openVPN client add route error

marino · Nov 11, 2009

Right now I'm only interested in setting up a VPN client. I've done that using openVPN and I'm connecting to the swissvpn.com site. My local LAN is 192.168.0.x

Here is the complete sequence shown /var/log/messages log:

Code:

Nov 11 14:27:50 draco openvpn[1786]: OpenVPN 2.1_rc20 amd64-portbld-freebsd7.2 [SSL] [LZO2] built on Nov 11 2009
Nov 11 14:27:50 draco openvpn[1786]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 11 14:27:50 draco openvpn[1786]: Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Nov 11 14:27:50 draco openvpn[1786]: Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Nov 11 14:27:50 draco openvpn[1786]: Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth 
SHA1,keysize 128,key-method 2,tls-client'
Nov 11 14:27:50 draco openvpn[1786]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher 
BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Nov 11 14:27:50 draco openvpn[1786]: Local Options hash (VER=V4): 'db02a8f8'
Nov 11 14:27:50 draco openvpn[1786]: Expected Remote Options hash (VER=V4): '7e068940'
Nov 11 14:27:50 draco openvpn[1787]: Attempting to establish TCP connection with 80.254.79.87:443 [nonblock]
Nov 11 14:27:51 draco openvpn[1787]: TCP connection established with 80.254.79.87:443
Nov 11 14:27:51 draco openvpn[1787]: Socket Buffers: R=[65572->65536] S=[33124->65536]
Nov 11 14:27:51 draco openvpn[1787]: TCPv4_CLIENT link local: [undef]
Nov 11 14:27:51 draco openvpn[1787]: TCPv4_CLIENT link remote: 80.254.79.87:443
Nov 11 14:27:51 draco openvpn[1787]: TLS: Initial packet from 80.254.79.87:443, sid=6403cc73 9e244097
Nov 11 14:27:51 draco openvpn[1787]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 11 14:27:54 draco openvpn[1787]: VERIFY OK: depth=1, /C=CH/ST=ZH/L=Regensdorf/O=Monzoon_Networks_AG/OU=OpenVPN_CA/CN=OpenVPN-
CA/emailAddress=operations@monzoon.net
Nov 11 14:27:54 draco openvpn[1787]: VERIFY OK: nsCertType=SERVER
Nov 11 14:27:54 draco openvpn[1787]: VERIFY OK: depth=0, /C=CH/ST=ZH/O=Monzoon_Networks_AG/OU=OpenVPN_server/CN=server
/emailAddress=operations@monzoon.net
Nov 11 14:27:56 draco openvpn[1787]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 11 14:27:56 draco openvpn[1787]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 11 14:27:56 draco openvpn[1787]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 11 14:27:56 draco openvpn[1787]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 11 14:27:56 draco openvpn[1787]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Nov 11 14:27:56 draco openvpn[1787]: [server] Peer Connection Initiated with 80.254.79.87:443
Nov 11 14:27:59 draco openvpn[1787]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Nov 11 14:27:59 draco openvpn[1787]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 
80.254.79.157,dhcp-option DNS 80.254.77.39,route-gateway 80.254.76.129,topology subnet,ping 10,ping-restart 60,socket-flags 
TCP_NODELAY,ifconfig 80.254.76.210 255.255.255.128'
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: timers and/or timeouts modified
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: --socket-flags option modified
Nov 11 14:27:59 draco openvpn[1787]: NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: route options modified
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: route-related options modified
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Nov 11 14:27:59 draco openvpn[1787]: ROUTE default_gateway=192.168.0.1
Nov 11 14:27:59 draco openvpn[1787]: TUN/TAP device /dev/tun0 opened
Nov 11 14:27:59 draco openvpn[1787]: /sbin/ifconfig tun0 80.254.76.210 netmask 255.255.255.128 mtu 1500 up
Nov 11 14:27:59 draco openvpn[1787]: /sbin/route add -net 80.254.76.128 80.254.76.210 255.255.255.128
Nov 11 14:27:59 draco openvpn[1787]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Nov 11 14:27:59 draco openvpn[1787]: /sbin/route add -net 80.254.79.87 192.168.0.1 255.255.255.255
Nov 11 14:27:59 draco openvpn[1787]: /sbin/route add -net 0.0.0.0 80.254.76.129 128.0.0.0
Nov 11 14:27:59 draco openvpn[1787]: /sbin/route add -net 128.0.0.0 80.254.76.129 128.0.0.0
Nov 11 14:27:59 draco openvpn[1787]: Initialization Sequence Completed

note the error "ERROR: FreeBSD route add command failed: external program exited with error status: 1"

