From: Ultima
Date: Sun, 30 Apr 2017 23:47:13 -0400
Subject: Re: Openvpn broken when using net.add_addr_allfibs=0, routes are not adding
To: bsd
Cc: FreeBSD Mailing List

> Thu Mar 30 19:26:40 2017 /sbin/ifconfig tun0 10.4.17.25 10.4.0.1 mtu 1500 netmask 255.255.0.0 up

ifconfig is not respecting setfib on tun interfaces. Manually adding fib 1 at
the end of the command above will properly add it to the correct fib. I suggest
posting a bug on bugzilla about this. This also is occurring on head r317574.

On Sun, Apr 30, 2017 at 10:28 PM, bsd wrote:
> Hello,
>
> I tried adding an ip for fib 1 and I am having the same results.
>
> My routing table before adding any IP's
>
> setfib 1 netstat -rn
> Internet:
> Destination        Gateway            Flags     Netif Expire
> 127.0.0.1          lo0                UHS       lo0
>
> Internet6:
> Destination        Gateway            Flags     Netif Expire
> ::/96              ::1                UGRS      lo0
> ::1                lo0                UHS       lo0
> ::ffff:0.0.0.0/96  ::1                UGRS      lo0
> fe80::/10          ::1                UGRS      lo0
> fe80::%lo0/64      link#3             U         lo0
> ff02::/16          ::1                UGRS      lo0
>
> Adding an IP for fib 1, and adding the route and gateway
>
> ifconfig em0 inet 192.168.0.140/24 add fib 1
> setfib 1 route add -net 192.168.0.0/24 -iface em0
> setfib 1 route add default 192.168.0.1
>
> My routing table now
>
> setfib 1 netstat -rn
> Routing tables (fib: 1)
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            192.168.0.1        UGS       em0
> 127.0.0.1          lo0                UHS       lo0
> 192.168.0.0/24     00:1d:09:7d:e4:d6  US        em0
> 192.168.0.140      link#1             UHS       lo0
>
> Internet6:
> Destination        Gateway            Flags     Netif Expire
> ::/96              ::1                UGRS      lo0
> ::1                lo0                UHS       lo0
> ::ffff:0.0.0.0/96  ::1                UGRS      lo0
> fe80::/10          ::1                UGRS      lo0
> fe80::%lo0/64      link#3             U         lo0
> ff02::/16          ::1                UGRS      lo0
>
> A ping test for good measure
>
> ping -c 2 google.com
> PING google.com (172.217.11.78): 56 data bytes
> 64 bytes from 172.217.11.78: icmp_seq=0 ttl=55 time=27.301 ms
> 64 bytes from 172.217.11.78: icmp_seq=1 ttl=55 time=20.904 ms
>
> --- google.com ping statistics ---
> 2 packets transmitted, 2 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 20.904/24.102/27.301/3.198 ms
>
> What happens when I test the vpn
>
> setfib 1 openvpn myvpn.ovpn
>
> Thu Mar 30 19:26:39 2017 OpenVPN 2.4.1 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Apr 29 2017
> Thu Mar 30 19:26:39 2017 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
> Thu Mar 30 19:26:39 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Thu Mar 30 19:26:39 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Thu Mar 30 19:26:39 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]107.183.238.186:443
> Thu Mar 30 19:26:39 2017 Socket Buffers: R=[42080->42080] S=[9216->9216]
> Thu Mar 30 19:26:39 2017 UDP link local: (not bound)
> Thu Mar 30 19:26:39 2017 UDP link remote: [AF_INET]107.183.238.186:443
> Thu Mar 30 19:26:39 2017 TLS: Initial packet from [AF_INET]107.183.238.186:443, sid=aba0890c 250effe8
> Thu Mar 30 19:26:39 2017 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
> Thu Mar 30 19:26:39 2017 VERIFY KU OK
> Thu Mar 30 19:26:39 2017 Validating certificate extended key usage
> Thu Mar 30 19:26:39 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
> Thu Mar 30 19:26:39 2017 VERIFY EKU OK
> Thu Mar 30 19:26:39 2017 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
> Thu Mar 30 19:26:39 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
> Thu Mar 30 19:26:39 2017 [server] Peer Connection Initiated with [AF_INET]107.183.238.186:443
> Thu Mar 30 19:26:40 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
> Thu Mar 30 19:26:40 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.17.25 255.255.0.0'
> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: timers and/or timeouts modified
> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: compression parms modified
> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: --ifconfig/up options modified
> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: route options modified
> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: route-related options modified
> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
> Thu Mar 30 19:26:40 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
> Thu Mar 30 19:26:40 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Thu Mar 30 19:26:40 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
> Thu Mar 30 19:26:40 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Thu Mar 30 19:26:40 2017 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=em0 HWADDR=00:1d:09:7d:e4:d6
> Thu Mar 30 19:26:40 2017 TUN/TAP device /dev/tun0 opened
> Thu Mar 30 19:26:40 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
> Thu Mar 30 19:26:40 2017 /sbin/ifconfig tun0 10.4.17.25 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
> Thu Mar 30 19:26:40 2017 /sbin/route add -net 10.4.0.0 10.4.0.1 255.255.0.0
> route: writing to routing socket: Network is unreachable
> add net 10.4.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
> Thu Mar 30 19:26:40 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
> Thu Mar 30 19:26:45 2017 /sbin/route add -net 107.183.238.186 192.168.0.1 255.255.255.255
> add net 107.183.238.186: gateway 192.168.0.1 fib 1
> Thu Mar 30 19:26:45 2017 /sbin/route add -net 0.0.0.0 10.4.0.1 128.0.0.0
> route: writing to routing socket: Network is unreachable
> add net 0.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
> Thu Mar 30 19:26:45 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
> Thu Mar 30 19:26:45 2017 /sbin/route add -net 128.0.0.0 10.4.0.1 128.0.0.0
> route: writing to routing socket: Network is unreachable
> add net 128.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
> Thu Mar 30 19:26:45 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
> Thu Mar 30 19:26:45 2017 Initialization Sequence Completed
>
> Of course if I try this on fib 0 it works just fine and adds all the routes.
>
> On Sat, Apr 22, 2017, at 09:05 PM, Ultima wrote:
> > The problem to me looks to be because there is no ip address on fib 1, but
> > I'm not sure how openvpn can initiate the connect to the vpn with no ip
> > address. Try and ping something using fib 1. The result will probably be no
> > route to host. Many of the route commands are failing in the openvpn log
> > because of this. If a 192.168.0.0/24 ip is added to the fib, this should
> > fix the problem.
> >
> > Hope this helps,
> > Ultima
> >
> > On Tue, Apr 18, 2017 at 9:12 PM, bsd wrote:
> > > I am trying to use OpenVPN and multiple fibs on FreeBSD 11-p9. The issue
> > > is, when I use net.add_addr_allfibs=0 instead of net.add_addr_allfibs=1
> > > in my /boot/loader.conf, OpenVPN fails to be able to add the routes
> > > properly and the VPN will not function properly.
> > >
> > > OpenVPN works 100% fine when I use net.add_addr_allfibs=1 but my
> > > requirements need this to be set to 0 to turn off its behavior of adding
> > > routes to all fibs.
> > >
> > > # /boot/loader.conf
> > > net.fibs=3
> > > net.add_addr_allfibs=0
> > >
> > > Since I am using net.add_addr_allfibs=0, I have a clean routing table
> > > and I have to add the initial route and gateway for my router manually
> > > to get fib 1 routeable to the internet.
> > >
> > > # setfib 1 route add -net 192.168.0.0/24 -iface ue0
> > > # setfib 1 route add default 192.168.0.1
> > >
> > > For some odd reason I must also bring up a tun device manually otherwise
> > > OpenVPN cannot. I have set my config to use tun10 for this test.
> > >
> > > # sysrc openvpn_if="tun10"
> > > # ifconfig tun10 up
> > >
> > > My routing table before I start
> > >
> > > # setfib 1 netstat -rn
> > > Routing tables (fib: 1)
> > >
> > > Internet:
> > > Destination        Gateway            Flags     Netif Expire
> > > default            192.168.0.1        UGS       ue0
> > > 127.0.0.1          lo0                UHS       lo0
> > > 192.168.0.0/24     b8:27:eb:fd:22:10  US        ue0
> > >
> > > Internet6:
> > > Destination        Gateway            Flags     Netif Expire
> > > ::/96              ::1                UGRS      lo0
> > > ::1                lo0                UHS       lo0
> > > ::ffff:0.0.0.0/96  ::1                UGRS      lo0
> > > fe80::/10          ::1                UGRS      lo0
> > > fe80::%lo0/64      link#1             U         lo0
> > > ff02::/16          ::1                UGRS      lo0
> > >
> > > Let's try to connect OpenVPN
> > >
> > > # setfib 1 openvpn dallas.ovpn
> > > Thu Oct 27 12:11:32 2016 OpenVPN 2.3.11 armv6-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 25 2016
> > > Thu Oct 27 12:11:32 2016 library versions: OpenSSL 1.0.2j-freebsd 26 Sep 2016, LZO 2.09
> > > Thu Oct 27 12:11:32 2016 Control Channel Authentication: tls-auth using INLINE static key file
> > > Thu Oct 27 12:11:32 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> > > Thu Oct 27 12:11:32 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> > > Thu Oct 27 12:11:32 2016 Socket Buffers: R=[42080->42080] S=[9216->9216]
> > > Thu Oct 27 12:11:32 2016 UDPv4 link local: [undef]
> > > Thu Oct 27 12:11:32 2016 UDPv4 link remote: [AF_INET]107.183.238.186:443
> > > Thu Oct 27 12:11:32 2016 TLS: Initial packet from [AF_INET]107.183.238.186:443, sid=c8b24ffa a8737d61
> > > Thu Oct 27 12:11:32 2016 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
> > > Thu Oct 27 12:11:32 2016 Validating certificate key usage
> > > Thu Oct 27 12:11:32 2016 ++ Certificate has key usage 00a0, expects 00a0
> > > Thu Oct 27 12:11:32 2016 VERIFY KU OK
> > > Thu Oct 27 12:11:32 2016 Validating certificate extended key usage
> > > Thu Oct 27 12:11:32 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
> > > Thu Oct 27 12:11:32 2016 VERIFY EKU OK
> > > Thu Oct 27 12:11:32 2016 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
> > > Thu Oct 27 12:11:36 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
> > > Thu Oct 27 12:11:36 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> > > Thu Oct 27 12:11:36 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
> > > Thu Oct 27 12:11:36 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> > > Thu Oct 27 12:11:36 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
> > > Thu Oct 27 12:11:36 2016 [server] Peer Connection Initiated with [AF_INET]107.183.238.186:443
> > > Thu Oct 27 12:11:39 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
> > > Thu Oct 27 12:11:39 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.17.25 255.255.0.0'
> > > Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: timers and/or timeouts modified
> > > Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: LZO parms modified
> > > Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: --ifconfig/up options modified
> > > Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: route options modified
> > > Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: route-related options modified
> > > Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
> > > Thu Oct 27 12:11:39 2016 ROUTE_GATEWAY 192.168.0.1
> > > Thu Oct 27 12:11:39 2016 TUN/TAP device tun10 exists previously, keep at program end
> > > Thu Oct 27 12:11:39 2016 TUN/TAP device /dev/tun10 opened
> > > Thu Oct 27 12:11:39 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
> > > Thu Oct 27 12:11:39 2016 /sbin/ifconfig tun10 10.4.17.25 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
> > > Thu Oct 27 12:11:39 2016 /sbin/route add -net 10.4.0.0 10.4.17.25 255.255.0.0
> > > route: writing to routing socket: Network is unreachable
> > > add net 10.4.0.0: gateway 10.4.17.25 fib 1: Network is unreachable
> > > Thu Oct 27 12:11:39 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
> > > Thu Oct 27 12:11:44 2016 /sbin/route add -net 107.183.238.186 192.168.0.1 255.255.255.255
> > > add net 107.183.238.186: gateway 192.168.0.1 fib 1
> > > Thu Oct 27 12:11:44 2016 /sbin/route add -net 0.0.0.0 10.4.0.1 128.0.0.0
> > > route: writing to routing socket: Network is unreachable
> > > add net 0.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
> > > Thu Oct 27 12:11:44 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
> > > Thu Oct 27 12:11:44 2016 /sbin/route add -net 128.0.0.0 10.4.0.1 128.0.0.0
> > > route: writing to routing socket: Network is unreachable
> > > add net 128.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
> > > Thu Oct 27 12:11:44 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
> > > Thu Oct 27 12:11:44 2016 Initialization Sequence Completed
> > >
> > > The routes are failing to add and the VPN is not configured properly in
> > > the end.
> > >
> > > My routing table now. We can see that the VPN did not configure
> > > properly. The desired behavior is that it would set the VPN to be the
> > > default gateway and route all traffic over it, but only for FIB 1.
> > >
> > > # setfib 1 netstat -rn
> > > Routing tables (fib: 1)
> > >
> > > Internet:
> > > Destination          Gateway            Flags     Netif Expire
> > > default              192.168.0.1        UGS       ue0
> > > 107.183.238.186/32   192.168.0.1        UGS       ue0
> > > 127.0.0.1            lo0                UHS       lo0
> > > 192.168.0.0/24       b8:27:eb:fd:22:10  US        ue0
> > >
> > > Internet6:
> > > Destination        Gateway            Flags     Netif Expire
> > > ::/96              ::1                UGRS      lo0
> > > ::1                lo0                UHS       lo0
> > > ::ffff:0.0.0.0/96  ::1                UGRS      lo0
> > > fe80::/10          ::1                UGRS      lo0
> > > fe80::%lo0/64      link#1             U         lo0
> > > ff02::/16          ::1                UGRS      lo0
> > >
> > > Is this a bug or have I missed something?
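As an added example (not code from the thread or from OpenVPN), the workaround Ultima describes can be automated: let OpenVPN skip its own ifconfig/route calls and have an --up script re-issue the same commands seen in the log with the fib made explicit. It assumes OpenVPN is started with --ifconfig-noexec --route-noexec --script-security 2 --setenv VPN_FIB 1 --up <script>, and that the variables dev, ifconfig_local, ifconfig_netmask, route_vpn_gateway, route_net_gateway and trusted_ip come from OpenVPN's script environment; the DRY_RUN switch and script path are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): an OpenVPN --up script for FreeBSD that
# re-issues the ifconfig/route commands from the log with the fib made explicit,
# because ifconfig ignores setfib on tun interfaces.
# Assumed invocation: openvpn --config x.ovpn --ifconfig-noexec --route-noexec
#   --script-security 2 --setenv VPN_FIB 1 --up /usr/local/etc/openvpn/fib-up.sh
# dev, ifconfig_local, ifconfig_netmask, route_vpn_gateway, route_net_gateway
# and trusted_ip are taken from OpenVPN's script environment.

FIB="${VPN_FIB:-1}"        # target fib; 1 as in the thread
DRY_RUN="${DRY_RUN:-0}"    # 1 = print the commands instead of executing them

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# net_of ADDR MASK -> network address, e.g. 10.4.17.25 255.255.0.0 -> 10.4.0.0
net_of() {
    set -- $(printf '%s %s' "$1" "$2" | tr . ' ')
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# vpn_up DEV LOCAL NETMASK VPN_GW NET_GW PEER
# Mirrors what OpenVPN 2.4 ran in the log, but inside $FIB only.
vpn_up() {
    dev_="$1"; local_="$2"; mask_="$3"; vpn_gw_="$4"; net_gw_="$5"; peer_="$6"
    # Explicit fib: under plain setfib the tun address ends up in fib 0 and
    # every later "route add" in fib 1 fails with "Network is unreachable".
    run ifconfig "$dev_" "$local_" "$vpn_gw_" mtu 1500 netmask "$mask_" fib "$FIB" up
    # Tunnel subnet route (a point-to-point ifconfig only adds the peer host route).
    run setfib "$FIB" route add -net "$(net_of "$local_" "$mask_")" "$vpn_gw_" "$mask_"
    # Keep the VPN server reachable through the physical default gateway.
    run setfib "$FIB" route add -net "$peer_" "$net_gw_" 255.255.255.255
    # redirect-gateway def1: two half-default routes override the old default.
    run setfib "$FIB" route add -net 0.0.0.0 "$vpn_gw_" 128.0.0.0
    run setfib "$FIB" route add -net 128.0.0.0 "$vpn_gw_" 128.0.0.0
}

# OpenVPN sets script_type=up when it calls the --up script; sourcing or
# testing the file leaves it unset, so nothing is executed then.
if [ "${script_type:-}" = "up" ]; then
    vpn_up "$dev" "$ifconfig_local" "$ifconfig_netmask" \
           "$route_vpn_gateway" "$route_net_gateway" "$trusted_ip"
fi
```

Running it with DRY_RUN=1 and the values from the log prints the five commands instead of executing them, which is a quick way to confirm the fib number before pointing OpenVPN at the script.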