"redirect-gateway def1" Problem with raspberry client over UMTS

[emcc]

Hello,

After two days of google and trial and error I don't know what to do next.

I successfully run an openvpn server incl. the option "push "redirect-gateway def1 bypass-dhcp"" on my raspberry pi since two years and can use it with my Android phone via mobile or wlan, i.e. Android_VPNClient===Internet_viaWLAN_or_4G===FritzBox-Router===Raspi1_VPN_Server_onlocal_Wlan

Now I want to create the following setup with a 2nd Pi: Raspi2_OpenVPNclient===UMTS Stick==="Internet"===FritzBox-Router===Raspi1_VPN_Server_onlocal_Wlan. Should be very similar, but does not fully work so far.

What works if "redirect-gateway def1 bypass-dhcp" is NOT activated in the server:
- Connect Raspi2 to internet via UMTS stick
- Avtivate tunnel into Rasp1
- Ping VPNserver under 10.8.0.1

What does not work if "redirect-gateway def1 bypass-dhcp" IS ACTIVATED in the server:
- connection to Raspi1 with openvpn server seems to be activated, but nothing else works afterwards:
- No ping to VPNserver under 10.8.0.1, no ping to internet... nothing....

Thank you very much for a hint, what the problem could be!


Background:
When starting the client I get this output and one strange error:

Code: Select all

[server] Peer Connection Initiated with [AF_INET]123.456.789.12:1194
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,route 10.8.0.0 255.255.255.0,topology net30,ifconfig 10.8.0.6 10.8.0.5'
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
ROUTE_GATEWAY ON_LINK IFACE=ppp0 HWADDR=00:00:00:00:00:00
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
/sbin/ip route add 123.456.789.12/32 via 0.0.0.0
ERROR: Linux route add command failed: external program exited with error status: 2
/sbin/ip route add 0.0.0.0/1 via 10.8.0.5
/sbin/ip route add 128.0.0.0/1 via 10.8.0.5
/sbin/ip route add 10.8.0.0/24 via 10.8.0.5
Initialization Sequence Completed

My understanding: The encrypted connection is established, the server sends his push messages incl. redirect-gateway and the google DNS 8.8.8.8. Strangely the client gets the external IP of my FritzBox Router 123.456.789.12 (imaginery) as a route push although I have it in not configuration file neither on the server nor on the client. And then the error occurs. The process continues and then "Initialization Sequence Completed"

After this I have this route-n table:

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.64.64.64     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0

Unfortunately I cannot really read this and dont know whether this is ok.

BTW: Yes I have on both raspberries (server and client) the 2.3 version of openvpn. Yes I have ip-forward etc on server up and running... my android phone can still connect and routes all its traffic over vpn according to the "redirect-gateway" set-up

[TinCanTech]

/sbin/ip route add 123.456.789.12/32 via 0.0.0.0
ERROR: Linux route add command failed: external program exited with error status: 2
/sbin/ip route add 0.0.0.0/1 via 10.8.0.5
/sbin/ip route add 128.0.0.0/1 via 10.8.0.5
/sbin/ip route add 10.8.0.0/24 via 10.8.0.5

"via 0.0.0.0" .. this is a curious error I have not seen before .. you do not appear to have an IP address .. or perhaps openvpn has not detected your ip address.

Please post details of ifconfig.

Perhaps your UMTS Stick is not suitable for use with openvpn .. you could ask the provider.

[emcc]

Hi,
thanks for your quick reply.

Here the output from ifconfig

Code: Select all

eth0      Link encap:Ethernet  HWaddr b2:34:da:f5:f3:2a  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:10.230.70.15  P-t-P:10.64.64.64  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:56 errors:0 dropped:0 overruns:0 frame:0
          TX packets:55 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:6828 (6.6 KiB)  TX bytes:5358 (5.2 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65085 errors:0 dropped:62790 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:95996249 (91.5 MiB)

If I DON'T use the "redirect-gateway" command, then the Raspi does connect thought the UMTS modem. I can pin 10.8.0.6 from the Raspi1 openvpn server and 10.8.0.1 from the Raspi2 client... so the modem supports it at least for the tunnel itself incl ssh etc... Only with "redirect-gateway" it does not work...

BTW:
Just something which I just noted: I wrote in the openvpn.conf: ... server 10.8.0.0 255.255.255.0 ... according to the setup manual I followed. Neverthess tun0 has 255.255.255.255

[TinCanTech]

I wrote in the openvpn.conf: ... server 10.8.0.0 255.255.255.0 ... according to the setup manual I followed. Neverthess tun0 has 255.255.255.255

That is normal .. you are running with --topoloy net30 - See --topology in The Manual v23x

eth0 Link encap:Ethernet HWaddr b2:34:da:f5:f3:2a
UP BROADCAST MULTICAST MTU:1500 Metric:1
<..>

ppp0 Link encap:Point-to-Point Protocol
inet addr:10.230.70.15 P-t-P:10.64.64.64 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
<..>

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1

Notice, your ethernet has no IP address .. please try again but completely disable your ethernet device first.

[emcc]

Hi,
I tried it with "sudo ifconfig eth0 down" . Hope this what you meant. Unfortunately same behavior, except that in ifconfig eth0 does not appear any more. BTW: After some time is comes back...
But apart from this the UMTS connection is via PPP0, and there isn't any ethernet cable connected to the Raspi.

What about the

Code: Select all

"sbin/ip route add 123.456.789.12/32 via 0.0.0.0
ERROR: Linux route add command failed: external program exited with error status: 2"

when starting the vpn on the client side... Is it normal that the client gets while starting the VPN connection the external internet IP from the Fritzbox-router with which the server is connected via WLAN?

