# openVPN client add route error



## marino (Nov 11, 2009)

Right now I'm only interested in setting up a VPN client.  I've done that using openVPN and I'm connecting to the swissvpn.com site.  My local LAN is 192.168.0.x

Here is the complete sequence shown /var/log/messages log:

```
Nov 11 14:27:50 draco openvpn[1786]: OpenVPN 2.1_rc20 amd64-portbld-freebsd7.2 [SSL] [LZO2] built on Nov 11 2009
Nov 11 14:27:50 draco openvpn[1786]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 11 14:27:50 draco openvpn[1786]: Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Nov 11 14:27:50 draco openvpn[1786]: Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Nov 11 14:27:50 draco openvpn[1786]: Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth 
SHA1,keysize 128,key-method 2,tls-client'
Nov 11 14:27:50 draco openvpn[1786]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher 
BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Nov 11 14:27:50 draco openvpn[1786]: Local Options hash (VER=V4): 'db02a8f8'
Nov 11 14:27:50 draco openvpn[1786]: Expected Remote Options hash (VER=V4): '7e068940'
Nov 11 14:27:50 draco openvpn[1787]: Attempting to establish TCP connection with 80.254.79.87:443 [nonblock]
Nov 11 14:27:51 draco openvpn[1787]: TCP connection established with 80.254.79.87:443
Nov 11 14:27:51 draco openvpn[1787]: Socket Buffers: R=[65572->65536] S=[33124->65536]
Nov 11 14:27:51 draco openvpn[1787]: TCPv4_CLIENT link local: [undef]
Nov 11 14:27:51 draco openvpn[1787]: TCPv4_CLIENT link remote: 80.254.79.87:443
Nov 11 14:27:51 draco openvpn[1787]: TLS: Initial packet from 80.254.79.87:443, sid=6403cc73 9e244097
Nov 11 14:27:51 draco openvpn[1787]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 11 14:27:54 draco openvpn[1787]: VERIFY OK: depth=1, /C=CH/ST=ZH/L=Regensdorf/O=Monzoon_Networks_AG/OU=OpenVPN_CA/CN=OpenVPN-
CA/emailAddress=operations@monzoon.net
Nov 11 14:27:54 draco openvpn[1787]: VERIFY OK: nsCertType=SERVER
Nov 11 14:27:54 draco openvpn[1787]: VERIFY OK: depth=0, /C=CH/ST=ZH/O=Monzoon_Networks_AG/OU=OpenVPN_server/CN=server
/emailAddress=operations@monzoon.net
Nov 11 14:27:56 draco openvpn[1787]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 11 14:27:56 draco openvpn[1787]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 11 14:27:56 draco openvpn[1787]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 11 14:27:56 draco openvpn[1787]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 11 14:27:56 draco openvpn[1787]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Nov 11 14:27:56 draco openvpn[1787]: [server] Peer Connection Initiated with 80.254.79.87:443
Nov 11 14:27:59 draco openvpn[1787]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Nov 11 14:27:59 draco openvpn[1787]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 
80.254.79.157,dhcp-option DNS 80.254.77.39,route-gateway 80.254.76.129,topology subnet,ping 10,ping-restart 60,socket-flags 
TCP_NODELAY,ifconfig 80.254.76.210 255.255.255.128'
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: timers and/or timeouts modified
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: --socket-flags option modified
Nov 11 14:27:59 draco openvpn[1787]: NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: route options modified
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: route-related options modified
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Nov 11 14:27:59 draco openvpn[1787]: ROUTE default_gateway=192.168.0.1
Nov 11 14:27:59 draco openvpn[1787]: TUN/TAP device /dev/tun0 opened
Nov 11 14:27:59 draco openvpn[1787]: /sbin/ifconfig tun0 80.254.76.210 netmask 255.255.255.128 mtu 1500 up
Nov 11 14:27:59 draco openvpn[1787]: /sbin/route add -net 80.254.76.128 80.254.76.210 255.255.255.128
Nov 11 14:27:59 draco openvpn[1787]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Nov 11 14:27:59 draco openvpn[1787]: /sbin/route add -net 80.254.79.87 192.168.0.1 255.255.255.255
Nov 11 14:27:59 draco openvpn[1787]: /sbin/route add -net 0.0.0.0 80.254.76.129 128.0.0.0
Nov 11 14:27:59 draco openvpn[1787]: /sbin/route add -net 128.0.0.0 80.254.76.129 128.0.0.0
Nov 11 14:27:59 draco openvpn[1787]: Initialization Sequence Completed
```

note the error "ERROR: FreeBSD route add command failed: external program exited with error status: 1"

