From: Ralf Lici IPv6 link-local addresses are not globally routable and are therefore absent in the unicast routing table. This causes legitimate packets with link-local source addresses to fail standard RPF checks within ovpn. Introduce an exception to explicitly allow such packets as link-local addresses are essential for core IPv6 link-level operations like NDP, which must function correctly within the virtual tunnel interface. Signed-off-by: Ralf Lici Signed-off-by: Antonio Quartulli --- drivers/net/ovpn/peer.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c index 9ad50f1ac2c3..8fb6e43ecff7 100644 --- a/drivers/net/ovpn/peer.c +++ b/drivers/net/ovpn/peer.c @@ -882,6 +882,13 @@ bool ovpn_peer_check_by_src(struct ovpn_priv *ovpn, struct sk_buff *skb, rcu_read_unlock(); break; case htons(ETH_P_IPV6): + /* Link-local addresses are not globally routable and thus + * would always fail a standard RPF lookup. Allow them as + * they are essential for IPv6 link operations (e.g. NDP) + */ + if (ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL) + return true; + addr6 = ovpn_nexthop_from_rt6(ovpn, ipv6_hdr(skb)->saddr); rcu_read_lock(); match = (peer == ovpn_peer_get_by_vpn_addr6(ovpn, &addr6)); -- 2.51.0
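Review bot: the early "return true" added at the top of the ETH_P_IPV6 case in ovpn_peer_check_by_src() returns before the "match = (peer == ovpn_peer_get_by_vpn_addr6(ovpn, &addr6))" comparison, so a packet with a link-local source is accepted from any peer, with nothing tying that address to the peer that sent it. The new comment explains why the RPF lookup cannot succeed for these addresses, but not that source validation is skipped for them as a result. Please state that trade-off in the comment and in the commit message, including why it is acceptable when several peers share the interface, or narrow the exception so that only the link-local traffic the commit message is concerned with (NDP) takes this path. The return happens before rcu_read_lock(), so there is no locking problem.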