Upgraded openvpn from 2.1_rc15 to 2.1_rc19. Now, default routing is broken. Reverted to rc15, and default routing works as expected.

Reproducible: Always

Steps to Reproduce:
1. emerge -u net-misc/openvpn
2.
3.

Actual Results:
Pertinent info from /var/log/messages, first for rc15:

< OpenVPN 2.1_rc15 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug 2 2009
< TLS: Initial packet from 111.222.333.444:443, sid=8e0bf1ce 9ed5724f
< /etc/openvpn/up.sh tap0 1500 1576 172.16.11.244 255.255.255.0 init
< /sbin/route add -net 111.222.333.444 netmask 255.255.255.255 gw 192.168.0.1
< /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
< /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 172.16.11.1
< Initialization Sequence Completed
< Joining mDNS multicast group on interface tap0.IPv6 with address fe80::451:3eff:fe60:7614.
< Registering new address record for fe80::451:3eff:fe60:7614 on tap0.*.

Next for rc19:

> OpenVPN 2.1_rc19 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug 2 2009
> TLS: Initial packet from 111.222.333.444:443, sid=4ef0b4a1 e44e4e9f
> /etc/openvpn/up.sh tap0 1500 1576 172.16.11.244 255.255.255.0 init
> /sbin/route add -net 111.222.333.444 netmask 255.255.255.255 gw 192.168.0.1
> Initialization Sequence Completed
> Joining mDNS multicast group on interface tap0.IPv6 with address fe80::6c45:eaff:fe91:ad59.
> Registering new address record for fe80::6c45:eaff:fe91:ad59 on tap0.*.

Expected Results:
As with rc15.
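The two log excerpts above differ in exactly one respect: the rc15 run deletes the old default route and adds a new one via 172.16.11.1, the rc19 run never touches the default route, so all traffic keeps leaving through the LAN gateway while the tunnel reports "Initialization Sequence Completed". That is the condition a client should check for, because a silently ignored redirect-gateway means traffic bypasses the VPN. The following script is an added example, not code from the bug report or from OpenVPN: it parses the `/sbin/route` lines OpenVPN 2.1 logs on Linux and reports which gateway carries default traffic once the tunnel is up. The sample logs are constructed from the excerpts in this report (with the `<`/`>` markers dropped); the `LOG_DEF1` sample, with two /1 routes, is an assumed shape of what a "redirect-gateway def1" session logs.

```python
import re
from typing import Dict, List, Optional, Tuple

# Route commands as OpenVPN 2.1 logs them on Linux, e.g.
#   /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 172.16.11.1
ROUTE_RE = re.compile(
    r"/sbin/route (?P<action>add|del) -net (?P<net>\S+) netmask (?P<mask>\S+)"
    r"(?: gw (?P<gw>\S+))?"
)

# Constructed sample input: the route-related lines of the rc15 (working) and
# rc19 (broken) excerpts from the bug report, leading "<"/">" markers dropped.
LOG_RC15 = """\
OpenVPN 2.1_rc15 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug 2 2009
TLS: Initial packet from 111.222.333.444:443, sid=8e0bf1ce 9ed5724f
/etc/openvpn/up.sh tap0 1500 1576 172.16.11.244 255.255.255.0 init
/sbin/route add -net 111.222.333.444 netmask 255.255.255.255 gw 192.168.0.1
/sbin/route del -net 0.0.0.0 netmask 0.0.0.0
/sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 172.16.11.1
Initialization Sequence Completed
"""

LOG_RC19 = """\
OpenVPN 2.1_rc19 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug 2 2009
TLS: Initial packet from 111.222.333.444:443, sid=4ef0b4a1 e44e4e9f
/etc/openvpn/up.sh tap0 1500 1576 172.16.11.244 255.255.255.0 init
/sbin/route add -net 111.222.333.444 netmask 255.255.255.255 gw 192.168.0.1
Initialization Sequence Completed
"""

# Constructed (assumed shape): a "redirect-gateway def1" session installs two
# /1 routes that override the default without deleting it.
LOG_DEF1 = """\
TLS: Initial packet from 111.222.333.444:443, sid=00000000 00000000
/sbin/route add -net 111.222.333.444 netmask 255.255.255.255 gw 192.168.0.1
/sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 172.16.11.1
/sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 172.16.11.1
Initialization Sequence Completed
"""


def route_commands(log: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """Extract (action, net, netmask, gateway) from every route line in the log."""
    return [
        (m["action"], m["net"], m["mask"], m["gw"])
        for line in log.splitlines()
        if (m := ROUTE_RE.search(line))
    ]


def default_gateway_after_connect(log: str) -> Optional[str]:
    """Gateway that carries default traffic once the tunnel is up, or None if
    OpenVPN installed neither a replacement default nor a def1 split default
    (traffic then still leaves via the pre-existing default, outside the tunnel)."""
    added = {(net, mask): gw
             for action, net, mask, gw in route_commands(log) if action == "add"}
    if ("0.0.0.0", "0.0.0.0") in added:        # plain redirect-gateway: default replaced
        return added[("0.0.0.0", "0.0.0.0")]
    low = added.get(("0.0.0.0", "128.0.0.0"))  # def1: both halves of the address space
    high = added.get(("128.0.0.0", "128.0.0.0"))
    if low is not None and low == high:
        return low
    return None


def audit(log: str) -> Dict[str, object]:
    """Summarise one connection: did it complete, and does default traffic use the tunnel?"""
    completed = "Initialization Sequence Completed" in log
    gw = default_gateway_after_connect(log)
    return {
        "completed": completed,
        "tunnel_default_gw": gw,
        "redirected": completed and gw is not None,
    }


if __name__ == "__main__":
    for name, log in (("rc15", LOG_RC15), ("rc19", LOG_RC19), ("def1", LOG_DEF1)):
        print(name, audit(log))
```

Run against a real `/var/log/messages` excerpt, a result with `completed` true and `redirected` false is the rc19 symptom: the tunnel is up but the kernel still routes everything through the LAN gateway.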
Please include your emerge --info output to assist the maintainers.
# emerge --info
Portage 2.1.6.13 (default/linux/x86/2008.0, gcc-4.3.3, glibc-2.10.1-r0, 2.6.30-gentoo-r4 i686)
=================================================================
System uname: Linux-2.6.30-gentoo-r4-i686-Intel-R-_Pentium-R-_M_processor_2.00GHz-with-gentoo-2.0.1
Timestamp of tree: Sun, 02 Aug 2009 14:00:01 +0000
app-shells/bash: 4.0_p28
dev-java/java-config: 2.1.8-r1
dev-lang/python: 2.5.4-r2, 2.6.2-r1, 3.1
dev-python/pycrypto: 2.0.1-r8
dev-util/cmake: 2.6.4-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc: 0.4.3-r3
sys-apps/sandbox: 2.0
sys-devel/autoconf: 2.13, 2.63-r1
sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2, 1.11
sys-devel/binutils: 2.19.1-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.6a
virtual/os-headers: 2.6.30-r1
ACCEPT_KEYWORDS="x86 ~x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=i686 -O2 -pipe -ggdb"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=i686 -O2 -pipe -ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
MAKEOPTS=""
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acl acpi aiglx alsa apache2 apm arts ati audiofile avahi avi bash-completion berkdb bitmap-fonts bzip2 cairo caps cardbus cdio cdr cli consolekit cracklib crypt ctype cups dba dbtool dbus digitalradio diskio djvu dri dts dvdread eds emboss encode esd ethereal exif expat fastbuild ffmpeg fftw fglrx foomaticdb force-cgi-redirect fortran ftp fuse gamin gd gdbm gif glib glitz glut gmp gpm gstreamer gtk gtk2 gtkhtml guile hal iconv idn imlib ipv6 isdnlog ithreads jack java jpeg kde kerberos kqemu lcms ldap libclamav libg++ libwww lirc live lm_sensors lua mad madwifi matroska mdnsresponder-compat memlimit mhash mikmod mmx mmxext mng mono motif mozilla mp3 mpeg mudflap mysql ncurses netboot netjack networking nforce2 nls nptl nptlonly nsplugin nvidia ocaml ogg oggvorbis opengl openmp oss pam pango pch pcmcia pcre pdf pdflib pear perl php pmu png portaudio posix pppd pulseaudio python qt qt3support qtmt quicktime readline reflection ruby samba sasl sdl session simplexml slang sndfile snmp soap sockets spell spl sql sqlite sse sse2 ssl svg sysfs tcl tcltk tcpd theora threads threadsafe tiff tk tokenizer truetype truetype-fonts type1-fonts udev unicode utempter vorbis webkit wifi win32codecs x86 xanim xinerama xml xmlrpc xorg xscreensaver xsl xulrunner xv zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
FOO2ZJS_DEVICES="hp2600n"
INPUT_DEVICES="evdev keyboard mouse synaptics"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
USERLAND="GNU"
VIDEO_CARDS="radeon"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Sorry for the omission of the `emerge --info` material. Also, comment #2 was inadvertently truncated... refer to the complete output in comment #3.
(In reply to comment #0)
> Upgraded openvpn from 2.1_rc15 to 2.1_rc19. Now, default routing is broken.
> Reverted to rc15, and default routing works as expected.

Could you please post your server/client config? I'm using 2.1_rc19 on amd64 as client and I can't reproduce this error. Which version is the server running?
Our server version is pretty old, though I can't get at it right at the moment to say exactly which version it's running. I'll update this ticket later on with that info.

Client config:

verb 4
client
dev tap
proto tcp
nobind
persist-key
persist-tun
auth-user-pass
comp-lzo
remote vpn11.mysite.com 443
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/wdawson.cer
key /etc/openvpn/wdawson.cer
tls-remote vpn11.mysite.com
script-security 2
down-pre

Server config (local address is NAT'ed by external firewall):

local 172.16.13.10
port 443
proto tcp
dev tap1
ca cacert.pem
cert vpn11.mysite.com.cert
key vpn11.mysite.com.key
crl-verify mysite.crl
dh dh2048.pem
server-bridge 172.16.11.1 255.255.255.0 172.16.11.244 172.16.11.254
push "redirect-gateway"
push "dhcp-option DOMAIN mysite.com"
push "dhcp-option DNS 111.222.333.444"
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
(In reply to comment #6)
> Client config:
>

Please add "pull" to your client config and try again!

Which addresses have: your vpn-server from external, from internal, and your client if he is not connected? Did he need a host route to connect to the client?
(In reply to comment #7)
> please add "pull" to your client-config and try again!

Done, but with no good effect.

> which adresses have:
> your vpn-server from external, from internal and
> your client if he is not connected? did he need a hostroute to connect to
> client?

I don't understand your question... the external and internal IP addresses on the server and client did not change from one version of openvpn to the next.
(In reply to comment #8)
> (In reply to comment #7)
> > please add "pull" to your client-config and try again!
>
> Done, but with no good effect.

Please have a look at the openvpn-users list:
http://sourceforge.net/mailarchive/forum.php?thread_name=20090611081012.GM5044%40charite.de&forum_name=openvpn-users

and try push "redirect-gateway def1" on the server side. I'm using 2.1-rc19 as server and client and I could not reproduce this problem.
(In reply to comment #9)
> Please have a look at the openvpn-users-list:
> http://sourceforge.net/mailarchive/forum.php?thread_name=20090611081012.GM5044%40charite.de&forum_name=openvpn-users
>

I cannot access that forum URL. I received the error:

ERROR
Your mailing list, openvpn-users, appears to be either not archived yet, or has had no e-mails sent to it. If it is a new list, please wait 2-4 hours after the first message is sent for the archive to show up.

> and try push "redirect-gateway def1" on server side. i'm using 2.1-rc19 as
> server and client and i could not reproduce this problem.

I have "redirect-gateway" but not "redirect-gateway def1". I'll try it as soon as possible and post back with the result.
> I have "redirect-gateway" but not "redirect-gateway def1". I'll try it as soon
> as possible and post back with the result.
>

I was able to access the forum posting when I retried it this evening.

Also, adding "redirect-gateway def1" to my client settings was sufficient to re-enable the routing. I did not need to modify the server settings at all.

I also saw some odd timeouts occur, which were hopefully transient in nature. At the time, adding "keepalive 10 600" was helpful. No harm in keeping it that way, apparently.

My working client settings:

verb 4
client
dev tap
proto tcp
nobind
persist-key
persist-tun
auth-user-pass
comp-lzo
pull
keepalive 10 600
redirect-gateway def1
remote vpn11.mysite.com 443
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/wdawson.cer
key /etc/openvpn/wdawson.cer
tls-remote vpn11.mysite.com
script-security 2
down-pre

Thank you for the references and the fix.
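Why "redirect-gateway def1" restored routing where plain "redirect-gateway" did not comes down to how the two variants change the kernel routing table: plain mode deletes the existing default route and installs a new 0.0.0.0/0 via the tunnel gateway, whereas def1 leaves the old default in place and adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which win by longest-prefix match. Both modes also pin a host route to the VPN server via the original gateway so the tunnel's own packets do not loop into it. The model below is an added example, not code from this thread or from OpenVPN: it simulates a client routing table with longest-prefix lookup and applies each variant. The table is constructed; 203.0.113.10 (TEST-NET-3) stands in for the obfuscated server address, while 192.168.0.1 and 172.16.11.1 are the LAN and bridge gateways from the report's log lines.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route is (destination network, next hop); "on-link" marks directly connected nets.
Route = Tuple[ipaddress.IPv4Network, str]

# Constructed values: LAN gateway and tap0 bridge gateway as in the report's
# logs; the server address is a TEST-NET placeholder for the obfuscated one.
LAN_GW = "192.168.0.1"
VPN_GW = "172.16.11.1"
VPN_SERVER = "203.0.113.10"

# Constructed client routing table before the tunnel comes up.
BASE_TABLE: List[Route] = [
    (ipaddress.ip_network("192.168.0.0/24"), "on-link"),
    (ipaddress.ip_network("172.16.11.0/24"), "on-link"),  # tap0 bridge subnet
    (ipaddress.ip_network("0.0.0.0/0"), LAN_GW),
]


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching route decides the next hop."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def apply_redirect_gateway(table: List[Route], vpn_gw: str, server: str,
                           lan_gw: str, def1: bool) -> List[Route]:
    """Model the routes OpenVPN installs for redirect-gateway, plain or def1."""
    new = list(table)
    # Both modes first pin the VPN server itself to the original gateway so the
    # encapsulated packets never try to go through the tunnel they carry.
    new.append((ipaddress.ip_network(f"{server}/32"), lan_gw))
    if def1:
        # def1: cover the whole address space with two /1 routes. They are more
        # specific than 0.0.0.0/0, so they win without touching the old default.
        new.append((ipaddress.ip_network("0.0.0.0/1"), vpn_gw))
        new.append((ipaddress.ip_network("128.0.0.0/1"), vpn_gw))
    else:
        # plain: delete the existing default route and install a new one.
        new = [r for r in new if r[0].prefixlen != 0]
        new.append((ipaddress.ip_network("0.0.0.0/0"), vpn_gw))
    return new


def has_default(table: List[Route], gw: str) -> bool:
    """True if a 0.0.0.0/0 route via the given gateway is present."""
    return any(r[0].prefixlen == 0 and r[1] == gw for r in table)


if __name__ == "__main__":
    for mode in (False, True):
        t = apply_redirect_gateway(BASE_TABLE, VPN_GW, VPN_SERVER, LAN_GW, def1=mode)
        print("def1" if mode else "plain",
              "8.8.8.8 ->", lookup(t, "8.8.8.8"),
              "| server ->", lookup(t, VPN_SERVER),
              "| old default kept:", has_default(t, LAN_GW))
```

The def1 form is also the more robust one operationally: when the tunnel goes down, removing the two /1 routes leaves the original default intact, whereas the plain form depends on OpenVPN restoring the deleted default route correctly.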
2009.10.01 -- Version 2.1_rc20

* Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
  redirect-gateway option by itself, without any extra parameters,
  would cause the option to be ignored.

So I'm waiting for it in portage, because for me the bug still exists.
(In reply to comment #12)
> 2009.10.01 -- Version 2.1_rc20
>
> * Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
> redirect-gateway option by itself, without any extra parameters,
> would cause the option to be ignored.
>
> so waiting it in portage, because for me bug still exists

Just copying the rc19 ebuild to rc20 works for installing rc20. I think the new ebuild will be in portage soon.