OpenVPN 2.5.1 route on client side

shajek
OpenVpn Newbie
Posts: 3
Joined: Wed Aug 17, 2022 3:19 pm

OpenVPN 2.5.1 route on client side

Post by shajek » Thu Dec 08, 2022 9:13 am

Hello,

I have a Mikrotik UDP OpenVPN server (ROS 7.6), basically without problems. I use various clients (x86 or aarch64). I have installed the latest version of Debian (DietPi) on an RPi CM4, where the only available version of OVPN is 2.5. I generated certificates, put the profile in place, and all works flawlessly except the route. Mikrotik doesn't have the possibility to push routes, and I have to solve it on the client side.

client config

client
dev tun
proto udp
remote vpn.on.mikrotik 1195
float
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
askpass client.pass
verb 5
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass secret
auth-nocache
script-security 2
up after.sh
#route 10.0.1.0 255.255.255.0
#route 192.168.87.0 255.255.255.0
log-append openvpn.log


here is after.sh (with #!/bin/sh on the first line)
after.sh

#!/bin/sh
ip route add 192.168.87.0/24 via 0.0.0.0 dev tun0
ip route add 10.0.1.0/24 via 0.0.0.0 dev tun0


With this setup, previous versions of DietPi/OpenVPN all worked well, no problem at all.
But here is the problem: OVPN exited (and stopped working or reconnecting) because:
  1. ip route returns error code -2 because the kernel doesn't add one route, because
  2. my network, where I install/test, is 10.0.1.0/24
  3. the script tries to add a route which already exists, because I have a local IP 10.0.1.x assigned via eth0 and it tries to add the route via tun0
But this was not a problem in versions/installations before, and OVPN worked even with this setup.

So I tried to eliminate the external script and use route directly in the config.
client config

..same config without up after.sh ....
route 10.0.1.0 255.255.255.0
route 192.168.87.0 255.255.255.0
....


Now OVPN doesn't exit and stop, but throws errors:


2022-12-07 15:09:02 us=533913 net_route_v4_best_gw query: dst 0.0.0.0
2022-12-07 15:09:02 us=534590 net_route_v4_best_gw result: via 10.0.1.1 dev eth0
2022-12-07 15:09:02 us=534817 ROUTE_GATEWAY 10.0.1.1/255.255.255.0 IFACE=eth0 HWADDR=e4:5f:01:63:d6:f4
2022-12-07 15:09:02 us=538439 TUN/TAP device tun0 opened
2022-12-07 15:09:02 us=538647 do_ifconfig, ipv4=1, ipv6=0
2022-12-07 15:09:02 us=538852 net_iface_mtu_set: mtu 1500 for tun0
2022-12-07 15:09:02 us=539223 net_iface_up: set tun0 up
2022-12-07 15:09:02 us=539660 net_addr_v4_add: 192.168.89.28/24 dev tun0
2022-12-07 15:09:02 us=540346 net_route_v4_add: 10.0.1.0/24 via 192.168.87.205 dev [NULL] table 0 metric -1
2022-12-07 15:09:02 us=540543 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-12-07 15:09:02 us=540752 ERROR: Linux route add command failed
2022-12-07 15:09:02 us=540804 net_route_v4_add: 192.168.87.0/24 via 192.168.87.205 dev [NULL] table 0 metric -1
2022-12-07 15:09:02 us=540965 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-12-07 15:09:02 us=541041 ERROR: Linux route add command failed

If I don't use after.sh or route, the connection is solid and working.

Clients are headless on my "customer" site, most of the time on DHCP with an address pool which I will not affect (and yes, there can be a situation where the customer has my subnet 10.0.1.0, which I want to route to my network, but that's a situation I can't influence and I'm not going to deal with it now).

I know that it is not so clever to add routes which are actually already added, but before, it was working for what I need.

Can you help me with the correct way to do routing without OVPN crashing?

Thank you

300000
OpenVPN Expert
Posts: 688
Joined: Tue May 01, 2012 9:30 pm

Re: OpenVPN 2.5.1 route on client side

Post by 300000 » Fri Dec 09, 2022 12:06 am

You can try this one; it should work for you.

route 10.0.1.0 255.255.255.0 net_gateway
route 192.168.87.0 255.255.255.0 net_gateway


If it is not working as you expect, you can try this way. Either way it will work.

route 10.0.1.0 255.255.255.0 vpn_gateway
route 192.168.87.0 255.255.255.0 vpn_gateway

ordex
OpenVPN Inc.
Posts: 437
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: OpenVPN 2.5.1 route on client side

Post by ordex » Mon Dec 12, 2022 9:10 pm

Beware, those two commands do 2 totally opposite things. Therefore you should not "try which one works", but rather understand which one you need.

The error you are getting is probably because 192.168.87.205 is not on any of your interfaces (and this seems indeed the case since you are trying to add a route to 192.168.87.0/24). Why are you using 192.168.87.205 as gateway?

However, if I am guessing right, the command suggested by 300000 ending with "vpn_gateway" is what you need (although it should be the default).

shajek
OpenVpn Newbie
Posts: 3
Joined: Wed Aug 17, 2022 3:19 pm

Re: OpenVPN 2.5.1 route on client side

Post by shajek » Wed Dec 14, 2022 8:57 am

Mikrotik itself assigns the local address from the pool 192.168.87.x/24 (on the Mikrotik) and the remote address from 192.168.89.x/24.
I maybe don't need the 87 subnet, only 89, because the Mikrotik will translate it, but I need the 10.0.1.x/24 subnet, where my main site is.
(10.0.1.x local network, my site)
(192.168.87.x local VPN address pool)
(192.168.89.x remote VPN address pool, which is assigned on tun0)
Why are you using 192.168.87.205 as gateway?
Because it is the local address on the gateway, and this route is generated by OpenVPN itself.


But the problem itself is not wrong routing, but the "error handling" of already added routes:
  • via ip route there is a "kernel error" as the return value, and OpenVPN ends forcefully.
I will look at the difference between vpn_gateway and net_gateway.
Thank you
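The failure shajek describes in the first and last posts (an `ip route add` for a prefix that is already on eth0 returns an error, the up script exits non-zero, and OpenVPN treats the script as failed) can be avoided by making the up script idempotent. The script below is an added example, not code from the thread or from the OpenVPN project: it inspects the kernel routing table before touching each prefix, skips prefixes that are already reachable through another interface, and always exits 0. It assumes OpenVPN's exported $dev variable names the tun interface, that the script is referenced with `up` and `script-security 2` as in the posted config, and the helper names route_status and add_route_idempotent are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): an idempotent OpenVPN "up" script.
# Assumption: OpenVPN exports $dev (e.g. tun0) to scripts started with --up.

# Prefixes that should be reached through the tunnel (taken from the thread's config).
WANTED_ROUTES="10.0.1.0/24 192.168.87.0/24"

# route_status PREFIX TABLE TUNDEV
#   TABLE is the text of `ip -4 route show`. Prints one of:
#     absent  - no route for PREFIX, safe to add
#     tunnel  - PREFIX already goes through TUNDEV, nothing to do
#     local   - PREFIX is already reachable via another interface
#               (the 10.0.1.0/24-on-eth0 case); adding it would fail
route_status() {
    prefix="$1"
    table="$2"
    tundev="$3"
    # Escape the dots so the prefix is matched literally, anchored at line start.
    pattern="^$(printf '%s' "$prefix" | sed 's/\./\\./g') "
    line=$(printf '%s\n' "$table" | grep -E "$pattern" | head -n 1)
    if [ -z "$line" ]; then
        echo absent
    elif printf '%s\n' "$line" | grep -Eq " dev $tundev( |$)"; then
        echo tunnel
    else
        echo local
    fi
}

# add_route_idempotent PREFIX TUNDEV
#   Adds PREFIX via TUNDEV only when the kernel has no route for it yet.
#   A failed add is logged but never propagated, so OpenVPN keeps running.
add_route_idempotent() {
    prefix="$1"
    tundev="$2"
    table=$(ip -4 route show)
    case "$(route_status "$prefix" "$table" "$tundev")" in
        absent)
            if ip route add "$prefix" dev "$tundev"; then
                echo "after.sh: added $prefix via $tundev"
            else
                echo "after.sh: could not add $prefix via $tundev (ignored)" >&2
            fi
            ;;
        tunnel)
            echo "after.sh: $prefix already routed via $tundev"
            ;;
        local)
            echo "after.sh: $prefix already reachable on another interface, skipping"
            ;;
    esac
}

main() {
    tundev="$dev"
    for prefix in $WANTED_ROUTES; do
        add_route_idempotent "$prefix" "$tundev"
    done
    # The up script's exit status is what OpenVPN checks; 0 means "script succeeded".
    exit 0
}

# Only act when started by OpenVPN (which sets $dev); sourcing the file does nothing.
if [ -n "${dev:-}" ]; then
    main
fi
```

The routing decision is made from the current table rather than by blindly retrying `ip route add`, so a client that happens to sit on 10.0.1.0/24 itself (the case the first post mentions) logs a skip instead of killing the VPN session. Note that this only removes the script failure; as ordex points out, whether a prefix should go through the tunnel at all is a separate question of which gateway the route is meant to use.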
