    Openvpn route error
    • Y
      yaya last edited by

      Hello,

      I have problems with openvpn giving me route errors. I have the system in a lab environment with no internet. It's set up to talk to the other router and I can ssh from one router to the other. I can't ping from one computer to the other. That being said, this is the route error that I get on both sides.

      ERROR: FreeBSD route add command failed: shell command exited with error status: 1

      Server

      Aug 21 21:54:28 openvpn[289]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
      Aug 21 21:54:28 openvpn[289]: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible
      Aug 21 21:54:28 openvpn[289]: gw 172.35.222.50
      Aug 21 21:54:28 openvpn[289]: TUN/TAP device /dev/tun0 opened
      Aug 21 21:54:28 openvpn[289]: /sbin/ifconfig tun0 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
      Aug 21 21:54:28 openvpn[289]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
      Aug 21 21:54:28 openvpn[296]: UDPv4 link local (bound): [undef]:1194
      Aug 21 21:54:28 openvpn[296]: UDPv4 link remote: [undef]
      Aug 21 21:54:28 openvpn[296]: Initialization Sequence Completed
      Aug 21 21:54:29 openvpn[296]: Need IPv6 code in mroute_extract_addr_from_packet
      Aug 21 21:54:34 last message repeated 2 times
      Aug 21 21:55:35 openvpn[296]: 172.35.222.3:1194 Re-using SSL/TLS context
      Aug 21 21:55:35 openvpn[296]: 172.35.222.3:1194 LZO compression initialized
      Aug 21 21:55:35 openvpn[296]: 172.35.222.3:1194 [ client.yaya.blah.com] Peer Connection Initiated with 172.35.222.3:1194
      Aug 21 21:55:39 openvpn[296]: client.yaya.blah.com/172.35.222.3:1194 Need IPv6 code in mroute_extract_addr_from_packet
      Aug 21 21:55:42 openvpn[296]: client.yaya.blah.com/172.35.222.3:1194 Need IPv6 code in mroute_extract_addr_from_packet

      Client

      Aug 21 22:03:02 openvpn[262]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
      Aug 21 22:03:02 openvpn[262]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
      Aug 21 22:03:02 openvpn[262]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Aug 21 22:03:02 openvpn[262]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
      Aug 21 22:03:02 openvpn[262]: LZO compression initialized
      Aug 21 22:03:02 openvpn[263]: UDPv4 link local (bound): [undef]:1194
      Aug 21 22:03:02 openvpn[263]: UDPv4 link remote: 172.35.222.2:1194
      Aug 21 22:03:13 openvpn[263]: write UDPv4: Host is down (code=64)
      Aug 21 22:03:22 last message repeated 4 times
      Aug 21 22:03:22 openvpn[263]: [server.luku.blah.com] Peer Connection Initiated with 172.35.222.2:1194
      Aug 21 22:03:23 openvpn[263]: gw 172.35.222.45
      Aug 21 22:03:23 openvpn[263]: TUN/TAP device /dev/tun0 opened
      Aug 21 22:03:23 openvpn[263]: /sbin/ifconfig tun0 192.168.200.6 192.168.200.5 mtu 1500 netmask 255.255.255.255 up
      Aug 21 22:03:23 openvpn[263]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
      Aug 21 22:03:23 openvpn[263]: Initialization Sequence Completed

      Thanks for the help in advance

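The logs in the post above carry two security warnings next to the route error. As an added example (not part of the original thread), this Python triage separates them from the routing failure; the rule names and the `triage` function are assumptions made for illustration, and the sample lines are copied from the client log above.

```python
import re

# Lines copied from the client log posted in the thread above.
SAMPLE_LOG = """\
Aug 21 22:03:02 openvpn[262]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 21 22:03:02 openvpn[262]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
Aug 21 22:03:02 openvpn[262]: LZO compression initialized
Aug 21 22:03:13 openvpn[263]: write UDPv4: Host is down (code=64)
Aug 21 22:03:22 last message repeated 4 times
Aug 21 22:03:23 openvpn[263]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
Aug 21 22:03:23 openvpn[263]: Initialization Sequence Completed
"""

# (rule id, category, pattern); ids and categories are illustrative names.
RULES = [
    ("no-server-cert-verification", "security",
     re.compile(r"No server certificate verification method has been enabled")),
    ("key-file-permissions", "security",
     re.compile(r"file '(?P<detail>[^']+)' is group or others accessible")),
    ("route-add-failed", "routing",
     re.compile(r"route add command failed")),
]

# Syslog prefix as it appears in the posted logs: "Aug 21 22:03:02 openvpn[262]: msg"
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8})\s+openvpn\[\d+\]: (?P<msg>.*)$")


def triage(log_text):
    """Return (rule_id, category, timestamp, detail) for every matching line."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skips lines such as "last message repeated N times"
        for rule_id, category, pattern in RULES:
            hit = pattern.search(m["msg"])
            if hit:
                detail = hit.groupdict().get("detail") or ""
                findings.append((rule_id, category, m["ts"], detail))
    return findings


if __name__ == "__main__":
    for rule_id, category, ts, detail in triage(SAMPLE_LOG):
        print(f"{ts}  [{category}] {rule_id} {detail}".rstrip())
```

The two `security` findings are independent of the routing problem: the private key file should be readable by its owner only, and the client should have a server certificate verification method enabled, as the URL in the warning describes.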
      • F
        fernandotcl last edited by

        We need more info. From what I grasp you're either 1) using an older version of pfSense that still runs OpenVPN as non-root or 2) doing something stupid regarding routes (i.e., make sure you're putting the right stuff into "Remote network").

        • Y
          yaya last edited by

          Software config
          Downloaded RC2 yesterday (liveCD)
          Installed it on 2 systems that are linked via crossover cable in a lab

          ip config

          OPVN server
          wan ip 172.35.222.2
          lan ip 172.22.246.1

          OPVN client
          wan ip 172.35.222.3
          lan ip 172.22.246.2

          Openvpn server config
          protocol: UDP
          Local port: 1194
          Address pool: 192.168.200.0/24
          Use static Ips: unchecked
          Local network: 172.21.246.0/24
          Remote Network: 172.21.246.0/24
          Client to client VPN: Unchecked
          LZO compression: Checked

          Openvpn client config:
          Protocol: UDP
          Server Address: 172.35.222.2
          Server Port: 1194
          LZO Compression: Checked

          • H
            hoba last edited by

            How do you want to route with the same subnets on each site of the tunnel? You have the same LAN subnets at each end.  ;)

            • Y
              yaya last edited by

              I've set up a 3 way openvpn tunnel before with bridging (linux router) with the same subnet at each endpoint. I don't know if I need to have the same subnet to get broadcast to work at both ends? I know that it worked last time by making the vpn server 192.168.1.1 and the clients were 192.168.1.2 and 192.168.1.3. Do I need different subnets on the LAN side of my tunnel? And if so, will broadcast still work?

              thanks for the help

              • S
                sullrich last edited by

                This is not Linux.  You need a different subnet at each end of the tunnel.

                Or break up your subnet into a /27 or something.

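The subnet conflict that hoba and sullrich point out, as an added example that is not part of the original thread: a Python check that flags overlapping networks in the posted server settings and carves the /24 into /27s as sullrich suggests. The function names and the site labels `server_lan` and `client_lan` are assumptions made for illustration.

```python
import ipaddress

# Server-side OpenVPN settings as posted earlier in the thread.
POSTED = {
    "address_pool": "192.168.200.0/24",
    "local_network": "172.21.246.0/24",
    "remote_network": "172.21.246.0/24",
}


def find_overlaps(networks):
    """Return pairs of setting names whose networks overlap, in name order."""
    parsed = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    names = sorted(parsed)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if parsed[a].overlaps(parsed[b])
    ]


def split_for_sites(cidr, new_prefix, sites):
    """Carve one block into equal subnets and give the first ones to the sites."""
    subnets = ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)
    return {site: str(net) for site, net in zip(sites, subnets)}


def side_of(host, plan):
    """Name the site whose subnet contains host, or None if no site covers it."""
    addr = ipaddress.ip_address(host)
    for site, cidr in plan.items():
        if addr in ipaddress.ip_network(cidr):
            return site
    return None


if __name__ == "__main__":
    for a, b in find_overlaps(POSTED):
        print(f"conflict: {a} and {b} overlap")

    # sullrich's alternative: keep the /24 but give each end its own /27.
    plan = split_for_sites("172.21.246.0/24", 27, ["server_lan", "client_lan"])
    print(plan)
    print("remaining conflicts:",
          find_overlaps({**plan, "address_pool": POSTED["address_pool"]}))
    # Hosts outside both /27s belong to neither routed side and need renumbering.
    print("172.21.246.200 ->", side_of("172.21.246.200", plan))
```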
                • Y
                  yaya last edited by

                  I need Broadcast to work. How is broadcast going to work with both LANs on different subnets?

                  Thanks

                  • H
                    hoba last edited by

                    It won't. I don't think there is a way to do this with pfSense's implementation of openvpn atm but I might be wrong.

                    • Y
                      yaya last edited by

                      I changed the client LAN ip address from 172.21.246.0/24 to 172.21.247.0/24. I don't get the route error anymore but can't ping the remote end.

                      Thanks

                      • H
                        hoba last edited by

                        Have a look at this: http://doc.pfsense.org/index.php/Setting_up_OpenVPN_with_pfSense

                        • Y
                          yaya last edited by

                          I'm trying to ping from the client side (client side lan= 172.21.247.0/24) an ip address on the other lan (server side LAN = 172.21.246.0/24) and I don't get any replies :)

                          So far this is what I get on the client side

                          Aug 21 22:03:02   openvpn[262]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
                          Aug 21 22:03:02   openvpn[262]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
                          Aug 21 22:03:02   openvpn[262]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
                          Aug 21 22:03:02   openvpn[262]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
                          Aug 21 22:03:02   openvpn[262]: LZO compression initialized
                          Aug 21 22:03:02   openvpn[263]: UDPv4 link local (bound): [undef]:1194
                          Aug 21 22:03:02   openvpn[263]: UDPv4 link remote: 172.35.222.2:1194
                          Aug 21 22:03:13   openvpn[263]: write UDPv4: Host is down (code=64)
                          Aug 21 22:03:22   last message repeated 4 times
                          Aug 21 22:03:22   openvpn[263]: [server.luku.blah.com] Peer Connection Initiated with 172.35.222.2:1194
                          Aug 21 22:03:23   openvpn[263]: gw 172.35.222.45
                          Aug 21 22:03:23   openvpn[263]: TUN/TAP device /dev/tun0 opened
                          Aug 21 22:03:23   openvpn[263]: /sbin/ifconfig tun0 192.168.200.6 192.168.200.5 mtu 1500 netmask 255.255.255.255 up
                          Aug 21 22:03:23   openvpn[263]: Initialization Sequence Completed

                          Server Side

                          Aug 21 21:54:28   openvpn[289]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
                          Aug 21 21:54:28   openvpn[289]: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible
                          Aug 21 21:54:28   openvpn[289]: gw 172.35.222.50
                          Aug 21 21:54:28   openvpn[289]: TUN/TAP device /dev/tun0 opened
                          Aug 21 21:54:28   openvpn[289]: /sbin/ifconfig tun0 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
                          Aug 21 21:54:28   openvpn[296]: UDPv4 link local (bound): [undef]:1194
                          Aug 21 21:54:28   openvpn[296]: UDPv4 link remote: [undef]
                          Aug 21 21:54:28   openvpn[296]: Initialization Sequence Completed
                          Aug 21 21:54:29   openvpn[296]: Need IPv6 code in mroute_extract_addr_from_packet
                          Aug 21 21:54:34   last message repeated 2 times
                          Aug 21 21:55:35   openvpn[296]: 172.35.222.3:1194 Re-using SSL/TLS context
                          Aug 21 21:55:35   openvpn[296]: 172.35.222.3:1194 LZO compression initialized
                          Aug 21 21:55:35   openvpn[296]: 172.35.222.3:1194 [ client.yaya.blah.com] Peer Connection Initiated with 172.35.222.3:1194
                          Aug 21 21:55:39   openvpn[296]: client.yaya.blah.com/172.35.222.3:1194 Need IPv6 code in mroute_extract_addr_from_packet
                          Aug 21 21:55:42   openvpn[296]: client.yaya.blah.com/172.35.222.3:1194 Need IPv6 code in mroute_extract_addr_from_packet

                          • H
                            hoba last edited by

                            http://doc.pfsense.org/index.php/Setting_up_OpenVPN_with_pfSense

                            • F
                              fernandotcl last edited by

                              Broadcast will not work cause you need to configure OpenVPN to use TAP interfaces, ethernet layer VPN.

                              Also, make sure you're not pinging from your OpenVPN gateway to the other side, but rather from a client in the local LAN to a client in the local WAN.

                              Oh, and make sure you're not doing anything stupid (like firewalling yourself).
