OpenVPN client does not pass some of the mandatory configuration parameters to UP and ROUTE-UP scripts.
I was trying to set up my VPN routing on OpenWRT 19.07 using UP and ROUTE-UP scripts as I did before on other platforms but stepped into an issue.
I found out that some of the most important mandatory configuration parameters to be passed to UP/ROUTE-UP scripts are ignored or lost somewhere along the way.
The most important parameter that is lost/ignored is 'route_vpn_gateway'.
According to the OpenVPN 2.4 MAN page/reference manual:
1) The 'up' and 'route-up' commands are useful for specifying route commands which route IP traffic into the tunnel.
2) A huge set of configuration parameters are passed to these scripts via environment variables.
3) Besides all of these parameters there is a mandatory parameter that is critical for configuring routing of other networks through the VPN tunnel: 'route_vpn_gateway'.
4) The 'route_vpn_gateway' environment variable is described in the OpenVPN documentation as follows:
The default gateway used by --route options, as specified in either the --route-gateway option
or the second parameter to --ifconfig when --dev tun is specified. Set prior to --up script execution.
After setting up my 'up' and 'route-up' scripts I figured out that at least two mandatory parameters are ignored or lost somewhere along the way:
$route_vpn_gateway
$ifconfig_remote
My client config is created according to official documentation and works fine on other systems (Ubuntu, AdvancedTomato).
The portion of the client config related to UP and ROUTE-UP script startup is configured as follows:
...
script-security 2
route-noexec
up /etc/openvpn/pbr-ovpn-up.sh
route-up /etc/openvpn/pbr-ovpn-up.sh
...
First of all I verified that the '--route-gateway' option is really passed from server to client by examining OpenVPN events in the system log.
I found a record confirming the '--route-gateway' option is pushed by the server and received by client on every connection establishment:
Sun Apr 18 08:32:30 2021 daemon.notice openvpn(vul_fra_client2)[4063]:
PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,socket-flags TCP_NODELAY,ifconfig 10.8.0.3 255.255.255.0,peer-id 0'
route-gateway 10.8.0.1
To re-confirm the issue I saved the whole bundle of parameters passed to 'up' and 'route-up' scripts to the system log.
#!/usr/bin/env sh
# Tag for the syslog entries; $$ appends the PID of this script invocation.
SCRIPT_NAME_POSU="pbr-ovpn-up"
# Dump the exported environment OpenVPN hands to the up/route-up script.
env | logger -t "${SCRIPT_NAME_POSU} [$$]"
# Dump all shell variables as well, in case something was set but not exported.
set | logger -t "${SCRIPT_NAME_POSU} [$$]"
And then performed a search by keywords 'route' and 'ifconfig':
Sun Apr 18 08:32:30 2021 daemon.notice openvpn(vul_fra_client2)[4063]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_broadcast=10.8.0.255
Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_netmask=255.255.255.0
Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_local=10.8.0.3
Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_broadcast='10.8.0.255'
Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_local='10.8.0.3'
Sun Apr 18 08:32:31 2021 user.notice pbr-ovpn-up [4206]: ifconfig_netmask='255.255.255.0'
As you can see from the output the $route_vpn_gateway environment variable was not passed to the script, just like '$ifconfig_remote'.
I am really not very interested in the presence of '$ifconfig_remote' variable but $route_vpn_gateway is critical for my routing scripts.
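As an added example (not the reporter's script), a fail-closed variant of the up/route-up script: it resolves the gateway from $route_vpn_gateway, then $ifconfig_remote, then an operator-supplied fallback set in the client config with 'setenv PBR_GW <addr>', validates the value before handing it to 'ip route', and exits non-zero otherwise so OpenVPN aborts the connection instead of leaving the policy-routing table pointing at the default route. The PBR_GW name and routing table 100 are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not the reporter's script. OpenVPN sets $dev and $script_type
# ("up" / "route-up") before running this file; PBR_GW and table 100 are assumed.

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address (each octet 0-255).
# Runs in a subshell so the IFS change and 'set --' do not leak to the caller.
is_ipv4() (
    case "$1" in *[!0-9.]*|"") return 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
)

# resolve_vpn_gateway ROUTE_VPN_GATEWAY IFCONFIG_REMOTE FALLBACK
# Prints the first candidate that is a valid IPv4 address, in this order:
#   1. route_vpn_gateway  (what the manual documents for --route)
#   2. ifconfig_remote    (peer address in p2p tun mode)
#   3. FALLBACK           (operator value, e.g. from 'setenv PBR_GW 10.8.0.1')
# Returns 1 when none is usable, so the caller can fail closed.
resolve_vpn_gateway() {
    for candidate in "$1" "$2" "$3"; do
        if is_ipv4 "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Entry point used when OpenVPN invokes this script.
main() {
    gw=$(resolve_vpn_gateway "${route_vpn_gateway:-}" "${ifconfig_remote:-}" "${PBR_GW:-}") || {
        logger -t pbr-ovpn-up "no usable VPN gateway (route_vpn_gateway unset); aborting"
        return 1   # non-zero exit makes OpenVPN treat the up script as failed
    }
    logger -t pbr-ovpn-up "script_type=${script_type:-?} dev=${dev:-?} gateway=$gw"
    # Policy route for the traffic selected by ip rules pointing at table 100 (assumed id).
    ip route replace default via "$gw" dev "$dev" table 100
}

# Only act when OpenVPN is the caller ($dev is always set there), not when sourced.
if [ -n "${dev:-}" ]; then
    main
fi
```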
HOW TO REPRODUCE:
1) Create a simple OpenVPN client/server installation (a simple instruction from digitalocean could be used).
2) Create a simple script /etc/openvpn/up.sh
Example contents could be something like this:
3) Add the following lines to the standard ovpn client config file:
As you wish you can remove 'route-noexec' and 'route-up' directives and leave only 'script-security 2' and 'up /etc/openvpn/up.sh' (I was testing both script types).
script-security 2
route-noexec
up /etc/openvpn/pbr-ovpn-up.sh
route-up /etc/openvpn/pbr-ovpn-up.sh
4) Establish VPN connection.
5) Examine system log for output from the script.
You will see that most of the variables were successfully passed to the script but '$route_vpn_gateway' and '$ifconfig_remote'
Maintainer: @nbd168
Environment: arm_cortex-a15_neon-vfpv4 Netgear Nighthawk X4S R7800
Linux R7800 4.14.221 #0 SMP Mon Feb 22 15:36:55 2021 armv7l GNU/Linux
OpenWrt 19.07-SNAPSHOT r11312-e9c0c5021c
OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
OpenSSL 1.1.1j 16 Feb 2021, LZO 2.10
The log lines above were collected with:
root@R7800:~# logread | egrep ".*route_.*|.*ifconfig_.*"
Thank you in advance!