After client gets connected, cannot ping from client to server or vice versa (route added to the client machine)

WildCat
OpenVpn Newbie
Posts: 5
Joined: Mon Oct 11, 2021 12:21 am

After client gets connected, cannot ping from client to server or vice versa (route added to the client machine)

Post by WildCat » Mon Oct 11, 2021 12:32 am

Hello,

I'm setting up OpenVPN from WAN to LAN to access my home devices when I'm outside.

However, I'm stuck at this point: The client can connect to the OpenVPN server. However, the client cannot ping or access the server IP (either the IP assigned by OpenVPN or the actual LAN IP).

Here is my OpenVPN configuration (On OpenWRT):

Code:

config openvpn 'openvpn_server'
	option dev 'tun0'
	option topology 'subnet'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh1024.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option client_to_client '1'
	option remote_cert_tls 'client'
	option verb '3'
	option keepalive '10 120'
	option tls_auth '/etc/openvpn/ta.key 0'
	option persist_key '1'
	option persist_tun '1'
	option status '/tmp/openvpn-status.log'
	option script_security '2'
	option auth_user_pass_verify '/usr/bin/ovpnauth.sh via-file'
	option username_as_common_name '1'
	option proto 'tcp'
	option duplicate_cn '1'
	option enabled '1'
	option log '/var/log/openvpn.log'
	list push 'route-delay 10'
	list push 'dhcp-option DNS 10.8.0.1'
	list push 'route 10.8.0.0 255.255.255.0'
	list push 'route 192.168.3.0 255.255.255.0'
#	list push 'redirect-gateway def1' # No matter what it is, this server does not work
	option port '61289'

The client log:

Using `tcpdump -i tun0 icmp -n` or `tcpdump -i br-lan icmp -n` won't show any related traffic when pinging the server IP from the client:

Code:

➜  temp ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
^C
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
➜  temp ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 10.8.0.2 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

The client shows the route has been added:

Code:

➜  temp netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            172.20.10.1        UGScg          en0
10.8/24            10.8.0.2           UGSc        utun17
10.8.0.1           10.8.0.2           UH          utun17

# ifconfig output:
utun17: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 6000
	inet 10.8.0.2 --> 10.8.0.1 netmask 0xffffff00

The server `ifconfig` shows no traffic was received:

Code:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          inet6 addr: fe80::6de4:e29a:2e30:82f7/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:6610 (6.4 KiB)

Server firewall and route:

Code:

root@OpenWrt:~ # ip rule show; iptables-save -c | grep tun0
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_ovpntunzone_prerouting
[3:556] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_ovpntunzone_postrouting
[9:2991] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_ovpntunzone_input
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_ovpntunzone_forward
[14:3367] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_ovpntunzone_output
[0:0] -A zone_ovpntunzone_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[14:3367] -A zone_ovpntunzone_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[9:2991] -A zone_ovpntunzone_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT

root@OpenWrt:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0

Can anybody give me a hint? I've been debugging this for several weeks 😰

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: After client gets connected, cannot ping from client to server or vice versa (route added to the client machine)

Post by TinCanTech » Mon Oct 11, 2021 7:48 pm

WildCat wrote (Mon Oct 11, 2021 12:32 am):
The client log:

You forgot that log.

WildCat
OpenVpn Newbie
Posts: 5
Joined: Mon Oct 11, 2021 12:21 am

Re: After client gets connected, cannot ping from client to server or vice versa (route added to the client machine)

Post by WildCat » Wed Oct 13, 2021 3:13 pm

TinCanTech wrote (Mon Oct 11, 2021 7:48 pm):
WildCat wrote (Mon Oct 11, 2021 12:32 am):
The client log:
You forgot that log.

Thanks for the reminder! Looks like I cannot edit the original post anymore. Appending the client log here:

Code:

~ » sudo openvpn --config '/home/username/client.ovpn'                                          username@my-linux-machine
Oct 13 01:44:54 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
Oct 13 01:44:54 2021 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Enter Auth Username: myovpnusername
Enter Auth Password: *********               
Oct 13 01:44:58 2021 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 13 01:44:58 2021 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 13 01:44:58 2021 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 6000)
Oct 13 01:44:58 2021 TCP/UDP: Preserving recently used remote address: [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:44:58 2021 Socket Buffers: R=[131072->131072] S=[16384->16384]
Oct 13 01:44:58 2021 Attempting to establish TCP connection with [AF_INET][my_home_router_public_ip]:61289 [nonblock]
Oct 13 01:44:59 2021 TCP connection established with [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:44:59 2021 TCP_CLIENT link local: (not bound)
Oct 13 01:44:59 2021 TCP_CLIENT link remote: [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:44:59 2021 TLS: Initial packet from [AF_INET][my_home_router_public_ip]:61289, sid=d9b247b6 6307912b
Oct 13 01:44:59 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 13 01:45:00 2021 VERIFY OK: depth=1, O=LuCI, CN=OpenVPN CA
Oct 13 01:45:00 2021 VERIFY KU OK
Oct 13 01:45:00 2021 Validating certificate extended key usage
Oct 13 01:45:00 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 13 01:45:00 2021 VERIFY EKU OK
Oct 13 01:45:00 2021 VERIFY OK: depth=0, O=LuCI, CN=OpenVPN Server
Oct 13 01:45:00 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 6044', remote='link-mtu 1543'
Oct 13 01:45:00 2021 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 6000', remote='tun-mtu 1500'
Oct 13 01:45:00 2021 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Oct 13 01:45:00 2021 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Oct 13 01:45:00 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 1024 bit RSA
Oct 13 01:45:00 2021 [OpenVPN Server] Peer Connection Initiated with [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:45:01 2021 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Oct 13 01:45:01 2021 PUSH: Received control message: 'PUSH_REPLY,route-delay 10,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,route 192.168.3.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Oct 13 01:45:01 2021 OPTIONS IMPORT: timers and/or timeouts modified
Oct 13 01:45:01 2021 OPTIONS IMPORT: --ifconfig/up options modified
Oct 13 01:45:01 2021 OPTIONS IMPORT: route options modified
Oct 13 01:45:01 2021 OPTIONS IMPORT: route-related options modified
Oct 13 01:45:01 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Oct 13 01:45:01 2021 OPTIONS IMPORT: peer-id set
Oct 13 01:45:01 2021 OPTIONS IMPORT: adjusting link_mtu to 6127
Oct 13 01:45:01 2021 OPTIONS IMPORT: data channel crypto options modified
Oct 13 01:45:01 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Oct 13 01:45:01 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 13 01:45:01 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 13 01:45:01 2021 ROUTE_GATEWAY 172.20.10.1/255.255.255.240 IFACE=wlp6s0 HWADDR=14:f6:d8:9d:ad:aa
Oct 13 01:45:01 2021 TUN/TAP device tun0 opened
Oct 13 01:45:01 2021 TUN/TAP TX queue length set to 100
Oct 13 01:45:01 2021 /sbin/ip link set dev tun0 up mtu 6000
Oct 13 01:45:01 2021 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Oct 13 01:45:11 2021 /sbin/ip route add 10.8.0.0/24 via 10.8.0.1
RTNETLINK answers: File exists
Oct 13 01:45:11 2021 ERROR: Linux route add command failed: external program exited with error status: 2
Oct 13 01:45:11 2021 /sbin/ip route add 192.168.3.0/24 via 10.8.0.1
Oct 13 01:45:11 2021 Initialization Sequence Completed
Oct 13 01:45:11 2021 Bad LZO decompression header byte: 42
Oct 13 01:45:22 2021 Bad LZO decompression header byte: 42
Oct 13 01:45:31 2021 Bad LZO decompression header byte: 42
^COct 13 01:45:36 2021 event_wait : Interrupted system call (code=4)
Oct 13 01:45:36 2021 /sbin/ip route del 192.168.3.0/24
Oct 13 01:45:36 2021 Closing TUN/TAP interface
Oct 13 01:45:36 2021 /sbin/ip addr del dev tun0 10.8.0.2/24
Oct 13 01:45:36 2021 SIGINT[hard,] received, process exiting
-----------------------------------------------------------------------------------------------------------------------------
~ » sudo openvpn --config '/home/myusername/Downloads/client.ovpn'                                          username@my-linux-machine
Oct 13 01:46:39 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
Oct 13 01:46:39 2021 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Enter Auth Username: myovpnusername
Enter Auth Password: *********               
Oct 13 01:46:44 2021 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 13 01:46:44 2021 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 13 01:46:44 2021 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 6000)
Oct 13 01:46:44 2021 TCP/UDP: Preserving recently used remote address: [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:46:44 2021 Socket Buffers: R=[131072->131072] S=[16384->16384]
Oct 13 01:46:44 2021 Attempting to establish TCP connection with [AF_INET][my_home_router_public_ip]:61289 [nonblock]
Oct 13 01:46:45 2021 TCP connection established with [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:46:45 2021 TCP_CLIENT link local: (not bound)
Oct 13 01:46:45 2021 TCP_CLIENT link remote: [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:46:45 2021 TLS: Initial packet from [AF_INET][my_home_router_public_ip]:61289, sid=0c9e739a f4304023
Oct 13 01:46:45 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 13 01:46:45 2021 VERIFY OK: depth=1, O=LuCI, CN=OpenVPN CA
Oct 13 01:46:45 2021 VERIFY KU OK
Oct 13 01:46:45 2021 Validating certificate extended key usage
Oct 13 01:46:45 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 13 01:46:45 2021 VERIFY EKU OK
Oct 13 01:46:45 2021 VERIFY OK: depth=0, O=LuCI, CN=OpenVPN Server
Oct 13 01:46:45 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 6044', remote='link-mtu 1543'
Oct 13 01:46:45 2021 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 6000', remote='tun-mtu 1500'
Oct 13 01:46:45 2021 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Oct 13 01:46:45 2021 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Oct 13 01:46:45 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 1024 bit RSA
Oct 13 01:46:45 2021 [OpenVPN Server] Peer Connection Initiated with [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:46:46 2021 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Oct 13 01:46:46 2021 PUSH: Received control message: 'PUSH_REPLY,route-delay 10,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,route 192.168.3.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Oct 13 01:46:46 2021 OPTIONS IMPORT: timers and/or timeouts modified
Oct 13 01:46:46 2021 OPTIONS IMPORT: --ifconfig/up options modified
Oct 13 01:46:46 2021 OPTIONS IMPORT: route options modified
Oct 13 01:46:46 2021 OPTIONS IMPORT: route-related options modified
Oct 13 01:46:46 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Oct 13 01:46:46 2021 OPTIONS IMPORT: peer-id set
Oct 13 01:46:46 2021 OPTIONS IMPORT: adjusting link_mtu to 6127
Oct 13 01:46:46 2021 OPTIONS IMPORT: data channel crypto options modified
Oct 13 01:46:46 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Oct 13 01:46:46 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 13 01:46:46 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 13 01:46:46 2021 ROUTE_GATEWAY 172.20.10.1/255.255.255.240 IFACE=wlp6s0 HWADDR=14:f6:d8:9d:ad:aa
Oct 13 01:46:46 2021 TUN/TAP device tun0 opened
Oct 13 01:46:46 2021 TUN/TAP TX queue length set to 100
Oct 13 01:46:46 2021 /sbin/ip link set dev tun0 up mtu 6000
Oct 13 01:46:46 2021 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Oct 13 01:46:56 2021 Bad LZO decompression header byte: 42
Oct 13 01:46:56 2021 /sbin/ip route add 10.8.0.0/24 via 10.8.0.1
RTNETLINK answers: File exists
Oct 13 01:46:56 2021 ERROR: Linux route add command failed: external program exited with error status: 2
Oct 13 01:46:56 2021 /sbin/ip route add 192.168.3.0/24 via 10.8.0.1
Oct 13 01:46:56 2021 Initialization Sequence Completed
Oct 13 01:47:07 2021 Bad LZO decompression header byte: 42
Oct 13 01:47:17 2021 Bad LZO decompression header byte: 42
Oct 13 01:47:27 2021 Bad LZO decompression header byte: 42
Oct 13 01:47:37 2021 Bad LZO decompression header byte: 42
Oct 13 01:47:47 2021 Bad LZO decompression header byte: 42
Oct 13 01:47:58 2021 Bad LZO decompression header byte: 42
Oct 13 01:48:08 2021 Bad LZO decompression header byte: 42
Oct 13 01:48:18 2021 Bad LZO decompression header byte: 42
Oct 13 01:48:28 2021 Bad LZO decompression header byte: 42
Oct 13 01:48:38 2021 Bad LZO decompression header byte: 42
Oct 13 01:48:46 2021 [OpenVPN Server] Inactivity timeout (--ping-restart), restarting
Oct 13 01:48:46 2021 SIGUSR1[soft,ping-restart] received, process restarting
Oct 13 01:48:46 2021 Restart pause, 5 second(s)
Oct 13 01:48:51 2021 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 6000)
Oct 13 01:48:51 2021 TCP/UDP: Preserving recently used remote address: [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:48:51 2021 Socket Buffers: R=[131072->131072] S=[16384->16384]
Oct 13 01:48:51 2021 Attempting to establish TCP connection with [AF_INET][my_home_router_public_ip]:61289 [nonblock]
Oct 13 01:48:52 2021 TCP connection established with [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:48:52 2021 TCP_CLIENT link local: (not bound)
Oct 13 01:48:52 2021 TCP_CLIENT link remote: [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:48:52 2021 TLS: Initial packet from [AF_INET][my_home_router_public_ip]:61289, sid=83abb4a1 bcfd6fff
Oct 13 01:48:52 2021 VERIFY OK: depth=1, O=LuCI, CN=OpenVPN CA
Oct 13 01:48:52 2021 VERIFY KU OK
Oct 13 01:48:52 2021 Validating certificate extended key usage
Oct 13 01:48:52 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 13 01:48:52 2021 VERIFY EKU OK
Oct 13 01:48:52 2021 VERIFY OK: depth=0, O=LuCI, CN=OpenVPN Server
Oct 13 01:48:52 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 6044', remote='link-mtu 1543'
Oct 13 01:48:52 2021 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 6000', remote='tun-mtu 1500'
Oct 13 01:48:52 2021 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Oct 13 01:48:52 2021 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Oct 13 01:48:52 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 1024 bit RSA
Oct 13 01:48:52 2021 [OpenVPN Server] Peer Connection Initiated with [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:48:53 2021 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Oct 13 01:48:53 2021 PUSH: Received control message: 'PUSH_REPLY,route-delay 10,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,route 192.168.3.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Oct 13 01:48:53 2021 OPTIONS IMPORT: timers and/or timeouts modified
Oct 13 01:48:53 2021 OPTIONS IMPORT: --ifconfig/up options modified
Oct 13 01:48:53 2021 OPTIONS IMPORT: route options modified
Oct 13 01:48:53 2021 OPTIONS IMPORT: route-related options modified
Oct 13 01:48:53 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Oct 13 01:48:53 2021 OPTIONS IMPORT: peer-id set
Oct 13 01:48:53 2021 OPTIONS IMPORT: adjusting link_mtu to 6127
Oct 13 01:48:53 2021 OPTIONS IMPORT: data channel crypto options modified
Oct 13 01:48:53 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Oct 13 01:48:53 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 13 01:48:53 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 13 01:48:53 2021 Preserving previous TUN/TAP instance: tun0
Oct 13 01:48:53 2021 Initialization Sequence Completed
Oct 13 01:49:03 2021 Bad LZO decompression header byte: 42
Oct 13 01:49:13 2021 Bad LZO decompression header byte: 42
Oct 13 01:49:23 2021 Bad LZO decompression header byte: 42
Oct 13 01:49:33 2021 Bad LZO decompression header byte: 42
Oct 13 01:49:43 2021 Bad LZO decompression header byte: 42
Oct 13 01:49:53 2021 Bad LZO decompression header byte: 42
Oct 13 01:50:03 2021 Bad LZO decompression header byte: 42
Oct 13 01:50:13 2021 Bad LZO decompression header byte: 42
Oct 13 01:50:23 2021 Bad LZO decompression header byte: 42
Oct 13 01:50:34 2021 Bad LZO decompression header byte: 42
Oct 13 01:50:44 2021 Bad LZO decompression header byte: 42
Oct 13 01:50:53 2021 [OpenVPN Server] Inactivity timeout (--ping-restart), restarting
Oct 13 01:50:53 2021 SIGUSR1[soft,ping-restart] received, process restarting
Oct 13 01:50:53 2021 Restart pause, 5 second(s)
Oct 13 01:50:58 2021 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 6000)
Oct 13 01:50:58 2021 TCP/UDP: Preserving recently used remote address: [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:50:58 2021 Socket Buffers: R=[131072->131072] S=[16384->16384]
Oct 13 01:50:58 2021 Attempting to establish TCP connection with [AF_INET][my_home_router_public_ip]:61289 [nonblock]
Oct 13 01:50:59 2021 TCP connection established with [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:50:59 2021 TCP_CLIENT link local: (not bound)
Oct 13 01:50:59 2021 TCP_CLIENT link remote: [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:50:59 2021 TLS: Initial packet from [AF_INET][my_home_router_public_ip]:61289, sid=73c1c011 23d2c0ee
Oct 13 01:50:59 2021 VERIFY OK: depth=1, O=LuCI, CN=OpenVPN CA
Oct 13 01:50:59 2021 VERIFY KU OK
Oct 13 01:50:59 2021 Validating certificate extended key usage
Oct 13 01:50:59 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 13 01:50:59 2021 VERIFY EKU OK
Oct 13 01:50:59 2021 VERIFY OK: depth=0, O=LuCI, CN=OpenVPN Server
Oct 13 01:50:59 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 6044', remote='link-mtu 1543'
Oct 13 01:50:59 2021 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 6000', remote='tun-mtu 1500'
Oct 13 01:50:59 2021 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Oct 13 01:50:59 2021 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Oct 13 01:50:59 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 1024 bit RSA
Oct 13 01:50:59 2021 [OpenVPN Server] Peer Connection Initiated with [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:51:00 2021 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Oct 13 01:51:00 2021 PUSH: Received control message: 'PUSH_REPLY,route-delay 10,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,route 192.168.3.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Oct 13 01:51:00 2021 OPTIONS IMPORT: timers and/or timeouts modified
Oct 13 01:51:00 2021 OPTIONS IMPORT: --ifconfig/up options modified
Oct 13 01:51:00 2021 OPTIONS IMPORT: route options modified
Oct 13 01:51:00 2021 OPTIONS IMPORT: route-related options modified
Oct 13 01:51:00 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Oct 13 01:51:00 2021 OPTIONS IMPORT: peer-id set
Oct 13 01:51:00 2021 OPTIONS IMPORT: adjusting link_mtu to 6127
Oct 13 01:51:00 2021 OPTIONS IMPORT: data channel crypto options modified
Oct 13 01:51:00 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Oct 13 01:51:00 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 13 01:51:00 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 13 01:51:00 2021 Preserving previous TUN/TAP instance: tun0
Oct 13 01:51:00 2021 Initialization Sequence Completed
Oct 13 01:51:11 2021 Bad LZO decompression header byte: 42
Oct 13 01:51:20 2021 Bad LZO decompression header byte: 42
Oct 13 01:51:30 2021 Bad LZO decompression header byte: 42
Oct 13 01:51:41 2021 Bad LZO decompression header byte: 42
Oct 13 01:51:51 2021 Bad LZO decompression header byte: 42
Oct 13 01:52:01 2021 Bad LZO decompression header byte: 42
Oct 13 01:52:11 2021 Bad LZO decompression header byte: 42
Oct 13 01:53:00 2021 [OpenVPN Server] Inactivity timeout (--ping-restart), restarting
Oct 13 01:53:00 2021 SIGUSR1[soft,ping-restart] received, process restarting
Oct 13 01:53:00 2021 Restart pause, 5 second(s)
Oct 13 01:53:05 2021 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 6000)
Oct 13 01:53:05 2021 TCP/UDP: Preserving recently used remote address: [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:53:05 2021 Socket Buffers: R=[131072->131072] S=[16384->16384]
Oct 13 01:53:05 2021 Attempting to establish TCP connection with [AF_INET][my_home_router_public_ip]:61289 [nonblock]
Oct 13 01:53:06 2021 TCP connection established with [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:53:06 2021 TCP_CLIENT link local: (not bound)
Oct 13 01:53:06 2021 TCP_CLIENT link remote: [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:53:06 2021 TLS: Initial packet from [AF_INET][my_home_router_public_ip]:61289, sid=7fe43089 a49d3e34
Oct 13 01:53:06 2021 VERIFY OK: depth=1, O=LuCI, CN=OpenVPN CA
Oct 13 01:53:06 2021 VERIFY KU OK
Oct 13 01:53:06 2021 Validating certificate extended key usage
Oct 13 01:53:06 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 13 01:53:06 2021 VERIFY EKU OK
Oct 13 01:53:06 2021 VERIFY OK: depth=0, O=LuCI, CN=OpenVPN Server
Oct 13 01:53:06 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 6044', remote='link-mtu 1543'
Oct 13 01:53:06 2021 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 6000', remote='tun-mtu 1500'
Oct 13 01:53:06 2021 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Oct 13 01:53:06 2021 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Oct 13 01:53:06 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 1024 bit RSA
Oct 13 01:53:06 2021 [OpenVPN Server] Peer Connection Initiated with [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:53:08 2021 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Oct 13 01:53:08 2021 PUSH: Received control message: 'PUSH_REPLY,route-delay 10,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,route 192.168.3.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.3 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Oct 13 01:53:08 2021 OPTIONS IMPORT: timers and/or timeouts modified
Oct 13 01:53:08 2021 OPTIONS IMPORT: --ifconfig/up options modified
Oct 13 01:53:08 2021 OPTIONS IMPORT: route options modified
Oct 13 01:53:08 2021 OPTIONS IMPORT: route-related options modified
Oct 13 01:53:08 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Oct 13 01:53:08 2021 OPTIONS IMPORT: peer-id set
Oct 13 01:53:08 2021 OPTIONS IMPORT: adjusting link_mtu to 6127
Oct 13 01:53:08 2021 OPTIONS IMPORT: data channel crypto options modified
Oct 13 01:53:08 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Oct 13 01:53:08 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 13 01:53:08 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 13 01:53:08 2021 Preserving previous TUN/TAP instance: tun0
Oct 13 01:53:08 2021 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Oct 13 01:53:08 2021 /sbin/ip route del 192.168.3.0/24
Oct 13 01:53:08 2021 Closing TUN/TAP interface
Oct 13 01:53:08 2021 /sbin/ip addr del dev tun0 10.8.0.2/24
Oct 13 01:53:09 2021 ROUTE_GATEWAY 192.168.3.1/255.255.255.0 IFACE=enp7s0 HWADDR=24:4b:fe:57:77:e2
Oct 13 01:53:09 2021 TUN/TAP device tun0 opened
Oct 13 01:53:09 2021 TUN/TAP TX queue length set to 100
Oct 13 01:53:09 2021 /sbin/ip link set dev tun0 up mtu 6000
Oct 13 01:53:09 2021 /sbin/ip addr add dev tun0 10.8.0.3/24 broadcast 10.8.0.255
Oct 13 01:53:18 2021 Bad LZO decompression header byte: 42
Oct 13 01:53:19 2021 /sbin/ip route add 10.8.0.0/24 via 10.8.0.1
RTNETLINK answers: File exists
Oct 13 01:53:19 2021 ERROR: Linux route add command failed: external program exited with error status: 2
Oct 13 01:53:19 2021 /sbin/ip route add 192.168.3.0/24 via 10.8.0.1
Oct 13 01:53:19 2021 Initialization Sequence Completed
Oct 13 01:53:28 2021 Bad LZO decompression header byte: 42
Oct 13 01:53:38 2021 Bad LZO decompression header byte: 42
Oct 13 01:53:48 2021 Bad LZO decompression header byte: 42
Oct 13 01:53:58 2021 Bad LZO decompression header byte: 42
Oct 13 01:54:08 2021 Bad LZO decompression header byte: 42
Oct 13 01:54:18 2021 Bad LZO decompression header byte: 42
Oct 13 01:54:28 2021 Bad LZO decompression header byte: 42
Oct 13 01:54:38 2021 Bad LZO decompression header byte: 42
Oct 13 01:54:48 2021 Bad LZO decompression header byte: 42
Oct 13 01:54:58 2021 Bad LZO decompression header byte: 42
Oct 13 01:55:08 2021 [OpenVPN Server] Inactivity timeout (--ping-restart), restarting
Oct 13 01:55:08 2021 SIGUSR1[soft,ping-restart] received, process restarting
Oct 13 01:55:08 2021 Restart pause, 5 second(s)
Oct 13 01:55:13 2021 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 6000)
Oct 13 01:55:13 2021 TCP/UDP: Preserving recently used remote address: [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:55:13 2021 Socket Buffers: R=[131072->131072] S=[16384->16384]
Oct 13 01:55:13 2021 Attempting to establish TCP connection with [AF_INET][my_home_router_public_ip]:61289 [nonblock]
Oct 13 01:55:14 2021 TCP connection established with [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:55:14 2021 TCP_CLIENT link local: (not bound)
Oct 13 01:55:14 2021 TCP_CLIENT link remote: [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:55:14 2021 TLS: Initial packet from [AF_INET][my_home_router_public_ip]:61289, sid=d126bf4a df23942d
Oct 13 01:55:14 2021 VERIFY OK: depth=1, O=LuCI, CN=OpenVPN CA
Oct 13 01:55:14 2021 VERIFY KU OK
Oct 13 01:55:14 2021 Validating certificate extended key usage
Oct 13 01:55:14 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 13 01:55:14 2021 VERIFY EKU OK
Oct 13 01:55:14 2021 VERIFY OK: depth=0, O=LuCI, CN=OpenVPN Server
Oct 13 01:55:14 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 6044', remote='link-mtu 1543'
Oct 13 01:55:14 2021 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 6000', remote='tun-mtu 1500'
Oct 13 01:55:14 2021 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Oct 13 01:55:14 2021 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Oct 13 01:55:14 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 1024 bit RSA
Oct 13 01:55:14 2021 [OpenVPN Server] Peer Connection Initiated with [AF_INET][my_home_router_public_ip]:61289
Oct 13 01:55:15 2021 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Oct 13 01:55:15 2021 PUSH: Received control message: 'PUSH_REPLY,route-delay 10,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,route 192.168.3.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.3 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Oct 13 01:55:15 2021 OPTIONS IMPORT: timers and/or timeouts modified
Oct 13 01:55:15 2021 OPTIONS IMPORT: --ifconfig/up options modified
Oct 13 01:55:15 2021 OPTIONS IMPORT: route options modified
Oct 13 01:55:15 2021 OPTIONS IMPORT: route-related options modified
Oct 13 01:55:15 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Oct 13 01:55:15 2021 OPTIONS IMPORT: peer-id set
Oct 13 01:55:15 2021 OPTIONS IMPORT: adjusting link_mtu to 6127
Oct 13 01:55:15 2021 OPTIONS IMPORT: data channel crypto options modified
Oct 13 01:55:15 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Oct 13 01:55:15 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 13 01:55:15 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 13 01:55:15 2021 Preserving previous TUN/TAP instance: tun0
Oct 13 01:55:15 2021 Initialization Sequence Completed
Oct 13 01:55:24 2021 Bad LZO decompression header byte: 69
Oct 13 01:55:29 2021 Bad LZO decompression header byte: 69
Oct 13 01:55:39 2021 Bad LZO decompression header byte: 42
Oct 13 01:55:49 2021 Bad LZO decompression header byte: 42
Oct 13 01:55:59 2021 Bad LZO decompression header byte: 42
Oct 13 01:56:09 2021 Bad LZO decompression header byte: 42
^COct 13 01:56:15 2021 event_wait : Interrupted system call (code=4)
Oct 13 01:56:15 2021 /sbin/ip route del 192.168.3.0/24
Oct 13 01:56:15 2021 Closing TUN/TAP interface
Oct 13 01:56:15 2021 /sbin/ip addr del dev tun0 10.8.0.3/24
Oct 13 01:56:15 2021 SIGINT[hard,] received, process exiting

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: After client gets connected, cannot ping from client to server or vice versa (route added to the client machine)

Post by TinCanTech » Wed Oct 13, 2021 4:00 pm

WildCat wrote: ↑
Wed Oct 13, 2021 3:13 pm

Code: Select all

Oct 13 01:45:11 2021 /sbin/ip route add 10.8.0.0/24 via 10.8.0.1
RTNETLINK answers: File exists
Oct 13 01:45:11 2021 ERROR: Linux route add command failed: external program exited with error status: 2

From your server config, remove:

Code: Select all

push "route 10.8.0.0 255.255.255.0"

WildCat wrote: ↑
Wed Oct 13, 2021 3:13 pm
Oct 13 01:45:11 2021 Bad LZO decompression header byte: 42

To your server and client config, add:

Code: Select all

comp-lzo no

WildCat
OpenVpn Newbie
Posts: 5
Joined: Mon Oct 11, 2021 12:21 am

Re: After client gets connected, cannot ping from client to server or vice versa (route added to the client machine)

Post by WildCat » Thu Oct 14, 2021 7:52 am

TinCanTech wrote: ↑
Wed Oct 13, 2021 4:00 pm
WildCat wrote: ↑
Wed Oct 13, 2021 3:13 pm

Code: Select all

Oct 13 01:45:11 2021 /sbin/ip route add 10.8.0.0/24 via 10.8.0.1
RTNETLINK answers: File exists
Oct 13 01:45:11 2021 ERROR: Linux route add command failed: external program exited with error status: 2
From your server config, remove:

Code: Select all

push "route 10.8.0.0 255.255.255.0"
WildCat wrote: ↑
Wed Oct 13, 2021 3:13 pm
Oct 13 01:45:11 2021 Bad LZO decompression header byte: 42
To your server and client config, add:

Code: Select all

comp-lzo no

Thanks a lot! It works! I have to keep

Code: Select all

push "route 10.8.0.0 255.255.255.0"
otherwise the connection cannot be established.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: After client gets connected, cannot ping from client to server or vice versa (route added to the client machine)

Post by TinCanTech » Thu Oct 14, 2021 1:11 pm

WildCat wrote: ↑
Thu Oct 14, 2021 7:52 am
Thanks a lot! It works! I have to keep

Code: Select all

push "route 10.8.0.0 255.255.255.0"
otherwise the connection cannot be established.

As you can see from your log:

Code: Select all

Oct 13 01:45:11 2021 /sbin/ip route add 10.8.0.0/24 via 10.8.0.1
RTNETLINK answers: File exists
Oct 13 01:45:11 2021 ERROR: Linux route add command failed: external program exited with error status: 2

pushing the route does nothing.

If removing the pushed route breaks your VPN then you have some other problem.
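
An added example (not code from this thread or from the OpenVPN project): a Python check over a client log that lists the options OpenVPN warned were mismatched, counts the LZO header errors, and flags any pushed route equal to the tunnel subnet that the pushed `ifconfig` already installs under `topology subnet`, which is the route that fails with "File exists". The name `diagnose` and the regular expressions are assumptions of this example; the sample lines are copied from the client log posted above.

```python
import ipaddress
import re

# Sample input: client log lines copied from the log posted earlier in the thread.
SAMPLE_LOG = """\
Oct 13 01:55:14 2021 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 6000', remote='tun-mtu 1500'
Oct 13 01:55:14 2021 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Oct 13 01:55:14 2021 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Oct 13 01:55:15 2021 PUSH: Received control message: 'PUSH_REPLY,route-delay 10,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,route 192.168.3.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.3 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Oct 13 01:55:24 2021 Bad LZO decompression header byte: 69
"""

WARN_RE = re.compile(r"WARNING: '([^']+)' is (?:used inconsistently|present in local config)")
PUSH_RE = re.compile(r"'PUSH_REPLY,([^']*)'")


def diagnose(log_text):
    """Return (mismatched_options, redundant_routes, lzo_errors) for a client log."""
    mismatched, redundant, lzo_errors = [], [], 0
    for line in log_text.splitlines():
        warn = WARN_RE.search(line)
        if warn:
            mismatched.append(warn.group(1))
        if "Bad LZO decompression header byte" in line:
            lzo_errors += 1
        push = PUSH_RE.search(line)
        if not push:
            continue
        opts = [o.split() for o in push.group(1).split(",") if o.strip()]
        # With "topology subnet" the pushed ifconfig address/netmask already
        # gives the client a connected route for the whole tunnel subnet.
        tunnel = None
        for o in opts:
            if o[0] == "ifconfig" and len(o) == 3 and ["topology", "subnet"] in opts:
                tunnel = ipaddress.ip_interface(f"{o[1]}/{o[2]}").network
        for o in opts:
            if o[0] != "route" or len(o) < 3 or tunnel is None:
                continue
            try:
                net = ipaddress.ip_network(f"{o[1]}/{o[2]}", strict=False)
            except ValueError:  # e.g. netmask given as "default"
                continue
            if net == tunnel:  # same prefix as the connected route
                redundant.append(str(net))
    return mismatched, redundant, lzo_errors


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```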

WildCat
OpenVpn Newbie
Posts: 5
Joined: Mon Oct 11, 2021 12:21 am

Re: After client gets connected, cannot ping from client to server or vice versa (route added to the client machine)

Post by WildCat » Fri Oct 15, 2021 11:50 am

TinCanTech wrote: ↑
Thu Oct 14, 2021 1:11 pm
WildCat wrote: ↑
Thu Oct 14, 2021 7:52 am
Thanks a lot! It works! I have to keep

Code: Select all

push "route 10.8.0.0 255.255.255.0"
otherwise the connection cannot be established.
As you can see from your log:

Code: Select all

Oct 13 01:45:11 2021 /sbin/ip route add 10.8.0.0/24 via 10.8.0.1
RTNETLINK answers: File exists
Oct 13 01:45:11 2021 ERROR: Linux route add command failed: external program exited with error status: 2
pushing the route does nothing.

If removing the pushed route breaks your VPN then you have some other problem.

Yeah, you're right! Thanks for the reply!

I tried again and this error was still here.

Got two questions here:

1. If adding this route failed, should it be an issue from the client side instead of the server side?

2. Since the compression algorithm is disabled (the doc said we shouldn't disable it because of deprecation), any hint to fix it? Could it be a problem of the server (OpenWrt misses some package/dependency)?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: After client gets connected, cannot ping from client to server or vice versa (route added to the client machine)

Post by TinCanTech » Fri Oct 15, 2021 1:34 pm

WildCat wrote: ↑
Fri Oct 15, 2021 11:50 am
If adding this route failed, should it be an issue from the client side instead of the server side?

No, configure the server and take out your manually pushed route.

WildCat wrote: ↑
Fri Oct 15, 2021 11:50 am
Since the compression algorithm is disabled (the doc said we shouldn't disable it because of deprecation), any hint to fix it? Could it be a problem of the server (OpenWrt misses some package/dependency)?

It is probably some setting in OpenWRT, see your server log for details.

WildCat
OpenVpn Newbie
Posts: 5
Joined: Mon Oct 11, 2021 12:21 am

Re: After client gets connected, cannot ping from client to server or vice versa (route added to the client machine)

Post by WildCat » Sun Oct 17, 2021 5:01 am

Thanks! I did some searching and found that LZO compression has been disabled for security purposes:

- https://github.com/openwrt/packages/com ... f34ed25eca
- Mentioned by https://forum.openwrt.org/t/openvpn-in- ... -07/100998

Might be related: https://community.openvpn.net/openvpn/wiki/VORACLE
