Gentoo Forums
[solved] openvpn overwrites local route
prelude
n00b
Joined: 31 Aug 2002
Posts: 13

PostPosted: Tue May 26, 2015 9:32 am    Post subject: [solved] openvpn overwrites local route

I have been trying to get an openvpn running. I have used virtually the same configuration on older hardware (and older versions of software) without trouble.

When the vpn starts, the server pushes routes to the clients. When this happens on most of my gentoo machines, the local route gets pushed as well, i.e. my local lan should be routed to eth1, but a second route is pushed through openvpn to route to tun0 and then everything breaks.

Strangely enough, this problem does not occur on one of my gentoo boxes and on the debian box I also run.

The configs are exactly the same, as is the openvpn version.

server config

Code:
dev tun
proto udp
port 1194
local x.x.x.x
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 172.16.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd/
route 10.0.0.0 255.255.252.0
route 192.168.0.0 255.255.255.0
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
route 192.168.3.0 255.255.255.0
route 192.168.4.0 255.255.255.0
route 192.168.5.0 255.255.255.0
push "route 10.0.0.0 255.255.252.0"
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.5.0 255.255.255.0"
client-to-client
keepalive 1 5
persist-tun
persist-key
persist-local-ip
persist-remote-ip
push "persist-key"
push "persist-tun"


client 1 (not working)
Code:
proto udp
port 1194
remote x.x.x.x
dev tun
ca ca.crt
cert client1.crt
key client1.key


openvpn version:
Code:
OpenVPN 2.3.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 24 2015
library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=no enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir=//usr/lib64/openvpn with_sysroot=no


routing table
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         x.x.x.x     0.0.0.0         UG        0 0          0 eth0
10.0.0.0        172.16.1.5      255.255.252.0   UG        0 0          0 tun0
10.0.0.0        0.0.0.0         255.255.252.0   U         0 0          0 eth1
83.128.12.0     0.0.0.0         255.255.252.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
172.16.1.0      172.16.1.5      255.255.255.0   UG        0 0          0 tun0
172.16.1.5      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.0.0     172.16.1.5      255.255.255.0   UG        0 0          0 tun0
192.168.1.0     172.16.1.5      255.255.255.0   UG        0 0          0 tun0
192.168.2.0     172.16.1.5      255.255.255.0   UG        0 0          0 tun0
192.168.3.0     172.16.1.5      255.255.255.0   UG        0 0          0 tun0
192.168.4.0     172.16.1.5      255.255.255.0   UG        0 0          0 tun0
192.168.5.0     172.16.1.5      255.255.255.0   UG        0 0          0 tun0

Note the two duplicate 10.0.0.0 entries!

client 2 (working)
Code:

proto udp
port 1194
remote x.x.x.x
dev tun
ca ca.crt
cert client2.crt
key client2.key


openvpn version:
Code:
OpenVPN 2.3.6 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 31 2014
library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=no enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir=//usr/lib/openvpn with_sysroot=no


routing table:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         x.x.x.x     0.0.0.0         UG        0 0          0 eth0
10.0.0.0        172.16.1.9      255.255.252.0   UG        0 0          0 tun0
88.159.32.0     0.0.0.0         255.255.252.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
172.16.1.0      172.16.1.9      255.255.255.0   UG        0 0          0 tun0
172.16.1.9      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.0.0     172.16.1.9      255.255.255.0   UG        0 0          0 tun0
192.168.1.0     172.16.1.9      255.255.255.0   UG        0 0          0 tun0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.3.0     172.16.1.9      255.255.255.0   UG        0 0          0 tun0
192.168.4.0     172.16.1.9      255.255.255.0   UG        0 0          0 tun0
192.168.5.0     172.16.1.9      255.255.255.0   UG        0 0          0 tun0

Note that there is only one 192.168.2.0 route, the correct one. The server logs the following "error" for client 2, which I understand is expected behaviour since the route can/should not be pushed:
Code:

Options error: option 'route' cannot be used in this context (ccd//client2)


I am at a complete loss as to what is causing this. Manually deleting the offending route does not seem to solve the problem; stopping openvpn then leaves me with no routes to the local lan.

Thank you for any help :)
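A check for the symptom in the post above (a server-pushed route duplicating a client's directly connected LAN route), written here as an added example and not the poster's code. It takes plain `route -n` text plus the server's push lines; both samples are constructed from the thread, with the redacted x.x.x.x gateway kept as posted.

```python
"""Flag OpenVPN-pushed routes that duplicate a client's directly connected LAN.
Added example; the sample route table and push lines are constructed from the post."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the non-working client's routing table (abridged).
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         x.x.x.x         0.0.0.0         UG        0 0          0 eth0
10.0.0.0        172.16.1.5      255.255.252.0   UG        0 0          0 tun0
10.0.0.0        0.0.0.0         255.255.252.0   U         0 0          0 eth1
172.16.1.5      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.0.0     172.16.1.5      255.255.255.0   UG        0 0          0 tun0
"""

# Constructed sample: the server's push directives.
SERVER_CONF = """\
push "route 10.0.0.0 255.255.252.0"
push "route 192.168.0.0 255.255.255.0"
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_routes(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (destination, genmask, gateway, iface) tuples from `route -n` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with an IPv4 destination; header rows do not.
        if len(parts) >= 8 and IPV4.match(parts[0]):
            routes.append((parts[0], parts[2], parts[1], parts[7]))
    return routes

def duplicate_destinations(text: str) -> List[Tuple[str, str, List[str]]]:
    """Destination/mask pairs present on more than one interface (the post's symptom)."""
    seen: Dict[Tuple[str, str], List[str]] = {}
    for dest, mask, _gw, iface in parse_routes(text):
        seen.setdefault((dest, mask), []).append(iface)
    return [(d, m, ifs) for (d, m), ifs in seen.items() if len(ifs) > 1]

def shadowed_lans(text: str, conf: str) -> List[Tuple[str, str, str]]:
    """Pushed routes whose prefix is directly connected (gateway 0.0.0.0) on a non-tun
    interface; these are the ones needing a per-client override in ccd/<CN>."""
    connected = {(d, m): i for d, m, gw, i in parse_routes(text)
                 if gw == "0.0.0.0" and not i.startswith("tun")}
    pushed = re.findall(r'push\s+"route\s+(\S+)\s+(\S+)"', conf)
    return [(d, m, connected[(d, m)]) for d, m in pushed if (d, m) in connected]

if __name__ == "__main__":
    for dest, mask, iface in shadowed_lans(ROUTE_TABLE, SERVER_CONF):
        print(f"pushed route {dest}/{mask} shadows LAN on {iface}")
```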
prelude

PostPosted: Wed May 27, 2015 11:34 am    Post subject:

Ok, so I figured it out. Turns out that my client config file in the ccd directory was not equal to my common name (CN).