Hi All!
I was unable to set up my VPN routing because OpenVPN tunnels are not working correctly on a stable build 19.07
That is all because some of the most important configuration parameters to be passed to UP/ROUTE-UP scripts are ignored.
According to the OpenVPN manual the following parameters SHOULD be passed (indeed many more, but these parameters are critical for my routing config):
dev
ifconfig_local
ifconfig_remote
route_vpn_gateway
After setting up my 'up' and 'route-up' scripts I figured out that some of the parameters are lost somewhere.
The most important parameters like $ifconfig_remote and $route_vpn_gateway are lost or ignored along the way.
After a little digging and logging I can confirm that only a subset of mandatory parameters are passed to UP/ROUTE-UP scripts (see log below).
Please advise me how to deal with this mess.
My script is configured as follows:
This script works fine on other systems (Ubuntu, AdvancedTomato), but not on stable build OpenWRT 19.07.
```
...
route-noexec
route-delay 2
script-security 2
up /etc/openvpn/pbr-ovpn-up.sh
route-up /etc/openvpn/pbr-ovpn-up.sh
...
```
A small sample from the syslog (I have dumped env variables from the script to the syslog):
```
...
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: dev='tun0'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: dev_type='tun'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: ifconfig_broadcast='10.8.0.255'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: ifconfig_local='10.8.0.3'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: ifconfig_netmask='255.255.255.0'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: link_mtu='1574'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: proto_1='tcp-client'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: script_context='init'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: script_type='route-up'
Sat Apr 17 19:45:57 2021 user.notice pbr-ovpn-up [31764]: tun_mtu='1500'
...
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: dev='tun0'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: dev_type='tun'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: ifconfig_broadcast='10.8.0.255'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: ifconfig_local='10.8.0.3'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: ifconfig_netmask='255.255.255.0'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: link_mtu='1574'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: proto_1='tcp-client'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: script_context='init'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: script_type='up'
Sat Apr 17 19:45:55 2021 user.notice pbr-ovpn-up [31637]: tun_mtu='1500'
```
1 Like
I have such a record in the syslog:
Sat Apr 17 19:45:55 2021 daemon.notice openvpn(vul_fra_client2)[31499]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1 ,topology subnet,ping 10,ping-restart 120,socket-flags TCP_NODELAY,ifconfig 10.8.0.3 255.255.255.0,peer-id 0'
I see the gateway address of 10.8.0.1 passed to the client by the server.
But I see neither ifconfig_remote nor route_vpn_gateway environment variables are passed to the script...
UPDATE:
According to OpenVPN official documentation (environment variables section):
route_vpn_gateway:
The default gateway used by --route options, as specified in either the --route-gateway option or the second parameter to --ifconfig when --dev tun is specified.
And I have a record in the syslog with a 'route-gateway' option passed to the client:
openvpn(client2)[31499]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1 ,topology subnet,ping 10,ping-restart 120,socket-flags TCP_NODELAY,ifconfig 10.8.0.3 255.255.255.0,peer-id 0'
As we can see the 'route-gateway' directive was passed to the client but was NOT re-transmitted to the UP scripts as a 'route_vpn_gateway' environment variable.
It's a bug.
UPDATE 2:
Filed a bug to the bugtracker of 'packages':
opened 09:23AM - 18 Apr 21 UTC
Maintainer: @nbd168
Environment:
arm_cortex-a15_neon-vfpv4
Netgear Nighthawk … X4S R7800
Linux R7800 4.14.221 #0 SMP Mon Feb 22 15:36:55 2021 armv7l GNU/Linux
OpenWrt 19.07-SNAPSHOT r11312-e9c0c5021c
OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
OpenSSL 1.1.1j 16 Feb 2021, LZO 2.10
Description:
OpenVPN client does not pass some of mandatory configuration parameters to UP and ROUTE-UP scripts.
I was trying to set up my VPN routing on OpenWRT 19.07 using UP and ROUTE-UP scripts as I did before on other platforms but stepped into an issue.
I found out that some of the most important mandatory configuration parameters to be passed to UP/ROUTE-UP scripts are ignored or lost somewhere along the way.
The most important parameter that is lost/ignored is '**route_vpn_gateway**'.
According to the OpenVPN 2.4 MAN page/reference manual:
1) The 'up' and 'route-up' commands are useful for specifying route commands which route IP traffic into the tunnel.
2) A huge set of configuration parameters are passed to these scripts via environment variables.
3) Besides all of these parameters there is a mandatory parameter that is critical for configuring routing of other networks through vpn tunnel: '**route_vpn_gateway**'
4) The '**route_vpn_gateway**' environment variable is described in the OpenVPN documentation as follows:
```
The default gateway used by --route options, as specified in either the --route-gateway option
or the second parameter to --ifconfig when --dev tun is specified. Set prior to --up script execution.
```
After setting up my 'up' and 'route-up' scripts I figured out that at least two mandatory parameters are ignored or lost somewhere along the way:
```
$route_vpn_gateway
$ifconfig_remote
```
My client config is created according to official documentation and works fine on other systems (Ubuntu, AdvancedTomato).
The portion of the client config related to UP and ROUTE-UP script startup is configured as follows:
```
...
script-security 2
route-noexec
up /etc/openvpn/pbr-ovpn-up.sh
route-up /etc/openvpn/pbr-ovpn-up.sh
...
```
First of all I have verified that the '--route-gateway' option is really passed from server to client by examining OpenVPN events in the system log.
I found a record confirming the '--route-gateway' option is pushed by the server and received by client on every connection establishment:
```
Sun Apr 18 08:32:30 2021 daemon.notice openvpn(vul_fra_client2)[4063]:
PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,socket-flags TCP_NODELAY,ifconfig 10.8.0.3 255.255.255.0,peer-id 0'
```
`route-gateway 10.8.0.1`
To re-confirm the issue I saved the whole bundle of parameters passed to 'up' and 'route-up' scripts to the system log.
```
#!/usr/bin/env sh
# Tag used for the syslog entries so they can be grepped later
SCRIPT_NAME_POSU="pbr-ovpn-up"
# Dump exported variables, then all shell variables, to syslog with the PID
env | logger -t "${SCRIPT_NAME_POSU} [$$]"
set | logger -t "${SCRIPT_NAME_POSU} [$$]"
```
And then performed a search by keywords 'route_' and 'ifconfig_':
`root@R7800:~# logread | egrep ".*route_.*|.*ifconfig_.*"`
```
Sun Apr 18 08:32:30 2021 daemon.notice openvpn(vul_fra_client2)[4063]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_broadcast=10.8.0.255
Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_netmask=255.255.255.0
Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_local=10.8.0.3
Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_broadcast='10.8.0.255'
Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_local='10.8.0.3'
Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_netmask='255.255.255.0'
```
As you can see from the output the **$route_vpn_gateway** environment variable was not passed to the script, just like '$ifconfig_remote'.
I am really not very interested in the presence of '$ifconfig_remote' variable but **$route_vpn_gateway** is critical for my routing scripts.
**HOW TO REPRODUCE:**
1) Create a simple OpenVPN client/server installation (a simple instruction from digitalocean could be used).
2) Create a simple script /etc/openvpn/up.sh
Example contents could be something like this:
```
#!/bin/sh
# Dump the environment OpenVPN hands to the script, then a one-line summary of the variables of interest
env | logger -t "UP.SH [$$]"
set | logger -t "UP.SH [$$]"
echo "script_type: '$script_type' | dev: '$dev' | ifconfig_local: '$ifconfig_local' | ifconfig_remote: '$ifconfig_remote' | gw: '$route_vpn_gateway'" | logger -t "UP.SH [$$]"
```
3) Add the following lines to the standard ovpn client config file:
As you wish you can remove 'route-noexec' and 'route-up' directives and leave only 'script-security 2' and 'up /etc/openvpn/up.sh' (I was testing both script types).
```
script-security 2
route-noexec
up /etc/openvpn/pbr-ovpn-up.sh
route-up /etc/openvpn/pbr-ovpn-up.sh
```
4) Establish VPN connection.
5) Examine system log for output from the script.
You will see that the most of the variables were successfully passed to the script but '$route_vpn_gateway' and '$ifconfig_remote'
**Thank you in advance!**
2 Likes
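An added example, not code from either post: a POSIX sh snippet for an OpenVPN up/route-up script that resolves the tunnel gateway when `$route_vpn_gateway` is not exported, falling back to `$ifconfig_remote` and finally to the `route-gateway` value parsed from the PUSH_REPLY line that appears in the log above. The `logread` lookup at the bottom assumes the last PUSH_REPLY line in the OpenWrt log belongs to this client instance; the PUSH_REPLY text in the test is constructed from the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the original post): resolve the gateway for routes
# into the tunnel when OpenVPN does not export $route_vpn_gateway.
# Fallback order: $route_vpn_gateway, then $ifconfig_remote (net30/p2p
# topologies), then the 'route-gateway' value parsed from a PUSH_REPLY line.

# Extract the route-gateway address from a PUSH_REPLY control message string.
# $1: the full message text. Prints the address, or nothing if absent.
push_reply_gateway() {
    printf '%s\n' "$1" | sed -n 's/.*route-gateway \([0-9.][0-9.]*\).*/\1/p'
}

# Extract the pushed 'ifconfig' local address (subnet topology) for cross-checking.
push_reply_ifconfig_local() {
    printf '%s\n' "$1" | sed -n 's/.*ifconfig \([0-9.][0-9.]*\) [0-9.][0-9.]*.*/\1/p'
}

# Decide which gateway to use for routes into the tunnel.
# $1: $route_vpn_gateway, $2: $ifconfig_remote, $3: PUSH_REPLY text (may be empty)
resolve_vpn_gateway() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    elif [ -n "$2" ]; then
        printf '%s\n' "$2"
    else
        push_reply_gateway "$3"
    fi
}

# Only act when OpenVPN is actually invoking us (script_type is set by OpenVPN).
if [ -n "$script_type" ]; then
    # Assumption: the most recent PUSH_REPLY in the log is from this instance.
    PUSH_LINE=$(logread 2>/dev/null | grep 'PUSH_REPLY' | tail -n 1)
    VPN_GW=$(resolve_vpn_gateway "$route_vpn_gateway" "$ifconfig_remote" "$PUSH_LINE")
    if [ -z "$VPN_GW" ]; then
        logger -t "pbr-ovpn-up [$$]" "no tunnel gateway found; refusing to add routes"
        exit 0
    fi
    logger -t "pbr-ovpn-up [$$]" "script_type=$script_type dev=$dev gw=$VPN_GW"
    # Routing rules for $dev via $VPN_GW would go here.
fi
```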