Openvpn client doesn't install routes


mad_ady

Regular Contributor
I'm using openvpn on RMerlin's ASUS firmware (v 384.5) as a client (client1) with an ovpn config which pushes a route:
Code:
push "route 192.168.100.0 255.255.255.0"

The client connects correctly to the openvpn server, however, the route is not installed into the router's routing table (connection output with IP changed):
Code:
Nov 22 15:01:44 ovpn-client1[3272]: OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 12 2018
Nov 22 15:01:44 ovpn-client1[3272]: library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.08
Nov 22 15:01:44 ovpn-client1[3273]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 22 15:01:44 ovpn-client1[3273]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 22 15:01:44 ovpn-client1[3273]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 22 15:01:45 ovpn-client1[3273]: TCP/UDP: Preserving recently used remote address: [AF_INET]5.12.133.169:1194
Nov 22 15:01:45 ovpn-client1[3273]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Nov 22 15:01:45 ovpn-client1[3273]: UDP link local: (not bound)
Nov 22 15:01:45 ovpn-client1[3273]: UDP link remote: [AF_INET]1.2.3.4:1194
Nov 22 15:01:45 ovpn-client1[3273]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Nov 22 15:01:45 ovpn-client1[3273]: TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=761b1e37 6800fc5c
Nov 22 15:01:45 ovpn-client1[3273]: VERIFY OK: depth=1, CN=Easy-RSA CA
Nov 22 15:01:45 ovpn-client1[3273]: VERIFY KU OK
Nov 22 15:01:45 ovpn-client1[3273]: Validating certificate extended key usage
Nov 22 15:01:45 ovpn-client1[3273]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Nov 22 15:01:45 ovpn-client1[3273]: VERIFY EKU OK
Nov 22 15:01:45 ovpn-client1[3273]: VERIFY OK: depth=0, CN=server
Nov 22 15:01:45 ovpn-client1[3273]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Nov 22 15:01:45 ovpn-client1[3273]: [server] Peer Connection Initiated with [AF_INET]5.12.133.169:1194
Nov 22 15:01:46 ovpn-client1[3273]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Nov 22 15:01:46 ovpn-client1[3273]: PUSH: Received control message: 'PUSH_REPLY,route 172.20.20.1,topology net30,ping 10,ping-restart 120,ifconfig 172.20.20.14 172.20.20.13,peer-id 0,cipher AES-256-GCM'
Nov 22 15:01:46 ovpn-client1[3273]: OPTIONS IMPORT: timers and/or timeouts modified
Nov 22 15:01:46 ovpn-client1[3273]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 22 15:01:46 ovpn-client1[3273]: OPTIONS IMPORT: route options modified
Nov 22 15:01:46 ovpn-client1[3273]: OPTIONS IMPORT: peer-id set
Nov 22 15:01:46 ovpn-client1[3273]: OPTIONS IMPORT: adjusting link_mtu to 1624
Nov 22 15:01:46 ovpn-client1[3273]: OPTIONS IMPORT: data channel crypto options modified
Nov 22 15:01:46 ovpn-client1[3273]: Data Channel: using negotiated cipher 'AES-256-GCM'
Nov 22 15:01:46 ovpn-client1[3273]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 22 15:01:46 ovpn-client1[3273]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 22 15:01:46 ovpn-client1[3273]: TUN/TAP device tun11 opened
Nov 22 15:01:46 ovpn-client1[3273]: TUN/TAP TX queue length set to 100
Nov 22 15:01:46 ovpn-client1[3273]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Nov 22 15:01:46 ovpn-client1[3273]: /usr/sbin/ip link set dev tun11 up mtu 1500
Nov 22 15:01:46 ovpn-client1[3273]: /usr/sbin/ip addr add dev tun11 local 172.20.20.14 peer 172.20.20.13
Nov 22 15:01:48 ovpn-client1[3273]: /usr/sbin/ip route add 172.20.20.1/32 via 172.20.20.13
Nov 22 15:01:49 ovpn-client1[3273]: GID set to nobody
Nov 22 15:01:49 ovpn-client1[3273]: UID set to nobody
Nov 22 15:01:49 ovpn-client1[3273]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 22 15:01:49 ovpn-client1[3273]: Initialization Sequence Completed

Based on the output, it doesn't even try to install the route.
If I install it manually, it works:
Code:
route add -net 192.168.100.0/24 dev tun11

Any ideas where I should start looking into why the route isn't added on connection?
Thanks
 

john9527

Part of the Furniture
Any ideas where I should start looking into why the route isn't added on connection?

If you are using Policy (strict) mode, switch to just regular policy mode (Sorry, I don't remember the exact wording for the options).
 

mad_ady

Regular Contributor
Thanks. The option is called "Redirect internet traffic" and I set it to policy (it was off).
I added the static route and now ping works, but the routing table doesn't show the route:
Code:
[email protected]:/tmp/home/root# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
172.20.20.13    0.0.0.0         255.255.255.255 UH    0      0        0 tun11
172.22.22.0     0.0.0.0         255.255.255.0   U     0      0        0 tun22
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun21
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 ppp0
[email protected]:/tmp/home/root# ping 192.168.100.35
PING 192.168.100.35 (192.168.100.35): 56 data bytes
64 bytes from 192.168.100.35: seq=0 ttl=64 time=4.448 ms
64 bytes from 192.168.100.35: seq=1 ttl=64 time=4.422 ms
64 bytes from 192.168.100.35: seq=2 ttl=64 time=4.329 ms
^C
--- 192.168.100.35 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 4.329/4.399/4.448 ms

[email protected]:/tmp/home/root# ip route get 192.168.100.35
192.168.100.35 via 172.20.20.13 dev tun11  src 172.20.20.14
Is it because it's not injected in the routing table and it's policy routing? Or is it a different routing table?
Code:
[email protected]:/tmp/home/root# iptables -L -n -v | grep tun11
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0           
[email protected]:/tmp/home/root# iptables -t nat -L -n -v | grep tun11
    0     0 MASQUERADE  all  --  *      tun11   192.168.1.0/24       0.0.0.0/0

Thanks
 

john9527

Part of the Furniture
Or is it a different routing table?
Different table.....try

ip route show table ovpnc1

Also, if you had policy mode off, you now need to add rules for the clients that you want to route through the VPN with policy based routing.
 

mad_ady

Regular Contributor
Thanks, this explains it:
Code:
[email protected]:/tmp/home/root# cat /etc/iproute2/rt_tables
100 wan0
111 ovpnc1
112 ovpnc2
113 ovpnc3
114 ovpnc4
115 ovpnc5
200 wan1

[email protected]:/tmp/home/root# ip route show table 111
10.0.0.1 dev ppp0 scope link
172.20.20.13 dev tun11 scope link  src 172.20.20.14
172.20.20.1 via 172.20.20.13 dev tun11
172.22.22.0/24 dev tun22 scope link  src 172.22.22.1
192.168.1.0/24 dev br0 scope link  src 192.168.1.1
10.8.0.0/24 dev tun21 scope link  src 10.8.0.1
169.254.0.0/16 dev eth0 scope link  src 169.254.220.126
127.0.0.0/8 dev lo scope link
default via 172.20.20.13 dev tun11
[email protected]:/tmp/home/root# ip rule list
0:   from all lookup local
10101:   from all to 192.168.100.0/24 lookup 111
32766:   from all lookup main
32767:   from all lookup default
It seems I also have a default gateway in the 111 table, but only traffic going to 192.168.100.0/24 looks up that table, so it's fine.
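To make the lookup order in this last post concrete, here is an added example (not from the thread or the firmware) that models the Linux policy-routing walk with the `ip rule` and table entries quoted above: rules are tried by priority, a matching selector sends the lookup into that table, and a table without a matching route falls through to the next rule. The `local` table is left empty and every rule is assumed to be `from all`.

```python
from ipaddress import ip_address, ip_network

# Rules in priority order, modelled on the `ip rule list` output above.
# (priority, "to" selector, table); "from all" is assumed for each rule.
RULES = [
    (0,     "0.0.0.0/0",        "local"),
    (10101, "192.168.100.0/24", "111"),
    (32766, "0.0.0.0/0",        "main"),
    (32767, "0.0.0.0/0",        "default"),
]

# Routing tables: prefix -> (gateway or None, device). Entries are copied
# from the thread's `route -n` (main) and `ip route show table 111` output;
# unrelated interfaces are omitted and the local table is left empty.
TABLES = {
    "local": {},
    "111": {
        "172.20.20.13/32": (None, "tun11"),
        "172.20.20.1/32":  ("172.20.20.13", "tun11"),
        "192.168.1.0/24":  (None, "br0"),
        "0.0.0.0/0":       ("172.20.20.13", "tun11"),   # default in ovpnc1
    },
    "main": {
        "172.20.20.13/32": (None, "tun11"),
        "192.168.1.0/24":  (None, "br0"),
        "0.0.0.0/0":       ("10.0.0.1", "ppp0"),        # WAN default
    },
    "default": {},
}

def lookup_table(table, dst):
    """Longest-prefix match within a single table; None when nothing matches."""
    best = None
    for prefix, hop in TABLES[table].items():
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best

def route_get(dst_str):
    """Emulate `ip route get`: first rule whose selector matches AND whose
    table holds a route for dst wins; an empty/non-matching table falls through."""
    dst = ip_address(dst_str)
    for _prio, selector, table in RULES:
        if dst not in ip_network(selector):
            continue
        hit = lookup_table(table, dst)
        if hit is not None:
            net, (gw, dev) = hit
            return {"table": table, "prefix": str(net), "via": gw, "dev": dev}
    return None
```

Running `route_get("192.168.100.35")` lands on the default route inside table 111 (via 172.20.20.13 on tun11), matching the `ip route get` output in the thread, while any other destination such as 8.8.8.8 skips rule 10101 and resolves through the main table on ppp0, which is why `route -n` never shows the VPN route.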
 
