OpenVPN / openvpn

OpenVPN is an open source VPN daemon
http://openvpn.net

Routing loop: read UDPv4 [EHOSTUNREACH]: No route to host (fd=3,code=113) #365

Closed mythosking closed 1 year ago

mythosking commented 1 year ago

Describe the bug

Client run command: openvpn --config /etc/openvpn/client/client.ovpn

The client encountered an error: 2023-07-14 15:54:22 read UDPv4 [EHOSTUNREACH]: No route to host (fd=3,code=113)

But with the same client configuration, OpenVPN 2.6.4 [git: v2.6.4/b4f749f14a8edc75] under Win11 connects to the same server successfully.

The detailed logs of the client are as follows:

[root@vpn libnl-3.5.0]# openvpn --config /etc/openvpn/client/client.ovpn
2023-07-14 16:42:40 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-07-14 16:42:40 WARNING: file '/etc/openvpn/client/client.key' is group or others accessible
2023-07-14 16:42:40 OpenVPN 2.6.5 [git:HEAD/cbc9e0ce412e7b42+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 14 2023
2023-07-14 16:42:40 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
2023-07-14 16:42:40 TCP/UDP: Preserving recently used remote address: [AF_INET]10.10.8.60:11941
2023-07-14 16:42:40 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-07-14 16:42:40 UDPv4 link local: (not bound)
2023-07-14 16:42:40 UDPv4 link remote: [AF_INET]10.10.8.60:11941
2023-07-14 16:42:40 TLS: Initial packet from [AF_INET]10.10.8.60:11941, sid=3c70c154 95260899
2023-07-14 16:42:40 VERIFY OK: depth=1, CN=Easy-RSA CA
2023-07-14 16:42:40 VERIFY KU OK
2023-07-14 16:42:40 Validating certificate extended key usage
2023-07-14 16:42:40 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-07-14 16:42:40 VERIFY EKU OK
2023-07-14 16:42:40 VERIFY OK: depth=0, CN=server
2023-07-14 16:42:40 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-07-14 16:42:40 [server] Peer Connection Initiated with [AF_INET]10.10.8.60:11941
2023-07-14 16:42:40 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-07-14 16:42:40 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-07-14 16:42:40 PUSH: Received control message: 'PUSH_REPLY,route 10.8.16.0 255.255.255.0,dhcp-option DNS 114.114.114.114,explicit-exit-notify 3,route-gateway 10.10.8.1,ping 10,ping-restart 120,ifconfig 10.10.8.100 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1400'
2023-07-14 16:42:40 OPTIONS IMPORT: --ifconfig/up options modified
2023-07-14 16:42:40 OPTIONS IMPORT: route options modified
2023-07-14 16:42:40 OPTIONS IMPORT: route-related options modified
2023-07-14 16:42:40 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-07-14 16:42:40 OPTIONS IMPORT: tun-mtu set to 1400
2023-07-14 16:42:40 net_route_v4_best_gw query: dst 0.0.0.0
2023-07-14 16:42:40 net_route_v4_best_gw result: via 10.8.36.1 dev ens2f0
2023-07-14 16:42:40 ROUTE_GATEWAY 10.8.36.1/255.255.255.0 IFACE=ens2f0 HWADDR=e8:61:1f:24:df:be
2023-07-14 16:42:40 TUN/TAP device tap1 opened
2023-07-14 16:42:40 net_iface_mtu_set: mtu 1400 for tap1
2023-07-14 16:42:40 net_iface_up: set tap1 up
2023-07-14 16:42:40 net_addr_v4_add: 10.10.8.100/24 dev tap1
2023-07-14 16:42:40 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2023-07-14 16:42:40 Timers: ping 10, ping-restart 120
2023-07-14 16:42:40 Protocol options: explicit-exit-notify 3, protocol-flags cc-exit tls-ekm dyn-tls-crypt
2023-07-14 16:42:42 net_route_v4_add: 10.8.16.0/24 via 10.10.8.1 dev [NULL] table 0 metric -1
2023-07-14 16:42:42 Initialization Sequence Completed
2023-07-14 16:42:43 read UDPv4 [EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNR]: No route to host (fd=3,code=113)
2023-07-14 16:42:47 read UDPv4 [EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH]: No route to host (fd=3,code=113)
2023-07-14 16:42:53 read UDPv4 [EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH]: No route to host (fd=3,code=113)
2023-07-14 16:43:05 read UDPv4 [EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH]: No route to host (fd=3,code=113)
2023-07-14 16:43:18 read UDPv4 [EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH]: No route to host (fd=3,code=113)

To Reproduce

VPN server: 10.10.8.60
VPN client: 10.8.36.3

Expected behavior

The CentOS client and the Windows client should both be able to connect to the server consistently.

Version information (please complete the following information):

VPN server:

[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 8.5.2111
[root@localhost server]# service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
[root@localhost server]#

VPN client:

[root@vpn libnl-3.5.0]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@vpn openvpn]# service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
[root@vpn openvpn]#
[root@localhost ~]# openvpn --version
OpenVPN 2.6.5 [git:HEAD/cbc9e0ce412e7b42+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO] built on Jul 14 2023
library versions: OpenSSL 1.1.1k  FIPS 25 Mar 2021, LZO 2.08
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=auto enable_dco_arg=auto enable_debug=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

Additional context

VPN server.conf

local 0.0.0.0
port 11941
proto udp
topology subnet
dev tap0
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn//server/server.key
dh /etc/openvpn/server/dh.pem
cipher AES-256-GCM
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM
remote-cert-tls client
tls-version-min 1.2
server-bridge 10.10.8.1 255.255.255.0 10.10.8.100 10.10.8.103
push "route 10.8.16.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 114.114.114.114"
push "explicit-exit-notify 3"
allow-compression no
keepalive 10 120
max-clients 100
duplicate-cn
persist-key
persist-tun
tun-mtu 1400
mssfix 1400
log /var/log/openvpn.log
log-append /var/log/openvpn.log
status openvpn-status.log
verb 4
mute 20
script-security 2

VPN client.ovpn

client
dev tap
remote 10.10.8.60 11941 udp
nobind
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/client.crt
key /etc/openvpn/client/client.key
remote-cert-tls server
resolv-retry infinite
persist-key
persist-tun
remote-random
resolv-retry infinite
verb 3
auth-nocache
route-delay 2
mute-replay-warnings

schwabe commented 1 year ago

Your bug is somehow missing the description of the problem that you experience.

mythosking commented 1 year ago

> Your bug is somehow missing the description of the problem that you experience.

I have modified the issue and submitted a detailed log.

schwabe commented 1 year ago

You are creating a routing loop. You are connecting to 10.10.8.60 but also assign a 10.10.8.100/24 to your client. This is a configuration error more than anything else.
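
The mechanism behind this diagnosis can be checked mechanically before a client config is rolled out. The following is an added example, not part of this issue and not OpenVPN's own code: it parses the PUSH_REPLY line from the client log quoted above, collects the networks that will be routed over the tap/tun interface (the ifconfig subnet, because on Linux assigning 10.10.8.100/24 to tap1 installs a connected route for 10.10.8.0/24 on that device, plus every pushed route), and reports whether the VPN server address itself falls inside one of them. Only the ifconfig and route forms seen in this issue are handled; the function and variable names are the example's own.

```python
import ipaddress
import re

# The PUSH_REPLY line and the server address are copied from the client log and
# client.ovpn quoted in this issue; everything else in this file is constructed.
PUSH_REPLY_LOG = (
    "2023-07-14 16:42:40 PUSH: Received control message: 'PUSH_REPLY,"
    "route 10.8.16.0 255.255.255.0,dhcp-option DNS 114.114.114.114,"
    "explicit-exit-notify 3,route-gateway 10.10.8.1,ping 10,ping-restart 120,"
    "ifconfig 10.10.8.100 255.255.255.0,peer-id 0,cipher AES-256-GCM,"
    "protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1400'"
)
VPN_SERVER = "10.10.8.60"


def parse_push_reply(log_line):
    """Split the option list out of an OpenVPN 'PUSH: Received control message' line."""
    m = re.search(r"PUSH_REPLY,(.*?)'", log_line)
    if not m:
        raise ValueError("line does not contain a PUSH_REPLY")
    return [opt.strip() for opt in m.group(1).split(",") if opt.strip()]


def tunnel_networks(options):
    """Networks that end up routed over the tunnel interface once the push is applied.

    Two sources matter for this issue:
      * 'ifconfig <addr> <mask>': on Linux the kernel adds a connected route for
        the whole subnet on the tap/tun device when the address is assigned;
      * 'route <net> [mask [gw]]': each pushed route is installed via the tunnel.
    redirect-gateway is deliberately not handled: OpenVPN adds a host route for
    the server itself before redirecting the default route in that case.
    """
    nets = []
    for opt in options:
        parts = opt.split()
        if parts[0] == "ifconfig" and len(parts) == 3:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts[0] == "route" and len(parts) >= 2:
            mask = parts[2] if len(parts) >= 3 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
    return nets


def find_routing_loop(server_addr, options):
    """Return the first tunnel network that contains the VPN server address, or None.

    If the server address is inside such a network, the client's own UDP packets
    to the server are routed into the tunnel instead of out the physical uplink,
    which is the EHOSTUNREACH loop shown in the logs above.
    """
    server = ipaddress.ip_address(server_addr)
    for net in tunnel_networks(options):
        if server in net:
            return net
    return None


def check_log_line(server_addr, log_line):
    """Parse one PUSH_REPLY log line and describe the result as a string."""
    loop = find_routing_loop(server_addr, parse_push_reply(log_line))
    if loop is None:
        return "ok: VPN server %s is not covered by any tunnel route" % server_addr
    return "routing loop: VPN server %s lies inside tunnel network %s" % (server_addr, loop)


if __name__ == "__main__":
    print(check_log_line(VPN_SERVER, PUSH_REPLY_LOG))
```

Run against the log in this issue it reports the ifconfig subnet 10.10.8.0/24 as the network that swallows 10.10.8.60; the same check with the remote outside the pushed networks returns None, which is the configuration to aim for (server reachable only via the physical uplink, tunnel networks disjoint from it).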

mythosking commented 1 year ago

> You are creating a routing loop. You are connecting to 10.10.8.60 but also assign a 10.10.8.100/24 to your client. This is a configuration error more than anything else.

Hello, I still have many questions. Firstly, is it allowed to configure the DHCP pool and the server in the same network segment? Just ensure that the DHCP pool does not conflict with the IP of the existing terminal, right? Secondly, using the configuration of the client in question, on Win11 it was possible to successfully connect to the server without the same error. Is there any mechanical difference between Win11 and Centos8?

schwabe commented 1 year ago

This is a bug tracker to report bugs and problems in OpenVPN to developers. This is not the right place to explain routing and network setup problems. Connecting to a server from the same network that the server itself serves is always tricky and problematic and most times completely pointless since you are already in there. You can look into things like redirect-private etc., but ultimately it is better to try to avoid this situation. And yes, different platforms can exhibit different behaviour.