Openvpn broken when using net.add_addr_allfibs=0, routes are not adding
Ultima
ultima1252 at gmail.com
Sun Apr 23 04:05:37 UTC 2017
The problem, to me, looks to be that there is no ip address on fib 1, but
I'm not sure how openvpn can initiate the connect to the vpn with no ip
address. Try and ping something using fib 1. The result will probably be no
route to host. Many of the route commands are failing in the openvpn log
because of this. If a 192.168.0.0/24 ip is added to the fib, this should
fix the problem.
Hope this helps,
Ultima
On Tue, Apr 18, 2017 at 9:12 PM, bsd <bsd at stuckat99.com> wrote:
> I am trying to use OpenVPN and multiple fibs on FreeBSD 11-p9. The issue
> is, when I use net.add_addr_allfibs=0 instead of net.add_addr_allfibs=1 in
> my /boot/loader.conf, OpenVPN fails to be able to add the routes properly
> and the VPN will not function properly.
>
> OpenVPN works 100% fine when I use net.add_addr_allfibs=1 but my
> requirements need this to be set to 0 to turn off its behavior of adding
> routes to all fibs.
>
> # /boot/loader.conf
> net.fibs=3
> net.add_addr_allfibs=0
>
> Since I am using net.add_addr_allfibs=0, I have a clean routing table and I
> have to add the initial route and gateway for my router manually to get
> fib 1 routable to the internet.
>
> # setfib 1 route add -net 192.168.0.0/24 -iface ue0
> # setfib 1 route add default 192.168.0.1
>
> For some odd reason I must also bring up a tun device manually otherwise
> OpenVPN cannot. I have set my config to use tun10 for this test.
>
> # sysrc openvpn_if="tun10"
> # ifconfig tun10 up
>
> My routing table before I start
>
> # setfib 1 netstat -rn
> Routing tables (fib: 1)
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            192.168.0.1        UGS         ue0
> 127.0.0.1          lo0                UHS         lo0
> 192.168.0.0/24     b8:27:eb:fd:22:10  US          ue0
>
> Internet6:
> Destination        Gateway            Flags     Netif Expire
> ::/96              ::1                UGRS        lo0
> ::1                lo0                UHS         lo0
> ::ffff:0.0.0.0/96  ::1                UGRS        lo0
> fe80::/10          ::1                UGRS        lo0
> fe80::%lo0/64      link#1             U           lo0
> ff02::/16          ::1                UGRS        lo0
> [sean at rpi2 ~]$
>
> Let's try to connect OpenVPN
>
> # setfib 1 openvpn dallas.ovpn
> Thu Oct 27 12:11:32 2016 OpenVPN 2.3.11 armv6-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 25 2016
> Thu Oct 27 12:11:32 2016 library versions: OpenSSL 1.0.2j-freebsd 26 Sep 2016, LZO 2.09
> Thu Oct 27 12:11:32 2016 Control Channel Authentication: tls-auth using INLINE static key file
> Thu Oct 27 12:11:32 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Thu Oct 27 12:11:32 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Thu Oct 27 12:11:32 2016 Socket Buffers: R=[42080->42080] S=[9216->9216]
> Thu Oct 27 12:11:32 2016 UDPv4 link local: [undef]
> Thu Oct 27 12:11:32 2016 UDPv4 link remote: [AF_INET]107.183.238.186:443
> Thu Oct 27 12:11:32 2016 TLS: Initial packet from [AF_INET]107.183.238.186:443, sid=c8b24ffa a8737d61
> Thu Oct 27 12:11:32 2016 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info at airvpn.org
> Thu Oct 27 12:11:32 2016 Validating certificate key usage
> Thu Oct 27 12:11:32 2016 ++ Certificate has key usage 00a0, expects 00a0
> Thu Oct 27 12:11:32 2016 VERIFY KU OK
> Thu Oct 27 12:11:32 2016 Validating certificate extended key usage
> Thu Oct 27 12:11:32 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
> Thu Oct 27 12:11:32 2016 VERIFY EKU OK
> Thu Oct 27 12:11:32 2016 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info at airvpn.org
> Thu Oct 27 12:11:36 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
> Thu Oct 27 12:11:36 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Thu Oct 27 12:11:36 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
> Thu Oct 27 12:11:36 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Thu Oct 27 12:11:36 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
> Thu Oct 27 12:11:36 2016 [server] Peer Connection Initiated with [AF_INET]107.183.238.186:443
> Thu Oct 27 12:11:39 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
> Thu Oct 27 12:11:39 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.17.25 255.255.0.0'
> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: timers and/or timeouts modified
> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: LZO parms modified
> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: --ifconfig/up options modified
> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: route options modified
> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: route-related options modified
> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
> Thu Oct 27 12:11:39 2016 ROUTE_GATEWAY 192.168.0.1
> Thu Oct 27 12:11:39 2016 TUN/TAP device tun10 exists previously, keep at program end
> Thu Oct 27 12:11:39 2016 TUN/TAP device /dev/tun10 opened
> Thu Oct 27 12:11:39 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
> Thu Oct 27 12:11:39 2016 /sbin/ifconfig tun10 10.4.17.25 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
> Thu Oct 27 12:11:39 2016 /sbin/route add -net 10.4.0.0 10.4.17.25 255.255.0.0
> route: writing to routing socket: Network is unreachable
> add net 10.4.0.0: gateway 10.4.17.25 fib 1: Network is unreachable
> Thu Oct 27 12:11:39 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
> Thu Oct 27 12:11:44 2016 /sbin/route add -net 107.183.238.186 192.168.0.1 255.255.255.255
> add net 107.183.238.186: gateway 192.168.0.1 fib 1
> Thu Oct 27 12:11:44 2016 /sbin/route add -net 0.0.0.0 10.4.0.1 128.0.0.0
> route: writing to routing socket: Network is unreachable
> add net 0.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
> Thu Oct 27 12:11:44 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
> Thu Oct 27 12:11:44 2016 /sbin/route add -net 128.0.0.0 10.4.0.1 128.0.0.0
> route: writing to routing socket: Network is unreachable
> add net 128.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
> Thu Oct 27 12:11:44 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
> Thu Oct 27 12:11:44 2016 Initialization Sequence Completed
>
> The routes are failing to add and the VPN is not configured properly in
> the end.
>
> My routing table now. We can see that the VPN did not configure
> properly. The desired behavior is that it would set the VPN to be the
> default gateway and route all traffic over it, but only for FIB 1.
>
> # setfib 1 netstat -rn
> Routing tables (fib: 1)
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            192.168.0.1        UGS         ue0
> 107.183.238.186/32 192.168.0.1        UGS         ue0
> 127.0.0.1          lo0                UHS         lo0
> 192.168.0.0/24     b8:27:eb:fd:22:10  US          ue0
>
> Internet6:
> Destination        Gateway            Flags     Netif Expire
> ::/96              ::1                UGRS        lo0
> ::1                lo0                UHS         lo0
> ::ffff:0.0.0.0/96  ::1                UGRS        lo0
> fe80::/10          ::1                UGRS        lo0
> fe80::%lo0/64      link#1             U           lo0
> ff02::/16          ::1                UGRS        lo0
>
>
> Is this a bug or have I missed something?
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
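The failures in the quoted log follow a simple pattern: the one `route add` that succeeds uses a next hop (192.168.0.1) that sits on the directly connected 192.168.0.0/24 in FIB 1, while the ones that fail use tunnel addresses (10.4.17.25, 10.4.0.1) that FIB 1 can only reach through its default route, because with net.add_addr_allfibs=0 the tun10 interface route landed in FIB 0 only. The script below is an added example, not code from the thread, OpenVPN or FreeBSD: it parses the poster's `setfib 1 netstat -rn` output (constructed inline from the post), replays the four `route add` commands from the log against it, and predicts which ones the kernel will reject. The modelled rule is an assumption stated in the code: a next hop that no route other than the default route covers is treated as unreachable. It then shows the same commands succeeding once an interface route for the tunnel subnet exists in that FIB.

```python
import ipaddress

# Constructed sample input: the IPv4 section of the "before" FIB 1 table from the post.
FIB1_BEFORE = """\
Destination        Gateway            Flags     Netif Expire
default            192.168.0.1        UGS         ue0
127.0.0.1          lo0                UHS         lo0
192.168.0.0/24     b8:27:eb:fd:22:10  US          ue0
"""

# The four `route add -net <dest> <gateway> <netmask>` commands OpenVPN ran
# in FIB 1, as they appear in the quoted log.
OPENVPN_ROUTE_ADDS = [
    ("10.4.0.0", "10.4.17.25", "255.255.0.0"),
    ("107.183.238.186", "192.168.0.1", "255.255.255.255"),
    ("0.0.0.0", "10.4.0.1", "128.0.0.0"),
    ("128.0.0.0", "10.4.0.1", "128.0.0.0"),
]


def parse_netstat(text):
    """Turn the IPv4 part of `setfib N netstat -rn` into a list of route dicts.

    Only the first four columns matter here (Destination, Gateway, Flags, Netif);
    header lines and anything that is not IPv4 are skipped.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, gateway, flags, netif = parts[:4]
        if dest == "default":
            dest = "0.0.0.0/0"
        net = ipaddress.ip_network(dest, strict=False)
        if net.version != 4:
            continue
        routes.append({"net": net, "gateway": gateway, "flags": flags, "netif": netif})
    return routes


def gateway_is_usable(routes, gateway):
    """Longest-prefix match the next hop against the FIB.

    Assumption modelled here: a next hop that is covered only by the default
    route (prefix length 0) is rejected, so the route add fails with
    'Network is unreachable'. A next hop on a directly connected network, or
    covered by any more specific route, is accepted.
    """
    gw = ipaddress.ip_address(gateway)
    best = None
    for r in routes:
        if gw in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return best is not None and best["net"].prefixlen > 0


def predict_route_add(routes, dest, gateway, netmask):
    """Return the message the `route add` would produce under the modelled rule."""
    net = ipaddress.ip_network(f"{dest}/{netmask}", strict=False)
    if not gateway_is_usable(routes, gateway):
        return f"add net {net}: gateway {gateway}: Network is unreachable"
    return f"add net {net}: gateway {gateway}"


def predict_all(routes, adds=OPENVPN_ROUTE_ADDS):
    return [predict_route_add(routes, d, g, m) for d, g, m in adds]


def add_interface_route(routes, prefix, netif):
    """Copy of the table with a directly connected route for `prefix` on `netif`,
    i.e. what the kernel installs in a FIB when the interface address is added to it."""
    extra = {"net": ipaddress.ip_network(prefix, strict=False),
             "gateway": "link#", "flags": "U", "netif": netif}
    return routes + [extra]


if __name__ == "__main__":
    before = parse_netstat(FIB1_BEFORE)
    print("FIB 1 as posted:")
    for msg in predict_all(before):
        print("  " + msg)
    after = add_interface_route(before, "10.4.0.0/16", "tun10")
    print("FIB 1 with the tun10 interface route present:")
    for msg in predict_all(after):
        print("  " + msg)
```

Run it with `python3` and compare the first block of output with the quoted log: the 107.183.238.186/32 add is the only one accepted, exactly as in the post. The second block is the check a practitioner would want before trusting `setfib N openvpn ...`: confirm that the tunnel subnet is visible in the FIB that OpenVPN will modify, since a missing interface route turns every pushed route, including the redirect-gateway halves 0.0.0.0/1 and 128.0.0.0/1, into a silent failure that still ends with "Initialization Sequence Completed".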