Is this line "ROUTE default_gateway=192.168.0.1" coming from the swissVPN openVPN server?  So there's a conflict between it and my local LAN?

I really don't have a good grasp on the concept of routing, so be gentle here.  Knowing that I have no control over the openVPN server, and that I'd prefer to keep using the TUN interface rather than a bridge, is there something that I can add to the client.conf file to make this conflict go away?

Is this error even hurting anything?  the VPN seems to work.


----------



## SirDice (Nov 12, 2009)

It's this line that causes the error:

```
/sbin/route add -net 80.254.76.128 80.254.76.210 255.255.255.128
```
That's because 80.254.76.210 is the IP address on tun0. You need to configure it to use the next hop (most likely 80.254.76.129).


----------



## marino (Nov 12, 2009)

I doubt that I can.  I'm just using a variation of the client.conf file that swissvpn gave me (see below).  Those 80.254.76.* addresses are coming from swissvpn's openVPN server I think.  I could be wrong, I don't really understand this stuff that well.  Could it be a bad configuration on the server side that I just have to live with?


```
dev tun
client
proto tcp-client
remote connect-openvpn.swissvpn.net 443
ca ca.crt
auth-user-pass
reneg-sec 86400
ns-cert-type server
```


----------



## marino (Nov 14, 2009)

so nobody knows if it's a server configuration problem, or if it's something I can fix on the client side?


----------



## DutchDaemon (Nov 14, 2009)

Can you re-number your LAN to a 192.168.1.x network?


----------



## marino (Nov 15, 2009)

I didn't think I could, but looking at the router configuration, apparently this is possible.

However, it might not be desirable.  Most of my machines are given specific IP addresses, numerous configuration files would have to be revised.  It's something I'd really like to avoid.


----------



## ctaranotte (Nov 15, 2009)

could you share with us your ifconfig output?


----------



## marino (Nov 18, 2009)

sure, this is with openvpn active:


```
draco-root# ifconfig -a
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:1d:60:af:29:ce
	inet 192.168.0.25 netmask 0xffffff00 broadcast 192.168.0.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000 
tun0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
	inet 80.254.76.137 netmask 0xffffff80 broadcast 80.254.76.255
	Opened by PID 76112
```


----------



## ctaranotte (Nov 19, 2009)

From your /var/log/messages log:


```
....
Nov 11 14:27:59 draco openvpn[1787]: TUN/TAP device /dev/tun0 opened
Nov 11 14:27:59 draco openvpn[1787]: /sbin/ifconfig tun0 [color="red"]80.254.76.210[/color] netmask 255.255.255.128 mtu 1500 up
Nov 11 14:27:59 draco openvpn[1787]: /sbin/route add -net 80.254.76.128 80.254.76.210 255.255.255.128
Nov 11 14:27:59 draco openvpn[1787]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
.....
```

From your ifconfig output:


```
tun0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
	inet [color="Red"]80.254.76.137[/color] netmask 0xffffff80 broadcast 80.254.76.255
	Opened by PID 76112
```

your final tun0 IP (80.254.76.137) is not the one negotiated by OPENVPN (80.254.76.210).

No wonder ROUTE is exiting with error 1.

looks like an OPENVPN bug to me.

But just in case, I suggest your restart your box, post your ifconfig output, start openvpn and post again your ifconfig output together with your message.log. Let's see if something else is resetting your tun0.

EDIT: Have you tried security/openvpn-devel instead?

