Opened 4 years ago

Closed 3 years ago

#579 closed Bug / Defect (notabug)

issue with routing on windows client

Reported by: alexs_yb Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.3.8 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description

Hi

Posed the question on the foroms
https://forums.openvpn.net/topic18973.html

basically I have my servers setup to dish up 10.32.23.128/25 with the server being on 10.32.23.129

but my routing table on my windows box looks like this

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.11.1   192.168.11.204     10
          0.0.0.0        128.0.0.0       10.32.23.1     10.32.23.158     20
          0.0.0.0        128.0.0.0     10.32.23.129     10.32.23.158     20

        128.0.0.0        128.0.0.0       10.32.23.1     10.32.23.158     20
        128.0.0.0        128.0.0.0     10.32.23.129     10.32.23.158     20

Logs from the windows client

Sat Jul 11 22:06:41 2015 [vpn.y.com] Peer Connection Initiated with [AF_INET]22.4.3.21:2443
Sat Jul 11 22:06:43 2015 SENT CONTROL [vpn.y.com]: 'PUSH_REQUEST' (status=1)
Sat Jul 11 22:06:43 2015 PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 2002:ca4a:2000:2017:c000::101c/66 2002:ca4a:2000:2017:c000::1,sndbuf 393216,rcvbuf 393216,route-ipv6 2001::/16,route-ipv6 2002::/16,route-ipv6 0::/1,route-ipv6 8000::/1,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.32.20.100,dhcp-option DNS 10.32.20.102,dhcp-option DNS 10.32.69.11,comp-lzo yes,tun-ipv6,route-gateway 10.32.23.129,topology subnet,ping 5,ping-restart 15,ifconfig 10.32.23.158 255.255.255.128'
Sat Jul 11 22:06:43 2015 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jul 11 22:06:43 2015 OPTIONS IMPORT: LZO parms modified
Sat Jul 11 22:06:43 2015 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Sat Jul 11 22:06:43 2015 Socket Buffers: R=[65536->393216] S=[65536->393216]
Sat Jul 11 22:06:43 2015 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jul 11 22:06:43 2015 OPTIONS IMPORT: route options modified
Sat Jul 11 22:06:43 2015 OPTIONS IMPORT: route-related options modified
Sat Jul 11 22:06:43 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jul 11 22:06:43 2015 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
Sat Jul 11 22:06:44 2015 NETSH: C:\Windows\system32\netsh.exe interface ipv6 set address Ethernet 4 2002:ca4a:2000:2017:c000::101c store=active
Sat Jul 11 22:06:45 2015 add_route_ipv6(2002:ca4a:2000:2017:c000::/66 -> 2002:ca4a:2000:2017:c000::101c metric 0) dev Ethernet 4
Sat Jul 11 22:06:45 2015 C:\Windows\system32\netsh.exe interface ipv6 add route 2002:ca4a:2000:2017:c000::/66 Ethernet 4 fe80::8 store=active
Sat Jul 11 22:06:45 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Jul 11 22:06:45 2015 ERROR: Windows route add ipv6 command failed: returned error code 1
Sat Jul 11 22:06:45 2015 open_tun, tt->ipv6=1
Sat Jul 11 22:06:45 2015 TAP-WIN32 device [Ethernet 4] opened: \\.\Global\{05861746-0878-407F-A9B3-E442997FE712}.tap
Sat Jul 11 22:06:45 2015 TAP-Windows Driver Version 9.21 
Sat Jul 11 22:06:45 2015 Set TAP-Windows TUN subnet mode network/local/netmask = 10.32.23.128/10.32.23.158/255.255.255.128 [SUCCEEDED]
Sat Jul 11 22:06:45 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.32.23.158/255.255.255.128 on interface {05861746-0878-407F-A9B3-E442997FE712} [DHCP-serv: 10.32.23.254, lease-time: 31536000]
Sat Jul 11 22:06:45 2015 Successful ARP Flush on interface [18] {05861746-0878-407F-A9B3-E442997FE712}
Sat Jul 11 22:06:50 2015 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Sat Jul 11 22:06:50 2015 C:\Windows\system32\route.exe ADD 202.74.32.201 MASK 255.255.255.255 192.168.11.1
Sat Jul 11 22:06:50 2015 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=26]
Sat Jul 11 22:06:50 2015 Route addition via IPAPI failed [adaptive]
Sat Jul 11 22:06:50 2015 Route addition fallback to route.exe
Sat Jul 11 22:06:50 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Jul 11 22:06:50 2015 C:\Windows\system32\route.exe ADD 192.168.11.5 MASK 255.255.255.255 192.168.11.1 IF 26
Sat Jul 11 22:06:50 2015 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=26]
Sat Jul 11 22:06:50 2015 Route addition via IPAPI failed [adaptive]
Sat Jul 11 22:06:50 2015 Route addition fallback to route.exe
Sat Jul 11 22:06:50 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Jul 11 22:06:50 2015 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.32.23.129
Sat Jul 11 22:06:50 2015 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=18]
Sat Jul 11 22:06:50 2015 Route addition via IPAPI failed [adaptive]
Sat Jul 11 22:06:50 2015 Route addition fallback to route.exe
Sat Jul 11 22:06:50 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Jul 11 22:06:50 2015 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.32.23.129
Sat Jul 11 22:06:50 2015 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=18]
Sat Jul 11 22:06:50 2015 Route addition via IPAPI failed [adaptive]
Sat Jul 11 22:06:50 2015 Route addition fallback to route.exe
Sat Jul 11 22:06:50 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Jul 11 22:06:50 2015 add_route_ipv6(2001::/16 -> 2002:ca4a:2000:2017:c000::1 metric -1) dev Ethernet 4
Sat Jul 11 22:06:50 2015 C:\Windows\system32\netsh.exe interface ipv6 add route 2001::/16 Ethernet 4 fe80::8 store=active
Sat Jul 11 22:06:50 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Jul 11 22:06:50 2015 ERROR: Windows route add ipv6 command failed: returned error code 1
Sat Jul 11 22:06:50 2015 add_route_ipv6(2002::/16 -> 2002:ca4a:2000:2017:c000::1 metric -1) dev Ethernet 4
Sat Jul 11 22:06:50 2015 C:\Windows\system32\netsh.exe interface ipv6 add route 2002::/16 Ethernet 4 fe80::8 store=active
Sat Jul 11 22:06:50 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Jul 11 22:06:50 2015 ERROR: Windows route add ipv6 command failed: returned error code 1
Sat Jul 11 22:06:50 2015 add_route_ipv6(::/1 -> 2002:ca4a:2000:2017:c000::1 metric -1) dev Ethernet 4
Sat Jul 11 22:06:50 2015 C:\Windows\system32\netsh.exe interface ipv6 add route ::/1 Ethernet 4 fe80::8 store=active
Sat Jul 11 22:06:50 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Jul 11 22:06:50 2015 ERROR: Windows route add ipv6 command failed: returned error code 1
Sat Jul 11 22:06:50 2015 add_route_ipv6(8000::/1 -> 2002:ca4a:2000:2017:c000::1 metric -1) dev Ethernet 4
Sat Jul 11 22:06:50 2015 C:\Windows\system32\netsh.exe interface ipv6 add route 8000::/1 Ethernet 4 fe80::8 store=active
Sat Jul 11 22:06:50 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Jul 11 22:06:50 2015 ERROR: Windows route add ipv6 command failed: returned error code 1
Sat Jul 11 22:06:50 2015 Initialization Sequence Completed

