Date:      Sun, 30 Apr 2017 19:28:53 -0700
From:      bsd <bsd@stuckat99.com>
To:        Ultima <ultima1252@gmail.com>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Openvpn broken when using net.add_addr_allfibs=0, routes are not adding
Message-ID:  <1493605733.1488526.961336144.23ECCC12@webmail.messagingengine.com>
In-Reply-To: <CANJ8om5ig9nudoD%2BAjEU72XqtB=-MvpjnKNygsp%2B3UVHBGLU0w@mail.gmail.com>
References:  <1492564334.1388098.948742560.5E2E6A2A@webmail.messagingengine.com> <CANJ8om5ig9nudoD%2BAjEU72XqtB=-MvpjnKNygsp%2B3UVHBGLU0w@mail.gmail.com>

Hello,

I tried adding an IP for fib 1 and I am having the same results.

My routing table before adding any IPs

setfib 1 netstat -rn 
Internet:
Destination        Gateway            Flags     Netif Expire
127.0.0.1          lo0                UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               lo0                           UHS         lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#3                        U           lo0
ff02::/16                         ::1                           UGRS        lo0

Adding an IP for fib 1, and adding the route and gateway

ifconfig em0 inet 192.168.0.140/24  add fib 1
setfib 1 route add -net 192.168.0.0/24 -iface em0
setfib 1 route add default 192.168.0.1

My routing table now

setfib 1 netstat -rn
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.0.1        UGS         em0
127.0.0.1          lo0                UHS         lo0
192.168.0.0/24     00:1d:09:7d:e4:d6  US          em0
192.168.0.140      link#1             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               lo0                           UHS         lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#3                        U           lo0
ff02::/16                         ::1                           UGRS        lo0

A ping test for good measure

ping -c 2 google.com
PING google.com (172.217.11.78): 56 data bytes
64 bytes from 172.217.11.78: icmp_seq=0 ttl=55 time=27.301 ms
64 bytes from 172.217.11.78: icmp_seq=1 ttl=55 time=20.904 ms

--- google.com ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 20.904/24.102/27.301/3.198 ms


What happens when I test the vpn

setfib 1 openvpn myvpn.ovpn

Thu Mar 30 19:26:39 2017 OpenVPN 2.4.1 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Apr 29 2017
Thu Mar 30 19:26:39 2017 library versions: OpenSSL 1.0.2k-freebsd  26 Jan 2017, LZO 2.10
Thu Mar 30 19:26:39 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 30 19:26:39 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 30 19:26:39 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]107.183.238.186:443
Thu Mar 30 19:26:39 2017 Socket Buffers: R=[42080->42080] S=[9216->9216]
Thu Mar 30 19:26:39 2017 UDP link local: (not bound)
Thu Mar 30 19:26:39 2017 UDP link remote: [AF_INET]107.183.238.186:443
Thu Mar 30 19:26:39 2017 TLS: Initial packet from [AF_INET]107.183.238.186:443, sid=aba0890c 250effe8
Thu Mar 30 19:26:39 2017 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Thu Mar 30 19:26:39 2017 VERIFY KU OK
Thu Mar 30 19:26:39 2017 Validating certificate extended key usage
Thu Mar 30 19:26:39 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Mar 30 19:26:39 2017 VERIFY EKU OK
Thu Mar 30 19:26:39 2017 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Thu Mar 30 19:26:39 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Mar 30 19:26:39 2017 [server] Peer Connection Initiated with [AF_INET]107.183.238.186:443
Thu Mar 30 19:26:40 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Mar 30 19:26:40 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.17.25 255.255.0.0'
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: timers and/or timeouts modified
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: compression parms modified
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: --ifconfig/up options modified
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: route options modified
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: route-related options modified
Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Mar 30 19:26:40 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Mar 30 19:26:40 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 30 19:26:40 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Mar 30 19:26:40 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 30 19:26:40 2017 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=em0 HWADDR=00:1d:09:7d:e4:d6
Thu Mar 30 19:26:40 2017 TUN/TAP device /dev/tun0 opened
Thu Mar 30 19:26:40 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Mar 30 19:26:40 2017 /sbin/ifconfig tun0 10.4.17.25 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
Thu Mar 30 19:26:40 2017 /sbin/route add -net 10.4.0.0 10.4.0.1 255.255.0.0
route: writing to routing socket: Network is unreachable
add net 10.4.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
Thu Mar 30 19:26:40 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Thu Mar 30 19:26:45 2017 /sbin/route add -net 107.183.238.186 192.168.0.1 255.255.255.255
add net 107.183.238.186: gateway 192.168.0.1 fib 1
Thu Mar 30 19:26:45 2017 /sbin/route add -net 0.0.0.0 10.4.0.1 128.0.0.0
route: writing to routing socket: Network is unreachable
add net 0.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
Thu Mar 30 19:26:45 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Thu Mar 30 19:26:45 2017 /sbin/route add -net 128.0.0.0 10.4.0.1 128.0.0.0
route: writing to routing socket: Network is unreachable
add net 128.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
Thu Mar 30 19:26:45 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Thu Mar 30 19:26:45 2017 Initialization Sequence Completed


Of course if I try this on fib 0 it works just fine and adds all
the routes.




On Sat, Apr 22, 2017, at 09:05 PM, Ultima wrote:
> The problem to me looks to be because there is no ip address on fib 1,
> but I'm not sure how openvpn can initiate the connect to the vpn with
> no ip address. Try and ping something using fib 1. The result will
> probably be no route to host. Many of the route commands are failing
> in the openvpn log because of this. If an 192.168.0.0/24 ip is added
> to the fib, this should fix the problem.
> 
> Hope this helps,
> Ultima
> 
> On Tue, Apr 18, 2017 at 9:12 PM, bsd <bsd@stuckat99.com> wrote:
>> I am trying to use OpenVPN and multiple fibs on FreeBSD 11-p9.
>> The issue is, when I use net.add_addr_allfibs=0 instead of
>> net.add_addr_allfibs=1 in my /boot/loader.conf, OpenVPN fails to be
>> able to add the routes properly and the VPN will not function properly.
>>
>> OpenVPN works 100% fine when I use net.add_addr_allfibs=1 but my
>> requirements need this to be set to 0 to turn off its behavior of
>> adding routes to all fibs.
>> 
>>  # /boot/loader.conf
>>  net.fibs=3
>>  net.add_addr_allfibs=0
>> 
>> Since I am using net.add_addr_allfibs=0, I have a clean routing table
>> and I have to add the initial route and gateway for my router manually
>> to get fib 1 routeable to the internet.
>> 
>>  # setfib 1 route add -net 192.168.0.0/24 -iface ue0
>>  # setfib 1 route add default 192.168.0.1
>> 
>> For some odd reason I must also bring up a tun device manually,
>> otherwise OpenVPN cannot. I have set my config to use tun10 for this
>> test.
>> 
>>  # sysrc openvpn_if="tun10"
>>  # ifconfig tun10 up
>> 
>>  My routing table before I start
>> 
>>  # setfib 1 netstat -rn
>>  Routing tables (fib: 1)
>> 
>>  Internet:
>>  Destination        Gateway            Flags     Netif Expire
>>  default            192.168.0.1        UGS         ue0
>>  127.0.0.1          lo0                UHS         lo0
>> 192.168.0.0/24     b8:27:eb:fd:22:10  US          ue0
>> 
>> Internet6:
>> Destination                       Gateway                       Flags     Netif Expire
>> ::/96                             ::1                           UGRS        lo0
>> ::1                               lo0                           UHS         lo0
>> ::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
>> fe80::/10                         ::1                           UGRS        lo0
>> fe80::%lo0/64                     link#1                        U           lo0
>> ff02::/16                         ::1                           UGRS        lo0
>> 
>> Let's try to connect OpenVPN
>> 
>>  # setfib 1 openvpn dallas.ovpn
>> Thu Oct 27 12:11:32 2016 OpenVPN 2.3.11 armv6-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 25 2016
>> Thu Oct 27 12:11:32 2016 library versions: OpenSSL 1.0.2j-freebsd  26 Sep 2016, LZO 2.09
>> Thu Oct 27 12:11:32 2016 Control Channel Authentication: tls-auth using INLINE static key file
>> Thu Oct 27 12:11:32 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Oct 27 12:11:32 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Oct 27 12:11:32 2016 Socket Buffers: R=[42080->42080] S=[9216->9216]
>> Thu Oct 27 12:11:32 2016 UDPv4 link local: [undef]
>> Thu Oct 27 12:11:32 2016 UDPv4 link remote: [AF_INET]107.183.238.186:443
>> Thu Oct 27 12:11:32 2016 TLS: Initial packet from [AF_INET]107.183.238.186:443, sid=c8b24ffa a8737d61
>> Thu Oct 27 12:11:32 2016 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
>> Thu Oct 27 12:11:32 2016 Validating certificate key usage
>> Thu Oct 27 12:11:32 2016 ++ Certificate has key usage  00a0, expects 00a0
>> Thu Oct 27 12:11:32 2016 VERIFY KU OK
>> Thu Oct 27 12:11:32 2016 Validating certificate extended key usage
>> Thu Oct 27 12:11:32 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
>> Thu Oct 27 12:11:32 2016 VERIFY EKU OK
>> Thu Oct 27 12:11:32 2016 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
>> Thu Oct 27 12:11:36 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
>> Thu Oct 27 12:11:36 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Oct 27 12:11:36 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
>> Thu Oct 27 12:11:36 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Oct 27 12:11:36 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
>> Thu Oct 27 12:11:36 2016 [server] Peer Connection Initiated with [AF_INET]107.183.238.186:443
>> Thu Oct 27 12:11:39 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
>> Thu Oct 27 12:11:39 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.17.25 255.255.0.0'
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: timers and/or timeouts modified
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: LZO parms modified
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: --ifconfig/up options modified
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: route options modified
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: route-related options modified
>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
>> Thu Oct 27 12:11:39 2016 ROUTE_GATEWAY 192.168.0.1
>> Thu Oct 27 12:11:39 2016 TUN/TAP device tun10 exists previously, keep at program end
>> Thu Oct 27 12:11:39 2016 TUN/TAP device /dev/tun10 opened
>> Thu Oct 27 12:11:39 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
>> Thu Oct 27 12:11:39 2016 /sbin/ifconfig tun10 10.4.17.25 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
>> Thu Oct 27 12:11:39 2016 /sbin/route add -net 10.4.0.0 10.4.17.25 255.255.0.0
>> route: writing to routing socket: Network is unreachable
>> add net 10.4.0.0: gateway 10.4.17.25 fib 1: Network is unreachable
>> Thu Oct 27 12:11:39 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>> Thu Oct 27 12:11:44 2016 /sbin/route add -net 107.183.238.186 192.168.0.1 255.255.255.255
>> add net 107.183.238.186: gateway 192.168.0.1 fib 1
>> Thu Oct 27 12:11:44 2016 /sbin/route add -net 0.0.0.0 10.4.0.1 128.0.0.0
>> route: writing to routing socket: Network is unreachable
>> add net 0.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
>> Thu Oct 27 12:11:44 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>> Thu Oct 27 12:11:44 2016 /sbin/route add -net 128.0.0.0 10.4.0.1 128.0.0.0
>> route: writing to routing socket: Network is unreachable
>> add net 128.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
>> Thu Oct 27 12:11:44 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>> Thu Oct 27 12:11:44 2016 Initialization Sequence Completed
>> 
>> The routes are failing to add and the VPN is not configured properly
>> in the end.
>>
>> My routing table now. We can see that the VPN did not configure
>> properly. The desired behavior is that it would set the VPN to be the
>> default gateway and route all traffic over it, but only for FIB 1.
>> 
>>  # setfib 1 netstat -rn
>>  Routing tables (fib: 1)
>> 
>>  Internet:
>>  Destination        Gateway            Flags     Netif Expire
>>  default            192.168.0.1        UGS         ue0
>> 107.183.238.186/32 192.168.0.1        UGS         ue0
>>  127.0.0.1          lo0                UHS         lo0
>> 192.168.0.0/24     b8:27:eb:fd:22:10  US          ue0
>> 
>> Internet6:
>> Destination                       Gateway                       Flags     Netif Expire
>> ::/96                             ::1                           UGRS        lo0
>> ::1                               lo0                           UHS         lo0
>> ::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
>> fe80::/10                         ::1                           UGRS        lo0
>> fe80::%lo0/64                     link#1                        U           lo0
>> ff02::/16                         ::1                           UGRS        lo0
>> 
>> 
>>  Is this a bug or have I missed something?
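The "Network is unreachable" failures in both logs come from the same place: in fib 1 the pushed gateway 10.4.0.1 is covered by nothing more specific than the default route, because the tun interface's connected route was installed in the interface's own fib (fib 0) rather than in the fib OpenVPN was started under. The script below is an added example, not code from the thread, OpenVPN or FreeBSD; it parses the fib 1 table shown in the reply and models the kernel's rule that a gateway reachable only through the default router is dismissed (FreeBSD's ifa_ifwithroute_fib() check), with the tun0 route added at the end as an assumption of what fib 1 is missing.

```python
# Added example (not code from the thread, OpenVPN or FreeBSD). Models the
# kernel rule behind "Network is unreachable": route add <dst> <gw> needs <gw>
# to resolve, in the chosen fib, to something more specific than the default.
import ipaddress

# Constructed from the fib 1 table in the reply (after the em0 address was added).
FIB1_TABLE = """\
Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.0.1        UGS         em0
127.0.0.1          lo0                UHS         lo0
192.168.0.0/24     00:1d:09:7d:e4:d6  US          em0
192.168.0.140      link#1             UHS         lo0
"""

def parse_netstat(text):
    """Return [(network, gateway, flags)] for the route lines of `netstat -rn`."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gateway, flags = parts[0], parts[1], parts[2]
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        except ValueError:
            continue  # header or other non-route line
        routes.append((net, gateway, flags))
    return routes

def lookup(routes, addr):
    """Longest-prefix match for addr, as the kernel resolves it within one fib."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def route_add_would_succeed(routes, gateway):
    """A gateway covered only by the default route (or by nothing at all) is
    dismissed by FreeBSD's ifa_ifwithroute_fib(), so `route add` fails."""
    hit = lookup(routes, gateway)
    return hit is not None and hit[0].prefixlen > 0

if __name__ == "__main__":
    fib1 = parse_netstat(FIB1_TABLE)
    # Pushed VPN gateway: only the default route covers it in fib 1 -> refused.
    print("10.4.0.1:", route_add_would_succeed(fib1, "10.4.0.1"))        # False
    # LAN router: covered by the connected 192.168.0.0/24 -> accepted.
    print("192.168.0.1:", route_add_would_succeed(fib1, "192.168.0.1"))  # True
    # Assumed missing piece: tun0's connected route, which landed in fib 0.
    fixed = fib1 + parse_netstat("10.4.0.0/16  link#4  U  tun0")
    print("with tun0 route:", route_add_would_succeed(fixed, "10.4.0.1"))  # True
```

The same model explains why the 107.183.238.186/32 route via 192.168.0.1 was the only one that succeeded in both logs.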