EDIT: Have you tried to add the route manually once OPENVPN is up and running? Something like 
	
	



```
route add -net 80.254.76.128 80.254.76.137 255.255.255.128
```


----------



## marino (Nov 19, 2009)

Hi ctaranotte,

I'm actually using security/openvpn-devel
You can see this in the log...

```
Nov 11 14:27:50 draco openvpn[1786]: OpenVPN 2.1_rc20 amd64-portbld-freebsd7.2 [SSL] [LZO2] built on Nov 11 2009
```

Here is the output to your suggested route command:

```
draco-root# route add -net 80.254.76.128 80.254.76.137 255.255.255.128
route: writing to routing socket: File exists
add net 80.254.76.128: gateway 80.254.76.137: route already in table
```

So I have openvpn configured to start at boot up (/usr/local/etc/rc.d/openvpn), so the log I posted is from immediately after boot.  I was not using tun before I installed openvpn, so I don't think there are other culprits...

Let me post this all again, though, I probably posted an ifconfig from a different session.


----------



## marino (Nov 19, 2009)

After reboot:


```
draco-marino# ifconfig tun0
tun0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
	inet [color="Red"]80.254.76.155[/color] netmask 0xffffff80 broadcast 80.254.76.255
	Opened by PID 831
```



```
Nov 19 14:02:02 draco openvpn[830]: OpenVPN 2.1_rc20 amd64-portbld-freebsd7.2 [SSL] [LZO2] built on Nov 11 2009
Nov 19 14:02:02 draco openvpn[830]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 19 14:02:02 draco openvpn[830]: Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Nov 19 14:02:02 draco openvpn[830]: Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Nov 19 14:02:02 draco openvpn[830]: Local Options hash (VER=V4): 'db02a8f8'
Nov 19 14:02:02 draco openvpn[830]: Expected Remote Options hash (VER=V4): '7e068940'
Nov 19 14:02:02 draco openvpn[831]: Attempting to establish TCP connection with 80.254.79.87:443 [nonblock]
Nov 19 14:02:03 draco openvpn[831]: TCP connection established with 80.254.79.87:443
Nov 19 14:02:03 draco openvpn[831]: Socket Buffers: R=[65572->65536] S=[33124->65536]
Nov 19 14:02:03 draco openvpn[831]: TCPv4_CLIENT link local: [undef]
Nov 19 14:02:03 draco openvpn[831]: TCPv4_CLIENT link remote: 80.254.79.87:443
Nov 19 14:02:04 draco openvpn[831]: TLS: Initial packet from 80.254.79.87:443, sid=a7c1bbbb 20a64ba1
Nov 19 14:02:04 draco openvpn[831]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 19 14:02:06 draco openvpn[831]: VERIFY OK: depth=1, /C=CH/ST=ZH/L=Regensdorf/O=Monzoon_Networks_AG/OU=OpenVPN_CA/CN=OpenVPN-CA/emailAddress=operations@monzoon.net
Nov 19 14:02:06 draco openvpn[831]: VERIFY OK: nsCertType=SERVER
Nov 19 14:02:06 draco openvpn[831]: VERIFY OK: depth=0, /C=CH/ST=ZH/O=Monzoon_Networks_AG/OU=OpenVPN_server/CN=server/emailAddress=operations@monzoon.net
Nov 19 14:02:08 draco openvpn[831]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 19 14:02:08 draco openvpn[831]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 19 14:02:08 draco openvpn[831]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 19 14:02:08 draco openvpn[831]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 19 14:02:08 draco openvpn[831]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Nov 19 14:02:08 draco openvpn[831]: [server] Peer Connection Initiated with 80.254.79.87:443
Nov 19 14:02:10 draco openvpn[831]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Nov 19 14:02:10 draco openvpn[831]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 80.254.79.157,dhcp-option DNS 80.254.77.39,route-gateway 80.254.76.129,topology subnet,ping 10,ping-restart 60,socket-flags TCP_NODELAY,ifconfig 80.254.76.155 255.255.255.128'
Nov 19 14:02:10 draco openvpn[831]: OPTIONS IMPORT: timers and/or timeouts modified
Nov 19 14:02:10 draco openvpn[831]: OPTIONS IMPORT: --socket-flags option modified
Nov 19 14:02:10 draco openvpn[831]: NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)
Nov 19 14:02:10 draco openvpn[831]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 19 14:02:10 draco openvpn[831]: OPTIONS IMPORT: route options modified
Nov 19 14:02:10 draco openvpn[831]: OPTIONS IMPORT: route-related options modified
Nov 19 14:02:10 draco openvpn[831]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Nov 19 14:02:10 draco openvpn[831]: ROUTE default_gateway=192.168.0.1
Nov 19 14:02:10 draco openvpn[831]: TUN/TAP device /dev/tun0 opened
Nov 19 14:02:10 draco openvpn[831]: /sbin/ifconfig tun0 [color="Red"]80.254.76.155[/color] netmask 255.255.255.128 mtu 1500 up
Nov 19 14:02:10 draco openvpn[831]: /sbin/route add -net 80.254.76.128 80.254.76.155 255.255.255.128
Nov 19 14:02:10 draco openvpn[831]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Nov 19 14:02:10 draco openvpn[831]: /sbin/route add -net 80.254.79.87 192.168.0.1 255.255.255.255
Nov 19 14:02:10 draco openvpn[831]: /sbin/route add -net 0.0.0.0 80.254.76.129 128.0.0.0
Nov 19 14:02:10 draco openvpn[831]: /sbin/route add -net 128.0.0.0 80.254.76.129 128.0.0.0
Nov 19 14:02:10 draco openvpn[831]: Initialization Sequence Completed
```

