www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices
 
Host-to-site route add problem?

 
dnsadmin



Joined: 19 Oct 2010
Posts: 12

Posted: Tue Oct 19, 2010 10:47 pm    Post subject: Host-to-site route add problem?

I'm not sure if I'm misconfiguring something, or have encountered a bug.

Win 7, openvpn set with route-method exe and route-delay 2

When I establish a connection and have not configured additional routes to be pushed to the client, the client log shows route add xxx OK. I can manually add additional routes from my DOS command line.

If I configure ZeroShell to tunnel additional LANs, I get a large number of bogus routes. I'm setting up the additional routes in the "IP Traffic to tunnel through VPN" dialog box (VPN, Net button in Client IP Range area) and can enter either 10.0.0.0/8 OR 10.0.0.0/255.255.0.0, which yields the same series of bad routes (variants of addresses which look like they're on 32-bit mask boundaries, with netmask of 255.255.255.255).

I'm in a routed situation on the zeroshell side (10.10.250.x client range for instance).

I'd be happy to provide any further information or attempt to debug with someone.

Thanks in advance for the assistance.
ppalias



Joined: 17 Dec 2008
Posts: 1151
Location: Athens, Greece

Posted: Wed Oct 20, 2010 11:07 am

Here is a sample openvpn config file for windows connecting to Zeroshell
Code:

remote someip.dyndns.org 1194
proto udp
#auth-user-pass
ca CA_Zeroshell.pem
cert trendy.pem
key  trendy.pem
comp-lzo
verb 3
mute 20
resolv-retry infinite
nobind
client
dev tap
keepalive 5 60
persist-key
persist-tun

Make sure you run it as administrator on windows 7. Can you paste here the output of
Code:
route print
on windows before and after the openvpn establishes the connection? Also set a network that is already connected on the ZS, this shouldn't make any difference but I'm just guessing.
dnsadmin



Joined: 19 Oct 2010
Posts: 12

Posted: Wed Oct 20, 2010 3:45 pm

Client.ovpn
Code:
remote myserver.ip.address 1194
proto tcp
auth-user-pass
ca zeroshell.pem
cert user.pem
key  user.pem
auth-nocache
comp-lzo
verb 4
mute 10
resolv-retry infinite
nobind
client
dev tap
persist-key
persist-tun
route-method exe
route-delay 2


No VPN connected
Code:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.7.165     25
         10.0.0.0    255.255.248.0         On-link        10.0.7.165    281
       10.0.7.165  255.255.255.255         On-link        10.0.7.165    281
       10.0.7.255  255.255.255.255         On-link        10.0.7.165    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.16.0  255.255.255.248         On-link      192.168.16.1    286
     192.168.16.1  255.255.255.255         On-link      192.168.16.1    286
     192.168.16.7  255.255.255.255         On-link      192.168.16.1    286
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        10.0.7.165    282
        224.0.0.0        240.0.0.0         On-link      192.168.16.1    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        10.0.7.165    281
  255.255.255.255  255.255.255.255         On-link      192.168.16.1    286
===========================================================================
Persistent Routes:
  None


Route output for vpn connected, NO additional routes configured
Code:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.0.240.1       10.0.240.2     31
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.7.165     25
         10.0.0.0    255.255.248.0       10.0.240.1       10.0.240.2     31
         10.0.0.0    255.255.248.0         On-link        10.0.7.165    281
       10.0.7.165  255.255.255.255         On-link        10.0.7.165    281
       10.0.7.255  255.255.255.255         On-link        10.0.7.165    281
       10.0.240.0    255.255.255.0         On-link        10.0.240.2    286
       10.0.240.2  255.255.255.255         On-link        10.0.240.2    286
     10.0.240.255  255.255.255.255         On-link        10.0.240.2    286
         10.5.0.0      255.255.0.0       10.0.240.1       10.0.240.2     31
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.16.0  255.255.255.248         On-link      192.168.16.1    286
     192.168.16.1  255.255.255.255         On-link      192.168.16.1    286
     192.168.16.7  255.255.255.255         On-link      192.168.16.1    286
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        10.0.7.165    282
        224.0.0.0        240.0.0.0         On-link        10.0.240.2    284
        224.0.0.0        240.0.0.0         On-link      192.168.16.1    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        10.0.7.165    281
  255.255.255.255  255.255.255.255         On-link        10.0.240.2    286
  255.255.255.255  255.255.255.255         On-link      192.168.16.1    286
===========================================================================
Persistent Routes:
  None


With 10.5.0.0/8 added to the ZeroShell config:
Code:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.7.165     25
          0.0.0.0          0.0.0.0     75.213.79.31       10.0.7.165     26
          0.0.0.0  255.255.255.255         10.0.0.1       10.0.240.2     31
          0.0.0.1  255.255.255.255         10.0.0.1       10.0.240.2     31
          0.0.0.3  255.255.255.255         10.0.0.1       10.0.240.2     31
         0.0.0.12  255.255.255.255         10.0.0.1       10.0.240.2     31
         0.0.0.15  255.255.255.255         10.0.0.1       10.0.240.2     31
        0.0.0.194  255.255.255.255         10.0.0.1       10.0.240.2     31
        0.0.11.64  255.255.255.255         10.0.0.1       10.0.240.2     31
         0.0.48.0  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.34.243.152  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.34.243.184  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.34.243.216  255.255.255.255         10.0.0.1       10.0.240.2     31
      0.34.244.56  255.255.255.255         10.0.0.1       10.0.240.2     31
      0.34.244.80  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.34.244.104  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.34.244.140  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.34.244.152  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.34.244.188  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.34.244.192  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.34.244.232  255.255.255.255         10.0.0.1       10.0.240.2     31
      0.34.245.24  255.255.255.255         10.0.0.1       10.0.240.2     31
      0.34.245.80  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.34.251.228  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.34.251.248  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.34.253.224  255.255.255.255         10.0.0.1       10.0.240.2     31
       0.64.0.142  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.64.166.220  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.64.205.124  255.255.255.255         10.0.0.1       10.0.240.2     31
      0.64.214.67  255.255.255.255         10.0.0.1       10.0.240.2     31
      0.65.17.243  255.255.255.255         10.0.0.1       10.0.240.2     31
      0.65.28.146  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.68.143.120  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.69.241.255  255.255.255.255         10.0.0.1       10.0.240.2     31
      0.69.242.97  255.255.255.255         10.0.0.1       10.0.240.2     31
       0.71.37.69  255.255.255.255         10.0.0.1       10.0.240.2     31
       0.71.68.64  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.72.195.184  255.255.255.255         10.0.0.1       10.0.240.2     31
      0.112.206.0  255.255.255.255         10.0.0.1       10.0.240.2     31
    0.112.228.212  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.113.63.208  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.115.241.12  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.116.109.40  255.255.255.255         10.0.0.1       10.0.240.2     31
      0.117.27.52  255.255.255.255         10.0.0.1       10.0.240.2     31
      0.117.27.64  255.255.255.255         10.0.0.1       10.0.240.2     31
    0.117.201.184  255.255.255.255         10.0.0.1       10.0.240.2     31
    0.117.201.188  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.135.43.228  255.255.255.255         10.0.0.1       10.0.240.2     31
    0.135.242.112  255.255.255.255         10.0.0.1       10.0.240.2     31
    0.135.246.128  255.255.255.255         10.0.0.1       10.0.240.2     31
     6.216.13.238  255.255.255.255         10.0.0.1       10.0.240.2     31
         10.0.0.0    255.255.248.0       10.0.240.1       10.0.240.2     31
         10.0.0.0    255.255.248.0         On-link        10.0.7.165    281
       10.0.7.165  255.255.255.255         On-link        10.0.7.165    281
       10.0.7.255  255.255.255.255         On-link        10.0.7.165    281
       10.0.240.0    255.255.255.0         On-link        10.0.240.2    286
       10.0.240.2  255.255.255.255         On-link        10.0.240.2    286
     10.0.240.255  255.255.255.255         On-link        10.0.240.2    286
         10.5.0.0      255.255.0.0       10.0.240.1       10.0.240.2     31
         34.0.0.3  255.255.255.255         10.0.0.1       10.0.240.2     31
    70.91.142.123  255.255.255.255         10.0.0.1       10.0.240.2     31
   119.76.156.222  255.255.255.255         10.0.0.1       10.0.240.2     31
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.16.0  255.255.255.248         On-link      192.168.16.1    286
     192.168.16.1  255.255.255.255         On-link      192.168.16.1    286
     192.168.16.7  255.255.255.255         On-link      192.168.16.1    286
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        10.0.7.165    282
        224.0.0.0        240.0.0.0         On-link        10.0.240.2    284
        224.0.0.0        240.0.0.0         On-link      192.168.16.1    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        10.0.7.165    281
  255.255.255.255  255.255.255.255         On-link        10.0.240.2    286
  255.255.255.255  255.255.255.255         On-link      192.168.16.1    286
===========================================================================
Persistent Routes:
  None
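ppalias asked for `route print` before and after the connection, and dnsadmin's three dumps above are exactly that data. The script below is an added example, not code from this thread, from ZeroShell or from OpenVPN: it parses two such dumps, lists the rows the connection added, and flags the two patterns visible in the third dump, namely host routes whose destination lies inside 0.0.0.0/8 and routes whose next hop is not inside any On-link prefix of the egress interface (a next hop like that can never be resolved, so the entry is unusable however it got there). The embedded BEFORE and AFTER tables are abbreviated excerpts of the dumps posted above, not invented rows.

```python
"""Diff two Windows `route print` dumps (before/after an OpenVPN connect)
and flag entries that cannot be legitimate. Added example; not ZeroShell code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One "Active Routes" row: dest, netmask, gateway-or-On-link, interface, metric
_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(On-link|\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means On-link
    iface: ipaddress.IPv4Address
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Keep only the IPv4 'Active Routes' rows; headers and rules are skipped."""
    routes = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append(Route(
                ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
                None if gw == "On-link" else ipaddress.IPv4Address(gw),
                ipaddress.IPv4Address(iface), int(metric)))
    return routes


def added_routes(before: List[Route], after: List[Route]) -> List[Route]:
    """Rows present after the connection that were not there before."""
    seen = set(before)
    return [r for r in after if r not in seen]


def onlink_networks(table: List[Route], iface: ipaddress.IPv4Address):
    """Prefixes directly attached to the interface that owns address `iface`."""
    return [r.dest for r in table if r.gateway is None and r.iface == iface]


def suspicious_routes(table: List[Route],
                      candidates: Optional[List[Route]] = None
                      ) -> List[Tuple[Route, str]]:
    """Two checks derived from the garbage in the dumps above:
    1. a destination inside 0.0.0.0/8 (other than the default route itself)
       is not a valid unicast target;
    2. a next hop outside every On-link prefix of its egress interface can
       never be resolved, so the route is unusable."""
    zero_net = ipaddress.IPv4Network("0.0.0.0/8")
    findings = []
    for r in (table if candidates is None else candidates):
        if r.dest.prefixlen > 0 and r.dest.subnet_of(zero_net):
            findings.append((r, "destination inside 0.0.0.0/8"))
        elif r.gateway is not None and not any(
                r.gateway in net for net in onlink_networks(table, r.iface)):
            findings.append((r, f"next hop {r.gateway} not on-link via {r.iface}"))
    return findings


# Abbreviated excerpts of the dumps posted above (rows shortened, not invented).
BEFORE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.7.165     25
         10.0.0.0    255.255.248.0         On-link        10.0.7.165    281
  255.255.255.255  255.255.255.255         On-link        10.0.7.165    281
"""
AFTER = """\
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.7.165     25
          0.0.0.0          0.0.0.0     75.213.79.31       10.0.7.165     26
          0.0.0.0  255.255.255.255         10.0.0.1       10.0.240.2     31
     0.34.243.152  255.255.255.255         10.0.0.1       10.0.240.2     31
     6.216.13.238  255.255.255.255         10.0.0.1       10.0.240.2     31
         10.0.0.0    255.255.248.0       10.0.240.1       10.0.240.2     31
         10.0.0.0    255.255.248.0         On-link        10.0.7.165    281
       10.0.240.0    255.255.255.0         On-link        10.0.240.2    286
       10.0.240.2  255.255.255.255         On-link        10.0.240.2    286
         10.5.0.0      255.255.0.0       10.0.240.1       10.0.240.2     31
        224.0.0.0        240.0.0.0         On-link        10.0.240.2    284
  255.255.255.255  255.255.255.255         On-link        10.0.7.165    281
  255.255.255.255  255.255.255.255         On-link        10.0.240.2    286
"""


def report(before_text: str, after_text: str) -> List[str]:
    """Human-readable findings for the rows the connection added."""
    before, after = parse_route_print(before_text), parse_route_print(after_text)
    added = added_routes(before, after)
    return [f"{r.dest} via {'On-link' if r.gateway is None else r.gateway} "
            f"on {r.iface}: {why}" for r, why in suspicious_routes(after, added)]


if __name__ == "__main__":
    print("\n".join(report(BEFORE, AFTER)))
```

Run against the excerpt, the legitimate pushes (10.0.0.0/21 and 10.5.0.0/16 via the tunnel gateway 10.0.240.1) pass both checks, while the /32 entries in 0.0.0.0/8 and the entries pointing at 10.0.0.1 through the TAP interface are flagged. Feed it the full dumps (`route print > before.txt`, connect, `route print > after.txt`) to get the complete list.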
mattschedler



Joined: 20 Oct 2010
Posts: 9

Posted: Wed Oct 20, 2010 6:41 pm

I am getting almost identical results. I have been unable to find any info about this anywhere else. I add 10.0.0.0/24 and I get 41 routes added in my windows XP client nearly identical to dnsadmin. Anyone find anything?
ppalias



Joined: 17 Dec 2008
Posts: 1151
Location: Athens, Greece

Posted: Thu Oct 21, 2010 7:32 am

Could you try with a client config identical to mine? Those routes don't seem right and I cannot tell where they are coming from.
mattschedler



Joined: 20 Oct 2010
Posts: 9

Posted: Thu Oct 21, 2010 10:45 pm

I'm using the default from one of the howto's there... Less the comments it looks like this:

remote vpn.myserver.net 1194
proto tcp
auth-user-pass
ca CA.pem
;cert client.pem
;key client.pem
comp-lzo
verb 3
mute 20
resolv-retry infinite
nobind
client
dev tap
persist-key
persist-tun

Wonder if the client could be involved too... I'm using the Windows OpenVPN Access Server client instead of the community one (it seemed to have a more "simplified" interface).
ppalias



Joined: 17 Dec 2008
Posts: 1151
Location: Athens, Greece

Posted: Fri Oct 22, 2010 6:41 am

I always use the community software and the gui is working fine for me for a simplified way to operate.
mattschedler



Joined: 20 Oct 2010
Posts: 9

Posted: Fri Oct 22, 2010 4:52 pm

I have an unused laptop with XP and my own with Kubuntu 10.04 that I will try out this weekend... I'll see what happens with the different setups and clients. The only thing I want to accomplish is to have normal internet traffic on the client not go through the OpenVPN tunnel.
dnsadmin



Joined: 19 Oct 2010
Posts: 12

Posted: Fri Oct 22, 2010 6:06 pm

I'm also using the community software. Windows 7, so according to everything I've read, I need those route-method lines (in fact without them I get errors! and no route changes).

From what I see in the config differences, none would relate to the route issue (tcp vs udp, logging, using keys in addition to password... all those things are "pre route" so to speak).

In your working configuration, is it also windows 7?

Perhaps increasing the logging verbosity will provide some idea. I'll also experiment today; the basis of my configuration was likely the same sample set that Matt used.
mattschedler



Joined: 20 Oct 2010
Posts: 9

Posted: Fri Oct 22, 2010 7:19 pm

One other similarity I see is that we both seem to be using the 10.0.0.0 network addresses range on one end or the other... can't see why that would be an issue but I'll point it out anyway just in case.

I did try one other thing, I tried adding only a couple of IP addresses to the "traffic to tunnel" and got the same results. Thought that was strange.

Last thing I'll mention, looking at dnsadmin's routing table it looks like something else that's similar might be happening... can't tell for sure because the test environment where I noticed this part was flawed. Anyway, when I configure a network to tunnel, after a connect and then a disconnect, the client's default gateway is stripped away. I have yet to verify this in a proper environment (looks like my weekend will be busy with tinkering).

I have to say though, other than this hiccup, this is a fabulous project. I currently have 4 branches plus our main location, all in a 5 state area connected together using ZS LAN-to-LAN. Each office's telephone system is VoIP connected and all 5 can call any extension in any office. The only thing not working as well or better than the old systems is the QoS... It's just whooping my butt in one office where the bandwidth is way too low. I was using Linux and tc. I just can't quite seem to get it as good using ZS. Another day perhaps.
mattschedler



Joined: 20 Oct 2010
Posts: 9

Posted: Sun Oct 24, 2010 8:27 pm

Looks like I may have an answer. Basically I tried 3 different versions of the windoze client: one from openvpn.se (linked from the howto on the ZS page) and two clients ("Access Server" and "Community") from openvpn.net. Did this:

Installed version from openvpn.se and all worked as it should and routes set up fine. Disconnect worked fine as well (didn't strip out my default gw). Uninstalled and removed tap device.

Installed community version from openvpn.net... got crazy route additions and disconnect stripped out my default gateway (route addresses were much more similar to dnsadmin's, btw). Uninstalled and removed TAP device.

Installed "Access Server" version from openvpn.net... got crazy routes (slightly different than previously) and gw was stripped. Uninstalled and removed device.

Installed openvpn.se community version again... ran perfectly as before. Routes normal and gateway was not stripped.

Also, both openvpn.net versions did not set up the correct routes either, so no connectivity to the remote network. I noticed that both showed TAP driver versions to be 9.x (9.11 and 9.13 I think) while the version that worked had version 8.01 (?).

I think it's safe to conclude that there is an issue with the version of the client network device driver. Removing whatever version of openvpn.net you have and getting the version from openvpn.se seems to be the ticket.

Link: http://openvpn.se/download.html
mattschedler



Joined: 20 Oct 2010
Posts: 9

Posted: Tue Oct 26, 2010 7:46 pm

Unfortunately, using the older version turned out to be not such a good option. It requires the client user to have Administrative rights (a couple of options can get around it but none of them I liked very much). So that, at least for me, is out.

Good news is, after some googling and tinkering, I think I have found a fix. I found on a debian list, something that sounds like the same issue (bug #600166) and at least a temporary resolution. Using this as a guide, I made a change to a script on a test ZS box which changes one of the "push" options slightly.

On line 61 of "/root/kerbynet.cgi/scripts/vpn_start":
Code:
PUSHNETS0="route remote_host 255.255.255.255 net_gateway 1"

Replace "remote_host" with "OPENVPN_REMOTE_PEER"

Routes are now added and removed correctly with all three tested client programs and the default gateway is left alone (and not deleted on disconnect). After multiple connects and disconnects I am satisfied that it is working like it should. I assume that this change will not survive a reboot but I haven't checked.
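The line in vpn_start quoted above uses two of OpenVPN's special route targets: `remote_host`, which the client replaces with the address of the server it actually connected to, and `net_gateway`, which it replaces with its own pre-existing default gateway (the third one, `vpn_gateway`, is the far end of the tunnel). The intended result is therefore one host route that pins the VPN server behind the physical gateway, so tunnel transport never gets routed into the tunnel itself. The Python below is an added example, not code from this thread, from ZeroShell or from OpenVPN: it expands a pushed `route` option the way a client would and emits the equivalent Windows `route ADD` command, refusing any target that is neither a special name nor a literal address. The server address 203.0.113.10 is made up; 10.0.0.1 and 10.0.240.1 are the client's default gateway and the tunnel gateway visible in dnsadmin's route tables, and the `route 10.5.0.0 255.255.0.0` push string is assumed from the 10.5.0.0/16 entry there.

```python
"""Expand the special targets OpenVPN allows in a pushed `route` option
(vpn_gateway, net_gateway, remote_host) and emit the Windows `route ADD`
line a client would run. Added example; not ZeroShell or OpenVPN code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SPECIAL_TARGETS = ("vpn_gateway", "net_gateway", "remote_host")


@dataclass(frozen=True)
class ClientContext:
    """What the client knows at route-installation time."""
    remote_host: str  # address of the server the client actually connected to
    net_gateway: str  # the client's pre-existing default gateway
    vpn_gateway: str  # gateway at the far end of the tunnel


def resolve_target(token: str, ctx: ClientContext) -> str:
    """Map a special target name to a concrete address. Literal addresses pass
    through; anything else raises ValueError instead of being installed."""
    if token in SPECIAL_TARGETS:
        return getattr(ctx, token)
    return str(ipaddress.IPv4Address(token))  # AddressValueError is a ValueError


def expand_route(option: str, ctx: ClientContext
                 ) -> Tuple[str, str, str, Optional[int]]:
    """Parse `route network [netmask [gateway [metric]]]`.
    Defaults follow the OpenVPN --route documentation: netmask
    255.255.255.255, gateway vpn_gateway, no explicit metric."""
    parts = option.split()
    if len(parts) < 2 or len(parts) > 5 or parts[0] != "route":
        raise ValueError(f"not a route option: {option!r}")
    network = resolve_target(parts[1], ctx)
    netmask = parts[2] if len(parts) > 2 else "255.255.255.255"
    gateway = resolve_target(parts[3], ctx) if len(parts) > 3 else ctx.vpn_gateway
    metric = int(parts[4]) if len(parts) > 4 else None
    ipaddress.IPv4Network(f"{network}/{netmask}", strict=False)  # validates mask
    return network, netmask, gateway, metric


def windows_route_add(option: str, ctx: ClientContext) -> str:
    """The `route ADD dest MASK mask gateway [METRIC n]` form Windows accepts."""
    network, netmask, gateway, metric = expand_route(option, ctx)
    cmd = f"route ADD {network} MASK {netmask} {gateway}"
    return cmd if metric is None else f"{cmd} METRIC {metric}"


def expand_pushed(options: List[str], ctx: ClientContext) -> List[str]:
    """Expand every pushed route; one bad option aborts the whole set rather
    than letting a garbage entry reach the routing table."""
    return [windows_route_add(o, ctx) for o in options]


# Constructed context: the server address is made up; the two gateways are the
# client's default gateway and the tunnel gateway from the route tables above.
EXAMPLE_CTX = ClientContext(remote_host="203.0.113.10",
                            net_gateway="10.0.0.1",
                            vpn_gateway="10.0.240.1")

# The push from vpn_start line 61, plus an assumed push string for the
# 10.5.0.0/16 LAN that appears in dnsadmin's tables.
EXAMPLE_PUSH = [
    "route remote_host 255.255.255.255 net_gateway 1",
    "route 10.5.0.0 255.255.0.0",
]

if __name__ == "__main__":
    for line in expand_pushed(EXAMPLE_PUSH, EXAMPLE_CTX):
        print(line)
```

With the constructed context the first push expands to `route ADD 203.0.113.10 MASK 255.255.255.255 10.0.0.1 METRIC 1`, a single host route out of the physical interface, and the second to `route ADD 10.5.0.0 MASK 255.255.0.0 10.0.240.1`, which matches the 10.5.0.0/16 entry in the dumps. Neither produces anything in 0.0.0.0/8 or pointed at 10.0.0.1 through the TAP adapter, which is how you can tell the extra entries in the third dump were not what the server pushed.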
dnsadmin



Joined: 19 Oct 2010
Posts: 12

Posted: Fri Jan 21, 2011 3:11 pm    Post subject: Looks like there's a fix...

OpenVPN 2.1.4 -- released on 2010.11.09 (Change Log) included a fix:

Fixed problem with special case route targets ('remote_host'), which could cause filling of the routing table with random garbage.

I'm now seeing good behavior, so long as the user runs openvpn as administrator. (Your workaround kept me going for a bit, thanks again Matt)

mattschedler



Joined: 20 Oct 2010
Posts: 9

Posted: Fri Jan 21, 2011 5:04 pm    Post subject: Re: Looks like there's a fix...

Glad to be of help. I don't suppose you tried OpenVPN without being administrator? There's an upgrade to ZeroShell too... wonder if there's anything in there that affects this.

Well... one way or the other I have it working and it survives a ZeroShell reboot.

Thanks dnsadmin for the additional info.
dnsadmin



Joined: 19 Oct 2010
Posts: 12

Posted: Fri Jan 21, 2011 7:53 pm

No problem Matt.

Yes, I did try -- it's still a requirement to become administrator. I haven't seen any release notes for the upgrade of ZeroShell, and haven't had time to try anything there either.

The upgrade cleaned up the configuration a lot. For me, I'm using:
Code:
remote vpn.company.com 1194
remote-random
resolv-retry infinite

proto tcp

auth-user-pass # require username/password dialog

pkcs12 user.pfx # Use pkcs12 for ca, pub/pvt key
tls-remote /OU=Hosts/CN=vpn.company.com

client # This is a client config
dev tap # Ethernet Tunnel mode
comp-lzo # Compress traffic

verb 1 # Logging level
mute 10 # Limit consecutive logging of same category messages
#show-net-up # Log routing table & network adapter info after we're up

nobind # Don't bind to local addr/port
persist-key # Don't re-read keyfile on soft restart
persist-tun # Don't close and reopen device, run scripts on soft restart