From: Ultima
Date: Sun, 23 Apr 2017 00:05:35 -0400
Subject: Re: Openvpn broken when using net.add_addr_allfibs=0, routes are not adding
To: bsd
Cc: FreeBSD Mailing List
In-Reply-To: <1492564334.1388098.948742560.5E2E6A2A@webmail.messagingengine.com>

The problem to me looks to be because there is no ip address on fib 1, but I'm not sure how openvpn can initiate the connect to the vpn with no ip address. Try and ping something using fib 1. The result will probably be no route to host. Many of the route commands are failing in the openvpn log because of this. If a 192.168.0.0/24 ip is added to the fib, this should fix the problem.

Hope this helps,
Ultima

On Tue, Apr 18, 2017 at 9:12 PM, bsd wrote:
> I am trying to use OpenVPN and multiple fibs on FreeBSD 11-p9. The issue is, when I use
> net.add_addr_allfibs=0 instead of net.add_addr_allfibs=1 in my /boot/loader.conf, OpenVPN
> fails to be able to add the routes properly and the VPN will not function properly.
>
> OpenVPN works 100% fine when I use net.add_addr_allfibs=1 but my requirements need this to be
> set to 0 to turn off its behavior of adding routes to all fibs.
>
> # /boot/loader.conf
> net.fibs=3
> net.add_addr_allfibs=0
>
> Since I am using net.add_addr_allfibs=0, I have a clean routing table and I have to add the
> initial route and gateway for my router manually to get fib 1 routeable to the internet.
>
> # setfib 1 route add -net 192.168.0.0/24 -iface ue0
> # setfib 1 route add default 192.168.0.1
>
> For some odd reason I must also bring up a tun device manually otherwise OpenVPN cannot.
> I have set my config to use tun10 for this test.
>
> # sysrc openvpn_if="tun10"
> # ifconfig tun10 up
>
> My routing table before I start
>
> # setfib 1 netstat -rn
> Routing tables (fib: 1)
>
> Internet:
> Destination        Gateway            Flags  Netif Expire
> default            192.168.0.1        UGS    ue0
> 127.0.0.1          lo0                UHS    lo0
> 192.168.0.0/24     b8:27:eb:fd:22:10  US     ue0
>
> Internet6:
> Destination        Gateway            Flags  Netif Expire
> ::/96              ::1                UGRS   lo0
> ::1                lo0                UHS    lo0
> ::ffff:0.0.0.0/96  ::1                UGRS   lo0
> fe80::/10          ::1                UGRS   lo0
> fe80::%lo0/64      link#1             U      lo0
> ff02::/16          ::1                UGRS   lo0
>
> Let's try to connect OpenVPN
>
> # setfib 1 openvpn dallas.ovpn
> Thu Oct 27 12:11:32 2016 OpenVPN 2.3.11 armv6-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 25 2016
> Thu Oct 27 12:11:32 2016 library versions: OpenSSL 1.0.2j-freebsd 26 Sep 2016, LZO 2.09
> Thu Oct 27 12:11:32 2016 Control Channel Authentication: tls-auth using INLINE static key file
> Thu Oct 27 12:11:32 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Thu Oct 27 12:11:32 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Thu Oct 27 12:11:32 2016 Socket Buffers: R=[42080->42080] S=[9216->9216]
> Thu Oct 27 12:11:32 2016 UDPv4 link local: [undef]
> Thu Oct 27 12:11:32 2016 UDPv4 link remote: [AF_INET]107.183.238.186:443
> Thu Oct 27 12:11:32 2016 TLS: Initial packet from [AF_INET]107.183.238.186:443, sid=c8b24ffa a8737d61
> Thu Oct 27 12:11:32 2016 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
> Thu Oct 27 12:11:32 2016 Validating certificate key usage
> Thu Oct 27 12:11:32 2016 ++ Certificate has key usage 00a0, expects 00a0
> Thu Oct 27 12:11:32 2016 VERIFY KU OK
> Thu Oct 27 12:11:32 2016 Validating certificate extended key usage
> Thu Oct 27 12:11:32 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
> Thu Oct 27 12:11:32 2016 VERIFY EKU OK
> Thu Oct 27 12:11:32 2016 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
> Thu Oct 27 12:11:36 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
> Thu Oct 27 12:11:36 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Thu Oct 27 12:11:36 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
> Thu Oct 27 12:11:36 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Thu Oct 27 12:11:36 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
> Thu Oct 27 12:11:36 2016 [server] Peer Connection Initiated with [AF_INET]107.183.238.186:443
> Thu Oct 27 12:11:39 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
> Thu Oct 27 12:11:39 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.17.25 255.255.0.0'
> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: timers and/or timeouts modified
> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: LZO parms modified
> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: --ifconfig/up options modified
> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: route options modified
> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: route-related options modified
> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
> Thu Oct 27 12:11:39 2016 ROUTE_GATEWAY 192.168.0.1
> Thu Oct 27 12:11:39 2016 TUN/TAP device tun10 exists previously, keep at program end
> Thu Oct 27 12:11:39 2016 TUN/TAP device /dev/tun10 opened
> Thu Oct 27 12:11:39 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
> Thu Oct 27 12:11:39 2016 /sbin/ifconfig tun10 10.4.17.25 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
> Thu Oct 27 12:11:39 2016 /sbin/route add -net 10.4.0.0 10.4.17.25 255.255.0.0
> route: writing to routing socket: Network is unreachable
> add net 10.4.0.0: gateway 10.4.17.25 fib 1: Network is unreachable
> Thu Oct 27 12:11:39 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
> Thu Oct 27 12:11:44 2016 /sbin/route add -net 107.183.238.186 192.168.0.1 255.255.255.255
> add net 107.183.238.186: gateway 192.168.0.1 fib 1
> Thu Oct 27 12:11:44 2016 /sbin/route add -net 0.0.0.0 10.4.0.1 128.0.0.0
> route: writing to routing socket: Network is unreachable
> add net 0.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
> Thu Oct 27 12:11:44 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
> Thu Oct 27 12:11:44 2016 /sbin/route add -net 128.0.0.0 10.4.0.1 128.0.0.0
> route: writing to routing socket: Network is unreachable
> add net 128.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
> Thu Oct 27 12:11:44 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
> Thu Oct 27 12:11:44 2016 Initialization Sequence Completed
>
> The routes are failing to add and the VPN is not configured properly in the end.
>
> My routing table now. We can see that the VPN did not configure properly. The desired
> behavior is that it would set the VPN to be the default gateway and route all traffic
> over it, but only for FIB 1.
>
> # setfib 1 netstat -rn
> Routing tables (fib: 1)
>
> Internet:
> Destination        Gateway            Flags  Netif Expire
> default            192.168.0.1        UGS    ue0
> 107.183.238.186/32 192.168.0.1        UGS    ue0
> 127.0.0.1          lo0                UHS    lo0
> 192.168.0.0/24     b8:27:eb:fd:22:10  US     ue0
>
> Internet6:
> Destination        Gateway            Flags  Netif Expire
> ::/96              ::1                UGRS   lo0
> ::1                lo0                UHS    lo0
> ::ffff:0.0.0.0/96  ::1                UGRS   lo0
> fe80::/10          ::1                UGRS   lo0
> fe80::%lo0/64      link#1             U      lo0
> ff02::/16          ::1                UGRS   lo0
>
> Is this a bug or have I missed something?
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
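The failure pattern in the log can be predicted from the fib 1 table alone: route(8) rejects a gateway that no non-default route in that FIB covers, and with net.add_addr_allfibs=0 the tun10 address from ifconfig never lands in fib 1. The script below is an added example, not code from the thread or from OpenVPN; it runs offline on a constructed copy of the fib 1 table quoted in the post and reports which of the three gateways OpenVPN handed to route(8) would fail. A "would fail" result for the redirect-gateway routes means fib 1 traffic keeps leaving via the LAN default route instead of the tunnel.

```shell
# Constructed copy of the IPv4 part of the "setfib 1 netstat -rn" table
# from the post (before OpenVPN is started).
FIB1_TABLE='Destination        Gateway            Flags  Netif Expire
default            192.168.0.1        UGS    ue0
127.0.0.1          lo0                UHS    lo0
192.168.0.0/24     b8:27:eb:fd:22:10  US     ue0'

ip2int() {  # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# gateway_covered TABLE GATEWAY: prints the matching destination and
# returns 0 if a non-default IPv4 route covers GATEWAY, else returns 1.
# "default" is skipped on purpose: a gateway reachable only through
# another gateway is exactly what route(8) reports as
# "Network is unreachable" in the log.
gateway_covered() {
  local table=$1 gwi dest _rest pfx plen mask
  gwi=$(ip2int "$2")
  while read -r dest _rest; do
    case $dest in
      Destination|default|*:*|'') continue ;;   # header, default, IPv6, blank
      */*) pfx=${dest%/*}; plen=${dest#*/} ;;     # network route
      *)   pfx=$dest;      plen=32 ;;             # host route
    esac
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    if [ $(( $(ip2int "$pfx") & mask )) -eq $(( gwi & mask )) ]; then
      echo "$dest"; return 0
    fi
  done <<EOF
$table
EOF
  return 1
}

# The three gateways OpenVPN passed to route(8) in the post's log:
# the tun10 address, the LAN router, and the pushed route-gateway.
check_openvpn_routes() {
  local gw via
  for gw in 10.4.17.25 192.168.0.1 10.4.0.1; do
    if via=$(gateway_covered "$FIB1_TABLE" "$gw"); then
      echo "gateway $gw: ok, covered by $via"
    else
      echo "gateway $gw: route add would fail: Network is unreachable"
    fi
  done
}
check_openvpn_routes
```

Only the 192.168.0.1 route passes, matching the one "add net 107.183.238.186" line in the log that has no error; feeding the script a table captured after adding an address to fib 1 shows whether the fix took.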