things still work. my other server handles the 10.32.23.1/25 network and presents with the same routing table ... so very strange ...

this maybe a windows 8.1 thing... But when i stop the service (I am using nssm openvpn setup) all the routes disappear.

Change History (3)

comment:1 Changed 4 years ago by Gert Döring

are you running two openvpn sessions in parallel, both using "redirect-gateway def1"?

If yes, don't. This is not a supported configuration - as both will try to install the same routes, and the result is at best undefined.

comment:2 Changed 4 years ago by alexs_yb

Yes and no.

To clarify

I have 2 servers listening, but the client only has 1 openvpn session running at a time.

I just tested by using the telnet command interface into the client.

stop service
start service
it connects to the .201 server via udp which is the .128/25 server
I get both default routes
I telnet into the openvpn service and kill my connection, the client fails over to the .200 server via udp which is the .1/25 server
I only get 1 route (well one of each 0/128 and 128/128)

if i do this again so it fails back to the .129/29 server i again get the 2 def routes ( 2 x 0/128 and 2x 128/128 )

comment:3 Changed 3 years ago by Gert Döring

Resolution: notabug
Status: newclosed

The only explanation for the "route print" output you show is two openvpn processes running at the same time (should be easy to verify using resource monitor) - if you use the openvpn service, it will run openvpn processes for *all* .ovpn files it can find, so if you have two configs, you'll get two processes.

From the log file, it's clear that this particular openvpn process wants to install the /128.0.0.0 routes, they are already there - so you get two o fthem. Which can only be explained, as I said, if another process is still around.

More robust would be to just use a single .ovpn file with two "remote" lines in it

remote x.x.x.201
remote x.x.x.200

so it will try both alternatively, not at the same time.

Note: See TracTickets for help on using tickets.