Openvpn broken when using net.add_addr_allfibs=0, routes are not adding
bsd
bsd at stuckat99.com
Mon May 1 02:28:56 UTC 2017
Hello,
I tried adding an IP for fib 1 and I am having the same results.
My routing table before adding any IPs
setfib 1 netstat -rn
Internet:
Destination        Gateway            Flags  Netif Expire
127.0.0.1          lo0                UHS    lo0
Internet6:
Destination        Gateway            Flags  Netif Expire
::/96              ::1                UGRS   lo0
::1                lo0                UHS    lo0
::ffff:0.0.0.0/96  ::1                UGRS   lo0
fe80::/10          ::1                UGRS   lo0
fe80::%lo0/64      link#3             U      lo0
ff02::/16          ::1                UGRS   lo0
Adding an IP for fib 1, and adding the route and gateway
ifconfig em0 inet 192.168.0.140/24 add fib 1
setfib 1 route add -net 192.168.0.0/24 -iface em0
setfib 1 route add default 192.168.0.1
My routing table now
setfib 1 netstat -rn
Routing tables (fib: 1)
Internet:
Destination        Gateway            Flags  Netif Expire
default            192.168.0.1        UGS    em0
127.0.0.1          lo0                UHS    lo0
192.168.0.0/24     00:1d:09:7d:e4:d6  US     em0
192.168.0.140      link#1             UHS    lo0
Internet6:
Destination        Gateway            Flags  Netif Expire
::/96              ::1                UGRS   lo0
::1                lo0                UHS    lo0
::ffff:0.0.0.0/96  ::1                UGRS   lo0
fe80::/10          ::1                UGRS   lo0
fe80::%lo0/64      link#3             U      lo0
ff02::/16          ::1                UGRS   lo0
A ping test for good measure
ping -c 2 google.com
PING google.com (172.217.11.78): 56 data bytes
64 bytes from 172.217.11.78: icmp_seq=0 ttl=55 time=27.301 ms
64 bytes from 172.217.11.78: icmp_seq=1 ttl=55 time=20.904 ms
--- google.com ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 20.904/24.102/27.301/3.198 ms
What happens when I test the vpn
setfib 1 openvpn myvpn.ovpn
Thu Mar 30 19:26:39 2017 OpenVPN 2.4.1 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Apr 29 2017
Thu Mar 30 19:26:39 2017 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
Thu Mar 30 19:26:39 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 30 19:26:39 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 30 19:26:39 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]107.183.238.186:443
Thu Mar 30 19:26:39 2017 Socket Buffers: R=[42080->42080] S=[9216->9216]
Thu Mar 30 19:26:39 2017 UDP link local: (not bound)
Thu Mar 30 19:26:39 2017 UDP link remote: [AF_INET]107.183.238.186:443
Thu Mar 30 19:26:39 2017 TLS: Initial packet from [AF_INET]107.183.238.186:443, sid=aba0890c 250effe8
Thu Mar 30 19:26:39 2017 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info at airvpn.org
Thu Mar 30 19:26:39 2017 VERIFY KU OK
Thu Mar 30 19:26:39 2017 Validating certificate extended key usage
Thu Mar 30 19:26:39 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Mar 30 19:26:39 2017 VERIFY EKU OK
Thu Mar 30 19:26:39 2017 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info at airvpn.org
Thu Mar 30 19:26:39 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Mar 30 19:26:39 2017 [server] Peer Connection Initiated with [AF_INET]107.183.238.186:443
Thu Mar 30 19:26:40 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Mar 30 19:26:40 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.17.25 255.255.0.0'
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: timers and/or timeouts modified
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: compression parms modified
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: --ifconfig/up options modified
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: route options modified
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: route-related options modified
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Mar 30 19:26:40 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Mar 30 19:26:40 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 30 19:26:40 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Mar 30 19:26:40 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 30 19:26:40 2017 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=em0 HWADDR=00:1d:09:7d:e4:d6
Thu Mar 30 19:26:40 2017 TUN/TAP device /dev/tun0 opened
Thu Mar 30 19:26:40 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Mar 30 19:26:40 2017 /sbin/ifconfig tun0 10.4.17.25 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
Thu Mar 30 19:26:40 2017 /sbin/route add -net 10.4.0.0 10.4.0.1 255.255.0.0
route: writing to routing socket: Network is unreachable
add net 10.4.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
Thu Mar 30 19:26:40 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Thu Mar 30 19:26:45 2017 /sbin/route add -net 107.183.238.186 192.168.0.1 255.255.255.255
add net 107.183.238.186: gateway 192.168.0.1 fib 1
Thu Mar 30 19:26:45 2017 /sbin/route add -net 0.0.0.0 10.4.0.1 128.0.0.0
route: writing to routing socket: Network is unreachable
add net 0.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
Thu Mar 30 19:26:45 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Thu Mar 30 19:26:45 2017 /sbin/route add -net 128.0.0.0 10.4.0.1 128.0.0.0
route: writing to routing socket: Network is unreachable
add net 128.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
Thu Mar 30 19:26:45 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Thu Mar 30 19:26:45 2017 Initialization Sequence Completed
Of course if I try this on fib 0 it works just fine and adds all
the routes.
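An added example (not code from the thread) that replays the route adds from the log above against the fib 1 table: a POSIX sh/awk check of whether a gateway is covered by a non-default route in that FIB, which is the one condition the successful and the failing `route add` lines differ on. It assumes, as the log shows, that a gateway reachable only through the default route is rejected with "Network is unreachable".

```shell
#!/bin/sh
# Added example, not from the thread. Offline check of whether a gateway
# address can be used by `route add` in a FIB, given the text of
# `setfib N netstat -rn -f inet`. Assumption matching the log above: a
# gateway covered only by "default" is rejected, one covered by a more
# specific route (here the 192.168.0.0/24 interface route) is accepted.

# gw_reachable GATEWAY TABLE_TEXT -> exit 0 if a non-default IPv4 route
# in TABLE_TEXT covers GATEWAY (longest-prefix match), else exit 1.
gw_reachable() {
    printf '%s\n' "$2" | awk -v gw="$1" '
    function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    # network part of ip for prefix length p, without bitwise ops (POSIX awk)
    function netof(ip, p,  s) { s = 2^(32-p); return int(ip/s)*s }
    BEGIN { g = ip2int(gw); best = -1 }
    # IPv4 Destination rows: "a.b.c.d" (host route) or "a.b.c.d/len";
    # the "default" row is deliberately not matched.
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
        n = split($1, d, "/"); p = (n == 2) ? d[2] + 0 : 32
        if (netof(ip2int(d[1]), p) == netof(g, p) && p > best) best = p
    }
    END { exit (best >= 0) ? 0 : 1 }'
}

# Constructed copy of the fib 1 table from the message above, as it was
# before OpenVPN ran (IPv4 part only).
FIB1_TABLE='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags  Netif Expire
default            192.168.0.1        UGS    em0
127.0.0.1          lo0                UHS    lo0
192.168.0.0/24     00:1d:09:7d:e4:d6  US     em0
192.168.0.140      link#1             UHS    lo0'

# Replays the two gateways the route adds in the log used; prints one
# "GATEWAY ok|unreachable" line per gateway.
replay_log_routes() {
    for gw in 192.168.0.1 10.4.0.1; do
        if gw_reachable "$gw" "$FIB1_TABLE"; then
            echo "$gw ok"
        else
            echo "$gw unreachable"
        fi
    done
}

replay_log_routes
```

On a live box feed it the output of `setfib 1 netstat -rn -f inet` and the gateway OpenVPN is about to use (for example `$route_vpn_gateway` inside a `--route-up` script) to spot the missing tun interface route in that FIB before the adds fail.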
On Sat, Apr 22, 2017, at 09:05 PM, Ultima wrote:
> The problem to me looks to be because there is no ip address on fib 1,
> but I'm not sure how openvpn can initiate the connect to the vpn with
> no ip address. Try and ping something using fib 1. The result will
> probably be no route to host. Many of the route commands are failing
> in the openvpn log because of this. If an 192.168.0.0/24 ip is added
> to the fib, this should fix the problem.
>
> Hope this helps,
> Ultima
>
> On Tue, Apr 18, 2017 at 9:12 PM, bsd <bsd at stuckat99.com> wrote:
>> I am trying to use OpenVPN and multiple fibs on FreeBSD 11-p9.
>> The issue is, when I use net.add_addr_allfibs=0 instead of
>> net.add_addr_allfibs=1 in my /boot/loader.conf, OpenVPN fails to be
>> able to add the routes properly and the VPN will not function properly.
>>
>> OpenVPN works 100% fine when I use net.add_addr_allfibs=1 but my
>> requirements need this to be set to 0 to turn off its behavior of
>> adding routes to all fibs.
>>
>> # /boot/loader.conf
>> net.fibs=3
>> net.add_addr_allfibs=0
>>
>> Since I am using net.add_addr_allfibs=0, I have a clean routing table
>> and I have to add the initial route and gateway for my router manually
>> to get fib 1 routeable to the internet.
>>
>> # setfib 1 route add -net 192.168.0.0/24 -iface ue0
>> # setfib 1 route add default 192.168.0.1
>>
>> For some odd reason I must also bring up a tun device manually,
>> otherwise OpenVPN cannot. I have set my config to use tun10 for this
>> test.
>>
>> # sysrc openvpn_if="tun10"
>> # ifconfig tun10 up
>>
>> My routing table before I start
>>
>> # setfib 1 netstat -rn
>> Routing tables (fib: 1)
>>
>> Internet:
>> Destination Gateway Flags Netif Expire
>> default 192.168.0.1 UGS ue0
>> 127.0.0.1 lo0 UHS lo0
>> 192.168.0.0/24 b8:27:eb:fd:22:10 US ue0
>>
>> Internet6:
>> Destination        Gateway            Flags  Netif Expire
>> ::/96              ::1                UGRS   lo0
>> ::1                lo0                UHS    lo0
>> ::ffff:0.0.0.0/96  ::1                UGRS   lo0
>> fe80::/10          ::1                UGRS   lo0
>> fe80::%lo0/64      link#1             U      lo0
>> ff02::/16          ::1                UGRS   lo0
>>
>> Let's try to connect OpenVPN
>>
>> # setfib 1 openvpn dallas.ovpn
>> Thu Oct 27 12:11:32 2016 OpenVPN 2.3.11 armv6-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 25 2016
>> Thu Oct 27 12:11:32 2016 library versions: OpenSSL 1.0.2j-freebsd 26 Sep 2016, LZO 2.09
>> Thu Oct 27 12:11:32 2016 Control Channel Authentication: tls-auth using INLINE static key file
>> Thu Oct 27 12:11:32 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Oct 27 12:11:32 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Oct 27 12:11:32 2016 Socket Buffers: R=[42080->42080] S=[9216->9216]
>> Thu Oct 27 12:11:32 2016 UDPv4 link local: [undef]
>> Thu Oct 27 12:11:32 2016 UDPv4 link remote: [AF_INET]107.183.238.186:443
>> Thu Oct 27 12:11:32 2016 TLS: Initial packet from [AF_INET]107.183.238.186:443, sid=c8b24ffa a8737d61
>> Thu Oct 27 12:11:32 2016 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info at airvpn.org
>> Thu Oct 27 12:11:32 2016 Validating certificate key usage
>> Thu Oct 27 12:11:32 2016 ++ Certificate has key usage 00a0, expects 00a0
>> Thu Oct 27 12:11:32 2016 VERIFY KU OK
>> Thu Oct 27 12:11:32 2016 Validating certificate extended key usage
>> Thu Oct 27 12:11:32 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
>> Thu Oct 27 12:11:32 2016 VERIFY EKU OK
>> Thu Oct 27 12:11:32 2016 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info at airvpn.org
>> Thu Oct 27 12:11:36 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
>> Thu Oct 27 12:11:36 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Oct 27 12:11:36 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
>> Thu Oct 27 12:11:36 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Oct 27 12:11:36 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
>> Thu Oct 27 12:11:36 2016 [server] Peer Connection Initiated with [AF_INET]107.183.238.186:443
>> Thu Oct 27 12:11:39 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
>> Thu Oct 27 12:11:39 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.17.25 255.255.0.0'
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: timers and/or timeouts modified
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: LZO parms modified
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: --ifconfig/up options modified
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: route options modified
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: route-related options modified
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
>> Thu Oct 27 12:11:39 2016 ROUTE_GATEWAY 192.168.0.1
>> Thu Oct 27 12:11:39 2016 TUN/TAP device tun10 exists previously, keep at program end
>> Thu Oct 27 12:11:39 2016 TUN/TAP device /dev/tun10 opened
>> Thu Oct 27 12:11:39 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
>> Thu Oct 27 12:11:39 2016 /sbin/ifconfig tun10 10.4.17.25 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
>> Thu Oct 27 12:11:39 2016 /sbin/route add -net 10.4.0.0 10.4.17.25 255.255.0.0
>> route: writing to routing socket: Network is unreachable
>> add net 10.4.0.0: gateway 10.4.17.25 fib 1: Network is unreachable
>> Thu Oct 27 12:11:39 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>> Thu Oct 27 12:11:44 2016 /sbin/route add -net 107.183.238.186 192.168.0.1 255.255.255.255
>> add net 107.183.238.186: gateway 192.168.0.1 fib 1
>> Thu Oct 27 12:11:44 2016 /sbin/route add -net 0.0.0.0 10.4.0.1 128.0.0.0
>> route: writing to routing socket: Network is unreachable
>> add net 0.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
>> Thu Oct 27 12:11:44 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>> Thu Oct 27 12:11:44 2016 /sbin/route add -net 128.0.0.0 10.4.0.1 128.0.0.0
>> route: writing to routing socket: Network is unreachable
>> add net 128.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
>> Thu Oct 27 12:11:44 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>> Thu Oct 27 12:11:44 2016 Initialization Sequence Completed
>>
>> The routes are failing to add and the VPN is not configured
>> properly in the end.
>>
>> My routing table now. We can see that the VPN did not configure
>> properly. The desired behavior is that it would set the VPN to be the
>> default gateway and route all traffic over it, but only for FIB 1.
>>
>> # setfib 1 netstat -rn
>> Routing tables (fib: 1)
>>
>> Internet:
>> Destination Gateway Flags Netif Expire
>> default 192.168.0.1 UGS ue0
>> 107.183.238.186/32 192.168.0.1 UGS ue0
>> 127.0.0.1 lo0 UHS lo0
>> 192.168.0.0/24 b8:27:eb:fd:22:10 US ue0
>>
>> Internet6:
>> Destination        Gateway            Flags  Netif Expire
>> ::/96              ::1                UGRS   lo0
>> ::1                lo0                UHS    lo0
>> ::ffff:0.0.0.0/96  ::1                UGRS   lo0
>> fe80::/10          ::1                UGRS   lo0
>> fe80::%lo0/64      link#1             U      lo0
>> ff02::/16          ::1                UGRS   lo0
>>
>>
>> Is this a bug or have I missed something?
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"