OpenWrt 19.07 OpenVPN client does not pass configuration parameters to UP/ROUTE-UP scripts

open.nya · April 17, 2021, 8:17pm

Hi All!

I was unable to set up my VPN routing because OpenVPN tunnels are not working correctly on a stable build 19.07
That is all because some of the most important configuration parameter to be passed to UP/ROUTE-UP scripts are ignored.

According to OpenVPN manual the following parameters SHOULD be passed (in deed many times more, but these parameters are critical for my routing config):

dev
ifconfig_local
ifconfig_remote
route_vpn_gateway

After setting up my 'up' and 'route-up' scripts I figured out that some of parameters are lost somewhere.
The most important parameters like $ifconfig_remote and $route_vpn_gateway are lost or ignored along the way.

After a little digging and logging I can confirm that only a subset of mandatory parameters are passed to UP/ROUTE-UP scripts (see log below).
.

Please advice me how to deal with this mess.

.
My script is configured as follows:
This script works fine on other systems (Ubuntu, AdvancedTomato), but not on stable build OpenWRT 19.07.

...
route-noexec
route-delay 2
script-security 2
up /etc/openvpn/pbr-ovpn-up.sh
route-up /etc/openvpn/pbr-ovpn-up.sh
...

A small sample from the syslog (I have dumped env variables from the script to the syslog):

...
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: dev='tun0'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: dev_type='tun'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: ifconfig_broadcast='10.8.0.255'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: ifconfig_local='10.8.0.3'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: ifconfig_netmask='255.255.255.0'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: link_mtu='1574'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: proto_1='tcp-client'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: script_context='init'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: script_type='route-up'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: tun_mtu='1500'
...

Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: dev='tun0'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: dev_type='tun'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: ifconfig_broadcast='10.8.0.255'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: ifconfig_local='10.8.0.3'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: ifconfig_netmask='255.255.255.0'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: link_mtu='1574'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: proto_1='tcp-client'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: script_context='init'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: script_type='up'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: tun_mtu='1500'

open.nya · April 17, 2021, 9:13pm

open.nya · April 17, 2021, 9:44pm

I have such a record in the syslog:

Sat Apr 17 19:45:55 2021 daemon.notice openvpn(vul_fra_client2)[31499]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,socket-flags TCP_NODELAY,ifconfig 10.8.0.3 255.255.255.0,peer-id 0'

I see the gateway address of 10.8.0.1 passed to client by by the server.
But I see neither ifconfig_remote nor route_vpn_gateway environment variables are passed to the script...

UPDATE:
According to OpenVPN official documentation (environment variables section):

route_vpn_gateway:
The default gateway used by --route options, as specified in either the --route-gateway option or the second parameter to --ifconfig when --dev tun is specified.

And I have a record in the syslog with a 'route-gateway' option passed to client:

openvpn(client2)[31499]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,socket-flags TCP_NODELAY,ifconfig 10.8.0.3 255.255.255.0,peer-id 0

As we can see 'route-gateway' directive was passed to client but was NOT re-transmitted to the UP scrips as a 'route_vpn_gateway' environment variable.

It's a bug.

UPDATE 2:
Filed a bug to the bugtracker of 'packages':

github.com/openwrt/packages

openvpn-openssl: OpenVPN client does not pass some of mandatory configuration parameters to UP and ROUTE-UP scripts

