Bug 743257

Summary: openvpn fails to set up routes
Product: [Fedora] Fedora
Component: openvpn
Version: 16
Hardware: Unspecified
OS: Unspecified
Status: CLOSED INSUFFICIENT_DATA
Severity: unspecified
Priority: unspecified
Reporter: Dan Winship <danw>
Assignee: Steven Pritchard <steve>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, gwync, huzaifas, mgrepl, psabata, steve
Doc Type: Bug Fix
Last Closed: 2011-10-11 12:41:03 UTC

Description Dan Winship 2011-10-04 11:57:02 UTC
openvpn-2.2.1-2.fc16.x86_64
kernel-3.1.0-0.rc8.git0.0.fc16.x86_64
iproute-2.6.39-3.fc16.x86_64

NetworkManager-openvpn fails silently. Exporting the config and then running openvpn by hand with "-verb 3" gives:

    ...
    Tue Oct  4 07:53:14 2011 TUN/TAP device tun0 opened
    Tue Oct  4 07:53:14 2011 TUN/TAP TX queue length set to 100
    Tue Oct  4 07:53:14 2011 /sbin/ip link set dev tun0 up mtu 1500
    Tue Oct  4 07:53:14 2011 /sbin/ip addr add dev tun0 local 10.3.112.35 peer 255.255.255.0
    Tue Oct  4 07:53:14 2011 /sbin/ip route add 10.0.0.0/8 via 10.3.112.1
    RTNETLINK answers: No such process
    Tue Oct  4 07:53:14 2011 ERROR: Linux route add command failed: external program exited with error status: 2
    Tue Oct  4 07:53:14 2011 /sbin/ip route add 172.16.0.0/16 via 10.3.112.1
    RTNETLINK answers: No such process
    Tue Oct  4 07:53:14 2011 ERROR: Linux route add command failed: external program exited with error status: 2
    ...

It appears that there is no route to 10.3.112.1, so the attempt to use it as a route to 10.0.0.0/8 fails. If I manually do:

    /sbin/ip route add 10.3.112.1 dev tun0

then that succeeds, and I can add the other two previously-failed routes after that.
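
The reasoning in the description above, as an added example (not part of the original report and not OpenVPN code): a Python script that replays the `ip` commands from the log and reports which `via` gateways are not on-link for the address that was configured. The function names are hypothetical, the sample is constructed from the log lines above, and it assumes only the `local ... peer ...` and `ADDR/PREFIX` forms of `ip addr add`.

```python
import ipaddress
import re

# Constructed sample: the command lines from the log in the description above.
SAMPLE_LOG = """\
Tue Oct  4 07:53:14 2011 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct  4 07:53:14 2011 /sbin/ip addr add dev tun0 local 10.3.112.35 peer 255.255.255.0
Tue Oct  4 07:53:14 2011 /sbin/ip route add 10.0.0.0/8 via 10.3.112.1
Tue Oct  4 07:53:14 2011 /sbin/ip route add 172.16.0.0/16 via 10.3.112.1
"""

ADDR_PEER = re.compile(r"ip addr add dev (\S+) local (\S+) peer (\S+)")
ADDR_CIDR = re.compile(r"ip addr add dev (\S+) (\d+\.\d+\.\d+\.\d+/\d+)")
ROUTE_VIA = re.compile(r"ip route add (\S+) via (\S+)")


def looks_like_netmask(addr):
    """True if addr is a contiguous-ones IPv4 netmask such as 255.255.255.0."""
    value = int(ipaddress.IPv4Address(addr))
    inverted = value ^ 0xFFFFFFFF
    return value != 0 and (inverted & (inverted + 1)) == 0


def audit(log_text):
    """Return (unreachable_routes, warnings) for the ip commands in an OpenVPN log."""
    connected, unreachable, warnings = [], [], []
    for line in log_text.splitlines():
        if m := ADDR_PEER.search(line):
            dev, local, peer = m.groups()
            # A point-to-point address only makes the peer itself on-link.
            connected.append(ipaddress.ip_network(peer + "/32"))
            if looks_like_netmask(peer):
                warnings.append(f"{dev}: peer {peer} looks like a netmask")
        elif m := ADDR_CIDR.search(line):
            connected.append(ipaddress.ip_interface(m.group(2)).network)
        elif m := ROUTE_VIA.search(line):
            dest, gw = m.groups()
            if not any(ipaddress.ip_address(gw) in net for net in connected):
                unreachable.append((dest, gw))
    return unreachable, warnings


if __name__ == "__main__":
    routes, notes = audit(SAMPLE_LOG)
    for dest, gw in routes:
        print(f"gateway {gw} for {dest} is not on-link")
    for note in notes:
        print("warning:", note)
```
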

Comment 1 Dan Winship 2011-10-04 15:21:58 UTC
ah, the bug goes away if you turn off selinux. not sure where this belongs then

Comment 2 Petr Šabata 2011-10-04 15:29:20 UTC
(In reply to comment #1)
> ah, the bug goes away if you turn off selinux. not sure where this belongs then

selinux-policy, I believe...

Comment 3 Gwyn Ciesla 2011-10-04 15:35:07 UTC
Please include the AVC warnings, as well.

Comment 4 Dan Winship 2011-10-04 17:14:03 UTC
(In reply to comment #3)
> Please include the AVC warnings, as well.

Didn't get any. Maybe the thing that shows those was broken too... there was lots of random crashing going on.

Comment 5 Daniel Walsh 2011-10-04 20:39:02 UTC
dmesg | grep avc

Comment 6 Daniel Walsh 2011-10-04 20:39:20 UTC
Are things working for you now?

Comment 7 Dan Winship 2011-10-04 20:48:07 UTC
Yes, after disabling selinux, things work.

Nothing in dmesg. I'll try to remember to reboot with selinux and try again tomorrow morning.

Comment 8 Dan Winship 2011-10-04 23:40:57 UTC
Huh. Actually it doesn't work regardless of selinux setting. (I'd swear it worked the first time I tried after disabling it though...)

Comment 9 Miroslav Grepl 2011-10-05 05:33:34 UTC
Also, if you talk about disabling SELinux, please make sure you talk about permissive mode. Thanks.

Comment 10 Dan Winship 2011-10-11 12:41:03 UTC
Shortly after I commented that it didn't work any more, it started working again. I have no idea what I did. Maybe I had a bad kernel at some point and was accidentally switching between good and bad kernels when rebooting or something.