Date: Sun, 30 Apr 2017 21:18:04 -0700
From: bsd <bsd@stuckat99.com>
To: Ultima <ultima1252@gmail.com>
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Openvpn broken when using net.add_addr_allfibs=0, routes are not adding
Message-ID: <1493612284.1522295.961435048.6CBD69A6@webmail.messagingengine.com>
In-Reply-To: <CANJ8om5FiuYaqQ-U56ZytBAavz0YK3WK_98DJm1HK6DWJeBuXA@mail.gmail.com>
References: <1492564334.1388098.948742560.5E2E6A2A@webmail.messagingengine.com> <CANJ8om5ig9nudoD%2BAjEU72XqtB=-MvpjnKNygsp%2B3UVHBGLU0w@mail.gmail.com> <1493605733.1488526.961336144.23ECCC12@webmail.messagingengine.com> <CANJ8om5FiuYaqQ-U56ZytBAavz0YK3WK_98DJm1HK6DWJeBuXA@mail.gmail.com>
Hi,

Thanks for helping me track down the issue. I tried all of the ifconfig
commands and manually added fib 1 to each one and everything worked. I
will post a bugzilla report. :) This was driving me nuts.

On Sun, Apr 30, 2017, at 08:47 PM, Ultima wrote:
> > Thu Mar 30 19:26:40 2017 /sbin/ifconfig tun0 10.4.17.25 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
>
> ifconfig is not respecting setfib on tun interfaces. Manually adding
> fib 1 at the end of the command above will properly add it to the
> correct fib. I suggest posting a bug on bugzilla about this.
>
> This also is occurring on head r317574.
>
> On Sun, Apr 30, 2017 at 10:28 PM, bsd <bsd@stuckat99.com> wrote:
>> Hello,
>>
>> I tried adding an ip for fib 1 and I am having the same results.
>>
>> My routing table before adding any IP's
>>
>> setfib 1 netstat -rn
>>
>> Internet:
>> Destination        Gateway            Flags     Netif Expire
>> 127.0.0.1          lo0                UHS       lo0
>>
>> Internet6:
>> Destination        Gateway            Flags     Netif Expire
>> ::/96              ::1                UGRS      lo0
>> ::1                lo0                UHS       lo0
>> ::ffff:0.0.0.0/96  ::1                UGRS      lo0
>> fe80::/10          ::1                UGRS      lo0
>> fe80::%lo0/64      link#3             U         lo0
>> ff02::/16          ::1                UGRS      lo0
>>
>> Adding an IP for fib 1, and adding the route and gateway
>>
>> ifconfig em0 inet 192.168.0.140/24 add fib 1
>> setfib 1 route add -net 192.168.0.0/24 -iface em0
>> setfib 1 route add default 192.168.0.1
>>
>> My routing table now
>>
>> setfib 1 netstat -rn
>> Routing tables (fib: 1)
>>
>> Internet:
>> Destination        Gateway            Flags     Netif Expire
>> default            192.168.0.1        UGS       em0
>> 127.0.0.1          lo0                UHS       lo0
>> 192.168.0.0/24     00:1d:09:7d:e4:d6  US        em0
>> 192.168.0.140      link#1             UHS       lo0
>>
>> Internet6:
>> Destination        Gateway            Flags     Netif Expire
>> ::/96              ::1                UGRS      lo0
>> ::1                lo0                UHS       lo0
>> ::ffff:0.0.0.0/96  ::1                UGRS      lo0
>> fe80::/10          ::1                UGRS      lo0
>> fe80::%lo0/64      link#3             U         lo0
>> ff02::/16          ::1                UGRS      lo0
>>
>> A ping test for good measure
>>
>> ping -c 2 google.com
>> PING google.com (172.217.11.78): 56 data bytes
>> 64 bytes from 172.217.11.78: icmp_seq=0 ttl=55 time=27.301 ms
>> 64 bytes from 172.217.11.78: icmp_seq=1 ttl=55 time=20.904 ms
>>
>> --- google.com ping statistics ---
>> 2 packets transmitted, 2 packets received, 0.0% packet loss
>> round-trip min/avg/max/stddev = 20.904/24.102/27.301/3.198 ms
>>
>> What happens when I test the vpn
>>
>> setfib 1 openvpn myvpn.ovpn
>>
>> Thu Mar 30 19:26:39 2017 OpenVPN 2.4.1 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Apr 29 2017
>> Thu Mar 30 19:26:39 2017 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
>> Thu Mar 30 19:26:39 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Mar 30 19:26:39 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Mar 30 19:26:39 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]107.183.238.186:443
>> Thu Mar 30 19:26:39 2017 Socket Buffers: R=[42080->42080] S=[9216->9216]
>> Thu Mar 30 19:26:39 2017 UDP link local: (not bound)
>> Thu Mar 30 19:26:39 2017 UDP link remote: [AF_INET]107.183.238.186:443
>> Thu Mar 30 19:26:39 2017 TLS: Initial packet from [AF_INET]107.183.238.186:443, sid=aba0890c 250effe8
>> Thu Mar 30 19:26:39 2017 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
>> Thu Mar 30 19:26:39 2017 VERIFY KU OK
>> Thu Mar 30 19:26:39 2017 Validating certificate extended key usage
>> Thu Mar 30 19:26:39 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
>> Thu Mar 30 19:26:39 2017 VERIFY EKU OK
>> Thu Mar 30 19:26:39 2017 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
>> Thu Mar 30 19:26:39 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
>> Thu Mar 30 19:26:39 2017 [server] Peer Connection Initiated with [AF_INET]107.183.238.186:443
>> Thu Mar 30 19:26:40 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
>> Thu Mar 30 19:26:40 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.17.25 255.255.0.0'
>> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: timers and/or timeouts modified
>> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: compression parms modified
>> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: --ifconfig/up options modified
>> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: route options modified
>> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: route-related options modified
>> Thu Mar 30 19:26:40 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
>> Thu Mar 30 19:26:40 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
>> Thu Mar 30 19:26:40 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Mar 30 19:26:40 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
>> Thu Mar 30 19:26:40 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Thu Mar 30 19:26:40 2017 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=em0 HWADDR=00:1d:09:7d:e4:d6
>> Thu Mar 30 19:26:40 2017 TUN/TAP device /dev/tun0 opened
>> Thu Mar 30 19:26:40 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
>> Thu Mar 30 19:26:40 2017 /sbin/ifconfig tun0 10.4.17.25 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
>> Thu Mar 30 19:26:40 2017 /sbin/route add -net 10.4.0.0 10.4.0.1 255.255.0.0
>> route: writing to routing socket: Network is unreachable
>> add net 10.4.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
>> Thu Mar 30 19:26:40 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>> Thu Mar 30 19:26:45 2017 /sbin/route add -net 107.183.238.186 192.168.0.1 255.255.255.255
>> add net 107.183.238.186: gateway 192.168.0.1 fib 1
>> Thu Mar 30 19:26:45 2017 /sbin/route add -net 0.0.0.0 10.4.0.1 128.0.0.0
>> route: writing to routing socket: Network is unreachable
>> add net 0.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
>> Thu Mar 30 19:26:45 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>> Thu Mar 30 19:26:45 2017 /sbin/route add -net 128.0.0.0 10.4.0.1 128.0.0.0
>> route: writing to routing socket: Network is unreachable
>> add net 128.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
>> Thu Mar 30 19:26:45 2017 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>> Thu Mar 30 19:26:45 2017 Initialization Sequence Completed
>>
>> Of course if I try this on fib 0 it works just fine and adds all the
>> routes.
>>
>> On Sat, Apr 22, 2017, at 09:05 PM, Ultima wrote:
>>> The problem to me looks to be because there is no ip address on fib
>>> 1, but I'm not sure how openvpn can initiate the connect to the vpn
>>> with no ip address. Try and ping something using fib 1. The result
>>> will probably be no route to host. Many of the route commands are
>>> failing in the openvpn log because of this. If a 192.168.0.0/24 ip
>>> is added to the fib, this should fix the problem.
>>>
>>> Hope this helps,
>>> Ultima
>>>
>>> On Tue, Apr 18, 2017 at 9:12 PM, bsd <bsd@stuckat99.com> wrote:
>>>> I am trying to use OpenVPN and multiple fibs on FreeBSD 11-p9. The
>>>> issue is, when I use net.add_addr_allfibs=0 instead of
>>>> net.add_addr_allfibs=1 in my /boot/loader.conf, OpenVPN fails to be
>>>> able to add the routes properly and the VPN will not function
>>>> properly.
>>>>
>>>> OpenVPN works 100% fine when I use net.add_addr_allfibs=1 but my
>>>> requirements need this to be set to 0 to turn off its behavior of
>>>> adding routes to all fibs.
>>>>
>>>> # /boot/loader.conf
>>>> net.fibs=3
>>>> net.add_addr_allfibs=0
>>>>
>>>> Since I am using net.add_addr_allfibs=0, I have a clean routing
>>>> table and I have to add the initial route and gateway for my router
>>>> manually to get fib 1 routable to the internet.
>>>>
>>>> # setfib 1 route add -net 192.168.0.0/24 -iface ue0
>>>> # setfib 1 route add default 192.168.0.1
>>>>
>>>> For some odd reason I must also bring up a tun device manually
>>>> otherwise OpenVPN cannot. I have set my config to use tun10 for
>>>> this test.
>>>>
>>>> # sysrc openvpn_if="tun10"
>>>> # ifconfig tun10 up
>>>>
>>>> My routing table before I start
>>>>
>>>> # setfib 1 netstat -rn
>>>> Routing tables (fib: 1)
>>>>
>>>> Internet:
>>>> Destination        Gateway            Flags     Netif Expire
>>>> default            192.168.0.1        UGS       ue0
>>>> 127.0.0.1          lo0                UHS       lo0
>>>> 192.168.0.0/24     b8:27:eb:fd:22:10  US        ue0
>>>>
>>>> Internet6:
>>>> Destination        Gateway            Flags     Netif Expire
>>>> ::/96              ::1                UGRS      lo0
>>>> ::1                lo0                UHS       lo0
>>>> ::ffff:0.0.0.0/96  ::1                UGRS      lo0
>>>> fe80::/10          ::1                UGRS      lo0
>>>> fe80::%lo0/64      link#1             U         lo0
>>>> ff02::/16          ::1                UGRS      lo0
>>>> [sean@rpi2 ~]$
>>>>
>>>> Let's try to connect OpenVPN
>>>>
>>>> # setfib 1 openvpn dallas.ovpn
>>>> Thu Oct 27 12:11:32 2016 OpenVPN 2.3.11 armv6-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 25 2016
>>>> Thu Oct 27 12:11:32 2016 library versions: OpenSSL 1.0.2j-freebsd 26 Sep 2016, LZO 2.09
>>>> Thu Oct 27 12:11:32 2016 Control Channel Authentication: tls-auth using INLINE static key file
>>>> Thu Oct 27 12:11:32 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
>>>> Thu Oct 27 12:11:32 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
>>>> Thu Oct 27 12:11:32 2016 Socket Buffers: R=[42080->42080] S=[9216->9216]
>>>> Thu Oct 27 12:11:32 2016 UDPv4 link local: [undef]
>>>> Thu Oct 27 12:11:32 2016 UDPv4 link remote: [AF_INET]107.183.238.186:443
>>>> Thu Oct 27 12:11:32 2016 TLS: Initial packet from [AF_INET]107.183.238.186:443, sid=c8b24ffa a8737d61
>>>> Thu Oct 27 12:11:32 2016 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
>>>> Thu Oct 27 12:11:32 2016 Validating certificate key usage
>>>> Thu Oct 27 12:11:32 2016 ++ Certificate has key usage 00a0, expects 00a0
>>>> Thu Oct 27 12:11:32 2016 VERIFY KU OK
>>>> Thu Oct 27 12:11:32 2016 Validating certificate extended key usage
>>>> Thu Oct 27 12:11:32 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
>>>> Thu Oct 27 12:11:32 2016 VERIFY EKU OK
>>>> Thu Oct 27 12:11:32 2016 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
>>>> Thu Oct 27 12:11:36 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
>>>> Thu Oct 27 12:11:36 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>>>> Thu Oct 27 12:11:36 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
>>>> Thu Oct 27 12:11:36 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>>>> Thu Oct 27 12:11:36 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
>>>> Thu Oct 27 12:11:36 2016 [server] Peer Connection Initiated with [AF_INET]107.183.238.186:443
>>>> Thu Oct 27 12:11:39 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
>>>> Thu Oct 27 12:11:39 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.17.25 255.255.0.0'
>>>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: timers and/or timeouts modified
>>>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: LZO parms modified
>>>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: --ifconfig/up options modified
>>>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: route options modified
>>>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: route-related options modified
>>>> Thu Oct 27 12:11:39 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
>>>> Thu Oct 27 12:11:39 2016 ROUTE_GATEWAY 192.168.0.1
>>>> Thu Oct 27 12:11:39 2016 TUN/TAP device tun10 exists previously, keep at program end
>>>> Thu Oct 27 12:11:39 2016 TUN/TAP device /dev/tun10 opened
>>>> Thu Oct 27 12:11:39 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
>>>> Thu Oct 27 12:11:39 2016 /sbin/ifconfig tun10 10.4.17.25 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
>>>> Thu Oct 27 12:11:39 2016 /sbin/route add -net 10.4.0.0 10.4.17.25 255.255.0.0
>>>> route: writing to routing socket: Network is unreachable
>>>> add net 10.4.0.0: gateway 10.4.17.25 fib 1: Network is unreachable
>>>> Thu Oct 27 12:11:39 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>>>> Thu Oct 27 12:11:44 2016 /sbin/route add -net 107.183.238.186 192.168.0.1 255.255.255.255
>>>> add net 107.183.238.186: gateway 192.168.0.1 fib 1
>>>> Thu Oct 27 12:11:44 2016 /sbin/route add -net 0.0.0.0 10.4.0.1 128.0.0.0
>>>> route: writing to routing socket: Network is unreachable
>>>> add net 0.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
>>>> Thu Oct 27 12:11:44 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>>>> Thu Oct 27 12:11:44 2016 /sbin/route add -net 128.0.0.0 10.4.0.1 128.0.0.0
>>>> route: writing to routing socket: Network is unreachable
>>>> add net 128.0.0.0: gateway 10.4.0.1 fib 1: Network is unreachable
>>>> Thu Oct 27 12:11:44 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
>>>> Thu Oct 27 12:11:44 2016 Initialization Sequence Completed
>>>>
>>>> The routes are failing to add and the VPN is not configured
>>>> properly in the end.
>>>>
>>>> My routing table now. We can see that the VPN did not configure
>>>> properly. The desired behavior is that it would set the VPN to be
>>>> the default gateway and route all traffic over it, but only for
>>>> FIB 1.
>>>>
>>>> # setfib 1 netstat -rn
>>>> Routing tables (fib: 1)
>>>>
>>>> Internet:
>>>> Destination        Gateway            Flags     Netif Expire
>>>> default            192.168.0.1        UGS       ue0
>>>> 107.183.238.186/32 192.168.0.1        UGS       ue0
>>>> 127.0.0.1          lo0                UHS       lo0
>>>> 192.168.0.0/24     b8:27:eb:fd:22:10  US        ue0
>>>>
>>>> Internet6:
>>>> Destination        Gateway            Flags     Netif Expire
>>>> ::/96              ::1                UGRS      lo0
>>>> ::1                lo0                UHS       lo0
>>>> ::ffff:0.0.0.0/96  ::1                UGRS      lo0
>>>> fe80::/10          ::1                UGRS      lo0
>>>> fe80::%lo0/64      link#1             U         lo0
>>>> ff02::/16          ::1                UGRS      lo0
>>>>
>>>> Is this a bug or have I missed something?
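As an added example that is not from the thread, OpenVPN or FreeBSD: a hypothetical `--up` script that applies Ultima's finding (append `fib N` to the tun ifconfig, run every route add under `setfib N`) when OpenVPN is started with `--ifconfig-noexec --route-noexec`, and ends with the `setfib N netstat -rn` check used in the thread. The `dev`, `ifconfig_*`, `tun_mtu`, `route_*_gateway`, `trusted_ip` and `script_type` names are the environment variables OpenVPN exports to scripts; `VPN_FIB`, `DRY_RUN` and the function names are this example's assumptions.

```shell
#!/bin/sh
# Hypothetical OpenVPN --up script (not from the thread) for a FreeBSD host
# running with net.add_addr_allfibs=0.  Start OpenVPN as
#   setfib 1 openvpn --config my.ovpn --ifconfig-noexec --route-noexec --up /path/to/this.sh
# so this script, not OpenVPN, runs ifconfig and route, each pinned to one FIB.
# dev, ifconfig_local, ifconfig_netmask, tun_mtu, route_vpn_gateway, route_net_gateway,
# trusted_ip and script_type are OpenVPN's script env vars; VPN_FIB is an assumption.
VPN_FIB="${VPN_FIB:-1}"

# Network address of ip/mask (10.4.17.25/255.255.0.0 -> 10.4.0.0), POSIX sh only.
net_of() {
    set -- $(echo "$1" | tr . ' ') $(echo "$2" | tr . ' ')
    echo "$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
}
# The ifconfig line OpenVPN itself would run, plus the trailing "fib N"
# the thread found missing: without it the tun address lands in FIB 0.
tun_ifconfig_cmd() {   # dev local gateway mtu netmask fib
    printf '/sbin/ifconfig %s %s %s mtu %s netmask %s up fib %s' "$1" "$2" "$3" "$4" "$5" "$6"
}
# One route add, scoped to a FIB with setfib(1) as in the thread.
fib_route_cmd() {      # fib dest gateway netmask
    printf 'setfib %s /sbin/route add -net %s %s %s\n' "$1" "$2" "$3" "$4"
}
# "redirect-gateway def1" inside one FIB: host route to the VPN server via
# the original gateway, then the two /1 routes via the VPN gateway.
def1_route_cmds() {    # fib vpn_gateway server_ip net_gateway
    fib_route_cmd "$1" "$3" "$4" 255.255.255.255
    fib_route_cmd "$1" 0.0.0.0 "$2" 128.0.0.0
    fib_route_cmd "$1" 128.0.0.0 "$2" 128.0.0.0
}
# Echo each command; execute it unless DRY_RUN is set.
run() { echo "+ $1"; [ -n "${DRY_RUN:-}" ] || eval "$1"; }

main() {
    : "${dev:?}" "${ifconfig_local:?}" "${ifconfig_netmask:?}" "${tun_mtu:?}" \
      "${route_vpn_gateway:?}" "${route_net_gateway:?}" "${trusted_ip:?}"
    run "$(tun_ifconfig_cmd "$dev" "$ifconfig_local" "$route_vpn_gateway" \
                            "$tun_mtu" "$ifconfig_netmask" "$VPN_FIB")"
    run "$(fib_route_cmd "$VPN_FIB" "$(net_of "$ifconfig_local" "$ifconfig_netmask")" \
                         "$route_vpn_gateway" "$ifconfig_netmask")"
    def1_route_cmds "$VPN_FIB" "$route_vpn_gateway" "$trusted_ip" "$route_net_gateway" |
        while read -r cmd; do run "$cmd"; done
    # Check that the tun address and the /1 routes really landed in this FIB.
    if [ -z "${DRY_RUN:-}" ]; then setfib "$VPN_FIB" netstat -rn; fi
}

# OpenVPN sets script_type=up when it invokes an --up script; sourced otherwise, nothing runs.
case "${script_type:-}" in up) main ;; esac
```

Set `DRY_RUN=1` in OpenVPN's environment first to see the exact commands before letting the script touch the routing tables.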