opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

Routes are not learned through OpenVPN site-to-site configuration #7269

Closed TotallyMonica closed 1 month ago

TotallyMonica commented 7 months ago

Describe the bug

While setting up a site-to-site VPN utilizing OpenVPN, routes were not being properly learned, requiring manual addition through the CLI and/or WebGUI.

To Reproduce

Steps to reproduce the behavior:

  1. Configure OpenVPN on relevant OPNsense instances as per https://docs.opnsense.org/manual/how-tos/sslvpn_instance_s2s.html
  2. Visit VPN -> OpenVPN -> Connection Status on either instance
  3. Observe that either end reports ERROR: FreeBSD route add command failed: external program exited with error status: 1
  4. Visit System -> Routes -> Configuration
  5. Observe that the only routes learned are the OpenVPN tunnel network, not any of the site networks.
  6. Upon shutdown of OpenVPN, observe that either end reports ERROR: FreeBSD route delete command failed: external program exited with error status: 1

Expected behavior

Routes are learned successfully through proper configuration of the OpenVPN server

Describe alternatives you considered

Accessing the CLI on both routers and running route add $network_in_cidr_format $destination_ovpn_ip_address completed successfully and correctly. After deleting the route with the corresponding command and re-adding it through the web GUI, it was added successfully as well and persisted across reboots.

Screenshots

Server configuration: (screenshots)

Server routes learned (via VPN -> OpenVPN -> Connection Status -> Routes): (screenshot)

Server routes learned (via System -> Routes -> Status): (screenshot)

Client configuration: (screenshot)

Client routes learned (via VPN -> OpenVPN -> Connection Status -> Routes): (screenshot)

Client routes learned (via System -> Routes -> Status): (screenshot)

Relevant log files

Server OpenVPN logs:

2024-02-22T09:41:39-06:00   Warning openvpn_server1  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22T09:41:39-06:00   Warning openvpn_server1  WARNING: --keepalive option is missing from server config
2024-02-22T09:40:29-06:00   Error   openvpn_server1  event_wait : Interrupted system call (fd=-1,code=4)
2024-02-22T09:34:58-06:00   Warning openvpn_server1  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22T09:34:58-06:00   Warning openvpn_server1  WARNING: --keepalive option is missing from server config
2024-02-22T09:34:55-06:00   Error   openvpn_server1  event_wait : Interrupted system call (fd=-1,code=4)
2024-02-22T09:34:40-06:00   Warning openvpn_server1  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22T09:34:40-06:00   Warning openvpn_server1  WARNING: --keepalive option is missing from server config

Client OpenVPN logs:

2024-02-22T09:41:54-06:00   Warning openvpn_client1  ERROR: FreeBSD route add command failed: external program exited with error status: 1
2024-02-22T09:41:54-06:00   Warning openvpn_client1  ERROR: FreeBSD route add command failed: external program exited with error status: 1
2024-02-22T09:41:53-06:00   Warning openvpn_client1  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22T09:41:53-06:00   Warning openvpn_client1  WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-02-22T09:39:36-06:00   Warning openvpn_client1  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22T09:39:36-06:00   Warning openvpn_client1  WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-02-22T09:37:33-06:00   Warning openvpn_client1  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22T09:37:33-06:00   Warning openvpn_client1  WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-02-22T09:35:18-06:00   Warning openvpn_client1  ERROR: FreeBSD route add command failed: external program exited with error status: 1
2024-02-22T09:35:16-06:00   Warning openvpn_client1  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22T09:35:16-06:00   Warning openvpn_client1  WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-02-22T09:35:14-06:00   Warning openvpn_client1  ERROR: FreeBSD route add command failed: external program exited with error status: 1
2024-02-22T09:35:14-06:00   Warning openvpn_client1  ERROR: FreeBSD route delete command failed: external program exited with error status: 1

Note: Logs have been truncated due to their length. I am willing to provide full logs upon request.

Additional context

This has been performed in a virtual environment on VMware Workstation 16 Pro. Due to everything being virtualized and no sensitive information being used in these, I am willing to provide the configuration used on both the client and server endpoints to facilitate troubleshooting.

Environment

OPNsense 24.1.2_1 (amd64)
CPU: Intel Core i5-1135G7 (each VM has 4 cores)
NICs: Intel 82545EM (emulated through VMware)
OpenVPN version: 2.6.9
Server network: 192.168.184.1/24
Client network: 192.168.208.1/24
OpenVPN tunnel network: 10.150.199.0/24

mimugmail commented 7 months ago

You need a client-specific override with the CN, and set the remote network there too.

TotallyMonica commented 7 months ago

While it wasn't shown before, I do have that already on the server side, again configured as per the documentation. (screenshot)

TotallyMonica commented 7 months ago

I realized my prior screenshot didn't show the CSO settings, so here are the actual settings. (screenshot)

CitraIT commented 7 months ago

Please select the proper tunnel in the "Servers" field. That solved it for me.

bicisteadm commented 5 months ago

Has anyone managed to solve it? I currently have the same problem. I have selected the proper tunnel in the "Servers" field.

Abraka commented 1 month ago

Same here:

Warning openvpn_client1 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Notice openvpn_client1 /sbin/route add -net 192.168.5.0 10.100.10.1 255.255.255.0
Notice openvpn_client1 /sbin/route add -net 192.168.5.0 10.100.10.1 255.255.255.0
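The comment above is the first place in the thread where the actual command OpenVPN hands to route(8) is visible, and the issue description gives the manual workaround (route add NETWORK/PREFIX GATEWAY). The script below ties the two together as an added example; it is not code from the OPNsense project or from anyone in this thread. It reads OpenVPN log lines in the format OPNsense shows (newest first), pulls out every /sbin/route add -net command that was attempted, counts the "route add command failed" lines, and prints the manual CIDR-form command for each distinct route. It also emits the stock OpenVPN route/iroute directives for a network behind a client, which is assumed here to be what a client-specific override's Remote Network entry maps to. The log lines inside it are constructed to match the format shown above, not a real capture, and the file name ovpn_routes.sh is arbitrary.

```shell
#!/bin/sh
# Added example, not OPNsense project code. Extracts the route commands OpenVPN
# attempted from an OPNsense log excerpt and prints the manual "route add
# NET/PREFIX GW" form used as a workaround in the issue. POSIX sh only.

# Dotted-quad netmask -> prefix length; rejects non-contiguous masks.
mask_to_prefix() {
    prefix=0
    trailing=0                         # set once a non-255 octet has been seen
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$trailing" -eq 1 ] && [ "$octet" != 0 ] && return 1
        case $octet in
            255) prefix=$((prefix + 8)) ;;
            254) prefix=$((prefix + 7)); trailing=1 ;;
            252) prefix=$((prefix + 6)); trailing=1 ;;
            248) prefix=$((prefix + 5)); trailing=1 ;;
            240) prefix=$((prefix + 4)); trailing=1 ;;
            224) prefix=$((prefix + 3)); trailing=1 ;;
            192) prefix=$((prefix + 2)); trailing=1 ;;
            128) prefix=$((prefix + 1)); trailing=1 ;;
            0)   trailing=1 ;;
            *)   return 1 ;;
        esac
    done
    echo "$prefix"
}

# Count "route add command failed" lines on stdin.
route_add_failures() {
    awk '/route add command failed/ { n++ } END { print n + 0 }'
}

# Distinct "network gateway netmask" triples from /sbin/route add -net lines on
# stdin, in first-seen order. FreeBSD route(8) argument order is
# "route add -net NET GATEWAY NETMASK", as in the logged commands.
attempted_routes() {
    awk '{
        for (i = 1; i + 5 <= NF; i++)
            if ($i == "/sbin/route" && $(i+1) == "add" && $(i+2) == "-net") {
                key = $(i+3) " " $(i+4) " " $(i+5)
                if (!(key in seen)) { seen[key] = 1; print key }
            }
    }'
}

# Rewrite each attempted route as the manual workaround command:
#   route add NETWORK/PREFIX GATEWAY
manual_route_cmds() {
    attempted_routes | while read -r net gw mask; do
        if prefix=$(mask_to_prefix "$mask"); then
            echo "route add $net/$prefix $gw"
        else
            echo "skipping $net: bad netmask $mask" >&2
        fi
    done
}

# Server-side OpenVPN directives for a network behind the client with common
# name $1: a kernel route in the server config plus an iroute in that client's
# ccd entry. Assumed to be what an OPNsense CSO "Remote Network" entry sets.
server_side_directives() {
    cn=$1; net=$2; mask=$3
    mask_to_prefix "$mask" >/dev/null || return 1
    printf '# server config\nroute %s %s\n' "$net" "$mask"
    printf '# ccd/%s\niroute %s %s\n' "$cn" "$net" "$mask"
}

# Constructed sample in the OPNsense log format (not a real capture): two
# failed adds, one command logged twice, one with a /22 mask.
SAMPLE_LOG='2024-10-01T10:00:03+02:00 Warning openvpn_client1 ERROR: FreeBSD route add command failed: external program exited with error status: 1
2024-10-01T10:00:03+02:00 Warning openvpn_client1 ERROR: FreeBSD route add command failed: external program exited with error status: 1
2024-10-01T10:00:02+02:00 Notice openvpn_client1 /sbin/route add -net 192.168.5.0 10.100.10.1 255.255.255.0
2024-10-01T10:00:02+02:00 Notice openvpn_client1 /sbin/route add -net 192.168.5.0 10.100.10.1 255.255.255.0
2024-10-01T10:00:02+02:00 Notice openvpn_client1 /sbin/route add -net 172.16.40.0 10.100.10.1 255.255.252.0'

# Usage: sh ovpn_routes.sh [logfile]; with no file the sample above is used.
if [ -n "${1-}" ]; then
    log=$(cat "$1")
else
    log=$SAMPLE_LOG
fi
echo "route add failures: $(printf '%s\n' "$log" | route_add_failures)"
printf '%s\n' "$log" | manual_route_cmds
```

The thread never establishes why route(8) exits with status 1, so the script deliberately only reports what was attempted rather than guessing a cause; before running any printed command on the firewall, compare it against the existing table with netstat -rn so a route that is already present is not added twice.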

OPNsense-bot commented 1 month ago

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.