Route to OpenVPN GW remains after tunnel is closed, results in having to manually delete route from routing table before trying to reconnect

[GoogleCodeExporter]

2011-03-15 15:52:39 *Tunnelblick: OS X 10.6.6; Tunnelblick 3.1.6 (build 
2190.2392); OpenVPN 2.1.4

The subject says it all -- if I tear down the tunnel, or if the tunnel is torn 
down (e.g. "no buffer space available"), I manually have to remove the route to 
the VPN server before I can reconnect.

Tor

Original issue reported on code.google.com by tor.houg...@gmail.com on 15 Mar 2011 at 3:01

[GoogleCodeExporter]

Please post your configuration file and the _complete_ log from the Details… 
window? X out anything sensitive.

Thanks.

Original comment by jkbull...@gmail.com on 15 Mar 2011 at 3:22

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

Here you go. The session got torn down while I was away from my desk, so not 
sure if there were any "no buffer space available" issues.

From the logs it looks like it was 16:43 when the session got torn down.

Tor

Original comment by tor.houg...@gmail.com on 15 Mar 2011 at 4:27

Attachments:

• config.ovpn
• log.txt

[GoogleCodeExporter]

I think I see the problem.

You use openvpn-downroot.so, along with "user nobody" and "group nobody" so 
that OpenVPN drops privileges towards the end of making a connection. 
"downroot" allows the down script to be run as root, even though the main 
OpenVPN process is running as nobody.

 That's fine. However, when OpenVPN goes to close down the connection, it is not running as root. So it is unable to alter the routing tables. This is seen in several log entries starting with

2011-03-15 16:26:35 /sbin/route delete -net 10.8.0.1 10.8.0.5 255.255.255.255
                                        route: must be root to alter routing table
2011-03-15 16:26:35 ERROR: OS X route delete command failed: external program 
exited with error status: 77

I am not an OpenVPN expert, and you might want to consult the OpenVPN mailing 
list (a  link to it is in the left-most column on the Tunnelblick home page), 
but I think there are two possible solutions:
(1) Get rid of "user nobody" and "group nobody"; or
(2) Do the routing in customized up/down scripts instead of in OpenVPN itself.

If you go with (1), you should also remove the per-configuration 
"-useDownRootPlugin" preference, although leaving it in shouldn't cause any 
problems (the downroot plugin will be used even though it isn't necessary).

Please reply when you've resolved the situation, so this Issue can be closed 
(or not).

Original comment by jkbull...@gmail.com on 15 Mar 2011 at 5:16

[GoogleCodeExporter]

Original comment by jkbull...@gmail.com on 2 Apr 2011 at 6:53

• Changed state: Configuration

[GoogleCodeExporter]

Solution (1) worked perfect for me. I was having the exact same issue! Thank 
you.

Original comment by leonardo...@gmail.com on 4 Mar 2015 at 2:08