Thanks for your help!

[TinCanTech]

Try disabling all network adapters in the BIOS and try again ..

[emcc]

Hmmm... very sorry, but I don't know how to do that... afaik the Raspberry has no classical BIOS ?!?... could you give me a hint what exactly to do? Thanks!

[TinCanTech]

Sorry, I don't know enough about Pi to be able to help with that.

However, I just noticed you are using

Code: Select all

redirect-gateway def1 bypass-dhcp

remove the bypass-dhcp part (from your server pushed options) and try again.

[emcc]

I tried that already. Same thing. With and without def1; with and without bypass-dhcp....
And there is to be remembered: It does work with Android. And there is this error message during startup of the vpn connection, which I cannot understand....
Anybody any other ideas? ......

[TinCanTech]

there is this error message during startup of the vpn connection, which I cannot understand

Which error message do you mean ?

And there is to be remembered: It does work with Android

The problem appears to be the UMTS network but only for using redirect-gaterway .. for some reason openvpn appears to be confused about your gateway.

As you have done so yet, please post your server and client config files.

[emcc]

Hi,

1)
I mean this error (compare above), which is in the output if I start the VPNclient

What about the
Code: Select all
"sbin/ip route add 123.456.789.12/32 via 0.0.0.0
ERROR: Linux route add command failed: external program exited with error status: 2"
when starting the vpn on the client side... Is it normal that the client gets while starting the VPN connection the external internet IP from the Fritzbox-router with which the server is connected via WLAN?

The IP 123.456.... is the external IP from my FritzBox router in the Wlan on the VPN server side (I just anonymized it...) . the question is: Is it normal that the client gets while starting the VPN connection the external internet IP from the Fritzbox-router with which the server is connected via WLAN?

2)
I also disabled eth0 in interfaces by now

Code: Select all

auto lo
iface lo inet loopback

#auto eth0
#iface eth0 inet dhcp

iface ppp0 inet wvdial

so my ifconfig-output is

Code: Select all

lo        Link encap:Lokale Schleife  
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:65536  Metrik:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1 
          RX bytes:1272 (1.2 KiB)  TX bytes:1272 (1.2 KiB)

ppp0      Link encap:Punkt-zu-Punkt-Verbindung  
          inet Adresse:10.249.140.104  P-z-P:10.64.64.64  Maske:255.255.255.255
          UP PUNKTZUPUNKT RUNNING NOARP MULTICAST  MTU:1500  Metrik:1
          RX packets:106 errors:0 dropped:0 overruns:0 frame:0
          TX packets:103 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:3 
          RX bytes:11425 (11.1 KiB)  TX bytes:8914 (8.7 KiB)

tun0      Link encap:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet Adresse:10.8.0.6  P-z-P:10.8.0.5  Maske:255.255.255.255
          UP PUNKTZUPUNKT RUNNING NOARP MULTICAST  MTU:1500  Metrik:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:356612 errors:0 dropped:354116 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:100 
          RX bytes:0 (0.0 B)  TX bytes:533123352 (508.4 MiB)

What is strange are the different packets errors (maybe normal?) and the TX bytes in tun0. This cannot be true since it never worked...

3)
Mir client config:

Code: Select all

dev tun
client
proto udp
remote MYSERVERURL.no-ip.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 4

and my server config (which works with Android client):

Code: Select all

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 4
client-to-client
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
log-append /var/log/openvpn
comp-lzo

[TinCanTech]

Hi,

1)
I mean this error (compare above), which is in the output if I start the VPNclient

What about the
Code: Select all
"sbin/ip route add 123.456.789.12/32 via 0.0.0.0
ERROR: Linux route add command failed: external program exited with error status: 2"
when starting the vpn on the client side... Is it normal that the client gets while starting the VPN connection the external internet IP from the Fritzbox-router with which the server is connected via WLAN?

The IP 123.456.... is the external IP from my FritzBox router in the Wlan on the VPN server side (I just anonymized it...) . the question is: Is it normal that the client gets while starting the VPN connection the external internet IP from the Fritzbox-router with which the server is connected via WLAN?

This is not an error, this is openvpn trying to enable the redirect-gateway option. The error is due to openvpn using 0.0.0.0 as the gateway .. for some reason openvpn has not determined your default gateway correctly. Once this is resolved, I think the other problems will be resolved.

Please reboot your computer and start your UMTS network but not openvpn.

Then please post your routing table:

Code: Select all

$ route

[emcc]

Ah ok...
Here you go:

"route" for UMTS without openvpn:

Code: Select all

Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 ppp0
10.64.64.64     *               255.255.255.255 UH    0      0        0 ppp0

and "route -n" for UMTS with openvpn (without -n option nothing appears here):

Code: Select all

Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.64.64.64     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0

[emcc]

Hmmmm... nobody any ideas.... ??? What about these routing tables? Anything I can change? Maybe manually?

Thanks for your help!

[TinCanTech]

I do not know why openvpn is failing to add the correct routing .. but you can do it manually.

Add --up and --down scripts to your config file like so:

Code: Select all

up /etc/openvpn/up.sh
down /etc/openvpn/down.sh

Edit - Version 3:

Code: Select all

#!/bin/bash
# up.sh
# 1.2.3.4 = Replace this with your UMTS Stick IP address
umts_gateway=1.2.3.4
/sbin/ip route add $trusted_ip/32 via $umts_gateway

Code: Select all

#!/bin/bash
# down.sh
/sbin/ip route delete $trusted_ip

Remember to set executable bit on script files ..

[TinCanTech]

Please post output of:

Code: Select all

openvpn --version

[TinCanTech]

Linking to this thread:
viewtopic.php?f=4&t=21913