[Solved] Openvpn 2.2 and max-routes

[Driver]

I have a openvpn 2.2 server setup and we are hitting the 100 route limit. When I have more than 100 "route x.x.x.x" in the server config file it fails to start with the following error.

OpenVPN ROUTE: cannot add more than 100 routes -- please increase the max-routes option in the client configuration file

This is a bit confusing as we are hitting this route limit on the server, if I do add the max-routes option to the clients configuration file how in the world would the server even know that and allow me to start the service considering its all client initiated. I have tried adding the max-routes option to the server config and the issue persists. Hoping I am missing something simple.

[TinCanTech]

From the 22 manual:
https://community.openvpn.net/openvpn/w ... n22ManPage

--max-routes n

• Allow a maximum number of n --route options to be specified, either in the local
  configuration file, or pulled from an OpenVPN server. By default, n=100.

--max-routes-per-client n

• Allow a maximum of n internal routes per client (default=256). This is designed
  to help contain DoS attacks where an authenticated client floods the server with
  packets appearing to come from many unique MAC addresses, forcing the server to
  deplete virtual memory as its internal routing table expands. This directive can
  be used in a --client-config-dir file or auto-generated by a --client-connect
  script to override the global value for a particular client.
  
  Note that this directive affects OpenVPN's internal routing table, not the kernel
  routing table.

You ought to use up-to date version 2.3.11

I have tried adding the max-routes option to the server config and the issue persists

Did you stop/start the server ?

[Driver]

From the 22 manual:
https://community.openvpn.net/openvpn/w ... n22ManPage

--max-routes n

• Allow a maximum number of n --route options to be specified, either in the local
  configuration file, or pulled from an OpenVPN server. By default, n=100.

--max-routes-per-client n

• Allow a maximum of n internal routes per client (default=256). This is designed
  to help contain DoS attacks where an authenticated client floods the server with
  packets appearing to come from many unique MAC addresses, forcing the server to
  deplete virtual memory as its internal routing table expands. This directive can
  be used in a --client-config-dir file or auto-generated by a --client-connect
  script to override the global value for a particular client.
  
  Note that this directive affects OpenVPN's internal routing table, not the kernel
  routing table.

You ought to use up-to date version 2.3.11

I have tried adding the max-routes option to the server config and the issue persists

Did you stop/start the server ?

We are on CentOS6 and the version available is 2.2.2, packages outside of yum are a pretty hard sell in our enviroment. Either way, max-routes is suppose to be supported in 2.2.

Yep restarting the service and it simply fails to start when there are more than 100 routes in the server config file. I can comment one of them out to get us back to 100 and the service starts with no issues.

[Driver]

Figured it out. Did some testing a CentOS7 box which told me exactly what my issue was. The man page should probably be updated with these details.

Tue Jun 7 08:29:29 2016 us=455904 SIGTERM[hard,] received, process exiting
Options error: --max-routes must to be specifed before any route/route-ipv6/redirect-gateway option

Once I put the max-routes above my route commands everything fell in line and started working as expected.

[TinCanTech]

Thanks for letting us know you worked it out