Your message dated Mon, 27 Apr 2015 13:29:25 +0200
with message-id <[email protected]>
and subject line Not a bug
has caused the Debian Bug report #783394,
regarding openvpn: Missing route entry on OpenVPN server when client connects
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
783394: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783394
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openvpn
Version: 2.3.4-5
Severity: normal

Dear Maintainer,

after upgrading an OpenVPN server to Jessie, the VPN tunnels appear to come up
normally, but no traffic is being passed over the tunnels.

It seems that there is a routing entry missing on the jessie-setup:
- my server is 192.168.20.4 (eth0) and 10.11.0.1 (tun0)
- vpn client is 10.11.0.10

On Wheezy, the routing table looks like this with a client connection active:

root@vvpn:~# uname -a
Linux vvpn 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u2 x86_64 GNU/Linux
root@vvpn:~# ip route get 10.11.0.10
10.11.0.10 via 10.11.0.2 dev tun0  src 10.11.0.1 
    cache 
root@vvpn:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.20.1    0.0.0.0         UG    0      0        0 eth0
10.11.0.0       10.11.0.2       255.255.255.0   UG    0      0        0 tun0
10.11.0.0       192.168.20.4    255.255.255.0   UG    0      0        0 eth0
10.11.0.2       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0


On Jessie it is like this:

root@vvpn:/etc/default# ip route flush cache
root@vvpn:/etc/default# ip route get 10.11.0.10
10.11.0.10 dev eth0  src 192.168.20.4 
   cache 

Note that this is now routed via eth0/192.168.20.4 instead of the tunnel 
interface.

root@vvpn:/etc/default# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.20.1    0.0.0.0         UG    0      0        0 eth0
10.11.0.0       192.168.20.4    255.255.255.0   UG    0      0        0 eth0
10.11.0.2       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0

Note that the route for 10.11.0.0/24 via 10.11.0.2 is missing.

I can see packets coming in over the VPN link - running a ping from the
client against the vpn server itself gives:

root@vvpn:/etc/default# tcpdump -i tun0  -n proto 1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
19:30:02.217293 IP 10.11.0.10 > 192.168.20.4: ICMP echo request, id 24141, seq 30, length 64
19:30:03.217465 IP 10.11.0.10 > 192.168.20.4: ICMP echo request, id 24141, seq 31, length 64
19:30:04.215826 IP 10.11.0.10 > 192.168.20.4: ICMP echo request, id 24141, seq 32, length 64


A final note: I tested the setup after doing only the "apt-get upgrade" first
step of the upgrade process, and at that point the setup was working. Only
after the dist-upgrade did it fail.


openvpn server configuration:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
crl-verify crl.pem
dh dh2048.pem
server 10.11.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.20.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log


openvpn client configuration:

client
dev tun
proto udp
remote vpn.hswn.dk 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca xen-ca.crt
cert xen-client.crt
key xen-client.key
remote-cert-tls server
comp-lzo
verb 3



-- System Information:
Debian Release: 8.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=da_DK.UTF-8, LC_CTYPE=da_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.56
ii  init-system-helpers    1.22
ii  initscripts            2.88dsf-59
ii  iproute2               3.16.0-2
ii  libc6                  2.19-18
ii  liblzo2-2              2.08-1.2
ii  libpam0g               1.1.8-3.1
ii  libpkcs11-helper1      1.11-2
ii  libssl1.0.0            1.0.1k-3

Versions of packages openvpn recommends:
ii  easy-rsa  2.2.2-1

Versions of packages openvpn suggests:
ii  openssl     1.0.1k-3
pn  resolvconf  <none>

-- debconf information excluded

--- End Message ---
--- Begin Message ---
Thanks.

-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
mailto/sip: [email protected] | en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55

--- End Message ---
