#1 2021-07-30 13:04:43

burninggramma
Member
Registered: 2012-11-11
Posts: 8

Routing issue after connecting to openvpn

I can successfully connect to a `udp`/`tap`-based openvpn server. However, the profile does not contain any routing-related rules, nor does the server push any. I was told to simply use `dhcp` on the `tap` interface; however, after getting an IP, my routing seems to be broken.

I did a `tcpdump` recording (without noise from any running service) to try to figure it out, but I cannot pinpoint why it would behave as seen below.

Anonymized tcpdump w/ some added comments:

```
# VPN per udp working, but no IP assigned yet to tap0.

14:40:10.053555 wlo1  Out IP <my_hostname>.48399 > <vpn_remote>.23194: UDP, length 44
14:40:17.989006 wlo1  In  IP <vpn_remote>.23194 > <my_hostname>.48399: UDP, length 44
14:40:21.028406 wlo1  Out IP <my_hostname>.48399 > <vpn_remote>.23194: UDP, length 44
14:40:28.539413 wlo1  In  IP <vpn_remote>.23194 > <my_hostname>.48399: UDP, length 44

# Using `dhcpcd --rebind tap0`

14:40:31.593844 wlo1  Out IP <my_hostname>.48399 > <vpn_remote>.23194: UDP, length 44
14:40:35.412055 tap0  Out IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from aa:7e:85:a6:51:18 (oui Unknown), length 300
14:40:35.412168 wlo1  Out IP <my_hostname>.48399 > <vpn_remote>.23194: UDP, length 370
14:40:35.444922 wlo1  In  IP <vpn_remote>.23194 > <my_hostname>.48399: UDP, length 70
14:40:35.445058 tap0  B   ARP, Request who-has 10.23.112.33 tell 10.23.112.11, length 28
14:40:36.524066 wlo1  In  IP <vpn_remote>.23194 > <my_hostname>.48399: UDP, length 370
14:40:36.524070 wlo1  In  IP <vpn_remote>.23194 > <my_hostname>.48399: UDP, length 70
14:40:36.524217 tap0  In  IP 10.23.112.11.bootps > 10.23.112.33.bootpc: BOOTP/DHCP, Reply, length 300
14:40:36.524288 tap0  B   ARP, Request who-has 10.23.112.33 tell 10.23.112.11, length 28
14:40:36.524806 tap0  Out IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from aa:7e:85:a6:51:18 (oui Unknown), length 304
14:40:36.524948 wlo1  Out IP <my_hostname>.48399 > <vpn_remote>.23194: UDP, length 374
14:40:36.604177 wlo1  In  IP <vpn_remote>.23194 > <my_hostname>.48399: UDP, length 370
14:40:36.604309 tap0  In  IP 10.23.112.11.bootps > 10.23.112.33.bootpc: BOOTP/DHCP, Reply, length 300
14:40:36.637012 wlo1  Out ARP, Request who-has _gateway tell <my_hostname>, length 28
14:40:36.638798 wlo1  In  ARP, Reply _gateway is-at f4:db:e6:cd:f0:ea (oui Unknown), length 46
14:40:36.664584 tap0  Out ARP, Request who-has 10.23.112.33 tell 0.0.0.0, length 28
14:40:36.664698 wlo1  Out IP <my_hostname>.48399 > <vpn_remote>.23194: UDP, length 70
14:40:37.546912 wlo1  In  IP <vpn_remote>.23194 > <my_hostname>.48399: UDP, length 70
14:40:37.547051 tap0  B   ARP, Request who-has 10.23.112.33 tell 10.23.112.11, length 28
14:40:37.904326 tap0  Out ARP, Request who-has 10.23.112.33 tell 0.0.0.0, length 28
14:40:37.904439 wlo1  Out IP <my_hostname>.48399 > <vpn_remote>.23194: UDP, length 70
14:40:39.726276 tap0  Out ARP, Request who-has 10.23.112.33 tell 0.0.0.0, length 28
14:40:39.726388 wlo1  Out IP <my_hostname>.48399 > <vpn_remote>.23194: UDP, length 70
14:40:41.731020 tap0  Out ARP, Request who-has 10.23.112.33 tell 10.23.112.33, length 28
14:40:41.731233 tap0  Out ARP, Request who-has _gateway tell 10.23.112.33, length 28
14:40:42.744642 tap0  Out ARP, Request who-has _gateway tell 10.23.112.33, length 28
14:40:43.733176 tap0  Out ARP, Request who-has 10.23.112.33 tell 10.23.112.33, length 28
14:40:43.757051 tap0  Out ARP, Request who-has _gateway tell 10.23.112.33, length 28
14:40:44.771187 lo    In  IP 10.23.112.33 > 10.23.112.33: ICMP host <vpn_remote> unreachable, length 106
14:40:44.771198 lo    In  IP 10.23.112.33 > 10.23.112.33: ICMP host <vpn_remote> unreachable, length 106
14:40:44.771200 lo    In  IP 10.23.112.33 > 10.23.112.33: ICMP host <vpn_remote> unreachable, length 106
14:40:44.771201 lo    In  IP 10.23.112.33 > 10.23.112.33: ICMP host <vpn_remote> unreachable, length 106
14:40:44.771203 lo    In  IP 10.23.112.33 > 10.23.112.33: ICMP host <vpn_remote> unreachable, length 106

# Started `ping` against working host on 10.23.112.

14:40:47.889542 wlo1  In  IP <vpn_remote>.23194 > <my_hostname>.48399: UDP, length 44
14:40:50.110152 tap0  Out ARP, Request who-has _gateway tell 10.23.112.33, length 28
14:40:51.118019 tap0  Out ARP, Request who-has _gateway tell 10.23.112.33, length 28
14:40:52.131318 tap0  Out ARP, Request who-has _gateway tell 10.23.112.33, length 28
14:40:53.144706 lo    In  IP 10.23.112.33 > 10.23.112.33: ICMP host _gateway unreachable, length 92
14:40:53.144721 lo    In  IP 10.23.112.33 > 10.23.112.33: ICMP host <vpn_remote> unreachable, length 106
14:40:53.144731 lo    In  IP 10.23.112.33 > 10.23.112.33: ICMP host _gateway unreachable, length 92
14:40:53.144738 lo    In  IP 10.23.112.33 > 10.23.112.33: ICMP host <vpn_remote> unreachable, length 106
14:40:53.144745 lo    In  IP 10.23.112.33 > 10.23.112.33: ICMP host _gateway unreachable, length 92
14:40:53.144752 lo    In  IP 10.23.112.33 > 10.23.112.33: ICMP host <vpn_remote> unreachable, length 106
```

Routing table before and after the `dhcp` with `route -n`:

```
# Before dhcp

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.200.200.1    0.0.0.0         UG    3003   0        0 wlo1
10.200.200.0    0.0.0.0         255.255.254.0   U     3003   0        0 wlo1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0

# After dhcp
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.23.112.1     0.0.0.0         UG    1009   0        0 tap0
0.0.0.0         10.200.200.1    0.0.0.0         UG    3003   0        0 wlo1
10.23.112.0     0.0.0.0         255.255.254.0   U     1009   0        0 tap0
10.200.200.0    0.0.0.0         255.255.254.0   U     3003   0        0 wlo1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
```

I don't understand why I still see gateway-address-related queries in `tcpdump`, when my routing table already seems to have a gateway set for that network.

#2 2021-07-30 14:54:01

rsmarples
Member
Registered: 2009-05-12
Posts: 287

Re: Routing issue after connecting to openvpn

Try adding this to /etc/dhcpcd.conf

```
# Ensure that tap0 does not affect our default routes
interface tap0
metric 5001
```

Then restart dhcpcd.

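A simplified route lookup over the "After dhcp" table from post #1, showing which interface each destination resolves to and how that changes with the metric suggested in post #2. This is an added example, not part of either post: the function names are hypothetical, `203.0.113.10` is a constructed stand-in for `<vpn_remote>`, and the model covers only the main table (longest prefix first, then lowest metric), ignoring policy rules.

```python
import ipaddress

# `route -n` output after DHCP, copied from post #1.
AFTER_DHCP = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.23.112.1     0.0.0.0         UG    1009   0        0 tap0
0.0.0.0         10.200.200.1    0.0.0.0         UG    3003   0        0 wlo1
10.23.112.0     0.0.0.0         255.255.254.0   U     1009   0        0 tap0
10.200.200.0    0.0.0.0         255.255.254.0   U     3003   0        0 wlo1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
"""
VPN_REMOTE = "203.0.113.10"  # constructed stand-in for <vpn_remote>

def parse_route_n(text):
    """Parse `route -n` rows into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}")
        gw = None if f[1] == "0.0.0.0" else f[1]
        routes.append((net, gw, int(f[4]), f[7]))
    return routes

def lookup(routes, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    net, gw, metric, iface = min(hits, key=lambda r: (-r[0].prefixlen, r[2]))
    return iface, gw or "on-link"

def with_metric(routes, iface, metric):
    """Constructed variant: same table with one interface's metric changed."""
    return [(n, g, metric if i == iface else m, i) for n, g, m, i in routes]

if __name__ == "__main__":
    table = parse_route_n(AFTER_DHCP)
    for label, rt in (("metric 1009", table),
                      ("metric 5001", with_metric(table, "tap0", 5001))):
        for dst in (VPN_REMOTE, "8.8.8.8", "10.23.112.11"):
            print(f"tap0 {label}: {dst:>13} -> {lookup(rt, dst)}")
```

On a live system, `ip route get <address>` answers the same question from the kernel's own tables.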
#3 2021-07-31 04:30:39

burninggramma
Member
Registered: 2012-11-11
Posts: 8

Re: Routing issue after connecting to openvpn

rsmarples wrote:

> Try adding this to /etc/dhcpcd.conf
>
> ```
> # Ensure that tap0 does not affect our default routes
> interface tap0
> metric 5001
> ```
>
> Then restart dhcpcd.

Thanks for your input! I've played around w/ the metric before, by adjusting routing rules manually, but that didn't help. I've also tried your idea; the routing table got the entries properly added (with 5001 metric for tap0), but the network is still unreachable.

Also, an interesting part is that, both with and without this metric modification, once the DHCP address is set up, routing is broken both into the internal network (any `10.23.112.` address) and externally, e.g. `ping 8.8.8.8` returns unreachable. After I release with `dhcpcd --release tap0` (which of course removes the entries from the routing table), the external routing works again: `ping 8.8.8.8` properly displays regular output.

I would've expected - should it be a metric problem - the external routing to keep working.

In the `tcpdump` (attached above) I see packets for the loopback, which I feel are wrong; however, I've no idea why this routing table would result in that.

Last edited by burninggramma (2021-07-31 04:38:57)
