kylemanna / docker-openvpn

🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
https://hub.docker.com/r/kylemanna/openvpn/
MIT License

tun device ip address and route tables not set in latest CoreOS (1688.5.3) #370

Open comphilip opened 6 years ago

comphilip commented 6 years ago

Everything works well (with Docker host network mode) on CoreOS 1632.3.0. After the CoreOS auto-upgrade to 1688.5.3, openvpn cannot set up the tun device properly.

logs:

openvpn_1 | Running 'openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --crl-verify /etc/openvpn/crl.pem '
openvpn_1 | Sat Apr 7 05:52:22 2018 OpenVPN 2.4.4 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 9 2017
openvpn_1 | Sat Apr 7 05:52:22 2018 library versions: LibreSSL 2.6.3, LZO 2.10
openvpn_1 | Sat Apr 7 05:52:22 2018 Diffie-Hellman initialized with 2048 bit key
openvpn_1 | Sat Apr 7 05:52:22 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
openvpn_1 | Sat Apr 7 05:52:22 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
openvpn_1 | Sat Apr 7 05:52:22 2018 ROUTE_GATEWAY 172.31.32.1/255.255.240.0 IFACE=eth0 HWADDR=06:5f:cd:be:fa:a0
openvpn_1 | Sat Apr 7 05:52:22 2018 TUN/TAP device tun0 opened
openvpn_1 | Sat Apr 7 05:52:22 2018 TUN/TAP TX queue length set to 100
openvpn_1 | Sat Apr 7 05:52:22 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
openvpn_1 | Sat Apr 7 05:52:22 2018 /sbin/ip link set dev tun0 up mtu 1500
openvpn_1 | Sat Apr 7 05:52:22 2018 /sbin/ip addr add dev tun0 local 192.168.250.1 peer 192.168.250.2
openvpn_1 | Sat Apr 7 05:52:22 2018 /sbin/ip route add 192.168.51.0/24 via 192.168.250.2
openvpn_1 | Sat Apr 7 05:52:22 2018 /sbin/ip route add 192.168.250.0/24 via 192.168.250.2
openvpn_1 | Sat Apr 7 05:52:22 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
openvpn_1 | Sat Apr 7 05:52:22 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
openvpn_1 | Sat Apr 7 05:52:22 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
openvpn_1 | Sat Apr 7 05:52:22 2018 UDPv4 link remote: [AF_UNSPEC]
openvpn_1 | Sat Apr 7 05:52:22 2018 GID set to nogroup
openvpn_1 | Sat Apr 7 05:52:22 2018 UID set to nobody
openvpn_1 | Sat Apr 7 05:52:22 2018 MULTI: multi_init called, r=256 v=256
openvpn_1 | Sat Apr 7 05:52:22 2018 IFCONFIG POOL: base=192.168.250.4 size=62, ipv6=0
openvpn_1 | Sat Apr 7 05:52:22 2018 Initialization Sequence Completed

The OpenVPN server started successfully according to the logs. No error messages, and it called /sbin/ip to set the IP address and routes. But those /sbin/ip commands did not work:

ip address:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 06:5f:cd:be:fa:a0 brd ff:ff:ff:ff:ff:ff
    inet 172.31.41.215/20 brd 172.31.47.255 scope global dynamic eth0
       valid_lft 3106sec preferred_lft 3106sec
    inet6 fe80::45f:cdff:febe:faa0/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:43:a7:81:68 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:43ff:fea7:8168/64 scope link
       valid_lft forever preferred_lft forever
14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet6 fe80::e876:a319:2839:312f/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

ip route:

default via 172.31.32.1 dev eth0 proto dhcp src 172.31.41.215 metric 1024
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-bb9f41f9be54 proto kernel scope link src 172.18.0.1
172.31.32.0/20 dev eth0 proto kernel scope link src 172.31.41.215
172.31.32.1 dev eth0 proto dhcp scope link src 172.31.41.215 metric 1024

I had to run /sbin/ip commands manually to fix the problem.

comphilip commented 6 years ago

I have a workaround for this issue. It seems the ip command executes too early, before the tun device is completely opened and initialized.

So I wrote a delay-ip.sh and mounted it as /etc/openvpn/delay-ip.sh:

#!/usr/bin/env bash
# give the freshly opened tun device a moment to finish initializing
sleep 0.1
# then run the real ip command with the arguments OpenVPN passed us
/sbin/ip "$@"

It just sleeps 0.1 seconds before running the actual ip command.

Update openvpn.conf and add one line to tell openvpn to call our ip command instead of the default one:

iproute /etc/openvpn/delay-ip.sh
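A fixed 0.1 s sleep papers over a race without checking that it was won. The variant below is an added example, not the workaround posted above and not part of kylemanna/docker-openvpn: it is also meant to be installed via `iproute`, but instead of sleeping blindly it looks for the interface named after `dev` in the arguments OpenVPN passes (e.g. `ip link set dev tun0 up mtu 1500`), polls `/sys/class/net/<dev>` with a bounded number of retries until the kernel has registered the device, and only then hands the unchanged argument list to the real `ip`. Commands without a `dev` argument (the `ip route add ... via ...` lines in the log) are passed straight through. The variable names IP_BIN, SYSFS_NET and MAX_TRIES are this example's own, not OpenVPN or project settings.

```shell
#!/usr/bin/env bash
# delay-ip.sh: wait-for-device wrapper for OpenVPN's `iproute` option.
# Added example; not code from kylemanna/docker-openvpn or the issue author.
# Install: mount as /etc/openvpn/delay-ip.sh (root-owned, mode 0755) and add
#   iproute /etc/openvpn/delay-ip.sh
# to openvpn.conf.

IP_BIN="${IP_BIN:-/sbin/ip}"               # real ip(8); example knob, overridable for tests
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"   # where the kernel lists netdevs; overridable for tests
MAX_TRIES="${MAX_TRIES:-50}"               # 50 polls x 0.1 s = 5 s upper bound
LOG_TAG="delay-ip"

log() { printf '%s: %s\n' "$LOG_TAG" "$*" >&2; }

# Print the interface name following a `dev` keyword in the argument list.
# Returns 1 (prints nothing) when the command names no device.
extract_dev() {
    while [ $# -gt 0 ]; do
        if [ "$1" = dev ] && [ -n "${2:-}" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Poll sysfs until $1 is registered or MAX_TRIES is exhausted.
# Returns 0 once the device exists, 1 on timeout.
wait_for_dev() {
    want=$1
    tries=0
    while [ ! -e "$SYSFS_NET/$want" ]; do
        tries=$((tries + 1))
        if [ "$tries" -ge "$MAX_TRIES" ]; then
            log "device $want did not appear after $tries polls"
            return 1
        fi
        sleep 0.1
    done
    return 0
}

main() {
    if dev=$(extract_dev "$@"); then
        # Timing out is logged but not fatal: let ip run and report the
        # real error instead of silently swallowing it as before.
        wait_for_dev "$dev" || log "continuing; ip will report the real error"
    fi
    # exec so ip's exit status is the script's; OpenVPN checks it.
    exec "$IP_BIN" "$@"
}

# OpenVPN always passes arguments. With none, only define the functions
# (keeps the file safe to source).
[ $# -eq 0 ] || main "$@"
```

Two practical notes. First, the log above shows the `/sbin/ip` calls happen before `UID set to nobody`, so whatever `iproute` points at runs as root inside the container: keep the wrapper root-owned and not writable by other users, or a writable script becomes a root code-execution path on every OpenVPN start. Second, if the device never appears the wrapper still runs `ip`, so the failure now surfaces as an `ip` error in the container log rather than as an interface with no address and an "Initialization Sequence Completed" line, which is the diagnostic gap the thread complains about.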

bignay2000 commented 6 years ago

Any updates on this being solved? It is really difficult to diagnose the OpenVPN client and/or OpenVPN server if there are no error messages. My OpenVPN container works on Ubuntu and locally on Docker for Mac, but I am not able to ping the LAN from newer CoreOS versions.

Trying to figure out the workaround mentioned above...

ajtucker commented 6 years ago

I've had this issue for some time running OpenVPN in Docker on CoreOS, but not on other hosts. The delay-ip.sh workaround above solves it for me, thanks.