I'm working with Ubuntu 16.04 LTS and I use an OpenVPN connection to reach my EC2 network.
Here is my client-side VPN file:
client
dev tun
proto udp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
auth SHA512
comp-lzo
verb 3
tls-version-min 1.2
reneg-sec 60
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
script-security 2
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
...
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
The connection works fine.
The update-resolv script works too, feeding my /etc/resolv.conf file (which is a link to /run/resolvconf/resolv.conf).
Here is my resolv.conf before connection:
➜ ~ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1
My ip route before VPN:
➜ ~ sudo /sbin/ip route
default via 192.168.43.1 dev wlp4s0 proto static metric 600
169.254.0.0/16 dev wlp4s0 scope link metric 1000
172.16.121.0/24 dev br-e1d8d398de05 proto kernel scope link src 172.16.121.1 linkdown
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-dd6b294340ae proto kernel scope link src 172.18.0.1 linkdown
172.19.0.0/16 dev br-a623726dc9bd proto kernel scope link src 172.19.0.1 linkdown
192.168.43.0/24 dev wlp4s0 proto kernel scope link src 192.168.43.109 metric 600
➜ ~ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 172.20.32.42
nameserver 172.20.0.2
nameserver 127.0.1.1
ip route :
➜ ~ sudo /sbin/ip route
default via 192.168.43.1 dev wlp4s0 proto static metric 600
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
169.254.0.0/16 dev wlp4s0 scope link metric 1000
172.16.121.0/24 dev br-e1d8d398de05 proto kernel scope link src 172.16.121.1 linkdown
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-dd6b294340ae proto kernel scope link src 172.18.0.1 linkdown
172.19.0.0/16 dev br-a623726dc9bd proto kernel scope link src 172.19.0.1 linkdown
172.20.0.0/16 via 10.8.0.5 dev tun0
192.168.43.0/24 dev wlp4s0 proto kernel scope link src 192.168.43.109 metric 600
The problem appears when I shut down the VPN with Ctrl+C.
The OpenVPN log shows:
^CTue Dec 11 18:43:52 2018 event_wait : Interrupted system call (code=4)
Tue Dec 11 18:43:52 2018 /sbin/ip route del 10.8.0.1/32
RTNETLINK answers: Operation not permitted
Tue Dec 11 18:43:52 2018 ERROR: Linux route delete command failed: external program exited with error status: 2
Tue Dec 11 18:43:52 2018 /sbin/ip route del 172.20.0.0/16
RTNETLINK answers: Operation not permitted
Tue Dec 11 18:43:52 2018 ERROR: Linux route delete command failed: external program exited with error status: 2
Tue Dec 11 18:43:52 2018 Closing TUN/TAP interface
Tue Dec 11 18:43:52 2018 /sbin/ip addr del dev tun0 local 10.8.0.10 peer 10.8.0.9
RTNETLINK answers: Operation not permitted
Tue Dec 11 18:43:52 2018 Linux ip addr del failed: external program exited with error status: 2
Tue Dec 11 18:43:52 2018 /etc/openvpn/update-resolv-conf tun0 1500 1602 10.8.0.10 10.8.0.9 init
rm: cannot remove 'tun0.openvpn': Permission denied
Tue Dec 11 18:43:52 2018 WARNING: Failed running command (--up/--down): external program exited with error status: 1
Tue Dec 11 18:43:52 2018 Exiting due to fatal error
nameserver 172.20.32.42
nameserver 172.20.0.2
I have to manually edit my resolv.conf to delete the 2 lines each time I quit the VPN.
The problem appeared 3 days ago, and I can't find out why.
I temporarily had a local docker-compose on my own LAN 172.20.0.0 during these 3 days (locally), but it is no longer registered, and no trace remains in ip route, so I don't know if it was the origin of the problem.
Thanks for your help.
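As an added diagnostic (not part of the original post), assuming the usual OpenVPN behaviour that `user nobody`/`group nogroup` drop root after startup so the shutdown cleanup (route deletion and the --down script) runs unprivileged: this script flags that combination in the client config, counts the permission failures in a log like the one above, and lists the nameservers left in resolv.conf that were not there before the VPN. The file contents are constructed from the post.

```shell
# Added diagnostic, not from the original post. Known OpenVPN behaviour (stated
# here as the assumption this check relies on): after "user"/"group" the daemon
# drops root, so at shutdown "ip route del" and the --down script run as nobody
# unless the down-root plugin is used. Sample files are constructed from the post.
WORK=$(mktemp -d)
cat > "$WORK/client.ovpn" <<'EOF'
client
dev tun
user nobody
group nogroup
persist-tun
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
script-security 2
EOF
cat > "$WORK/openvpn.log" <<'EOF'
Tue Dec 11 18:43:52 2018 /sbin/ip route del 10.8.0.1/32
RTNETLINK answers: Operation not permitted
Tue Dec 11 18:43:52 2018 /sbin/ip route del 172.20.0.0/16
RTNETLINK answers: Operation not permitted
Tue Dec 11 18:43:52 2018 /etc/openvpn/update-resolv-conf tun0 1500 1602 10.8.0.10 10.8.0.9 init
rm: cannot remove 'tun0.openvpn': Permission denied
EOF
printf 'nameserver 127.0.1.1\n' > "$WORK/resolv.before"
printf 'nameserver 172.20.32.42\nnameserver 172.20.0.2\nnameserver 127.0.1.1\n' > "$WORK/resolv.after"

# True (exit 0) when the config drops privileges yet still relies on a plain
# --down script, so the shutdown hook cannot undo what --up did as root.
config_drops_privs_before_down() {
    grep -Eq '^(user|group)[[:space:]]' "$1" &&
    grep -Eq '^down[[:space:]]' "$1" &&
    ! grep -Eq '^plugin[[:space:]].*down-root' "$1"
}

# Number of shutdown cleanup steps the log shows failing for lack of privileges.
count_unprivileged_cleanup_failures() {
    grep -Ec 'Operation not permitted|Permission denied' "$1"
}

# Nameservers present after disconnect that were not in the pre-VPN baseline.
stale_nameservers() {
    awk 'NR==FNR { if ($1=="nameserver") seen[$2]=1; next }
         $1=="nameserver" && !($2 in seen) { printf "%s%s", sep, $2; sep=" " }
         END { print "" }' "$1" "$2"
}

config_drops_privs_before_down "$WORK/client.ovpn" && echo "user/group set: --down runs unprivileged"
echo "privilege failures in log: $(count_unprivileged_cleanup_failures "$WORK/openvpn.log")"
echo "stale nameservers: $(stale_nameservers "$WORK/resolv.before" "$WORK/resolv.after")"
```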