Bug 743257 - openvpn fails to set up routes
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: openvpn
Version: 16
Hardware: Unspecified
OS: Unspecified
Assignee: Steven Pritchard
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-10-04 11:57 UTC by Dan Winship
Modified: 2011-10-11 12:41 UTC (History)

Last Closed: 2011-10-11 12:41:03 UTC

Description Dan Winship 2011-10-04 11:57:02 UTC
openvpn-2.2.1-2.fc16.x86_64
kernel-3.1.0-0.rc8.git0.0.fc16.x86_64
iproute-2.6.39-3.fc16.x86_64

NetworkManager-openvpn fails silently. Exporting the config and then running openvpn by hand with "-verb 3" gives:

...
Tue Oct  4 07:53:14 2011 TUN/TAP device tun0 opened
Tue Oct  4 07:53:14 2011 TUN/TAP TX queue length set to 100
Tue Oct  4 07:53:14 2011 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct  4 07:53:14 2011 /sbin/ip addr add dev tun0 local 10.3.112.35 peer 255.255.255.0
Tue Oct  4 07:53:14 2011 /sbin/ip route add 10.0.0.0/8 via 10.3.112.1
RTNETLINK answers: No such process
Tue Oct  4 07:53:14 2011 ERROR: Linux route add command failed: external program exited with error status: 2
Tue Oct  4 07:53:14 2011 /sbin/ip route add 172.16.0.0/16 via 10.3.112.1
RTNETLINK answers: No such process
Tue Oct  4 07:53:14 2011 ERROR: Linux route add command failed: external program exited with error status: 2
...

It appears that there is no route to 10.3.112.1, so the attempt to use it as a route to 10.0.0.0/8 fails. If I manually do:

    /sbin/ip route add 10.3.112.1 dev tun0

then that succeeds, and I can add the other two previously-failed routes after that.
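
The observation above, that nothing routes to 10.3.112.1, can be checked mechanically from the log. This is an added example, not part of the original report or of OpenVPN: it models which destinations are on-link after each `ip addr add` and flags `via` gateways outside them. The function names are hypothetical, and the model assumes that the `local ... peer ...` form yields only a host route to the peer.

```python
import ipaddress
import re

# Command lines copied from the log in the report above (timestamps trimmed).
SAMPLE_LOG = """\
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 10.3.112.35 peer 255.255.255.0
/sbin/ip route add 10.0.0.0/8 via 10.3.112.1
RTNETLINK answers: No such process
/sbin/ip route add 172.16.0.0/16 via 10.3.112.1
RTNETLINK answers: No such process
"""

ADDR_RE = re.compile(r"ip addr add dev (\S+) (?:local )?(\S+)(?: peer (\S+))?")
ROUTE_RE = re.compile(r"ip route add (\S+) via (\S+)")


def onlink_networks(log):
    """Networks reachable without a gateway after the 'ip addr add' calls."""
    nets = []
    for m in ADDR_RE.finditer(log):
        _dev, local, peer = m.groups()
        if peer:
            # Point-to-point form: assumed to create only a host route to the peer.
            nets.append(ipaddress.ip_network(peer.split("/")[0] + "/32"))
        else:
            # Subnet form (addr/prefix): the whole connected prefix is on-link.
            nets.append(ipaddress.ip_interface(local).network)
    return nets


def unreachable_gateways(log):
    """Return (destination, gateway) for routes whose next hop is not on-link."""
    nets = onlink_networks(log)
    bad = []
    for dest, gw in ROUTE_RE.findall(log):
        if not any(ipaddress.ip_address(gw) in n for n in nets):
            bad.append((dest, gw))
    return bad


if __name__ == "__main__":
    for dest, gw in unreachable_gateways(SAMPLE_LOG):
        print(f"route {dest}: gateway {gw} has no on-link route")
```

Run against the report's log, both failed routes are flagged because the only on-link destination is the "peer" 255.255.255.0, which is what the manual `ip route add 10.3.112.1 dev tun0` works around.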

Comment 1 Dan Winship 2011-10-04 15:21:58 UTC
Ah, the bug goes away if you turn off selinux. Not sure where this belongs then.

Comment 2 Petr Šabata 2011-10-04 15:29:20 UTC
(In reply to comment #1)
> Ah, the bug goes away if you turn off selinux. Not sure where this belongs then.

selinux-policy, I believe...

Comment 3 Gwyn Ciesla 2011-10-04 15:35:07 UTC
Please include the AVC warnings, as well.

Comment 4 Dan Winship 2011-10-04 17:14:03 UTC
(In reply to comment #3)
> Please include the AVC warnings, as well.

Didn't get any. Maybe the thing that shows those was broken too... there was lots of random crashing going on.

Comment 5 Daniel Walsh 2011-10-04 20:39:02 UTC
dmesg | grep avc

Comment 6 Daniel Walsh 2011-10-04 20:39:20 UTC
Are things working for you now?

Comment 7 Dan Winship 2011-10-04 20:48:07 UTC
Yes, after disabling selinux, things work.

Nothing in dmesg. I'll try to remember to reboot with selinux and try again tomorrow morning.

Comment 8 Dan Winship 2011-10-04 23:40:57 UTC
Huh. Actually it doesn't work regardless of selinux setting. (I'd swear it worked the first time I tried after disabling it though...)

Comment 9 Miroslav Grepl 2011-10-05 05:33:34 UTC
Also, if you talk about disabling SELinux, please make sure you talk about permissive mode. Thanks.

Comment 10 Dan Winship 2011-10-11 12:41:03 UTC
Shortly after I commented that it didn't work any more, it started working again. I have no idea what I did. Maybe I had a bad kernel at some point and was accidentally switching between good and bad kernels when rebooting or something.