opened 09:23AM - 18 Apr 21 UTC

OpenNya

Maintainer: @nbd168 Environment: arm_cortex-a15_neon-vfpv4 Netgear Nighthawk …X4S R7800 Linux R7800 4.14.221 #0 SMP Mon Feb 22 15:36:55 2021 armv7l GNU/Linux OpenWrt 19.07-SNAPSHOT r11312-e9c0c5021c OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] OpenSSL 1.1.1j 16 Feb 2021, LZO 2.10 Description: OpenVPN client does not pass some of mandatory configuration parameters to UP and ROUTE-UP scripts. I was trying to to set up my VPN routing on OpenWRT 19.07 using UP and ROUTE-UP scripts as I did it before on other platforms but step into an issue. I found out that some of the most important mandatory configuration parameter to be passed to UP/ROUTE-UP scripts are ignored or lost somewhere along the way. The most important parameter that is lost/ignored is ''**route_vpn_gateway**'. According OpenVPN 2.4 MAN page/reference manual: 1) The 'up' and 'route-up' commands are useful for specifying route commands which route IP traffic into the tunnel. 2) A huge set of configuration parameters are passed to these scripts via environment variables. 3) Besides all of these parameters there is a mandatory parameter that is critical for configuring routing of other networks through vpn tunnel: '**route_vpn_gateway**' 4) The '**route_vpn_gateway**' environment variable is described in the OpenVPN documentation as follows: ``` The default gateway used by --route options, as specified in either the --route-gateway option or the second parameter to --ifconfig when --dev tun is specified. Set prior to --up script execution. ``` After setting up my 'up' and 'route-up' scripts I figured out that at least two mandatory parameters are ignored or lost somewhere along the way: ``` $route_vpn_gateway $ifconfig_remote ``` My client config is created according to official documentation and works fine on other systems (Ubuntu, AdvancedTomato). The portion of the client config related to UP and ROUTE-UP script startup is configured as follows: ``` ... script-security 2 route-noexec up /etc/openvpn/pbr-ovpn-up.sh route-up /etc/openvpn/pbr-ovpn-up.sh ... ``` Thirst of all I have verified that the '--route-gateway' option is really passes from server to client by examining OpenVPN events in the system log. I found a record confirming the '--route-gateway' option is pushed by the server and received by client on every connection establishment: ``` Sun Apr 18 08:32:30 2021 daemon.notice openvpn(vul_fra_client2)[4063]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,socket-flags TCP_NODELAY,ifconfig 10.8.0.3 255.255.255.0,peer-id 0' ``` `route-gateway 10.8.0.1` To re-confirm the issue I saved the whole bundle of parameters passed to 'up' and 'route-up' scripts to the system log. ``` #!/usr/bin/env sh SCRIPT_NAME_POSU="pbr-ovpn-up" env | logger -t "${SCRIPT_NAME_POSU} [$$]" set | logger -t "${SCRIPT_NAME_POSU} [$$]" ``` And then performed a search by keywords 'route_' and 'ifconfig_': `root@R7800:~# logread | egrep ".*route_.*|.*ifconfig_.*"` ``` Sun Apr 18 08:32:30 2021 daemon.notice openvpn(vul_fra_client2)[4063]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0 Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_broadcast=10.8.0.255 Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_netmask=255.255.255.0 Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_local=10.8.0.3 Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_broadcast='10.8.0.255' Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_local='10.8.0.3' Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_netmask='255.255.255.0' ``` As you can see from the output the **$route_vpn_gateway** environment variable was not passed to the script, just like '$ifconfig_remote'. I am really not very interested in the presence of '$ifconfig_remote' variable but **$route_vpn_gateway** is critical for my routing scripts. **HOW TO REPRODUCE:** 1) Create a simple OpenVPN client/server installation (a simple instruction from digitalocean could be used). 2) Create a simple script /etc/openvpn/up.sh Example contents could be something like this: ``` #!/bin/sh env | logger -t "UP.SH [$$]" set | logger -t "UP.SH [$$]" echo "script_type: '$script_type' | dev: '$dev' | ifconfig_local: '$ifconfig_local' | ifconfig_remote: '$ifconfig_remote' | gw: '$route_vpn_gateway'" | logger -t "UP.SH [$$]" ``` 3) Add the following lines to the standard ovpn client config file: As you wish you can remove 'route-noexec' and 'route-up' directives and leave only 'script-security 2' and 'up /etc/openvpn/up.sh' (I was testing both script types). ``` script-security 2 route-noexec up /etc/openvpn/pbr-ovpn-up.sh route-up /etc/openvpn/pbr-ovpn-up.sh ``` 4) Establish VPN connection. 5) Examine system log for output from the script. You will see that the most of the variables were successfully passed to the script but '$route_vpn_gateway' and '$ifconfig_remote' **Thank you in advance!**