TAP Device with no gateway

Official client software for OpenVPN Access Server and OpenVPN Cloud.
plumbersmate
OpenVpn Newbie
Posts: 7
Joined: Fri Jun 25, 2021 7:38 pm

TAP Device with no gateway

Post by plumbersmate » Fri Jun 25, 2021 8:16 pm

Hi there

I have OpenVPN server on a Raspberry Pi. It allows my mobile phone to connect without any problem.

I created keys etc for my Windows 10 laptop with OpenVPN Connect. I am using the same ovpn file as used on the phone.

I find that when it connects it reports:
ovpnagent: request error

The log shows that the auto-generated script that configures the tap net adapter shows this:
"gateway" : "UNSPEC",

POST np://[\\.\pipe\agent_ovpnconnect]/tun-setup : 400 Bad Request
ip_exception: error parsing tunnel_addresses[0].gateway IP address 'UNSPEC' : An invalid argument was supplied.
[Jun 25, 2021, 21:11:01] TUN Error: ovpnagent: request error


Is there something missing from my client or server config files?
Let me know if you need me to post any other info.

Thank you in advance.

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: TAP Device with no gateway

Post by openvpn_inc » Mon Jun 28, 2021 12:21 pm

Hello plumbersmate,

In order to investigate this further, please contact us at https://openvpn.net/support and send logs of your connection attempts that show this problem. Also please let us know the exact version of OpenVPN Connect being used.

However there is just one thing I want to point out and that is that with OpenVPN generally you do not specify a gateway for the TAP adapter. Instead you set up routes that redirect traffic to the IP address of the VPN server's internal gateway address, reachable through the client's TAP adapter.

However such an error message deserves investigation and as such we'd like to see more, but we'd rather do that over a secure channel.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Re: TAP Device with no gateway

Post by plumbersmate » Wed Aug 11, 2021 10:38 pm

Thank you for your offer of looking into this problem.

The version of OpenVPN I am using is:

openvpn-connect-3.3.1.2222_signed.msi

Note this line in the log, which I think may be significant:

"gateway" : "UNSPEC",

My log is:

[Aug 11, 2021, 23:19:57] OpenVPN core 3.git::98bf7f7f win x86_64 64-bit built on Jun 14 2021 09:02:16
[Aug 11, 2021, 23:19:57] Frame=512/2048/512 mssfix-ctrl=1250
[Aug 11, 2021, 23:19:57] UNUSED OPTIONS
10 [dev-node] [VPNTap]
[Aug 11, 2021, 23:19:57] EVENT: RESOLVE [Aug 11, 2021, 23:19:57] Contacting 2.90.34.179:61111 via UDP
[Aug 11, 2021, 23:19:57] EVENT: WAIT [Aug 11, 2021, 23:19:57] WinCommandAgent: transmitting bypass route to 2.90.34.179
{
	"host" : "2.90.34.179",
	"ipv6" : false
}

[Aug 11, 2021, 23:19:57] Connecting to [mydomain.com]:61111 (2.90.34.179) via UDPv4
[Aug 11, 2021, 23:19:57] EVENT: CONNECTING [Aug 11, 2021, 23:19:57] Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client
[Aug 11, 2021, 23:19:57] Creds: UsernameEmpty/PasswordEmpty
[Aug 11, 2021, 23:19:57] Peer Info:
IV_VER=3.git::98bf7f7f
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
IV_AUTO_SESS=1
IV_GUI_VER=OCWindows_3.3.1-2222
IV_SSO=openurl,crtext

[Aug 11, 2021, 23:19:57] SSL Handshake: peer certificate: CN=tweedyfarm, 2048 bit RSA, cipher: TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD

[Aug 11, 2021, 23:19:57] Session is ACTIVE
[Aug 11, 2021, 23:19:57] EVENT: GET_CONFIG [Aug 11, 2021, 23:19:57] Sending PUSH_REQUEST to server...
[Aug 11, 2021, 23:19:57] OPTIONS:
0 [topology] [subnet]
1 [route] [172.33.250.0] [255.255.255.0]
2 [ping] [10]
3 [ping-restart] [60]
4 [ifconfig] [173.67.230.2] [255.255.255.0]
5 [peer-id] [0]
6 [cipher] [AES-256-GCM]

[Aug 11, 2021, 23:19:57] PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: NONE
  key-derivation: OpenVPN PRF
  compress: NONE
  peer ID: 0
  control channel: tls-crypt enabled
[Aug 11, 2021, 23:19:57] EVENT: ASSIGN_IP [Aug 11, 2021, 23:19:57] CAPTURED OPTIONS:
Session Name: mydomain.com
Layer: OSI_LAYER_3
Remote Address: 2.90.34.179
Tunnel Addresses:
  173.67.230.2/24 -> UNSPEC
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv6: no
Add Routes:
  172.33.250.0/24
Exclude Routes:
DNS Servers:
Search Domains:

[Aug 11, 2021, 23:19:57] SetupClient: transmitting tun setup list to \\.\pipe\agent_ovpnconnect
{
	"confirm_event" : "b410000000000000",
	"destroy_event" : "8410000000000000",
	"tun" : 
	{
		"adapter_domain_suffix" : "",
		"add_routes" : 
		[
			{
				"address" : "172.33.250.0",
				"gateway" : "",
				"ipv6" : false,
				"metric" : -1,
				"net30" : false,
				"prefix_length" : 24
			}
		],
		"block_ipv6" : false,
		"layer" : 3,
		"mtu" : 0,
		"remote_address" : 
		{
			"address" : "2.90.34.179",
			"ipv6" : false
		},
		"reroute_gw" : 
		{
			"flags" : 256,
			"ipv4" : false,
			"ipv6" : false
		},
		"route_metric_default" : -1,
		"session_name" : "mydomain.com",
		"tunnel_address_index_ipv4" : 0,
		"tunnel_address_index_ipv6" : -1,
		"tunnel_addresses" : 
		[
			{
				"address" : "173.67.230.2",
				"gateway" : "UNSPEC",
				"ipv6" : false,
				"metric" : -1,
				"net30" : false,
				"prefix_length" : 24
			}
		]
	},
	"wintun" : false
}
POST np://[\\.\pipe\agent_ovpnconnect]/tun-setup : 400 Bad Request
ip_exception: error parsing tunnel_addresses[0].gateway IP address 'UNSPEC' : An invalid argument was supplied.
[Aug 11, 2021, 23:19:57] TUN Error: ovpnagent: request error
[Aug 11, 2021, 23:19:57] EVENT: TUN_SETUP_FAILED ovpnagent: request error[Aug 11, 2021, 23:19:57] EVENT: DISCONNECTED [Aug 11, 2021, 23:19:57] Client exception in transport_recv: tun_exception: not connected

My client ovpn file:

proto udp4
dev tun
remote-cert-eku "TLS Web Server Authentication"
remote amazed.myddns.me 61111
remote-cert-tls server
cipher AES-256-GCM
ca           ca.crt
cert         laptop.crt
key          laptop.key
tls-crypt    ta.key

Re: TAP Device with no gateway

Post by plumbersmate » Thu Aug 19, 2021 5:00 pm

I got branched off to the commercial OpenVPN site. Then was told that's not for me as I am using the Community openvpn.

So, is there someone here who can help?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TAP Device with no gateway

Post by TinCanTech » Thu Aug 19, 2021 5:55 pm

plumbersmate wrote (Fri Jun 25, 2021 8:16 pm):
Windows 10 laptop with OpenVPN Connect

plumbersmate wrote (Thu Aug 19, 2021 5:00 pm):
I got branched off to the commercial OpenVPN site. Then was told that's not for me as I am using the Community openvpn.

According to your post you are using the Corporate version of Openvpn-Connect.

Re: TAP Device with no gateway

Post by plumbersmate » Thu Dec 16, 2021 12:37 am

I am still trying to resolve this problem.
Would really appreciate any help as I have spent hours trying to resolve this, I just cannot find out why it is not working.
I am now using Windows OpenVPN version 3.3.3

Re: TAP Device with no gateway

Post by openvpn_inc » Fri Dec 17, 2021 4:03 pm

Hi Mate,

You are using the proprietary ("corporate") OpenVPN Connect client. It's fully compatible with any OpenVPN server including community openvpn.

Did you open a ticket as Johan asked? Please share the last 3 digits of the ticket number here so we can be sure to see it.

Thanks and regards, rob0

Re: TAP Device with no gateway

Post by plumbersmate » Sun Dec 19, 2021 8:35 pm

Dear Rob
I did open a ticket as requested, the ticket ending is 151
I was told:
"The issue you are describing appears to be related to the OpenVPN open source community version. I am sorry for the inconvenience, but unfortunately, I cannot help you here.
This support ticket system is for customers of our OpenVPN Access Server and OpenVPN Cloud products only, the commercial solutions based on OpenVPN."

I seem to be going around in circles.

Re: TAP Device with no gateway

Post by TinCanTech » Sun Dec 19, 2021 8:50 pm

plumbersmate wrote (Sun Dec 19, 2021 8:35 pm):
I was told:
"The issue you are describing appears to be related to the OpenVPN open source community version. I am sorry for the inconvenience, but unfortunately, I cannot help you here.
This support ticket system is for customers of our OpenVPN Access Server and OpenVPN Cloud products only, the commercial solutions based on OpenVPN."

If that is the best they can do then ...

How is this Community Related?

ipaqmaster
OpenVpn Newbie
Posts: 1
Joined: Sun May 14, 2023 3:13 am

Re: TAP Device with no gateway

Post by ipaqmaster » Sun May 14, 2023 3:57 am

Signed up to leave a comment which will save others from troubleshooting this problem in future. Please see my solution for this issue in the last paragraph.

In general, the OpenVPN community forum troubleshooting experience is immensely frustrating with the sheer amount of times you search an issue online and the first result is a thread from this forum where either there's no answer in X years, or more frequently, TinCanTech shutting down a question for any number of reasons - often citing relevance.

You moderators know you can move threads in phpBB, right? Instead, this thread is the first search engine result for anyone experiencing gateway=UNSPEC problems on the OpenVPN Connect Windows client. Like MANY other top-result troubleshooting threads on this cursed forum the last reply is **frequently** a "get lost" remark due to somebody posting a thread in the wrong section (or whichever excuse we would like to pick to avoid acknowledging the problem). Don't bother moving the thread to a more relevant section, just let it become the FIRST RESULT INDEXED for when people search for this problem so they can hit a dead end immediately. Even the creator of this thread was asking for help multiple times as there's no decent documentation for this kind of hiccup unless you are already an expert in this field. The number of threads on the OpenVPN forum here that end up unanswered, dismissed and *the first search engine result for any specific problem* is way too damn high. Frankly it's an embarrassing and unacceptable state to have the forum in so frequently :(

-------------

@plumbersmate I'm sorry this comment is likely too late to help you now but I'm leaving my experience with this error and the solution I came up with because this is way better than this dead unanswered thread being the top result when people go looking for help. This should be a permitted bump because it makes this first google result potentially useful to somebody now.

Onto discussing the actual problem - Identically as @plumbersmate, all our OpenVPN clients both mobile and PC have zero issues, but the OpenVPN Connect client for Windows throws the exact same error you experienced.

I am configuring OpenVPN Connect 3.7.7.2979 with an existing OpenVPN 2.6.3 Community server for one of our business clients. In our case, our OpenVPN server (community) is pushing `redirect-gateway def1` to all clients - Despite OpenVPN Connect being the superior and pretty client with a nice UI for users **This is not enough** - In fact you could even label this as an OpenVPN Connect bug as it should be seeing `def1` and filling the gateway JSON field itself based on that push. Alas, it does not.

What is happening here is that OpenVPN Connect is building a JSON array of server information for it to pipe into the OpenVPN process it runs for tunnel configuration to occur post-connection. Even with your OpenVPN 2.6.3 server pushing `redirect-gateway def1` this is **not enough** for OpenVPN Connect to take the hint and it fills in the "gateway" JSON field with the string "UNSPEC". As a result, and per your logs, you can see the pipe failing as it gets upset trying to interpret "gateway": "UNSPEC" which obviously doesn't fly with a "400 Bad Request" error thrown locally.

It gets worse - If one reads the man page for OpenVPN you'll see that you can push `route-gateway dhcp` or `route-gateway gateway` as well (Even just as a contingency) but OpenVPN Connect errors when you use `dhcp` too taking the string literally which is a bit of a facepalm. Yet another incompatibility / misnomer in its behaviour.

Finally, I found that setting `push route-gateway 10.55.0.1` (Use your own OpenVPN server's gateway IP, not this example IP) is enough to rectify this problem for OpenVPN Connect clients, this sets the "gateway" JSON to that IP, and it parses correctly internally for further configuration. I hope somebody finds this information helpful if they run into this problem in future, OpenVPN Connect explicitly expects a gateway IP to be set or it will fill it in with "UNSPEC" then promptly get upset when it tries to use that.

Best of luck!
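
An added example, not part of the thread or of OpenVPN's own code: a Python check that pulls the tun-setup JSON out of an OpenVPN Connect log and flags `tunnel_addresses` entries whose `gateway` is not an IP literal, the condition behind the `400 Bad Request` in the logs above. The sample log is constructed with documentation addresses, and all function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample modelled on the log in this thread; addresses are placeholders.
SAMPLE_LOG = r'''[ts] SetupClient: transmitting tun setup list to \\.\pipe\agent_ovpnconnect
{
  "tun" : {
    "add_routes" : [ { "address" : "192.0.2.0", "gateway" : "", "prefix_length" : 24 } ],
    "tunnel_addresses" : [
      { "address" : "198.51.100.2", "gateway" : "UNSPEC", "prefix_length" : 24 }
    ]
  }
}
POST np://[\\.\pipe\agent_ovpnconnect]/tun-setup : 400 Bad Request
'''
MARKER = "transmitting tun setup list"

def extract_tun_setups(log_text):
    """Return every JSON object that follows a 'tun setup list' log line."""
    decoder = json.JSONDecoder()
    setups, pos = [], 0
    while (pos := log_text.find(MARKER, pos)) != -1:
        start = log_text.find("{", pos)
        if start == -1:
            break
        try:
            obj, pos = decoder.raw_decode(log_text, start)
            setups.append(obj)
        except json.JSONDecodeError:
            pos = start + 1  # truncated or garbled block: skip it, keep scanning
    return setups

def bad_gateways(setup):
    """(index, value) of tunnel_addresses gateways that are not IP literals.
    The thread only shows 'UNSPEC' rejected; flagging other non-IPs is an assumption."""
    bad = []
    for i, entry in enumerate(setup.get("tun", {}).get("tunnel_addresses", [])):
        gw = entry.get("gateway", "")
        try:
            ipaddress.ip_address(gw)
        except ValueError:
            bad.append((i, gw))
    return bad

def check_log(log_text):
    return [hit for s in extract_tun_setups(log_text) for hit in bad_gateways(s)]

if __name__ == "__main__":
    for idx, gw in check_log(SAMPLE_LOG):
        print(f"tunnel_addresses[{idx}].gateway={gw!r} is not an IP; per the post "
              'above, push "route-gateway <gateway IP>" from the server')
```

A log taken after the server pushes a real `route-gateway` address should produce no findings.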
