NetBSD-Bugs archive
kern/57155: OpenVPN (tap and tun) doesn't run as expected on 10.0_BETA
>Number: 57155
>Category: kern
>Synopsis: OpenVPN (tap and tun) doesn't run as expected on 10.0_BETA
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jan 03 12:35:00 +0000 2023
>Originator: joel.bertrand%systella.fr@localhost
>Release: NetBSD 10.0_BETA
>Organization:
>Environment:
System: NetBSD legendre.systella.fr 10.0_BETA NetBSD 10.0_BETA (CUSTOM)
#3: Tue Dec 27 08:46:20 CET 2022
root%legendre.systella.fr@localhost:/usr/src/netbsd-10/obj/sys/arch/amd64/compile/CUSTOM
amd64
Architecture: x86_64
Machine: amd64
>Description:
Let us consider an OpenVPN client (the VPN interface could be tap0 or
tun0). This client is connected to an OpenVPN server through a physical
Ethernet adapter (in my case, wm0).
Client IP address: 192.168.1.2
Server IP address: 192.168.1.1
WAN-----192.168.1.1 (OpenVPN server, Linux)
|
WAN-----192.168.1.2 (OpenVPN client, NetBSD 10.0_BETA) 192.168.10.128---LAN
The VPN connection is up, but:
- the OpenVPN server cannot ping the client (192.168.1.2);
- the OpenVPN client cannot ping the server (192.168.1.1).
If I add a second Ethernet adapter to the client (to connect a LAN)
and if I configure npf to NAT the IPs behind the client, all workstations
on the LAN can ping the OpenVPN server.
The same configuration ran fine with the NetBSD-9.3 kernel (and all
kernels since -7).
tcpdump doesn't show packets. The kernel only seems to drop packets.
>How-To-Repeat:
Configure an OpenVPN client. I have tested with an OpenVPN UDP
configuration, but with tap and tun interfaces.
>Fix: