I connect with openvpn-2.0.5-r2 on Gentoo to an openvpn server running on debian sarge via a routed setup (configs see below). The server redirects the gateway, so that it is used as standard gateway on the client. If I disconnect from the VPN, the route to the former standard gateway is not restored. The only solution is to restart the interface or set the route by hand. The VPN works without any problems if I connect from a WindowsXP client.

Steps to reproduce:

1.) Use similar configs:

server.conf:

    port 1194
    proto udp
    dev tun
    ca keys/ca.crt
    cert keys/firewall.crt
    key keys/firewall.key
    dh keys/dh1024.pem
    server 10.8.0.0 255.255.255.0
    push "route XXX.XXX.aaa.0 255.255.255.0"
    push "route XXX.XXX.bbb.0 255.255.255.128"
    client-config-dir ccd
    push "redirect-gateway"
    push "dhcp-option DNS XXX.XXX.ccc.150"
    push "dhcp-option DNS XXX.XXX.ccc.151"
    push "dhcp-option DNS XXX.XXX.ccc.152"
    client-to-client
    keepalive 10 120
    tls-auth keys/ta.key 0
    cipher BF-CBC
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    log-append /var/log/openvpn.log
    verb 4
    mute 20

client.conf:

    client
    dev tun
    proto udp
    remote XXX.XXX.aaa.131 1194
    float
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert retsina.crt
    key retsina.key
    ns-cert-type server
    tls-auth ta.key 1
    cipher BF-CBC
    comp-lzo
    verb 4

2.) connect and disconnect:

    /etc/init.d/openvpn start
    /etc/init.d/openvpn stop

3.) check the routes:

    route -n

Actual Results:

1.) before connecting to VPN

    hive marc # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
    0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0

2.) VPN is stopped:

    hive marc # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    XXX.XXX.aaa.131 192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo

Expected Results:

1.) and 2.) should be the same.
Added emerge info:

    Portage 2.0.53 (default-linux/x86/2005.1, gcc-3.4.4, glibc-2.3.6-r2, 2.6.12-gentoo-r10 i686)
    =================================================================
    System uname: 2.6.12-gentoo-r10 i686 AMD Athlon(tm) XP 2700+
    Gentoo Base System version 1.6.13
    ccache version 2.3 [enabled]
    dev-lang/python:     2.3.5, 2.4.2
    sys-apps/sandbox:    1.2.12
    sys-devel/autoconf:  2.13, 2.59-r6
    sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
    sys-devel/binutils:  2.16.1-r1
    sys-devel/libtool:   1.5.20
    virtual/os-headers:  2.6.11-r2
    ACCEPT_KEYWORDS="x86"
    AUTOCLEAN="yes"
    CBUILD="i686-pc-linux-gnu"
    CFLAGS="-march=c3-2 -Os -fomit-frame-pointer -pipe -msse -mmmx -mfpmath=sse"
    CHOST="i686-pc-linux-gnu"
    CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/X11/xkb /usr/share/config /var/qmail/control"
    CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
    CXXFLAGS="-march=c3-2 -Os -fomit-frame-pointer -pipe -msse -mmmx -mfpmath=sse"
    DISTDIR="/usr/portage/distfiles"
    FEATURES="autoconfig ccache distlocks sandbox sfperms strict userpriv"
    GENTOO_MIRRORS="ftp://ftp.rz.tu-bs.de/pub/mirror/ftp.gentoo.org/gentoo-distfiles/"
    LANG="de_DE"
    MAKEOPTS="-j2"
    PKGDIR="/usr/portage/packages"
    PORTAGE_TMPDIR="/var/tmp/portage"
    PORTDIR="/usr/portage"
    PORTDIR_OVERLAY="/usr/local/portage/gentoo-de /usr/local/portage/epios"
    SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
    USE="x86 16bit 3dnow X a52 aac aalib accessibility acpi alsa ansi apache2 apm audiofile avi bash-completion berkdb bitmap-fonts bzip2 cdparanoia cdr cjk cle266 crypt cscope curl curlwrappers dbus dga dio directfb divx4linux dri dts dv dvb dvd dvdr dvdread encode expat fbcon ffmpeg flac flash freetds freetype ftp gd gdbm gif glut gnutls gphoto2 gstreamer hal ieee1394 imagemagick imap imlib imon innodb java javascript joystick jpeg lcms libgda libwww lirc live lm_sensors mad maildir matroska mhash mikmod mime mmap mmx mng motif mozilla mp3 mpeg mplayer mysql mysqli mythtv ncurses nocd nptl ogg oggvorbis opengl pam pcre pda pdflib perl php pic png posix python quicktime readline samba sdl session shorten skey slang smartcard sndfile socks5 sox speex spl sse ssl streamzap svg sysvipc tcltk tcpd theora tidy tiff tokenizer transcode truetype truetype-fonts type1-fonts udev unichrome unicode usb v4l v4l2 vcd video_cards_via vidix vorbis wifi win32codecs wmf xine xinerama xml xml2 xpm xsl xv xvid xvmc zlib userland_GNU kernel_linux elibc_glibc"
    Unset:  ASFLAGS, CTARGET, LC_ALL, LDFLAGS, LINGUAS

I also changed my email (which I thought I did already...).
Exact same problem here, using same OpenVPN version.
Hi, I solved this issue. When openvpn starts it's running as root and can change the routing table, then drops root privileges and runs as nobody. As nobody you can't alter the routing table, that's why the original routing table can't be restored. I solved this by commenting out the

    user nobody
    group nogroup

lines, since it's only the client running as root and not the server. I don't consider this a security risk since the client is not always running. Greets.
(In reply to comment #3)
> I solved this by commenting out the
>
>     user nobody
>     group nogroup

The same for me. The funny thing is, I thought I did not have these lines in my openvpn.conf (as shown above in my post), but I had. After commenting them, resetting of routes is working. Could there be another more secure solution?

Marc
(In reply to comment #4)
> Could there be another more secure solution?

Use SELinux or grsec kernels for this level of security. Otherwise you have to use root when openvpn needs to change routing or ip.
(In reply to comment #5)
> (In reply to comment #4)
> > Could there be another more secure solution?
>
> Use SELinux or grsec kernels for this level of security.
> Otherwise you have to use root when openvpn needs to change routing or ip.

OK, then I think this bug is closed. ...closing it...
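The thread above diagnoses the symptom (the default route is gone after `/etc/init.d/openvpn stop`) and its cause (the client config drops to `user nobody`/`group nogroup`, so the process can no longer edit the routing table when it tears the tunnel down). The following POSIX sh script is an added example, not part of the bug report or of OpenVPN; it automates both checks so a defender can confirm the problem and spot the privilege-drop lines in a client config. The route tables are constructed from the `route -n` output in the report; the client config sample and the `default_gateway`, `check_default_route_restored` and `drops_privileges` function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): confirm that the default route
# present before `/etc/init.d/openvpn start` survives `/etc/init.d/openvpn stop`,
# and detect the privilege-drop directives the thread identifies as the cause.

# Print the gateway of the default route (destination 0.0.0.0) in `route -n`
# output given as $1; print nothing if there is no default route.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" { print $2; exit }'
}

# Return 0 if the default gateway after the VPN stop ($2) equals the one
# before the VPN start ($1) and both exist; return 1 otherwise.
check_default_route_restored() {
    before_gw=$(default_gateway "$1")
    after_gw=$(default_gateway "$2")
    [ -n "$before_gw" ] && [ "$before_gw" = "$after_gw" ]
}

# Return 0 if the OpenVPN config text in $1 contains an active (uncommented)
# "user" or "group" directive, i.e. the daemon will drop root after startup
# and cannot restore routes on shutdown without extra help.
drops_privileges() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(user|group)[[:space:]]+'
}

# Constructed sample input, copied from the route tables in the report.
ROUTES_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0'

ROUTES_AFTER='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
XXX.XXX.aaa.131 192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo'

# Constructed client config: the lines from the report plus the user/group
# directives comment #4 found in the real file (shown here uncommented).
CLIENT_CONF_DROPPING='client
dev tun
proto udp
remote XXX.XXX.aaa.131 1194
user nobody
group nogroup
persist-key
persist-tun'

# The same config after the workaround from comment #3 (directives commented).
CLIENT_CONF_ROOT='client
dev tun
proto udp
remote XXX.XXX.aaa.131 1194
#user nobody
#group nogroup
persist-key
persist-tun'

# Live usage: ROUTES_BEFORE=$(route -n); /etc/init.d/openvpn start;
# /etc/init.d/openvpn stop; ROUTES_AFTER=$(route -n); then run the checks.
if check_default_route_restored "$ROUTES_BEFORE" "$ROUTES_AFTER"; then
    echo "default route restored"
else
    echo "default route via $(default_gateway "$ROUTES_BEFORE") missing after VPN stop"
fi
if drops_privileges "$CLIENT_CONF_DROPPING"; then
    echo "config drops privileges: routes cannot be restored by the unprivileged process"
fi
```

Run it once with the captured tables to reproduce the report's finding, then again after applying either of the thread's fixes (keeping root in the client, or a hardened kernel policy that still permits the route change); a restored default route and a config that no longer trips `drops_privileges` are the two results to expect.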