Introduce env variables to communicate desired gateway redirection to NM.

cron2 · cron2 · commit 1cc3525b46a3 · 2025-08-27T21:02:18.000+02:00
When run under Network Manager control, OpenVPN is not allowed to control routing. Instead, NM uses the OpenVPN-set environment variables ("route_network_1" etc) to set up routes as requested. This method never worked properly for "redirect-gateway", as the information was not made available in environment variables. Introduce new env vars: route_redirect_gateway_ipv4 route_redirect_gateway_ipv6 to communicate desired state: <not set> = no gateway redirection desired 1 = "redirect-gateway for that protocol in question" 2 = "include block-local to redirect the local LAN as well" We intentionally do not expose all the IPv4 flags ("local", "def1", ...) as this is really internal OpenVPN historical cruft. Change-Id: I1e623b4a836f7216750867243299c7e4d0bd32d0 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Message-Id: <20250826184046.21434-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32686.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst
@@ -874,6 +874,14 @@ instances.
     translations will be recorded rather than their names as denoted on the
     command line or configuration file.
 
+:code:`route_redirect_gateway_ipv4`
+
+:code:`route_redirect_gateway_ipv6`
+    Set to `1` if the corresponding default gateway should be redirected
+    into the tunnel, and to `2` if also the local LAN segment should be
+    blocked (`block-local`).  Not set otherwise.  Set prior to **--up** script
+    execution.
+
 :code:`script_context`
     Set to "init" or "restart" prior to up/down script execution. For more
     information, see documentation for ``--up``.
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
@@ -5720,6 +5720,8 @@ remove_option(struct context *c, struct options *options, char *p[], bool is_inl
         {
             options->routes_ipv6->flags = 0;
         }
+        env_set_del(es, "route_redirect_gateway_ipv4");
+        env_set_del(es, "route_redirect_gateway_ipv6");
     }
     else if (streq(p[0], "dns") && !p[1])
     {
@@ -6039,6 +6041,8 @@ update_option(struct context *c, struct options *options, char *p[], bool is_inl
             {
                 options->routes_ipv6->flags = 0;
             }
+            env_set_del(es, "route_redirect_gateway_ipv4");
+            env_set_del(es, "route_redirect_gateway_ipv6");
             *update_options_found |= OPT_P_U_REDIR_GATEWAY;
         }
     }
@@ -7661,6 +7665,16 @@ add_option(struct options *options, char *p[], bool is_inline, const char *file,
                 goto err;
             }
         }
+        if (options->routes->flags & RG_REROUTE_GW)
+        {
+            setenv_int(es, "route_redirect_gateway_ipv4",
+                       options->routes->flags & RG_BLOCK_LOCAL ? 2 : 1);
+        }
+        if (options->routes_ipv6 && (options->routes_ipv6->flags & RG_REROUTE_GW))
+        {
+            setenv_int(es, "route_redirect_gateway_ipv6",
+                       options->routes->flags & RG_BLOCK_LOCAL ? 2 : 1);
+        }
 #ifdef _WIN32
         /* we need this here to handle pushed --redirect-gateway */
         remap_redirect_gateway_flags(options);

Original file line number	Diff line number	Diff line change
`@@ -5720,6 +5720,8 @@ remove_option(struct context c, struct options options, char *p[], bool is_inl`
`5720`	`5720`	`{`
`5721`	`5721`	`options->routes_ipv6->flags = 0;`
`5722`	`5722`	`}`
	`5723`	`+ env_set_del(es, "route_redirect_gateway_ipv4");`
	`5724`	`+ env_set_del(es, "route_redirect_gateway_ipv6");`
`5723`	`5725`	`}`
`5724`	`5726`	`else if (streq(p[0], "dns") && !p[1])`
`5725`	`5727`	`{`
`@@ -6039,6 +6041,8 @@ update_option(struct context c, struct options options, char *p[], bool is_inl`
`6039`	`6041`	`{`
`6040`	`6042`	`options->routes_ipv6->flags = 0;`
`6041`	`6043`	`}`
	`6044`	`+ env_set_del(es, "route_redirect_gateway_ipv4");`
	`6045`	`+ env_set_del(es, "route_redirect_gateway_ipv6");`
`6042`	`6046`	`*update_options_found \|= OPT_P_U_REDIR_GATEWAY;`
`6043`	`6047`	`}`
`6044`	`6048`	`}`
`@@ -7661,6 +7665,16 @@ add_option(struct options options, char p[], bool is_inline, const char *file,`
`7661`	`7665`	`goto err;`
`7662`	`7666`	`}`
`7663`	`7667`	`}`
	`7668`	`+ if (options->routes->flags & RG_REROUTE_GW)`
	`7669`	`+ {`
	`7670`	`+ setenv_int(es, "route_redirect_gateway_ipv4",`
	`7671`	`+ options->routes->flags & RG_BLOCK_LOCAL ? 2 : 1);`
	`7672`	`+ }`
	`7673`	`+ if (options->routes_ipv6 && (options->routes_ipv6->flags & RG_REROUTE_GW))`
	`7674`	`+ {`
	`7675`	`+ setenv_int(es, "route_redirect_gateway_ipv6",`
	`7676`	`+ options->routes->flags & RG_BLOCK_LOCAL ? 2 : 1);`
	`7677`	`+ }`
`7664`	`7678`	`#ifdef _WIN32`
`7665`	`7679`	`/* we need this here to handle pushed --redirect-gateway */`
`7666`	`7680`	`remap_redirect_gateway_flags(options);`