OpenConnect route table issue

    root@OpenWrt:~# cat /etc/banner | grep Open
      OpenWrt 19.07.8, r11364-ef56c85848

    root@OpenWrt:~# uci show network.vpn.auto
    network.vpn.auto='0'

    root@OpenWrt:~# echo "Internet over $(curl -s ifconfig.me)"
    Internet over 77.xx.xxx.xx
    root@OpenWrt:~# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         192.168.180.1   0.0.0.0         UG    0      0        0 br-lan
    192.168.180.0   *               255.255.255.0   U     0      0        0 br-lan

    root@OpenWrt:~# ifup vpn

    root@OpenWrt:~# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         *               0.0.0.0         U     0      0        0 vpn-vpn
    10.10.10.0      *               255.255.255.0   U     0      0        0 vpn-vpn
    95.xxx.xx.xxx   192.168.180.1   255.255.255.255 UGH   0      0        0 br-lan
    192.168.180.0   *               255.255.255.0   U     0      0        0 br-lan

    root@OpenWrt:~# echo "Internet over $(curl -s ifconfig.me)"
    Internet over 95.xxx.xx.xxx

    root@OpenWrt:~# ifdown vpn

    !!! THERE IS AN ERROR IN OUR ROUTING TABLE !!!

    root@OpenWrt:~# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    95.xxx.xx.xxx   192.168.180.1   255.255.255.255 UGH   0      0        0 br-lan
    192.168.180.0   *               255.255.255.0   U     0      0        0 br-lan

    root@OpenWrt:~# cat fix
    #!/bin/sh

    t="$(ip route)"
    # after ifdown the only route with a gateway is the host route to the VPN
    # server: "95.xxx.xx.xxx via 192.168.180.1 dev br-lan" -> fields 1, 3 and 5
    dest="$(echo "$t"  | awk '$2 == "via" {print $1}' )"
    gate="$(echo "$t"  | awk '$2 == "via" {print $3}' )"
    iface="$(echo "$t" | awk '$2 == "via" {print $5}' )"

    logger -t fixroute "dest=$dest gate=$gate iface=$iface"

    # nothing to restore from if no such route exists
    [ -n "$gate" ] || exit 1

    ip route del "$dest"
    ip route add default via "$gate" dev "$iface"

    root@OpenWrt:~# ./fix
    root@OpenWrt:~# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         192.168.180.1   0.0.0.0         UG    0      0        0 br-lan
    192.168.180.0   *               255.255.255.0   U     0      0        0 br-lan

You could place a fix in the vpnc-script/netifd "framework".
Attention!

It is not enough to wait for "down" of the vpn interface.
The routing table is updated asynchronously by dnsmasq (as far as I understood ...).
Maybe there is a cooler way to wait for dnsmasq than parsing the output of "route" until the vpn interface disappears.

Of course, it would be really cool if someone could fix the error.

root@OpenWrt:~# mkdir /etc/openconnect/post-disconnect.d
root@OpenWrt:~# vi /etc/openconnect/post-disconnect.d/fix
root@OpenWrt:~# cat /etc/openconnect/post-disconnect.d/fix

# wait for system to update routing table; removed vpn interface in our case
# (vpnc-script sources the scripts in post-disconnect.d, so $TUNDEV is set here;
#  "ip route show dev ..." is needed, a bare device name is not a valid prefix)
n=0
while [ "$(ip route show dev "$TUNDEV" 2>/dev/null)" != "" ] && [ "$n" -lt 30 ]; do
       sleep 1
       n=$((n + 1))
done

t="$(ip route)"
# the host route to the VPN server: "95.xxx.xx.xxx via 192.168.180.1 dev br-lan"
dest="$(echo "$t"  | awk '$2 == "via" {print $1}' )"
gate="$(echo "$t"  | awk '$2 == "via" {print $3}' )"
iface="$(echo "$t" | awk '$2 == "via" {print $5}' )"

logger -t openconnect "dest=$dest gate=$gate iface=$iface"

# do not touch the table if there is nothing to restore from
if [ -n "$gate" ]; then
    ip route del "$dest"
    ip route add default via "$gate" dev "$iface"
fi
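A hardened variant of the hook above, as an added example (this is not code from the thread, from OpenWrt or from the openconnect package): the wait loop gets an upper bound, and the restore step is written as a function that reads an `ip route` table and only emits commands when the table looks like the broken state shown earlier. It also covers the case the one-liner does not: `$2 == "via"` would match a `default via ...` route as well, which is exactly what exists once the lan interface carries a metric. Assumptions: busybox ash or any POSIX sh with `awk`, `ip` and `sleep`; the sample tables are constructed to mirror the thread, with 203.0.113.5 standing in for the masked VPN server address and 192.168.180.2 as an assumed router LAN address.

```sh
# Added example, not code from the thread: bounded wait plus a restore step
# that refuses to act on a route table it does not understand.

# Wait until no route is left on the tunnel device, at most $2 seconds.
# `ip route show dev X` prints nothing once X has no routes or no longer
# exists (a bare device name without "dev" is a prefix parse error, so the
# thread's original loop never actually waited). Returns 1 on timeout.
wait_tun_gone() {
    dev="$1"; tries="${2:-30}"
    while [ "$tries" -gt 0 ]; do
        [ -z "$(ip route show dev "$dev" 2>/dev/null)" ] && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Read an `ip route` table on stdin and print the commands that restore the
# default route, or a comment explaining why nothing should be done.
# Exit status 1 means "no safe action"; nothing is printed on stdout then.
restore_default_cmd() {
    awk '
        # any default route (VPN or LAN, whatever its metric) -> table is usable
        $1 == "default" { have_default = 1 }
        # a host route "via" the real gateway is the pin vpnc-script left behind:
        #   203.0.113.5 via 192.168.180.1 dev br-lan
        # subnets carry a /prefix, so a bare address in $1 is a host route;
        # if several exist the last one wins
        $2 == "via" && $4 == "dev" && $1 != "default" && index($1, "/") == 0 {
            pinned = $1; gate = $3; dev = $5
        }
        END {
            if (have_default) { print "# default route present, nothing to do"; exit 0 }
            if (gate == "")   { print "# no gateway route found, refusing to guess" > "/dev/stderr"; exit 1 }
            printf "ip route del %s\nip route add default via %s dev %s\n", pinned, gate, dev
        }'
}

# Constructed sample tables (what `ip route` prints in each state of the thread;
# 203.0.113.5 = VPN server placeholder, 192.168.180.2 = assumed router address).
BROKEN_TABLE='203.0.113.5 via 192.168.180.1 dev br-lan
192.168.180.0/24 dev br-lan proto kernel scope link src 192.168.180.2'
HEALTHY_TABLE='default via 192.168.180.1 dev br-lan
192.168.180.0/24 dev br-lan proto kernel scope link src 192.168.180.2'
VPN_UP_TABLE='default dev vpn-vpn scope link
default via 192.168.180.1 dev br-lan metric 50
10.10.10.0/24 dev vpn-vpn scope link
203.0.113.5 via 192.168.180.1 dev br-lan metric 50
192.168.180.0/24 dev br-lan proto kernel scope link src 192.168.180.2 metric 50'
NO_GATEWAY_TABLE='192.168.180.0/24 dev br-lan proto kernel scope link src 192.168.180.2'

# Demo on the constructed broken table: prints the two commands, runs nothing.
printf '%s\n' "$BROKEN_TABLE" | restore_default_cmd
```

In the hook, the two calls would be `wait_tun_gone "$TUNDEV" 30` followed by `ip route | restore_default_cmd | sh`. Because the function prints only a comment when a default route exists, and prints nothing when it finds no gateway route, piping its output into `sh` is a no-op in every state except the broken one; `wait_tun_gone` is not exercised offline since it needs the real `ip` and a tunnel device.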

You can change the metric of the lan interface. Then, when you bring up the vpn both gateways will be in the routing table. And when the vpn goes down the original gateway will still be there.

2 Likes

I need to clarify a few things.
It is OpenWrt on a Raspberry Pi 3B+.
I have tried version 21.02.0 and version 19.07.8.
The Raspberry has only one physical LAN connection.
I am absolutely new to OpenWrt.

As far as I found out, I am missing a WAN interface in contrast to a "normal" OpenWrt configuration.

On the Pi, the route is "broken" when the VPN connection is terminated.

The routing table is modified by the script /lib/netifd/vpnc-script.
Therefore I have no idea at all how I should introduce metrics there now.

uci set network.lan.metric='50'
uci commit network
/etc/init.d/network restart

After that, your routing table should look like this:

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.180.1   0.0.0.0         UG    50     0        0 br-lan
192.168.180.0   *               255.255.255.0   U     50     0        0 br-lan

root@OpenWrt:~# ifup vpn

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 vpn-vpn
default         192.168.180.1   0.0.0.0         UG    50     0        0 br-lan
10.10.10.0      *               255.255.255.0   U     0      0        0 vpn-vpn
95.xxx.xx.xxx   192.168.180.1   255.255.255.255 UGH   50     0        0 br-lan
192.168.180.0   *               255.255.255.0   U     50     0        0 br-lan

root@OpenWrt:~# ifdown vpn

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.180.1   0.0.0.0         UG    50     0        0 br-lan
95.xxx.xx.xxx   192.168.180.1   255.255.255.255 UGH   50     0        0 br-lan
192.168.180.0   *               255.255.255.0   U     50     0        0 br-lan
1 Like

Thank you very much. Works perfectly.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

1 Like