Bug 1394459 - Openvpn sets route incorrectly
Summary: Openvpn sets route incorrectly
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openvpn
Version: 25
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: David Sommerseth
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-12 09:58 UTC by j.gjorgji
Modified: 2017-04-24 20:49 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-24 20:49:54 UTC
Type: Bug



Description j.gjorgji 2016-11-12 09:58:00 UTC
Description of problem:
The openvpn client sets the destination route incorrectly on F25; with the same configuration it worked fine on F24 and continues to work fine on CentOS 7. Server is F24.

Version-Release number of selected component (if applicable):
openvpn-2.3.13-1.fc25.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Start openvpn as a client on F25
2.
3.

Actual results:
Route is set incorrectly as this:
ip route
default via 192.168.178.1 dev enp5s0  proto static  metric 100
192.168.178.0/24 dev enp5s0  proto kernel  scope link  src 192.168.178.40  metric 100
255.255.255.0 dev tun0  proto kernel  scope link  src 10.8.0.3

Expected results:
Here is the route which when set manually with this command works:

ip route add 10.8.0.0/24 dev tun0

ip route
default via 192.168.178.1 dev enp5s0  proto static  metric 100
10.8.0.0/24 dev tun0  scope link
192.168.178.0/24 dev enp5s0  proto kernel  scope link  src 192.168.178.40  metric 100

Additional info:
Here is the route set up from CentOS:
ip route
default via 192.168.178.1 dev br0  proto static  metric 425
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.2

This is set up by default and works fine.

Here are the commands executed by openvpn as seen in the logs.

CentOS 7:
/usr/sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255

F25:
/usr/sbin/ip addr add dev tun0 local 10.8.0.3 peer 255.255.255.0

Both CentOS and F25 computers are on the same network connecting to the same server with the exact same config (besides the IP address allocation).

Client config:

client
remote myserver
dev tun
proto udp
nobind
resolv-retry infinite
persist-key
persist-tun
verb 4
remote-cert-tls server
ns-cert-type server
key-direction 1

<removed inline keys>

Server config:

mode server
tls-server

ifconfig 10.8.0.1 255.255.255.0
ifconfig-pool 10.8.0.10 10.8.0.50 255.255.255.0

port 1194
proto udp
dev tun

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0

topology subnet
push '"topology subnet"'

client-config-dir ccd
keepalive 10 120

user openvpn
group openvpn

persist-key
persist-tun

verb 4
mute 20

push "dhcp-option DNS 10.8.0.1"
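
A check for the symptom shown in this report, as an added example (not part of the report and not OpenVPN code): it flags a tun route whose destination is itself a netmask, and a logged `ip addr add` command whose `peer` is a netmask. The function names are hypothetical; the sample lines are copied from the report above with whitespace normalised.

```python
import ipaddress

# Lines copied from the report above (whitespace normalised).
F25_ROUTES = """default via 192.168.178.1 dev enp5s0 proto static metric 100
192.168.178.0/24 dev enp5s0 proto kernel scope link src 192.168.178.40 metric 100
255.255.255.0 dev tun0 proto kernel scope link src 10.8.0.3"""
CENTOS_ROUTES = """default via 192.168.178.1 dev br0 proto static metric 425
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2"""
F25_CMD = "/usr/sbin/ip addr add dev tun0 local 10.8.0.3 peer 255.255.255.0"
CENTOS_CMD = "/usr/sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255"


def is_netmask(token):
    """True if token is a dotted quad that is a contiguous netmask of /8 or longer."""
    try:
        value = int(ipaddress.IPv4Address(token))
    except ValueError:  # "default", CIDR prefixes, device names, ...
        return False
    inverted = ~value & 0xFFFFFFFF
    # Ones followed by zeros: the complement must have the form 2**k - 1.
    return value >= 0xFF000000 and (inverted & (inverted + 1)) == 0


def field_after(fields, key):
    """Return the token following key, or None if key is absent or last."""
    if key in fields[:-1]:
        return fields[fields.index(key) + 1]
    return None


def suspect_routes(ip_route_output, dev_prefix="tun"):
    """Return (destination, device) for tunnel routes whose destination is a netmask."""
    hits = []
    for line in ip_route_output.splitlines():
        fields = line.split()
        dev = field_after(fields, "dev")
        if fields and dev and dev.startswith(dev_prefix) and is_netmask(fields[0]):
            hits.append((fields[0], dev))
    return hits


def peer_is_netmask(ip_addr_cmd):
    """True if a logged `ip addr add` command passes a netmask as the peer address."""
    peer = field_after(ip_addr_cmd.split(), "peer")
    return peer is not None and is_netmask(peer)


if __name__ == "__main__":
    print(suspect_routes(F25_ROUTES), peer_is_netmask(F25_CMD))
```

On a live client the same functions can be fed the output of `ip route` and the `ip addr add` line from the OpenVPN log.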

Comment 1 j.gjorgji 2016-11-12 09:59:07 UTC
Versions on server and Centos 7:
openvpn-2.3.12-1.fc24.x86_64
openvpn-2.3.12-1.el7.x86_64

Comment 2 David Sommerseth 2016-11-12 11:18:44 UTC
Has the iproute2 ip route syntax changed lately?  OpenVPN calls 'ip route add' directly, so if that has changed in F25 things may break as things are now.

Comment 3 Gwyn Ciesla 2016-12-16 15:20:58 UTC
Is this working with 2.3.14?

Comment 4 j.gjorgji 2016-12-18 13:23:53 UTC
This does not happen with openvpn-2.3.14-1.fc25.x86_64, however I'm not sure if it's due to the new version or there was some configuration issue beforehand (or upgrade leftover) as I did a fresh install of Fedora 25.

Comment 5 Fedora Admin XMLRPC Client 2017-03-14 12:15:41 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 6 David Sommerseth 2017-04-24 20:49:54 UTC
Closing this now, as we've anyway moved a step forward with OpenVPN v2.4.

