Delete default route

How to customize and extend your OpenVPN installation.

Moderators: TinCanTech
plasticassius
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 14, 2020 9:15 am

Delete default route

Post by plasticassius » Tue Apr 14, 2020 10:24 am

Hi,
I'm using an OpenVPN client on a Seagate GoFlex Net device that runs OpenWrt 19.07.2 r10947-65030d81f3. I have a script that deletes the default route when the openvpn client exits unexpectedly. This makes it easier to detect an error, since when the tunnel closes, the device loses connectivity outside the local net entirely.

Code:

#!/bin/sh
# Wrapper around the OpenVPN client: "start" launches it with this script
# as its up/route-up/route-pre-down/down hook, and a background poller
# deletes the default route if the client exits without "stop" having
# been run, so a dead tunnel shows up as lost connectivity.

SECRET=xxx
USER=xxx
PASS=xxx

TMPDIR=/run
if [ -d "$TMPDIR" ] ; then

#sudo apt-get install openvpn
CONFIGPATH=/work/data/openvpn
#CONFIG="$CONFIGPATH"/Netherlands\ -\ Amsterdam.ovpn
#CONFIG="$CONFIGPATH/Czech Republic - Prague.ovpn"
CONFIG="$CONFIGPATH"/United\ States\ -\ Texas.ovpn

else

#opkg install openvpn-openssl
TMPDIR=/tmp$TMPDIR
CONFIG=/root/loc.ovpn

fi
TMPDIR=$TMPDIR/${0##*/}

serv_auth=$TMPDIR/secret.txt           # username/password handed to --auth-user-pass
serv_pid=$TMPDIR/pid.txt               # pid of the running openvpn
serv_restore=$TMPDIR/default_route.txt # "ip route add ..." command that restores the default route
serv_start=$TMPDIR/started.txt         # exists while the tunnel is up and no stop is expected
serv_log=/tmp/openvpn.log

if [ "$#" = "0" ] ; then cat <<EOF ; exit ; fi
openvpn.sh: start stop
EOF

echo "$0 $*" >> "$serv_log"
case "$1" in

start) if [ -e "$serv_pid" ] ; then echo already started ; exit ; fi
 umask 077               # the credentials file must not be readable by other users
 mkdir -p "$TMPDIR"
 printf '%s\n%s\n' "$USER" "$PASS" > "$serv_auth"
 cd /tmp

 # --script-security 2 is needed once to permit the hooks below;
 # each hook re-invokes this script with the hook name as $1
 openvpn \
 --config "$CONFIG" --auth-user-pass "$serv_auth" \
 --log "$serv_log" --verb 4 \
 --redirect-gateway \
 --script-security 2 \
 --up "$(readlink -f "$0") up" \
 --route-up "$(readlink -f "$0") route-up" \
 --route-pre-down "$(readlink -f "$0") route-pre-down" \
 --down "$(readlink -f "$0") down" \
 & echo $! > "$serv_pid"

 #wait for tunnel (also stop waiting if openvpn dies before route-up)
 while [ -e "$serv_pid" ] && kill -0 "$(cat "$serv_pid")" 2> /dev/null && [ ! -e "$serv_start" ] ; do sleep 1 ; done
 [ -e "$serv_pid" ] && echo "$0 started" >> "$serv_log"

 ( #wait for process exit
 while [ -e "$serv_pid" ] && kill -0 "$(cat "$serv_pid")" 2> /dev/null ; do sleep 1 ; done
 rm -f "$serv_pid"
 echo "$0 exited" >> "$serv_log"

 # "stop" removes $serv_start first, so its presence here means openvpn
 # died on its own: record the current default route, then drop it
 if [ -e "$serv_start" ] ; then
  echo "$0 unexpected" >> "$serv_log"
  echo "ip route add $(ip route | grep '^default ')" > "$serv_restore"
  ip route del default
 fi
 ) &
 ;;

up)
 # after tunnel open
 ;;

route-up)
 # after routes are up: mark the tunnel as established
 echo '#up' >> "$serv_start"
 ;;

route-pre-down)
 # before routes are removed
 ;;

down)
 # after tunnel closed
 ;;

stop)
 # indicate that stop is expected
 rm -f "$serv_start"

 #kill the client
 [ -e "$serv_pid" ] && kill "$(cat "$serv_pid")"

 #wait for process exit
 while [ -e "$serv_pid" ] && kill -0 "$(cat "$serv_pid")" 2> /dev/null ; do sleep 1 ; done

 #restore default route
 [ -e "$serv_restore" ] && . "$serv_restore"

 #clean up
 rm -rf "$TMPDIR"
 ;;

esac

I've tried placing "ip route del default" in route-up, down, and in the poller that checks whether openvpn exits unexpectedly. This seems to work, since I don't end up in the state where openvpn has terminated unexpectedly and restored the default route. I'd like to determine what causes openvpn to terminate unexpectedly, but haven't had any luck since it happens only infrequently.

There is also another infrequent failure mechanism. After openvpn has been connected for several days, it loses connectivity and attempts to reconnect repeatedly but can't. I can fix this by running stop followed by start in the above script. I will post a log the next time I see this failure; however, it hasn't happened in the last week or so.

A similar failure happens when I use the script on my Debian 10.3 laptop (with lxqt and connman). On the laptop I don't leave the tunnel connected for long, but after several days during which I've connected and disconnected perhaps 10x, as well as slept the system and woken it up repeatedly, the script loses the ability to connect. It seems that it makes some progress, but retries repeatedly without success. The only way I've found to fix this state is to reboot the laptop. I'll include the log in the next message since I ran out of space in this one.

Another piece of information is that I can't delete the default route on my laptop:

Code:

$ip route
default via 10.0.1.1 dev wlp2s0 
10.0.1.0/24 dev wlp2s0 proto kernel scope link src 10.0.1.90 
10.0.1.1 dev wlp2s0 scope link 
$sudo ip route del default
$ip route
default via 10.0.1.1 dev wlp2s0 
10.0.1.0/24 dev wlp2s0 proto kernel scope link src 10.0.1.90 
10.0.1.1 dev wlp2s0 scope link 
$

So, my questions are:

Is there a better way to disable the default gateway in the event that openvpn fails?

Is there a good way to track down why the tunnel loses connectivity and gets stuck in an endless retry loop?

Why can't I delete the default route on my laptop? Is it supposed to work that way?

Thanks for any help you may offer.

Peter
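An added check (not part of the post above, and not OpenVPN's own code) that the poller in the script could run instead of grepping for "default": it classifies where Internet-bound traffic currently leaves the host from the text of `ip route show`. It handles both the single default route that --redirect-gateway installs and the 0.0.0.0/1 + 128.0.0.0/1 pair that --redirect-gateway def1 installs, which take precedence over "default" by longest-prefix match and which `grep '^default '` would misread. The interface names and addresses in the sample tables are constructed.

```shell
#!/bin/sh
# Added example: classify the host's egress path from `ip route show` text.
# Every function returns 0 and reports through stdout, so it is safe under set -e.

# Print the interface named after "dev" on one `ip route` line (empty if none).
route_dev() {
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = dev ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    printf '\n'
    return 0
}

# Print the interface an arbitrary Internet-bound packet would leave on,
# given the full `ip route show` output as $1.  The /1 half-routes of a
# def1 setup are more specific than "default" and win when present;
# "split" means only one half exists or the halves point at different
# interfaces; empty means nothing covers the Internet at all.
egress_dev() {
    egress_table=$1
    egress_default='' egress_lo='' egress_hi=''
    while IFS= read -r egress_line; do
        set -- $egress_line
        case "${1:-}" in
            default|0.0.0.0/0) egress_default=$(route_dev "$egress_line") ;;
            0.0.0.0/1)         egress_lo=$(route_dev "$egress_line") ;;
            128.0.0.0/1)       egress_hi=$(route_dev "$egress_line") ;;
        esac
    done <<EOF
$egress_table
EOF
    if [ -n "$egress_lo" ] || [ -n "$egress_hi" ]; then
        if [ "$egress_lo" = "$egress_hi" ]; then
            printf '%s\n' "$egress_lo"
        else
            printf 'split\n'
        fi
    else
        printf '%s\n' "$egress_default"
    fi
}

# Map the egress interface to a state: "tunnel" when traffic leaves through a
# tun/tap interface, "offline" when no route covers the Internet (the state the
# script above aims for after an unexpected exit), "leak" for anything else,
# including a split def1 pair.
egress_state() {
    egress_if=$(egress_dev "$1")
    case "$egress_if" in
        tun*|tap*) printf 'tunnel\n' ;;
        '')        printf 'offline\n' ;;
        *)         printf 'leak\n' ;;
    esac
}

# Constructed route tables (names and addresses are made up for the demo).
TABLE_LAN_ONLY='default via 10.0.1.1 dev wlp2s0
10.0.1.0/24 dev wlp2s0 proto kernel scope link src 10.0.1.90'

TABLE_REDIRECT='default via 10.8.0.5 dev tun0
10.0.1.0/24 dev wlp2s0 proto kernel scope link src 10.0.1.90
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
198.51.100.7 via 10.0.1.1 dev wlp2s0'

TABLE_DEF1='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 10.0.1.1 dev wlp2s0
10.0.1.0/24 dev wlp2s0 proto kernel scope link src 10.0.1.90
128.0.0.0/1 via 10.8.0.5 dev tun0'

TABLE_NO_DEFAULT='10.0.1.0/24 dev wlp2s0 proto kernel scope link src 10.0.1.90
10.0.1.1 dev wlp2s0 scope link'

# One half of a def1 pair is gone: the other half now leaks via the LAN gateway.
TABLE_SPLIT='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 10.0.1.1 dev wlp2s0'

# Demonstration on the constructed tables; on a live host use:
#   egress_state "$(ip route show)"
for egress_name in LAN_ONLY REDIRECT DEF1 NO_DEFAULT SPLIT; do
    eval "egress_tbl=\$TABLE_$egress_name"
    printf '%-10s %s\n' "$egress_name" "$(egress_state "$egress_tbl")"
done
```

Run from the poller, a result of "leak" after openvpn has exited is exactly the window the script's `ip route del default` is meant to close, and "offline" confirms it closed.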

plasticassius
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 14, 2020 9:15 am

Re: Delete default route

Post by plasticassius » Tue Apr 14, 2020 10:42 am

Here is the log from the laptop:

Code:

Sat Apr 11 08:04:43 2020 us=448459 Current Parameter Settings:
Sat Apr 11 08:04:43 2020 us=448466   config = '/work/data/openvpn/United States - Texas.ovpn'
Sat Apr 11 08:04:43 2020 us=448471   mode = 0
Sat Apr 11 08:04:43 2020 us=448477   persist_config = DISABLED
Sat Apr 11 08:04:43 2020 us=448482   persist_mode = 1
Sat Apr 11 08:04:43 2020 us=448486   show_ciphers = DISABLED
Sat Apr 11 08:04:43 2020 us=448491   show_digests = DISABLED
Sat Apr 11 08:04:43 2020 us=448495   show_engines = DISABLED
Sat Apr 11 08:04:43 2020 us=448500   genkey = DISABLED
Sat Apr 11 08:04:43 2020 us=448504   key_pass_file = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448508   show_tls_ciphers = DISABLED
Sat Apr 11 08:04:43 2020 us=448513   connect_retry_max = 0
Sat Apr 11 08:04:43 2020 us=448518 Connection profiles [0]:
Sat Apr 11 08:04:43 2020 us=448523   proto = udp
Sat Apr 11 08:04:43 2020 us=448527   local = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448532   local_port = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448536   remote = 'tx-us-openvpn.boxpnservers.com'
Sat Apr 11 08:04:43 2020 us=448541   remote_port = '1195'
Sat Apr 11 08:04:43 2020 us=448545   remote_float = DISABLED
Sat Apr 11 08:04:43 2020 us=448550   bind_defined = DISABLED
Sat Apr 11 08:04:43 2020 us=448554   bind_local = DISABLED
Sat Apr 11 08:04:43 2020 us=448559   bind_ipv6_only = DISABLED
Sat Apr 11 08:04:43 2020 us=448563   connect_retry_seconds = 5
Sat Apr 11 08:04:43 2020 us=448568   connect_timeout = 120
Sat Apr 11 08:04:43 2020 us=448572   socks_proxy_server = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448577   socks_proxy_port = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448581   tun_mtu = 1500
Sat Apr 11 08:04:43 2020 us=448586   tun_mtu_defined = ENABLED
Sat Apr 11 08:04:43 2020 us=448590   link_mtu = 1500
Sat Apr 11 08:04:43 2020 us=448594   link_mtu_defined = DISABLED
Sat Apr 11 08:04:43 2020 us=448599   tun_mtu_extra = 0
Sat Apr 11 08:04:43 2020 us=448603   tun_mtu_extra_defined = DISABLED
Sat Apr 11 08:04:43 2020 us=448608   mtu_discover_type = -1
Sat Apr 11 08:04:43 2020 us=448612   fragment = 0
Sat Apr 11 08:04:43 2020 us=448617   mssfix = 1450
Sat Apr 11 08:04:43 2020 us=448621   explicit_exit_notification = 0
Sat Apr 11 08:04:43 2020 us=448626 Connection profiles END
Sat Apr 11 08:04:43 2020 us=448631   remote_random = DISABLED
Sat Apr 11 08:04:43 2020 us=448635   ipchange = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448640   dev = 'tun'
Sat Apr 11 08:04:43 2020 us=448644   dev_type = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448648   dev_node = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448653   lladdr = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448657   topology = 1
Sat Apr 11 08:04:43 2020 us=448662   ifconfig_local = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448666   ifconfig_remote_netmask = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448671   ifconfig_noexec = DISABLED
Sat Apr 11 08:04:43 2020 us=448675   ifconfig_nowarn = DISABLED
Sat Apr 11 08:04:43 2020 us=448679   ifconfig_ipv6_local = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448684   ifconfig_ipv6_netbits = 0
Sat Apr 11 08:04:43 2020 us=448688   ifconfig_ipv6_remote = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448693   shaper = 0
Sat Apr 11 08:04:43 2020 us=448697   mtu_test = 0
Sat Apr 11 08:04:43 2020 us=448702   mlock = DISABLED
Sat Apr 11 08:04:43 2020 us=448706   keepalive_ping = 10
Sat Apr 11 08:04:43 2020 us=448711   keepalive_timeout = 30
Sat Apr 11 08:04:43 2020 us=448715   inactivity_timeout = 0
Sat Apr 11 08:04:43 2020 us=448720   ping_send_timeout = 10
Sat Apr 11 08:04:43 2020 us=448724   ping_rec_timeout = 30
Sat Apr 11 08:04:43 2020 us=448728   ping_rec_timeout_action = 2
Sat Apr 11 08:04:43 2020 us=448733   ping_timer_remote = DISABLED
Sat Apr 11 08:04:43 2020 us=448737   remap_sigusr1 = 0
Sat Apr 11 08:04:43 2020 us=448742   persist_tun = DISABLED
Sat Apr 11 08:04:43 2020 us=448746   persist_local_ip = DISABLED
Sat Apr 11 08:04:43 2020 us=448751   persist_remote_ip = ENABLED
Sat Apr 11 08:04:43 2020 us=448755   persist_key = ENABLED
Sat Apr 11 08:04:43 2020 us=448763   passtos = DISABLED
Sat Apr 11 08:04:43 2020 us=448768   resolve_retry_seconds = 1000000000
Sat Apr 11 08:04:43 2020 us=448773   resolve_in_advance = DISABLED
Sat Apr 11 08:04:43 2020 us=448777   username = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448782   groupname = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448786   chroot_dir = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448790   cd_dir = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448795   writepid = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448799   up_script = '/home/work/sour/script/openvpn.sh up'
Sat Apr 11 08:04:43 2020 us=448804   down_script = '/home/work/sour/script/openvpn.sh down'
Sat Apr 11 08:04:43 2020 us=448808   down_pre = DISABLED
Sat Apr 11 08:04:43 2020 us=448813   up_restart = DISABLED
Sat Apr 11 08:04:43 2020 us=448817   up_delay = DISABLED
Sat Apr 11 08:04:43 2020 us=448822   daemon = DISABLED
Sat Apr 11 08:04:43 2020 us=448826   inetd = 0
Sat Apr 11 08:04:43 2020 us=448831   log = ENABLED
Sat Apr 11 08:04:43 2020 us=448835   suppress_timestamps = DISABLED
Sat Apr 11 08:04:43 2020 us=448840   machine_readable_output = DISABLED
Sat Apr 11 08:04:43 2020 us=448844   nice = 0
Sat Apr 11 08:04:43 2020 us=448849   verbosity = 4
Sat Apr 11 08:04:43 2020 us=448853   mute = 0
Sat Apr 11 08:04:43 2020 us=448857   gremlin = 0
Sat Apr 11 08:04:43 2020 us=448862   status_file = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448866   status_file_version = 1
Sat Apr 11 08:04:43 2020 us=448871   status_file_update_freq = 60
Sat Apr 11 08:04:43 2020 us=448875   occ = ENABLED
Sat Apr 11 08:04:43 2020 us=448880   rcvbuf = 0
Sat Apr 11 08:04:43 2020 us=448884   sndbuf = 0
Sat Apr 11 08:04:43 2020 us=448889   mark = 0
Sat Apr 11 08:04:43 2020 us=448893   sockflags = 0
Sat Apr 11 08:04:43 2020 us=448899   fast_io = DISABLED
Sat Apr 11 08:04:43 2020 us=448904   comp.alg = 2
Sat Apr 11 08:04:43 2020 us=448909   comp.flags = 1
Sat Apr 11 08:04:43 2020 us=448913   route_script = '/home/work/sour/script/openvpn.sh route-up'
Sat Apr 11 08:04:43 2020 us=448918   route_default_gateway = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448923   route_default_metric = 0
Sat Apr 11 08:04:43 2020 us=448927   route_noexec = DISABLED
Sat Apr 11 08:04:43 2020 us=448932   route_delay = 0
Sat Apr 11 08:04:43 2020 us=448936   route_delay_window = 30
Sat Apr 11 08:04:43 2020 us=448941   route_delay_defined = DISABLED
Sat Apr 11 08:04:43 2020 us=448945   route_nopull = DISABLED
Sat Apr 11 08:04:43 2020 us=448950   route_gateway_via_dhcp = DISABLED
Sat Apr 11 08:04:43 2020 us=448954   allow_pull_fqdn = DISABLED
Sat Apr 11 08:04:43 2020 us=448959   [redirect_default_gateway local=0]
Sat Apr 11 08:04:43 2020 us=448964   management_addr = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448968   management_port = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448973   management_user_pass = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448980   management_log_history_cache = 250
Sat Apr 11 08:04:43 2020 us=448985   management_echo_buffer_size = 100
Sat Apr 11 08:04:43 2020 us=448990   management_write_peer_info_file = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448995   management_client_user = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=448999   management_client_group = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449004   management_flags = 0
Sat Apr 11 08:04:43 2020 us=449009   shared_secret_file = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449014   key_direction = 1
Sat Apr 11 08:04:43 2020 us=449018   ciphername = 'AES-256-CBC'
Sat Apr 11 08:04:43 2020 us=449023   ncp_enabled = ENABLED
Sat Apr 11 08:04:43 2020 us=449028   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Sat Apr 11 08:04:43 2020 us=449032   authname = 'SHA1'
Sat Apr 11 08:04:43 2020 us=449037   prng_hash = 'SHA1'
Sat Apr 11 08:04:43 2020 us=449042   prng_nonce_secret_len = 16
Sat Apr 11 08:04:43 2020 us=449047   keysize = 0
Sat Apr 11 08:04:43 2020 us=449051   engine = DISABLED
Sat Apr 11 08:04:43 2020 us=449056   replay = ENABLED
Sat Apr 11 08:04:43 2020 us=449061   mute_replay_warnings = DISABLED
Sat Apr 11 08:04:43 2020 us=449065   replay_window = 64
Sat Apr 11 08:04:43 2020 us=449070   replay_time = 15
Sat Apr 11 08:04:43 2020 us=449077   packet_id_file = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449082   use_iv = ENABLED
Sat Apr 11 08:04:43 2020 us=449087   test_crypto = DISABLED
Sat Apr 11 08:04:43 2020 us=449091   tls_server = DISABLED
Sat Apr 11 08:04:43 2020 us=449096   tls_client = ENABLED
Sat Apr 11 08:04:43 2020 us=449101   key_method = 2
Sat Apr 11 08:04:43 2020 us=449106   ca_file = '[[INLINE]]'
Sat Apr 11 08:04:43 2020 us=449110   ca_path = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449115   dh_file = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449120   cert_file = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449125   extra_certs_file = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449129   priv_key_file = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449134   pkcs12_file = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449138   cipher_list = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449143   cipher_list_tls13 = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449148   tls_cert_profile = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449152   tls_verify = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449157   tls_export_cert = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449161   verify_x509_type = 0
Sat Apr 11 08:04:43 2020 us=449166   verify_x509_name = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449171   crl_file = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449175   ns_cert_type = 0
Sat Apr 11 08:04:43 2020 us=449180   remote_cert_ku[i] = 65535
Sat Apr 11 08:04:43 2020 us=449185   remote_cert_ku[i] = 0
Sat Apr 11 08:04:43 2020 us=449189   remote_cert_ku[i] = 0
Sat Apr 11 08:04:43 2020 us=449194   remote_cert_ku[i] = 0
Sat Apr 11 08:04:43 2020 us=449198   remote_cert_ku[i] = 0
Sat Apr 11 08:04:43 2020 us=449203   remote_cert_ku[i] = 0
Sat Apr 11 08:04:43 2020 us=449208   remote_cert_ku[i] = 0
Sat Apr 11 08:04:43 2020 us=449212   remote_cert_ku[i] = 0
Sat Apr 11 08:04:43 2020 us=449217   remote_cert_ku[i] = 0
Sat Apr 11 08:04:43 2020 us=449221   remote_cert_ku[i] = 0
Sat Apr 11 08:04:43 2020 us=449226   remote_cert_ku[i] = 0
Sat Apr 11 08:04:43 2020 us=449230   remote_cert_ku[i] = 0
Sat Apr 11 08:04:43 2020 us=449235   remote_cert_ku[i] = 0
Sat Apr 11 08:04:43 2020 us=449239   remote_cert_ku[i] = 0
Sat Apr 11 08:04:43 2020 us=449244   remote_cert_ku[i] = 0
Sat Apr 11 08:04:43 2020 us=449249   remote_cert_ku[i] = 0
Sat Apr 11 08:04:43 2020 us=449253   remote_cert_eku = 'TLS Web Server Authentication'
Sat Apr 11 08:04:43 2020 us=449265   ssl_flags = 0
Sat Apr 11 08:04:43 2020 us=449273   tls_timeout = 2
Sat Apr 11 08:04:43 2020 us=449278   renegotiate_bytes = -1
Sat Apr 11 08:04:43 2020 us=449283   renegotiate_packets = 0
Sat Apr 11 08:04:43 2020 us=449288   renegotiate_seconds = 3600
Sat Apr 11 08:04:43 2020 us=449293   handshake_window = 60
Sat Apr 11 08:04:43 2020 us=449297   transition_window = 3600
Sat Apr 11 08:04:43 2020 us=449302   single_session = DISABLED
Sat Apr 11 08:04:43 2020 us=449307   push_peer_info = DISABLED
Sat Apr 11 08:04:43 2020 us=449312   tls_exit = DISABLED
Sat Apr 11 08:04:43 2020 us=449317   tls_auth_file = '[[INLINE]]'
Sat Apr 11 08:04:43 2020 us=449321   tls_crypt_file = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449326   pkcs11_protected_authentication = DISABLED
Sat Apr 11 08:04:43 2020 us=449331   pkcs11_protected_authentication = DISABLED
Sat Apr 11 08:04:43 2020 us=449335   pkcs11_protected_authentication = DISABLED
Sat Apr 11 08:04:43 2020 us=449340   pkcs11_protected_authentication = DISABLED
Sat Apr 11 08:04:43 2020 us=449344   pkcs11_protected_authentication = DISABLED
Sat Apr 11 08:04:43 2020 us=449349   pkcs11_protected_authentication = DISABLED
Sat Apr 11 08:04:43 2020 us=449353   pkcs11_protected_authentication = DISABLED
Sat Apr 11 08:04:43 2020 us=449358   pkcs11_protected_authentication = DISABLED
Sat Apr 11 08:04:43 2020 us=449362   pkcs11_protected_authentication = DISABLED
Sat Apr 11 08:04:43 2020 us=449367   pkcs11_protected_authentication = DISABLED
Sat Apr 11 08:04:43 2020 us=449371   pkcs11_protected_authentication = DISABLED
Sat Apr 11 08:04:43 2020 us=449376   pkcs11_protected_authentication = DISABLED
Sat Apr 11 08:04:43 2020 us=449380   pkcs11_protected_authentication = DISABLED
Sat Apr 11 08:04:43 2020 us=449388   pkcs11_protected_authentication = DISABLED
Sat Apr 11 08:04:43 2020 us=449393   pkcs11_protected_authentication = DISABLED
Sat Apr 11 08:04:43 2020 us=449397   pkcs11_protected_authentication = DISABLED
Sat Apr 11 08:04:43 2020 us=449402   pkcs11_private_mode = 00000000
Sat Apr 11 08:04:43 2020 us=449406   pkcs11_private_mode = 00000000
Sat Apr 11 08:04:43 2020 us=449411   pkcs11_private_mode = 00000000
Sat Apr 11 08:04:43 2020 us=449416   pkcs11_private_mode = 00000000
Sat Apr 11 08:04:43 2020 us=449420   pkcs11_private_mode = 00000000
Sat Apr 11 08:04:43 2020 us=449425   pkcs11_private_mode = 00000000
Sat Apr 11 08:04:43 2020 us=449429   pkcs11_private_mode = 00000000
Sat Apr 11 08:04:43 2020 us=449433   pkcs11_private_mode = 00000000
Sat Apr 11 08:04:43 2020 us=449438   pkcs11_private_mode = 00000000
Sat Apr 11 08:04:43 2020 us=449442   pkcs11_private_mode = 00000000
Sat Apr 11 08:04:43 2020 us=449447   pkcs11_private_mode = 00000000
Sat Apr 11 08:04:43 2020 us=449451   pkcs11_private_mode = 00000000
Sat Apr 11 08:04:43 2020 us=449456   pkcs11_private_mode = 00000000
Sat Apr 11 08:04:43 2020 us=449460   pkcs11_private_mode = 00000000
Sat Apr 11 08:04:43 2020 us=449465   pkcs11_private_mode = 00000000
Sat Apr 11 08:04:43 2020 us=449469   pkcs11_private_mode = 00000000
Sat Apr 11 08:04:43 2020 us=449474   pkcs11_cert_private = DISABLED
Sat Apr 11 08:04:43 2020 us=449478   pkcs11_cert_private = DISABLED
Sat Apr 11 08:04:43 2020 us=449483   pkcs11_cert_private = DISABLED
Sat Apr 11 08:04:43 2020 us=449487   pkcs11_cert_private = DISABLED
Sat Apr 11 08:04:43 2020 us=449492   pkcs11_cert_private = DISABLED
Sat Apr 11 08:04:43 2020 us=449496   pkcs11_cert_private = DISABLED
Sat Apr 11 08:04:43 2020 us=449501   pkcs11_cert_private = DISABLED
Sat Apr 11 08:04:43 2020 us=449505   pkcs11_cert_private = DISABLED
Sat Apr 11 08:04:43 2020 us=449510   pkcs11_cert_private = DISABLED
Sat Apr 11 08:04:43 2020 us=449514   pkcs11_cert_private = DISABLED
Sat Apr 11 08:04:43 2020 us=449519   pkcs11_cert_private = DISABLED
Sat Apr 11 08:04:43 2020 us=449523   pkcs11_cert_private = DISABLED
Sat Apr 11 08:04:43 2020 us=449528   pkcs11_cert_private = DISABLED
Sat Apr 11 08:04:43 2020 us=449532   pkcs11_cert_private = DISABLED
Sat Apr 11 08:04:43 2020 us=449537   pkcs11_cert_private = DISABLED
Sat Apr 11 08:04:43 2020 us=449541   pkcs11_cert_private = DISABLED
Sat Apr 11 08:04:43 2020 us=449546   pkcs11_pin_cache_period = -1
Sat Apr 11 08:04:43 2020 us=449550   pkcs11_id = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449555   pkcs11_id_management = DISABLED
Sat Apr 11 08:04:43 2020 us=449561   server_network = 0.0.0.0
Sat Apr 11 08:04:43 2020 us=449566   server_netmask = 0.0.0.0
Sat Apr 11 08:04:43 2020 us=449574   server_network_ipv6 = ::
Sat Apr 11 08:04:43 2020 us=449579   server_netbits_ipv6 = 0
Sat Apr 11 08:04:43 2020 us=449584   server_bridge_ip = 0.0.0.0
Sat Apr 11 08:04:43 2020 us=449589   server_bridge_netmask = 0.0.0.0
Sat Apr 11 08:04:43 2020 us=449594   server_bridge_pool_start = 0.0.0.0
Sat Apr 11 08:04:43 2020 us=449599   server_bridge_pool_end = 0.0.0.0
Sat Apr 11 08:04:43 2020 us=449604   ifconfig_pool_defined = DISABLED
Sat Apr 11 08:04:43 2020 us=449609   ifconfig_pool_start = 0.0.0.0
Sat Apr 11 08:04:43 2020 us=449614   ifconfig_pool_end = 0.0.0.0
Sat Apr 11 08:04:43 2020 us=449619   ifconfig_pool_netmask = 0.0.0.0
Sat Apr 11 08:04:43 2020 us=449624   ifconfig_pool_persist_filename = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449628   ifconfig_pool_persist_refresh_freq = 600
Sat Apr 11 08:04:43 2020 us=449633   ifconfig_ipv6_pool_defined = DISABLED
Sat Apr 11 08:04:43 2020 us=449638   ifconfig_ipv6_pool_base = ::
Sat Apr 11 08:04:43 2020 us=449643   ifconfig_ipv6_pool_netbits = 0
Sat Apr 11 08:04:43 2020 us=449648   n_bcast_buf = 256
Sat Apr 11 08:04:43 2020 us=449652   tcp_queue_limit = 64
Sat Apr 11 08:04:43 2020 us=449657   real_hash_size = 256
Sat Apr 11 08:04:43 2020 us=449662   virtual_hash_size = 256
Sat Apr 11 08:04:43 2020 us=449667   client_connect_script = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449674   learn_address_script = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449679   client_disconnect_script = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449684   client_config_dir = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449688   ccd_exclusive = DISABLED
Sat Apr 11 08:04:43 2020 us=449693   tmp_dir = '/tmp'
Sat Apr 11 08:04:43 2020 us=449697   push_ifconfig_defined = DISABLED
Sat Apr 11 08:04:43 2020 us=449703   push_ifconfig_local = 0.0.0.0
Sat Apr 11 08:04:43 2020 us=449708   push_ifconfig_remote_netmask = 0.0.0.0
Sat Apr 11 08:04:43 2020 us=449712   push_ifconfig_ipv6_defined = DISABLED
Sat Apr 11 08:04:43 2020 us=449717   push_ifconfig_ipv6_local = ::/0
Sat Apr 11 08:04:43 2020 us=449722   push_ifconfig_ipv6_remote = ::
Sat Apr 11 08:04:43 2020 us=449727   enable_c2c = DISABLED
Sat Apr 11 08:04:43 2020 us=449732   duplicate_cn = DISABLED
Sat Apr 11 08:04:43 2020 us=449737   cf_max = 0
Sat Apr 11 08:04:43 2020 us=449741   cf_per = 0
Sat Apr 11 08:04:43 2020 us=449746   max_clients = 1024
Sat Apr 11 08:04:43 2020 us=449751   max_routes_per_client = 256
Sat Apr 11 08:04:43 2020 us=449756   auth_user_pass_verify_script = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449760   auth_user_pass_verify_script_via_file = DISABLED
Sat Apr 11 08:04:43 2020 us=449765   auth_token_generate = DISABLED
Sat Apr 11 08:04:43 2020 us=449769   auth_token_lifetime = 0
Sat Apr 11 08:04:43 2020 us=449774   port_share_host = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449779   port_share_port = '[UNDEF]'
Sat Apr 11 08:04:43 2020 us=449783   client = ENABLED
Sat Apr 11 08:04:43 2020 us=449788   pull = ENABLED
Sat Apr 11 08:04:43 2020 us=449793   auth_user_pass_file = '/run/openvpn.sh/secret.txt'
Sat Apr 11 08:04:43 2020 us=449798 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Sat Apr 11 08:04:43 2020 us=449807 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Sat Apr 11 08:04:43 2020 us=449897 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Apr 11 08:04:43 2020 us=450220 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Apr 11 08:04:43 2020 us=450233 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Apr 11 08:04:43 2020 us=450240 LZO compression initializing
Sat Apr 11 08:04:43 2020 us=450297 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sat Apr 11 08:04:43 2020 us=450908 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sat Apr 11 08:04:43 2020 us=450933 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sat Apr 11 08:04:43 2020 us=450940 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sat Apr 11 08:04:43 2020 us=450947 TCP/UDP: Preserving recently used remote address: [AF_INET]69.12.94.154:1195
Sat Apr 11 08:04:43 2020 us=450961 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Apr 11 08:04:43 2020 us=450968 UDP link local: (not bound)
Sat Apr 11 08:04:43 2020 us=450973 UDP link remote: [AF_INET]69.12.94.154:1195
Sat Apr 11 08:05:14 2020 us=174764 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sat Apr 11 08:05:14 2020 us=174967 TCP/UDP: Closing socket
Sat Apr 11 08:05:14 2020 us=175021 SIGUSR1[soft,ping-restart] received, process restarting
Sat Apr 11 08:05:14 2020 us=175067 Restart pause, 5 second(s)
Sat Apr 11 08:05:19 2020 us=175199 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Apr 11 08:05:19 2020 us=175287 Re-using SSL/TLS context
Sat Apr 11 08:05:19 2020 us=175318 LZO compression initializing
Sat Apr 11 08:05:19 2020 us=175499 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sat Apr 11 08:05:19 2020 us=176812 TCP/UDP: Preserving recently used remote address: [AF_INET]69.12.94.154:1195
Sat Apr 11 08:05:19 2020 us=176858 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sat Apr 11 08:05:19 2020 us=176943 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sat Apr 11 08:05:19 2020 us=176973 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sat Apr 11 08:05:19 2020 us=176997 TCP/UDP: Preserving recently used remote address: [AF_INET]69.12.94.154:1195
Sat Apr 11 08:05:19 2020 us=177061 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Apr 11 08:05:19 2020 us=177090 UDP link local: (not bound)
Sat Apr 11 08:05:19 2020 us=177110 UDP link remote: [AF_INET]69.12.94.154:1195
Sat Apr 11 08:05:49 2020 us=493338 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sat Apr 11 08:05:49 2020 us=493495 TCP/UDP: Closing socket
Sat Apr 11 08:05:49 2020 us=493549 SIGUSR1[soft,ping-restart] received, process restarting
Sat Apr 11 08:05:49 2020 us=493624 Restart pause, 5 second(s)
Sat Apr 11 08:05:54 2020 us=493772 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Apr 11 08:05:54 2020 us=493868 Re-using SSL/TLS context
Sat Apr 11 08:05:54 2020 us=495298 LZO compression initializing
Sat Apr 11 08:05:54 2020 us=495486 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sat Apr 11 08:05:54 2020 us=495559 TCP/UDP: Preserving recently used remote address: [AF_INET]69.12.94.154:1195
Sat Apr 11 08:05:54 2020 us=495593 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sat Apr 11 08:05:54 2020 us=495661 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sat Apr 11 08:05:54 2020 us=495695 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sat Apr 11 08:05:54 2020 us=495729 TCP/UDP: Preserving recently used remote address: [AF_INET]69.12.94.154:1195
Sat Apr 11 08:05:54 2020 us=495804 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Apr 11 08:05:54 2020 us=495849 UDP link local: (not bound)
Sat Apr 11 08:05:54 2020 us=495883 UDP link remote: [AF_INET]69.12.94.154:1195
Sat Apr 11 08:06:24 2020 us=907489 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sat Apr 11 08:06:24 2020 us=907664 TCP/UDP: Closing socket
Sat Apr 11 08:06:24 2020 us=907725 SIGUSR1[soft,ping-restart] received, process restarting
Sat Apr 11 08:06:24 2020 us=907776 Restart pause, 5 second(s)
Sat Apr 11 08:06:29 2020 us=907938 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Apr 11 08:06:29 2020 us=908036 Re-using SSL/TLS context
Sat Apr 11 08:06:29 2020 us=908066 LZO compression initializing
Sat Apr 11 08:06:29 2020 us=908216 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sat Apr 11 08:06:29 2020 us=909459 TCP/UDP: Preserving recently used remote address: [AF_INET]69.12.94.154:1195
Sat Apr 11 08:06:29 2020 us=909531 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sat Apr 11 08:06:29 2020 us=909612 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sat Apr 11 08:06:29 2020 us=909634 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sat Apr 11 08:06:29 2020 us=909659 TCP/UDP: Preserving recently used remote address: [AF_INET]69.12.94.154:1195
Sat Apr 11 08:06:29 2020 us=909805 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Apr 11 08:06:29 2020 us=909908 UDP link local: (not bound)
Sat Apr 11 08:06:29 2020 us=909961 UDP link remote: [AF_INET]69.12.94.154:1195
Sat Apr 11 08:06:59 2020 us=124963 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sat Apr 11 08:06:59 2020 us=125133 TCP/UDP: Closing socket
Sat Apr 11 08:06:59 2020 us=125193 SIGUSR1[soft,ping-restart] received, process restarting
Sat Apr 11 08:06:59 2020 us=125240 Restart pause, 5 second(s)
Sat Apr 11 08:07:04 2020 us=125370 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Apr 11 08:07:04 2020 us=125451 Re-using SSL/TLS context
Sat Apr 11 08:07:04 2020 us=125479 LZO compression initializing
Sat Apr 11 08:07:04 2020 us=125612 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sat Apr 11 08:07:04 2020 us=126982 TCP/UDP: Preserving recently used remote address: [AF_INET]69.12.94.154:1195
Sat Apr 11 08:07:04 2020 us=127031 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sat Apr 11 08:07:04 2020 us=127100 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sat Apr 11 08:07:04 2020 us=127120 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sat Apr 11 08:07:04 2020 us=127141 TCP/UDP: Preserving recently used remote address: [AF_INET]69.12.94.154:1195
Sat Apr 11 08:07:04 2020 us=127195 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Apr 11 08:07:04 2020 us=127217 UDP link local: (not bound)
Sat Apr 11 08:07:04 2020 us=127237 UDP link remote: [AF_INET]69.12.94.154:1195

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Delete default route

Post by TinCanTech » Tue Apr 14, 2020 3:44 pm

Try deleting the LAN IP address instead.

plasticassius
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 14, 2020 9:15 am

Re: Delete default route

Post by plasticassius » Tue Apr 14, 2020 8:58 pm

I can delete both of the other routes, but afterwards I can still reach addresses on the LAN as well as the WAN. In short, the laptop can still connect to anything it normally connects to, no matter what route I delete or try to delete.

I don't really need this functionality on the laptop, I just found it confusing that it behaves this way.

d2t93y7c
OpenVpn Newbie
Posts: 14
Joined: Fri Feb 22, 2019 7:35 pm

Re: Delete default route

Post by d2t93y7c » Wed Apr 15, 2020 2:05 am

I have a script that deletes the default route when the openvpn client exits unexpectedly.
Opinion: the default route should be deleted immediately after an openvpn connection and not when openvpn exits.
Reason 1: to reduce chance of an IP leak during VPN connection if not using a firewall.
Reason 2: the default route IP might be exposed briefly after openvpn exits.
I'd like to determine what causes openvpn to terminate unexpectedly, but haven't had any luck since it happens only infrequently.
Maybe the remote server didn't push a keepalive value.
Another piece of information is that I can't delete the default route on my laptop
DHCP may be readding the default route. Search: how to stop DHCP from readding default gateway
Disabling this DHCP behavior is distro specific.
Is there a better way to disable the default gateway in the event that openvpn fails?
Yes.
Is there a good way to track down why the tunnel loses connectivity and gets stuck in an endless retry loop?
Submit your code to r/bash for analysis.
Why can't I delete the default route on my laptop? Is it supposed to work that way?
Yes. Both DHCP and networkmanager will try to reestablish the default route.

Side comment: congratulations for going the 'disabling the default route' route, as I have read that using a firewall can slow down your connection--although I haven't really noticed a slowdown.

plasticassius
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 14, 2020 9:15 am

Re: Delete default route

Post by plasticassius » Sat Apr 18, 2020 1:03 pm

Thanks for the detailed answer, it gave me a number of things to think about.
d2t93y7c wrote:
Wed Apr 15, 2020 2:05 am
I have a script that deletes the default route when the openvpn client exits unexpectedly.
Opinion: the default route should be deleted immediately after an openvpn connection and not when openvpn exits.
Reason 1: to reduce chance of an IP leak during VPN connection if not using a firewall.
Reason 2: the default route IP might be exposed briefly after openvpn exits.
I agree with both of your reasons, and I have tried deleting the default route in the route-up script. However, I stopped doing it that way because the tunnel would close and openvpn would endlessly try to reestablish it. I'm not completely sure that the default route is needed to reestablish the tunnel if it closes, but it likely is since the url to my vpn server resolves to more than one ip address, so I imagine that openvpn needs to do dns lookups when it goes to reestablish the tunnel.

I imagine there may be something else involved in this issue, the tunnel goes down infrequently enough that it's hard to say. One idea I had to deal with this is to create individual routes to each of the possible vpn server ips when I delete the default route. I'll likely try this in the future.
I'd like to determine what causes openvpn to terminate unexpectedly, but haven't had any luck since it happens only infrequently.
Maybe the remote server didn't push a keepalive value.
I don't think this is the issue since when the tunnel terminates unexpectedly, the log (in previous post) shows "[UNDEF] Inactivity timeout (--ping-restart), restarting" and "SIGUSR1[soft,ping-restart] received, process restarting". This restart activity then repeats every 30 seconds which corresponds to the "keepalive_timeout = 30" which also appears in the log. This endless restart activity is what I referred to as "an endless retry loop" later in this post.
Another piece of information is that I can't delete the default route on my laptop
DHCP may be readding the default route. Search: how to stop DHCP from readding default gateway
Disabling this DHCP behavior is distro specific.
Interesting.. I'll look into this further.
Is there a better way to disable the default gateway in the event that openvpn fails?
Yes.
This is also interesting. I'll keep this in mind, but I think it is overkill for what I'm trying to do now.
Is there a good way to track down why the tunnel loses connectivity and gets stuck in an endless retry loop?
Submit your code to r/bash for analysis.
Sorry, I didn't describe what I meant in detail. By "an endless retry loop", I mean that openvpn itself is doing an endless "(--ping-restart), restarting" loop. The batch file doesn't enter into this at all.

Also, on my nas device it's enough to kill the openvpn process and then restart it (with the same configuration) to reestablish the tunnel. On my laptop, I need to kill the openvpn process, then disable and reenable wifi in connman, and restart openvpn (with the same configuration). It seems that there's something about the state of openvpn / network configuration of the device that needs to be reset in order to fix things.
Why can't I delete the default route on my laptop? Is it supposed to work that way?
Yes. Both DHCP and networkmanager will try to reestablish the default route.
I'm using DHCP and connman, apparently connman does something similar.

d2t93y7c
OpenVpn Newbie
Posts: 14
Joined: Fri Feb 22, 2019 7:35 pm

Re: Delete default route

Post by d2t93y7c » Tue Apr 21, 2020 4:11 am

I'm using DHCP and connman, apparently connman does something similar.
Does connmand -I or blacklisting interfaces stop ConnMan from readding a default route?

plasticassius
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 14, 2020 9:15 am

Re: Delete default route

Post by plasticassius » Sat Apr 25, 2020 6:08 pm

d2t93y7c wrote:
Tue Apr 21, 2020 4:11 am
Does connmand -I or blacklisting interfaces stop ConnMan from readding a default route?
I imagine that it would, but if I blacklist the interface with the default route, I won't have any network connectivity at all.

plasticassius
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 14, 2020 9:15 am

Re: Delete default route

Post by plasticassius » Thu May 07, 2020 12:58 pm

I've found that much of my difficulty was related to DHCP and DNS. At one time I experimented with the update-resolv-conf script from the resolvconf debian package. I still find it confusing, but at the time, I didn't understand the DNS mechanisms at all, let alone testing for DNS leaks. I've made considerable progress since.

On my debian laptop, I started using update-resolv-conf which works as expected, but I still don't understand its mechanism which I imagine is due to its calls into systemd via a binary code file. I still get connection failures after repeated start / stop cycles, but I've found that can be worked around by disconnecting and reconnecting the wifi connection with connman. I'm happy that DNS is working properly though.

The update-resolv-conf script doesn't work on my openwrt box, I imagine due to its lack of systemd. Instead, it has dnsmasq and busybox udhcpc. I've modified update-resolv-conf to work with dnsmasq for openwrt and disabled udhcpc while openvpn is connected in my updated connection script below, where I also delete the default route in route-up.

This combination appears to be much more stable on my openwrt box. I believe that must be due to several reasons. Disabling DHCP while openvpn is connected avoids resetting the DNS servers in use during DHCP renews, and is harmless since the DHCP server doesn't change ip addresses once clients are booted. Also, the script does get DNS through the tunnel working properly (as verified through whoami.ds.akahelp.net). And, finally I do have the default route deleted while the tunnel is in use so that there are no ip leaks in addition to no dns leaks.

My update script follows:

Code:

#!/bin/sh

SECRET=xxx
USER=xxx
PASS=xxx

# read distribution type
OSID=$(. /etc/os-release ; echo $ID)

if [ "$OSID" != "openwrt" ] ; then
TMPDIR=/run

#sudo apt-get install openvpn resolvconf
CONFIGPATH=/work/data/openvpn
#CONFIG="$CONFIGPATH"/Netherlands\ -\ Amsterdam.ovpn
#CONFIG="$CONFIGPATH/Czech Republic - Prague.ovpn"
CONFIG="$CONFIGPATH"/United\ States\ -\ Texas.ovpn
#CONFIG="$CONFIGPATH"/'United States - Florida.ovpn'

else # "$OSID" == "openwrt"
TMPDIR=/tmp/run

#opkg install openvpn-openssl
CONFIG=/root/loc.ovpn

fi

TMPDIR=$TMPDIR/${0##*/}
serv_auth=$TMPDIR/secret.txt
serv_pid=$TMPDIR/pid.txt
serv_restore=$TMPDIR/restore.txt
serv_start=$TMPDIR/start.txt
serv_log=/tmp/openvpn.log
serv_resolv=/tmp/resolv.conf.auto

openwrt_update_resolv_conf() {
    echo '# openwrt_update_resolv_conf' > "$serv_resolv"
    I=0
    while : ; do
        I=$((I + 1)) ; T=$(eval echo \$foreign_option_$I)
        [ -z "$T" ] && break
        echo "$T" | {
            read t0 t1 t2
            [ "$t0 $t1" = "dhcp-option DNS" ] && echo nameserver $t2 >> "$serv_resolv"
        }
    done
}

while : ; do case "$script_type" in
up)
    # after tunnel open
    [ "$OSID" = "openwrt" ] || exec /etc/openvpn/update-resolv-conf
    ;;

route-up)
    # after routes are up
    if [ "$OSID" = "openwrt" ] ; then
        # default route
        echo "ip route add $(ip route | grep '^default ')" > $serv_restore

        # restart dhcp and renew
        echo "kill -SIGCONT $(cat /var/run/udhcpc-br-lan.pid)" >> $serv_restore
        echo "kill -SIGUSR1 $(cat /var/run/udhcpc-br-lan.pid)" >> $serv_restore

        # stop dhcp
        kill -SIGSTOP $(cat /var/run/udhcpc-br-lan.pid)

        # update DNS servers
        openwrt_update_resolv_conf

        # delete default route
        ip route del default
    fi
    echo '#up' >>$serv_start
    ;;

down)
    # after tunnel closed
    [ "$OSID" = "openwrt" ] || exec /etc/openvpn/update-resolv-conf
    ;;

# zero length string executes remainder of file, otherwise exit
'') break ;; esac ; exit ; done

case "$1" in

start)
    if [ -e $serv_pid ] ; then echo already started ; exit 1 ; fi
    mkdir -p $TMPDIR
    echo "$USER
$PASS" > "$serv_auth"
    cd /tmp

    openvpn \
        --config "$CONFIG" --auth-user-pass "$serv_auth" \
        --log $serv_log --verb 4 \
        --script-security 2 --up "$0" --route-up "$0" --down "$0" \
        & echo $! > $serv_pid

    # wait for tunnel
    while [ ! -e $serv_start ] ; do
        if [ ! -e $serv_pid ] || ! kill -0 $(cat $serv_pid) 2> /dev/null ; then
            rm -f $serv_pid
            echo failed to start ; exit 1
        fi
        sleep 1 # poll once a second instead of busy-spinning until route-up runs
    done
    echo "$0 start" >> $serv_log
    ;;

stop)
    # indicate that stop is expected
    rm -f $serv_start

    # kill the client
    [ -e $serv_pid ] && kill $(cat $serv_pid)

    # wait for process exit
    while [ -e $serv_pid ] && kill -0 $(cat $serv_pid) 2> /dev/null ; do sleep 1 ; done

    # restore routes
    [ -e $serv_restore ] && . $serv_restore

    # clean up
    rm -rf $TMPDIR
    ;;

*) cat <<EOF ;;
openvpn.sh: start stop
EOF

esac
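The script above writes whatever a server pushes as "dhcp-option DNS" straight into the resolv file. Here is an added example (not the poster's script) of the same foreign_option_N walk with input checks: only dotted-quad IPv4 values are accepted for DNS, only plain domain labels for DOMAIN, rejected values are reported on stderr, and all DOMAIN values are merged into a single "search" line, since resolv.conf honours only the last "search" line when several are present. Output goes to stdout so it can be tested; in a route-up script it would be redirected to the resolv file.

```shell
#!/bin/sh
# Added example: validate OpenVPN-pushed dhcp-option values before they
# reach resolv.conf. foreign_option_N are the variables OpenVPN exports to
# --up/--route-up scripts; everything else here is example code.

# True if $1 is an IPv4 address in dotted-quad form with each octet 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    IFS=. ; set -- $1 ; unset IFS
    for o in "$@" ; do [ "$o" -le 255 ] || return 1 ; done
}

# True if $1 looks like a domain name made of letters, digits, '-' and '.'.
is_domain() {
    echo "$1" | grep -Eq '^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+$'
}

# Print resolv.conf text built from foreign_option_1, foreign_option_2, ...
pushed_options_to_resolv() {
    search=""
    printf '# generated from OpenVPN foreign_option_* variables\n'
    i=1
    while : ; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        i=$((i + 1))
        set -- $opt
        case "$1 $2" in
            "dhcp-option DNS")
                if is_ipv4 "$3" ; then printf 'nameserver %s\n' "$3"
                else echo "ignoring bad DNS option: $opt" >&2 ; fi ;;
            "dhcp-option DOMAIN")
                if is_domain "$3" ; then search="$search $3"
                else echo "ignoring bad DOMAIN option: $opt" >&2 ; fi ;;
        esac
    done
    [ -z "$search" ] || printf 'search%s\n' "$search"
}
```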

d2t93y7c
OpenVpn Newbie
Posts: 14
Joined: Fri Feb 22, 2019 7:35 pm

Re: Delete default route

Post by d2t93y7c » Sat May 09, 2020 10:41 am

Immortalize your unique work on GitLab.

Another potential solve, besides yours, is to make the VPN connection the default route.

plasticassius
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 14, 2020 9:15 am

Re: Delete default route

Post by plasticassius » Mon May 18, 2020 6:39 pm

I continued to make some improvements. I switched to network-manager from connman which made it possible to delete the default route (apparently connman was preventing that in some way). Also, I found that everything was more stable when I used my own script to update the DNS servers rather than update-resolv-conf or update-systemd-resolved. At least I don't have to resort to rebooting anymore.

I may try to make the VPN connection the default route at some point; however, I'd have to re-rig all of the routes rather than just deleting the default one.

Here is my latest script for both openwrt and debian:

Code:

#!/bin/sh

[ "$1" = "start" ] && CONFIG="${2:-/etc/openvpn/default.ovpn}"
AUTH=/etc/openvpn/auth.config
RESOLV=

# read distribution type
OSID=$(. /etc/os-release ; echo $ID)

if [ "$OSID" != "openwrt" ] ; then
serv_dir=/run/${0##*/}
serv_resolv=/etc/resolv.conf
#sudo apt-get install openvpn
#sudo dpkg -P connman connman-vpn cmst
#sudo apt install nm-tray network-manager network-manager-pptp network-manager-l2tp network-manager-openvpn

:<<EOF #optional setup
#systemd-resolve --status #get systemd DNS status

#sudo apt-get install resolvconf
#this updates /etc/resolv.conf with the VPN DNS servers (when it works)
#RESOLV=/etc/openvpn/update-resolv-conf

#sudo apt-get install openvpn-systemd-resolved
#this updates systemd DNS servers from the VPN (but leaves the global ones in place)
#RESOLV=/etc/openvpn/update-systemd-resolved
#RESOLV=/zaloh/make/update-systemd-resolved/update-systemd-resolved

#to disable dns via DHCP
#nano /etc/NetworkManager/NetworkManager.conf
[main]
dns=none
#this keeps DHCP from putting DNS information into /etc/resolv.conf
#which has the global DNS servers listed (from ISP)

EOF

else # "$OSID" == "openwrt"
serv_dir=/tmp/run/${0##*/}
serv_resolv=/tmp/resolv.conf.auto
#opkg install openvpn-openssl

fi

serv_pid=$serv_dir/pid.txt
serv_restore=$serv_dir/restore.txt
serv_start=$serv_dir/start.txt
serv_log=/tmp/openvpn.log

update_resolv_conf() {
    echo "# $0" > "$serv_resolv"
    I=0
    while : ; do
        I=$((I + 1)) ; T=$(eval echo \$foreign_option_$I)
        [ -z "$T" ] && break
        echo "$T" | {
            read t0 t1 t2
            [ "$t0 $t1" = "dhcp-option DNS" ] && echo nameserver $t2 >> "$serv_resolv"
            [ "$t0 $t1" = "dhcp-option DOMAIN" ] && echo search $t2 >> "$serv_resolv"
        }
    done
}

while : ; do case "$script_type" in
up)
    # after tunnel open
    [ -z "$RESOLV" ] || exec "$RESOLV"
    ;;

route-up)
    # after routes are up

    # restore default route
    echo "ip route add $(ip route | grep '^default ')" > $serv_restore

    # restore resolve file
    mv $serv_resolv $serv_dir
    echo mv $serv_dir/${serv_resolv##*/} $serv_resolv >> $serv_restore

    # delete default route
    ip route del default

    if [ "$OSID" = "openwrt" ] ; then
        for PID in /var/run/udhcpc-*.pid ; do
            [ -e $PID ] || continue
            PID=$(cat $PID)

            # stop dhcp
            kill -SIGSTOP $PID

            # restart dhcp and renew
            echo "kill -SIGCONT $PID" >> $serv_restore
            echo "kill -SIGUSR1 $PID" >> $serv_restore
        done
    fi

    # update DNS servers to resolve file
    update_resolv_conf

    echo '#up' >>$serv_start
    ;;

down)
    # after tunnel closed
    [ -z "$RESOLV" ] || exec "$RESOLV"
    ;;

# zero length string executes remainder of file, otherwise exit
'') break ;; esac ; exit ; done

case "$1" in

start)
    if [ -e $serv_pid ] ; then echo already started ; exit 1 ; fi
    mkdir -p $serv_dir
    cd /tmp

    openvpn \
        --config "$CONFIG" --auth-user-pass "$AUTH" \
        --log $serv_log --verb 4 \
        --script-security 2 --up "$0" --route-up "$0" --down "$0" \
        & echo $! > $serv_pid

    # wait for tunnel
    while [ ! -e $serv_start ] ; do
        if [ ! -e $serv_pid ] || ! kill -0 $(cat $serv_pid) 2> /dev/null ; then
            rm -f $serv_pid
            echo failed to start ; exit 1
        fi
        sleep 1 # poll once a second instead of busy-spinning until route-up runs
    done
    echo "$0 start" >> $serv_log
    ;;

stop)
    # indicate that stop is expected
    rm -f $serv_start

    # kill the client
    [ -e $serv_pid ] && kill $(cat $serv_pid)

    # wait for process exit
    while [ -e $serv_pid ] && kill -0 $(cat $serv_pid) 2> /dev/null ; do sleep 1 ; done

    # restore routes
    [ -e $serv_restore ] && . $serv_restore

    # clean up
    rm -rf $serv_dir
    ;;

restart)
    "$0" stop
    "$0" start
    ;;

*) cat <<EOF ;;
openvpn.sh: start stop
EOF

esac
I continue to have problems with losing connectivity occasionally. This primarily happens on openwrt, which I suspect is due to the long connection times I use (weeks at a time). I also suspect there may be some problem at the server side (Boxpn) which puts the client side into a state where it's continually retrying. However, it's fixed by restarting the client (no reboot needed).

Here's something curious that showed up in the log after 6 days without problems. After this, openvpn endlessly tried to reconnect with no luck. A restart of the client fixed it.

Code:

Tue May 12 20:35:40 2020 us=614449 Recursive routing detected, drop tun packet to [AF_INET]5.8.48.45:1195
Tue May 12 20:35:40 2020 us=614945 Recursive routing detected, drop tun packet to [AF_INET]5.8.48.45:1195
Tue May 12 20:35:40 2020 us=615423 Recursive routing detected, drop tun packet to [AF_INET]5.8.48.45:1195
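The restore file in the scripts above is built with "grep '^default '" on the output of ip route, which yields a single broken "ip route add" line when more than one default route exists, and nothing in the thread verifies that the deleted route stays gone when a DHCP client, connman or NetworkManager puts it back. The following added example (not the poster's script) builds one restore command per default route and provides a check for a re-added route; the route table text is passed as an argument so it can be tested on constructed input, where a real script would pass "$(ip route)".

```shell
#!/bin/sh
# Added example: default-route bookkeeping for an OpenVPN route-up/stop
# pair. Functions take the text of `ip route` as $1 instead of running it.

# Print one "ip route add ..." line per default route found in $1.
default_route_restore_cmds() {
    printf '%s\n' "$1" | while IFS= read -r line ; do
        case "$line" in
            default\ *) printf 'ip route add %s\n' "$line" ;;
        esac
    done
}

# Number of default routes in the route table text $1.
default_route_count() {
    default_route_restore_cmds "$1" | wc -l | tr -d ' '
}

# Returns 0 if no default route is present in $1 (the table captured after
# "ip route del default"), 1 if one has been re-added by DHCP or a
# connection manager and the client is no longer fail-closed.
default_route_still_absent() {
    [ "$(default_route_count "$1")" = "0" ]
}

# Constructed sample tables (not real hosts): two uplinks with different
# metrics before the delete, and the table as it should look afterwards.
SAMPLE_ROUTES='default via 192.168.1.1 dev br-lan proto static metric 100
default via 192.168.2.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.50'

AFTER_DELETE='10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.50'
```

In a route-up script the restore commands would be written to the restore file before "ip route del default", and the check would be polled afterwards so that a silently re-added route is logged rather than discovered by a leak test.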
