Linux route add command failed

Posted: Fri Dec 21, 2012 5:03 pm
by RafaMas
Hi!
I'm trying to create an OpenVPN server, but it doesn't work.
I'm using Debian 6.0.6 amd64, with an email (iRedMail) server with Squid.
My client is WinXP Pro.
My server.conf:

proto udp 
port 1194 
dev tun 

server 20.20.20.0 255.255.255.0 

push "route 192.168.0.0 255.255.255.0" 
#push "dhcp-option DNS 192.168.0.1" # I tried commenting this out but it doesn't work
push "redirect-gateway"  # I inserted this from a forum post but it doesn't work

push "ping 10"
push "ping-restart 60"

route 20.20.20.0 255.255.255.0

#comp-lzo  # I tried commenting this out but it doesn't work

keepalive 10 120
float
ifconfig-pool-persist /etc/openvpn/ipp.txt
max-clients 3
persist-key 
persist-tun 

log-append /var/log/openvpn.log 
verb 6
tls-server
dh /etc/openvpn/keys/dh1024.pem
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/tr.crt
key /etc/openvpn/keys/tr.key
tls-auth /etc/openvpn/keys/chave.key
status /var/log/openvpn.stats
My /etc/default/iptables:

# I tried commenting these out but it doesn't work
*filter 
#:INPUT DROP [0:0]
#:FORWARD DROP [0:0]
#:OUTPUT ACCEPT [0:0]

# Keep state.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loop device.
-A INPUT -i lo -j ACCEPT

# http, https
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3128 -j ACCEPT

# smtp, submission
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT

# pop3, pop3s
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

# imap, imaps
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

# ssh
-A INPUT -p tcp --dport 2231 -j ACCEPT

# Allow PING from remote hosts.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

COMMIT
openvpn.log:

Fri Dec 21 14:44:16 2012 OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 21 2012
Fri Dec 21 14:44:16 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Dec 21 14:44:16 2012 Diffie-Hellman initialized with 1024 bit key
Fri Dec 21 14:44:16 2012 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Fri Dec 21 14:44:17 2012 Control Channel Authentication: using '/etc/openvpn/keys/chave.key' as a OpenVPN static key file
Fri Dec 21 14:44:17 2012 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 21 14:44:17 2012 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 21 14:44:17 2012 TLS-Auth MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Dec 21 14:44:17 2012 Socket Buffers: R=[124928->131072] S=[124928->131072]
Fri Dec 21 14:44:17 2012 ROUTE default_gateway=10.10.10.1
Fri Dec 21 14:44:17 2012 TUN/TAP device tun0 opened
Fri Dec 21 14:44:17 2012 TUN/TAP TX queue length set to 100
Fri Dec 21 14:44:17 2012 /sbin/ifconfig tun0 20.20.20.1 pointopoint 20.20.20.2 mtu 1500
Fri Dec 21 14:44:17 2012 /sbin/route add -net 20.20.20.0 netmask 255.255.255.0 gw 20.20.20.2
Fri Dec 21 14:44:17 2012 /sbin/route add -net 20.20.20.0 netmask 255.255.255.0 gw 20.20.20.2
SIOCADDRT: File exists
Fri Dec 21 14:44:17 2012 ERROR: Linux route add command failed: external program exited with error status: 7
Fri Dec 21 14:44:17 2012 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Fri Dec 21 14:44:17 2012 UDPv4 link local (bound): [undef]
Fri Dec 21 14:44:17 2012 UDPv4 link remote: [undef]
Fri Dec 21 14:44:17 2012 MULTI: multi_init called, r=256 v=256
Fri Dec 21 14:44:17 2012 IFCONFIG POOL: base=20.20.20.4 size=62
Fri Dec 21 14:44:17 2012 IFCONFIG POOL LIST
Fri Dec 21 14:44:17 2012 fatur,20.20.20.4
Fri Dec 21 14:44:17 2012 Initialization Sequence Completed
WinXP client config file:

client
dev tun 
proto udp
remote 10.10.10.114 # internal test network
port 1194
pull 
comp-lzo 
keepalive 10 120 
float 
tls-client
persist-tun 
persist-key 
remote-cert-tls server
dh keys/dh1024.pem 
ca keys/ca.crt 
cert keys/fatur.crt 
key keys/fatur.key 
tls-auth keys/chave.key 
route-method exe
route-delay 2
Client log error:

Fri Dec 21 14:45:24 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Fri Dec 21 14:45:24 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Dec 21 14:45:25 2012 Control Channel Authentication: using 'chave.key' as a OpenVPN static key file
Fri Dec 21 14:45:25 2012 UDPv4 link local (bound): [undef]:1194
Fri Dec 21 14:45:25 2012 UDPv4 link remote: 10.10.10.114:1194
Fri Dec 21 14:46:25 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Dec 21 14:46:25 2012 TLS Error: TLS handshake failed
Fri Dec 21 14:46:25 2012 SIGUSR1[soft,tls-error] received, process restarting
Fri Dec 21 14:46:27 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Dec 21 14:46:27 2012 Re-using SSL/TLS context
Fri Dec 21 14:46:27 2012 UDPv4 link local (bound): [undef]:1194
Fri Dec 21 14:46:27 2012 UDPv4 link remote: 10.10.10.114:1194
Fri Dec 21 14:46:33 2012 SIGTERM[hard,] received, process exiting
I searched forums and tried these rules:

iptables -t filter -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -t filter -A FORWARD -p udp -s 192.168.0.0/24 --dport 1194 -j ACCEPT
iptables -t filter -A FORWARD -p udp -d 192.168.0.0/24 --sport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 20.20.20.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -d 192.168.0.0/24 -s 20.20.20.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING -s 20.20.20.0/24 -o eth1 -j MASQUERADE 
and

iptables -t filter -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -t filter -A FORWARD -p udp -s 192.168.0.0/24 --dport 1194 -j ACCEPT
iptables -t filter -A FORWARD -p udp -d 192.168.0.0/24 --sport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 20.20.20.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -d 192.168.0.0/24 -s 20.20.20.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING -s 20.20.20.0/24 -o eth1 -j MASQUERADE
iptables -A INPUT -i eth2 -p UDP --dport 1194 -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -A FORWARD -o eth0 -p UDP --dport 1194 -j ACCEPT
iptables -A OUTPUT -o eth0 -p UDP --dport 1194 -j ACCEPT
and inserted push "redirect-gateway" in server.conf,
but it doesn't work!
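A diagnostic script for the two faults visible in this post, added here and not part of the thread: the second `/sbin/route add` in openvpn.log fails with `SIOCADDRT: File exists` because the `route 20.20.20.0 255.255.255.0` line repeats the subnet that `server` already installs, and the client's 60-second TLS timeout matches a rules file that never accepts inbound UDP on the OpenVPN port. It assumes POSIX sh, awk and grep, and builds its own sample server.conf and rules file.

```shell
#!/bin/sh
# Added diagnostic script, not from the thread. It reads an OpenVPN
# server.conf and an iptables-save style rules file and reports the two
# problems visible in the post: a "route" directive that repeats the
# subnet "server" already installs (the cause of "SIOCADDRT: File exists"),
# and no INPUT rule for the UDP port, which leaves the client waiting in
# "TLS key negotiation failed to occur within 60 seconds".

# Print the "port" directive value (OpenVPN's default 1194 when absent).
conf_port() {
    p=$(awk '$1 == "port" { print $2 }' "$1")
    echo "${p:-1194}"
}

# Return 0 and print the offender if server.conf has a "route" whose
# network and mask equal the "server" subnet; return 1 otherwise.
dup_route() {
    awk '
        $1 == "server" { net = $2 " " $3 }
        $1 == "route"  { r[++n] = $2 " " $3 }
        END {
            for (i = 1; i <= n; i++)
                if (r[i] == net) { print "duplicate route: " r[i]; found = 1 }
            exit (found ? 0 : 1)
        }' "$1"
}

# Return 0 if the rules file has an INPUT ACCEPT for inbound UDP on $2.
port_accepted() {
    grep -Eqi -- "^-A INPUT .*-p udp .*--dport $2( |$).*-j ACCEPT" "$1"
}

# Constructed samples mirroring the poster's files (temporary paths).
tmp=$(mktemp -d)
cat > "$tmp/server.conf" <<'EOF'
port 1194
server 20.20.20.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
route 20.20.20.0 255.255.255.0
EOF
cat > "$tmp/iptables.rules" <<'EOF'
*filter
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF

dup_route "$tmp/server.conf" && echo "drop the route line: server already adds it"
port_accepted "$tmp/iptables.rules" "$(conf_port "$tmp/server.conf")" \
    || echo "no INPUT ACCEPT for udp/$(conf_port "$tmp/server.conf")"
```

Run it against the real files instead of the samples by passing their paths to the two check functions; both checks print nothing and return 0 once the duplicate route is removed and the UDP port is accepted.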

Re: Linux route add command failed

Posted: Fri Dec 21, 2012 6:09 pm
by maikcat
Hi there,

Just some advice:

Don't try things at random; it will never work, and if it did you would not know why...

Some things I noticed:

If you want to test your OpenVPN with both PCs in the same network,
DISABLE push routes. It doesn't make any sense...

Rule: when you try things, first DISABLE the server firewall. If it works, then try to refine your rules.

Never add directives when you don't understand what they are doing...

For your info, always use

push "redirect-gateway def1"

Also, for your own good, read the manual pages about each directive you use...

Try the above and I will help you.

Michael.