Recursive routing detected

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
archimede.pitagorico
OpenVpn Newbie
Posts: 7
Joined: Mon Feb 13, 2017 2:08 am

Recursive routing detected

Post by archimede.pitagorico » Mon Feb 13, 2017 11:40 am

I connect via udp to a vpn server located at 212.138.35.25 (this is not the real IP i connect to, I changed it to a dummy one for privacy reasons).

I see lot of messages like the ones below in the log, with a distance of a few seconds.

The tun interface is working correctly. All traffic originated from a segregated network namespace is
succesfully routed via it using policy routing. The wan interface is also working well.

I am using openvpn 2.4.0 on the latest Linux kernel distributed with Arch Linux.

I assume these are packets originated by a local process and directed to the VPN server, but routed via
the tun interface instead of via the wan interface. However, if I add in all tables and chains of the iptables firewall
the rules like this

Code: Select all

iptables -I OUTPUT 1 -d 212.138.35.25 -p udp -m udp --dport 443 ! -o vpn -j LOG --log-prefix "BAD PACKET"
nothing gets logged.

How can I debug this further, is there a way I can hack openvpn source code to display more info on these packets?

Thanks

Code: Select all

Feb 13 19:01:11 archimede openvpn[537]: Recursive routing detected, drop tun packet to [AF_INET]212.138.35.25:443
Feb 13 19:01:12 archimede openvpn[537]: Recursive routing detected, drop tun packet to [AF_INET]212.138.35.25:443
Feb 13 19:01:14 archimede openvpn[537]: Recursive routing detected, drop tun packet to [AF_INET]212.138.35.25:443
Feb 13 19:01:15 archimede openvpn[537]: NOTE: --mute triggered...
Feb 13 19:02:05 archimede openvpn[537]: 5 variation(s) on previous 3 message(s) suppressed by --mute
Feb 13 19:02:05 archimede openvpn[537]: PID_ERR replay-window backtrack occurred [3] [SSL-7 [0___000000000000000000000000000000000000000000000000001111111111] 0:4180 0:4177 t=1486983725[0] r=[-2,64,15,3,1] sl=[44,64,64,528]
Feb 13 19:02:50 archimede openvpn[537]: Recursive routing detected, drop tun packet to [AF_INET]212.138.35.25:443
Feb 13 19:05:14 archimede openvpn[537]: Recursive routing detected, drop tun packet to [AF_INET]212.138.35.25:443
Feb 13 19:05:14 archimede openvpn[537]: Recursive routing detected, drop tun packet to [AF_INET]212.138.35.25:443
Feb 13 19:05:14 archimede openvpn[537]: NOTE: --mute triggered...
Feb 13 19:06:38 archimede openvpn[537]: 4 variation(s) on previous 3 message(s) suppressed by --mute
Feb 13 19:06:38 archimede openvpn[537]: PID_ERR replay-window backtrack occurred [4] [SSL-7  [0____00000000000000000000000000000000000000000000000011111111111] 0:16738 0:16734 t=1486983998[0] r=[0,64,15,4,1] sl=[30,64,64,528]


archimede.pitagorico
OpenVpn Newbie
Posts: 7
Joined: Mon Feb 13, 2017 2:08 am

Re: Recursive routing detected

Post by archimede.pitagorico » Tue Feb 14, 2017 12:39 pm

I have an hypothesis about what happens.

First of all, the openvpn error message is incorrect and misled me. It prints

Code: Select all

drop tun packet to [AF_INET]212.83.177.138:443
Here port 443 is not actually read from the packet, it is simply assumed that the destination port of the packet is the same as the one of the VPN server, but that that this is not the case for me. This is a bug. The destination port should be explicitly read from the packet. And, by the way, if this gets fixed, it would be nice to have as much info as possible on the packet in the error message.

Bad packets are originated by a BitTorrent client runnning in a container with DHT enabled. All traffic from the container is routed via the tun interface via a separate routing table (policy routing). My hypothesis is that my own address becomes part of the DHT on other clients, which in turn send it back to my client, which then attempt to contact itself, not knowing that it is my own address. I presume here that my BitTorrent client has no knowledge that this is my own external VPN IP, unless it uses some external web service to discover the external IP address.

