1 files changed, 30 insertions, 5 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 708ac8f91..029bc1d69 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -25,6 +25,7 @@ from time import sleep
 from shutil import rmtree
 
 from vyos.config import Config
+from vyos.configdict import list_diff
 from vyos.ifconfig import VTunIf
 from vyos.template import render
 from vyos.util import call, chown, chmod_600, chmod_755
@@ -50,7 +51,8 @@ default_config_data = {
     'hash': '',
     'intf': '',
     'ipv6_autoconf': 0,
-    'ipv6_eui64_prefix': '',
+    'ipv6_eui64_prefix': [],
+    'ipv6_eui64_prefix_remove': [],
     'ipv6_forwarding': 1,
     'ipv6_dup_addr_detect': 1,
     'ipv6_local_address': [],
@@ -314,9 +316,21 @@ def get_config():
     if conf.exists('ipv6 address autoconf'):
         openvpn['ipv6_autoconf'] = 1
 
-    # Get prefix for IPv6 addressing based on MAC address (EUI-64)
+    # Get prefixes for IPv6 addressing based on MAC address (EUI-64)
     if conf.exists('ipv6 address eui64'):
-        openvpn['ipv6_eui64_prefix'] = conf.return_value('ipv6 address eui64')
+        openvpn['ipv6_eui64_prefix'] = conf.return_values('ipv6 address eui64')
+
+    # Determine currently effective EUI64 addresses - to determine which
+    # address is no longer valid and needs to be removed
+    eff_addr = conf.return_effective_values('ipv6 address eui64')
+    openvpn['ipv6_eui64_prefix_remove'] = list_diff(eff_addr, openvpn['ipv6_eui64_prefix'])
+
+    # Remove the default link-local address if set.
+    if conf.exists('ipv6 address no-default-link-local'):
+        openvpn['ipv6_eui64_prefix_remove'].append('fe80::/64')
+    else:
+        # add the link-local by default to make IPv6 work
+        openvpn['ipv6_eui64_prefix'].append('fe80::/64')
 
     # Disable IPv6 forwarding on this interface
     if conf.exists('ipv6 disable-forwarding'):
@@ -1043,13 +1057,24 @@ def apply(openvpn):
         o.set_alias(openvpn['description'])
         # IPv6 address autoconfiguration
         o.set_ipv6_autoconf(openvpn['ipv6_autoconf'])
-        # IPv6 EUI-based address
-        o.set_ipv6_eui64_address(openvpn['ipv6_eui64_prefix'])
         # IPv6 forwarding
         o.set_ipv6_forwarding(openvpn['ipv6_forwarding'])
         # IPv6 Duplicate Address Detection (DAD) tries
         o.set_ipv6_dad_messages(openvpn['ipv6_dup_addr_detect'])
 
+        # IPv6 EUI-based addresses - only in TAP mode (TUN's have no MAC)
+        # If MAC has changed, old EUI64 addresses won't get deleted,
+        # but this isn't easy to solve, so leave them.
+        # This is even more difficult as openvpn uses a random MAC for the
+        # initial interface creation, unless set by 'lladdr'.
+        # NOTE: right now the interface is always deleted. For future
+        # compatibility when tap's are not deleted, leave the del_ in
+        if openvpn['mode'] == 'tap':
+            for addr in openvpn['ipv6_eui64_prefix_remove']:
+                o.del_ipv6_eui64_address(addr)
+            for addr in openvpn['ipv6_eui64_prefix']:
+                o.add_ipv6_eui64_address(addr)
+
     except:
         pass