Make --passtos work

Posted: Sat Jun 18, 2022 10:14 pm
by PMc
Is it only me who would wish that --passtos would actually work in real-life?

With version 2.5.6 it works only in test environments, but as soon as there is other traffic on the link, it works and fails randomly. (IPv6 traffic only, with IPv4 traffic there seems to be no problem)

Re: Make --passtos work

Posted: Sat Jun 18, 2022 10:46 pm
by TinCanTech
PMc wrote:
Sat Jun 18, 2022 10:14 pm
Is it only me who would wish that --passtos would actually work
Yes.
PMc wrote:
Sat Jun 18, 2022 10:14 pm
in real-life?
lol
PMc wrote:
Sat Jun 18, 2022 10:14 pm
With version 2.5.6 it works only in test environments, but as soon as there is other traffic on the link, it works and fails randomly. (IPv6 traffic only, with IPv4 traffic there seems to be no problem)
Could you expand that a little .. ?

Re: Make --passtos work

Posted: Sun Jun 19, 2022 12:05 am
by PMc
TinCanTech wrote:
Sat Jun 18, 2022 10:46 pm
PMc wrote:
Sat Jun 18, 2022 10:14 pm
Is it only me who would wish that --passtos would actually work
Yes.
So it is not useful?

Actually, I was just trying to try it out, and I cannot evaluate the usefulness when it doesn't work.
PMc wrote:
Sat Jun 18, 2022 10:14 pm
With version 2.5.6 it works only in test environments, but as soon as there is other traffic on the link, it works and fails randomly. (IPv6 traffic only, with IPv4 traffic there seems to be no problem)
Could you expand that a little .. ?
Hm, what kind of expansion would you need? I think this is quite obvious: tos 0x0
Or, more specifically, I configure my firewall to set codepoint 0x11 on DNS queries (I don't yet know if that helps or hurts, I just intended to find out). Then tcpdump shows tos 0x44 (IP4) or class 0x44 (IP6) for packets outbound on tun. Then for the respective encap UDP packets outbound on vtnet, it well shows 0x44 when the payload is IP4, and only immediately after also for IP6 payload. As soon as some other packets traverse the tunnel, it only shows tos 0x0 for these packets - until another IP4 packet with tos 0x44 is sent. (Then again it works for a moment.)

Re: Make --passtos work

Posted: Sun Jun 19, 2022 12:28 am
by TinCanTech
Maybe worth reporting a bug ?

This is all I can find:
https://community.openvpn.net/openvpn/q ... 1&order=id

Re: Make --passtos work

Posted: Sun Jun 19, 2022 11:18 am
by PMc
TinCanTech wrote:
Sun Jun 19, 2022 12:28 am
Maybe worth reporting a bug ?
Either that, or going for a stroll into the source - that's how it looks to me, too.
Thank You! I found a mention of this in some mailing list. A diff of that fix might be helpful, but then it's probably too old to be really useful...

Re: Make --passtos work

Posted: Sun Jun 19, 2022 12:08 pm
by PMc
Oh crap... it's not intended to work:

# openvpn --help
OpenVPN 2.5.6 amd64-portbld-freebsd13.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 19 2022
...
--passtos       : TOS passthrough (applies to IPv4 only).

So no bug report. And feature requests go here, anyway.

Re: Make --passtos work

Posted: Sun Jun 19, 2022 1:20 pm
by PMc
The source confirms: --passtos is only done when
1. the link does IPv4
2. the payload is IPv4
In that case the tos is configured onto the sending UDP socket with setsockopt().
And there it stays for the subsequent IPv6 packets, because they do nothing to change it. Until a v4 packet without tos comes along.
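
Added example (not part of the thread and not OpenVPN's source): a small C model of the behaviour described in the post above, where only IPv4 payloads update the TOS on the sending socket and IPv6 payloads inherit whatever was set last. It assumes an IPv4 link; `link_model`, the function names, the per-packet variant and the two-byte header prefixes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the outer UDP socket: the TOS value last set on it. */
struct link_model { int sock_tos; };

/* DS field of an inner packet: IPv4 TOS is byte 1, the IPv6 traffic class
 * straddles bytes 0 and 1. Returns -1 if too short or not IP. */
int inner_dsfield(const uint8_t *p, size_t len)
{
    if (len < 2) return -1;
    if ((p[0] >> 4) == 4) return p[1];
    if ((p[0] >> 4) == 6) return ((p[0] & 0x0f) << 4) | (p[1] >> 4);
    return -1;
}

/* Behaviour described in the post: only an IPv4 payload changes the socket
 * TOS (the setsockopt() step); any other payload leaves it as it was. */
int outer_tos_ipv4_only(struct link_model *l, const uint8_t *p, size_t len)
{
    if (len >= 2 && (p[0] >> 4) == 4)
        l->sock_tos = p[1];
    return l->sock_tos;
}

/* Hypothetical alternative for comparison: set the value for every packet,
 * reading the IPv6 traffic class too, and clear it for anything else. */
int outer_tos_per_packet(struct link_model *l, const uint8_t *p, size_t len)
{
    int ds = inner_dsfield(p, len);
    l->sock_tos = ds < 0 ? 0 : ds;
    return l->sock_tos;
}

/* Constructed header prefixes (first two bytes only). */
const uint8_t V4_MARKED[] = { 0x45, 0x44 };  /* IPv4, tos 0x44 */
const uint8_t V4_PLAIN[]  = { 0x45, 0x00 };  /* IPv4, tos 0x0 */
const uint8_t V6_MARKED[] = { 0x64, 0x40 };  /* IPv6, class 0x44 */

int main(void)
{
    struct link_model l = { 0 };
    const uint8_t *seq[] = { V4_MARKED, V6_MARKED, V4_PLAIN, V6_MARKED };
    for (int i = 0; i < 4; i++)
        printf("packet %d: outer tos 0x%02x\n", i,
               outer_tos_ipv4_only(&l, seq[i], 2));
    return 0;
}
```

Under the IPv4-only rule the marked IPv6 packet goes out with 0x44 only while it directly follows a marked IPv4 packet, which matches the tcpdump observation earlier in the thread.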

Re: Make --passtos work

Posted: Mon Jun 20, 2022 7:13 pm
by TinCanTech
Works as intended then ..