curmudgeon Veteran
Joined: 08 Aug 2003 Posts: 1744
|
Posted: Tue Jan 03, 2017 2:47 pm Post subject: can't connect with openvpn |
|
|
I have literally spent more than six months trying to get this working, but to no avail. The support people at the VPN provider are completely incompetent (better add an "in my opinion" there for legal reasons), but I am wondering if something in Gentoo (particularly the setup scripts) is contributing to the problem.
Simple routing table (no VPN):
Code: |
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.0.1 0.0.0.0 UG 3 0 0 net0
loopback localhost 255.0.0.0 UG 0 0 0 lo
192.168.0.1 0.0.0.0 255.255.255.0 U 0 0 0 net0
|
Configuration file (leaving out the inline files and altering the name of the remote host):
Code: |
auth-retry interact
auth-user-pass
client
dev tun
cipher AES-256-CBC
explicit-exit-notify 2
ifconfig-nowarn
key-direction 1
mute 20
persist-key
persist-tun
proto udp
redirect-gateway
remote remote.vpnprovider.net 53
remote-cert-tls server
route 0.0.0.0 0.0.0.0
route-delay 2
route-method exe
verb 3
|
Start the vpn with /etc/init.d/openvpn.vpn (with the above configuration in /etc/openvpn/vpn.conf).
Here is the entire session from /var/log/messages:
Code: |
Jan 3 13:55:25 system openvpn[2093]: OpenVPN 2.3.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [EPOLL] [MH] [IPv6] built on Sep 17 2016
Jan 3 13:55:25 system openvpn[2093]: library versions: OpenSSL 1.0.2j 26 Sep 2016
Jan 3 13:55:38 system openvpn[2097]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 3 13:55:38 system openvpn[2097]: Control Channel Authentication: tls-auth using INLINE static key file
Jan 3 13:55:38 system openvpn[2097]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 3 13:55:38 system openvpn[2097]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 3 13:55:38 system openvpn[2097]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jan 3 13:55:38 system openvpn[2097]: UDPv4 link local (bound): [undef]
Jan 3 13:55:38 system openvpn[2097]: UDPv4 link remote: [AF_INET]45.74.63.3:53
Jan 3 13:55:38 system openvpn[2097]: TLS: Initial packet from [AF_INET]45.74.63.3:53, sid=daf41aff 3542d48e
Jan 3 13:55:38 system openvpn[2097]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 3 13:55:39 system openvpn[2097]: VERIFY OK: depth=1, C=HK, ST=HK, L=HongKong, O=VPN, OU=IT, CN=VPN, name=VPN, emailAddress=mail@host.domain
Jan 3 13:55:39 system openvpn[2097]: Validating certificate key usage
Jan 3 13:55:39 system openvpn[2097]: ++ Certificate has key usage 00a0, expects 00a0
Jan 3 13:55:39 system openvpn[2097]: VERIFY KU OK
Jan 3 13:55:39 system openvpn[2097]: Validating certificate extended key usage
Jan 3 13:55:39 system openvpn[2097]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jan 3 13:55:39 system openvpn[2097]: VERIFY EKU OK
Jan 3 13:55:39 system openvpn[2097]: VERIFY OK: depth=0, C=HK, ST=HK, L=HongKong, O=VPN, OU=IT, CN=VPN, name=VPN, emailAddress=mail@host.domain
Jan 3 13:55:41 system openvpn[2097]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
Jan 3 13:55:41 system openvpn[2097]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jan 3 13:55:41 system openvpn[2097]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 3 13:55:41 system openvpn[2097]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 3 13:55:41 system openvpn[2097]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 3 13:55:41 system openvpn[2097]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 3 13:55:41 system openvpn[2097]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 3 13:55:41 system openvpn[2097]: [VPN] Peer Connection Initiated with [AF_INET]45.74.63.3:53
Jan 3 13:55:43 system openvpn[2097]: SENT CONTROL [VPN]: 'PUSH_REQUEST' (status=1)
Jan 3 13:55:43 system openvpn[2097]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 45.74.63.4,dhcp-option DNS 8.8.4.4,sndbuf 393216,rcvbuf 393216,route-gateway 45.74.63.129,topology subnet,ping 10,ping-restart 120,ifconfig 45.74.63.133 255.255.255.192'
Jan 3 13:55:43 system openvpn[2097]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 3 13:55:43 system openvpn[2097]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jan 3 13:55:43 system openvpn[2097]: Socket Buffers: R=[212992->425984] S=[212992->425984]
Jan 3 13:55:43 system openvpn[2097]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 3 13:55:43 system openvpn[2097]: OPTIONS IMPORT: route options modified
Jan 3 13:55:43 system openvpn[2097]: OPTIONS IMPORT: route-related options modified
Jan 3 13:55:43 system openvpn[2097]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 3 13:55:43 system openvpn[2097]: ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=net0 HWADDR=00:11:22:33:44:55
Jan 3 13:55:43 system openvpn[2097]: TUN/TAP device tun0 opened
Jan 3 13:55:43 system openvpn[2097]: TUN/TAP TX queue length set to 100
Jan 3 13:55:43 system openvpn[2097]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 3 13:55:43 system openvpn[2097]: /bin/ifconfig tun0 45.74.63.133 netmask 255.255.255.192 mtu 1500 broadcast 45.74.63.191
Jan 3 13:55:43 system openvpn[2097]: /etc/openvpn/up.sh tun0 1500 1557 45.74.63.133 255.255.255.192 init
Jan 3 13:55:45 system openvpn[2097]: /bin/route add -net 45.74.63.3 netmask 255.255.255.255 gw 192.168.0.1
Jan 3 13:55:45 system openvpn[2097]: /bin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 45.74.63.129
Jan 3 13:55:45 system openvpn[2097]: /bin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 45.74.63.129
Jan 3 13:55:45 system openvpn[2097]: /bin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 45.74.63.129
Jan 3 13:55:45 system openvpn[2097]: Initialization Sequence Completed
Jan 3 13:55:45 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:55:45 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:55:48 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:55:50 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:55:53 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:55:55 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:55:55 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:56:00 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:56:00 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:56:03 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:56:05 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:56:05 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:56:08 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:56:10 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:56:10 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:56:13 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:56:15 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:56:16 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:56:18 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:56:21 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 13:56:21 system openvpn[2097]: NOTE: --mute triggered...
Jan 3 13:58:14 system openvpn[2097]: 75 variation(s) on previous 20 message(s) suppressed by --mute
Jan 3 13:58:14 system openvpn[2097]: SIGTERM received, sending exit notification to peer
Jan 3 13:58:16 system openvpn[2097]: /bin/route del -net 0.0.0.0 netmask 0.0.0.0
Jan 3 13:58:16 system openvpn[2097]: /bin/route del -net 45.74.63.3 netmask 255.255.255.255
Jan 3 13:58:16 system openvpn[2097]: /bin/route del -net 0.0.0.0 netmask 128.0.0.0
Jan 3 13:58:16 system openvpn[2097]: /bin/route del -net 128.0.0.0 netmask 128.0.0.0
Jan 3 13:58:16 system openvpn[2097]: /etc/openvpn/down.sh tun0 1500 1557 45.74.63.133 255.255.255.192 init
Jan 3 13:58:16 system openvpn[2097]: Closing TUN/TAP interface
Jan 3 13:58:16 system openvpn[2097]: /bin/ifconfig tun0 0.0.0.0
Jan 3 13:58:16 system openvpn[2097]: SIGTERM[soft,exit-with-notification] received, process exiting
|
The device is created:
Code: |
$ /bin/ifconfig
[...]
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 45.74.63.133 netmask 255.255.255.192 destination 45.74.63.133
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 25 overruns 0 frame 0
TX packets 47 bytes 3900 (3.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
|
Routing table with VPN "active" (unable to send or receive any traffic):
Code: |
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 45.74.63.129 128.0.0.0 UG 0 0 0 tun0
default 45.74.63.129 0.0.0.0 UG 0 0 0 tun0
default 192.168.0.1 0.0.0.0 UG 3 0 0 net0
45.74.63.3 192.168.0.1 255.255.255.255 UGH 0 0 0 net0
45.74.63.128 0.0.0.0 255.255.255.192 U 0 0 0 tun0
loopback localhost 255.0.0.0 UG 0 0 0 lo
128.0.0.0 45.74.63.129 128.0.0.0 UG 0 0 0 tun0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 net0
|
Don't understand the purpose of the 128.0.0.0 route, and why are there two default gateways - that doesn't look right? Also, 45.74.63.3 is not in the same subnet as 45.74.63.133 (with a 255.255.255.192 netmask).
Any ideas that would get this working would be greatly appreciated. Thank you in advance.
Last edited by curmudgeon on Tue Jan 03, 2017 5:10 pm; edited 1 time in total |
|
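The question about the 128.0.0.0 route and the two default gateways comes down to longest-prefix matching: the pushed `redirect-gateway def1` adds 0.0.0.0/1 and 128.0.0.0/1, which outrank any /0 default without deleting it. The Python below is an added example, not part of any post in this thread; it replays the routing table from the first post (loopback row omitted) to show which interface each destination leaves by, and its helper names and the 200.1.2.3 test address are made up for illustration.

```python
import ipaddress

# Routing table from the first post with the VPN "active", transcribed as
# (destination, genmask, gateway, metric, iface). "default" is written out
# as 0.0.0.0/0.0.0.0 and the loopback row is omitted.
ROUTES_WITH_VPN = [
    ("0.0.0.0",      "128.0.0.0",       "45.74.63.129", 0, "tun0"),
    ("0.0.0.0",      "0.0.0.0",         "45.74.63.129", 0, "tun0"),
    ("0.0.0.0",      "0.0.0.0",         "192.168.0.1",  3, "net0"),
    ("45.74.63.3",   "255.255.255.255", "192.168.0.1",  0, "net0"),
    ("45.74.63.128", "255.255.255.192", "0.0.0.0",      0, "tun0"),
    ("128.0.0.0",    "128.0.0.0",       "45.74.63.129", 0, "tun0"),
    ("192.168.0.0",  "255.255.255.0",   "0.0.0.0",      0, "net0"),
]


def prefix_len(genmask):
    """Number of one-bits in a dotted-quad netmask (128.0.0.0 -> 1)."""
    return bin(int(ipaddress.IPv4Address(genmask))).count("1")


def build_table(rows):
    table = []
    for dest, genmask, gw, metric, iface in rows:
        net = ipaddress.ip_network(f"{dest}/{prefix_len(genmask)}")
        table.append({"net": net, "gw": gw, "metric": metric, "iface": iface})
    return table


def lookup(table, dst):
    """Route selection: longest matching prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def shadowed_defaults(table):
    """Default (/0) routes that can never be selected, because the two /1
    halves cover the whole IPv4 space with a longer prefix."""
    halves = {str(r["net"]) for r in table if r["net"].prefixlen == 1}
    if halves != {"0.0.0.0/1", "128.0.0.0/1"}:
        return []
    return [r for r in table if r["net"].prefixlen == 0]


def without_iface(table, iface):
    """The table as it looks once every route on `iface` is removed."""
    return [r for r in table if r["iface"] != iface]


if __name__ == "__main__":
    table = build_table(ROUTES_WITH_VPN)
    # 8.8.4.4 is the pushed DNS server, 45.74.63.3 the VPN server itself,
    # 200.1.2.3 a constructed address in the upper half of the IPv4 space.
    for dst in ("8.8.4.4", "200.1.2.3", "45.74.63.3", "192.168.0.10"):
        r = lookup(table, dst)
        print(f"{dst:<14} via {r['net']!s:<18} dev {r['iface']}")
    print("defaults never used:", [r["iface"] for r in shadowed_defaults(table)])
    down = without_iface(table, "tun0")
    print("tunnel down, 8.8.4.4 leaves via", lookup(down, "8.8.4.4")["iface"])
```

Only the host route to the VPN server and the LAN route leave through net0; everything else is captured by the two /1 routes, and the original default reappears as the selected route as soon as the tun0 routes are removed.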
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1844 Location: Oranienburg/Germany
|
Posted: Tue Jan 03, 2017 3:14 pm Post subject: |
|
|
Hi,
could you please remove the following lines from your config:
Code: |
redirect-gateway
route 0.0.0.0 0.0.0.0
route-delay 2
route-method exe
|
and add the following instead
Please post the log afterwards again.
Thank you and greets, bb _________________ Desktop: Ryzen 5 5600G, 32GB, 2TB, RX7600
Notebook: Dell XPS 13 9370, 16GB, 1TB
Server #1: Ryzen 5 Pro 4650G, 64GB, 16.5TB
Server #2: Ryzen 4800H, 32GB, 22TB |
|
curmudgeon Veteran
Joined: 08 Aug 2003 Posts: 1744
|
Posted: Tue Jan 03, 2017 5:09 pm Post subject: |
|
|
Logs from /var/log/messages:
Code: |
Jan 3 16:51:23 system openvpn[3019]: OpenVPN 2.3.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [EPOLL] [MH] [IPv6] built on Sep 17 2016
Jan 3 16:51:23 system openvpn[3019]: library versions: OpenSSL 1.0.2j 26 Sep 2016
Jan 3 16:51:41 system openvpn[3024]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 3 16:51:41 system openvpn[3024]: Control Channel Authentication: tls-auth using INLINE static key file
Jan 3 16:51:41 system openvpn[3024]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 3 16:51:41 system openvpn[3024]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 3 16:51:41 system openvpn[3024]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jan 3 16:51:41 system openvpn[3024]: UDPv4 link local (bound): [undef]
Jan 3 16:51:41 system openvpn[3024]: UDPv4 link remote: [AF_INET]45.74.63.3:53
Jan 3 16:51:41 system openvpn[3024]: TLS: Initial packet from [AF_INET]45.74.63.3:53, sid=472ad2af fc6d09d0
Jan 3 16:51:41 system openvpn[3024]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 3 16:51:41 system openvpn[3024]: VERIFY OK: depth=1, C=HK, ST=HK, L=HongKong, O=VPN, OU=IT, CN=VPN, name=VPN, emailAddress=mail@host.domain
Jan 3 16:51:41 system openvpn[3024]: Validating certificate key usage
Jan 3 16:51:41 system openvpn[3024]: ++ Certificate has key usage 00a0, expects 00a0
Jan 3 16:51:41 system openvpn[3024]: VERIFY KU OK
Jan 3 16:51:41 system openvpn[3024]: Validating certificate extended key usage
Jan 3 16:51:41 system openvpn[3024]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jan 3 16:51:41 system openvpn[3024]: VERIFY EKU OK
Jan 3 16:51:41 system openvpn[3024]: VERIFY OK: depth=0, C=HK, ST=HK, L=HongKong, O=VPN, OU=IT, CN=VPN, name=VPN, emailAddress=mail@host.domain
Jan 3 16:51:43 system openvpn[3024]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
Jan 3 16:51:43 system openvpn[3024]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jan 3 16:51:43 system openvpn[3024]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 3 16:51:43 system openvpn[3024]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 3 16:51:43 system openvpn[3024]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 3 16:51:43 system openvpn[3024]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 3 16:51:43 system openvpn[3024]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 3 16:51:43 system openvpn[3024]: [VPN] Peer Connection Initiated with [AF_INET]45.74.63.3:53
Jan 3 16:51:45 system openvpn[3024]: SENT CONTROL [VPN]: 'PUSH_REQUEST' (status=1)
Jan 3 16:51:45 system openvpn[3024]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 45.74.63.4,dhcp-option DNS 8.8.4.4,sndbuf 393216,rcvbuf 393216,route-gateway 45.74.63.129,topology subnet,ping 10,ping-restart 120,ifconfig 45.74.63.139 255.255.255.192'
Jan 3 16:51:45 system openvpn[3024]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 3 16:51:45 system openvpn[3024]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jan 3 16:51:45 system openvpn[3024]: Socket Buffers: R=[212992->425984] S=[212992->425984]
Jan 3 16:51:45 system openvpn[3024]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 3 16:51:45 system openvpn[3024]: OPTIONS IMPORT: route options modified
Jan 3 16:51:45 system openvpn[3024]: OPTIONS IMPORT: route-related options modified
Jan 3 16:51:45 system openvpn[3024]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 3 16:51:45 system openvpn[3024]: ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=net0 HWADDR=00:11:22:33:44:55
Jan 3 16:51:45 system openvpn[3024]: TUN/TAP device tun0 opened
Jan 3 16:51:45 system openvpn[3024]: TUN/TAP TX queue length set to 100
Jan 3 16:51:45 system openvpn[3024]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 3 16:51:45 system openvpn[3024]: /bin/ifconfig tun0 45.74.63.139 netmask 255.255.255.192 mtu 1500 broadcast 45.74.63.191
Jan 3 16:51:45 system openvpn[3024]: /etc/openvpn/up.sh tun0 1500 1557 45.74.63.139 255.255.255.192 init
Jan 3 16:51:45 system openvpn[3024]: /bin/route add -net 45.74.63.3 netmask 255.255.255.255 gw 192.168.0.1
Jan 3 16:51:45 system openvpn[3024]: /bin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 45.74.63.129
Jan 3 16:51:45 system openvpn[3024]: /bin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 45.74.63.129
Jan 3 16:51:45 system openvpn[3024]: Initialization Sequence Completed
Jan 3 16:51:46 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:51:46 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:51:46 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:51:49 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:51:49 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:51:52 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:51:52 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:51:52 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:51:54 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:51:54 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:51:57 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:51:57 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:51:59 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:51:59 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:52:02 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:52:02 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:52:04 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:52:04 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:52:04 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:52:07 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:52:09 system openvpn[3024]: NOTE: --mute triggered...
Jan 3 16:53:58 system openvpn[3024]: 88 variation(s) on previous 20 message(s) suppressed by --mute
Jan 3 16:53:58 system openvpn[3024]: SIGTERM received, sending exit notification to peer
Jan 3 16:53:59 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:53:59 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:54:00 system openvpn[3024]: /bin/route del -net 45.74.63.3 netmask 255.255.255.255
Jan 3 16:54:00 system openvpn[3024]: /bin/route del -net 0.0.0.0 netmask 128.0.0.0
Jan 3 16:54:00 system openvpn[3024]: /bin/route del -net 128.0.0.0 netmask 128.0.0.0
Jan 3 16:54:00 system openvpn[3024]: /etc/openvpn/down.sh tun0 1500 1557 45.74.63.139 255.255.255.192 init
Jan 3 16:54:00 system openvpn[3024]: Closing TUN/TAP interface
Jan 3 16:54:00 system openvpn[3024]: /bin/ifconfig tun0 0.0.0.0
Jan 3 16:54:00 system openvpn[3024]: SIGTERM[soft,exit-with-notification] received, process exiting
|
Routing table is slightly different (the second default route is gone), but I still can't send or receive traffic:
Code: |
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 45.74.63.129 128.0.0.0 UG 0 0 0 tun0
default 192.168.0.1 0.0.0.0 UG 3 0 0 net0
45.74.63.3 192.168.0.1 255.255.255.255 UGH 0 0 0 net0
45.74.63.128 0.0.0.0 255.255.255.192 U 0 0 0 tun0
loopback localhost 255.0.0.0 UG 0 0 0 lo
128.0.0.0 45.74.63.129 128.0.0.0 UG 0 0 0 tun0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 net0
|
Last edited by curmudgeon on Wed Jan 04, 2017 9:05 am; edited 1 time in total |
|
szatox Advocate
Joined: 27 Aug 2013 Posts: 3498
|
Posted: Tue Jan 03, 2017 9:18 pm Post subject: |
|
|
Your last routing table looks reasonable.
This looks like trouble:
Quote: | openvpn[3024]: write to TUN/TAP : Invalid argument (code=22) |
I'd try switching from TUN to TAP first. You may find some hints in logs. |
|
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1844 Location: Oranienburg/Germany
|
Posted: Wed Jan 04, 2017 6:07 am Post subject: |
|
|
szatox wrote: | Your last routing table looks reasonable.
This looks like trouble:
Quote: | openvpn[3024]: write to TUN/TAP : Invalid argument (code=22) |
I'd try switching from TUN to TAP first. You may find some hints in logs. |
This won't help fix this issue. According to a lot of Google entries, comp-lzo is the problem.
Please add to your config file the following line:
and try again. Also check for the permissions on /dev/tun. Sometimes they can be the problem as well.
greets, bb |
|
curmudgeon Veteran
Joined: 08 Aug 2003 Posts: 1744
|
Posted: Wed Jan 04, 2017 9:22 am Post subject: |
|
|
szatox wrote: | Your last routing table looks reasonable.
This looks like trouble:
Quote: | openvpn[3024]: write to TUN/TAP : Invalid argument (code=22) |
I'd try switching from TUN to TAP first :) You may find some hints in logs. |
Ended up with less information than before:
Log:
Code: |
Jan 4 00:27:09 system openvpn[4846]: OpenVPN 2.3.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [EPOLL] [MH] [IPv6] built on Sep 17 2016
Jan 4 00:27:09 system openvpn[4846]: library versions: OpenSSL 1.0.2j 26 Sep 2016
Jan 4 00:27:30 system openvpn[4851]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 4 00:27:30 system openvpn[4851]: Control Channel Authentication: tls-auth using INLINE static key file
Jan 4 00:27:30 system openvpn[4851]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 4 00:27:30 system openvpn[4851]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 4 00:27:30 system openvpn[4851]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jan 4 00:27:30 system /etc/init.d/openvpn.purevpn-lax[4821]: WARNING: openvpn.purevpn-lax has started, but is inactive
Jan 4 00:27:30 system openvpn[4851]: UDPv4 link local (bound): [undef]
Jan 4 00:27:30 system openvpn[4851]: UDPv4 link remote: [AF_INET]172.111.235.2:53
Jan 4 00:27:31 system openvpn[4851]: TLS: Initial packet from [AF_INET]172.111.235.2:53, sid=cdc412ca 803bceea
Jan 4 00:27:31 system openvpn[4851]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 4 00:27:31 system openvpn[4851]: VERIFY OK: depth=1, C=HK, ST=HK, L=HongKong, O=VPN, OU=IT, CN=VPN, name=VPN, emailAddress=mail@host.domain
Jan 4 00:27:31 system openvpn[4851]: Validating certificate key usage
Jan 4 00:27:31 system openvpn[4851]: ++ Certificate has key usage 00a0, expects 00a0
Jan 4 00:27:31 system openvpn[4851]: VERIFY KU OK
Jan 4 00:27:31 system openvpn[4851]: Validating certificate extended key usage
Jan 4 00:27:31 system openvpn[4851]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jan 4 00:27:31 system openvpn[4851]: VERIFY EKU OK
Jan 4 00:27:31 system openvpn[4851]: VERIFY OK: depth=0, C=HK, ST=HK, L=HongKong, O=VPN, OU=IT, CN=VPN, name=VPN, emailAddress=mail@host.domain
Jan 4 00:27:32 system openvpn[4851]: WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Jan 4 00:27:32 system openvpn[4851]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1589', remote='link-mtu 1558'
Jan 4 00:27:32 system openvpn[4851]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Jan 4 00:27:32 system openvpn[4851]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jan 4 00:27:32 system openvpn[4851]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 4 00:27:32 system openvpn[4851]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 4 00:27:32 system openvpn[4851]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 4 00:27:32 system openvpn[4851]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 4 00:27:32 system openvpn[4851]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 4 00:27:32 system openvpn[4851]: [VPN] Peer Connection Initiated with [AF_INET]172.111.235.2:53
Jan 4 00:27:34 system openvpn[4851]: SENT CONTROL [VPN]: 'PUSH_REQUEST' (status=1)
Jan 4 00:27:35 system openvpn[4851]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 172.111.235.3,dhcp-option DNS 8.8.4.4,sndbuf 393216,rcvbuf 393216,route-gateway 172.111.235.97,topology subnet,ping 10,ping-restart 120,ifconfig 172.111.235.103 255.255.255.224'
Jan 4 00:27:35 system openvpn[4851]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 4 00:27:35 system openvpn[4851]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jan 4 00:27:35 system openvpn[4851]: Socket Buffers: R=[212992->425984] S=[212992->425984]
Jan 4 00:27:35 system openvpn[4851]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 4 00:27:35 system openvpn[4851]: OPTIONS IMPORT: route options modified
Jan 4 00:27:35 system openvpn[4851]: OPTIONS IMPORT: route-related options modified
Jan 4 00:27:35 system openvpn[4851]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 4 00:27:35 system openvpn[4851]: ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=net0 HWADDR=00:11:22:33:44:55
Jan 4 00:27:35 system openvpn[4851]: TUN/TAP device tap0 opened
Jan 4 00:27:35 system openvpn[4851]: TUN/TAP TX queue length set to 100
Jan 4 00:27:35 system openvpn[4851]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 4 00:27:35 system openvpn[4851]: /bin/ifconfig tap0 172.111.235.103 netmask 255.255.255.224 mtu 1500 broadcast 172.111.235.127
Jan 4 00:27:35 system openvpn[4851]: /etc/openvpn/up.sh tap0 1500 1589 172.111.235.103 255.255.255.224 init
Jan 4 00:27:35 system openvpn[4851]: /bin/route add -net 172.111.235.2 netmask 255.255.255.255 gw 192.168.0.1
Jan 4 00:27:35 system openvpn[4851]: /bin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 172.111.235.97
Jan 4 00:27:35 system openvpn[4851]: /bin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 172.111.235.97
Jan 4 00:27:35 system openvpn[4851]: Initialization Sequence Completed
Jan 4 00:28:32 system kernel: CPU3: Core temperature/speed normal
Jan 4 00:31:32 system openvpn[4851]: event_wait : Interrupted system call (code=4)
Jan 4 00:31:32 system openvpn[4851]: SIGTERM received, sending exit notification to peer
Jan 4 00:31:34 system openvpn[4851]: /bin/route del -net 172.111.235.2 netmask 255.255.255.255
Jan 4 00:31:34 system openvpn[4851]: /bin/route del -net 0.0.0.0 netmask 128.0.0.0
Jan 4 00:31:34 system openvpn[4851]: /bin/route del -net 128.0.0.0 netmask 128.0.0.0
Jan 4 00:31:34 system openvpn[4851]: /etc/openvpn/down.sh tap0 1500 1589 172.111.235.103 255.255.255.224 init
Jan 4 00:31:34 system openvpn[4851]: Closing TUN/TAP interface
Jan 4 00:31:34 system openvpn[4851]: /bin/ifconfig tap0 0.0.0.0
Jan 4 00:31:34 system openvpn[4851]: SIGTERM[soft,exit-with-notification] received, process exiting
|
Ifconfig:
Code: |
tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.111.235.103 netmask 255.255.255.224 broadcast 172.111.235.127
inet6 fe80::e46f:4dff:fe42:3b14 prefixlen 64 scopeid 0x20<link>
ether e6:6f:4d:42:3b:14 txqueuelen 100 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 168 (168.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
|
Route:
Code: |
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.111.235.97 128.0.0.0 UG 0 0 0 tap0
default 192.168.0.1 0.0.0.0 UG 3 0 0 net0
loopback localhost 255.0.0.0 UG 0 0 0 lo
128.0.0.0 172.111.235.97 128.0.0.0 UG 0 0 0 tap0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 net0
172.111.235.2 192.168.0.1 255.255.255.255 UGH 0 0 0 net0
172.111.235.96 0.0.0.0 255.255.255.224 U 0 0 0 tap0
|
Last edited by curmudgeon on Wed Jan 04, 2017 11:28 am; edited 1 time in total |
|
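The `comp-lzo` warning bbgermany points to, and the `dev-type` warning produced by the TAP attempt, each appear once just before "Initialization Sequence Completed", where they are easy to miss under the repeated write errors. The Python below is an added example, not code from the thread or from OpenVPN; it groups client syslog lines by PID and pulls out the option-mismatch warnings, the code=22 write failures and the password-caching warning, using lines copied from the logs posted so far as sample input. The function names and finding labels are made up for illustration.

```python
import re

# Lines copied (abridged) from the client logs posted above:
# PID 3024 is a tun attempt, PID 4851 the tap attempt.
SAMPLE_LOG = """\
Jan 3 16:51:41 system openvpn[3024]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 3 16:51:43 system openvpn[3024]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
Jan 3 16:51:43 system openvpn[3024]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jan 3 16:51:45 system openvpn[3024]: Initialization Sequence Completed
Jan 3 16:51:46 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:51:46 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan 3 16:53:58 system openvpn[3024]: 88 variation(s) on previous 20 message(s) suppressed by --mute
Jan 4 00:27:32 system openvpn[4851]: WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Jan 4 00:27:32 system openvpn[4851]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jan 4 00:27:35 system openvpn[4851]: Initialization Sequence Completed
Jan 4 00:28:32 system kernel: CPU3: Core temperature/speed normal
"""

SYSLOG = re.compile(r"openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$")
MISSING = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is present in (?P<has>local|remote) config "
    r"but missing in (?P<lacks>local|remote) config")
INCONSISTENT = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
MUTED = re.compile(
    r"(?P<n>\d+) variation\(s\) on previous \d+ message\(s\) suppressed by --mute")
TUN_EINVAL = "write to TUN/TAP : Invalid argument (code=22)"


def new_session():
    return {"missing_local": [], "inconsistent": {}, "established": False,
            "tun_write_errors": 0, "muted": 0, "caches_password": False}


def analyze(log_text):
    """Return one summary dict per openvpn PID found in the syslog text."""
    sessions = {}
    for line in log_text.splitlines():
        m = SYSLOG.search(line)
        if not m:
            continue  # not an openvpn line (e.g. the kernel message)
        s = sessions.setdefault(m["pid"], new_session())
        msg = m["msg"]
        hit = MISSING.search(msg)
        if hit and hit["lacks"] == "local":
            s["missing_local"].append(hit["opt"])
        hit = INCONSISTENT.search(msg)
        if hit:
            s["inconsistent"][hit["opt"]] = (hit["local"], hit["remote"])
        hit = MUTED.search(msg)
        if hit:
            s["muted"] += int(hit["n"])
        if TUN_EINVAL in msg:
            s["tun_write_errors"] += 1
        if "Initialization Sequence Completed" in msg:
            s["established"] = True
        if "may cache passwords in memory" in msg:
            s["caches_password"] = True
    return sessions


def diagnose(s):
    """Map one session summary to short finding labels (labels are this
    example's own, not OpenVPN terminology)."""
    findings = []
    if "comp-lzo" in s["missing_local"]:
        findings.append("COMPRESSION_MISMATCH")
    if "dev-type" in s["inconsistent"]:
        findings.append("DEV_TYPE_MISMATCH")
    if s["established"] and s["tun_write_errors"]:
        # Handshake succeeded, but decoded packets are refused by the device.
        findings.append("TUNNEL_UP_BUT_TUN_WRITES_FAIL")
    if s["caches_password"]:
        findings.append("PASSWORD_CACHED_IN_MEMORY")
    return findings


if __name__ == "__main__":
    for pid, summary in analyze(SAMPLE_LOG).items():
        print(pid, diagnose(summary), summary["inconsistent"])
```

For PID 3024 the local and remote `link-mtu` values differ by exactly one byte, which is consistent with the peer adding a one-byte compression header that the client does not account for.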
curmudgeon Veteran
Joined: 08 Aug 2003 Posts: 1744
|
Posted: Wed Jan 04, 2017 9:50 am Post subject: |
|
|
bbgermany wrote: | This won't help fix this issue. According to a lot of Google entries, comp-lzo is the problem.
Please add to your config file the following line:
and try again. Also check for the permissions on /dev/tun. Sometimes they can be the problem as well.
greets, bb |
That was not particularly successful. I guess I need to recompile openvpn.
Code: |
# /etc/init.d/openvpn.vpn start
* Starting openvpn.vpn ...
Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/vpn.conf:6: comp-lzo (2.3.12)
Use --help for more information.
* start-stop-daemon: failed to start `/usr/sbin/openvpn'
* Check your logs to see why startup failed [ !! ]
* WARNING: openvpn.vpn has started, but is inactive
|
|
|
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1844 Location: Oranienburg/Germany
|
Posted: Wed Jan 04, 2017 10:45 am Post subject: |
|
|
Yeah, please recompile with lzo support. I looked at your log, and it seems you are using PureVPN (am I right?). According to the "ubuntu-guide" comp-lzo is necessary! You should also consider adding the tls.key, the ca.crt and your certfile/key (if you got those) with the following options:
Code: |
ca caert.crt
cert yourcert.crt
key yourkey.key
tls-auth yourtls.key 1
|
found at: https://webcache.googleusercontent.com/search?q=cache:gIa7zGDY1yAJ:https://support.purevpn.com/openvpn-configuration-guide-for-ubuntu+&cd=1&hl=de&ct=clnk&gl=de
Greets, bb
EDIT: Do not use the tap interface. Use the tun interface! |
|
curmudgeon Veteran
Joined: 08 Aug 2003 Posts: 1744
|
Posted: Wed Jan 04, 2017 12:02 pm Post subject: |
|
|
bbgermany wrote: | Yeah, please recompile with lzo support. I looked at your log, and it seems you are using PureVPN (am I right?). According to the "ubuntu-guide" comp-lzo is necessary! You should also consider adding the tls.key, the ca.crt and your certfile/key (if you got those) with the following options:
Code: |
ca caert.crt
cert yourcert.crt
key yourkey.key
tls-auth yourtls.key 1
|
|
Recompiled. Yes, the provider is PureVPN (I do not recommend them). Saw that guide. Do not have Gnome. Do not want Gnome. Do not have networkmanager. Do not want networkmanager.
I have all of the external files inline (embedded in the configuration file) per the openvpn man page.
First, will post the usual
Log:
Code: |
Jan 4 11:09:48 system openvpn[25413]: OpenVPN 2.3.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 4 2017
Jan 4 11:09:48 system openvpn[25413]: library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.08
Jan 4 11:10:01 system openvpn[25438]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 4 11:10:01 system openvpn[25438]: Control Channel Authentication: tls-auth using INLINE static key file
Jan 4 11:10:01 system openvpn[25438]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 4 11:10:01 system openvpn[25438]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 4 11:11:04 system openvpn[25438]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jan 4 11:11:04 system openvpn[25438]: UDPv4 link local (bound): [undef]
Jan 4 11:11:04 system openvpn[25438]: UDPv4 link remote: [AF_INET]45.74.61.2:53
Jan 4 11:11:05 system openvpn[25438]: TLS: Initial packet from [AF_INET]45.74.61.2:53, sid=02b7fbdf 3bf402cf
Jan 4 11:11:05 system openvpn[25438]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 4 11:11:06 system openvpn[25438]: VERIFY OK: depth=1, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
Jan 4 11:11:06 system openvpn[25438]: Validating certificate key usage
Jan 4 11:11:06 system openvpn[25438]: ++ Certificate has key usage 00a0, expects 00a0
Jan 4 11:11:06 system openvpn[25438]: VERIFY KU OK
Jan 4 11:11:06 system openvpn[25438]: Validating certificate extended key usage
Jan 4 11:11:06 system openvpn[25438]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jan 4 11:11:06 system openvpn[25438]: VERIFY EKU OK
Jan 4 11:11:06 system openvpn[25438]: VERIFY OK: depth=0, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
Jan 4 11:11:08 system openvpn[25438]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 4 11:11:08 system openvpn[25438]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 4 11:11:08 system openvpn[25438]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 4 11:11:08 system openvpn[25438]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 4 11:11:08 system openvpn[25438]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 4 11:11:08 system openvpn[25438]: [PureVPN] Peer Connection Initiated with [AF_INET]45.74.61.2:53
Jan 4 11:11:10 system openvpn[25438]: SENT CONTROL [PureVPN]: 'PUSH_REQUEST' (status=1)
Jan 4 11:11:12 system openvpn[25438]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 45.74.61.1,dhcp-option DNS 8.8.4.4,sndbuf 393216,rcvbuf 393216,route-gateway 45.74.61.193,topology subnet,ping 10,ping-restart 120,ifconfig 45.74.61.213 255.255.255.224'
Jan 4 11:11:12 system openvpn[25438]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 4 11:11:12 system openvpn[25438]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jan 4 11:11:12 system openvpn[25438]: Socket Buffers: R=[212992->425984] S=[212992->425984]
Jan 4 11:11:12 system openvpn[25438]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 4 11:11:12 system openvpn[25438]: OPTIONS IMPORT: route options modified
Jan 4 11:11:12 system openvpn[25438]: OPTIONS IMPORT: route-related options modified
Jan 4 11:11:12 system openvpn[25438]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 4 11:11:12 system openvpn[25438]: ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=net0 HWADDR=00:11:22:33:44:55
Jan 4 11:11:12 system openvpn[25438]: TUN/TAP device tun0 opened
Jan 4 11:11:12 system openvpn[25438]: TUN/TAP TX queue length set to 100
Jan 4 11:11:12 system openvpn[25438]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 4 11:11:12 system openvpn[25438]: /bin/ifconfig tun0 45.74.61.213 netmask 255.255.255.224 mtu 1500 broadcast 45.74.61.223
Jan 4 11:11:12 system openvpn[25438]: /etc/openvpn/up.sh tun0 1500 1558 45.74.61.213 255.255.255.224 init
Jan 4 11:11:12 system openvpn[25438]: /bin/route add -net 45.74.61.2 netmask 255.255.255.255 gw 192.168.0.1
Jan 4 11:11:12 system openvpn[25438]: /bin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 45.74.61.193
Jan 4 11:11:12 system openvpn[25438]: /bin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 45.74.61.193
Jan 4 11:11:12 system openvpn[25438]: Initialization Sequence Completed
Jan 4 11:15:18 system openvpn[25438]: event_wait : Interrupted system call (code=4)
Jan 4 11:15:18 system openvpn[25438]: SIGTERM received, sending exit notification to peer
Jan 4 11:15:21 system openvpn[25438]: /bin/route del -net 45.74.61.2 netmask 255.255.255.255
Jan 4 11:15:21 system openvpn[25438]: /bin/route del -net 0.0.0.0 netmask 128.0.0.0
Jan 4 11:15:21 system openvpn[25438]: /bin/route del -net 128.0.0.0 netmask 128.0.0.0
Jan 4 11:15:21 system openvpn[25438]: /etc/openvpn/down.sh tun0 1500 1558 45.74.61.213 255.255.255.224 init
Jan 4 11:15:21 system openvpn[25438]: Closing TUN/TAP interface
Jan 4 11:15:21 system openvpn[25438]: /bin/ifconfig tun0 0.0.0.0
Jan 4 11:15:21 system openvpn[25438]: SIGTERM[soft,exit-with-notification] received, process exiting
|
Ifconfig:
Code: |
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 45.74.61.213 netmask 255.255.255.224 destination 45.74.61.213
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 43 bytes 3341 (3.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 35 bytes 2784 (2.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
|
Side question - are inet and destination supposed to be the same? Looks wrong to me.
Route:
Code: |
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 45.74.61.193 128.0.0.0 UG 0 0 0 tun0
default 192.168.0.1 0.0.0.0 UG 0 0 0 net0
45.74.61.2 192.168.0.1 255.255.255.255 UGH 0 0 0 net0
45.74.61.192 0.0.0.0 255.255.255.224 U 0 0 0 tun0
loopback localhost 255.0.0.0 UG 0 0 0 lo
128.0.0.0 45.74.61.193 128.0.0.0 UG 0 0 0 tun0
192.168.0.1 0.0.0.0 255.255.255.0 U 0 0 0 net0
|
That still looks wrong (45.74.61.2 is not on the same subnet as 45.74.61.192/255.255.255.224).
Is there any reason for making two routes (0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0) instead of just 0.0.0.0/0.0.0.0?
One more question here - what is supposed to happen with DNS? I see the push option for it in the log, but it is not taking effect. Is the script supposed to reset resolv.conf (like dhcp does)?
It does seem there was a connection established, but it is completely unusable:
Code: |
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=221 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=45 time=221 ms
64 bytes from 8.8.8.8: icmp_seq=13 ttl=45 time=221 ms
64 bytes from 8.8.8.8: icmp_seq=14 ttl=45 time=221 ms
64 bytes from 8.8.8.8: icmp_seq=16 ttl=45 time=220 ms
64 bytes from 8.8.8.8: icmp_seq=17 ttl=45 time=222 ms
64 bytes from 8.8.8.8: icmp_seq=19 ttl=45 time=220 ms
64 bytes from 8.8.8.8: icmp_seq=20 ttl=45 time=220 ms
64 bytes from 8.8.8.8: icmp_seq=28 ttl=45 time=221 ms
^C
--- 8.8.8.8 ping statistics ---
29 packets transmitted, 9 received, 68% packet loss, time 28062ms
rtt min/avg/max/mdev = 220.172/221.169/222.280/0.781 ms
|
|
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1844 Location: Oranienburg/Germany
|
Posted: Wed Jan 04, 2017 12:30 pm Post subject: |
|
|
Hi,
You don't need gnome or even like in the guide unity. It's just for picking the correct options for your config file. You could try using traceroute instead of ping for checking if your traffic is going through the tunnel instead of your normal interface.
According to your inet/destination output: I'm not really sure whether it's correct or not. I'm checking when I'm home, I can try out with a connection there.
For DNS check /etc/resolv.conf. Maybe it's modified by openvpn.
greets, bb |
curmudgeon Veteran
Joined: 08 Aug 2003 Posts: 1744
|
Posted: Wed Jan 04, 2017 1:17 pm Post subject: |
|
|
bbgermany wrote: | You don't need gnome or even like in the guide unity. It's just for picking the correct options for your config file. You could try using traceroute instead of ping for checking if your traffic is going through the tunnel instead of your normal interface.
According to your inet/destination output: I'm not really sure whether it's correct or not. I'm checking when I'm home, I can try out with a connection there.
For DNS check /etc/resolv.conf. Maybe it's modified by openvpn.
greets, bb |
I am more convinced than ever that there is some problem on their end.
This is what the device (and routing table) SHOULD look like (using a different provider):
Code: |
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.6.22 netmask 255.255.255.255 destination 10.10.6.21
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 116 (116.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
$ /bin/route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.10.6.21 0.0.0.0 UG 0 0 0 tun0
10.10.6.1 10.10.6.21 255.255.255.255 UGH 0 0 0 tun0
10.10.6.21 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
104.247.220.10 192.168.0.1 255.255.255.255 UGH 0 0 0 net0
loopback localhost 255.0.0.0 UG 0 0 0 lo
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 net0
|
I found the option (in /etc/conf.d/openvpn) to control whether or not openvpn updates resolv.conf. |
szatox Advocate
Joined: 27 Aug 2013 Posts: 3498
|
Posted: Wed Jan 04, 2017 10:12 pm Post subject: |
|
|
Quote: | Is there any reason for making two routes (0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0) instead of just 0.0.0.0/0.0.0.0? |
Yes. Routes with longer masks are prioritized over routes with shorter masks. This allows you to shadow your actual default route out when you're connected to VPN and then restore old setting. The single host route (mask 32) has the longest mask possible and will always be prioritized over anything else, which lets you maintain the tunnel over public network rather than tunnel it in your tunnel in your tunnel in your tunnel in your [[ TTL=0 -> DROP ]] |
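The longest-prefix rule from this reply, applied to the routing table posted earlier in the thread while the VPN was up. This is an added example, not part of any poster's message; the function names are illustrative, and the `loopback` row is left out because it was posted by name rather than by address.

```python
import ipaddress

# Rows copied from the thread's `route` output (VPN up):
# (destination, genmask, gateway, iface); "default" is written as 0.0.0.0.
ROUTES = [
    ("0.0.0.0",      "128.0.0.0",       "45.74.61.193", "tun0"),
    ("0.0.0.0",      "0.0.0.0",         "192.168.0.1",  "net0"),
    ("45.74.61.2",   "255.255.255.255", "192.168.0.1",  "net0"),
    ("45.74.61.192", "255.255.255.224", "0.0.0.0",      "tun0"),
    ("128.0.0.0",    "128.0.0.0",       "45.74.61.193", "tun0"),
    ("192.168.0.1",  "255.255.255.0",   "0.0.0.0",      "net0"),
]

def parse(routes):
    """Turn (dest, mask, gw, iface) rows into (network, gw, iface) tuples."""
    table = []
    for dest, mask, gw, iface in routes:
        # strict=False tolerates host bits in the destination (192.168.0.1/24)
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        table.append((net, gw, iface))
    return table

def lookup(table, dst):
    """Longest-prefix match: the most specific route covering dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [row for row in table if addr in row[0]]
    if not matches:
        return None
    return max(matches, key=lambda row: row[0].prefixlen)

def describe(table, dst):
    """One-line summary of the route chosen for dst."""
    net, gw, iface = lookup(table, dst)
    return f"{dst:<13} -> {str(net):<16} via {gw:<13} dev {iface}"

TABLE = parse(ROUTES)

if __name__ == "__main__":
    # Low half, high half, VPN server endpoint, tunnel gateway, LAN host
    for dst in ("8.8.8.8", "200.1.2.3", "45.74.61.2",
                "45.74.61.193", "192.168.0.7"):
        print(describe(TABLE, dst))
    # Tunnel torn down: tun0 routes vanish, the untouched default takes over.
    vpn_down = [row for row in TABLE if row[2] != "tun0"]
    print("after down:", describe(vpn_down, "8.8.8.8"))
```

The two /1 routes beat the /0 default for every destination, and the /32 route keeps the encrypted packets to 45.74.61.2 on net0 so the tunnel is not routed into itself.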
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1844 Location: Oranienburg/Germany
|
Posted: Thu Jan 05, 2017 6:30 am Post subject: |
|
|
curmudgeon wrote: | ...
This is what the device (and routing table) SHOULD look like (using a different provider):
Code: |
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.6.22 netmask 255.255.255.255 destination 10.10.6.21
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 116 (116.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
$ /bin/route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.10.6.21 0.0.0.0 UG 0 0 0 tun0
10.10.6.1 10.10.6.21 255.255.255.255 UGH 0 0 0 tun0
10.10.6.21 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
104.247.220.10 192.168.0.1 255.255.255.255 UGH 0 0 0 net0
loopback localhost 255.0.0.0 UG 0 0 0 lo
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 net0
|
I found the option (in /etc/conf.d/openvpn) to control whether or not openvpn updates resolv.conf. |
As you can see with the different provider, you only have one default-route instead of two. Have you checked the trafficway via traceroute already? This should show you which hops/gateways are used for accessing the destination server.
I have an IPv6 provider and for v4 it looks like this:
Code: |
root@server:~# traceroute 8.8.8.8 -n
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.0.254 0.471 ms 0.604 ms 0.780 ms
2 192.168.0.254 1.076 ms 1.701 ms 1.962 ms
root@server:~#
|
for ipv6 via a tunnel:
Code: |
root@server:~# traceroute6 2a00:1450:4001:817::2003 -n
»traceroute« zu 2a00:1450:4001:817::2003 (2a00:1450:4001:817::2003) von IPV6-Adress, Port 33434, von Port 50331, maximal 30 Sprünge, 60 Byte Pakete
1 2001:6f8:900:XXXX 22.712 ms 22.681 ms 22.783 ms
2 2001:6f8:862:1::c2e9:c729 22.839 ms 22.812 ms 23.149 ms
3 2001:6f8:862:1::c2e9:c72c 23.643 ms 23.177 ms 23.371 ms
4 2001:7f8::1b1b:0:1 43.154 ms 32.918 ms 89.490 ms
5 2001:7f8::3b41:0:1 33.071 ms 32.798 ms 33.663 ms
6 2001:4860:0:1::19f7 33.425 ms 33.719 ms 33.592 ms
7 2001:4860:0:1::1b39 33.922 ms 33.630 ms 33.218 ms
8 2a00:1450:4001:817::2003 33.499 ms 33.510 ms 33.046 ms
root@server:~#
|
As you can see, it uses different gateways (please ignore that one is IPv4 and one is IPv6, it's just for demonstration).
greets, bb |