[Solved] Openvpn 2.2 and max-routes

Driver
OpenVpn Newbie
Posts: 10
Joined: Mon Dec 20, 2010 6:13 pm

[Solved] Openvpn 2.2 and max-routes

Post by Driver » Tue Jun 07, 2016 11:52 am

I have an OpenVPN 2.2 server setup and we are hitting the 100 route limit. When I have more than 100 "route x.x.x.x" lines in the server config file it fails to start with the following error.

OpenVPN ROUTE: cannot add more than 100 routes -- please increase the max-routes option in the client configuration file

This is a bit confusing, as we are hitting this route limit on the server. If I do add the max-routes option to the client's configuration file, how in the world would the server even know that and allow me to start the service, considering it's all client-initiated? I have tried adding the max-routes option to the server config and the issue persists. Hoping I am missing something simple.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn 2.2 and max-routes

Post by TinCanTech » Tue Jun 07, 2016 12:12 pm

From the 2.2 manual:
https://community.openvpn.net/openvpn/w ... n22ManPage

--max-routes n
  • Allow a maximum number of n --route options to be specified, either in the local
    configuration file, or pulled from an OpenVPN server. By default, n=100.
--max-routes-per-client n
  • Allow a maximum of n internal routes per client (default=256). This is designed
    to help contain DoS attacks where an authenticated client floods the server with
    packets appearing to come from many unique MAC addresses, forcing the server to
    deplete virtual memory as its internal routing table expands. This directive can
    be used in a --client-config-dir file or auto-generated by a --client-connect
    script to override the global value for a particular client.

    Note that this directive affects OpenVPN's internal routing table, not the kernel
    routing table.
You ought to use the up-to-date version 2.3.11

Driver wrote: I have tried adding the max-routes option to the server config and the issue persists
Did you stop/start the server ?

Driver
OpenVpn Newbie
Posts: 10
Joined: Mon Dec 20, 2010 6:13 pm

Re: Openvpn 2.2 and max-routes

Post by Driver » Tue Jun 07, 2016 12:18 pm

TinCanTech wrote: From the 2.2 manual:
https://community.openvpn.net/openvpn/w ... n22ManPage

--max-routes n
  • Allow a maximum number of n --route options to be specified, either in the local
    configuration file, or pulled from an OpenVPN server. By default, n=100.
--max-routes-per-client n
  • Allow a maximum of n internal routes per client (default=256). This is designed
    to help contain DoS attacks where an authenticated client floods the server with
    packets appearing to come from many unique MAC addresses, forcing the server to
    deplete virtual memory as its internal routing table expands. This directive can
    be used in a --client-config-dir file or auto-generated by a --client-connect
    script to override the global value for a particular client.

    Note that this directive affects OpenVPN's internal routing table, not the kernel
    routing table.
You ought to use the up-to-date version 2.3.11

Driver wrote: I have tried adding the max-routes option to the server config and the issue persists
Did you stop/start the server ?

We are on CentOS6 and the version available is 2.2.2; packages outside of yum are a pretty hard sell in our environment. Either way, max-routes is supposed to be supported in 2.2.

Yep, restarting the service and it simply fails to start when there are more than 100 routes in the server config file. I can comment one of them out to get us back to 100 and the service starts with no issues.

Driver
OpenVpn Newbie
Posts: 10
Joined: Mon Dec 20, 2010 6:13 pm

Re: Openvpn 2.2 and max-routes

Post by Driver » Tue Jun 07, 2016 12:34 pm

Figured it out. Did some testing on a CentOS7 box, which told me exactly what my issue was. The man page should probably be updated with these details.

Tue Jun 7 08:29:29 2016 us=455904 SIGTERM[hard,] received, process exiting
Options error: --max-routes must to be specifed before any route/route-ipv6/redirect-gateway option

Once I put the max-routes above my route commands everything fell in line and started working as expected.
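The two facts this thread establishes (OpenVPN refuses to start with more than max-routes, default 100, route options, and max-routes must come before the first route/route-ipv6/redirect-gateway line) are easy to check before a restart takes the VPN down. The following POSIX shell pre-flight check is an added example, not code from the thread or from the OpenVPN project; the sample configs it writes are constructed, and treating route-ipv6 lines as subject to the same limit as route lines is an assumption made for the check.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenVPN): pre-flight check for an
# OpenVPN server config. OpenVPN refuses to start when more than max-routes
# (default 100) route options are present, and rejects a max-routes directive
# that appears after the first route/route-ipv6/redirect-gateway line.

# check_route_order CONFIG
# Exit status: 0 ok, 1 more routes than the effective limit,
#              2 max-routes placed after a route option.
check_route_order() {
    cfg=$1
    limit=100          # OpenVPN default when max-routes is absent
    v4=0 v6=0 seen_route=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%[#;]*}            # drop comments (# or ;)
        # shellcheck disable=SC2086    # word splitting is intended here
        set -- $line
        [ $# -eq 0 ] && continue
        case $1 in
            max-routes)
                if [ "$seen_route" -eq 1 ]; then
                    echo "ERROR: $cfg: max-routes must precede every route/route-ipv6/redirect-gateway line"
                    return 2
                fi
                limit=$2 ;;
            route)            seen_route=1; v4=$((v4 + 1)) ;;
            route-ipv6)       seen_route=1; v6=$((v6 + 1)) ;;   # assumed to share the limit
            redirect-gateway) seen_route=1 ;;
        esac
    done < "$cfg"
    if [ "$v4" -gt "$limit" ] || [ "$v6" -gt "$limit" ]; then
        echo "ERROR: $cfg: $v4 IPv4 / $v6 IPv6 routes, limit is $limit (raise max-routes)"
        return 1
    fi
    echo "OK: $cfg: $v4 IPv4 / $v6 IPv6 routes within max-routes $limit"
}

# write_sample_config FILE KIND writes a constructed config for testing:
#   good     max-routes 200 followed by 101 routes
#   toomany  101 routes with no max-routes (the thread's failure)
#   late     one route, then max-routes (the ordering mistake from the thread)
write_sample_config() {
    out=$1; k=$2
    n=101
    if [ "$k" = late ]; then n=1; fi
    {
        echo "port 1194"
        echo "dev tun"
        if [ "$k" = good ]; then echo "max-routes 200"; fi
        i=0
        while [ "$i" -lt "$n" ]; do
            echo "route 10.$i.0.0 255.255.0.0"   # constructed sample prefixes
            i=$((i + 1))
        done
        if [ "$k" = late ]; then echo "max-routes 200"; fi   # too late: OpenVPN rejects this
    } > "$out"
}

if [ $# -gt 0 ]; then
    check_route_order "$1"
else
    # No file given: demonstrate on the three constructed samples.
    d=$(mktemp -d)
    for kind in good toomany late; do
        write_sample_config "$d/$kind.conf" "$kind"
        check_route_order "$d/$kind.conf" || true
    done
    rm -rf "$d"
fi
```

Run it as `sh check_routes.sh /etc/openvpn/server.conf` before `service openvpn restart`; with no argument it exercises the three constructed samples. The check only reads the file, so it is safe to wire into a config-deploy pipeline as a gate.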

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn 2.2 and max-routes

Post by TinCanTech » Tue Jun 07, 2016 12:41 pm

Thanks for letting us know you worked it out 8-)
