQL 8.0.13
or MariaDB 10.11 multiple bind addresses are allowed).

- Java is a total pain - it relies on inet6 sockets working with v4+v6
to be able to use dual-stack at all - otherwise you have to set a flag
when you run a program to tell the jdk whether it should be v4-only or
v6-only.

>> One daemon can do both on Linux simultaneously, it should likewise be able
>> to do both on OpenBSD.

Why? OpenBSD is not Linux.

> so linux has a feature where it will map ipv4 connections into the ipv4
> mapped address space in ipv6 and let you handle them all with a single
> ipv6 listener. have a look for the doco around the "net.ipv6.bindv6only"
> sysctl on linux for a bit more explanation. openbsd does not implement
> this.

That selects whether IPV6_V6ONLY (as described in
https://www.rfc-editor.org/rfc/rfc3493#page-22) should be set
automatically on new sockets. Without touching the sysctl the default
is to allow v4 on inet6 sockets. Most common unix-like OSes except
OpenBSD have a similar mechanism and similar default (i.e. normally
inet6 sockets are dual-stack).

OpenBSD doesn't allow this at all - it always behaves as if IPV6_V6ONLY
is set and it cannot be disabled.

Windows used to be similar to OpenBSD, but in Vista it was changed so
that you could change to dual-stack with setsockopt.
(https://learn.microsoft.com/en-us/windows/win32/winsock/dual-stack-sockets)

--
Please keep replies on the mailing list.
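The portable way to get the behaviour the thread is after (one service reachable over v4 and v6 on every OS, including OpenBSD where inet6 sockets are always v6-only) is to do what the reply recommends: open one socket per address family and set IPV6_V6ONLY explicitly on the inet6 one, so the program does not depend on the bindv6only default. The C program below is an added example written for this page, not code from the thread or from OpenVPN; the function names (v6only_is_tunable, listen_dual_stack, dual_stack_selftest) are my own. It also probes whether the running kernel lets IPV6_V6ONLY be cleared at all, which is the difference between Linux/FreeBSD/Windows-since-Vista and OpenBSD discussed above.

```c
/* Added example (not from the thread): a dual-stack TCP listener done the
 * portable way, one socket per address family, with IPV6_V6ONLY pinned to 1
 * so the program behaves identically on Linux, FreeBSD, macOS and OpenBSD. */
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Probe whether this OS lets an inet6 socket also carry IPv4 traffic.
 * Returns 1 if IPV6_V6ONLY can be cleared (Linux default, most BSDs,
 * Windows since Vista), 0 if it is locked on (OpenBSD), -1 if no inet6
 * socket could be created at all. */
int v6only_is_tunable(void)
{
    int s = socket(AF_INET6, SOCK_STREAM, 0);
    int off = 0, val = 1;
    socklen_t len = sizeof(val);

    if (s < 0)
        return -1;
    if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof(off)) < 0 ||
        getsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &val, &len) < 0 ||
        val != 0) {
        close(s);
        return 0;
    }
    close(s);
    return 1;
}

/* Bind an AF_INET and an AF_INET6 listener to the same TCP port.
 * port 0 lets the kernel pick; the port actually used is written to
 * *port_out. socks[0] is the v4 fd, socks[1] the v6 fd, -1 where a family
 * could not be set up. Returns how many sockets are listening (0..2). */
int listen_dual_stack(unsigned short port, int socks[2], unsigned short *port_out)
{
    struct sockaddr_in sa4;
    struct sockaddr_in6 sa6;
    socklen_t len = sizeof(sa4);
    int one = 1, n = 0;

    /* IPv4 first: a dual-stack inet6 socket bound first would make the v4
     * bind fail with EADDRINUSE on systems where inet6 sockets take v4. */
    socks[0] = socket(AF_INET, SOCK_STREAM, 0);
    if (socks[0] >= 0) {
        memset(&sa4, 0, sizeof(sa4));
        sa4.sin_family = AF_INET;
        sa4.sin_addr.s_addr = htonl(INADDR_ANY);
        sa4.sin_port = htons(port);
        setsockopt(socks[0], SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
        if (bind(socks[0], (struct sockaddr *)&sa4, sizeof(sa4)) == 0 &&
            listen(socks[0], 16) == 0 &&
            getsockname(socks[0], (struct sockaddr *)&sa4, &len) == 0) {
            port = ntohs(sa4.sin_port);   /* learn the kernel-chosen port */
            n++;
        } else {
            close(socks[0]);
            socks[0] = -1;
        }
    }

    socks[1] = socket(AF_INET6, SOCK_STREAM, 0);
    if (socks[1] >= 0) {
        memset(&sa6, 0, sizeof(sa6));
        sa6.sin6_family = AF_INET6;
        sa6.sin6_addr = in6addr_any;
        sa6.sin6_port = htons(port);
        setsockopt(socks[1], SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
        /* Pin v6-only so this socket never claims the v4 port: a no-op on
         * OpenBSD, an override of the bindv6only default elsewhere. */
        setsockopt(socks[1], IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof(one));
        if (bind(socks[1], (struct sockaddr *)&sa6, sizeof(sa6)) == 0 &&
            listen(socks[1], 16) == 0) {
            n++;
        } else {
            close(socks[1]);
            socks[1] = -1;
        }
    }

    if (port_out)
        *port_out = port;
    return n;
}

void close_dual_stack(int socks[2])
{
    int i;
    for (i = 0; i < 2; i++)
        if (socks[i] >= 0)
            close(socks[i]);
}

/* Self-test: open listeners on an ephemeral port, report, close.
 * Returns the number of sockets that were listening. */
int dual_stack_selftest(void)
{
    int socks[2];
    unsigned short port = 0;
    int n = listen_dual_stack(0, socks, &port);

    printf("IPV6_V6ONLY tunable on this OS: %d\n", v6only_is_tunable());
    printf("%d listener(s) on port %u (v4 fd %d, v6 fd %d)\n",
           n, port, socks[0], socks[1]);
    close_dual_stack(socks);
    return n;
}

int main(void)
{
    return dual_stack_selftest() > 0 ? 0 : 1;
}
```

Because the inet6 socket is always v6-only here, the two listeners never fight over the port, and the same binary runs unchanged on OpenBSD (where v6only_is_tunable() reports 0) and on Linux (where it reports 1 unless net.ipv6.bindv6only has been set). A daemon that instead relies on a single dual-stack inet6 socket is the pattern that breaks on OpenBSD and needs the two-instance workaround from the thread.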