Is this line "ROUTE default_gateway=192.168.0.1" coming from the swissVPN openVPN server? So there's a conflict between it and my local LAN?

I really don't have a good grasp on the concept of routing, so be gentle here. Knowing that I have no control over the openVPN server, and that I'd prefer to keep using the TUN interface rather than a bridge, is there something that I can add to the client.conf file to make this conflict go away?

Is this error even hurting anything? the VPN seems to work.

SirDice · Nov 12, 2009

It's this line that causes the error:

Code:

/sbin/route add -net 80.254.76.128 80.254.76.210 255.255.255.128

That's because 80.254.76.210 is the IP address on tun0. You need to configure it to use the next hop (most likely 80.254.76.129).

marino · Nov 12, 2009

I doubt that I can. I'm just using a variation of the client.conf file that swissvpn gave me (see below). Those 80.254.76.* addresses are coming from swissvpn's openVPN server I think. I could be wrong, I don't really understand this stuff that well. Could it be a bad configuration on the server side that I just have to live with?

Code:

dev tun
client
proto tcp-client
remote connect-openvpn.swissvpn.net 443
ca ca.crt
auth-user-pass
reneg-sec 86400
ns-cert-type server

marino · Nov 14, 2009

so nobody knows if it's a server configuration problem, or if it's something I can fix on the client side?

DutchDaemon · Nov 14, 2009

Can you re-number your LAN to a 192.168.1.x network?

marino · Nov 15, 2009

I didn't think I could, but looking at the router configuration, apparently this is possible.

However, it might not be desirable. Most of my machines are given specific IP addresses, numerous configuration files would have to be revised. It's something I'd really like to avoid.

ctaranotte · Nov 15, 2009

could you share with us your ifconfig output?

marino · Nov 18, 2009

sure, this is with openvpn active:

Code:

draco-root# ifconfig -a
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:1d:60:af:29:ce
	inet 192.168.0.25 netmask 0xffffff00 broadcast 192.168.0.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000 
tun0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
	inet 80.254.76.137 netmask 0xffffff80 broadcast 80.254.76.255
	Opened by PID 76112

ctaranotte · Nov 19, 2009

From your /var/log/messages log:

Code:

....
Nov 11 14:27:59 draco openvpn[1787]: TUN/TAP device /dev/tun0 opened
Nov 11 14:27:59 draco openvpn[1787]: /sbin/ifconfig tun0 [color="red"]80.254.76.210[/color] netmask 255.255.255.128 mtu 1500 up
Nov 11 14:27:59 draco openvpn[1787]: /sbin/route add -net 80.254.76.128 80.254.76.210 255.255.255.128
Nov 11 14:27:59 draco openvpn[1787]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
.....

From your ifconfig output:

Code:

tun0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
	inet [color="Red"]80.254.76.137[/color] netmask 0xffffff80 broadcast 80.254.76.255
	Opened by PID 76112

your final tun0 IP (80.254.76.137) is not the one negotiated by OPENVPN (80.254.76.210).

No wonder ROUTE is exiting with error 1.

looks like an OPENVPN bug to me.

But just in case, I suggest your restart your box, post your ifconfig output, start openvpn and post again your ifconfig output together with your message.log. Let's see if something else is resetting your tun0.

EDIT: Have you tried security/openvpn-devel instead?

EDIT: Have you tried to add the route manually once OPENVPN is up and running? Something like

Code:

route add -net 80.254.76.128 80.254.76.137 255.255.255.128

marino · Nov 19, 2009

Hi ctaranotte,

I'm actually using security/openvpn-devel
You can see this in the log...

