Package: openvpn
Version: 2.5.1-3
Severity: important
Tags: upstream patch
X-Debbugs-Cc: dani...@retaggio.net

Dear Maintainer,

Since openvpn 2.5, if openvpn is compiled without --enable-iproute2, netlink is used to populate the routing table. This has for some reason broken the push route mechanism, at least in my configuration, blocking the possibility to add any further routes for the given vpn interface.

The root cause can be identified in the switch from route to netlink. netlink is populating the routing table without specifying the route in kernel, avoiding the possibility to add any further route (with or without openvpn).

Using ip route to debug:

1) route pushed with iproute/route (either openvpn 2.4 or openvpn 2.5 compiled with --enable-iproute2)

    172.17.14.0/24 dev tun-su proto kernel scope link src 172.17.14.127

2) route pushed with netlink (openvpn 2.5 without --enable-iproute2)

    172.17.14.0/24 via 172.17.14.1 dev tun-su

Sample "push" configuration line from the openvpn config:

    push "route 172.17.16.0 255.255.255.0 vpn_gateway 100"

With netlink, the route fails as follows:

    2021-08-27 10:49:45 us=890376 net_route_v4_add: 172.17.16.0/24 via 172.18.14.1 dev [NULL] table 0 metric 100
    2021-08-27 10:49:45 us=890389 sitnl_send: rtnl: generic error (-101): Network is unreachable

Manually adding the same route on openvpn with netlink routes fails as follows:

    # route add -net 172.17.16.0/24 gw 172.17.14.1 metric 100
    SIOCADDRT: Network is unreachable
    #

Recompiling the package with --enable-iproute2 fixes the issue, as ip is used to create the routing table in place of netlink.

More detail in the upstream ticket:
https://community.openvpn.net/openvpn/ticket/1425

As this is a major regression from openvpn 2.4, I believe that the proper solution is to enable --enable-iproute2 for now and identify the upstream problem later on.

Side note, this is unrelated to "#976070 - openvpn fails with iproute option"
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976070

-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_US, LC_CTYPE=C.UTF-8 (charmap=locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  iproute2               5.10.0-4
ii  libc6                  2.31-13
ii  liblz4-1               1.9.3-2
ii  liblzo2-2              2.10-2
ii  libpam0g               1.4.0-9
ii  libpkcs11-helper1      1.27-1
ii  libssl1.1              1.1.1k-1+deb11u1
ii  libsystemd0            247.3-6
ii  lsb-base               11.1.0

Versions of packages openvpn recommends:
ii  easy-rsa  3.0.8-1

Versions of packages openvpn suggests:
ii  openssl                   1.1.1k-1+deb11u1
pn  openvpn-systemd-resolved  <none>
pn  resolvconf                <none>

-- debconf information excluded
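
An added illustration of the symptom in the report above (not part of the original bug report and not OpenVPN code): it applies a simplified model, assumed here, in which a new route's gateway is accepted only when a directly connected route (one without "via") covers it, to the two "ip route" lines the report quotes. The function names are hypothetical.

```python
import ipaddress

# Routing-table lines as quoted in the report, one table per case.
TABLE_IPROUTE2 = "172.17.14.0/24 dev tun-su proto kernel scope link src 172.17.14.127"
TABLE_NETLINK = "172.17.14.0/24 via 172.17.14.1 dev tun-su"

def _value_after(tokens, key):
    """Return the token following `key`, or None when `key` is absent."""
    return tokens[tokens.index(key) + 1] if key in tokens else None

def parse_routes(text):
    """Parse `ip route` output into dicts with network, gateway and device."""
    routes = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        prefix = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # typed routes (blackhole, unreachable, ...) are skipped
        routes.append({"net": net,
                       "via": _value_after(tokens, "via"),
                       "dev": _value_after(tokens, "dev")})
    return routes

def onlink_device(routes, gateway):
    """Device of the most specific directly connected route covering gateway."""
    gw = ipaddress.ip_address(gateway)
    direct = [r for r in routes if r["via"] is None and gw in r["net"]]
    if not direct:
        return None
    return max(direct, key=lambda r: r["net"].prefixlen)["dev"]

def check_pushed_route(table_text, gateway):
    """Assumed model of the gateway check performed when a route is added."""
    dev = onlink_device(parse_routes(table_text), gateway)
    return f"ok via {dev}" if dev else "Network is unreachable"

if __name__ == "__main__":
    for name, table in (("iproute2", TABLE_IPROUTE2), ("netlink", TABLE_NETLINK)):
        print(name, "->", check_pushed_route(table, "172.17.14.1"))
```
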