The fix is to add a container firewall rule to drop these packets before they arrive to the VPN. Arguably I could do nothing and let openvpn discard these packets and log the warning message, but I have already seen my Linux server crashing twice, which never happened before, and I suspect it is related.

I'll test this for a while and revert if it does not work.

archimede.pitagorico
OpenVpn Newbie
Posts: 7
Joined: Mon Feb 13, 2017 2:08 am

Re: Recursive routing detected

Post by archimede.pitagorico » Tue Feb 14, 2017 1:10 pm


maskedkuma
OpenVpn Newbie
Posts: 5
Joined: Tue Aug 01, 2017 10:46 am

Re: Recursive routing detected

Post by maskedkuma » Fri Nov 02, 2018 9:21 am

came here via google.

i have these errors and want to rule them out as the reason my openvpn client on debian stops responding.

can you tell me what criteria you use to block the packets? i am using iptables

nomorefudgicles
OpenVpn Newbie
Posts: 1
Joined: Sat Jul 04, 2020 1:56 am

Re: Recursive routing detected

Post by nomorefudgicles » Sat Jul 04, 2020 2:00 am

This thread hasn't had an update for nearly 2 years. I still experience this issue using the latest client 2.4.9. The support ticket doesn't have any actionable information. Is there a resolution for this issue somewhere else? Thx.

https://community.openvpn.net/openvpn/ticket/843

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Recursive routing detected

Post by TinCanTech » Sat Jul 04, 2020 2:29 am

The answer is in the question: "How do i fix recursive routing"

Answer: Do not recursively route ..

:mrgreen:

maratik
OpenVpn Newbie
Posts: 1
Joined: Mon Apr 12, 2021 6:38 am

Re: Recursive routing detected

Post by maratik » Mon Apr 12, 2021 6:41 am

Found that this occurs sometimes when dhcpcd incorrectly resets routes on wifi reconnection. Switching from dhcpcd to dhclient (from dhcp package) resolves issue.

grimmy
OpenVpn Newbie
Posts: 1
Joined: Tue Jun 29, 2021 12:12 pm

Re: Recursive routing detected

Post by grimmy » Tue Jun 29, 2021 12:17 pm

archimede.pitagorico wrote:
Tue Feb 14, 2017 12:39 pm
I have an hypothesis about what happens.

First of all, the openvpn error message is incorrect and misled me. It prints

Code: Select all

drop tun packet to [AF_INET]212.83.177.138:443
Here port 443 is not actually read from the packet, it is simply assumed that the destination port of the packet is the same as the one of the VPN server, but that that this is not the case for me. This is a bug. The destination port should be explicitly read from the packet. And, by the way, if this gets fixed, it would be nice to have as much info as possible on the packet in the error message.

Bad packets are originated by a BitTorrent client runnning in a container with DHT enabled. All traffic from the container is routed via the tun interface via a separate routing table (policy routing). My hypothesis is that my own address becomes part of the DHT on other clients, which in turn send it back to my client, which then attempt to contact itself, not knowing that it is my own address. I presume here that my BitTorrent client has no knowledge that this is my own external VPN IP, unless it uses some external web service to discover the external IP address.

The fix is to add a container firewall rule to drop these packets before they arrive to the VPN. Arguably I could do nothing and let openvpn discard these packets and log the warning message, but I have already seen my Linux server crashing twice, which never happened before, and I suspect it is related.

I'll test this for a while and revert if it does not work.

this is correct and the same thing is happening for me. Thanks to your post i was able to confirm it was my torrent client causing the issue.
TinCanTech wrote:
Sat Jul 04, 2020 2:29 am
The answer is in the question: "How do i fix recursive routing"

Answer: Do not recursively route ..

:mrgreen:
how would you suggest we do that? In my case i dont have much choice as my ISP double Nats so no incoming connections will come in.

To get around this i purchased a VPS and have my home network and that linked via openVPN. this means when i am out and about i can still access my home e.g remote device > VPS-VPN > Home-VPN

Post Reply