[NAS4Free] Cannot delete routes, they reappear after restart

Hello dear forum.

I have a very strange problem. First let me show you the output of netstat -r:

Code:
nas4free:~# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            DD-WRT             UGS         0    21230    re0
10.1.2.0           10.1.2.2           UGS         0        0   tun0
10.1.2.1           link#7             UHS         0        0    lo0
10.1.2.2           link#7             UH          0        0   tun0
localhost          link#6             UH          0      710    lo0
192.168.2.0        link#3             U           0     1709    re0
nas4free           link#3             UHS         0        0    lo0

I want to delete the route 10.1.2.0 to the 10.1.2.2 gateway, so I typed:
route delete -net 10.1.2.0/24 10.1.2.2 255.255.255.0

output
Code:
nas4free:~# route delete -net 10.1.2.0/24 10.1.2.2 255.255.255.0
delete net 10.1.2.0: gateway 10.1.2.2

But as soon as I restart the server or restart my OpenVPN server the route reappears!
I've also tried route flush command without success, I added the routes with the route add command. No matter what I do I can't seem to get rid of them. The reason I want them gone is because it was a typo on my end.

I've no extra setting in my Openvpn server config that adds routes to the FreeBSD system. only push commands.

I want to delete all the 10.x.x.x entries, but as soon as I delete them, they stay deleted only until I restart the server or OpenVPN.
 
This looks like a "directly connected" network. The VPN interface has address 10.1.2.2/24. The network 10.1.2.0/24 is then automatically added.

Why is that a problem?
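Reading the flags column of the table the OP posted helps here. The following is an added example of mine (a small script, not anything from the thread or from NAS4Free). A route whose flags are just U, such as 192.168.2.0 on re0, is the interface route the kernel installs when an address is configured, so deleting it lasts only until the interface comes back. The 10.1.2.0 entry is UGS instead: a static route via the gateway 10.1.2.2. With `dev tun` and `server 10.1.2.0 255.255.255.0`, OpenVPN itself adds exactly that route via its tun peer address each time it starts, which matches the OP seeing it return after an OpenVPN restart. The script classifies netstat -r lines by those letters; the sample table is copied from the OP's output.

```shell
#!/bin/sh
# Added example (my own script, not from the thread or NAS4Free): classify the
# entries of a FreeBSD "netstat -r" table by their flag letters, so it is clear
# which routes the kernel (or a daemon) will put back after a restart.
#
# Flag letters, from netstat(1)/route(8):
#   U = route is usable      G = traffic goes via a gateway
#   H = host route           S = static, i.e. added by "route add" or by a
#                                daemon such as OpenVPN, not by the kernel

# Constructed sample: the "Internet:" part of the OP's netstat -r output.
SAMPLE_ROUTES='default            DD-WRT             UGS         0    21230    re0
10.1.2.0           10.1.2.2           UGS         0        0   tun0
10.1.2.1           link#7             UHS         0        0    lo0
10.1.2.2           link#7             UH          0        0   tun0
localhost          link#6             UH          0      710    lo0
192.168.2.0        link#3             U           0     1709    re0
nas4free           link#3             UHS         0        0    lo0'

# classify_route FLAGS
# Prints: static-gateway (UGS), gateway (UG), host (UH/UHS), or interface (U).
classify_route() {
    case $1 in
        *G*S*|*S*G*) echo static-gateway ;;  # default via the router, or 10.1.2.0 via 10.1.2.2 added by OpenVPN
        *G*)         echo gateway ;;         # via a gateway but not marked static
        *H*)         echo host ;;            # single address: interface addresses and the tun peer
        *)           echo interface ;;       # installed with the interface address; returns with the interface
    esac
}

# report_routes: read netstat -r lines on stdin, print "dest via gw on netif: class"
report_routes() {
    while read -r dest gw flags refs use netif expire; do
        [ -n "$dest" ] || continue
        echo "$dest via $gw on $netif: $(classify_route "$flags")"
    done
}

# count_class CLASS: number of sample routes that fall into CLASS
count_class() {
    printf '%s\n' "$SAMPLE_ROUTES" | report_routes | grep -c ": $1\$"
}

# On a live box replace the sample with:  netstat -rn -f inet | tail -n +5 | report_routes
printf '%s\n' "$SAMPLE_ROUTES" | report_routes
```

The practical consequence: a "static-gateway" route on tun0 is owned by whatever daemon created it, so the place to change it is that daemon's configuration (here the `server` line in server.conf), not `route delete`.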
 
The problem is that I am trying to run an OpenVPN server. My router is on the 192.168.2.x net. The local IP address to the server is 192.168.2.10. The internal OpenVPN pool is 10.1.2.x.

Output of ifconfig
Code:
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::12bf:48ff:fe7a:c8e3%tun0 prefixlen 64 scopeid 0x7
        inet 10.1.2.1 --> 10.1.2.2 netmask 0xffffffff
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 3115
The traffic is going nowhere, I can connect to the OpenVPN server without problem, but with no Internet access.
 
Did you enable forwarding? Add to /etc/rc.conf:
Code:
gateway_enable="YES"

Also make sure your router knows where 10.1.2.0/24 is by adding a static route to it.
 
Gateway has always been enabled, as well as net.inet.ip.forwarding=1. I added a static route in my DD-WRT router, these are the settings.

Code:
Destination LAN NET: 10.1.2.0 (Internal IP-pool for OpenVPN)
Subnet Mask: 255.255.255.0
Gateway: 192.168.2.10 (Lan IP of the OpenVPN server)

I am now able to connect to my OpenVPN server and ping both 192.168.2.1 (my router address) and 192.168.2.10 (server). I am also able to connect to both of them with SSH and telnet.

But I still have no internet access. When I connect to my router via telnet, I am able to ping the outside world, and from the server as well.

OpenVPN server.conf:

Code:
port 6521
mode server
tls-server
proto tcp-server
dev tun

client-cert-not-required
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key /usr/local/etc/openvpn/server.key
dh /usr/local/etc/openvpn/dh1024.pem
plugin /usr/local/lib/openvpn-auth-pam.so login


server 10.1.2.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DNS 192.168.2.1"
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120

cipher AES-128-CBC

comp-lzo
user root
group wheel
persist-key
persist-tun
verb 3
script-security 2

Forgot to say that I am also able to ping 10.1.2.0 from 192.168.2.1 (via telnet access), so I can confirm that I can ping 192.168.2.1 when I am connected to the OpenVPN server, and when I'm not connected (connected directly to the router) I am able to ping 10.1.2.1 (OpenVPN server).
 
kpa said:
Do you have NAT set up for the 10.1.2.0/24 network anywhere?

As far as I can tell no, the server has no firewall/SPI/NAT enabled, this I am sure of. However my router has both SPI (firewall) and NAT enabled. I am able to connect to my router via telnet and ping the 10.1.2.x net, as well as connect to the 10.1.2.x net and ping the 192.168.2.x net.
 
To reach internet from the VPN network 10.1.2.0/24 there has to be a NAT somewhere that hides the private range (source) addresses in outgoing packets. Your router very likely does not provide NAT automatically for the 10.1.2.0/24 network that it does not know about. Check if you can set the router to provide the NAT or do it on the OpenVPN server.
 
kpa said:
To reach internet from the VPN network 10.1.2.0/24 there has to be a NAT somewhere that hides the private range (source) addresses in outgoing packets. Your router very likely does not provide NAT automatically for the 10.1.2.0/24 network that it does not know about. Check if you can set the router to provide the NAT or do it on the OpenVPN server.

You are right, my Linux based router (DD-WRT) does provide NAT automatically for my OpenVPN subnet, and unfortunately I'm using Nas4Free which does not have support for NAT in the firewall/kernel.

I have not found any links on how to enable NAT on another subnet with DD-WRT. I've also tried to put this command in my firewall rules for DD-WRT without success.

Code:
iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -o eth0 -j MASQUERADE

The whole story is that I'm tunneling OpenVPN traffic through Stunnel
Code:
OpenVPN client -> Stunnel client -> Stunnel Server (port 7589) -> OpenVPN server (port 6521)
The reason I'm doing this is that I have relatives and friends in a country that blocks access to YouTube and Facebook etc.

The OpenVPN connection is successful from the Internet (through stunnel) to my OpenVPN server, and I am able to ping my router from that country. But no internet access. And I need to forward all the Internet traffic from the clients to my server.

It appears I'm stuck, is there anything I can do?

And also, could a mod change the topic name to something more appropriate for my situation?
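What the thread arrives at but never shows: kpa's point is that some device must source-NAT 10.1.2.0/24, and doing it on the OpenVPN server itself removes the dependency on the DD-WRT router. Below is an added example of mine (not from the thread, NAS4Free or OpenVPN) of a minimal pf(4) ruleset on the FreeBSD side, written as a script that renders the ruleset, syntax-checks it with `pfctl -n`, and applies it only when asked. The interface names re0/tun0, the pool 10.1.2.0/24 and port 6521 come from the OP's posts; the assumptions are that the kernel has pf available (the OP reports the NAS4Free image does not, so this targets a FreeBSD host where it is) and that rc.conf is managed the stock FreeBSD way.

```shell
#!/bin/sh
# Added example (mine, not from the thread, NAS4Free or OpenVPN): source-NAT the
# OpenVPN pool behind the server's LAN address with pf(4), so clients that get
# "redirect-gateway" reach the internet without the router knowing 10.1.2.0/24.
# Values below come from the OP's posts; pf availability and the rc.conf
# handling are assumptions for a stock FreeBSD host.

EXT_IF=${EXT_IF:-re0}            # LAN-facing interface of the OpenVPN server (OP's netstat)
VPN_IF=${VPN_IF:-tun0}           # OpenVPN tun device
VPN_NET=${VPN_NET:-10.1.2.0/24}  # "server 10.1.2.0 255.255.255.0" in server.conf
OVPN_PORT=${OVPN_PORT:-6521}     # "port 6521" / "proto tcp-server" in server.conf

# write_pf_conf FILE: render the ruleset into FILE.
write_pf_conf() {
    cat > "$1" <<EOF
# pf.conf - NAT for the OpenVPN pool (generated)
ext_if = "$EXT_IF"
vpn_if = "$VPN_IF"
vpn_net = "$VPN_NET"

# Rewrite VPN client source addresses to the LAN address of \$ext_if.
# "(\$ext_if)" in parentheses follows the interface address if it changes.
nat on \$ext_if from \$vpn_net to any -> (\$ext_if)

# No block rules here (pf passes by default); these only keep state for the
# flows the NAT rewrites and document the intended paths.
pass out on \$ext_if keep state
pass in on \$vpn_if from \$vpn_net to any keep state
pass in on \$ext_if proto tcp to (\$ext_if) port $OVPN_PORT keep state
EOF
}

# validate_pf_conf FILE: syntax-check only (pfctl -n parses without loading).
# Returns 0 where pfctl is absent so the file can be rendered and reviewed elsewhere.
validate_pf_conf() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not found here; review $1 by hand" >&2
    fi
}

# nat_rule_count FILE: number of "nat on" rules in FILE (sanity check).
nat_rule_count() {
    grep -c '^nat on ' "$1"
}

# apply_pf_conf: install, persist and load. Forwarding is separate
# (gateway_enable="YES" / net.inet.ip.forwarding=1), which the OP already has.
apply_pf_conf() {
    write_pf_conf /etc/pf.conf
    validate_pf_conf /etc/pf.conf || return 1
    sysrc pf_enable=YES pf_rules=/etc/pf.conf   # stock FreeBSD; NAS4Free keeps rc.conf itself
    service pf start 2>/dev/null || service pf reload
}

case ${1:-render} in
    apply) apply_pf_conf ;;
    *)     tmp=$(mktemp)
           write_pf_conf "$tmp" && cat "$tmp" && validate_pf_conf "$tmp"
           rm -f "$tmp" ;;
esac
```

Run it without arguments to see and parse-check the rendered ruleset, and with `apply` (as root) to install it. With NAT on the server, the router never sees 10.1.2.x sources, only 192.168.2.10, so the static route on DD-WRT becomes unnecessary. If the NAT is to live on DD-WRT instead, the `-o eth0` in the OP's MASQUERADE rule has to name the router's real WAN interface (check `ip route show default`; on many DD-WRT builds it is vlan2 or ppp0 rather than eth0), the FORWARD chain must accept traffic from 10.1.2.0/24, and the static route stays required, because the router has to know where to send the de-NATed return packets.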
 