libnice proposes candidate IP addresses which are unreachable to the peer (VPN with corporate server)
Recently I came upon an issue in Pidgin with SIPE, where communications were disrupted, or could not be established in the first place, because the software was announcing IP addresses which the peer (a corporate Skype for Business server) could not reach. Indeed, communication with this corporate server is supposed to be done solely via VPN; however, libnice was picking my LAN address.
I was told in https://sourceforge.net/p/sipe/bugs/362/ that this was not a bug in SIPE, but in libnice. So I'm reporting it here.
Attached is a stacktrace of the call to libnice where this happens.
This happened with libnice 0.1.14-1, the version which is used by my distribution with the most recent SIPE.
The addresses involved were the following:
192.168.178.42: LAN address. Not reachable by the server. Even a STUN server would not help, as this would solely get through the NAT but not take into account that our corporate Skype server would not route its stream over the public network.
10.202.77.9: VPN address. This is the address that should be used. Even though it is syntactically in a private network (10.x.y.z), it is actually reachable from our corporate Skype for Business server, without NAT.
The VPN software sets a default route through its own tunnel, removes the previous default route (to the Fritz box), and just adds a specific host route to the VPN server via the Fritz box:
$ /sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0
10.202.77.9     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
185.106.27.46   192.168.178.1   255.255.255.255 UGH   0      0        0 br0
192.168.178.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
So, if libnice only proposed candidate addresses on interfaces which have a default route, might that solve this issue? Or alternatively, allow the user to "blacklist" addresses using an environment variable or a configuration file.
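To make the two proposals above concrete, here is an added example (my own illustration, not code from libnice, SIPE or the reporter) of the candidate-address filtering described: it parses the `route -n` output quoted in the report, keeps only local addresses on interfaces that carry a default route, and additionally honours a comma-separated address blacklist. It goes one step further than the "has a default route" heuristic and also shows a longest-prefix-match lookup, which picks the interface the kernel would actually use to reach a given peer (for the VPN server itself that is br0, for everything else tun0). The routing table and the interface-to-address mapping are constructed from the report; the environment variable name `NICE_BLACKLIST_ADDRESSES` is a hypothetical name for the proposed setting, not an existing libnice option.

```python
import ipaddress
import os

# Constructed sample: the `route -n` output from the report above, embedded
# inline so the example runs offline (not read from a live system).
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0
10.202.77.9     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
185.106.27.46   192.168.178.1   255.255.255.255 UGH   0      0        0 br0
192.168.178.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
"""

# Constructed sample: local addresses per interface, as described in the report.
LOCAL_ADDRESSES = {
    "br0": ["192.168.178.42"],   # LAN address, unreachable by the peer
    "tun0": ["10.202.77.9"],     # VPN address, the one that should be offered
}

# Hypothetical name for the proposed blacklist setting (assumption, not a libnice option).
BLACKLIST_ENV_VAR = "NICE_BLACKLIST_ADDRESSES"


def parse_route_n(text):
    """Parse `route -n` output into a list of route dicts (IPv4 only)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the banner and the column header; data rows have 8 columns.
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gateway, genmask, flags = parts[0], parts[1], parts[2], parts[3]
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{genmask}", strict=False),
            "gateway": gateway,
            "flags": flags,
            "iface": parts[7],
        })
    return routes


def default_route_interfaces(routes):
    """Interfaces that carry a default route (destination 0.0.0.0/0)."""
    return {r["iface"] for r in routes if r["network"].prefixlen == 0}


def interface_for_peer(routes, peer):
    """Longest-prefix match: the interface the kernel would use to reach `peer`."""
    peer_ip = ipaddress.ip_address(peer)
    best = None
    for r in routes:
        if peer_ip in r["network"]:
            if best is None or r["network"].prefixlen > best["network"].prefixlen:
                best = r
    return best["iface"] if best else None


def parse_blacklist(env):
    """Comma-separated addresses from the (hypothetical) blacklist variable."""
    raw = env.get(BLACKLIST_ENV_VAR, "")
    return {ipaddress.ip_address(a.strip()) for a in raw.split(",") if a.strip()}


def select_candidate_addresses(local_addresses, routes, env):
    """Addresses worth offering as ICE host candidates.

    Keeps only addresses on interfaces that have a default route, then drops
    anything listed in the blacklist variable. Returns a sorted list.
    """
    allowed_ifaces = default_route_interfaces(routes)
    blacklist = parse_blacklist(env)
    selected = []
    for iface, addrs in local_addresses.items():
        if iface not in allowed_ifaces:
            continue
        for a in addrs:
            if ipaddress.ip_address(a) in blacklist:
                continue
            selected.append(a)
    return sorted(selected)


if __name__ == "__main__":
    routes = parse_route_n(ROUTE_N_OUTPUT)
    print("default-route interfaces:", default_route_interfaces(routes))
    print("candidates:", select_candidate_addresses(LOCAL_ADDRESSES, routes, os.environ))
    print("interface towards VPN server:", interface_for_peer(routes, "185.106.27.46"))
```

With the routing table from the report, only tun0 carries a default route, so the LAN address 192.168.178.42 is never offered and 10.202.77.9 is the sole host candidate; the longest-prefix lookup shows why the host route to the VPN server via br0 does not change that. The `route -n` parser is deliberately simple and IPv4-only; a real implementation inside libnice would read the routing table from the kernel (netlink) rather than scraping command output.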