Host-to-site route add problem?


This topic contains 13 replies, has 0 voices, and was last updated by  dnsadmin 8 years, 2 months ago.

  • #42696

    dnsadmin
    Member

    I’m not sure if I’m misconfiguring something, or have encountered a bug.

    Win 7, openvpn set with route-method exe and route-delay 2

    When I establish a connection and have not configured additional routes to be pushed to the client, the client log shows route add xxx OK. I can manually add additional routes from my dos command line.

    If I configure zeroshell to tunnel additional lans, I get a large number of bogus routes. I’m setting up the additional routes in the “IP Traffic to tunnel through VPN” dialog box (VPN, Net button in Client IP Range area) and can enter either 10.0.0.0/8 OR 10.0.0.0/255.255.0.0 which yields the same series of bad routes (variants of addresses which look like they’re on 32 bit mask boundaries, with netmask of 255.255.255.255).

    I’m in a routed situation on the zeroshell side (10.10.250.x client range for instance).

    I’d be happy to provide any further information or attempt to debug with someone.

    Thanks in advance for the assistance.

    #51232

    ppalias
    Member

    Here is a sample openvpn config file for windows connecting to Zeroshell


    remote someip.dyndns.org 1194
    proto udp
    #auth-user-pass
    ca CA_Zeroshell.pem
    cert trendy.pem
    key trendy.pem
    comp-lzo
    verb 3
    mute 20
    resolv-retry infinite
    nobind
    client
    dev tap
    keepalive 5 60
    persist-key
    persist-tun

    Make sure you run it as administrator on windows 7. Can you paste here the output of

    route print

    on windows before and after the openvpn establishes the connection? Also set a network that is already connected on the ZS, this shouldn’t make any difference but I’m just guessing.

    #51233

    dnsadmin
    Member

    Client.ovpn

    remote myserver.ip.address 1194
    proto tcp
    auth-user-pass
    ca zeroshell.pem
    cert user.pem
    key user.pem
    auth-nocache
    comp-lzo
    verb 4
    mute 10
    resolv-retry infinite
    nobind
    client
    dev tap
    persist-key
    persist-tun
    route-method exe
    route-delay 2

    No VPN connected


    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 10.0.0.1 10.0.7.165 25
    10.0.0.0 255.255.248.0 On-link 10.0.7.165 281
    10.0.7.165 255.255.255.255 On-link 10.0.7.165 281
    10.0.7.255 255.255.255.255 On-link 10.0.7.165 281
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    192.168.16.0 255.255.255.248 On-link 192.168.16.1 286
    192.168.16.1 255.255.255.255 On-link 192.168.16.1 286
    192.168.16.7 255.255.255.255 On-link 192.168.16.1 286
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
    224.0.0.0 240.0.0.0 On-link 10.0.7.165 282
    224.0.0.0 240.0.0.0 On-link 192.168.16.1 286
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    255.255.255.255 255.255.255.255 On-link 10.0.7.165 281
    255.255.255.255 255.255.255.255 On-link 192.168.16.1 286
    ===========================================================================
    Persistent Routes:
    None

    Route output for vpn connected, NO additional routes configured


    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 10.0.240.1 10.0.240.2 31
    0.0.0.0 0.0.0.0 10.0.0.1 10.0.7.165 25
    10.0.0.0 255.255.248.0 10.0.240.1 10.0.240.2 31
    10.0.0.0 255.255.248.0 On-link 10.0.7.165 281
    10.0.7.165 255.255.255.255 On-link 10.0.7.165 281
    10.0.7.255 255.255.255.255 On-link 10.0.7.165 281
    10.0.240.0 255.255.255.0 On-link 10.0.240.2 286
    10.0.240.2 255.255.255.255 On-link 10.0.240.2 286
    10.0.240.255 255.255.255.255 On-link 10.0.240.2 286
    10.5.0.0 255.255.0.0 10.0.240.1 10.0.240.2 31
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    192.168.16.0 255.255.255.248 On-link 192.168.16.1 286
    192.168.16.1 255.255.255.255 On-link 192.168.16.1 286
    192.168.16.7 255.255.255.255 On-link 192.168.16.1 286
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
    224.0.0.0 240.0.0.0 On-link 10.0.7.165 282
    224.0.0.0 240.0.0.0 On-link 10.0.240.2 284
    224.0.0.0 240.0.0.0 On-link 192.168.16.1 286
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    255.255.255.255 255.255.255.255 On-link 10.0.7.165 281
    255.255.255.255 255.255.255.255 On-link 10.0.240.2 286
    255.255.255.255 255.255.255.255 On-link 192.168.16.1 286
    ===========================================================================
    Persistent Routes:
    None

    With 10.5.0.0/8 added to the ZeroShell config:


    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 10.0.0.1 10.0.7.165 25
    0.0.0.0 0.0.0.0 75.213.79.31 10.0.7.165 26
    0.0.0.0 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.0.0.1 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.0.0.3 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.0.0.12 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.0.0.15 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.0.0.194 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.0.11.64 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.0.48.0 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.34.243.152 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.34.243.184 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.34.243.216 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.34.244.56 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.34.244.80 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.34.244.104 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.34.244.140 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.34.244.152 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.34.244.188 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.34.244.192 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.34.244.232 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.34.245.24 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.34.245.80 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.34.251.228 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.34.251.248 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.34.253.224 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.64.0.142 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.64.166.220 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.64.205.124 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.64.214.67 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.65.17.243 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.65.28.146 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.68.143.120 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.69.241.255 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.69.242.97 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.71.37.69 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.71.68.64 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.72.195.184 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.112.206.0 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.112.228.212 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.113.63.208 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.115.241.12 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.116.109.40 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.117.27.52 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.117.27.64 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.117.201.184 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.117.201.188 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.135.43.228 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.135.242.112 255.255.255.255 10.0.0.1 10.0.240.2 31
    0.135.246.128 255.255.255.255 10.0.0.1 10.0.240.2 31
    6.216.13.238 255.255.255.255 10.0.0.1 10.0.240.2 31
    10.0.0.0 255.255.248.0 10.0.240.1 10.0.240.2 31
    10.0.0.0 255.255.248.0 On-link 10.0.7.165 281
    10.0.7.165 255.255.255.255 On-link 10.0.7.165 281
    10.0.7.255 255.255.255.255 On-link 10.0.7.165 281
    10.0.240.0 255.255.255.0 On-link 10.0.240.2 286
    10.0.240.2 255.255.255.255 On-link 10.0.240.2 286
    10.0.240.255 255.255.255.255 On-link 10.0.240.2 286
    10.5.0.0 255.255.0.0 10.0.240.1 10.0.240.2 31
    34.0.0.3 255.255.255.255 10.0.0.1 10.0.240.2 31
    70.91.142.123 255.255.255.255 10.0.0.1 10.0.240.2 31
    119.76.156.222 255.255.255.255 10.0.0.1 10.0.240.2 31
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    192.168.16.0 255.255.255.248 On-link 192.168.16.1 286
    192.168.16.1 255.255.255.255 On-link 192.168.16.1 286
    192.168.16.7 255.255.255.255 On-link 192.168.16.1 286
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
    224.0.0.0 240.0.0.0 On-link 10.0.7.165 282
    224.0.0.0 240.0.0.0 On-link 10.0.240.2 284
    224.0.0.0 240.0.0.0 On-link 192.168.16.1 286
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    255.255.255.255 255.255.255.255 On-link 10.0.7.165 281
    255.255.255.255 255.255.255.255 On-link 10.0.240.2 286
    255.255.255.255 255.255.255.255 On-link 192.168.16.1 286
    ===========================================================================
    Persistent Routes:
    None
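
Added example (not from the thread or the ZeroShell project): a small Python check that parses Windows “route print” output and flags the symptom shown in the third table above, a flood of /32 host routes bound to the VPN adapter whose destinations fall outside any network the server is meant to push. The sample lines are constructed in the shape of dnsadmin’s tables; the tunnel interface address and the expected networks are assumptions.

```python
# Added example: sanity-check a Windows "route print" table for the
# "random garbage" host-route symptom discussed in this thread.
# Sample lines are constructed; interface and networks are assumed.
import ipaddress
import re

# destination  netmask  gateway(or On-link)  interface  metric
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

def parse_route_print(text):
    """Return (dest, mask, gateway, interface, metric) tuples from the
    'Active Routes' section of Windows 'route print' output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append((dest, mask, gw, iface, int(metric)))
    return routes

def bogus_host_routes(text, tunnel_if, expected_nets):
    """Host routes (/32) on the tunnel interface whose destination is not
    inside any expected tunneled network. On-link routes (the adapter's
    own address) are ignored."""
    allowed = [ipaddress.ip_network(n) for n in expected_nets]
    found = []
    for dest, mask, gw, iface, _ in parse_route_print(text):
        if iface != tunnel_if or gw == "On-link" or mask != "255.255.255.255":
            continue
        addr = ipaddress.ip_address(dest)
        if not any(addr in net for net in allowed):
            found.append(dest)
    return found

# Constructed sample in the shape of the third table above (assumed values).
SAMPLE = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.7.165 25
0.0.0.3 255.255.255.255 10.0.0.1 10.0.240.2 31
0.34.243.152 255.255.255.255 10.0.0.1 10.0.240.2 31
10.0.0.0 255.255.248.0 10.0.240.1 10.0.240.2 31
10.0.240.2 255.255.255.255 On-link 10.0.240.2 286
10.5.0.0 255.255.0.0 10.0.240.1 10.0.240.2 31
10.5.1.7 255.255.255.255 10.0.240.1 10.0.240.2 31
"""

if __name__ == "__main__":
    # Tunnel adapter 10.0.240.2; server is expected to push 10.0.0.0/21 and 10.5.0.0/16
    for d in bogus_host_routes(SAMPLE, "10.0.240.2", ["10.0.0.0/21", "10.5.0.0/16"]):
        print("suspicious host route:", d)
```

On a real machine, feed it the saved output of `route print` taken after the tunnel comes up; a non-empty result is the condition the thread describes.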
    #51234

    mattschedler
    Participant

    I am getting almost identical results. I have been unable to find any info about this anywhere else. I add 10.0.0.0/24 and I get 41 routes added in my windows XP client nearly identical to dnsadmin. Anyone find anything?

    #51235

    ppalias
    Member

    Could you try with a client config identical to mine? Those routes don’t seem right and I cannot tell where are they coming from.

    #51236

    mattschedler
    Participant

    I’m using the default from one of the howtos there… Less the comments it looks like this:

    remote vpn.myserver.net 1194
    proto tcp
    auth-user-pass
    ca CA.pem
    ;cert client.pem
    ;key client.pem
    comp-lzo
    verb 3
    mute 20
    resolv-retry infinite
    nobind
    client
    dev tap
    persist-key
    persist-tun

    Wonder if the client could be involved too… I’m using the Windows OpenVPN client Access Server client instead of the community one (it seemed to have a more “simplified” interface).

    #51237

    ppalias
    Member

    I always use the community software and the gui is working fine for me for a simplified way to operate.

    #51238

    mattschedler
    Participant

    I have an unused laptop with XP and my own with Kubuntu 10.04 that I will try out this weekend… I’ll see what happens with the different setups and clients. The only thing I want to accomplish is to have normal internet traffic on the client not go thru the openvpn tunnel.

    #51239

    dnsadmin
    Member

    I’m also using the community software. Windows 7, so according to everything I’ve read, I need those route-method lines (in fact without them I get errors! and no route changes)

    From what I see in the config differences, none would relate to the route issue (tcp vs udp, logging, using keys in addition to password… all those things are “pre route” so to speak).

    In your working configuration, is it also windows 7?

    Perhaps increasing the logging verbosity will provide some idea. I’ll also experiment today; the basis of my configuration was likely the same sample set that Matt used.

    #51240

    mattschedler
    Participant

    One other similarity I see is that we both seem to be using the 10.0.0.0 network addresses range on one end or the other… can’t see why that would be an issue but I’ll point it out anyway just in case.

    I did try one other thing, I tried adding only a couple of IP addresses to the “traffic to tunnel” and got the same results. Thought that was strange.

    Last thing I’ll mention, looking at dnsadmin’s routing table it looks like something else that’s similar might be happening… can’t tell sure because the test environment where I noticed this part was flawed. Anyway, when I configure a network to tunnel, after a connect and then a disconnect, the client’s default gateway is stripped away. I have yet to verify this in a proper environment (looks like my weekend will be busy with tinkering).

    I have to say though, other than this hiccup, this is a fabulous project. I currently have 4 branches plus our main location, all in a 5 state area connected together using ZS Lan-to-Lan. Each office’s telephone system is VOIP connected and all 5 can call any extension in any office. The only thing not working as well or better than the old systems is the QoS… It’s just whooping my butt in one office where the bandwidth is way too low. I was using linux and tc. I just can’t quite seem to get it as good using ZS. Another day perhaps.

    #51241

    mattschedler
    Participant

    Looks like I may have an answer. Basically I tried 3 different versions of the windoze client. One from openvpn.se (linked from the howto on ZS page) and two clients (“Access server” and “Community”) from openvpn.net. Did this:

    Installed version from openvpn.se and all worked as it should and routes set up fine. Disconnect worked fine as well (didn’t strip out my default gw). Uninstalled and removed tap device.

    Installed community version from openvpn.net… got crazy route additions and disconnect stripped out my default gateway. (route addresses were much more similar to dnsadmin, btw). Uninstalled and removed tap device.

    Installed “Access Server” version from openvpn.net… got crazy routes (slightly different than previously) and gw was stripped. Uninstalled and removed device.

    Installed openvpn.se community version again… ran perfectly as before. Routes normal and gateway was not stripped.

    Also, both openvpn.net versions did not set up the correct routes either so no connectivity to remote network. I noticed that both showed tap driver versions to be 9.x (9.11 and 9.13 I think) while the version that worked had version 8.01 (?).

    I think it’s safe to conclude that there is an issue with the version of the client network device driver. Removing whatever version of openvpn.net you have and getting the version from openvpn.se seems to be the ticket.

    Link: http://openvpn.se/download.html

    #51242

    mattschedler
    Participant

    Unfortunately, using the older version turned out to be not such a good option. It requires the client user to have Administrative rights (a couple of options can get around it but none of them I liked very much). So that, at least for me, is out.

    Good news is, after some googling and tinkering, I think I have found a fix. I found on a debian list, something that sounds like the same issue (bug #600166) and at least a temporary resolution. Using this as a guide, I made a change to a script on a test ZS box which changes one of the “push” options slightly.

    On line 61 of “/root/kerbynet.cgi/scripts/vpn_start”:

    PUSHNETS0="route remote_host 255.255.255.255 net_gateway 1"

    Replace “remote_host” with “OPENVPN_REMOTE_PEER”

    Routes are now added and removed correctly with all three tested client programs and the default gateway is left alone (and not deleted on disconnect). After multiple connects and disconnects I am satisfied that it is working like it should. I assume that this change will not survive a reboot but I haven’t checked.

    #51243

    dnsadmin
    Member

    OpenVPN 2.1.4 — released on 2010.11.09 (Change Log) included a fix:

    Fixed problem with special case route targets (‘remote_host’), which could cause filling of the routing table with random garbage.

    I’m now seeing good behavior, so long as the user runs openvpn as administrator. (Your workaround kept me going for a bit, thanks again Matt)

    😉

    #51244

    mattschedler
    Participant

    Glad to be of help. I don’t suppose you tried openVpn without being administrator? There’s an upgrade to ZeroShell too… wonder if there’s anything in there that affects this.

    Well… one way or the other I have it working and it survives a ZeroShell reboot.

    Thanks dnsadmin for the additional info.

    #51245

    dnsadmin
    Member

    No problem Matt.

    Yes, I did try — it’s still a requirement to become administrator. I haven’t seen any release notes for the upgrade of ZeroShell, and haven’t had time to try anything there either.

    The upgrade cleaned up the configuration a lot. For me, I’m using:

    remote vpn.company.com 1194
    remote-random
    resolv-retry infinite

    proto tcp

    auth-user-pass # require username/password dialog

    pkcs12 user.pfx # Use pkcs12 for ca, pub/pvt key
    tls-remote /OU=Hosts/CN=vpn.company.com

    client # This is a client config
    dev tap # Ethernet Tunnel mode
    comp-lzo # Compress traffic

    verb 1 # Logging level
    mute 10 # Limit consecutive logging of same category messages
    #show-net-up # Log routing table & network adapter info after we’re up

    nobind # Don’t bind to local addr/port
    persist-key # Don’t re-read keyfile on soft restart
    persist-tun # Don’t close and reopen device, run scripts on soft restart
