I have an openvpn 2.2 server setup and we are hitting the 100 route limit. When I have more than 100 "route x.x.x.x" in the server config file it fails to start with the following error.
OpenVPN ROUTE: cannot add more than 100 routes -- please increase the max-routes option in the client configuration file
This is a bit confusing as we are hitting this route limit on the server. If I do add the max-routes option to the clients' configuration file, how in the world would the server even know that and allow me to start the service, considering it's all client initiated? I have tried adding the max-routes option to the server config and the issue persists. Hoping I am missing something simple.
[Solved] Openvpn 2.2 and max-routes
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Dec 20, 2010 6:13 pm
-
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Openvpn 2.2 and max-routes
From the 22 manual:
https://community.openvpn.net/openvpn/w ... n22ManPage
--max-routes n
- Allow a maximum number of n --route options to be specified, either in the local
configuration file, or pulled from an OpenVPN server. By default, n=100.
--max-routes-per-client n
- Allow a maximum of n internal routes per client (default=256). This is designed
to help contain DoS attacks where an authenticated client floods the server with
packets appearing to come from many unique MAC addresses, forcing the server to
deplete virtual memory as its internal routing table expands. This directive can
be used in a --client-config-dir file or auto-generated by a --client-connect
script to override the global value for a particular client.
Note that this directive affects OpenVPN's internal routing table, not the kernel
routing table.
Driver wrote: I have tried adding the max-routes option to the server config and the issue persists
Did you stop/start the server ?
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Dec 20, 2010 6:13 pm
Re: Openvpn 2.2 and max-routes
TinCanTech wrote: From the 22 manual:
https://community.openvpn.net/openvpn/w ... n22ManPage
--max-routes n
- Allow a maximum number of n --route options to be specified, either in the local
configuration file, or pulled from an OpenVPN server. By default, n=100.
--max-routes-per-client n
- Allow a maximum of n internal routes per client (default=256). This is designed
to help contain DoS attacks where an authenticated client floods the server with
packets appearing to come from many unique MAC addresses, forcing the server to
deplete virtual memory as its internal routing table expands. This directive can
be used in a --client-config-dir file or auto-generated by a --client-connect
script to override the global value for a particular client.
Note that this directive affects OpenVPN's internal routing table, not the kernel
routing table.
You ought to use up-to date version 2.3.11
Driver wrote: I have tried adding the max-routes option to the server config and the issue persists
Did you stop/start the server ?
We are on CentOS6 and the version available is 2.2.2, packages outside of yum are a pretty hard sell in our environment. Either way, max-routes is supposed to be supported in 2.2.
Yep restarting the service and it simply fails to start when there are more than 100 routes in the server config file. I can comment one of them out to get us back to 100 and the service starts with no issues.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Dec 20, 2010 6:13 pm
Re: Openvpn 2.2 and max-routes
Figured it out. Did some testing on a CentOS7 box which told me exactly what my issue was. The man page should probably be updated with these details.
Tue Jun 7 08:29:29 2016 us=455904 SIGTERM[hard,] received, process exiting
Options error: --max-routes must to be specifed before any route/route-ipv6/redirect-gateway option
Once I put the max-routes above my route commands everything fell in line and started working as expected.
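A pre-flight check for the ordering problem resolved above, as an added example that is not part of the original posts or of OpenVPN itself: it flags a max-routes line placed after any route/route-ipv6/redirect-gateway option and a route count above the effective limit. The function names and the sample config are constructed, and it assumes, as the thread reports for 2.2, that a late max-routes leaves the default of 100 in place.

```python
import re

# Options that must come after max-routes, per the "Options error" text in the thread.
ROUTE_OPTIONS = {"route", "route-ipv6", "redirect-gateway"}
DEFAULT_MAX_ROUTES = 100  # default n in the 2.2 man page excerpt


def check_max_routes(config_text):
    """Return (line_number, message) findings for one OpenVPN config file."""
    findings = []
    limit = DEFAULT_MAX_ROUTES
    first_route_line = None
    route_count = 0
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        # Strip '#' and ';' comments (simplified: quoted arguments are not handled).
        tokens = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if not tokens:
            continue
        option = tokens[0].lstrip("-")
        if option == "max-routes":
            if len(tokens) < 2 or not tokens[1].isdigit():
                findings.append((lineno, "max-routes needs a numeric argument"))
            elif first_route_line is not None:
                # Assumption from the thread: a late max-routes does not raise the limit.
                findings.append((lineno, "max-routes must precede the route option on line %d"
                                 % first_route_line))
            else:
                limit = int(tokens[1])
        elif option in ROUTE_OPTIONS:
            if first_route_line is None:
                first_route_line = lineno
            if option == "route":
                route_count += 1
                if route_count == limit + 1:
                    findings.append((lineno, "more than %d route options" % limit))
    return findings


def sample_config(max_routes_first):
    """Constructed sample: 101 route lines, max-routes placed before or after them."""
    routes = ["route 10.%d.%d.0 255.255.255.0" % (i // 256, i % 256) for i in range(101)]
    head = ["port 1194", "dev tun"]
    if max_routes_first:
        return "\n".join(head + ["max-routes 200"] + routes)
    return "\n".join(head + routes + ["max-routes 200"])


if __name__ == "__main__":
    for first in (False, True):
        print("max-routes first:", first, check_max_routes(sample_config(first)))
```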
-
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Openvpn 2.2 and max-routes
Thanks for letting us know you worked it out 
