id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
1425,"netlink routes does not work with ""push route""",dpalumbo,Antonio Quartulli,"Moving to openvpn 2.5, netlink is now used in place of ifconfig/route commands

https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst

> On Linux, if configured without --enable-iproute2, configuring IP
> addresses and adding/removing routes is now done via the netlink(3) kernel interface. This is much faster than calling ifconfig or route and also enables OpenVPN to run with less privileges.

What is happening is that when the interface / routing is created with netlink, this is the routing entry that we see:

`172.17.14.0/24 via 172.17.14.1 dev tun-su`

while with the old route we have:

`172.17.14.0/24 dev tun-su proto kernel scope link src 172.17.14.127`

Because of that (subnet not ""known"" by the kernel) any further command to add a route via push, e.g.

`push ""route 172.17.16.0 255.255.255.0 vpn_gateway 100""`

fails with

{{{
2021-08-27 10:49:45 us=890376 net_route_v4_add: 172.17.16.0/24 via 172.18.14.1 dev [NULL] table 0 metric 100
2021-08-27 10:49:45 us=890389 sitnl_send: rtnl: generic error (-101): Network is unreachable
}}}

This is not necessarily an error in push, because also trying to add the route manually gives this error:

{{{
# route add -net 172.17.16.0/24 gw 172.17.14.1 metric 100
SIOCADDRT: Network is unreachable
#
}}}

To me, it seems that the whole ""push"" mechanism has been compromised, but I've not performed extensive tests.

This bug is also described in https://bbs.archlinux.org/viewtopic.php?id=260625

But the workaround is not working for me. I've replicated the bug in Debian 11.

openvpn server config

{{{
[...]
push ""topology subnet""
ifconfig 172.17.14.1 255.255.255.0
ifconfig-pool 172.17.14.126 172.17.14.252
route 172.17.14.0 255.255.255.0
push ""route 172.17.14.0 255.255.255.0""
push ""route-gateway 172.17.14.1""
push ""route 172.17.16.0 255.255.255.0 vpn_gateway 100""
mode server
topology subnet
tls-server
[...]
}}}

Recompiling the package with --with-iproute2 fixes the issue.",Bug / Defect,assigned,major,release 2.5.5,Generic / unclassified,OpenVPN 2.5.0 (Community Ed),"Not set (select this one, unless your'e a OpenVPN developer)",,netlink route ifconfig Network is unreachable,