Opened 5 years ago
Closed 4 years ago
#1148 closed Bug / Defect (notabug)
OpenVPN Server: BGP Router: wrong ARP lookups
Reported by: | Konstantin Shalygin | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Networking | Version: | |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | bgp arp |
Cc: |
Description
Router: Dell R330
Kernel: Linux gate 4.11.12-1.el7.centos.x86_64 #1 SMP PREEMPT Fri Feb 16 23:01:02 +07 2018 x86_64 x86_64 x86_64 GNU/Linux
Routing daemon: Quagga 0.99.22.4
OpenVPN:
```
OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
```
The problem: the OpenVPN server can't send an answer to the client because it tries to send packets to the wrong interface.
Client:
```
OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 16 2018
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
```
```
[root@client /]# ip ro get 193.150.124.1
193.150.124.1 via 79.175.37.13 dev vlan999 src 79.175.37.14
    cache
[root@client /]# mtr -nzerc 5 193.150.124.1
Start: Wed Dec 12 13:13:56 2018
HOST: ***                 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. AS12418 79.175.37.13    0.0%     5    2.0   1.8   1.0   2.9   0.0
  2. AS8359 212.188.22.225   0.0%     5   10.6  11.7  10.6  13.2   1.0
  3. AS8359 212.188.23.94    0.0%     5    9.5   9.7   9.5   9.9   0.0
  4. AS12389 213.228.109.59  0.0%     5   10.1  10.4   9.7  11.9   0.7
  5. AS198181193.150.124.1   0.0%     5    8.8   8.9   8.4  10.1   0.0
```
The incoming connection to the router arrives on the vlan301 interface, and sending ARPs to this interface is useless, because we already know how to communicate with 79.175.37.14:
```
[root@gate k0ste]# ip ro get 79.175.37.14
79.175.37.14 via 81.1.245.17 dev vlan1623 src 81.1.245.18 uid 0
    cache
```
Tcpdump:
```
12:51:36.727084 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:36.727087 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:37.741225 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:37.741227 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:38.754559 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:38.754561 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:42.137844 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:42.137847 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:43.154562 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:43.154565 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:44.167889 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:44.167890 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:50.393027 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:50.393030 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:51.394555 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:51.394557 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:52.411222 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:52.411223 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:06.407934 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:06.407937 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:07.421220 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:07.421222 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:08.434566 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:08.434568 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
```
Server configuration is:
```
port 1196
proto udp
dev tap2
server 10.10.0.0 255.255.255.0
dh /etc/openvpn/server/tls/dhparam.pem
ca /etc/openvpn/server/tls/rootCA.crt
cert /etc/openvpn/server/tls/<***>.crt
key /etc/openvpn/server/tls/<***>.key
tls-auth /etc/openvpn/server/tls/ta.key 0
crl-verify /etc/openvpn/server/tls/<***>.pem
user nobody
group nobody
verify-client-cert require
multihome
persist-key
persist-tun
keepalive 10 60
max-clients 250
reneg-sec 86400
replay-window 64
client-to-client
comp-lzo adaptive
verb 4
mute 10
mute-replay-warnings
status /var/lib/openvpn/status1196.log
push "persist-key"
push "persist-tun"
push "comp-lzo adaptive"
tls-server
tls-version-min 1.2
client-config-dir /etc/openvpn/server/openvpn1196
ccd-exclusive
```
Attachments (2)
Change History (7)
Changed 5 years ago by
Attachment: | openvpn.pcap added |
---|
comment:1 Changed 5 years ago by
```
gate# sh ip bgp 79.175.37.14/24
BGP routing table entry for 79.175.37.0/24
Paths: (5 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  21127 12418
    81.1.245.17 from 81.1.245.17 (10.7.54.252)
      Origin IGP, localpref 100, valid, external, best
      Community: 21127:12930
      Last update: Tue Dec 11 04:49:41 2018
  9049 20485 21127 12418
    188.234.157.13 from 188.234.157.13 (188.234.152.239)
      Origin IGP, localpref 100, valid, external
      Last update: Tue Dec 11 02:46:26 2018
  12389 8359 12418 12418
    95.156.85.193 from 95.156.85.193 (213.228.116.25)
      Origin IGP, localpref 100, valid, external
      Community: 8359:5500 8359:55654 12389:8
      Last update: Sat Dec 8 02:19:54 2018
  50166 21127 12418
    195.211.7.125 from 195.211.7.125 (195.211.7.2)
      Origin IGP, localpref 100, valid, external
      Last update: Tue Dec 11 04:50:10 2018
  25549 20485 21127 12418
    212.17.15.169 from 212.17.15.169 (195.49.169.1)
      Origin IGP, localpref 100, valid, external
      Community: 20485:10022
      Last update: Wed Dec 12 08:11:40 2018
gate# sh ip route 79.175.37.14
Routing entry for 79.175.37.14/32
  Known via "kernel", distance 0, metric 0, best
  * 81.1.245.17, via vlan1623
```
comment:2 Changed 5 years ago by
While this is an interesting problem, it's totally outside of OpenVPN - in tap mode, OpenVPN does not care about IP addresses or routing and only bothers with Ethernet packets.
So if the client sends an ARP to the TAP interface, it does so because it has configured a route pointing to the tap interface - this might be due to a client config that installs a "route", or due to external scripts. Hard to say without a client log and an "ip route show" output from the client.
comment:3 Changed 5 years ago by
Log from client:
```
Dec 12 14:46:30 <***> systemd[1]: Stopped OpenVPN tunnel for tap1.
Dec 12 14:46:30 <***> systemd[1]: Starting OpenVPN tunnel for tap1...
Dec 12 14:46:30 <***> openvpn[20032]: Current Parameter Settings:
Dec 12 14:46:30 <***> openvpn[20032]: config = 'tap1.conf'
Dec 12 14:46:30 <***> openvpn[20032]: mode = 0
Dec 12 14:46:30 <***> openvpn[20032]: persist_config = DISABLED
Dec 12 14:46:30 <***> openvpn[20032]: persist_mode = 1
Dec 12 14:46:30 <***> openvpn[20032]: NOTE: --mute triggered...
Dec 12 14:46:30 <***> openvpn[20032]: 276 variation(s) on previous 5 message(s) suppressed by --mute
Dec 12 14:46:30 <***> openvpn[20032]: OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 16 2018
Dec 12 14:46:30 <***> openvpn[20032]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09
Dec 12 14:46:30 <***> systemd[1]: Started OpenVPN tunnel for tap1.
Dec 12 14:46:30 <***> openvpn[20032]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Dec 12 14:46:30 <***> openvpn[20032]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 12 14:46:30 <***> openvpn[20032]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 12 14:46:30 <***> openvpn[20032]: LZO compression initializing
Dec 12 14:46:30 <***> openvpn[20032]: Control Channel MTU parms [ L:1654 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Dec 12 14:46:30 <***> openvpn[20032]: Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
Dec 12 14:46:30 <***> openvpn[20032]: Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Dec 12 14:46:30 <***> openvpn[20032]: Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Dec 12 14:46:30 <***> openvpn[20032]: TCP/UDP: Preserving recently used remote address: [AF_INET]193.150.124.1:1196
Dec 12 14:46:30 <***> openvpn[20032]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Dec 12 14:46:30 <***> openvpn[20032]: UDP link local: (not bound)
Dec 12 14:46:30 <***> openvpn[20032]: UDP link remote: [AF_INET]193.150.124.1:1196
Dec 12 14:46:30 <***> openvpn[20032]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
```
"ip route show" from client:
default via 176.197.91.77 dev vlan888 proto zebra 5.128.91.23 via 176.197.91.77 dev vlan888 proto zebra 10.8.0.0/24 via 10.9.0.1 dev tap0 proto zebra metric 20 10.9.0.0/24 dev tap0 proto kernel scope link src 10.9.0.33 10.11.0.0/24 via 10.9.0.1 dev tap0 proto zebra metric 20 10.100.2.0/26 via 10.9.0.2 dev tap0 proto zebra metric 20 10.100.3.0/26 via 10.9.0.16 dev tap0 proto zebra metric 20 10.100.4.0/26 via 10.9.0.21 dev tap0 proto zebra metric 20 10.100.5.128/25 via 10.9.0.34 dev tap0 proto zebra metric 20 10.100.6.0/26 via 10.9.0.17 dev tap0 proto zebra metric 20 10.100.7.0/26 via 10.9.0.22 dev tap0 proto zebra metric 20 10.100.8.0/26 via 10.9.0.20 dev tap0 proto zebra metric 20 10.100.129.0/26 via 10.9.0.1 dev tap0 proto zebra metric 20 10.100.129.64/26 via 10.9.0.1 dev tap0 proto zebra metric 20 10.100.129.128/26 via 10.9.0.1 dev tap0 proto zebra metric 20 10.100.129.192/26 via 10.9.0.1 dev tap0 proto zebra metric 20 10.100.130.0/24 via 10.9.0.1 dev tap0 proto zebra metric 20 10.100.131.0/26 via 10.9.0.1 dev tap0 proto zebra metric 20 10.100.243.0/26 via 10.9.0.19 dev tap0 proto zebra metric 20 10.100.243.192/26 via 10.9.0.32 dev tap0 proto zebra metric 20 10.100.244.0/26 via 10.9.0.26 dev tap0 proto zebra metric 20 10.100.245.0/26 via 10.9.0.8 dev tap0 proto zebra metric 20 10.100.247.0/26 via 10.9.0.9 dev tap0 proto zebra metric 20 10.100.247.64/26 via 10.9.0.27 dev tap0 proto zebra metric 20 10.100.248.0/26 via 10.9.0.23 dev tap0 proto zebra metric 20 10.100.248.64/26 via 10.9.0.29 dev tap0 proto zebra metric 20 10.100.249.0/26 via 10.9.0.12 dev tap0 proto zebra metric 20 10.100.249.64/26 via 10.9.0.13 dev tap0 proto zebra metric 20 10.100.250.0/26 via 10.9.0.7 dev tap0 proto zebra metric 20 10.100.251.0/26 via 10.9.0.11 dev tap0 proto zebra metric 20 10.100.252.0/26 via 10.9.0.14 dev tap0 proto zebra metric 20 10.100.252.64/26 dev vlan777 proto kernel scope link src 10.100.252.126 10.100.252.192/26 via 10.9.0.15 dev tap0 proto zebra metric 20 
10.100.253.0/26 via 10.9.0.24 dev tap0 proto zebra metric 20 10.100.254.0/26 via 10.9.0.3 dev tap0 proto zebra metric 20 10.100.254.64/26 via 10.9.0.6 dev tap0 proto zebra metric 20 10.100.254.128/26 via 10.9.0.4 dev tap0 proto zebra metric 20 10.101.3.0/27 via 10.9.0.16 dev tap0 proto zebra metric 20 10.101.3.32/27 via 10.9.0.16 dev tap0 proto zebra metric 20 10.101.4.0/27 via 10.9.0.21 dev tap0 proto zebra metric 20 10.101.4.32/27 via 10.9.0.21 dev tap0 proto zebra metric 20 10.101.5.128/27 via 10.9.0.34 dev tap0 proto zebra metric 20 10.101.5.160/27 via 10.9.0.34 dev tap0 proto zebra metric 20 10.101.6.0/27 via 10.9.0.17 dev tap0 proto zebra metric 20 10.101.6.32/27 via 10.9.0.17 dev tap0 proto zebra metric 20 10.101.7.0/26 via 10.9.0.22 dev tap0 proto zebra metric 20 10.101.8.0/27 via 10.9.0.20 dev tap0 proto zebra metric 20 10.101.8.32/27 via 10.9.0.20 dev tap0 proto zebra metric 20 10.101.243.0/27 via 10.9.0.19 dev tap0 proto zebra metric 20 10.101.243.32/27 via 10.9.0.19 dev tap0 proto zebra metric 20 10.101.243.192/26 via 10.9.0.32 dev tap0 proto zebra metric 20 10.101.244.0/27 via 10.9.0.26 dev tap0 proto zebra metric 20 10.101.244.32/27 via 10.9.0.26 dev tap0 proto zebra metric 20 10.101.245.0/27 via 10.9.0.8 dev tap0 proto zebra metric 20 10.101.245.32/27 via 10.9.0.8 dev tap0 proto zebra metric 20 10.101.247.0/27 via 10.9.0.9 dev tap0 proto zebra metric 20 10.101.247.32/27 via 10.9.0.9 dev tap0 proto zebra metric 20 10.101.247.64/27 via 10.9.0.27 dev tap0 proto zebra metric 20 10.101.247.96/27 via 10.9.0.27 dev tap0 proto zebra metric 20 10.101.248.0/27 via 10.9.0.23 dev tap0 proto zebra metric 20 10.101.248.32/27 via 10.9.0.23 dev tap0 proto zebra metric 20 10.101.248.64/27 via 10.9.0.29 dev tap0 proto zebra metric 20 10.101.248.96/27 via 10.9.0.29 dev tap0 proto zebra metric 20 10.101.249.0/27 via 10.9.0.12 dev tap0 proto zebra metric 20 10.101.249.32/27 via 10.9.0.12 dev tap0 proto zebra metric 20 10.101.249.64/27 via 10.9.0.13 dev tap0 proto zebra 
metric 20 10.101.249.96/27 via 10.9.0.13 dev tap0 proto zebra metric 20 10.101.250.0/27 via 10.9.0.7 dev tap0 proto zebra metric 20 10.101.250.32/27 via 10.9.0.7 dev tap0 proto zebra metric 20 10.101.251.0/27 via 10.9.0.11 dev tap0 proto zebra metric 20 10.101.251.32/27 via 10.9.0.11 dev tap0 proto zebra metric 20 10.101.252.0/27 via 10.9.0.14 dev tap0 proto zebra metric 20 10.101.252.32/27 via 10.9.0.14 dev tap0 proto zebra metric 20 10.101.252.64/27 dev vlan1995 proto kernel scope link src 10.101.252.65 10.101.252.96/27 dev vlan1994 proto kernel scope link src 10.101.252.97 10.101.253.0/27 via 10.9.0.24 dev tap0 proto zebra metric 20 10.101.253.32/27 via 10.9.0.24 dev tap0 proto zebra metric 20 10.101.254.0/27 via 10.9.0.3 dev tap0 proto zebra metric 20 10.101.254.32/27 via 10.9.0.3 dev tap0 proto zebra metric 20 10.101.254.64/27 via 10.9.0.6 dev tap0 proto zebra metric 20 10.101.254.96/27 via 10.9.0.6 dev tap0 proto zebra metric 20 10.101.254.128/27 via 10.9.0.4 dev tap0 proto zebra metric 20 10.101.254.160/27 via 10.9.0.4 dev tap0 proto zebra metric 20 10.110.2.0/24 via 10.9.0.2 dev tap0 proto zebra metric 20 10.110.3.0/26 via 10.9.0.16 dev tap0 proto zebra metric 20 10.110.4.0/26 via 10.9.0.21 dev tap0 proto zebra metric 20 10.110.5.128/25 via 10.9.0.34 dev tap0 proto zebra metric 20 10.110.6.0/26 via 10.9.0.17 dev tap0 proto zebra metric 20 10.110.8.0/26 via 10.9.0.20 dev tap0 proto zebra metric 20 10.110.129.0/24 via 10.9.0.1 dev tap0 proto zebra metric 20 10.110.243.0/26 via 10.9.0.19 dev tap0 proto zebra metric 20 10.110.243.192/26 via 10.9.0.32 dev tap0 proto zebra metric 20 10.110.244.0/26 via 10.9.0.26 dev tap0 proto zebra metric 20 10.110.245.0/26 via 10.9.0.8 dev tap0 proto zebra metric 20 10.110.247.0/26 via 10.9.0.9 dev tap0 proto zebra metric 20 10.110.247.64/26 via 10.9.0.27 dev tap0 proto zebra metric 20 10.110.248.0/26 via 10.9.0.23 dev tap0 proto zebra metric 20 10.110.248.64/26 via 10.9.0.29 dev tap0 proto zebra metric 20 10.110.249.0/26 via 
10.9.0.12 dev tap0 proto zebra metric 20 10.110.249.64/26 via 10.9.0.13 dev tap0 proto zebra metric 20 10.110.250.0/26 via 10.9.0.7 dev tap0 proto zebra metric 20 10.110.251.0/26 via 10.9.0.11 dev tap0 proto zebra metric 20 10.110.252.0/26 via 10.9.0.14 dev tap0 proto zebra metric 20 10.110.252.64/26 dev vlan10 proto kernel scope link src 10.110.252.65 10.110.253.0/26 via 10.9.0.24 dev tap0 proto zebra metric 20 10.110.254.0/26 via 10.9.0.3 dev tap0 proto zebra metric 20 10.110.254.64/26 via 10.9.0.6 dev tap0 proto zebra metric 20 10.110.254.128/26 via 10.9.0.4 dev tap0 proto zebra metric 20 79.175.37.12/30 dev vlan999 proto kernel scope link src 79.175.37.14 100.64.0.0/24 via 10.9.0.1 dev tap0 proto zebra metric 20 100.64.1.0/24 via 10.9.0.1 dev tap0 proto zebra metric 20 100.64.11.180/30 via 10.9.0.1 dev tap0 proto zebra metric 20 100.64.12.60/30 via 10.9.0.1 dev tap0 proto zebra metric 20 100.64.12.64/30 via 10.9.0.1 dev tap0 proto zebra metric 20 100.64.12.68/30 via 10.9.0.1 dev tap0 proto zebra metric 20 100.100.100.0/24 via 10.9.0.1 dev tap0 proto zebra metric 20 100.100.101.0/24 via 10.9.0.1 dev tap0 proto zebra metric 20 100.100.102.0/24 via 10.9.0.1 dev tap0 proto zebra metric 20 100.100.103.0/24 via 10.9.0.1 dev tap0 proto zebra metric 20 100.100.104.0/24 via 10.9.0.1 dev tap0 proto zebra metric 20 172.16.14.0/25 dev vlan1999 proto kernel scope link src 172.16.14.1 172.16.14.128/25 dev vlan1998 proto kernel scope link src 172.16.14.129 172.16.15.0/24 dev vlan111 proto kernel scope link src 172.16.15.1 172.16.18.0/24 via 10.9.0.1 dev tap0 proto zebra metric 20 172.16.200.0/24 dev vlan1997 proto kernel scope link src 172.16.200.1 172.16.201.0/26 via 10.9.0.1 dev tap0 proto zebra metric 20 172.16.202.0/26 via 10.9.0.1 dev tap0 proto zebra metric 20 176.197.91.76/30 dev vlan888 proto kernel scope link src 176.197.91.78 192.168.0.128/26 via 10.9.0.30 dev tap0 proto zebra metric 20 192.168.0.192/26 via 10.9.0.5 dev tap0 proto zebra metric 20 192.168.2.0/24 via 
10.9.0.2 dev tap0 proto zebra metric 20 192.168.3.0/26 via 10.9.0.16 dev tap0 proto zebra metric 20 192.168.4.0/26 via 10.9.0.21 dev tap0 proto zebra metric 20 192.168.4.64/26 via 10.9.0.2 dev tap0 proto zebra metric 20 192.168.5.128/25 via 10.9.0.34 dev tap0 proto zebra metric 20 192.168.6.0/26 via 10.9.0.17 dev tap0 proto zebra metric 20 192.168.6.128/26 via 10.9.0.31 dev tap0 proto zebra metric 20 192.168.7.0/26 via 10.9.0.22 dev tap0 proto zebra metric 20 192.168.8.0/26 via 10.9.0.20 dev tap0 proto zebra metric 20 192.168.100.0/24 via 10.9.0.1 dev tap0 proto zebra metric 20 192.168.101.0/24 via 10.9.0.1 dev tap0 proto zebra metric 20 192.168.102.0/24 via 10.9.0.1 dev tap0 proto zebra metric 20 192.168.110.77 via 10.9.0.1 dev tap0 proto zebra metric 20 192.168.110.78 via 10.9.0.1 dev tap0 proto zebra metric 20 192.168.111.121 via 10.9.0.1 dev tap0 proto zebra metric 20 192.168.129.0/27 via 10.9.0.1 dev tap0 proto zebra metric 20 192.168.129.32/27 via 10.9.0.1 dev tap0 proto zebra metric 20 192.168.129.64/27 via 10.9.0.1 dev tap0 proto zebra metric 20 192.168.129.96/27 via 10.9.0.1 dev tap0 proto zebra metric 20 192.168.129.128/27 via 10.9.0.1 dev tap0 proto zebra metric 20 192.168.129.160/27 via 10.9.0.1 dev tap0 proto zebra metric 20 192.168.129.192/27 via 10.9.0.1 dev tap0 proto zebra metric 20 192.168.129.224/27 via 10.9.0.1 dev tap0 proto zebra metric 20 192.168.131.0/26 via 10.9.0.1 dev tap0 proto zebra metric 20 192.168.243.0/26 via 10.9.0.19 dev tap0 proto zebra metric 20 192.168.243.192/26 via 10.9.0.32 dev tap0 proto zebra metric 20 192.168.244.0/26 via 10.9.0.26 dev tap0 proto zebra metric 20 192.168.245.0/26 via 10.9.0.8 dev tap0 proto zebra metric 20 192.168.246.0/26 via 10.9.0.10 dev tap0 proto zebra metric 20 192.168.247.0/26 via 10.9.0.9 dev tap0 proto zebra metric 20 192.168.247.64/26 via 10.9.0.27 dev tap0 proto zebra metric 20 192.168.248.0/26 via 10.9.0.23 dev tap0 proto zebra metric 20 192.168.248.64/26 via 10.9.0.29 dev tap0 proto zebra 
metric 20 192.168.249.0/26 via 10.9.0.12 dev tap0 proto zebra metric 20 192.168.249.64/26 via 10.9.0.13 dev tap0 proto zebra metric 20 192.168.250.0/26 via 10.9.0.7 dev tap0 proto zebra metric 20 192.168.251.0/26 via 10.9.0.11 dev tap0 proto zebra metric 20 192.168.252.0/26 via 10.9.0.14 dev tap0 proto zebra metric 20 192.168.252.64/26 dev vlan2048 proto kernel scope link src 192.168.252.65 192.168.252.192/26 via 10.9.0.15 dev tap0 proto zebra metric 20 192.168.253.0/27 via 10.9.0.24 dev tap0 proto zebra metric 20 192.168.253.32/27 via 10.9.0.24 dev tap0 proto zebra metric 20 192.168.253.128/26 via 10.9.0.25 dev tap0 proto zebra metric 20 192.168.254.0/26 via 10.9.0.3 dev tap0 proto zebra metric 20 192.168.254.64/26 via 10.9.0.6 dev tap0 proto zebra metric 20 192.168.254.128/26 via 10.9.0.4 dev tap0 proto zebra metric 20 193.150.124.1 via 79.175.37.13 dev vlan999 proto zebra 193.150.124.5 via 10.9.0.1 dev tap0 proto zebra metric 20 193.150.124.7 via 10.9.0.1 dev tap0 proto zebra metric 20 193.150.124.10 via 10.9.0.1 dev tap0 proto zebra metric 20 193.150.124.44 via 10.9.0.1 dev tap0 proto zebra metric 20 193.150.124.98 via 10.9.0.1 dev tap0 proto zebra metric 20 193.150.124.99 via 10.9.0.1 dev tap0 proto zebra metric 20 193.150.124.100 via 10.9.0.1 dev tap0 proto zebra metric 20 198.18.2.0/24 via 10.9.0.2 dev tap0 proto zebra metric 20 198.18.3.0/26 via 10.9.0.16 dev tap0 proto zebra metric 20 198.18.4.0/26 via 10.9.0.21 dev tap0 proto zebra metric 20 198.18.5.128/25 via 10.9.0.34 dev tap0 proto zebra metric 20 198.18.6.0/26 via 10.9.0.17 dev tap0 proto zebra metric 20 198.18.7.0/26 via 10.9.0.22 dev tap0 proto zebra metric 20 198.18.8.0/26 via 10.9.0.20 dev tap0 proto zebra metric 20 198.18.129.0/26 via 10.9.0.1 dev tap0 proto zebra metric 20 198.18.192.0/23 via 10.9.0.1 dev tap0 proto zebra metric 20 198.18.243.0/26 via 10.9.0.19 dev tap0 proto zebra metric 20 198.18.243.192/26 via 10.9.0.32 dev tap0 proto zebra metric 20 198.18.244.0/26 via 10.9.0.26 dev tap0 
proto zebra metric 20 198.18.245.0/26 via 10.9.0.8 dev tap0 proto zebra metric 20 198.18.247.0/26 via 10.9.0.9 dev tap0 proto zebra metric 20 198.18.247.64/26 via 10.9.0.27 dev tap0 proto zebra metric 20 198.18.248.0/26 via 10.9.0.23 dev tap0 proto zebra metric 20 198.18.248.64/26 via 10.9.0.29 dev tap0 proto zebra metric 20 198.18.249.0/26 via 10.9.0.12 dev tap0 proto zebra metric 20 198.18.249.64/26 via 10.9.0.13 dev tap0 proto zebra metric 20 198.18.250.0/26 via 10.9.0.7 dev tap0 proto zebra metric 20 198.18.251.0/26 via 10.9.0.11 dev tap0 proto zebra metric 20 198.18.252.0/26 via 10.9.0.14 dev tap0 proto zebra metric 20 198.18.252.64/26 dev vlan666 proto kernel scope link src 198.18.252.65 198.18.252.192/26 via 10.9.0.15 dev tap0 proto zebra metric 20 198.18.253.0/26 via 10.9.0.24 dev tap0 proto zebra metric 20 198.18.254.0/26 via 10.9.0.3 dev tap0 proto zebra metric 20 198.18.254.64/26 via 10.9.0.6 dev tap0 proto zebra metric 20 198.18.254.128/26 via 10.9.0.4 dev tap0 proto zebra metric 20 198.19.2.0/24 via 10.9.0.2 dev tap0 proto zebra metric 20 198.19.3.0/26 via 10.9.0.16 dev tap0 proto zebra metric 20 198.19.4.0/26 via 10.9.0.21 dev tap0 proto zebra metric 20 198.19.5.128/25 via 10.9.0.34 dev tap0 proto zebra metric 20 198.19.6.0/26 via 10.9.0.17 dev tap0 proto zebra metric 20 198.19.7.0/26 via 10.9.0.22 dev tap0 proto zebra metric 20 198.19.8.0/26 via 10.9.0.20 dev tap0 proto zebra metric 20 198.19.129.0/26 via 10.9.0.1 dev tap0 proto zebra metric 20 198.19.243.0/26 via 10.9.0.19 dev tap0 proto zebra metric 20 198.19.243.192/26 via 10.9.0.32 dev tap0 proto zebra metric 20 198.19.244.0/26 via 10.9.0.26 dev tap0 proto zebra metric 20 198.19.245.0/26 via 10.9.0.8 dev tap0 proto zebra metric 20 198.19.247.0/26 via 10.9.0.9 dev tap0 proto zebra metric 20 198.19.247.64/26 via 10.9.0.27 dev tap0 proto zebra metric 20 198.19.248.0/26 via 10.9.0.23 dev tap0 proto zebra metric 20 198.19.248.64/26 via 10.9.0.29 dev tap0 proto zebra metric 20 198.19.249.0/26 via 
10.9.0.12 dev tap0 proto zebra metric 20 198.19.249.64/26 via 10.9.0.13 dev tap0 proto zebra metric 20 198.19.250.0/26 via 10.9.0.7 dev tap0 proto zebra metric 20 198.19.251.0/26 via 10.9.0.11 dev tap0 proto zebra metric 20 198.19.252.0/26 via 10.9.0.14 dev tap0 proto zebra metric 20 198.19.252.64/26 dev vlan1996 proto kernel scope link src 198.19.252.65 198.19.252.192/26 via 10.9.0.15 dev tap0 proto zebra metric 20 198.19.253.0/26 via 10.9.0.24 dev tap0 proto zebra metric 20 198.19.254.0/26 via 10.9.0.3 dev tap0 proto zebra metric 20 198.19.254.64/26 via 10.9.0.6 dev tap0 proto zebra metric 20 198.19.254.128/26 via 10.9.0.4 dev tap0 proto zebra metric 20
ip rules & tables from client:
```
[root@client /]# ip ru sh
0: from all lookup local
32762: from 79.175.37.14 lookup quantum
32763: from all fwmark 0x7cd lookup service
32764: from all fwmark 0x29a lookup wifi
32765: from 176.197.91.78 lookup elite
32766: from all lookup main
32767: from all lookup default
[root@client /]# ip ro sh ta quantum
default via 79.175.37.13 dev vlan999
[root@client /]# ip ro sh ta elite
default via 176.197.91.77 dev vlan888
```
comment:5 Changed 4 years ago by
Resolution: | → notabug |
---|---|
Status: | new → closed |
Way too much output here.
If this can be reproduced, please reduce output to just a few lines showing relevant(!) routing information and a few packets.
Routing info here has nothing about "vlan 301", so it's totally unclear why packets are sent that way - but this is still all outside of OpenVPN.
pcap from router
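One way to reduce a capture and a routing table to the few relevant lines the last comment asks for, as an added example that is not part of the ticket or of OpenVPN: it lists ARP requests whose target the routing table reaches through a gateway, so the kernel would normally ARP for the gateway instead. Assumptions: the routing table below is constructed (only the next hop 81.1.245.17 on vlan1623 is from the ticket), interfaces are named `vlan<tag>`, and only a single table is consulted, with no policy rules or metrics.

```python
import ipaddress
import re

# Constructed table in `ip route show` format. Only the next hop for
# 79.175.37.14 (81.1.245.17 dev vlan1623) is from the ticket; the
# prefixes and the default route are assumptions for this example.
ROUTES = """\
default via 81.1.245.17 dev vlan1623 proto zebra
79.175.37.0/24 via 81.1.245.17 dev vlan1623 proto zebra
81.1.245.16/30 dev vlan1623 proto kernel scope link src 81.1.245.18
193.150.124.0/24 dev vlan301 proto kernel scope link src 193.150.124.1
"""

# The first two lines are from the ticket's capture; the third is constructed.
CAPTURE = """\
12:51:36.727084 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:36.727087 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:36.900000 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 1623, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 81.1.245.17 tell 81.1.245.18, length 28
"""

ROUTE_RE = re.compile(r"^(\S+)(?: via (\S+))? dev (\S+)")
ARP_RE = re.compile(r"(?:vlan (\d+),.*?)?Request who-has ([0-9.]+) tell ([0-9.]+)")


def parse_routes(text):
    """Return [(network, gateway_or_None, dev)] from `ip route show` text."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # e.g. blackhole/unreachable entries, which name no dev
        dest, gw, dev = m.groups()
        cidr = "0.0.0.0/0" if dest == "default" else dest
        routes.append((ipaddress.ip_network(cidr, strict=False), gw, dev))
    return routes


def lookup(routes, ip):
    """Longest-prefix match for `ip` (single table, metrics ignored)."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def off_link_arps(routes, capture):
    """List (seen_on, target, routed_dev, gateway) for ARP requests whose
    target is routed via a gateway rather than being on-link."""
    findings = []
    for line in capture.splitlines():
        m = ARP_RE.search(line)
        if not m:
            continue
        vlan, target, _sender = m.groups()
        # Assumption: the interface for 802.1Q tag N is named vlanN.
        seen_on = f"vlan{vlan}" if vlan else "untagged"
        route = lookup(routes, target)
        if route is None or route[1] is None:
            continue  # no route, or on-link target: a direct ARP is expected
        finding = (seen_on, target, route[2], route[1])
        if finding not in findings:  # the capture repeats every second
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for seen_on, target, dev, gw in off_link_arps(parse_routes(ROUTES), CAPTURE):
        print(f"ARP for {target} seen on {seen_on}; "
              f"routing table says via {gw} dev {dev}")
```

Replacing `ROUTES` and `CAPTURE` with the output of `ip route show` and `tcpdump -e -n arp` from the affected host gives the short list of mismatches; hosts with policy routing need the check repeated per table.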