From: bsd <bsd@stuckat99.com>
To: Ultima
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Date: Sun, 30 Apr 2017 19:28:53 -0700
Subject: Re: Openvpn broken when using net.add_addr_allfibs=0, routes are not adding

Hello,

I tried adding an IP for fib 1 and I am having the same results.
My routing table before adding any IPs:

setfib 1 netstat -rn

Internet:
Destination        Gateway            Flags     Netif Expire
127.0.0.1          lo0                UHS         lo0

Internet6:
Destination        Gateway            Flags     Netif Expire
::/96              ::1                UGRS        lo0
::1                lo0                UHS         lo0
::ffff:0.0.0.0/96  ::1                UGRS        lo0
fe80::/10          ::1                UGRS        lo0
fe80::%lo0/64      link#3             U           lo0
ff02::/16          ::1                UGRS        lo0

Adding an IP for fib 1, and adding the route and gateway:

ifconfig em0 inet 192.168.0.140/24 add fib 1
setfib 1 route add -net 192.168.0.0/24 -iface em0
setfib 1 route add default 192.168.0.1

My routing table now:

setfib 1 netstat -rn
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.0.1        UGS         em0
127.0.0.1          lo0                UHS         lo0
192.168.0.0/24     00:1d:09:7d:e4:d6  US          em0
192.168.0.140      link#1             UHS         lo0

Internet6:
Destination        Gateway            Flags     Netif Expire
::/96              ::1                UGRS        lo0
::1                lo0                UHS         lo0
::ffff:0.0.0.0/96  ::1                UGRS        lo0
fe80::/10          ::1                UGRS        lo0
fe80::%lo0/64      link#3             U           lo0
ff02::/16          ::1                UGRS        lo0

A ping test for good measure:

ping -c 2 google.com
PING google.com (172.217.11.78): 56 data bytes
64 bytes from 172.217.11.78: icmp_seq=0 ttl=55 time=27.301 ms
64 bytes from 172.217.11.78: icmp_seq=1 ttl=55 time=20.904 ms

--- google.com ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 20.904/24.102/27.301/3.198 ms

What happens when I test the VPN:

setfib 1 openvpn myvpn.ovpn
Thu Mar 30 19:26:39 2017 OpenVPN 2.4.1 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Apr 29 2017
Thu Mar 30 19:26:39 2017 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
Thu Mar 30 19:26:39 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 30 19:26:39 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 30 19:26:39 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]107.183.238.186:443
Thu Mar 30 19:26:39 2017 Socket Buffers: R=[42080->42080] S=[9216->9216]
Thu Mar 30 19:26:39 2017 UDP link local: (not bound)
Thu Mar 30 19:26:39 2017 UDP link remote: [AF_INET]107.183.238.186:443
Thu Mar 30 19:26:39 2017 TLS: Initial packet from [AF_INET]107.183.238.186:443, sid=aba0890c 250effe8
Thu Mar 30 19:26:39 2017 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Thu Mar 30 19:26:39 2017 VERIFY KU OK
Thu Mar 30 19:26:39 2017 Validating certificate extended key usage
Thu Mar 30 19:26:39 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Mar 30 19:26:39 2017 VERIFY EKU OK
Thu Mar 30 19:26:39 2017 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Thu Mar 30 19:26:39 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Mar 30 19:26:39 2017 [server] Peer Connection Initiated with [AF_INET]107.183.238.186:443
Thu Mar 30 19:26:40 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Mar 30 19:26:40 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.17.25 255.255.0.0'
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: timers and/or timeouts modified
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: compression parms modified
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: --ifconfig/up options modified
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: route options modified
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: route-related options modified
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Mar 30 19:26:40 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Mar 30 19:26:40 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 30 19:26:40 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Mar 30 19:26:40 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 30 19:26:40 2017 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=em0 HWADDR=00:1d:09:7d:e4:d6
Thu Mar 30 19:26:40 2017 TUN/TAP device /dev/tun0 opened
Thu Mar 30 19:26:40 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Mar 30 19:26:40 2017 /sbin/ifconfig tun0 10.4.17.25 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
Thu Mar 30 19:26:40 2017 /sbin/route add -net 10.4.0.0 10.4.0.1 255.255.0.0
route: writing to routing socket: Network is unreachable
add net 10.4.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
Thu Mar 30 19:26:40 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Thu Mar 30 19:26:45 2017 /sbin/route add -net 107.183.238.186 192.168.0.1 255.255.255.255
add net 107.183.238.186: gateway 192.168.0.1 fib 1
Thu Mar 30 19:26:45 2017 /sbin/route add -net 0.0.0.0 10.4.0.1 128.0.0.0
route: writing to routing socket: Network is unreachable
add net 0.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
Thu Mar 30 19:26:45 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Thu Mar 30 19:26:45 2017 /sbin/route add -net 128.0.0.0 10.4.0.1 128.0.0.0
route: writing to routing socket: Network is unreachable
add net 128.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
Thu Mar 30 19:26:45 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Thu Mar 30 19:26:45 2017 Initialization Sequence Completed

Of course if I try this on fib 0 it works just fine and adds all the routes.

On Sat, Apr 22, 2017, at 09:05 PM, Ultima wrote:
> The problem to me looks to be because there is no IP address on fib 1,
> but I'm not sure how openvpn can initiate the connect to the VPN with
> no IP address. Try and ping something using fib 1. The result will
> probably be no route to host. Many of the route commands are failing
> in the openvpn log because of this.
> If a 192.168.0.0/24 IP is added
> to the fib, this should fix the problem.
>
> Hope this helps,
> Ultima
>
> On Tue, Apr 18, 2017 at 9:12 PM, bsd wrote:
>> I am trying to use OpenVPN and multiple fibs on FreeBSD 11-p9. The issue
>> is, when I use net.add_addr_allfibs=0 instead of net.add_addr_allfibs=1 in my
>> /boot/loader.conf, OpenVPN fails to be able to add the routes properly and the
>> VPN will not function properly.
>>
>> OpenVPN works 100% fine when I use net.add_addr_allfibs=1 but my
>> requirements need this to be set to 0 to turn off its behavior of adding
>> routes to all fibs.
>>
>> # /boot/loader.conf
>> net.fibs=3
>> net.add_addr_allfibs=0
>>
>> Since I am using net.add_addr_allfibs=0, I have a clean routing table
>> and I have to add the initial route and gateway for my router manually
>> to get fib 1 routeable to the internet.
>>
>> # setfib 1 route add -net 192.168.0.0/24 -iface ue0
>> # setfib 1 route add default 192.168.0.1
>>
>> For some odd reason I must also bring up a tun device manually, otherwise
>> OpenVPN cannot. I have set my config to use tun10 for this test.
>>
>> # sysrc openvpn_if="tun10"
>> # ifconfig tun10 up
>>
>> My routing table before I start:
>>
>> # setfib 1 netstat -rn
>> Routing tables (fib: 1)
>>
>> Internet:
>> Destination        Gateway            Flags     Netif Expire
>> default            192.168.0.1        UGS         ue0
>> 127.0.0.1          lo0                UHS         lo0
>> 192.168.0.0/24     b8:27:eb:fd:22:10  US          ue0
>>
>> Internet6:
>> Destination        Gateway            Flags     Netif Expire
>> ::/96              ::1                UGRS        lo0
>> ::1                lo0                UHS         lo0
>> ::ffff:0.0.0.0/96  ::1                UGRS        lo0
>> fe80::/10          ::1                UGRS        lo0
>> fe80::%lo0/64      link#1             U           lo0
>> ff02::/16          ::1                UGRS        lo0
>> [sean@rpi2 ~]$
>>
>> Let's try to connect OpenVPN:
>>
>> # setfib 1 openvpn dallas.ovpn
>> Thu Oct 27 12:11:32 2016 OpenVPN 2.3.11 armv6-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 25 2016
>> Thu Oct 27 12:11:32 2016 library versions: OpenSSL 1.0.2j-freebsd 26 Sep 2016, LZO 2.09
>> Thu Oct 27 12:11:32 2016 Control Channel Authentication: tls-auth using INLINE static key file
>> Thu Oct 27 12:11:32 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Oct 27 12:11:32 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Oct 27 12:11:32 2016 Socket Buffers: R=[42080->42080] S=[9216->9216]
>> Thu Oct 27 12:11:32 2016 UDPv4 link local: [undef]
>> Thu Oct 27 12:11:32 2016 UDPv4 link remote: [AF_INET]107.183.238.186:443
>> Thu Oct 27 12:11:32 2016 TLS: Initial packet from [AF_INET]107.183.238.186:443, sid=c8b24ffa a8737d61
>> Thu Oct 27 12:11:32 2016 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
>> Thu Oct 27 12:11:32 2016 Validating certificate key usage
>> Thu Oct 27 12:11:32 2016 ++ Certificate has key usage 00a0, expects 00a0
>> Thu Oct 27 12:11:32 2016 VERIFY KU OK
>> Thu Oct 27 12:11:32 2016 Validating certificate extended key usage
>> Thu Oct 27 12:11:32 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
>> Thu Oct 27 12:11:32 2016 VERIFY EKU OK
>> Thu Oct 27 12:11:32 2016 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
>> Thu Oct 27 12:11:36 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
>> Thu Oct 27 12:11:36 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Oct 27 12:11:36 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
>> Thu Oct 27 12:11:36 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Oct 27 12:11:36 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
>> Thu Oct 27 12:11:36 2016 [server] Peer Connection Initiated with [AF_INET]107.183.238.186:443
>> Thu Oct 27 12:11:39 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
>> Thu Oct 27 12:11:39 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.17.25 255.255.0.0'
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: timers and/or timeouts modified
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: LZO parms modified
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: --ifconfig/up options modified
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: route options modified
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: route-related options modified
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
>> Thu Oct 27 12:11:39 2016 ROUTE_GATEWAY 192.168.0.1
>> Thu Oct 27 12:11:39 2016 TUN/TAP device tun10 exists previously, keep at program end
>> Thu Oct 27 12:11:39 2016 TUN/TAP device /dev/tun10 opened
>> Thu Oct 27 12:11:39 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
>> Thu Oct 27 12:11:39 2016 /sbin/ifconfig tun10 10.4.17.25 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
>> Thu Oct 27 12:11:39 2016 /sbin/route add -net 10.4.0.0 10.4.17.25 255.255.0.0
>> route: writing to routing socket: Network is unreachable
>> add net 10.4.0.0: gateway 10.4.17.25 fib 1: Network is unreachable
>> Thu Oct 27 12:11:39 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>> Thu Oct 27 12:11:44 2016 /sbin/route add -net 107.183.238.186 192.168.0.1 255.255.255.255
>> add net 107.183.238.186: gateway 192.168.0.1 fib 1
>> Thu Oct 27 12:11:44 2016 /sbin/route add -net 0.0.0.0 10.4.0.1 128.0.0.0
>> route: writing to routing socket: Network is unreachable
>> add net 0.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
>> Thu Oct 27 12:11:44 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>> Thu Oct 27 12:11:44 2016 /sbin/route add -net 128.0.0.0 10.4.0.1 128.0.0.0
>> route: writing to routing socket: Network is unreachable
>> add net 128.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
>> Thu Oct 27 12:11:44 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>> Thu Oct 27 12:11:44 2016 Initialization Sequence Completed
>>
>> The routes are failing to add and the VPN is not configured properly in the end.
>>
>> My routing table now. We can see that the VPN did not configure
>> properly. The desired behavior is that it would set the VPN to be the
>> default gateway and route all traffic over it, but only for FIB 1.
>>
>> # setfib 1 netstat -rn
>> Routing tables (fib: 1)
>>
>> Internet:
>> Destination         Gateway            Flags     Netif Expire
>> default             192.168.0.1        UGS         ue0
>> 107.183.238.186/32  192.168.0.1        UGS         ue0
>> 127.0.0.1           lo0                UHS         lo0
>> 192.168.0.0/24      b8:27:eb:fd:22:10  US          ue0
>>
>> Internet6:
>> Destination        Gateway            Flags     Netif Expire
>> ::/96              ::1                UGRS        lo0
>> ::1                lo0                UHS         lo0
>> ::ffff:0.0.0.0/96  ::1                UGRS        lo0
>> fe80::/10          ::1                UGRS        lo0
>> fe80::%lo0/64      link#1             U           lo0
>> ff02::/16          ::1                UGRS        lo0
>>
>> Is this a bug or have I missed something?
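Neither message in the thread includes a way to confirm, after "Initialization Sequence Completed", whether the pushed redirect-gateway def1 routes really landed in the target FIB, so here is an added check (example code, not from the thread, from OpenVPN or from FreeBSD) that reads a FIB's netstat -rn output and reports whether the two def1 halves and the host route to the VPN server are present. It assumes netstat's Destination/Gateway/Flags/Netif column order and uses the addresses and interface names from the thread; the routing tables embedded in it are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN: check whether OpenVPN's
# "redirect-gateway def1" took effect in the FIB whose "netstat -rn" output is on stdin.
# With def1 OpenVPN leaves the real default route alone and adds 0.0.0.0/1 and
# 128.0.0.0/1 via the VPN gateway, plus a /32 host route to the VPN server via the LAN
# gateway. If either half is missing (as in the thread, where "route add" failed with
# "Network is unreachable"), that FIB still sends traffic out the physical interface.

# has_route DEST GATEWAY NETIF: succeed if $TABLE holds a line with those three columns
# (assumes netstat's Destination, Gateway, Flags, Netif column order)
has_route() {
    printf '%s\n' "$TABLE" | awk -v d="$1" -v g="$2" -v n="$3" '
        $1 == d && $2 == g && $4 == n { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# vpn_redirect_ok VPN_GW TUN_IF SERVER_IP LAN_GW LAN_IF  (routing table on stdin)
# returns 0 when all three expected routes are present, 1 otherwise
vpn_redirect_ok() {
    TABLE=$(cat)
    has_route 0.0.0.0/1   "$1" "$2" &&
    has_route 128.0.0.0/1 "$1" "$2" &&
    has_route "$3/32"     "$4" "$5"
}

# Constructed sample modeled on the thread's FIB 1 after the failed run: only the
# host route to the server was added, the def1 halves are missing.
SAMPLE_BROKEN='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.0.1        UGS         em0
107.183.238.186/32 192.168.0.1        UGS         em0
127.0.0.1          lo0                UHS         lo0
192.168.0.0/24     00:1d:09:7d:e4:d6  US          em0'

# Constructed sample of the table once every route add has succeeded.
SAMPLE_OK="$SAMPLE_BROKEN
0.0.0.0/1          10.4.0.1           UGS        tun0
10.4.0.0/16        10.4.0.1           UGS        tun0
128.0.0.0/1        10.4.0.1           UGS        tun0"

# On the box from the thread: setfib 1 netstat -rn | vpn_redirect_ok 10.4.0.1 tun0 107.183.238.186 192.168.0.1 em0
for t in "$SAMPLE_BROKEN" "$SAMPLE_OK"; do
    if printf '%s\n' "$t" | vpn_redirect_ok 10.4.0.1 tun0 107.183.238.186 192.168.0.1 em0; then
        echo "FIB 1: all traffic redirected through the VPN"
    else
        echo "FIB 1: VPN redirect incomplete, traffic would leave via the LAN gateway"
    fi
done
```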