Weird route while using OpenVPN in OPNsense

herakles
OpenVpn Newbie
Posts: 3
Joined: Thu Sep 16, 2021 8:43 am

Weird route while using OpenVPN in OPNsense

Post by herakles » Thu Sep 16, 2021 8:58 am

Hi!

This post is duplicated in the OPNsense Forum at https://forum.opnsense.org/index.php?ac ... ic=24762.0. I am posting it here as well, as I do not know whether this problem originates from OPNsense or OpenVPN, so please be gracious regarding this "double post".

I am using OpenVPN in OPNsense in such a way that I have an external VPN server that OPNsense connects to. OPNsense acts as a router inside a LAN and provides this LAN to other OpenVPN clients.

What I see on OPNsense is the following routing table while being connected to the OpenVPN Server:

Code:

root@OPNsense:~ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.178.1      UGS        igb1
8.8.4.4            192.168.178.1      UGHS       igb1
10.8.0.0/24        10.8.0.1           UGS      ovpnc1
10.8.0.0&0xa080001 10.8.0.1           UGS      ovpnc1
10.8.0.1           link#8             UH       ovpnc1
10.8.0.10          link#8             UHS         lo0
127.0.0.1          link#5             UH          lo0
192.168.2.0/24     link#3             U          igb2
192.168.2.1        link#3             UHS         lo0
192.168.123.0/24   link#1             U          igb0
192.168.123.1      link#1             UHS         lo0
192.168.178.0/24   link#2             U          igb1
192.168.178.1      00:0d:b9:5a:0e:69  UHS        igb1
192.168.178.39     link#2             UHS         lo0

The problematic route is:

Code:

10.8.0.0&0xa080001 10.8.0.1           UGS      ovpnc1

This results in certain addresses being misrouted. Take for example IP addresses from 142.x.x.x to 143.x.x.x, which as a result will be misrouted to the VPN, although they should take the default route.

I do not know why this route is created. On a Windows client, I do not see this route, only on the OPNsense machine.

This is the OpenVPN client config on the OPNsense machine:

Code:

root@OPNsense:~ # cat /var/etc/openvpn/client1.conf
dev ovpnc1
verb 3
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local 192.168.178.39
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote x.x.x.x yyyyy
auth-user-pass /var/etc/openvpn/client1.up
ca /var/etc/openvpn/client1.ca
comp-lzo adaptive

And this is the OpenVPN server config:

Code:

X@Y:~$ cat /etc/openvpn/server.conf
client-to-client
topology subnet
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.123.0 255.255.255.0"
push "dhcp-option DNS 192.168.123.1"
push "dhcp-option WINS 192.168.123.10"

route 192.168.123.0 255.255.255.0

dev tun

management 127.0.0.1 1195

server 10.8.0.0 255.255.255.0

dh /etc/openvpn/dh3072.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key

client-config-dir /etc/openvpn/ccd

max-clients 20

comp-lzo

persist-tun
persist-key

verb 3

keepalive 10 60
reneg-sec 0

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
client-cert-not-required
username-as-common-name
#duplicate-cn

status /tmp/ovpn_status_2_result 30
status-version 2
proto udp
port yyyyy
cipher AES-256-CBC
auth SHA512

mssfix 1431

How can I get rid of this route?

Best regards and thanks in advance,
Dennis
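
Added example, not part of herakles's post: FreeBSD's `netstat -rn` prints a destination as `net&0xMASK` when the mask is not a contiguous prefix, and the sketch below works out which addresses such a route catches and flags the `ifconfig ... netmask 10.8.0.1` call from the client log posted later in this thread (10.8.0.1 is 0x0a080001). The function names are made up for this illustration.

```python
import ipaddress
import re

# Destination column exactly as shown in the netstat -rn output above.
ODD_ROUTE = "10.8.0.0&0xa080001"

# Two commands copied from the client log posted later in this thread
# (timestamp and process fields dropped).
CLIENT_LOG = """\
/sbin/ifconfig ovpnc1 10.8.0.10 10.8.0.1 mtu 1500 netmask 10.8.0.1 up
/sbin/route add -net 10.8.0.0 10.8.0.1 10.8.0.1
"""

IFCONFIG_RE = re.compile(r"ifconfig\s+(\S+)\s.*?\bnetmask\s+(\d+(?:\.\d+){3})")


def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_destination(dest):
    """Turn a netstat -rn destination into (network, mask) integers."""
    if dest == "default":
        return 0, 0
    if "&" in dest:  # net&0xMASK: the mask is not a prefix
        net, mask = dest.split("&", 1)
        return ip_to_int(net), int(mask, 16)
    if "/" in dest:
        network = ipaddress.IPv4Network(dest)
        return int(network.network_address), int(network.netmask)
    return ip_to_int(dest), 0xFFFFFFFF  # host route


def is_prefix_mask(mask):
    """True when the set bits form one contiguous run from the top bit."""
    inverted = ~mask & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def route_matches(addr, dest):
    """True when addr satisfies (addr & mask) == (net & mask)."""
    net, mask = parse_destination(dest)
    return (ip_to_int(addr) & mask) == (net & mask)


def matching_first_octets(dest):
    """First octets (0-255) that can satisfy the route's mask."""
    net, mask = parse_destination(dest)
    top_mask = mask >> 24
    top_net = (net & mask) >> 24
    return [o for o in range(256) if (o & top_mask) == top_net]


def matched_address_count(dest):
    """Number of IPv4 addresses the route matches (2 ** free bits)."""
    _, mask = parse_destination(dest)
    return 1 << (32 - bin(mask).count("1"))


def odd_netmasks(log_text):
    """Return (interface, netmask) for ifconfig calls with a non-prefix netmask."""
    hits = []
    for line in log_text.splitlines():
        m = IFCONFIG_RE.search(line)
        if m and not is_prefix_mask(ip_to_int(m.group(2))):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    net, mask = parse_destination(ODD_ROUTE)
    print(f"mask 0x{mask:08x} is a prefix mask: {is_prefix_mask(mask)}")
    print("addresses matched:", matched_address_count(ODD_ROUTE),
          "vs", matched_address_count("10.8.0.0/24"), "for 10.8.0.0/24")
    print("first octets matched:", matching_first_octets(ODD_ROUTE))
    # Sample destinations constructed for this example.
    for addr in ("142.250.8.2", "142.250.8.3", "143.204.1.10", "8.8.4.4"):
        print(addr, "matches odd route:", route_matches(addr, ODD_ROUTE))
    print("ifconfig calls with a non-prefix netmask:", odd_netmasks(CLIENT_LOG))
```
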

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Weird route while using OpenVPN in OPNsense

Post by TinCanTech » Thu Sep 16, 2021 1:09 pm


herakles
OpenVpn Newbie
Posts: 3
Joined: Thu Sep 16, 2021 8:43 am

Re: Weird route while using OpenVPN in OPNsense

Post by herakles » Mon Sep 20, 2021 12:16 pm

Hi!

This post is duplicated in the OPNsense Forum at https://forum.opnsense.org/index.php?ac ... ic=24762.0. I am posting it here as well, as I do not know whether this problem originates from OPNsense or OpenVPN, so please be gracious regarding this "double post".

I am using OpenVPN in OPNsense in such a way that I have an external VPN server that OPNsense connects to. OPNsense acts as a router inside a LAN and provides this LAN to other OpenVPN clients.

What I see on OPNsense is the following routing table while being connected to the OpenVPN Server:

Code:

root@OPNsense:~ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.178.1      UGS        igb1
8.8.4.4            192.168.178.1      UGHS       igb1
10.8.0.0/24        10.8.0.1           UGS      ovpnc1
10.8.0.0&0xa080001 10.8.0.1           UGS      ovpnc1
10.8.0.1           link#8             UH       ovpnc1
10.8.0.10          link#8             UHS         lo0
127.0.0.1          link#5             UH          lo0
192.168.2.0/24     link#3             U          igb2
192.168.2.1        link#3             UHS         lo0
192.168.123.0/24   link#1             U          igb0
192.168.123.1      link#1             UHS         lo0
192.168.178.0/24   link#2             U          igb1
192.168.178.1      00:0d:b9:5a:0e:69  UHS        igb1
192.168.178.39     link#2             UHS         lo0

The problematic route is this one:

Code:

10.8.0.0&0xa080001 10.8.0.1           UGS      ovpnc1

This results in certain addresses being misrouted. Take for example IP addresses from 142.x.x.x to 143.x.x.x, which as a result will be misrouted to the VPN, although they should take the default route.

I do not know why this route is created. On a Windows client, I do not see this route, only on the OPNsense machine.

This is the OpenVPN client config on the OPNsense machine:

client

root@OPNsense:~ # cat /var/etc/openvpn/client1.conf
dev ovpnc1
verb 3
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local 192.168.178.39
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote x.x.x.x yyyyy
auth-user-pass /var/etc/openvpn/client1.up
ca /var/etc/openvpn/client1.ca
comp-lzo adaptive
verb 4


And this is the OpenVPN server config:

server

client-to-client
topology subnet
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.123.0 255.255.255.0"
push "dhcp-option DNS 192.168.123.1"
push "dhcp-option WINS 192.168.123.10"

route 192.168.123.0 255.255.255.0

dev tun

management 127.0.0.1 1195

server 10.8.0.0 255.255.255.0

dh /etc/openvpn/dh3072.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key

client-config-dir /etc/openvpn/ccd

max-clients 20

comp-lzo

persist-tun
persist-key

verb 3

keepalive 10 60
reneg-sec 0

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
verify-client-cert none
username-as-common-name
#duplicate-cn

status /tmp/ovpn_status_2_result 30
status-version 2
proto udp
port yyyyy
cipher AES-256-CBC
auth SHA512

mssfix 1431
verb 4


These are the logfiles. First the client-logfile:

Code:

2021-09-20T13:36:45	openvpn[56034]	WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2021-09-20T13:36:45	openvpn[56034]	DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.	 
2021-09-20T13:36:45	openvpn[56034]	WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible	 
2021-09-20T13:36:45	openvpn[56034]	OpenVPN 2.5.3 amd64-portbld-freebsd12.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 22 2021	 
2021-09-20T13:36:45	openvpn[56034]	library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10	 
2021-09-20T13:36:45	openvpn[99375]	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock	 
2021-09-20T13:36:45	openvpn[99375]	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.	 
2021-09-20T13:36:45	openvpn[99375]	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts	 
2021-09-20T13:36:45	openvpn[99375]	TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:yyyyy
2021-09-20T13:36:45	openvpn[99375]	Socket Buffers: R=[42080->42080] S=[57344->57344]
2021-09-20T13:36:45	openvpn[99375]	UDP link local (bound): [AF_INET]192.168.178.39:0	 
2021-09-20T13:36:45	openvpn[99375]	UDP link remote: [AF_INET]x.x.x.x:yyyyy	 
2021-09-20T13:36:45	openvpn[99375]	TLS: Initial packet from [AF_INET]x.x.x.x:yyyyy, sid=e47a5967 1be52043	 
2021-09-20T13:36:45	openvpn[99375]	VERIFY OK: depth=1, C=TW, L=Taipei, O=Synology Inc., CN=Synology Inc. CA	 
2021-09-20T13:36:45	openvpn[99375]	VERIFY OK: depth=0, C=TW, L=Taipei, O=Synology Inc., CN=synology.com	 
2021-09-20T13:36:45	openvpn[99375]	Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256	 
2021-09-20T13:36:45	openvpn[99375]	[synology.com] Peer Connection Initiated with [AF_INET]x.x.x.x:yyyyy
2021-09-20T13:36:46	openvpn[99375]	SENT CONTROL [synology.com]: 'PUSH_REQUEST' (status=1)	 
2021-09-20T13:36:46	openvpn[99375]	PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,dhcp-option DNS 192.168.123.1,dhcp-option WINS 192.168.123.10,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.0.10 10.8.0.1,peer-id 0,cipher AES-256-GCM'	 
2021-09-20T13:36:46	openvpn[99375]	OPTIONS IMPORT: timers and/or timeouts modified	 
2021-09-20T13:36:46	openvpn[99375]	OPTIONS IMPORT: --ifconfig/up options modified	 
2021-09-20T13:36:46	openvpn[99375]	OPTIONS IMPORT: route options modified	 
2021-09-20T13:36:46	openvpn[99375]	OPTIONS IMPORT: route-related options modified	 
2021-09-20T13:36:46	openvpn[99375]	OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified	 
2021-09-20T13:36:46	openvpn[99375]	OPTIONS IMPORT: peer-id set	 	
2021-09-20T13:36:46	openvpn[99375]	OPTIONS IMPORT: adjusting link_mtu to 1625	 
2021-09-20T13:36:46	openvpn[99375]	OPTIONS IMPORT: data channel crypto options modified	 
2021-09-20T13:36:46	openvpn[99375]	Data Channel: using negotiated cipher 'AES-256-GCM'	 	
2021-09-20T13:36:46	openvpn[99375]	Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key	 
2021-09-20T13:36:46	openvpn[99375]	Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-09-20T13:36:46	openvpn[99375]	Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key	 
2021-09-20T13:36:46	openvpn[99375]	ROUTE_GATEWAY 192.168.178.1/255.255.255.0 IFACE=igb1 HWADDR=aa:bb:cc:dd:ee:ff
2021-09-20T13:36:46	openvpn[99375]	TUN/TAP device ovpnc1 exists previously, keep at program end	 
2021-09-20T13:36:46	openvpn[99375]	TUN/TAP device /dev/tun1 opened	 
2021-09-20T13:36:46	openvpn[99375]	/sbin/ifconfig ovpnc1 10.8.0.10 10.8.0.1 mtu 1500 netmask 10.8.0.1 up	 
2021-09-20T13:36:46	openvpn[99375]	/sbin/route add -net 10.8.0.0 10.8.0.1 10.8.0.1	 
2021-09-20T13:36:46	openvpn[99375]	/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpnc1 1500 1553 10.8.0.10 10.8.0.1 init	 
2021-09-20T13:36:47	openvpn[99375]	/sbin/route add -net 10.8.0.0 10.8.0.1 255.255.255.0	 
2021-09-20T13:36:47	openvpn[99375]	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this	 
2021-09-20T13:36:47	openvpn[99375]	Initialization Sequence Completed	 
2021-09-20T13:36:47	openvpn[99375]	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock	 
2021-09-20T13:36:47	openvpn[99375]	MANAGEMENT: CMD 'state all'	 
2021-09-20T13:36:47	openvpn[99375]	MANAGEMENT: CMD 'status 2'	 
2021-09-20T13:36:47	openvpn[99375]	MANAGEMENT: Client disconnected	 
2021-09-20T13:37:00	openvpn[99375]	event_wait : Interrupted system call (code=4)	 
2021-09-20T13:37:00	openvpn[99375]	/sbin/route delete -net 10.8.0.0 10.8.0.1 255.255.255.0	 
2021-09-20T13:37:00	openvpn[99375]	Closing TUN/TAP interface	 
2021-09-20T13:37:00	openvpn[99375]	/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown ovpnc1 1500 1553 10.8.0.10 10.8.0.1 init	 
2021-09-20T13:37:02	openvpn[99375]	SIGTERM[hard,] received, process exiting

Then the server-logfile:

Code:

Sep 20 13:36:34 server systemd[1]: Starting OpenVPN service...
Sep 20 13:36:34 server systemd[1]: Starting OpenVPN connection to client...
Sep 20 13:36:34 server systemd[1]: Starting OpenVPN connection to server...
Sep 20 13:36:34 server systemd[1]: Started OpenVPN service.
Sep 20 13:36:34 server ovpn-server[20755]: WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate
Sep 20 13:36:34 server ovpn-server[20755]: Current Parameter Settings:
Sep 20 13:36:34 server ovpn-client[20754]: Options error: --cert fails with 'client.crt': No such file or directory
Sep 20 13:36:34 server ovpn-server[20755]:   config = '/etc/openvpn/server.conf'
Sep 20 13:36:34 server ovpn-server[20755]:   mode = 1
Sep 20 13:36:34 server ovpn-server[20755]:   persist_config = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   persist_mode = 1
Sep 20 13:36:34 server ovpn-server[20755]:   show_ciphers = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   show_digests = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   show_engines = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   genkey = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   key_pass_file = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   show_tls_ciphers = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   connect_retry_max = 0
Sep 20 13:36:34 server ovpn-server[20755]: Connection profiles [0]:
Sep 20 13:36:34 server ovpn-server[20755]:   proto = udp
Sep 20 13:36:34 server ovpn-server[20755]:   local = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   local_port = 'yyyyy'
Sep 20 13:36:34 server ovpn-server[20755]:   remote = '[UNDEF]'
Sep 20 13:36:34 server systemd[1]: openvpn@client.service: Control process exited, code=exited status=1
Sep 20 13:36:34 server ovpn-server[20755]:   remote_port = 'yyyyy'
Sep 20 13:36:34 server systemd[1]: Failed to start OpenVPN connection to client.
Sep 20 13:36:34 server ovpn-server[20755]:   remote_float = DISABLED
Sep 20 13:36:34 server systemd[1]: openvpn@client.service: Unit entered failed state.
Sep 20 13:36:34 server ovpn-server[20755]:   bind_defined = DISABLED
Sep 20 13:36:34 server systemd[1]: openvpn@client.service: Failed with result 'exit-code'.
Sep 20 13:36:34 server ovpn-server[20755]:   bind_local = ENABLED
Sep 20 13:36:34 server systemd[1]: openvpn@server.service: PID file /run/openvpn/server.pid not readable (yet?) after start: No such file or directory
Sep 20 13:36:34 server ovpn-server[20755]:   bind_ipv6_only = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   connect_retry_seconds = 5
Sep 20 13:36:34 server ovpn-server[20755]:   connect_timeout = 120
Sep 20 13:36:34 server ovpn-server[20755]:   socks_proxy_server = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   socks_proxy_port = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   tun_mtu = 1500
Sep 20 13:36:34 server ovpn-server[20755]:   tun_mtu_defined = ENABLED
Sep 20 13:36:34 server systemd[1]: Started OpenVPN connection to server.
Sep 20 13:36:34 server ovpn-server[20755]:   link_mtu = 1500
Sep 20 13:36:34 server ovpn-server[20755]:   link_mtu_defined = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   tun_mtu_extra = 0
Sep 20 13:36:34 server ovpn-server[20755]:   tun_mtu_extra_defined = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   mtu_discover_type = -1
Sep 20 13:36:34 server ovpn-server[20755]:   fragment = 0
Sep 20 13:36:34 server ovpn-server[20755]:   mssfix = 1431
Sep 20 13:36:34 server ovpn-server[20755]:   explicit_exit_notification = 0
Sep 20 13:36:34 server ovpn-server[20755]: Connection profiles END
Sep 20 13:36:34 server ovpn-server[20755]:   remote_random = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   ipchange = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   dev = 'tun'
Sep 20 13:36:34 server ovpn-server[20755]:   dev_type = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   dev_node = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   lladdr = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   topology = 3
Sep 20 13:36:34 server ovpn-server[20755]:   ifconfig_local = '10.8.0.1'
Sep 20 13:36:34 server ovpn-server[20755]:   ifconfig_remote_netmask = '255.255.255.0'
Sep 20 13:36:34 server ovpn-server[20755]:   ifconfig_noexec = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   ifconfig_nowarn = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   ifconfig_ipv6_local = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   ifconfig_ipv6_netbits = 0
Sep 20 13:36:34 server ovpn-server[20755]:   ifconfig_ipv6_remote = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   shaper = 0
Sep 20 13:36:34 server ovpn-server[20755]:   mtu_test = 0
Sep 20 13:36:34 server ovpn-server[20755]:   mlock = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   keepalive_ping = 10
Sep 20 13:36:34 server ovpn-server[20755]:   keepalive_timeout = 60
Sep 20 13:36:34 server ovpn-server[20755]:   inactivity_timeout = 0
Sep 20 13:36:34 server ovpn-server[20755]:   ping_send_timeout = 10
Sep 20 13:36:34 server ovpn-server[20755]:   ping_rec_timeout = 120
Sep 20 13:36:34 server ovpn-server[20755]:   ping_rec_timeout_action = 2
Sep 20 13:36:34 server ovpn-server[20755]:   ping_timer_remote = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   remap_sigusr1 = 0
Sep 20 13:36:34 server ovpn-server[20755]:   persist_tun = ENABLED
Sep 20 13:36:34 server ovpn-server[20755]:   persist_local_ip = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   persist_remote_ip = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   persist_key = ENABLED
Sep 20 13:36:34 server ovpn-server[20755]:   passtos = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   resolve_retry_seconds = 1000000000
Sep 20 13:36:34 server ovpn-server[20755]:   resolve_in_advance = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   username = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   groupname = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   chroot_dir = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   cd_dir = '/etc/openvpn'
Sep 20 13:36:34 server ovpn-server[20755]:   writepid = '/run/openvpn/server.pid'
Sep 20 13:36:34 server ovpn-server[20755]:   up_script = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   down_script = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   down_pre = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   up_restart = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   up_delay = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   daemon = ENABLED
Sep 20 13:36:34 server ovpn-server[20755]:   inetd = 0
Sep 20 13:36:34 server ovpn-server[20755]:   log = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   suppress_timestamps = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   machine_readable_output = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   nice = 0
Sep 20 13:36:34 server ovpn-server[20755]:   verbosity = 4
Sep 20 13:36:34 server ovpn-server[20755]:   mute = 0
Sep 20 13:36:34 server ovpn-server[20755]:   gremlin = 0
Sep 20 13:36:34 server ovpn-server[20755]:   status_file = '/tmp/ovpn_status_2_result'
Sep 20 13:36:34 server ovpn-server[20755]:   status_file_version = 2
Sep 20 13:36:34 server ovpn-server[20755]:   status_file_update_freq = 30
Sep 20 13:36:34 server ovpn-server[20755]:   occ = ENABLED
Sep 20 13:36:34 server ovpn-server[20755]:   rcvbuf = 0
Sep 20 13:36:34 server ovpn-server[20755]:   sndbuf = 0
Sep 20 13:36:34 server ovpn-server[20755]:   mark = 0
Sep 20 13:36:34 server ovpn-server[20755]:   sockflags = 0
Sep 20 13:36:34 server ovpn-server[20755]:   fast_io = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   comp.alg = 2
Sep 20 13:36:34 server ovpn-server[20755]:   comp.flags = 1
Sep 20 13:36:34 server ovpn-server[20755]:   route_script = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   route_default_gateway = '10.8.0.2'
Sep 20 13:36:34 server ovpn-server[20755]:   route_default_metric = 0
Sep 20 13:36:34 server ovpn-server[20755]:   route_noexec = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   route_delay = 0
Sep 20 13:36:34 server ovpn-server[20755]:   route_delay_window = 30
Sep 20 13:36:34 server ovpn-server[20755]:   route_delay_defined = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   route_nopull = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   route_gateway_via_dhcp = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   allow_pull_fqdn = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   route 192.168.123.0/255.255.255.0/default (not set)/default (not set)
Sep 20 13:36:34 server ovpn-server[20755]:   management_addr = '127.0.0.1'
Sep 20 13:36:34 server ovpn-server[20755]:   management_port = '1195'
Sep 20 13:36:34 server ovpn-server[20755]:   management_user_pass = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   management_log_history_cache = 250
Sep 20 13:36:34 server ovpn-server[20755]:   management_echo_buffer_size = 100
Sep 20 13:36:34 server ovpn-server[20755]:   management_write_peer_info_file = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   management_client_user = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   management_client_group = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   management_flags = 0
Sep 20 13:36:34 server ovpn-server[20755]:   plugin[0] /usr/lib/openvpn/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn/openvpn-plugin-auth-pam.so] [login]'
Sep 20 13:36:34 server ovpn-server[20755]:   shared_secret_file = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   key_direction = 0
Sep 20 13:36:34 server ovpn-server[20755]:   ciphername = 'AES-256-CBC'
Sep 20 13:36:34 server ovpn-server[20755]:   ncp_enabled = ENABLED
Sep 20 13:36:34 server ovpn-server[20755]:   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Sep 20 13:36:34 server ovpn-server[20755]:   authname = 'SHA512'
Sep 20 13:36:34 server ovpn-server[20755]:   prng_hash = 'SHA1'
Sep 20 13:36:34 server ovpn-server[20755]:   prng_nonce_secret_len = 16
Sep 20 13:36:34 server ovpn-server[20755]:   keysize = 0
Sep 20 13:36:34 server ovpn-server[20755]:   engine = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   replay = ENABLED
Sep 20 13:36:34 server ovpn-server[20755]:   mute_replay_warnings = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   replay_window = 64
Sep 20 13:36:34 server ovpn-server[20755]:   replay_time = 15
Sep 20 13:36:34 server ovpn-server[20755]:   packet_id_file = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   use_iv = ENABLED
Sep 20 13:36:34 server ovpn-server[20755]:   test_crypto = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   tls_server = ENABLED
Sep 20 13:36:34 server ovpn-server[20755]:   tls_client = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   key_method = 2
Sep 20 13:36:34 server ovpn-server[20755]:   ca_file = '/etc/openvpn/ca.crt'
Sep 20 13:36:34 server ovpn-server[20755]:   ca_path = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   dh_file = '/etc/openvpn/dh3072.pem'
Sep 20 13:36:34 server ovpn-server[20755]:   cert_file = '/etc/openvpn/server.crt'
Sep 20 13:36:34 server ovpn-server[20755]:   extra_certs_file = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   priv_key_file = '/etc/openvpn/server.key'
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs12_file = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   cipher_list = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   tls_verify = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   tls_export_cert = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   verify_x509_type = 0
Sep 20 13:36:34 server ovpn-server[20755]:   verify_x509_name = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   crl_file = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   ns_cert_type = 0
Sep 20 13:36:34 server ovpn-server[20755]:   remote_cert_ku[i] = 0
Sep 20 13:36:34 server ovpn-server[20755]:   remote_cert_ku[i] = 0
Sep 20 13:36:34 server ovpn-server[20755]:   remote_cert_ku[i] = 0
Sep 20 13:36:34 server ovpn-server[20755]:   remote_cert_ku[i] = 0
Sep 20 13:36:34 server ovpn-server[20755]:   remote_cert_ku[i] = 0
Sep 20 13:36:34 server ovpn-server[20755]:   remote_cert_ku[i] = 0
Sep 20 13:36:34 server ovpn-server[20755]:   remote_cert_ku[i] = 0
Sep 20 13:36:34 server ovpn-server[20755]:   remote_cert_ku[i] = 0
Sep 20 13:36:34 server ovpn-server[20755]:   remote_cert_ku[i] = 0
Sep 20 13:36:34 server ovpn-server[20755]:   remote_cert_ku[i] = 0
Sep 20 13:36:34 server ovpn-server[20755]:   remote_cert_ku[i] = 0
Sep 20 13:36:34 server ovpn-server[20755]:   remote_cert_ku[i] = 0
Sep 20 13:36:34 server ovpn-server[20755]:   remote_cert_ku[i] = 0
Sep 20 13:36:34 server ovpn-server[20755]:   remote_cert_ku[i] = 0
Sep 20 13:36:34 server ovpn-server[20755]:   remote_cert_ku[i] = 0
Sep 20 13:36:34 server ovpn-server[20755]:   remote_cert_ku[i] = 0
Sep 20 13:36:34 server ovpn-server[20755]:   remote_cert_eku = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   ssl_flags = 5
Sep 20 13:36:34 server ovpn-server[20755]:   tls_timeout = 2
Sep 20 13:36:34 server ovpn-server[20755]:   renegotiate_bytes = -1
Sep 20 13:36:34 server ovpn-server[20755]:   renegotiate_packets = 0
Sep 20 13:36:34 server ovpn-server[20755]:   renegotiate_seconds = 0
Sep 20 13:36:34 server ovpn-server[20755]:   handshake_window = 60
Sep 20 13:36:34 server ovpn-server[20755]:   transition_window = 3600
Sep 20 13:36:34 server ovpn-server[20755]:   single_session = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   push_peer_info = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   tls_exit = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   tls_auth_file = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   tls_crypt_file = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_protected_authentication = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_protected_authentication = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_protected_authentication = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_protected_authentication = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_protected_authentication = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_protected_authentication = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_protected_authentication = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_protected_authentication = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_protected_authentication = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_protected_authentication = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_protected_authentication = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_protected_authentication = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_protected_authentication = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_protected_authentication = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_protected_authentication = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_protected_authentication = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_private_mode = 00000000
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_private_mode = 00000000
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_private_mode = 00000000
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_private_mode = 00000000
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_private_mode = 00000000
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_private_mode = 00000000
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_private_mode = 00000000
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_private_mode = 00000000
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_private_mode = 00000000
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_private_mode = 00000000
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_private_mode = 00000000
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_private_mode = 00000000
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_private_mode = 00000000
Sep 20 13:36:34 server ovpn-client[20754]: WARNING: cannot stat file 'client.key': No such file or directory (errno=2)
Sep 20 13:36:34 server ovpn-client[20754]: Options error: --key fails with 'client.key': No such file or directory
Sep 20 13:36:34 server ovpn-client[20754]: WARNING: cannot stat file 'ta.key': No such file or directory (errno=2)
Sep 20 13:36:34 server ovpn-client[20754]: Options error: --tls-auth fails with 'ta.key': No such file or directory
Sep 20 13:36:34 server ovpn-client[20754]: Options error: Please correct these errors.
Sep 20 13:36:34 server ovpn-client[20754]: Use --help for more information.
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_private_mode = 00000000
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_private_mode = 00000000
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_private_mode = 00000000
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_cert_private = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_cert_private = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_cert_private = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_cert_private = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_cert_private = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_cert_private = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_cert_private = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_cert_private = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_cert_private = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_cert_private = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_cert_private = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_cert_private = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_cert_private = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_cert_private = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_cert_private = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_cert_private = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_pin_cache_period = -1
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_id = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   pkcs11_id_management = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   server_network = 10.8.0.0
Sep 20 13:36:34 server ovpn-server[20755]:   server_netmask = 255.255.255.0
Sep 20 13:36:34 server ovpn-server[20755]:   server_network_ipv6 = ::
Sep 20 13:36:34 server ovpn-server[20755]:   server_netbits_ipv6 = 0
Sep 20 13:36:34 server ovpn-server[20755]:   server_bridge_ip = 0.0.0.0
Sep 20 13:36:34 server ovpn-server[20755]:   server_bridge_netmask = 0.0.0.0
Sep 20 13:36:34 server ovpn-server[20755]:   server_bridge_pool_start = 0.0.0.0
Sep 20 13:36:34 server ovpn-server[20755]:   server_bridge_pool_end = 0.0.0.0
Sep 20 13:36:34 server ovpn-server[20755]:   push_entry = 'route 10.8.0.0 255.255.255.0'
Sep 20 13:36:34 server ovpn-server[20755]:   push_entry = 'route 192.168.123.0 255.255.255.0'
Sep 20 13:36:34 server ovpn-server[20755]:   push_entry = 'dhcp-option DNS 192.168.123.1'
Sep 20 13:36:34 server ovpn-server[20755]:   push_entry = 'dhcp-option WINS 192.168.123.10'
Sep 20 13:36:34 server ovpn-server[20755]:   push_entry = 'route-gateway 10.8.0.1'
Sep 20 13:36:34 server ovpn-server[20755]:   push_entry = 'topology subnet'
Sep 20 13:36:34 server ovpn-server[20755]:   push_entry = 'ping 10'
Sep 20 13:36:34 server ovpn-server[20755]:   push_entry = 'ping-restart 60'
Sep 20 13:36:34 server ovpn-server[20755]:   ifconfig_pool_defined = ENABLED
Sep 20 13:36:34 server ovpn-server[20755]:   ifconfig_pool_start = 10.8.0.2
Sep 20 13:36:34 server ovpn-server[20755]:   ifconfig_pool_end = 10.8.0.253
Sep 20 13:36:34 server ovpn-server[20755]:   ifconfig_pool_netmask = 255.255.255.0
Sep 20 13:36:34 server ovpn-server[20755]:   ifconfig_pool_persist_filename = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   ifconfig_pool_persist_refresh_freq = 600
Sep 20 13:36:34 server ovpn-server[20755]:   ifconfig_ipv6_pool_defined = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   ifconfig_ipv6_pool_base = ::
Sep 20 13:36:34 server ovpn-server[20755]:   ifconfig_ipv6_pool_netbits = 0
Sep 20 13:36:34 server ovpn-server[20755]:   n_bcast_buf = 256
Sep 20 13:36:34 server ovpn-server[20755]:   tcp_queue_limit = 64
Sep 20 13:36:34 server ovpn-server[20755]:   real_hash_size = 256
Sep 20 13:36:34 server ovpn-server[20755]:   virtual_hash_size = 256
Sep 20 13:36:34 server ovpn-server[20755]:   client_connect_script = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   learn_address_script = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   client_disconnect_script = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   client_config_dir = '/etc/openvpn/ccd'
Sep 20 13:36:34 server ovpn-server[20755]:   ccd_exclusive = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   tmp_dir = '/tmp'
Sep 20 13:36:34 server ovpn-server[20755]:   push_ifconfig_defined = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   push_ifconfig_local = 0.0.0.0
Sep 20 13:36:34 server ovpn-server[20755]:   push_ifconfig_remote_netmask = 0.0.0.0
Sep 20 13:36:34 server ovpn-server[20755]:   push_ifconfig_ipv6_defined = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   push_ifconfig_ipv6_local = ::/0
Sep 20 13:36:34 server ovpn-server[20755]:   push_ifconfig_ipv6_remote = ::
Sep 20 13:36:34 server ovpn-server[20755]:   enable_c2c = ENABLED
Sep 20 13:36:34 server ovpn-server[20755]:   duplicate_cn = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   cf_max = 0
Sep 20 13:36:34 server ovpn-server[20755]:   cf_per = 0
Sep 20 13:36:34 server ovpn-server[20755]:   max_clients = 20
Sep 20 13:36:34 server ovpn-server[20755]:   max_routes_per_client = 256
Sep 20 13:36:34 server ovpn-server[20755]:   auth_user_pass_verify_script = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   auth_user_pass_verify_script_via_file = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   auth_token_generate = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   auth_token_lifetime = 0
Sep 20 13:36:34 server ovpn-server[20755]:   port_share_host = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   port_share_port = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]:   client = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   pull = DISABLED
Sep 20 13:36:34 server ovpn-server[20755]:   auth_user_pass_file = '[UNDEF]'
Sep 20 13:36:34 server ovpn-server[20755]: OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 14 2018
Sep 20 13:36:34 server ovpn-server[20755]: library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Sep 20 13:36:34 server ovpn-server[20761]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1195
Sep 20 13:36:34 server ovpn-server[20761]: PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Sep 20 13:36:34 server ovpn-server[20761]: Diffie-Hellman initialized with 3072 bit key
Sep 20 13:36:34 server ovpn-server[20761]: TLS-Auth MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sep 20 13:36:34 server ovpn-server[20761]: ROUTE_GATEWAY x.x.x.x/255.255.255.192 IFACE=eth0 HWADDR=aa:bb:cc:dd:ee:ff
Sep 20 13:36:34 server ovpn-server[20761]: TUN/TAP device tun0 opened
Sep 20 13:36:34 server ovpn-server[20761]: TUN/TAP TX queue length set to 100
Sep 20 13:36:34 server ovpn-server[20761]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sep 20 13:36:34 server ovpn-server[20761]: /sbin/ip link set dev tun0 up mtu 1500
Sep 20 13:36:34 server ovpn-server[20761]: /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Sep 20 13:36:34 server ovpn-server[20761]: /sbin/ip route add 192.168.123.0/24 via 10.8.0.2
Sep 20 13:36:34 server ovpn-server[20761]: Data Channel MTU parms [ L:1622 D:1431 EF:122 EB:406 ET:0 EL:3 ]
Sep 20 13:36:34 server ovpn-server[20761]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Sep 20 13:36:34 server ovpn-server[20761]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Sep 20 13:36:34 server ovpn-server[20761]: UDPv4 link local (bound): [AF_INET][undef]:yyyyy
Sep 20 13:36:34 server ovpn-server[20761]: UDPv4 link remote: [AF_UNSPEC]
Sep 20 13:36:34 server ovpn-server[20761]: MULTI: multi_init called, r=256 v=256
Sep 20 13:36:34 server ovpn-server[20761]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Sep 20 13:36:34 server ovpn-server[20761]: Initialization Sequence Completed
Sep 20 13:36:45 server ovpn-server[20761]: MULTI: multi_create_instance called
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 Re-using SSL/TLS context
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 LZO compression initializing
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 Data Channel MTU parms [ L:1622 D:1431 EF:122 EB:406 ET:0 EL:3 ]
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 TLS: Initial packet from [AF_INET]z.z.z.z:31195, sid=eb676579 8f3e5862
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 peer info: IV_VER=2.5.3
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 peer info: IV_PLAT=freebsd
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 peer info: IV_PROTO=6
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 peer info: IV_NCP=2
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 peer info: IV_LZ4=1
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 peer info: IV_LZ4v2=1
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 peer info: IV_LZO=1
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 peer info: IV_COMP_STUB=1
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 peer info: IV_COMP_STUBv2=1
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 peer info: IV_TCPNL=1
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 TLS: Username/Password authentication succeeded for username 'opnsense_router' [CN SET]
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Sep 20 13:36:45 server ovpn-server[20761]: z.z.z.z:31195 [opnsense_router] Peer Connection Initiated with [AF_INET]z.z.z.z:31195
Sep 20 13:36:45 server ovpn-server[20761]: opnsense_router/z.z.z.z:31195 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/opnsense_router
Sep 20 13:36:45 server ovpn-server[20761]: opnsense_router/z.z.z.z:31195 MULTI: Learn: 10.8.0.10 -> opnsense_router/z.z.z.z:31195
Sep 20 13:36:45 server ovpn-server[20761]: opnsense_router/z.z.z.z:31195 MULTI: primary virtual IP for opnsense_router/z.z.z.z:31195: 10.8.0.10
Sep 20 13:36:45 server ovpn-server[20761]: opnsense_router/z.z.z.z:31195 MULTI: internal route 192.168.123.0/24 -> opnsense_router/z.z.z.z:31195
Sep 20 13:36:45 server ovpn-server[20761]: opnsense_router/z.z.z.z:31195 MULTI: Learn: 192.168.123.0/24 -> opnsense_router/z.z.z.z:31195
Sep 20 13:36:45 server ovpn-server[20761]: opnsense_router/z.z.z.z:31195 REMOVE PUSH ROUTE: 'route 192.168.123.0 255.255.255.0'
Sep 20 13:36:46 server ovpn-server[20761]: opnsense_router/z.z.z.z:31195 PUSH: Received control message: 'PUSH_REQUEST'
Sep 20 13:36:46 server ovpn-server[20761]: opnsense_router/z.z.z.z:31195 SENT CONTROL [opnsense_router]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,dhcp-option DNS 192.168.123.1,dhcp-option WINS 192.168.123.10,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.0.10 10.8.0.1,peer-id 0,cipher AES-256-GCM' (status=1)
Sep 20 13:36:46 server ovpn-server[20761]: opnsense_router/z.z.z.z:31195 Data Channel MTU parms [ L:1550 D:1431 EF:50 EB:406 ET:0 EL:3 ]
Sep 20 13:36:46 server ovpn-server[20761]: opnsense_router/z.z.z.z:31195 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 20 13:36:46 server ovpn-server[20761]: opnsense_router/z.z.z.z:31195 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 20 13:36:47 server ovpn-server[20761]: opnsense_router/z.z.z.z:31195 MULTI: bad source address from client [::], packet dropped
Sep 20 13:36:47 server ovpn-server[20761]: opnsense_router/z.z.z.z:31195 MULTI: bad source address from client [::], packet dropped
Sep 20 13:36:47 server ovpn-server[20761]: opnsense_router/z.z.z.z:31195 MULTI: bad source address from client [::], packet dropped
Sep 20 13:37:08 server ovpn-server[20761]: event_wait : Interrupted system call (code=4)
Sep 20 13:37:08 server ovpn-server[20761]: TCP/UDP: Closing socket
Sep 20 13:37:08 server ovpn-server[20761]: /sbin/ip route del 192.168.123.0/24
Sep 20 13:37:08 server systemd[1]: Stopping OpenVPN connection to server...
Sep 20 13:37:08 server systemd[1]: Stopped OpenVPN service.
Sep 20 13:37:08 server ovpn-server[20761]: Closing TUN/TAP interface
Sep 20 13:37:08 server ovpn-server[20761]: /sbin/ip addr del dev tun0 10.8.0.1/24
Sep 20 13:37:08 server ovpn-server[20761]: PLUGIN_CLOSE: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
Sep 20 13:37:08 server ovpn-server[20761]: SIGTERM[hard,] received, process exiting
Sep 20 13:37:08 server systemd[1]: Stopped OpenVPN connection to server.

How can I get rid of this route?

Best regards and thanks in advance,
Dennis

Re: Weird route while using OpenVPN in OPNsense

Post by herakles » Wed Sep 22, 2021 7:44 am

Solution found!

I had client-based scripts activated for those that connect to the server; check the following directive in the server config:

Code: Select all

client-config-dir /etc/openvpn/ccd

The problem was that the file for the specific client that made this mistake had this information:

Code: Select all

ifconfig-push 10.8.0.10 10.8.0.1

This is wrong, as ifconfig-push expects the netmask as second parameter, not the server-IP.

So the problem was related to the open space in between chair and monitor and nowhere else.

Thanks to everyone who has had some thoughts on this weird problem.

All the best,
Dennis
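
An added example, not part of the original posts: a small check for `ifconfig-push` lines in a CCD file, showing that 10.8.0.1 read as a 32-bit mask is 0xa080001, the value in the route `10.8.0.0&0xa080001` from the first post. The function names are hypothetical, `topology subnet` is assumed as in the server log, and the corrected line with 255.255.255.0 is an assumption taken from `server_netmask` in that log.

```python
import ipaddress

def mask_bits(value):
    """Return the dotted quad as a 32-bit int, or None if it is not an IPv4 literal."""
    try:
        return int(ipaddress.IPv4Address(value))
    except ValueError:
        return None

def is_contiguous_netmask(value):
    """True when the set bits of the dotted quad are all leading (a usable netmask)."""
    bits = mask_bits(value)
    if not bits:
        return False
    inverted = ~bits & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def lint_ccd(text, server_network, server_netmask):
    """Check ifconfig-push lines of one CCD file, assuming 'topology subnet'.

    Returns a list of (line_number, message) findings; an empty list means clean.
    """
    pool = ipaddress.IPv4Network(f"{server_network}/{server_netmask}")
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0] != "ifconfig-push":
            continue  # blank lines, comments and other directives
        if len(parts) < 3:
            findings.append((number, "ifconfig-push needs a local address and a netmask"))
            continue
        local, second = parts[1], parts[2]
        if not is_contiguous_netmask(second):
            bits = mask_bits(second)
            shown = hex(bits) if bits is not None else "not an IPv4 literal"
            findings.append((number, f"second argument {second} is not a netmask ({shown})"))
        elif second != server_netmask:
            findings.append((number, f"netmask {second} differs from server netmask {server_netmask}"))
        if mask_bits(local) is not None and ipaddress.IPv4Address(local) not in pool:
            findings.append((number, f"{local} is outside {pool}"))
    return findings

if __name__ == "__main__":
    # Constructed CCD contents: the line from the post, then the corrected form.
    for sample in ("ifconfig-push 10.8.0.10 10.8.0.1", "ifconfig-push 10.8.0.10 255.255.255.0"):
        print(sample, "->", lint_ccd(sample, "10.8.0.0", "255.255.255.0") or "ok")
```

Run it against each file under the `client-config-dir` before restarting the server; the line from the post is reported, the corrected one is not.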
