Openvpn broken when using net.add_addr_allfibs=0, routes are not adding
bsd
bsd at stuckat99.com
Mon May 1 04:18:07 UTC 2017
Hi,
Thanks for helping me track down the issue. I tried all of the ifconfig
commands and manually added fib 1 to each one and everything worked. I
will post a bugzilla report. :) This was driving me nuts.
On Sun, Apr 30, 2017, at 08:47 PM, Ultima wrote:
> > Thu Mar 30 19:26:40 2017 /sbin/ifconfig tun0 10.4.17.25 10.4.0.1 mtu
> > 1500 netmask 255.255.0.0 up
>
> ifconfig is not respecting setfib on tun interfaces. Manually adding
> fib 1 at the end of the command above will properly add it to the
> correct fib. I suggest posting a bug on bugzilla about this.
>
> This also is occurring on head r317574.
>
> On Sun, Apr 30, 2017 at 10:28 PM, bsd <bsd at stuckat99.com> wrote:
>> Hello,
>>
>> I tried adding an ip for fib 1 and I am having the same results.
>>
>> My routing table before adding any IPs
>>
>> setfib 1 netstat -rn
>>
>> Internet:
>> Destination        Gateway            Flags     Netif Expire
>> 127.0.0.1          lo0                UHS         lo0
>>
>> Internet6:
>> Destination        Gateway            Flags     Netif Expire
>> ::/96              ::1                UGRS        lo0
>> ::1                lo0                UHS         lo0
>> ::ffff:0.0.0.0/96  ::1                UGRS        lo0
>> fe80::/10          ::1                UGRS        lo0
>> fe80::%lo0/64      link#3             U           lo0
>> ff02::/16          ::1                UGRS        lo0
>>
>> Adding an IP for fib 1, and adding the route and gateway
>>
>> ifconfig em0 inet 192.168.0.140/24 add fib 1
>> setfib 1 route add -net 192.168.0.0/24 -iface em0
>> setfib 1 route add default 192.168.0.1
>>
>> My routing table now
>>
>> setfib 1 netstat -rn
>> Routing tables (fib: 1)
>>
>> Internet:
>> Destination        Gateway            Flags     Netif Expire
>> default            192.168.0.1        UGS         em0
>> 127.0.0.1          lo0                UHS         lo0
>> 192.168.0.0/24     00:1d:09:7d:e4:d6  US          em0
>> 192.168.0.140      link#1             UHS         lo0
>>
>> Internet6:
>> Destination        Gateway            Flags     Netif Expire
>> ::/96              ::1                UGRS        lo0
>> ::1                lo0                UHS         lo0
>> ::ffff:0.0.0.0/96  ::1                UGRS        lo0
>> fe80::/10          ::1                UGRS        lo0
>> fe80::%lo0/64      link#3             U           lo0
>> ff02::/16          ::1                UGRS        lo0
>>
>> A ping test for good measure
>>
>> ping -c 2 google.com
>> PING google.com (172.217.11.78): 56 data bytes
>> 64 bytes from 172.217.11.78: icmp_seq=0 ttl=55 time=27.301 ms
>> 64 bytes from 172.217.11.78: icmp_seq=1 ttl=55 time=20.904 ms
>>
>> --- google.com ping statistics ---
>> 2 packets transmitted, 2 packets received, 0.0% packet loss
>> round-trip min/avg/max/stddev = 20.904/24.102/27.301/3.198 ms
>>
>> What happens when I test the VPN
>>
>> setfib 1 openvpn myvpn.ovpn
>>
>> Thu Mar 30 19:26:39 2017 OpenVPN 2.4.1 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Apr 29 2017
>> Thu Mar 30 19:26:39 2017 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
>> Thu Mar 30 19:26:39 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Mar 30 19:26:39 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Mar 30 19:26:39 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]107.183.238.186:443
>> Thu Mar 30 19:26:39 2017 Socket Buffers: R=[42080->42080] S=[9216->9216]
>> Thu Mar 30 19:26:39 2017 UDP link local: (not bound)
>> Thu Mar 30 19:26:39 2017 UDP link remote: [AF_INET]107.183.238.186:443
>> Thu Mar 30 19:26:39 2017 TLS: Initial packet from [AF_INET]107.183.238.186:443, sid=aba0890c 250effe8
>> Thu Mar 30 19:26:39 2017 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info at airvpn.org
>> Thu Mar 30 19:26:39 2017 VERIFY KU OK
>> Thu Mar 30 19:26:39 2017 Validating certificate extended key usage
>> Thu Mar 30 19:26:39 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
>> Thu Mar 30 19:26:39 2017 VERIFY EKU OK
>> Thu Mar 30 19:26:39 2017 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info at airvpn.org
>> Thu Mar 30 19:26:39 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
>> Thu Mar 30 19:26:39 2017 [server] Peer Connection Initiated with [AF_INET]107.183.238.186:443
>> Thu Mar 30 19:26:40 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
>> Thu Mar 30 19:26:40 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.17.25 255.255.0.0'
>> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: timers and/or timeouts modified
>> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: compression parms modified
>> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: --ifconfig/up options modified
>> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: route options modified
>> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: route-related options modified
>> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
>> Thu Mar 30 19:26:40 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
>> Thu Mar 30 19:26:40 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Mar 30 19:26:40 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
>> Thu Mar 30 19:26:40 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Mar 30 19:26:40 2017 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=em0 HWADDR=00:1d:09:7d:e4:d6
>> Thu Mar 30 19:26:40 2017 TUN/TAP device /dev/tun0 opened
>> Thu Mar 30 19:26:40 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
>> Thu Mar 30 19:26:40 2017 /sbin/ifconfig tun0 10.4.17.25 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
>> Thu Mar 30 19:26:40 2017 /sbin/route add -net 10.4.0.0 10.4.0.1 255.255.0.0
>> route: writing to routing socket: Network is unreachable
>> add net 10.4.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
>> Thu Mar 30 19:26:40 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>> Thu Mar 30 19:26:45 2017 /sbin/route add -net 107.183.238.186 192.168.0.1 255.255.255.255
>> add net 107.183.238.186: gateway 192.168.0.1 fib 1
>> Thu Mar 30 19:26:45 2017 /sbin/route add -net 0.0.0.0 10.4.0.1 128.0.0.0
>> route: writing to routing socket: Network is unreachable
>> add net 0.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
>> Thu Mar 30 19:26:45 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>> Thu Mar 30 19:26:45 2017 /sbin/route add -net 128.0.0.0 10.4.0.1 128.0.0.0
>> route: writing to routing socket: Network is unreachable
>> add net 128.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
>> Thu Mar 30 19:26:45 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>> Thu Mar 30 19:26:45 2017 Initialization Sequence Completed
>>
>> Of course if I try this on fib 0 it works just fine and adds all the
>> routes.
>>
>> On Sat, Apr 22, 2017, at 09:05 PM, Ultima wrote:
>>> The problem to me looks to be because there is no ip address on fib
>>> 1, but I'm not sure how openvpn can initiate the connection to the vpn
>>> with no ip address. Try and ping something using fib 1. The result
>>> will probably be no route to host. Many of the route commands are
>>> failing in the openvpn log because of this. If a 192.168.0.0/24 ip
>>> is added to the fib, this should fix the problem.
>>>
>>> Hope this helps,
>>> Ultima
>>>
>>> On Tue, Apr 18, 2017 at 9:12 PM, bsd <bsd at stuckat99.com> wrote:
>>>> I am trying to use OpenVPN and multiple fibs on FreeBSD 11-p9. The
>>>> issue is, when I use net.add_addr_allfibs=0 instead of
>>>> net.add_addr_allfibs=1 in my /boot/loader.conf, OpenVPN fails to be
>>>> able to add the routes properly and the VPN will not function
>>>> properly.
>>>>
>>>> OpenVPN works 100% fine when I use net.add_addr_allfibs=1 but my
>>>> requirements need this to be set to 0 to turn off its behavior of
>>>> adding routes to all fibs.
>>>>
>>>> # /boot/loader.conf
>>>> net.fibs=3
>>>> net.add_addr_allfibs=0
>>>>
>>>> Since I am using net.add_addr_allfibs=0, I have a clean routing
>>>> table and I have to add the initial route and gateway for my
>>>> router manually to get fib 1 routable to the internet.
>>>>
>>>> # setfib 1 route add -net 192.168.0.0/24 -iface ue0
>>>> # setfib 1 route add default 192.168.0.1
>>>>
>>>> For some odd reason I must also bring up a tun device manually,
>>>> otherwise OpenVPN cannot. I have set my config to use tun10 for
>>>> this test.
>>>>
>>>> # sysrc openvpn_if="tun10"
>>>> # ifconfig tun10 up
>>>>
>>>> My routing table before I start
>>>>
>>>> # setfib 1 netstat -rn
>>>> Routing tables (fib: 1)
>>>>
>>>> Internet:
>>>> Destination        Gateway            Flags     Netif Expire
>>>> default            192.168.0.1        UGS         ue0
>>>> 127.0.0.1          lo0                UHS         lo0
>>>> 192.168.0.0/24     b8:27:eb:fd:22:10  US          ue0
>>>>
>>>> Internet6:
>>>> Destination        Gateway            Flags     Netif Expire
>>>> ::/96              ::1                UGRS        lo0
>>>> ::1                lo0                UHS         lo0
>>>> ::ffff:0.0.0.0/96  ::1                UGRS        lo0
>>>> fe80::/10          ::1                UGRS        lo0
>>>> fe80::%lo0/64      link#1             U           lo0
>>>> ff02::/16          ::1                UGRS        lo0
>>>>
>>>> Let's try to connect OpenVPN
>>>>
>>>> # setfib 1 openvpn dallas.ovpn
>>>> Thu Oct 27 12:11:32 2016 OpenVPN 2.3.11 armv6-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 25 2016
>>>> Thu Oct 27 12:11:32 2016 library versions: OpenSSL 1.0.2j-freebsd 26 Sep 2016, LZO 2.09
>>>> Thu Oct 27 12:11:32 2016 Control Channel Authentication: tls-auth using INLINE static key file
>>>> Thu Oct 27 12:11:32 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
>>>> Thu Oct 27 12:11:32 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
>>>> Thu Oct 27 12:11:32 2016 Socket Buffers: R=[42080->42080] S=[9216->9216]
>>>> Thu Oct 27 12:11:32 2016 UDPv4 link local: [undef]
>>>> Thu Oct 27 12:11:32 2016 UDPv4 link remote: [AF_INET]107.183.238.186:443
>>>> Thu Oct 27 12:11:32 2016 TLS: Initial packet from [AF_INET]107.183.238.186:443, sid=c8b24ffa a8737d61
>>>> Thu Oct 27 12:11:32 2016 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info at airvpn.org
>>>> Thu Oct 27 12:11:32 2016 Validating certificate key usage
>>>> Thu Oct 27 12:11:32 2016 ++ Certificate has key usage 00a0, expects 00a0
>>>> Thu Oct 27 12:11:32 2016 VERIFY KU OK
>>>> Thu Oct 27 12:11:32 2016 Validating certificate extended key usage
>>>> Thu Oct 27 12:11:32 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
>>>> Thu Oct 27 12:11:32 2016 VERIFY EKU OK
>>>> Thu Oct 27 12:11:32 2016 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info at airvpn.org
>>>> Thu Oct 27 12:11:36 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
>>>> Thu Oct 27 12:11:36 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>>>> Thu Oct 27 12:11:36 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
>>>> Thu Oct 27 12:11:36 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>>>> Thu Oct 27 12:11:36 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
>>>> Thu Oct 27 12:11:36 2016 [server] Peer Connection Initiated with [AF_INET]107.183.238.186:443
>>>> Thu Oct 27 12:11:39 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
>>>> Thu Oct 27 12:11:39 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.17.25 255.255.0.0'
>>>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: timers and/or timeouts modified
>>>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: LZO parms modified
>>>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: --ifconfig/up options modified
>>>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: route options modified
>>>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: route-related options modified
>>>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
>>>> Thu Oct 27 12:11:39 2016 ROUTE_GATEWAY 192.168.0.1
>>>> Thu Oct 27 12:11:39 2016 TUN/TAP device tun10 exists previously, keep at program end
>>>> Thu Oct 27 12:11:39 2016 TUN/TAP device /dev/tun10 opened
>>>> Thu Oct 27 12:11:39 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
>>>> Thu Oct 27 12:11:39 2016 /sbin/ifconfig tun10 10.4.17.25 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
>>>> Thu Oct 27 12:11:39 2016 /sbin/route add -net 10.4.0.0 10.4.17.25 255.255.0.0
>>>> route: writing to routing socket: Network is unreachable
>>>> add net 10.4.0.0: gateway 10.4.17.25 fib 1: Network is unreachable
>>>> Thu Oct 27 12:11:39 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>>>> Thu Oct 27 12:11:44 2016 /sbin/route add -net 107.183.238.186 192.168.0.1 255.255.255.255
>>>> add net 107.183.238.186: gateway 192.168.0.1 fib 1
>>>> Thu Oct 27 12:11:44 2016 /sbin/route add -net 0.0.0.0 10.4.0.1 128.0.0.0
>>>> route: writing to routing socket: Network is unreachable
>>>> add net 0.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
>>>> Thu Oct 27 12:11:44 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>>>> Thu Oct 27 12:11:44 2016 /sbin/route add -net 128.0.0.0 10.4.0.1 128.0.0.0
>>>> route: writing to routing socket: Network is unreachable
>>>> add net 128.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
>>>> Thu Oct 27 12:11:44 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>>>> Thu Oct 27 12:11:44 2016 Initialization Sequence Completed
>>>>
>>>> The routes are failing to add and the VPN is not configured
>>>> properly in the end.
>>>>
>>>> My routing table now. We can see that the VPN did not configure
>>>> properly. The desired behavior is that it would set the VPN to be
>>>> the default gateway and route all traffic over it, but only for
>>>> FIB 1.
>>>>
>>>> # setfib 1 netstat -rn
>>>> Routing tables (fib: 1)
>>>>
>>>> Internet:
>>>> Destination        Gateway            Flags     Netif Expire
>>>> default            192.168.0.1        UGS         ue0
>>>> 107.183.238.186/32 192.168.0.1        UGS         ue0
>>>> 127.0.0.1          lo0                UHS         lo0
>>>> 192.168.0.0/24     b8:27:eb:fd:22:10  US          ue0
>>>>
>>>> Internet6:
>>>> Destination        Gateway            Flags     Netif Expire
>>>> ::/96              ::1                UGRS        lo0
>>>> ::1                lo0                UHS         lo0
>>>> ::ffff:0.0.0.0/96  ::1                UGRS        lo0
>>>> fe80::/10          ::1                UGRS        lo0
>>>> fe80::%lo0/64      link#1             U           lo0
>>>> ff02::/16          ::1                UGRS        lo0
>>>>
>>>> Is this a bug or have I missed something?
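The fix the thread ends on (an explicit `fib` on the tun ifconfig, then every route run under setfib) written up as an OpenVPN up script, as an added example that is not from the thread, FreeBSD or OpenVPN. The .ovpn options it expects, the VPN_FIB variable and the DRY_RUN mode are assumptions; the route list mirrors what the pushed `redirect-gateway def1` produced in the logs above.

```shell
#!/bin/sh
# Added example (not from the thread): an OpenVPN --up script for FreeBSD that
# redoes the interface and route setup from the logs above, but with "fib N" on
# the ifconfig and setfib(1) on every route, since the ifconfig OpenVPN runs by
# itself does not inherit the FIB it was started under.
#
# Assumed .ovpn settings (check openvpn(8) for your version):
#   script-security 2 / ifconfig-noexec / route-noexec / up /path/to/this.sh
# OpenVPN exports dev, tun_mtu, ifconfig_local, ifconfig_netmask,
# route_vpn_gateway, route_net_gateway and trusted_ip to the script.
# VPN_FIB is our own variable; DRY_RUN=1 prints the commands instead of
# running them, so the logic can be checked without root or a tunnel.

VPN_FIB="${VPN_FIB:-1}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Network address of "ip mask" as a dotted quad: 10.4.17.25 255.255.0.0 -> 10.4.0.0
# (subshell body so the IFS change stays local; exit only ends the subshell)
vpn_net() (
    IFS=.; set -- $1 $2
    [ $# -eq 8 ] || exit 1
    printf '%d.%d.%d.%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
)

# Arguments: dev local_ip netmask vpn_gw net_gw server mtu
# Installs, all in $VPN_FIB, what "redirect-gateway def1" with "topology subnet"
# asked for: the tunnel subnet, a host route to the VPN server via the original
# gateway (so tunnel packets keep leaving on the LAN) and two /1 routes via the
# VPN gateway that beat the existing default without replacing it.
vpn_up() {
    dev="$1" ip="$2" mask="$3" vpn_gw="$4" net_gw="$5" server="$6" mtu="$7"
    net=$(vpn_net "$ip" "$mask") || return 1
    run /sbin/ifconfig "$dev" "$ip" "$vpn_gw" mtu "$mtu" netmask "$mask" up fib "$VPN_FIB" &&
    run setfib "$VPN_FIB" /sbin/route add -net "$net" "$vpn_gw" "$mask" &&
    run setfib "$VPN_FIB" /sbin/route add -net "$server" "$net_gw" 255.255.255.255 &&
    run setfib "$VPN_FIB" /sbin/route add -net 0.0.0.0 "$vpn_gw" 128.0.0.0 &&
    run setfib "$VPN_FIB" /sbin/route add -net 128.0.0.0 "$vpn_gw" 128.0.0.0
}

# When started by OpenVPN, take every value from its environment.
if [ -n "$dev" ] && [ -n "$ifconfig_local" ]; then
    vpn_up "$dev" "$ifconfig_local" "${ifconfig_netmask:-255.255.255.255}" \
        "$route_vpn_gateway" "$route_net_gateway" "$trusted_ip" "${tun_mtu:-1500}"
fi
```

Run with `DRY_RUN=1` first and compare the printed commands against the `/sbin/ifconfig` and `/sbin/route` lines OpenVPN logged; the only differences should be the trailing `fib N` and the `setfib N` prefix.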