
"redirect-gateway def1" Problem with raspberry client over UMTS

Posted: Tue Jun 07, 2016 9:54 am
by emcc
Hello,

After two days of google and trial and error I don't know what to do next.

I have successfully run an openvpn server incl. the option "push "redirect-gateway def1 bypass-dhcp"" on my raspberry pi for two years and can use it with my Android phone via mobile or wlan, i.e. Android_VPNClient===Internet_viaWLAN_or_4G===FritzBox-Router===Raspi1_VPN_Server_onlocal_Wlan

Now I want to create the following setup with a 2nd Pi: Raspi2_OpenVPNclient===UMTS Stick==="Internet"===FritzBox-Router===Raspi1_VPN_Server_onlocal_Wlan. Should be very similar, but does not fully work so far.

What works if "redirect-gateway def1 bypass-dhcp" is NOT activated in the server:
- Connect Raspi2 to internet via UMTS stick
- Activate tunnel into Rasp1
- Ping VPNserver under 10.8.0.1

What does not work if "redirect-gateway def1 bypass-dhcp" IS ACTIVATED in the server:
- connection to Raspi1 with openvpn server seems to be activated, but nothing else works afterwards:
- No ping to VPNserver under 10.8.0.1, no ping to internet... nothing....

Thank you very much for a hint, what the problem could be!


Background:
When starting the client I get this output and one strange error:

Code:

[server] Peer Connection Initiated with [AF_INET]123.456.789.12:1194
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,route 10.8.0.0 255.255.255.0,topology net30,ifconfig 10.8.0.6 10.8.0.5'
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
ROUTE_GATEWAY ON_LINK IFACE=ppp0 HWADDR=00:00:00:00:00:00
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
/sbin/ip route add 123.456.789.12/32 via 0.0.0.0
ERROR: Linux route add command failed: external program exited with error status: 2
/sbin/ip route add 0.0.0.0/1 via 10.8.0.5
/sbin/ip route add 128.0.0.0/1 via 10.8.0.5
/sbin/ip route add 10.8.0.0/24 via 10.8.0.5
Initialization Sequence Completed
My understanding: The encrypted connection is established, the server sends its push messages incl. redirect-gateway and the google DNS 8.8.8.8. Strangely the client gets the external IP of my FritzBox Router 123.456.789.12 (imaginary) as a route push although I have it in no configuration file, neither on the server nor on the client. And then the error occurs. The process continues and then "Initialization Sequence Completed"

After this I have this route-n table:

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.64.64.64     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
Unfortunately I cannot really read this and don't know whether this is ok.

BTW: Yes I have on both raspberries (server and client) the 2.3 version of openvpn. Yes I have ip-forward etc on server up and running... my android phone can still connect and routes all its traffic over vpn according to the "redirect-gateway" set-up

Re: "redirect-gateway def1" Problem with raspberry client over UMTS

Posted: Tue Jun 07, 2016 10:51 am
by TinCanTech
emcc wrote:/sbin/ip route add 123.456.789.12/32 via 0.0.0.0
ERROR: Linux route add command failed: external program exited with error status: 2
/sbin/ip route add 0.0.0.0/1 via 10.8.0.5
/sbin/ip route add 128.0.0.0/1 via 10.8.0.5
/sbin/ip route add 10.8.0.0/24 via 10.8.0.5
"via 0.0.0.0" .. this is a curious error I have not seen before .. you do not appear to have an IP address .. or perhaps openvpn has not detected your ip address.

Please post details of ifconfig.

Perhaps your UMTS Stick is not suitable for use with openvpn .. you could ask the provider.

Re: "redirect-gateway def1" Problem with raspberry client over UMTS

Posted: Tue Jun 07, 2016 1:33 pm
by emcc
Hi,
thanks for your quick reply.

Here the output from ifconfig

Code:

eth0      Link encap:Ethernet  HWaddr b2:34:da:f5:f3:2a  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:10.230.70.15  P-t-P:10.64.64.64  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:56 errors:0 dropped:0 overruns:0 frame:0
          TX packets:55 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:6828 (6.6 KiB)  TX bytes:5358 (5.2 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65085 errors:0 dropped:62790 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:95996249 (91.5 MiB)
If I DON'T use the "redirect-gateway" command, then the Raspi does connect through the UMTS modem. I can ping 10.8.0.6 from the Raspi1 openvpn server and 10.8.0.1 from the Raspi2 client... so the modem supports it at least for the tunnel itself incl ssh etc... Only with "redirect-gateway" it does not work...

BTW:
Just something which I just noted: I wrote in the openvpn.conf: ... server 10.8.0.0 255.255.255.0 ... according to the setup manual I followed. Nevertheless tun0 has 255.255.255.255

Re: "redirect-gateway def1" Problem with raspberry client over UMTS

Posted: Tue Jun 07, 2016 1:56 pm
by TinCanTech
emcc wrote:I wrote in the openvpn.conf: ... server 10.8.0.0 255.255.255.0 ... according to the setup manual I followed. Nevertheless tun0 has 255.255.255.255
That is normal .. you are running with --topology net30 - See --topology in The Manual v23x
emcc wrote:eth0 Link encap:Ethernet HWaddr b2:34:da:f5:f3:2a
UP BROADCAST MULTICAST MTU:1500 Metric:1
<..>

ppp0 Link encap:Point-to-Point Protocol
inet addr:10.230.70.15 P-t-P:10.64.64.64 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
<..>

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
Notice, your ethernet has no IP address .. please try again but completely disable your ethernet device first.

Re: "redirect-gateway def1" Problem with raspberry client over UMTS

Posted: Tue Jun 07, 2016 2:58 pm
by emcc
Hi,
I tried it with "sudo ifconfig eth0 down" . Hope this is what you meant. Unfortunately same behavior, except that in ifconfig eth0 does not appear any more. BTW: After some time it comes back...
But apart from this the UMTS connection is via PPP0, and there isn't any ethernet cable connected to the Raspi.

What about the

Code:

"sbin/ip route add 123.456.789.12/32 via 0.0.0.0
ERROR: Linux route add command failed: external program exited with error status: 2"
when starting the vpn on the client side... Is it normal that the client gets while starting the VPN connection the external internet IP from the Fritzbox-router with which the server is connected via WLAN?

Thanks for your help!

Re: "redirect-gateway def1" Problem with raspberry client over UMTS

Posted: Tue Jun 07, 2016 9:13 pm
by TinCanTech
Try disabling all network adapters in the BIOS and try again ..

Re: "redirect-gateway def1" Problem with raspberry client over UMTS

Posted: Tue Jun 07, 2016 10:22 pm
by emcc
Hmmm... very sorry, but I don't know how to do that... afaik the Raspberry has no classical BIOS ?!?... could you give me a hint what exactly to do? Thanks!

Re: "redirect-gateway def1" Problem with raspberry client over UMTS

Posted: Tue Jun 07, 2016 10:40 pm
by TinCanTech
Sorry, I don't know enough about Pi to be able to help with that.

However, I just noticed you are using

Code:

redirect-gateway def1 bypass-dhcp
remove the bypass-dhcp part (from your server pushed options) and try again.

Re: "redirect-gateway def1" Problem with raspberry client over UMTS

Posted: Wed Jun 08, 2016 5:55 am
by emcc
I tried that already. Same thing. With and without def1; with and without bypass-dhcp....
And there is to be remembered: It does work with Android. And there is this error message during startup of the vpn connection, which I cannot understand....
Anybody any other ideas? ......

Re: "redirect-gateway def1" Problem with raspberry client over UMTS

Posted: Wed Jun 08, 2016 1:13 pm
by TinCanTech
emcc wrote:there is this error message during startup of the vpn connection, which I cannot understand
Which error message do you mean ?
emcc wrote:And there is to be remembered: It does work with Android
The problem appears to be the UMTS network but only for using redirect-gateway .. for some reason openvpn appears to be confused about your gateway.

As you have not done so yet, please post your server and client config files.

Re: "redirect-gateway def1" Problem with raspberry client over UMTS

Posted: Wed Jun 08, 2016 5:55 pm
by emcc
Hi,

1)
I mean this error (compare above), which is in the output if I start the VPNclient
What about the
Code:
"sbin/ip route add 123.456.789.12/32 via 0.0.0.0
ERROR: Linux route add command failed: external program exited with error status: 2"
when starting the vpn on the client side... Is it normal that the client gets while starting the VPN connection the external internet IP from the Fritzbox-router with which the server is connected via WLAN?
The IP 123.456.... is the external IP from my FritzBox router in the Wlan on the VPN server side (I just anonymized it...) . the question is: Is it normal that the client gets while starting the VPN connection the external internet IP from the Fritzbox-router with which the server is connected via WLAN?

2)
I also disabled eth0 in interfaces by now

Code:

auto lo
iface lo inet loopback

#auto eth0
#iface eth0 inet dhcp

iface ppp0 inet wvdial
so my ifconfig-output is

Code:

lo        Link encap:Lokale Schleife  
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:65536  Metrik:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1 
          RX bytes:1272 (1.2 KiB)  TX bytes:1272 (1.2 KiB)

ppp0      Link encap:Punkt-zu-Punkt-Verbindung  
          inet Adresse:10.249.140.104  P-z-P:10.64.64.64  Maske:255.255.255.255
          UP PUNKTZUPUNKT RUNNING NOARP MULTICAST  MTU:1500  Metrik:1
          RX packets:106 errors:0 dropped:0 overruns:0 frame:0
          TX packets:103 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:3 
          RX bytes:11425 (11.1 KiB)  TX bytes:8914 (8.7 KiB)

tun0      Link encap:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet Adresse:10.8.0.6  P-z-P:10.8.0.5  Maske:255.255.255.255
          UP PUNKTZUPUNKT RUNNING NOARP MULTICAST  MTU:1500  Metrik:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:356612 errors:0 dropped:354116 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:100 
          RX bytes:0 (0.0 B)  TX bytes:533123352 (508.4 MiB)
What is strange are the different packets errors (maybe normal?) and the TX bytes in tun0. This cannot be true since it never worked...

3)
My client config:

Code:

dev tun
client
proto udp
remote MYSERVERURL.no-ip.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 4
and my server config (which works with Android client):

Code:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 4
client-to-client
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
log-append /var/log/openvpn
comp-lzo

Re: "redirect-gateway def1" Problem with raspberry client over UMTS

Posted: Wed Jun 08, 2016 7:26 pm
by TinCanTech
emcc wrote:Hi,

1)
I mean this error (compare above), which is in the output if I start the VPNclient
What about the
Code:
"sbin/ip route add 123.456.789.12/32 via 0.0.0.0
ERROR: Linux route add command failed: external program exited with error status: 2"
when starting the vpn on the client side... Is it normal that the client gets while starting the VPN connection the external internet IP from the Fritzbox-router with which the server is connected via WLAN?
The IP 123.456.... is the external IP from my FritzBox router in the Wlan on the VPN server side (I just anonymized it...) . the question is: Is it normal that the client gets while starting the VPN connection the external internet IP from the Fritzbox-router with which the server is connected via WLAN?
This is not an error, this is openvpn trying to enable the redirect-gateway option. The error is due to openvpn using 0.0.0.0 as the gateway .. for some reason openvpn has not determined your default gateway correctly. Once this is resolved, I think the other problems will be resolved.

Please reboot your computer and start your UMTS network but not openvpn.

Then please post your routing table:

Code:

$ route

Re: "redirect-gateway def1" Problem with raspberry client over UMTS

Posted: Wed Jun 08, 2016 9:19 pm
by emcc
Ah ok...
Here you go:

"route" for UMTS without openvpn:

Code:

Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 ppp0
10.64.64.64     *               255.255.255.255 UH    0      0        0 ppp0
and "route -n" for UMTS with openvpn (without -n option nothing appears here):

Code:

Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.64.64.64     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
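
The table above contains the two def1 halves (0.0.0.0/1 and 128.0.0.0/1) via tun0 but no host route for the VPN server, because the `ip route add .../32 via 0.0.0.0` step failed. The following added example (not part of the original posts) applies longest-prefix matching to that table to show where OpenVPN's own packets to the server would be sent; 203.0.113.10 is a constructed placeholder for the anonymised server address and the function names are hypothetical.

```python
import ipaddress
# `route -n` output posted above (client on UMTS, tunnel up).
ROUTE_N = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.64.64.64     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
"""
SERVER_IP = "203.0.113.10"  # constructed placeholder (TEST-NET-3)


def parse_route_n(text):
    """Return [(network, gateway, iface)] parsed from `route -n` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[0][0].isdigit():
            continue  # title and column-header lines
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        routes.append((net, f[1], f[7]))
    return routes


def lookup(routes, ip):
    """Longest-prefix match: the route the kernel picks for destination ip."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def check_redirect(routes, server_ip, tun="tun0"):
    """'loop' if OpenVPN's own packets to the server re-enter the tunnel."""
    hit = lookup(routes, server_ip)
    if hit is None:
        return "unreachable"
    return "loop" if hit[2] == tun else "bypass"


def with_host_route(routes, server_ip, iface):
    """Table after `ip route add <server_ip>/32 dev <iface>` (no gateway)."""
    return routes + [(ipaddress.ip_network(f"{server_ip}/32"), "0.0.0.0", iface)]


if __name__ == "__main__":
    t = parse_route_n(ROUTE_N)
    print(check_redirect(t, SERVER_IP), check_redirect(with_host_route(t, SERVER_IP, "ppp0"), SERVER_IP))
```

With the table as posted, the server address matches 128.0.0.0/1 on tun0, so the result is "loop", which is consistent with the large TX and dropped counters on tun0. Adding the /32 route on ppp0 changes the result to "bypass".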

Re: "redirect-gateway def1" Problem with raspberry client over UMTS

Posted: Tue Jun 14, 2016 2:40 pm
by emcc
Hmmmm... nobody any ideas.... ??? What about these routing tables? Anything I can change? Maybe manually?

Thanks for your help!

Re: "redirect-gateway def1" Problem with raspberry client over UMTS

Posted: Tue Jun 14, 2016 7:47 pm
by TinCanTech
I do not know why openvpn is failing to add the correct routing .. but you can do it manually.

Add --up and --down scripts to your config file like so:

Code:

up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
Edit - Version 3:

Code:

#!/bin/bash
# up.sh
# 1.2.3.4 = Replace this with your UMTS Stick IP address
umts_gateway=1.2.3.4
/sbin/ip route add $trusted_ip/32 via $umts_gateway

Code:

#!/bin/bash
# down.sh
/sbin/ip route delete $trusted_ip
Remember to set executable bit on script files ..

Re: "redirect-gateway def1" Problem with raspberry client over UMTS

Posted: Tue Jun 14, 2016 9:31 pm
by TinCanTech
Please post output of:

Code:

openvpn --version

Re: "redirect-gateway def1" Problem with raspberry client over UMTS

Posted: Wed Jun 15, 2016 8:13 pm
by TinCanTech
Linking to this thread:
viewtopic.php?f=4&t=21913