Opened 19 months ago

Closed 8 months ago

#1148 closed Bug / Defect (notabug)

OpenVPN Server: BGP Router: wrong ARP lookups

Reported by: Konstantin Shalygin
Owned by:
Priority: major
Milestone:
Component: Networking
Version:
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: bgp arp
Cc:

Description

Router: Dell R330
Kernel: Linux gate 4.11.12-1.el7.centos.x86_64 #1 SMP PREEMPT Fri Feb 16 23:01:02 +07 2018 x86_64 x86_64 x86_64 GNU/Linux
Routing daemon: Quagga 0.99.22.4
OpenVPN:

OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

The problem: the OpenVPN server can't send an answer to the client because it tries to send packets to the wrong interface.

Client:

OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 16 2018
library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
[root@client /]# ip ro get 193.150.124.1
193.150.124.1 via 79.175.37.13 dev vlan999  src 79.175.37.14 
    cache 
[root@client /]# mtr -nzerc 5 193.150.124.1
Start: Wed Dec 12 13:13:56 2018
HOST: *** Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. AS12418 79.175.37.13          0.0%     5    2.0   1.8   1.0   2.9   0.0
  2. AS8359  212.188.22.225        0.0%     5   10.6  11.7  10.6  13.2   1.0
  3. AS8359  212.188.23.94         0.0%     5    9.5   9.7   9.5   9.9   0.0
  4. AS12389 213.228.109.59        0.0%     5   10.1  10.4   9.7  11.9   0.7
  5. AS198181193.150.124.1         0.0%     5    8.8   8.9   8.4  10.1   0.0

The incoming connection to the router comes from the vlan301 interface, and sending ARPs to this interface is useless, because we already know how to communicate with 79.175.37.14:

[root@gate k0ste]# ip ro get 79.175.37.14
79.175.37.14 via 81.1.245.17 dev vlan1623 src 81.1.245.18 uid 0 
    cache 

Tcpdump:

12:51:36.727084 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:36.727087 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:37.741225 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:37.741227 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:38.754559 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:38.754561 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:42.137844 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:42.137847 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:43.154562 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:43.154565 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:44.167889 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:44.167890 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:50.393027 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:50.393030 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:51.394555 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:51.394557 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:52.411222 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:52.411223 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:06.407934 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:06.407937 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:07.421220 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:07.421222 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:08.434566 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:08.434568 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28

Server configuration is:

port 1196
proto udp
dev tap2
server 10.10.0.0 255.255.255.0
dh /etc/openvpn/server/tls/dhparam.pem
ca /etc/openvpn/server/tls/rootCA.crt
cert /etc/openvpn/server/tls/<***>.crt
key /etc/openvpn/server/tls/<***>.key
tls-auth /etc/openvpn/server/tls/ta.key 0
crl-verify /etc/openvpn/server/tls/<***>.pem
user nobody
group nobody
verify-client-cert require
multihome
persist-key
persist-tun
keepalive 10 60
max-clients 250
reneg-sec 86400
replay-window 64
client-to-client
comp-lzo adaptive
verb 4
mute 10
mute-replay-warnings
status /var/lib/openvpn/status1196.log
push "persist-key"
push "persist-tun"
push "comp-lzo adaptive"
tls-server
tls-version-min 1.2
client-config-dir /etc/openvpn/server/openvpn1196
ccd-exclusive

Attachments (2)

openvpn.pcap (26.8 KB) - added by Konstantin Shalygin 19 months ago.
pcap from router
Selection_001.png (203.5 KB) - added by Konstantin Shalygin 19 months ago.
ARP


Change History (7)

Changed 19 months ago by Konstantin Shalygin

Attachment: openvpn.pcap added

pcap from router

Changed 19 months ago by Konstantin Shalygin

Attachment: Selection_001.png added

ARP

comment:1 Changed 19 months ago by Konstantin Shalygin

ARP

gate# sh ip bgp 79.175.37.14/24
BGP routing table entry for 79.175.37.0/24
Paths: (5 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  21127 12418
    81.1.245.17 from 81.1.245.17 (10.7.54.252)
      Origin IGP, localpref 100, valid, external, best
      Community: 21127:12930
      Last update: Tue Dec 11 04:49:41 2018

  9049 20485 21127 12418
    188.234.157.13 from 188.234.157.13 (188.234.152.239)
      Origin IGP, localpref 100, valid, external
      Last update: Tue Dec 11 02:46:26 2018

  12389 8359 12418 12418
    95.156.85.193 from 95.156.85.193 (213.228.116.25)
      Origin IGP, localpref 100, valid, external
      Community: 8359:5500 8359:55654 12389:8
      Last update: Sat Dec  8 02:19:54 2018

  50166 21127 12418
    195.211.7.125 from 195.211.7.125 (195.211.7.2)
      Origin IGP, localpref 100, valid, external
      Last update: Tue Dec 11 04:50:10 2018

  25549 20485 21127 12418
    212.17.15.169 from 212.17.15.169 (195.49.169.1)
      Origin IGP, localpref 100, valid, external
      Community: 20485:10022
      Last update: Wed Dec 12 08:11:40 2018
gate# sh ip route 79.175.37.14                                                                                                                       
Routing entry for 79.175.37.14/32
  Known via "kernel", distance 0, metric 0, best
  * 81.1.245.17, via vlan1623

comment:2 Changed 19 months ago by Gert Döring

While this is an interesting problem, it's totally outside of OpenVPN - in tap mode, OpenVPN does not care about IP addresses or routing and only bothers with Ethernet packets.

So if the client sends an ARP to the TAP interface, it does so because it has configured a route pointing to the tap interface - this might be due to a client config that installs a "route", or due to external scripts. Hard to say without a client log and an "ip route show" output from the client.

comment:3 Changed 19 months ago by Konstantin Shalygin

Log from client:

Dec 12 14:46:30 <***> systemd[1]: Stopped OpenVPN tunnel for tap1.
Dec 12 14:46:30 <***> systemd[1]: Starting OpenVPN tunnel for tap1...
Dec 12 14:46:30 <***> openvpn[20032]: Current Parameter Settings:
Dec 12 14:46:30 <***> openvpn[20032]:   config = 'tap1.conf'
Dec 12 14:46:30 <***> openvpn[20032]:   mode = 0
Dec 12 14:46:30 <***> openvpn[20032]:   persist_config = DISABLED
Dec 12 14:46:30 <***> openvpn[20032]:   persist_mode = 1
Dec 12 14:46:30 <***> openvpn[20032]: NOTE: --mute triggered...
Dec 12 14:46:30 <***> openvpn[20032]: 276 variation(s) on previous 5 message(s) suppressed by --mute
Dec 12 14:46:30 <***> openvpn[20032]: OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 16 2018
Dec 12 14:46:30 <***> openvpn[20032]: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09
Dec 12 14:46:30 <***> systemd[1]: Started OpenVPN tunnel for tap1.
Dec 12 14:46:30 <***> openvpn[20032]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Dec 12 14:46:30 <***> openvpn[20032]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 12 14:46:30 <***> openvpn[20032]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 12 14:46:30 <***> openvpn[20032]: LZO compression initializing
Dec 12 14:46:30 <***> openvpn[20032]: Control Channel MTU parms [ L:1654 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Dec 12 14:46:30 <***> openvpn[20032]: Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
Dec 12 14:46:30 <***> openvpn[20032]: Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Dec 12 14:46:30 <***> openvpn[20032]: Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Dec 12 14:46:30 <***> openvpn[20032]: TCP/UDP: Preserving recently used remote address: [AF_INET]193.150.124.1:1196
Dec 12 14:46:30 <***> openvpn[20032]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Dec 12 14:46:30 <***> openvpn[20032]: UDP link local: (not bound)
Dec 12 14:46:30 <***> openvpn[20032]: UDP link remote: [AF_INET]193.150.124.1:1196
Dec 12 14:46:30 <***> openvpn[20032]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay

"ip route show" from client:

default via 176.197.91.77 dev vlan888  proto zebra 
5.128.91.23 via 176.197.91.77 dev vlan888  proto zebra 
10.8.0.0/24 via 10.9.0.1 dev tap0  proto zebra  metric 20 
10.9.0.0/24 dev tap0  proto kernel  scope link  src 10.9.0.33 
10.11.0.0/24 via 10.9.0.1 dev tap0  proto zebra  metric 20 
10.100.2.0/26 via 10.9.0.2 dev tap0  proto zebra  metric 20 
10.100.3.0/26 via 10.9.0.16 dev tap0  proto zebra  metric 20 
10.100.4.0/26 via 10.9.0.21 dev tap0  proto zebra  metric 20 
10.100.5.128/25 via 10.9.0.34 dev tap0  proto zebra  metric 20 
10.100.6.0/26 via 10.9.0.17 dev tap0  proto zebra  metric 20 
10.100.7.0/26 via 10.9.0.22 dev tap0  proto zebra  metric 20 
10.100.8.0/26 via 10.9.0.20 dev tap0  proto zebra  metric 20 
10.100.129.0/26 via 10.9.0.1 dev tap0  proto zebra  metric 20 
10.100.129.64/26 via 10.9.0.1 dev tap0  proto zebra  metric 20 
10.100.129.128/26 via 10.9.0.1 dev tap0  proto zebra  metric 20 
10.100.129.192/26 via 10.9.0.1 dev tap0  proto zebra  metric 20 
10.100.130.0/24 via 10.9.0.1 dev tap0  proto zebra  metric 20 
10.100.131.0/26 via 10.9.0.1 dev tap0  proto zebra  metric 20 
10.100.243.0/26 via 10.9.0.19 dev tap0  proto zebra  metric 20 
10.100.243.192/26 via 10.9.0.32 dev tap0  proto zebra  metric 20 
10.100.244.0/26 via 10.9.0.26 dev tap0  proto zebra  metric 20 
10.100.245.0/26 via 10.9.0.8 dev tap0  proto zebra  metric 20 
10.100.247.0/26 via 10.9.0.9 dev tap0  proto zebra  metric 20 
10.100.247.64/26 via 10.9.0.27 dev tap0  proto zebra  metric 20 
10.100.248.0/26 via 10.9.0.23 dev tap0  proto zebra  metric 20 
10.100.248.64/26 via 10.9.0.29 dev tap0  proto zebra  metric 20 
10.100.249.0/26 via 10.9.0.12 dev tap0  proto zebra  metric 20 
10.100.249.64/26 via 10.9.0.13 dev tap0  proto zebra  metric 20 
10.100.250.0/26 via 10.9.0.7 dev tap0  proto zebra  metric 20 
10.100.251.0/26 via 10.9.0.11 dev tap0  proto zebra  metric 20 
10.100.252.0/26 via 10.9.0.14 dev tap0  proto zebra  metric 20 
10.100.252.64/26 dev vlan777  proto kernel  scope link  src 10.100.252.126 
10.100.252.192/26 via 10.9.0.15 dev tap0  proto zebra  metric 20 
10.100.253.0/26 via 10.9.0.24 dev tap0  proto zebra  metric 20 
10.100.254.0/26 via 10.9.0.3 dev tap0  proto zebra  metric 20 
10.100.254.64/26 via 10.9.0.6 dev tap0  proto zebra  metric 20 
10.100.254.128/26 via 10.9.0.4 dev tap0  proto zebra  metric 20 
10.101.3.0/27 via 10.9.0.16 dev tap0  proto zebra  metric 20 
10.101.3.32/27 via 10.9.0.16 dev tap0  proto zebra  metric 20 
10.101.4.0/27 via 10.9.0.21 dev tap0  proto zebra  metric 20 
10.101.4.32/27 via 10.9.0.21 dev tap0  proto zebra  metric 20 
10.101.5.128/27 via 10.9.0.34 dev tap0  proto zebra  metric 20 
10.101.5.160/27 via 10.9.0.34 dev tap0  proto zebra  metric 20 
10.101.6.0/27 via 10.9.0.17 dev tap0  proto zebra  metric 20 
10.101.6.32/27 via 10.9.0.17 dev tap0  proto zebra  metric 20 
10.101.7.0/26 via 10.9.0.22 dev tap0  proto zebra  metric 20 
10.101.8.0/27 via 10.9.0.20 dev tap0  proto zebra  metric 20 
10.101.8.32/27 via 10.9.0.20 dev tap0  proto zebra  metric 20 
10.101.243.0/27 via 10.9.0.19 dev tap0  proto zebra  metric 20 
10.101.243.32/27 via 10.9.0.19 dev tap0  proto zebra  metric 20 
10.101.243.192/26 via 10.9.0.32 dev tap0  proto zebra  metric 20 
10.101.244.0/27 via 10.9.0.26 dev tap0  proto zebra  metric 20 
10.101.244.32/27 via 10.9.0.26 dev tap0  proto zebra  metric 20 
10.101.245.0/27 via 10.9.0.8 dev tap0  proto zebra  metric 20 
10.101.245.32/27 via 10.9.0.8 dev tap0  proto zebra  metric 20 
10.101.247.0/27 via 10.9.0.9 dev tap0  proto zebra  metric 20 
10.101.247.32/27 via 10.9.0.9 dev tap0  proto zebra  metric 20 
10.101.247.64/27 via 10.9.0.27 dev tap0  proto zebra  metric 20 
10.101.247.96/27 via 10.9.0.27 dev tap0  proto zebra  metric 20 
10.101.248.0/27 via 10.9.0.23 dev tap0  proto zebra  metric 20 
10.101.248.32/27 via 10.9.0.23 dev tap0  proto zebra  metric 20 
10.101.248.64/27 via 10.9.0.29 dev tap0  proto zebra  metric 20 
10.101.248.96/27 via 10.9.0.29 dev tap0  proto zebra  metric 20 
10.101.249.0/27 via 10.9.0.12 dev tap0  proto zebra  metric 20 
10.101.249.32/27 via 10.9.0.12 dev tap0  proto zebra  metric 20 
10.101.249.64/27 via 10.9.0.13 dev tap0  proto zebra  metric 20 
10.101.249.96/27 via 10.9.0.13 dev tap0  proto zebra  metric 20 
10.101.250.0/27 via 10.9.0.7 dev tap0  proto zebra  metric 20 
10.101.250.32/27 via 10.9.0.7 dev tap0  proto zebra  metric 20 
10.101.251.0/27 via 10.9.0.11 dev tap0  proto zebra  metric 20 
10.101.251.32/27 via 10.9.0.11 dev tap0  proto zebra  metric 20 
10.101.252.0/27 via 10.9.0.14 dev tap0  proto zebra  metric 20 
10.101.252.32/27 via 10.9.0.14 dev tap0  proto zebra  metric 20 
10.101.252.64/27 dev vlan1995  proto kernel  scope link  src 10.101.252.65 
10.101.252.96/27 dev vlan1994  proto kernel  scope link  src 10.101.252.97 
10.101.253.0/27 via 10.9.0.24 dev tap0  proto zebra  metric 20 
10.101.253.32/27 via 10.9.0.24 dev tap0  proto zebra  metric 20 
10.101.254.0/27 via 10.9.0.3 dev tap0  proto zebra  metric 20 
10.101.254.32/27 via 10.9.0.3 dev tap0  proto zebra  metric 20 
10.101.254.64/27 via 10.9.0.6 dev tap0  proto zebra  metric 20 
10.101.254.96/27 via 10.9.0.6 dev tap0  proto zebra  metric 20 
10.101.254.128/27 via 10.9.0.4 dev tap0  proto zebra  metric 20 
10.101.254.160/27 via 10.9.0.4 dev tap0  proto zebra  metric 20 
10.110.2.0/24 via 10.9.0.2 dev tap0  proto zebra  metric 20 
10.110.3.0/26 via 10.9.0.16 dev tap0  proto zebra  metric 20 
10.110.4.0/26 via 10.9.0.21 dev tap0  proto zebra  metric 20 
10.110.5.128/25 via 10.9.0.34 dev tap0  proto zebra  metric 20 
10.110.6.0/26 via 10.9.0.17 dev tap0  proto zebra  metric 20 
10.110.8.0/26 via 10.9.0.20 dev tap0  proto zebra  metric 20 
10.110.129.0/24 via 10.9.0.1 dev tap0  proto zebra  metric 20 
10.110.243.0/26 via 10.9.0.19 dev tap0  proto zebra  metric 20 
10.110.243.192/26 via 10.9.0.32 dev tap0  proto zebra  metric 20 
10.110.244.0/26 via 10.9.0.26 dev tap0  proto zebra  metric 20 
10.110.245.0/26 via 10.9.0.8 dev tap0  proto zebra  metric 20 
10.110.247.0/26 via 10.9.0.9 dev tap0  proto zebra  metric 20 
10.110.247.64/26 via 10.9.0.27 dev tap0  proto zebra  metric 20 
10.110.248.0/26 via 10.9.0.23 dev tap0  proto zebra  metric 20 
10.110.248.64/26 via 10.9.0.29 dev tap0  proto zebra  metric 20 
10.110.249.0/26 via 10.9.0.12 dev tap0  proto zebra  metric 20 
10.110.249.64/26 via 10.9.0.13 dev tap0  proto zebra  metric 20 
10.110.250.0/26 via 10.9.0.7 dev tap0  proto zebra  metric 20 
10.110.251.0/26 via 10.9.0.11 dev tap0  proto zebra  metric 20 
10.110.252.0/26 via 10.9.0.14 dev tap0  proto zebra  metric 20 
10.110.252.64/26 dev vlan10  proto kernel  scope link  src 10.110.252.65 
10.110.253.0/26 via 10.9.0.24 dev tap0  proto zebra  metric 20 
10.110.254.0/26 via 10.9.0.3 dev tap0  proto zebra  metric 20 
10.110.254.64/26 via 10.9.0.6 dev tap0  proto zebra  metric 20 
10.110.254.128/26 via 10.9.0.4 dev tap0  proto zebra  metric 20 
79.175.37.12/30 dev vlan999  proto kernel  scope link  src 79.175.37.14 
100.64.0.0/24 via 10.9.0.1 dev tap0  proto zebra  metric 20 
100.64.1.0/24 via 10.9.0.1 dev tap0  proto zebra  metric 20 
100.64.11.180/30 via 10.9.0.1 dev tap0  proto zebra  metric 20 
100.64.12.60/30 via 10.9.0.1 dev tap0  proto zebra  metric 20 
100.64.12.64/30 via 10.9.0.1 dev tap0  proto zebra  metric 20 
100.64.12.68/30 via 10.9.0.1 dev tap0  proto zebra  metric 20 
100.100.100.0/24 via 10.9.0.1 dev tap0  proto zebra  metric 20 
100.100.101.0/24 via 10.9.0.1 dev tap0  proto zebra  metric 20 
100.100.102.0/24 via 10.9.0.1 dev tap0  proto zebra  metric 20 
100.100.103.0/24 via 10.9.0.1 dev tap0  proto zebra  metric 20 
100.100.104.0/24 via 10.9.0.1 dev tap0  proto zebra  metric 20 
172.16.14.0/25 dev vlan1999  proto kernel  scope link  src 172.16.14.1 
172.16.14.128/25 dev vlan1998  proto kernel  scope link  src 172.16.14.129 
172.16.15.0/24 dev vlan111  proto kernel  scope link  src 172.16.15.1 
172.16.18.0/24 via 10.9.0.1 dev tap0  proto zebra  metric 20 
172.16.200.0/24 dev vlan1997  proto kernel  scope link  src 172.16.200.1 
172.16.201.0/26 via 10.9.0.1 dev tap0  proto zebra  metric 20 
172.16.202.0/26 via 10.9.0.1 dev tap0  proto zebra  metric 20 
176.197.91.76/30 dev vlan888  proto kernel  scope link  src 176.197.91.78 
192.168.0.128/26 via 10.9.0.30 dev tap0  proto zebra  metric 20 
192.168.0.192/26 via 10.9.0.5 dev tap0  proto zebra  metric 20 
192.168.2.0/24 via 10.9.0.2 dev tap0  proto zebra  metric 20 
192.168.3.0/26 via 10.9.0.16 dev tap0  proto zebra  metric 20 
192.168.4.0/26 via 10.9.0.21 dev tap0  proto zebra  metric 20 
192.168.4.64/26 via 10.9.0.2 dev tap0  proto zebra  metric 20 
192.168.5.128/25 via 10.9.0.34 dev tap0  proto zebra  metric 20 
192.168.6.0/26 via 10.9.0.17 dev tap0  proto zebra  metric 20 
192.168.6.128/26 via 10.9.0.31 dev tap0  proto zebra  metric 20 
192.168.7.0/26 via 10.9.0.22 dev tap0  proto zebra  metric 20 
192.168.8.0/26 via 10.9.0.20 dev tap0  proto zebra  metric 20 
192.168.100.0/24 via 10.9.0.1 dev tap0  proto zebra  metric 20 
192.168.101.0/24 via 10.9.0.1 dev tap0  proto zebra  metric 20 
192.168.102.0/24 via 10.9.0.1 dev tap0  proto zebra  metric 20 
192.168.110.77 via 10.9.0.1 dev tap0  proto zebra  metric 20 
192.168.110.78 via 10.9.0.1 dev tap0  proto zebra  metric 20 
192.168.111.121 via 10.9.0.1 dev tap0  proto zebra  metric 20 
192.168.129.0/27 via 10.9.0.1 dev tap0  proto zebra  metric 20 
192.168.129.32/27 via 10.9.0.1 dev tap0  proto zebra  metric 20 
192.168.129.64/27 via 10.9.0.1 dev tap0  proto zebra  metric 20 
192.168.129.96/27 via 10.9.0.1 dev tap0  proto zebra  metric 20 
192.168.129.128/27 via 10.9.0.1 dev tap0  proto zebra  metric 20 
192.168.129.160/27 via 10.9.0.1 dev tap0  proto zebra  metric 20 
192.168.129.192/27 via 10.9.0.1 dev tap0  proto zebra  metric 20 
192.168.129.224/27 via 10.9.0.1 dev tap0  proto zebra  metric 20 
192.168.131.0/26 via 10.9.0.1 dev tap0  proto zebra  metric 20 
192.168.243.0/26 via 10.9.0.19 dev tap0  proto zebra  metric 20 
192.168.243.192/26 via 10.9.0.32 dev tap0  proto zebra  metric 20 
192.168.244.0/26 via 10.9.0.26 dev tap0  proto zebra  metric 20 
192.168.245.0/26 via 10.9.0.8 dev tap0  proto zebra  metric 20 
192.168.246.0/26 via 10.9.0.10 dev tap0  proto zebra  metric 20 
192.168.247.0/26 via 10.9.0.9 dev tap0  proto zebra  metric 20 
192.168.247.64/26 via 10.9.0.27 dev tap0  proto zebra  metric 20 
192.168.248.0/26 via 10.9.0.23 dev tap0  proto zebra  metric 20 
192.168.248.64/26 via 10.9.0.29 dev tap0  proto zebra  metric 20 
192.168.249.0/26 via 10.9.0.12 dev tap0  proto zebra  metric 20 
192.168.249.64/26 via 10.9.0.13 dev tap0  proto zebra  metric 20 
192.168.250.0/26 via 10.9.0.7 dev tap0  proto zebra  metric 20 
192.168.251.0/26 via 10.9.0.11 dev tap0  proto zebra  metric 20 
192.168.252.0/26 via 10.9.0.14 dev tap0  proto zebra  metric 20 
192.168.252.64/26 dev vlan2048  proto kernel  scope link  src 192.168.252.65 
192.168.252.192/26 via 10.9.0.15 dev tap0  proto zebra  metric 20 
192.168.253.0/27 via 10.9.0.24 dev tap0  proto zebra  metric 20 
192.168.253.32/27 via 10.9.0.24 dev tap0  proto zebra  metric 20 
192.168.253.128/26 via 10.9.0.25 dev tap0  proto zebra  metric 20 
192.168.254.0/26 via 10.9.0.3 dev tap0  proto zebra  metric 20 
192.168.254.64/26 via 10.9.0.6 dev tap0  proto zebra  metric 20 
192.168.254.128/26 via 10.9.0.4 dev tap0  proto zebra  metric 20 
193.150.124.1 via 79.175.37.13 dev vlan999  proto zebra 
193.150.124.5 via 10.9.0.1 dev tap0  proto zebra  metric 20 
193.150.124.7 via 10.9.0.1 dev tap0  proto zebra  metric 20 
193.150.124.10 via 10.9.0.1 dev tap0  proto zebra  metric 20 
193.150.124.44 via 10.9.0.1 dev tap0  proto zebra  metric 20 
193.150.124.98 via 10.9.0.1 dev tap0  proto zebra  metric 20 
193.150.124.99 via 10.9.0.1 dev tap0  proto zebra  metric 20 
193.150.124.100 via 10.9.0.1 dev tap0  proto zebra  metric 20 
198.18.2.0/24 via 10.9.0.2 dev tap0  proto zebra  metric 20 
198.18.3.0/26 via 10.9.0.16 dev tap0  proto zebra  metric 20 
198.18.4.0/26 via 10.9.0.21 dev tap0  proto zebra  metric 20 
198.18.5.128/25 via 10.9.0.34 dev tap0  proto zebra  metric 20 
198.18.6.0/26 via 10.9.0.17 dev tap0  proto zebra  metric 20 
198.18.7.0/26 via 10.9.0.22 dev tap0  proto zebra  metric 20 
198.18.8.0/26 via 10.9.0.20 dev tap0  proto zebra  metric 20 
198.18.129.0/26 via 10.9.0.1 dev tap0  proto zebra  metric 20 
198.18.192.0/23 via 10.9.0.1 dev tap0  proto zebra  metric 20 
198.18.243.0/26 via 10.9.0.19 dev tap0  proto zebra  metric 20 
198.18.243.192/26 via 10.9.0.32 dev tap0  proto zebra  metric 20 
198.18.244.0/26 via 10.9.0.26 dev tap0  proto zebra  metric 20 
198.18.245.0/26 via 10.9.0.8 dev tap0  proto zebra  metric 20 
198.18.247.0/26 via 10.9.0.9 dev tap0  proto zebra  metric 20 
198.18.247.64/26 via 10.9.0.27 dev tap0  proto zebra  metric 20 
198.18.248.0/26 via 10.9.0.23 dev tap0  proto zebra  metric 20 
198.18.248.64/26 via 10.9.0.29 dev tap0  proto zebra  metric 20 
198.18.249.0/26 via 10.9.0.12 dev tap0  proto zebra  metric 20 
198.18.249.64/26 via 10.9.0.13 dev tap0  proto zebra  metric 20 
198.18.250.0/26 via 10.9.0.7 dev tap0  proto zebra  metric 20 
198.18.251.0/26 via 10.9.0.11 dev tap0  proto zebra  metric 20 
198.18.252.0/26 via 10.9.0.14 dev tap0  proto zebra  metric 20 
198.18.252.64/26 dev vlan666  proto kernel  scope link  src 198.18.252.65 
198.18.252.192/26 via 10.9.0.15 dev tap0  proto zebra  metric 20 
198.18.253.0/26 via 10.9.0.24 dev tap0  proto zebra  metric 20 
198.18.254.0/26 via 10.9.0.3 dev tap0  proto zebra  metric 20 
198.18.254.64/26 via 10.9.0.6 dev tap0  proto zebra  metric 20 
198.18.254.128/26 via 10.9.0.4 dev tap0  proto zebra  metric 20 
198.19.2.0/24 via 10.9.0.2 dev tap0  proto zebra  metric 20 
198.19.3.0/26 via 10.9.0.16 dev tap0  proto zebra  metric 20 
198.19.4.0/26 via 10.9.0.21 dev tap0  proto zebra  metric 20 
198.19.5.128/25 via 10.9.0.34 dev tap0  proto zebra  metric 20 
198.19.6.0/26 via 10.9.0.17 dev tap0  proto zebra  metric 20 
198.19.7.0/26 via 10.9.0.22 dev tap0  proto zebra  metric 20 
198.19.8.0/26 via 10.9.0.20 dev tap0  proto zebra  metric 20 
198.19.129.0/26 via 10.9.0.1 dev tap0  proto zebra  metric 20 
198.19.243.0/26 via 10.9.0.19 dev tap0  proto zebra  metric 20 
198.19.243.192/26 via 10.9.0.32 dev tap0  proto zebra  metric 20 
198.19.244.0/26 via 10.9.0.26 dev tap0  proto zebra  metric 20 
198.19.245.0/26 via 10.9.0.8 dev tap0  proto zebra  metric 20 
198.19.247.0/26 via 10.9.0.9 dev tap0  proto zebra  metric 20 
198.19.247.64/26 via 10.9.0.27 dev tap0  proto zebra  metric 20 
198.19.248.0/26 via 10.9.0.23 dev tap0  proto zebra  metric 20 
198.19.248.64/26 via 10.9.0.29 dev tap0  proto zebra  metric 20 
198.19.249.0/26 via 10.9.0.12 dev tap0  proto zebra  metric 20 
198.19.249.64/26 via 10.9.0.13 dev tap0  proto zebra  metric 20 
198.19.250.0/26 via 10.9.0.7 dev tap0  proto zebra  metric 20 
198.19.251.0/26 via 10.9.0.11 dev tap0  proto zebra  metric 20 
198.19.252.0/26 via 10.9.0.14 dev tap0  proto zebra  metric 20 
198.19.252.64/26 dev vlan1996  proto kernel  scope link  src 198.19.252.65 
198.19.252.192/26 via 10.9.0.15 dev tap0  proto zebra  metric 20 
198.19.253.0/26 via 10.9.0.24 dev tap0  proto zebra  metric 20 
198.19.254.0/26 via 10.9.0.3 dev tap0  proto zebra  metric 20 
198.19.254.64/26 via 10.9.0.6 dev tap0  proto zebra  metric 20 
198.19.254.128/26 via 10.9.0.4 dev tap0  proto zebra  metric 20 

ip rules & tables from client:

[root@client /]# ip ru sh
0:      from all lookup local 
32762:  from 79.175.37.14 lookup quantum 
32763:  from all fwmark 0x7cd lookup service 
32764:  from all fwmark 0x29a lookup wifi 
32765:  from 176.197.91.78 lookup elite 
32766:  from all lookup main 
32767:  from all lookup default 
[root@client /]# ip ro sh ta quantum
default via 79.175.37.13 dev vlan999 
[root@client /]# ip ro sh ta elite
default via 176.197.91.77 dev vlan888 

comment:4 Changed 17 months ago by tincantech

cc

comment:5 Changed 8 months ago by Gert Döring

Resolution: notabug
Status: new → closed

Way too much output here.

If this can be reproduced, please reduce output to just a few lines showing relevant(!) routing information and a few packets.

Routing info here has nothing about "vlan 301", so it's totally unclear why packets are sent that way - but this is still all outside of OpenVPN.
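One way to reduce a capture like the one in this ticket to the few relevant lines requested above, as an added example (not part of the ticket and not OpenVPN code): it collapses repeated ARP requests and compares each group with the `ip route get` result for the same target. The sample input is copied from the description; the function names and the assumption that VLAN sub-interfaces are named `vlan<ID>` belong to this example.

```python
import re

# First three request pairs from the ticket's tcpdump output on the router.
CAPTURE = """\
12:51:36.727084 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:36.727087 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:37.741225 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:37.741227 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:38.754559 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:38.754561 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
"""

# `ip ro get 79.175.37.14` on the router, as posted in the ticket.
ROUTE_GET = """\
79.175.37.14 via 81.1.245.17 dev vlan1623 src 81.1.245.18 uid 0
    cache
"""

ARP_REQ = re.compile(r"Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)")
VLAN_TAG = re.compile(r"\bvlan (\d+),")


def parse_route_get(text):
    """Turn the first line of `ip route get` output into a dict (dst, via, dev, src, ...)."""
    tokens = text.strip().splitlines()[0].split()
    route = {"dst": tokens[0]}
    route.update(zip(tokens[1::2], tokens[2::2]))
    return route


def summarize_arp(capture):
    """Collapse repeated ARP requests into one entry per (target, sender, VLAN tag)."""
    groups = {}
    for line in capture.splitlines():
        req = ARP_REQ.search(line)
        if not req:
            continue
        ts = line.split()[0]
        tag = VLAN_TAG.search(line)
        key = (req["target"], req["sender"], int(tag.group(1)) if tag else None)
        entry = groups.setdefault(key, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["last"] = ts
    return groups


def check_arp_against_route(capture, route_text):
    """Report ARP request groups for the routed target and why each looks inconsistent."""
    route = parse_route_get(route_text)
    # Assumption: VLAN sub-interfaces are named vlan<ID>, as they are in the ticket.
    dev_vlan = re.fullmatch(r"vlan(\d+)", route.get("dev", ""))
    findings = []
    for (target, sender, vlan), entry in summarize_arp(capture).items():
        if target != route["dst"]:
            continue
        reasons = []
        if "via" in route:
            # A destination behind a gateway is normally resolved by ARPing the gateway.
            reasons.append(f"{target} is routed via {route['via']}, "
                           "yet ARP asks for the destination itself")
        if vlan is not None and dev_vlan and int(dev_vlan.group(1)) != vlan:
            reasons.append(f"request tagged vlan {vlan}, route egress is {route['dev']}")
        findings.append({"target": target, "sender": sender, "vlan": vlan,
                         **entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_arp_against_route(CAPTURE, ROUTE_GET):
        tag = f"vlan {f['vlan']}" if f["vlan"] is not None else "untagged"
        print(f"who-has {f['target']} tell {f['sender']} ({tag}): "
              f"{f['count']} requests, {f['first']} to {f['last']}")
        for reason in f["reasons"]:
            print(f"  - {reason}")
```
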
