Pulse connect VPN exists because unwanted avahi network starts

Bug #1886809 reported by Helio Loureiro on 2020-07-08
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
avahi (Ubuntu)
Medium
Unassigned

Bug Description

Pulse VPNs exists very often because avahi enforces network 192.250.0.0/0 over tun0 interface. The message error is:

rmon.error Unauthorized new route to 169.254.0.0/0.0.0.0 has been added (conflicts with our route to 0.0.0.0), disconnecting (routemon.cpp:598)

No matter the options to skip avahi on /etc/default/avahi-daemon, it always calls /etc/network/if-up.d/avahi-autoipd and raises this discovery network.

A fix can be done patching /etc/network/if-up.d/avahi-autoipd to skip any tunnel interface.

--- /etc/network/if-up.d/avahi-autoipd.dpkg-old 2020-07-08 13:25:41.834569800 +0200
+++ /etc/network/if-up.d/avahi-autoipd 2020-07-07 10:07:37.611118581 +0200
@@ -11,6 +11,10 @@

 [ -x /usr/sbin/avahi-autoipd ] || exit 0

+case "$IFACE" in
+ tun*) exit 0 ;;
+esac
+
 [ "$IFACE" != "lo" ] || exit 0
 case "$ADDRFAM" in
        inet) ;;

Helio Loureiro (helioloureiro) wrote :

I missed to system information. Here is it:

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic

# dpkg -l "avahi*"
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-========================================-=========================-=========================-=====================================================================================
ii avahi-autoipd 0.7-3.1ubuntu1.2 amd64 Avahi IPv4LL network address configuration daemon
ii avahi-daemon 0.7-3.1ubuntu1.2 amd64 Avahi mDNS/DNS-SD daemon
ii avahi-utils 0.7-3.1ubuntu1.2 amd64 Avahi browsing, publishing and discovery utilities

Helio Loureiro (helioloureiro) wrote :

The attachment "avahi-autoipd.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
tags: added: bionic focal
Trent Lloyd (lathiat) wrote :

I'm not sure it makes sense to just universally skip "tun*" interfaces (at least yet) but we may need to review the scenarios in which /etc/network/if-up.d/avahi-autoipd is executing.

Helio: Can you provider a reproducer scenario? e.g. is this ubuntu server, ubuntu desktop, what is the contents of: /etc/network/interfaces, /etc/network/interfaces.d/*, /etc/netplan/* and whether network manager is in use or not. And lastly exactly how pulse VPN is installed and configured, and how that interface is started/connected?

Additionally you may find this issue goes away with netplan versus the older-style interfaces files. In any case with as much info as possible for a reproducer I can check your exact scenario.

Helio Loureiro (helioloureiro) wrote :

This is a ubuntu desktop. A corporate laptop.

> cat /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

> cat /etc/network/interfaces.d/*
fish: No matches for wildcard “/etc/network/interfaces.d/*”. See `help expand`.
cat /etc/network/interfaces.d/*
    ^

> cat /etc/netplan/*
# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: NetworkManager

As you can see this is network-manager based settings.

Pulsesecure is a sort of java browser based application. Since it is a proprietary application, I'm not sure how it runs internally, but it does some basic checkings into your system to allow the connection, and establishes it. It changes all routes to use the VPN as default. Any attempt to change is detect and it considers an attempt to tamper with system, which results in connection drop. That's where the avahi causes the problem.

One extra info: I set the avahi to disable on /etc/default/avahi-daemon.

> cat /etc/default/avahi-daemon
# 1 = Try to detect unicast dns servers that serve .local and disable avahi in
# that case, 0 = Don't try to detect .local unicast dns servers, can cause
# troubles on misconfigured networks
AVAHI_DAEMON_DETECT_LOCAL=0

So even a patch o top of avahi-autoipd that reads this parameter can be enough to avoid this unwanted route to pop up.

Mathew Hodson (mhodson) on 2020-07-30
Changed in avahi (Ubuntu):
importance: Undecided → Medium
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers