Opened 3 years ago

Closed 3 years ago

#888 closed Bug / Defect (fixed-external)

Routes aren't being added on establishing the VPN connection

Reported by: GCRaistlin Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.3.13 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description

ovpn file connects (via 'config routes' command) 'routes' config file. Sometimes it works as expected (log), but more often routes aren't being added on establishing the VPN connection (log). I believe it's because of restarting due timeout:

Tue May 09 13:32:47 2017 Successful ARP Flush on interface [2621453] {6DD66AB8-97C3-425A-AA53-39D5280FEE31}
Tue May 09 13:32:47 2017 [*.opengw.net] Inactivity timeout (--ping-restart), restarting
Tue May 09 13:32:47 2017 SIGUSR1[soft,ping-restart] received, process restarting

Also, I cannot reproduce the issue with 1 route (instead of 56) in 'routes' file.

OpenVPN 2.3.14, Windows Server 2003 R2 SP2.

Change History (10)

comment:1 Changed 3 years ago by Gert Döring

"ping 3" might be
a bit short for windows to get the initialization done - the route setup is sloowwww on windows (especially if you do DNS resolution as well).
Unfortunately, your log file doesn't show which method you're using to install the routes (--ip-win32 <method>) - so maybe there is some improvement possible using ipapi instead of netsh, etc.

comment:2 Changed 3 years ago by tincantech

This is a customer of freeopenvpn.org (who are a vpn service provider) and the user is using --route-nopull and then adding a bunch of routes via FQDN ..

@GCRaistlin you will have to use openvpn-2.4 and --pull-filter to block pushed --ping/--ping-restart values

But even then .. the server side will probably timeout at --ping-restart 20

comment:3 Changed 3 years ago by GCRaistlin

Unfortunately 2.4 doesn't work on Win2k3.
Anyway, OpenVPN seems to just ignore "route" directives on restart due timeout, doesn't it?

comment:4 Changed 3 years ago by selvanair

ping 3, ping-restart 10 is rather tight but you cant do much about it as the server may be using similar numbers. Although route addition by IPAPI (the default method in use as per the config) must be pretty fast, DNS resolution could take a while and that may explain why you get occasional ping timeout.

As this is 2.3 and WinXP, you must be running openvpn as admin. In that case, an option is to move the route addition tasks to a script and run it in background. Extract the route gateway from env and use explicit Windows "route add .." commands. You have to get a bit creative to resolve the domain name and extract the IP to use in the route commands in a bat script.

comment:5 Changed 3 years ago by GCRaistlin

I don't care much about timeouts: it doesn't make a big difference if the connection will be established from the first try or from the tenth one. The problem is that OpenVPN considers the second try successful even if routes weren't added.

Last edited 3 years ago by GCRaistlin (previous) (diff)

comment:6 Changed 3 years ago by selvanair

In that case --remap-usr1 SIGHUP may work as a quick fix.

comment:7 Changed 3 years ago by GCRaistlin

Unfortunately it doesn't seem to help.

comment:8 Changed 3 years ago by selvanair

Need to see logs during restart with SIGUSR1 mapped to SIGHUP.

If the issue is ping-restart triggering before route commands are completed, then the signal remap should "fix" it -- though its not the ideal solution.

comment:9 Changed 3 years ago by GCRaistlin

To be precise, as a rule it works - it was just one time the VPN connection was established without routes added. It indeed seems to be a fix. Thanks!

comment:10 Changed 3 years ago by Gert Döring

Resolution: fixed-external
Status: newclosed

so, closing this one as there is not much more we can do to help - and the workaround syzzer provided seems to have helped :-)

Note: See TracTickets for help on using tickets.