v1.11 OpenVPN observations

Report wireless and/or network connectivity problems in this forum.

Moderator: Moderators

pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

v1.11 OpenVPN observations

Post by pbix »

Been looking at how OpenVPN is working in v1.11 and have run across a few things that puzzle me. In the below example the server LAN is 192.168.2.0 and the client LAN is 192.168.5.0 and we want these two to route both ways.

There is an option in the Gargoyle interface to allow access to the LAN behind the client. In my example this LAN is 192.168.5.0. As result of this option the following appears in the server.conf file:

Code: Select all

push "topology subnet"
push "route-gateway 10.8.0.1"
route 192.168.5.0 255.255.255.0 10.8.0.2
And in the syslog I see the following:

Code: Select all

Sun Mar  3 14:27:32 2019 daemon.notice openvpn(custom_config)[7271]: /sbin/ifconfig tun0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Sun Mar  3 14:27:32 2019 daemon.notice openvpn(custom_config)[7271]: /sbin/route add -net 192.168.5.0 netmask 255.255.255.0 gw 10.8.0.2
Sun Mar  3 14:27:32 2019 daemon.warn openvpn(custom_config)[7271]: Could not determine IPv4/IPv6 protocol. Using AF_INET
I cannot see how this can work because at the time the server is coming up the client has not yet established the connection so there is no 10.8.0.2 network yet.

Even though there is no error shown in the logfile there is also no route added to the route table.

Code: Select all

root@Gargoyle:/etc/openvpn# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         c-73-251-108-1. 0.0.0.0         UG    0      0        0 eth1
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
73.271.108.0    *               255.255.252.0   U     0      0        0 eth1
192.168.2.0     *               255.255.255.0   U     0      0        0 br-lan
So I cannot access the 192.168.5.0 network until I manually add a route to it after everything is up.

I do not remember this being an issue in v1.10. Has something broken?

This looks ominous. Might be a kernel issue.
https://forums.openvpn.net/viewtopic.php?t=25771
Solved in kernel 4.20.13
Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM

Lantis
Moderator
Posts: 7175
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia
Contact:

Re: v1.11 OpenVPN observations

Post by Lantis »

I don't see this behaviour.
When i define a client with a routed subnet behind it, i get a route defined in the routing table straight away.

It is ok to define a *dead* route. It tells the router how to find the address, but does not guarantee that it will find it.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
https://lantisproject.com/blog

Lantis
Moderator
Posts: 7175
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia
Contact:

Re: v1.11 OpenVPN observations

Post by Lantis »

This being said... I'm betting you have a version of Openvpn installed that isn't 2.4.4 release 2 don't you... So this could be causing a slight issue.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
https://lantisproject.com/blog

pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: v1.11 OpenVPN observations

Post by pbix »

I am using the version of OpenVPN which was included in the build. How do I tell which version it is? Running "OpenVPN --help" displays "Usage message not available".

This is a NETGEAR WNDR3700v2 running 1.11.0 downloaded from the website last week.

I see you are correct that it is possible to add a route before it comes up. Its just weird that the logfile shows this command being executed but nothing appears it the route table and no errors in the logfile.
Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM

Lantis
Moderator
Posts: 7175
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia
Contact:

Re: v1.11 OpenVPN observations

Post by Lantis »

"openvpn --version"

The 3700v2 should be ok. I thought we were still talking about one of your routers which required a plugin install.

I'm still having a look to see if anything obvious comes up, but so far not able to reproduce.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
https://lantisproject.com/blog

ispyisail
Moderator
Posts: 5218
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: v1.11 OpenVPN observations

Post by ispyisail »

Been looking at how OpenVPN is working in v1.11 and have run across a few things that puzzle me. In the below example the server LAN is 192.168.2.0 and the client LAN is 192.168.5.0 and we want these two to route both ways.
Have you been using "gargoyle-OpenVPN" previous to 1.11.0?

Just trying to work out if its a setup problem or changes to 1.11.0

https://www.gargoyle-router.com/wiki/do ... reversevpn

ivklim
Posts: 9
Joined: Mon May 28, 2018 1:35 am

Re: v1.11 OpenVPN observations

Post by ivklim »

i can confirm the same issue with v1.11 ovpn route on server for hosts behind the client

1. I have done multiply setup of point-to-point based on gargoyle 1.10 (and previous) openvpn and the settings for server and clients are same in 1.11.
2. my current setup with 1.11
192.168.2.0 /24 -> 192.168.2.1: gargoyle-ovpn-server <---> 192.168.1.1: gargoyle-ovpn-server <- 192.168.1.0
10.1.0.1 is ip on server side tunnel and 10.1.0.2 is ip on client site
after tunnel is up i can ping from 192.168.1.0 to 192.168.2.0
but there is no ping in reverse direction

traceroute to 192.168.1.13 (192.168.1.13), 64 hops max
1 192.168.2.1 0.946ms 0.922ms 0.907ms
2 92.96.253.2 2.405ms 2.249ms 5.415ms
3 * ^C

but there is route to 192.168.1.0 through 10.1.0.2 in OVPN server.conv.

if manually add route
/sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.0.2
then
ping appears
traceroute to 192.168.1.13 (192.168.1.13), 64 hops max
1 192.168.2.1 0.919ms 0.913ms 0.873ms
2 10.1.0.2 9.272ms 7.070ms 8.283ms
3 192.168.1.13 6.851ms 7.447ms 7.714ms

it is really strange, even after start the router i can see in initial stage the required route in route table (from gui) but then the route disappeared and not appears any more.

I was made 2 fresh setup with WDR1900ac and then i ve changed hardware to brand new archer c7 ver.5 and found the same behaviour.

So it looks like some issue with 1.11
Kindly help, it is in production now and i need to add the route manually any time after restart.

openvpn --version
OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]

1.11.X (Built 20190405-0155 git@4685bd7f)
Model:TP-LINK Archer C7 v5
(i faced the same issue with 1.11.0)

log is attached.

ispyisail
Moderator
Posts: 5218
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: v1.11 OpenVPN observations

Post by ispyisail »

@ivklim
Can you post config screen shots?

Its really helpful

Thanks

ivklim
Posts: 9
Joined: Mon May 28, 2018 1:35 am

Re: v1.11 OpenVPN observations

Post by ivklim »

kindly find the link to download, i can not post it directly coz of size
https://we.tl/t-dHIQUDWpf2




the route to 192.168.1.0 has been added manually

as u can see there is another network behind vpn tunnel - 192.168.14.0 and there is no route to it.

ivklim
Posts: 9
Joined: Mon May 28, 2018 1:35 am

Re: v1.11 OpenVPN observations

Post by ivklim »

please looking for help

Post Reply