Code:

Nov 11 14:27:50 draco openvpn[1786]: OpenVPN 2.1_rc20 amd64-portbld-freebsd7.2 [SSL] [LZO2] built on Nov 11 2009

Here is the output to your suggested route command:

Code:

draco-root# route add -net 80.254.76.128 80.254.76.137 255.255.255.128
route: writing to routing socket: File exists
add net 80.254.76.128: gateway 80.254.76.137: route already in table

So I have openvpn configured to start at boot up (/usr/local/etc/rc.d/openvpn), so the log I posted is from immediately after boot. I was not using tun before I installed openvpn, so I don't think there are other culprits...

Let me post this all again, though, I probably posted an ifconfig from a different session.

marino · Nov 19, 2009

After reboot:

Code:

draco-marino# ifconfig tun0
tun0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
	inet [color="Red"]80.254.76.155[/color] netmask 0xffffff80 broadcast 80.254.76.255
	Opened by PID 831

Code:

Nov 19 14:02:02 draco openvpn[830]: OpenVPN 2.1_rc20 amd64-portbld-freebsd7.2 [SSL] [LZO2] built on Nov 11 2009
Nov 19 14:02:02 draco openvpn[830]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 19 14:02:02 draco openvpn[830]: Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Nov 19 14:02:02 draco openvpn[830]: Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Nov 19 14:02:02 draco openvpn[830]: Local Options hash (VER=V4): 'db02a8f8'
Nov 19 14:02:02 draco openvpn[830]: Expected Remote Options hash (VER=V4): '7e068940'
Nov 19 14:02:02 draco openvpn[831]: Attempting to establish TCP connection with 80.254.79.87:443 [nonblock]
Nov 19 14:02:03 draco openvpn[831]: TCP connection established with 80.254.79.87:443
Nov 19 14:02:03 draco openvpn[831]: Socket Buffers: R=[65572->65536] S=[33124->65536]
Nov 19 14:02:03 draco openvpn[831]: TCPv4_CLIENT link local: [undef]
Nov 19 14:02:03 draco openvpn[831]: TCPv4_CLIENT link remote: 80.254.79.87:443
Nov 19 14:02:04 draco openvpn[831]: TLS: Initial packet from 80.254.79.87:443, sid=a7c1bbbb 20a64ba1
Nov 19 14:02:04 draco openvpn[831]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 19 14:02:06 draco openvpn[831]: VERIFY OK: depth=1, /C=CH/ST=ZH/L=Regensdorf/O=Monzoon_Networks_AG/OU=OpenVPN_CA/CN=OpenVPN-CA/emailAddress=operations@monzoon.net
Nov 19 14:02:06 draco openvpn[831]: VERIFY OK: nsCertType=SERVER
Nov 19 14:02:06 draco openvpn[831]: VERIFY OK: depth=0, /C=CH/ST=ZH/O=Monzoon_Networks_AG/OU=OpenVPN_server/CN=server/emailAddress=operations@monzoon.net
Nov 19 14:02:08 draco openvpn[831]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 19 14:02:08 draco openvpn[831]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 19 14:02:08 draco openvpn[831]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 19 14:02:08 draco openvpn[831]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 19 14:02:08 draco openvpn[831]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Nov 19 14:02:08 draco openvpn[831]: [server] Peer Connection Initiated with 80.254.79.87:443
Nov 19 14:02:10 draco openvpn[831]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Nov 19 14:02:10 draco openvpn[831]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 80.254.79.157,dhcp-option DNS 80.254.77.39,route-gateway 80.254.76.129,topology subnet,ping 10,ping-restart 60,socket-flags TCP_NODELAY,ifconfig 80.254.76.155 255.255.255.128'
Nov 19 14:02:10 draco openvpn[831]: OPTIONS IMPORT: timers and/or timeouts modified
Nov 19 14:02:10 draco openvpn[831]: OPTIONS IMPORT: --socket-flags option modified
Nov 19 14:02:10 draco openvpn[831]: NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)
Nov 19 14:02:10 draco openvpn[831]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 19 14:02:10 draco openvpn[831]: OPTIONS IMPORT: route options modified
Nov 19 14:02:10 draco openvpn[831]: OPTIONS IMPORT: route-related options modified
Nov 19 14:02:10 draco openvpn[831]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Nov 19 14:02:10 draco openvpn[831]: ROUTE default_gateway=192.168.0.1
Nov 19 14:02:10 draco openvpn[831]: TUN/TAP device /dev/tun0 opened
Nov 19 14:02:10 draco openvpn[831]: /sbin/ifconfig tun0 [color="Red"]80.254.76.155[/color] netmask 255.255.255.128 mtu 1500 up
Nov 19 14:02:10 draco openvpn[831]: /sbin/route add -net 80.254.76.128 80.254.76.155 255.255.255.128
Nov 19 14:02:10 draco openvpn[831]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Nov 19 14:02:10 draco openvpn[831]: /sbin/route add -net 80.254.79.87 192.168.0.1 255.255.255.255
Nov 19 14:02:10 draco openvpn[831]: /sbin/route add -net 0.0.0.0 80.254.76.129 128.0.0.0
Nov 19 14:02:10 draco openvpn[831]: /sbin/route add -net 128.0.0.0 80.254.76.129 128.0.0.0
Nov 19 14:02:10 draco openvpn[831]: Initialization Sequence Completed

