Openvpn route error



  • Hello,

    I have problems with openvpn giving me route errors. I have the system in a lab environment with no internet. It's set up to talk to the other router and I can ssh from one router to the other. I can't ping from one computer to the other. That being said, this is the route error that I get on both sides.

    ERROR: FreeBSD route add command failed: shell command exited with error status: 1

    Server

    Aug 21 21:54:28 openvpn[289]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
    Aug 21 21:54:28 openvpn[289]: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible
    Aug 21 21:54:28 openvpn[289]: gw 172.35.222.50
    Aug 21 21:54:28 openvpn[289]: TUN/TAP device /dev/tun0 opened
    Aug 21 21:54:28 openvpn[289]: /sbin/ifconfig tun0 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
    Aug 21 21:54:28 openvpn[289]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
    Aug 21 21:54:28 openvpn[296]: UDPv4 link local (bound): [undef]:1194
    Aug 21 21:54:28 openvpn[296]: UDPv4 link remote: [undef]
    Aug 21 21:54:28 openvpn[296]: Initialization Sequence Completed
    Aug 21 21:54:29 openvpn[296]: Need IPv6 code in mroute_extract_addr_from_packet
    Aug 21 21:54:34 last message repeated 2 times
    Aug 21 21:55:35 openvpn[296]: 172.35.222.3:1194 Re-using SSL/TLS context
    Aug 21 21:55:35 openvpn[296]: 172.35.222.3:1194 LZO compression initialized
    Aug 21 21:55:35 openvpn[296]: 172.35.222.3:1194 [ client.yaya.blah.com] Peer Connection Initiated with 172.35.222.3:1194
    Aug 21 21:55:39 openvpn[296]: client.yaya.blah.com/172.35.222.3:1194 Need IPv6 code in mroute_extract_addr_from_packet
    Aug 21 21:55:42 openvpn[296]: client.yaya.blah.com/172.35.222.3:1194 Need IPv6 code in mroute_extract_addr_from_packet

    Client

    Aug 21 22:03:02 openvpn[262]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
    Aug 21 22:03:02 openvpn[262]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Aug 21 22:03:02 openvpn[262]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 21 22:03:02 openvpn[262]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
    Aug 21 22:03:02 openvpn[262]: LZO compression initialized
    Aug 21 22:03:02 openvpn[263]: UDPv4 link local (bound): [undef]:1194
    Aug 21 22:03:02 openvpn[263]: UDPv4 link remote: 172.35.222.2:1194
    Aug 21 22:03:13 openvpn[263]: write UDPv4: Host is down (code=64)
    Aug 21 22:03:22 last message repeated 4 times
    Aug 21 22:03:22 openvpn[263]: [server.luku.blah.com] Peer Connection Initiated with 172.35.222.2:1194
    Aug 21 22:03:23 openvpn[263]: gw 172.35.222.45
    Aug 21 22:03:23 openvpn[263]: TUN/TAP device /dev/tun0 opened
    Aug 21 22:03:23 openvpn[263]: /sbin/ifconfig tun0 192.168.200.6 192.168.200.5 mtu 1500 netmask 255.255.255.255 up
    Aug 21 22:03:23 openvpn[263]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
    Aug 21 22:03:23 openvpn[263]: Initialization Sequence Completed

    Thanks for the help in advance



  • We need more info. From what I grasp you're either 1) using an older version of pfSense that still runs OpenVPN as non-root or 2) doing something stupid regarding routes (i.e., make sure you're putting the right stuff into "Remote network").



  • Software config
    Downloaded RC2 yesterday (liveCD)
    Installed it on 2 systems that are linked via crossover cable in a lab

    IP config

    OPVN server
    wan ip 172.35.222.2
    lan ip 172.22.246.1

    OPVN client
    wan ip 172.35.222.3
    lan ip 172.22.246.2

    Openvpn server config
    protocol: UDP
    Local port: 1194
    Address pool: 192.168.200.0/24
    Use static IPs: unchecked
    Local network: 172.21.246.0/24
    Remote Network: 172.21.246.0/24
    Client to client VPN: Unchecked
    LZO compression: Checked

    Openvpn client config:
    Protocol: UDP
    Server Address: 172.35.222.2
    Server Port: 1194
    LZO Compression: Checked



  • How do you want to route with the same subnets on each side of the tunnel? You have the same LAN subnets at each end. ;)



  • I've set up a 3-way openvpn tunnel before with bridging (linux router) with the same subnet at each endpoint. I don't know if I need to have the same subnet to get broadcast to work at both ends? I know that it worked last time by making the vpn server 192.168.1.1 and the clients were 192.168.1.2 and 192.168.1.3. Do I need to have different subnets on the LAN side of my tunnel? And if so, will broadcast still work?

    thanks for the help



  • This is not Linux. You need a different subnet at each end of the tunnel.

    Or break up your subnet into a /27 or something.
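As an added example (not code from this thread or from pfSense), a small Python check that flags the overlap the reply above points out, pulls the route error out of the posted log lines, and lists the /27 blocks the suggested split would give each site. The config field names are my own labels, not pfSense's:

```python
import ipaddress
import re

# Constructed sample: the server-side settings posted earlier in the thread.
SITE_CONFIG = {
    "tunnel_pool": "192.168.200.0/24",
    "local_network": "172.21.246.0/24",
    "remote_network": "172.21.246.0/24",
}

# Constructed excerpt of the OpenVPN syslog lines from the first post.
LOG_SAMPLE = """\
openvpn[289]: /sbin/ifconfig tun0 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
openvpn[289]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
openvpn[296]: Initialization Sequence Completed
"""

ROUTE_ERR = re.compile(r"ERROR: (\w+) route add command failed")


def check_site_to_site(cfg):
    """Return a list of problems with a site-to-site layout.

    OpenVPN installs a route for remote_network via the tunnel. If that
    prefix is the same as (or overlaps) what the box already reaches
    directly on its LAN, or the tunnel pool itself, the kernel rejects
    the route, which is the 'route add command failed' seen in the log.
    """
    pool = ipaddress.ip_network(cfg["tunnel_pool"])
    local = ipaddress.ip_network(cfg["local_network"])
    remote = ipaddress.ip_network(cfg["remote_network"])
    problems = []
    if local.overlaps(remote):
        problems.append(f"remote network {remote} overlaps local network {local}")
    if pool.overlaps(local) or pool.overlaps(remote):
        problems.append(f"tunnel pool {pool} overlaps a LAN network")
    return problems


def route_errors(log_text):
    """Return the 'route add command failed' lines from a syslog excerpt."""
    return [line for line in log_text.splitlines() if ROUTE_ERR.search(line)]


def split_for_sites(network, new_prefix=27):
    """Carve one LAN prefix into smaller blocks so each site owns a distinct one."""
    return [str(s) for s in ipaddress.ip_network(network).subnets(new_prefix=new_prefix)]
```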



  • I need broadcast to work. How is broadcast going to work with both LANs on different subnets?

    Thanks



  • It won't. I don't think there is a way to do this with pfSense's implementation of openvpn atm but I might be wrong.



  • I changed the client LAN ip address from 172.21.246.0/24 to 172.21.247.0/24. I don't get the route error anymore but can't ping the remote end.

    Thanks





  • I'm trying to ping from the client side (client side LAN = 172.21.247.0/24) an IP address on the other LAN (server side LAN = 172.21.246.0/24) and I don't get any replies :)

    So far this is what I get on the client side

    Aug 21 22:03:02   openvpn[262]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
    Aug 21 22:03:02   openvpn[262]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Aug 21 22:03:02   openvpn[262]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 21 22:03:02   openvpn[262]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
    Aug 21 22:03:02   openvpn[262]: LZO compression initialized
    Aug 21 22:03:02   openvpn[263]: UDPv4 link local (bound): [undef]:1194
    Aug 21 22:03:02   openvpn[263]: UDPv4 link remote: 172.35.222.2:1194
    Aug 21 22:03:13   openvpn[263]: write UDPv4: Host is down (code=64)
    Aug 21 22:03:22   last message repeated 4 times
    Aug 21 22:03:22   openvpn[263]: [server.luku.blah.com] Peer Connection Initiated with 172.35.222.2:1194
    Aug 21 22:03:23   openvpn[263]: gw 172.35.222.45
    Aug 21 22:03:23   openvpn[263]: TUN/TAP device /dev/tun0 opened
    Aug 21 22:03:23   openvpn[263]: /sbin/ifconfig tun0 192.168.200.6 192.168.200.5 mtu 1500 netmask 255.255.255.255 up
    Aug 21 22:03:23   openvpn[263]: Initialization Sequence Completed

    Server Side

    Aug 21 21:54:28   openvpn[289]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
    Aug 21 21:54:28   openvpn[289]: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible
    Aug 21 21:54:28   openvpn[289]: gw 172.35.222.50
    Aug 21 21:54:28   openvpn[289]: TUN/TAP device /dev/tun0 opened
    Aug 21 21:54:28   openvpn[289]: /sbin/ifconfig tun0 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
    Aug 21 21:54:28   openvpn[296]: UDPv4 link local (bound): [undef]:1194
    Aug 21 21:54:28   openvpn[296]: UDPv4 link remote: [undef]
    Aug 21 21:54:28   openvpn[296]: Initialization Sequence Completed
    Aug 21 21:54:29   openvpn[296]: Need IPv6 code in mroute_extract_addr_from_packet
    Aug 21 21:54:34   last message repeated 2 times
    Aug 21 21:55:35   openvpn[296]: 172.35.222.3:1194 Re-using SSL/TLS context
    Aug 21 21:55:35   openvpn[296]: 172.35.222.3:1194 LZO compression initialized
    Aug 21 21:55:35   openvpn[296]: 172.35.222.3:1194 [ client.yaya.blah.com] Peer Connection Initiated with 172.35.222.3:1194
    Aug 21 21:55:39   openvpn[296]: client.yaya.blah.com/172.35.222.3:1194 Need IPv6 code in mroute_extract_addr_from_packet
    Aug 21 21:55:42   openvpn[296]: client.yaya.blah.com/172.35.222.3:1194 Need IPv6 code in mroute_extract_addr_from_packet





  • Broadcast will not work because you need to configure OpenVPN to use TAP interfaces (an Ethernet-layer VPN).

    Also, make sure you're not pinging from your OpenVPN gateway to the other side, but rather from a client in the local LAN to a client in the local WAN.

    Oh, and make sure you're not doing anything stupid (like firewalling yourself).

