
OpenVPN client listening on 0.0.0.0

Super User Asked on November 12, 2021

I am testing and calibrating OpenVPN in Linux, using free VPNs initially.

According to all sources I have seen, the OpenVPN proxy should be listening on localhost:1194. In fact it consistently listens on 0.0.0.0, the origin, and a browser will only connect to OpenVPN with proxy set to this address at the usual port.

0.0.0.0 is unmentioned in man openvpn. One mention online shows this address in a server implementation, but I am running a client using a client.ovpn with no indication of 0.0.0.0. Online advice generally warns of applications listening on the origin, but more importantly, all documentation I have seen assumes OpenVPN listens on localhost:1194 and browsers should be set to this proxy.

Why is OpenVPN listening on the wrong address, and how can I fix it?

Edit:

Looking again at man openvpn I see the 0.0.0.0 mentioned as ‘default gateway’ and localhost given as management IP.

All mention I recall seeing of using commercial VPNs with OpenVPN and of using browsers with OpenVPN suggested or implied using localhost:1194. This is implied too in that most proxies listen on localhost (Tor, Privoxy, etc.). Despite the below comment, OpenVPN and VPN clients in general are indeed discussed widely as if they are proxies – available listening services, like socks or http tunnels, to which an application ports net activity.

None I saw mentioned having to enter 0.0.0.0:1194 as the working proxy, and indeed, Firefox would not work with OpenVPN unless the address:port are explicitly given.

The only tutorials I have for iptables with OpenVPN only suggest specifying dport, but never address, suggesting the port is on localhost.

All mention is in stored documents from the web for which I lack the URL, and have no time to search online right now.

Discussions of the 0.0.0.0 IP suggest that a service listening here is doing so on all interfaces, which I immediately view as problematic. I would rather restrict a listener to a specific interface, i.e. localhost. For example, the following appears elsewhere on Superuser:

When a service is listening on 0.0.0.0 this means the service is listening on all the configured network interfaces, when listening on 127.0.0.1 the service is only bound to the loopback interface (only available on the local machine)

The IP address 0.0.0.0 can have very different meanings, depending on where it’s used.

It’s not a valid address to be given to an actual network interface, along with any other address in the 0.0.0.0/8 subnet (i.e. any address starting with 0.). It can’t be used as the source address on any IP packet, unless this happens when a computer still doesn’t know its own IP address and it’s trying to acquire one (classic example: DHCP). If used in a routing table, it identifies the default gateway; a route to 0.0.0.0 is the default one, i.e. the one used when there is not any more specific route available to a destination address. Lastly, when seen in the output of the netstat command (which is what you asked for), it means that a given socket is listening on all the available IP addresses the computer has; when a computer has more than one IP address, a socket can be bound only to a specific address and port pair, or to a port and all addresses; if you see an IP address there, it means that socket is listening only on that port and that specific address; if you see 0.0.0.0, it means it’s listening on that port on all addresses of the machine, including the loopback one (127.0.0.1).

Similar is suggested on Lifewire with an ominous tone; this is made worse by the fact that OpenVPN runs as root during its initialization phase before falling back to an unprivileged user, and no mitigation for this exists for Debian AFAIK.

https://www.lifewire.com/four-zero-ip-address-818384

As a footnote, can OpenVPN with any given server be set to listen on localhost instead?

One Answer

The IP address 0.0.0.0 means the default address.

OpenVPN is apparently set to route all traffic through the VPN, so it's listening (and answering) to all requests on the client, to route them through to the VPN.

If you set it so as to not listen on 0.0.0.0, you would lose the option of routing everything by default through the VPN.


Explanation: OpenVPN creates a virtual network adapter that for the operating system is the same as a physical one. While OpenVPN is connected, your computer has two such adapters.

In order that all internet requests will pass through its adapter, OpenVPN sets up its routing address to 0.0.0.0. This is a special meta-address whose meaning is "I handle everything".

Before OpenVPN has connected, the physical adapter advertised itself as 0.0.0.0, so it was its driver that was listening on it.

After OpenVPN connected, it removed the 0.0.0.0 from the physical adapter and took it for itself, so now the OpenVPN driver is listening on it.

The only way to make OpenVPN stop listening on 0.0.0.0 is to disconnect the VPN. It needs to be listening on it in order to be able to function.

Answered by harrymc on November 12, 2021
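The thread above conflates two things that both show up as 0.0.0.0: a socket bound to the wildcard address (what `ss`/`netstat` print for a listener on every interface) and the default route in the routing table. The script below is an added example, not code from the question or the answer, that parses constructed `ss -ltunp` and `ip route` output and classifies each line so the two can be told apart; the process names, pids and addresses in the samples are made up. Two facts the example relies on, from the OpenVPN manual rather than this page: a client config without `nobind` binds its local port (1194 by default) on the wildcard address, and `nobind` or `local <addr>` changes that; and OpenVPN provides a tun/tap interface, not a SOCKS or HTTP proxy, so a browser is never pointed at 1194. Run `ss -ltunp` on your own machine and feed its output to `parse_listeners` to see which sockets are reachable from other hosts.

```python
"""Tell the two meanings of 0.0.0.0 apart: a wildcard socket bind (what `ss`
or `netstat` shows) versus a default route (what the routing table shows).

Added example, not code from the original post. The sample outputs below are
constructed in the shape of `ss -ltunp` and `ip route`, not captured from the
asker's machine; process names, pids and addresses are made up.
"""
import ipaddress
import re

# Constructed `ss -ltunp` output: an OpenVPN client started without `nobind`
# (UDP 1194 on the wildcard address), two loopback-only proxies, sshd on the
# IPv6 wildcard, and an OpenVPN management socket on ::1.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:1194      0.0.0.0:*     users:(("openvpn",pid=1234,fd=5))
tcp   LISTEN 0      128        127.0.0.1:9050      0.0.0.0:*     users:(("tor",pid=2345,fd=6))
tcp   LISTEN 0      128        127.0.0.1:8118      0.0.0.0:*     users:(("privoxy",pid=3456,fd=4))
tcp   LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=456,fd=3))
tcp   LISTEN 0      5              [::1]:7505         [::]:*     users:(("openvpn",pid=1234,fd=7))
"""

# Constructed `ip route` output while a VPN with `redirect-gateway def1` is up.
IP_ROUTE_OUTPUT = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
"""

PROCESS_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def split_addr_port(field):
    """'127.0.0.1:9050' -> ('127.0.0.1', 9050); '[::]:22' -> ('::', 22);
    a '*' port (the peer side of a listener) becomes None."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]")
    return host, (None if port == "*" else int(port))


def bind_scope(host):
    """Classify a local bind address as printed by ss/netstat."""
    if host in ("*", ""):
        return "all interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:        # 0.0.0.0 or ::
        return "all interfaces"
    if addr.is_loopback:           # 127.0.0.0/8 or ::1
        return "loopback only"
    return "single address"


def parse_listeners(text):
    """Parse `ss -ltunp` style lines into dicts; the header line is skipped."""
    listeners = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[0] not in ("tcp", "udp"):
            continue
        host, port = split_addr_port(toks[4])
        m = PROCESS_RE.search(line)
        listeners.append({
            "proto": toks[0],
            "host": host,
            "port": port,
            "scope": bind_scope(host),
            "process": m.group(1) if m else None,
            "pid": int(m.group(2)) if m else None,
        })
    return listeners


def exposed_listeners(listeners):
    """Sockets reachable from other hosts: everything not bound to loopback."""
    return [l for l in listeners if l["scope"] != "loopback only"]


def parse_routes(text):
    """Parse `ip route` lines. A /0 destination ('default' here, 0.0.0.0 in
    `route -n` output) is the default route; the pair 0.0.0.0/1 + 128.0.0.0/1
    is how OpenVPN's `redirect-gateway def1` overrides the default route
    without deleting it."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        dst = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        net = ipaddress.ip_network(dst, strict=False)
        via = toks[toks.index("via") + 1] if "via" in toks else None
        dev = toks[toks.index("dev") + 1] if "dev" in toks else None
        if net.prefixlen == 0:
            kind = "default route"
        elif net.prefixlen == 1:
            kind = "half-default route (redirect-gateway def1 style)"
        else:
            kind = "specific route"
        routes.append({"dst": str(net), "via": via, "dev": dev, "kind": kind})
    return routes


if __name__ == "__main__":
    for l in parse_listeners(SS_OUTPUT):
        print(f"{l['proto']} {l['host']}:{l['port']} ({l['process']}) -> {l['scope']}")
    for r in parse_routes(IP_ROUTE_OUTPUT):
        print(f"{r['dst']} via {r['via']} dev {r['dev']} -> {r['kind']}")
```

On the constructed sample the only listeners flagged as reachable from other hosts are UDP 1194 (the OpenVPN client bound without `nobind`) and sshd on port 22; Tor, Privoxy and the OpenVPN management socket are loopback-only. In the route list, the `default` entry is the one the quoted Superuser answer calls "0.0.0.0 in a routing table", and the two /1 routes are what makes all traffic go through tun0 while the VPN is up; neither of these is a listening socket.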
