Date: 2010-02-26 12:05:46 EET
Sender: dazo

Could you please provide a complete configuration file for client and server, and log files with verb set to 4? I'm presuming you are using OpenVPN 2.1.0 or 2.1.1, is that correct?

---

Date: 2010-03-12 00:36:03 EET
Sender: phaoost

I confirm this bug in 2.1.0 and earlier versions (2.1-rc11). The reason is that on Linux, when you set the default route to a point-to-point connection, the IP address of the default gateway isn't necessary. Here is how the log looks:

warp:~/ovpn238# openvpn --config ovpn238.ovpn
Fri Mar 12 00:16:58 2010 us=403658 Current Parameter Settings:
Fri Mar 12 00:16:58 2010 us=404263 config = 'ovpn238.ovpn'
Fri Mar 12 00:16:58 2010 us=404332 mode = 0
Fri Mar 12 00:16:58 2010 us=404380 persist_config = DISABLED
Fri Mar 12 00:16:58 2010 us=404419 NOTE: --mute triggered...
Fri Mar 12 00:16:58 2010 us=404500 256 variation(s) on previous 4 message(s) suppressed by --mute
Fri Mar 12 00:16:58 2010 us=404544 OpenVPN 2.1.0 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Dec 11 2009
Fri Mar 12 00:16:58 2010 us=404906 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Mar 12 00:16:58 2010 us=404956 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Mar 12 00:16:58 2010 us=409174 /usr/bin/openssl-vulnkey -q -b 1024 -m
Fri Mar 12 00:16:59 2010 us=156885 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Mar 12 00:16:59 2010 us=157050 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 12 00:16:59 2010 us=157103 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 12 00:16:59 2010 us=157467 Control Channel MTU parms [ L:1545 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Mar 12 00:16:59 2010 us=157789 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:4 ET:0 EL:0 ]
Fri Mar 12 00:16:59 2010 us=157863 Fragmentation MTU parms [ L:1545 D:1300 EF:45 EB:4 ET:0 EL:0 ]
Fri Mar 12 00:16:59 2010 us=157955 Local Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,mtu-dynamic,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Mar 12 00:16:59 2010 us=157996 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,mtu-dynamic,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Mar 12 00:16:59 2010 us=158106 Local Options hash (VER=V4): '885414e3'
Fri Mar 12 00:16:59 2010 us=158172 Expected Remote Options hash (VER=V4): '8bcc3b84'
Fri Mar 12 00:16:59 2010 us=158247 Socket Buffers: R=[108544->131072] S=[108544->131072]
Fri Mar 12 00:16:59 2010 us=158297 UDPv4 link local: [undef]
Fri Mar 12 00:16:59 2010 us=158361 UDPv4 link remote: [AF_INET]x.x.x.x:4672
Fri Mar 12 00:16:59 2010 us=400999 TLS: Initial packet from [AF_INET]x.x.x.x:4672, sid=ccdce634 90e3e447
Fri Mar 12 00:17:00 2010 us=576787 VERIFY OK: depth=1, /C=US/ST=NA/L=x/O=x/CN=ovpn238/emailAddress=x
Fri Mar 12 00:17:00 2010 us=578011 VERIFY OK: depth=0, /C=US/ST=NA/O=x/CN=ovpn238/emailAddress=x
Fri Mar 12 00:17:02 2010 us=769948 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Mar 12 00:17:02 2010 us=770245 NOTE: --mute triggered...
Fri Mar 12 00:17:02 2010 us=770897 4 variation(s) on previous 4 message(s) suppressed by --mute
Fri Mar 12 00:17:02 2010 us=771100 [ovpn238] Peer Connection Initiated with [AF_INET]x.x.x.x:4672
Fri Mar 12 00:17:05 2010 us=34780 SENT CONTROL [ovpn238]: 'PUSH_REQUEST' (status=1)
Fri Mar 12 00:17:05 2010 us=270452 PUSH: Received control message: 'PUSH_REPLY,route-delay 2,dhcp-option DNS x.x.x.x,dhcp-option DNS x.x.x.x,route-metric 1,redirect-gateway def1,route 10.8.7.113,topology net30,ping 10,ping-restart 120,ifconfig 10.8.7.118 10.8.7.117'
Fri Mar 12 00:17:05 2010 us=270837 OPTIONS IMPORT: timers and/or timeouts modified
Fri Mar 12 00:17:05 2010 us=270881 OPTIONS IMPORT: --ifconfig/up options modified
Fri Mar 12 00:17:05 2010 us=270917 NOTE: --mute triggered...
Fri Mar 12 00:17:05 2010 us=271724 3 variation(s) on previous 4 message(s) suppressed by --mute
Fri Mar 12 00:17:05 2010 us=271768 ROUTE: default_gateway=UNDEF
Fri Mar 12 00:17:05 2010 us=291679 TUN/TAP device tun0 opened
Fri Mar 12 00:17:05 2010 us=291820 TUN/TAP TX queue length set to 100
Fri Mar 12 00:17:05 2010 us=291931 /sbin/ifconfig tun0 10.8.7.118 pointopoint 10.8.7.117 mtu 1500
Fri Mar 12 00:17:07 2010 us=426627 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
Fri Mar 12 00:17:07 2010 us=427232 /sbin/route add -net 10.8.7.113 netmask 255.255.255.255 gw 10.8.7.117 metric 1
Fri Mar 12 00:17:07 2010 us=429677 Initialization Sequence Completed

However, I need to point out one more thing. For some reason my ISP has two PPP connections:

ppp0 Link encap:Point-to-Point Protocol
     inet addr:1.8.160.81 P-t-P:93.84.80.34 Mask:255.255.255.255
     UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
     RX packets:16578 errors:0 dropped:0 overruns:0 frame:0
     TX packets:15504 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:3
     RX bytes:12782306 (12.1 MiB) TX bytes:1255803 (1.1 MiB)

ppp1 Link encap:Point-to-Point Protocol
     inet addr:86.57.254.161 P-t-P:93.84.80.34 Mask:255.255.255.255
     UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
     RX packets:336773 errors:0 dropped:0 overruns:0 frame:0
     TX packets:345265 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:3
     RX bytes:126402706 (120.5 MiB) TX bytes:45407057 (43.3 MiB)

My default gateway looks like:

warp:~/ovpn238# ip ro|grep default
default dev ppp1 scope link

So, the proper way to set the route towards VPN server 1.2.3.4 is:

ip ro ad to 1.2.3.4/32 via 93.84.80.34 dev ppp1

Here 'dev ppp1' is important. If I use 'route add ...', it will set ppp0 as the device and it won't work. I have tested it by changing the default gateway with 'ip ro ch default via 93.84.80.34 dev ppp1' and running openvpn again:

Fri Mar 12 00:29:00 2010 us=273161 [ovpn238] Peer Connection Initiated with [AF_INET]x.x.x.x:4672
Fri Mar 12 00:29:02 2010 us=686793 SENT CONTROL [ovpn238]: 'PUSH_REQUEST' (status=1)
Fri Mar 12 00:29:02 2010 us=915580 PUSH: Received control message: 'PUSH_REPLY,route-delay 2,dhcp-option DNS x.x.x.x,dhcp-option DNS x.x.x.x,route-metric 1,redirect-gateway def1,route 10.8.7.113,topology net30,ping 10,ping-restart 120,ifconfig 10.8.7.118 10.8.7.117'
Fri Mar 12 00:29:02 2010 us=915928 OPTIONS IMPORT: timers and/or timeouts modified
Fri Mar 12 00:29:02 2010 us=915969 OPTIONS IMPORT: --ifconfig/up options modified
Fri Mar 12 00:29:02 2010 us=916006 NOTE: --mute triggered...
Fri Mar 12 00:29:02 2010 us=916856 3 variation(s) on previous 4 message(s) suppressed by --mute
Fri Mar 12 00:29:02 2010 us=916906 ROUTE default_gateway=93.84.80.34
Fri Mar 12 00:29:02 2010 us=935956 TUN/TAP device tun0 opened
Fri Mar 12 00:29:02 2010 us=936100 TUN/TAP TX queue length set to 100
Fri Mar 12 00:29:02 2010 us=936210 /sbin/ifconfig tun0 10.8.7.118 pointopoint 10.8.7.117 mtu 1500
Fri Mar 12 00:29:05 2010 us=146692 /sbin/route add -net x.x.x.x netmask 255.255.255.255 gw 93.84.80.34
Fri Mar 12 00:29:05 2010 us=149296 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.7.117
Fri Mar 12 00:29:05 2010 us=151905 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.7.117
Fri Mar 12 00:29:05 2010 us=154973 /sbin/route add -net 10.8.7.113 netmask 255.255.255.255 gw 10.8.7.117 metric 1
Fri Mar 12 00:29:05 2010 us=157478 Initialization Sequence Completed

These are the lines I got in the routing table:

93.84.80.34 dev ppp0 proto kernel scope link src 1.8.160.81
93.84.80.34 dev ppp1 proto kernel scope link src 86.57.254.161
x.x.x.x via 93.84.80.34 dev ppp0 (!!!!!)
10.8.7.117 dev tun0 proto kernel scope link src 10.8.7.118
10.8.7.113 via 10.8.7.117 dev tun0 metric 1
172.16.17.0/27 dev eth1 proto kernel scope link src 172.16.17.30
0.0.0.0/1 via 10.8.7.117 dev tun0
128.0.0.0/1 via 10.8.7.117 dev tun0
default via 93.84.80.34 dev ppp1

So the VPN dropped after a timeout, as the route went through the wrong device (ppp0 instead of ppp1). Hope this will help.

---

Date: 2010-03-13 13:56:04 EET
Sender: derrichard

Sorry for not responding; during the weekend I'll post a complete configuration plus log files. Currently I am very busy.

cheers,
//richard

---

Date: 2010-04-22 16:08:33 EEST
Sender: sven-ola

Have a related problem. No default route at all. Server can be reached via host route or (that's my current problem) via a default route in a table != main, aka policy route. Especially when using "push def1" it's not necessary AFAICT to search + fiddle with the default route on the client.

---

Date: 2010-04-22 17:21:23 EEST
Sender: sven-ola

And a fix (for at least my quirks) is here: http://ff-firmware.cvs.sourceforge.net/viewvc/*checkout*/ff-firmware/ff-devel/openvpn.patch
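The two failure modes phaoost describes (a default route on a point-to-point link that has no gateway address, and two PPP interfaces sharing the same peer address so that a gateway-only host route lands on the wrong device) can be checked for from the client side before starting the VPN. The following POSIX sh script is an added example written for this thread; it is not part of the ticket and not OpenVPN's own route handling. It parses `ip route` output, derives the host route to the VPN server from the device of the default route rather than from its gateway address alone, and flags an installed host route whose device differs from the default route's. The `ip route` output it works on is constructed here after phaoost's routing table; the VPN server address 1.2.3.4 is the placeholder used in the thread.

```sh
#!/bin/sh
# Added example (not from the ticket or OpenVPN). Works on "ip route" output
# passed in as a string, so it runs offline against the constructed samples.

# default_route_of OUTPUT -> prints "GATEWAY DEVICE"; GATEWAY is "-" when the
# default route has no "via" address (the point-to-point case from the thread).
default_route_of() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            gw = "-"; dev = "-"
            for (i = 2; i <= NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            print gw, dev
            exit
        }'
}

# host_route_cmd SERVER OUTPUT -> prints the ip route command that pins the
# host route to the interface currently carrying the default route. Always
# names the device, so a peer address shared by two PPP links cannot pick
# the wrong one; omits "via" when the default route has no gateway address.
host_route_cmd() {
    server=$1; routes=$2
    set -- $(default_route_of "$routes")
    gw=$1; dev=$2
    if [ -z "$dev" ] || [ "$dev" = "-" ]; then
        echo "no default route found" >&2
        return 1
    fi
    if [ "$gw" = "-" ]; then
        echo "ip route add $server/32 dev $dev"
    else
        echo "ip route add $server/32 via $gw dev $dev"
    fi
}

# check_host_route SERVER OUTPUT -> reports whether the installed host route
# to SERVER uses the same device as the default route (phaoost's "(!!!!!)" line).
check_host_route() {
    server=$1; routes=$2
    set -- $(default_route_of "$routes")
    defdev=$2
    hostdev=$(printf '%s\n' "$routes" | awk -v s="$server" '
        $1 == s { for (i = 2; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
    if [ -z "$hostdev" ]; then
        echo "no host route to $server"
    elif [ "$hostdev" = "$defdev" ]; then
        echo "ok: host route to $server uses $defdev"
    else
        echo "mismatch: host route to $server uses $hostdev, default route uses $defdev"
    fi
}

# Constructed sample routing tables (modelled on the thread, not captured).
ETH_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'

PPP_ROUTES='default dev ppp1 scope link
93.84.80.34 dev ppp0 proto kernel scope link src 1.8.160.81
93.84.80.34 dev ppp1 proto kernel scope link src 86.57.254.161'

BAD_ROUTES='93.84.80.34 dev ppp0 proto kernel scope link src 1.8.160.81
93.84.80.34 dev ppp1 proto kernel scope link src 86.57.254.161
1.2.3.4 via 93.84.80.34 dev ppp0
default via 93.84.80.34 dev ppp1'

# Demo run against the constructed tables.
host_route_cmd 192.0.2.100 "$ETH_ROUTES"
host_route_cmd 1.2.3.4 "$PPP_ROUTES"
check_host_route 1.2.3.4 "$BAD_ROUTES"
```

The script only reads the main table, so it does not cover sven-ola's case of a default route living in another policy-routing table; that would need `ip route show table <id>` (assumed here, not demonstrated) fed through the same functions.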