so it appears the IP addresses match as expected.


----------



## ctaranotte (Nov 20, 2009)

Could you post the output of "netstat -r"?


----------



## marino (Nov 20, 2009)

sure!


```
draco-root# [color="Blue"]/usr/local/etc/rc.d/openvpn start[/color]
Starting openvpn.
draco-root# [color="#0000ff"]ifconfig tun0[/color]
tun0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
	inet 80.254.76.237 netmask 0xffffff80 broadcast 80.254.76.255
	Opened by PID 4384
draco-root# [color="#0000ff"]netstat -r[/color]
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
0.0.0.0/1          80-254-76-129.dyna UGS         0        0   tun0 =>
default            192.168.0.1        UGS         0   784108   nfe0
80.254.76.128/25   80-254-76-237.dyna U           2        0   tun0
80.254.79.87/32    192.168.0.1        UGS         0        6   nfe0
localhost          localhost          UH          0       50    lo0
128.0.0.0/1        80-254-76-129.dyna UGS         0        0   tun0
192.168.0.0        link#1             UC          0        0   nfe0
192.168.0.1        00:24:01:32:b2:bd  UHLW        3      222   nfe0   1225
orion              00:1e:2a:cc:69:90  UHLW        1      462   nfe0   1084

Internet6:
Destination        Gateway            Flags      Netif Expire
localhost          localhost          UHL         lo0
fe80::%lo0         fe80::1%lo0        U           lo0
fe80::1%lo0        link#3             UHL         lo0
ff01:3::           fe80::1%lo0        UC          lo0
ff02::%lo0         fe80::1%lo0        UC          lo0
```


----------



## ctaranotte (Nov 23, 2009)

what do you have any fw?


----------



## marino (Nov 24, 2009)

fw = firewall?

No, I am not running any firewall.  Just a router (dlink DIR-655), basic configuration.


----------



## ctaranotte (Nov 25, 2009)

You need to set up a firewall on your box (not on the server) which will nat and filter all traffic through tun0.

For example, in pf.conf, you may add something like

```
nat on tun0 from any to any -> tun0

pass in on ne0 inet proto {tcp udp icmp} from 80.254.76.128/25 to any flags S/SA keep state
pass out on ne0 inet proto {tcp udp icmp} from any to 80.254.76.128/25 flags S/SA keep state

pass in on tun0 inet proto {tcp udp icmp} from any to any flags S/SA keep state
pass out on tun0 inet proto {tcp udp icmp} from any to any flags S/SA keep state
```

You can also run 
	
	



```
tcpdump -n -i tun0
```
 to see what's wrong.


----------



## ctaranotte (Nov 25, 2009)

Almost forgot, you need also to add the following line in pf.conf:


```
nat on ne0 from any to any -> ne0
```


----------