so it appears the IP addresses match as expected.

ctaranotte · Nov 20, 2009

Could you post the output of "netstat -r"?

marino · Nov 20, 2009

sure!

Code:

draco-root# [color="Blue"]/usr/local/etc/rc.d/openvpn start[/color]
Starting openvpn.
draco-root# [color="#0000ff"]ifconfig tun0[/color]
tun0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
	inet 80.254.76.237 netmask 0xffffff80 broadcast 80.254.76.255
	Opened by PID 4384
draco-root# [color="#0000ff"]netstat -r[/color]
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
0.0.0.0/1          80-254-76-129.dyna UGS         0        0   tun0 =>
default            192.168.0.1        UGS         0   784108   nfe0
80.254.76.128/25   80-254-76-237.dyna U           2        0   tun0
80.254.79.87/32    192.168.0.1        UGS         0        6   nfe0
localhost          localhost          UH          0       50    lo0
128.0.0.0/1        80-254-76-129.dyna UGS         0        0   tun0
192.168.0.0        link#1             UC          0        0   nfe0
192.168.0.1        00:24:01:32:b2:bd  UHLW        3      222   nfe0   1225
orion              00:1e:2a:cc:69:90  UHLW        1      462   nfe0   1084

Internet6:
Destination        Gateway            Flags      Netif Expire
localhost          localhost          UHL         lo0
fe80::%lo0         fe80::1%lo0        U           lo0
fe80::1%lo0        link#3             UHL         lo0
ff01:3::           fe80::1%lo0        UC          lo0
ff02::%lo0         fe80::1%lo0        UC          lo0

ctaranotte · Nov 23, 2009

what do you have any fw?

marino · Nov 24, 2009

fw = firewall?

No, I am not running any firewall. Just a router (dlink DIR-655), basic configuration.

ctaranotte · Nov 25, 2009

You need to set up a firewall on your box (not on the server) which will nat and filter all traffic through tun0.

For example, in pf.conf, you may add something like

Code:

nat on tun0 from any to any -> tun0

pass in on ne0 inet proto {tcp udp icmp} from 80.254.76.128/25 to any flags S/SA keep state
pass out on ne0 inet proto {tcp udp icmp} from any to 80.254.76.128/25 flags S/SA keep state

pass in on tun0 inet proto {tcp udp icmp} from any to any flags S/SA keep state
pass out on tun0 inet proto {tcp udp icmp} from any to any flags S/SA keep state

You can also run

Code:

tcpdump -n -i tun0

to see what's wrong.

ctaranotte · Nov 25, 2009

Almost forgot, you need also to add the following line in pf.conf:

Code:

nat on ne0 from any to any -> ne0

openVPN client add route error

marino

SirDice

Administrator

marino

marino

DutchDaemon

Administrator

marino

ctaranotte

marino

ctaranotte

marino

marino

ctaranotte

marino

ctaranotte

marino

ctaranotte

ctaranotte