We have moved to a new Sailfish OS Forum. Please start new discussions there.
14

VPN Client: Openvpn is not routing traffic through VPN [released]

Tracked by Jolla (In release)

asked 2017-07-10 16:47:10 +0200

stateoftheart gravatar image

updated 2017-08-31 14:26:19 +0200

VPN Client: Openvpn is not routing traffic through VPN

I observed the following routing table, if I manually use openvpn on the CLI:

0.0.0.0/1      via 10.0.0.5      dev tun0
default        via 192.168.0.100 dev wlan0
10.0.0.1       via 10.0.0.5      dev tun0
10.0.0.5       dev tun0  proto kernel  scope link  src 10.0.0.6
<vpn-ip>       via 192.168.0.100 dev wlan0
128.0.0.0/1    via 10.0.0.5      dev tun0
192.168.0.0/24 dev wlan0  proto kernel  scope link  src 192.168.0.100
192.168.0.1    dev wlan0  scope link

with the VPN Client the following routing table is created:

default        via 192.168.0.100 dev wlan0
10.0.0.1       via 10.0.0.5      dev vpn0
10.0.0.5       dev vpn0  proto kernel  scope link  src 10.0.0.6
<vpn-ip>       via 192.168.0.100 dev wlan0
192.168.0.0/24 dev wlan0  proto kernel  scope link  src 192.168.0.100
192.168.0.1    dev wlan0  scope link

Is this a bug, or is it the intended behavior? The traffic is not per default routed through the VPN. Suggestions how to make it possible?

I tried:

ip route add default via 10.0.0.5

which gave back the following error: "RTNETLINK answers: File exists"

Configs:

First page:

  • Server address
  • Certificate Authority file
  • OpenVPN password file

Advanced page:

  • Protocol type LZO Compression = adaptive
  • Prevent caching credentials
  • Enforce remote certificate type = server

Info: The OpenVpn configuration file crashes the VPN Client.

Log:

Jul 10 00:00:01 Sailfish openvpn[26397]: OpenVPN 2.3.6 armv7l-unknown-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 27 2016
Jul 10 00:00:01 Sailfish openvpn[26397]: library versions: OpenSSL 1.0.2h-fips  3 May 2016, LZO 2.09
Jul 10 00:00:01 Sailfish openvpn[26397]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 10 00:00:01 Sailfish openvpn[26397]: UDPv4 link local: [undef]
Jul 10 00:00:01 Sailfish openvpn[26397]: UDPv4 link remote: [AF_INET]<vpn-ip>:<vpn-port>
Jul 10 00:00:03 Sailfish openvpn[26397]: [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] Peer Connection Initiated with [AF_INET]<vpn-ip>:<vpn-port>
Jul 10 00:00:05 Sailfish openvpn[26397]: TUN/TAP device vpn0 opened
Jul 10 00:00:05 Sailfish openvpn[26397]: /usr/lib/connman/scripts/openvpn-script vpn0 1500 1570 10.0.0.6 10.0.0.5 init
Jul 10 00:00:05 Sailfish openvpn[26397]: Initialization Sequence Completed
Jul 10 00:00:05 Sailfish connmand[624]: Adding host route failed (Network is unreachable)
Jul 10 00:00:05 Sailfish connmand[624]: Adding host route failed (Network is unreachable)
Jul 10 00:00:05 Sailfish connmand[624]: ipconfig state 4 ipconfig method 1
Jul 10 00:00:05 Sailfish connmand[624]: Adding host route failed (Network is unreachable)
Jul 10 00:00:05 Sailfish connmand[624]: Adding host route failed (Network is unreachable)
Jul 10 00:00:05 Sailfish connmand[624]: Adding host route failed (Network is unreachable)
Jul 10 00:00:05 Sailfish connmand[624]: Time request for server <time-server-ip?> failed (101/Network is unreachable)
Jul 10 00:00:05 Sailfish connmand[624]: Time request for server <time-server-ip?> failed (101/Network is unreachable)
Jul 10 00:00:05 Sailfish connmand[624]: Time request for server <time-server-ip?> failed (101/Network is unreachable)
Jul 10 00:00:05 Sailfish connmand[624]: Time request for server <time-server-ip?> failed (101/Network is unreachable)
Jul 10 00:00:05 Sailfish connmand[624]: Adding host route failed (Network is unreachable)
Jul 10 00:00:05 Sailfish connmand[624]: Adding host route failed (Network is unreachable)
Jul 10 00:00:05 Sailfish connmand[624]: Adding host route failed (Network is unreachable)

Edit: It is fixed for me in SF OS 2.1.1.26, but now a new bug arose:

If you disconnect from the VPN and reconnect to it again and get a new IP address from the VPN Server, the old address is not flushed from the routing table.

Is this behavior intended? Thanks for your investigation.

default dev vpn0  scope link
10.13.10.1 via 10.13.10.5 dev vpn0
10.13.10.5 dev vpn0  proto kernel  scope link  src 10.13.10.6
.
.
.
10.3.10.1 via 10.2.10.5 dev vpn0
10.2.10.1 via 10.3.10.5 dev vpn0
10.1.10.1 via 10.4.10.5 dev vpn0
<vpn-ip> via 192.168.0.100 dev wlan0
192.168.0.0/24 dev wlan0  proto kernel  scope link  src 192.168.0.100
192.168.0.1 dev wlan0  scope link
<vpn-ns1> dev vpn0  scope link
<vpn-ns2> dev vpn0  scope link

Edit2:

new thread opened on https://together.jolla.com/question/166581/vpn-client-openvpn-is-not-flushing-recent-connections/

closing this one...

edit retag flag offensive reopen delete

The question has been closed for the following reason "released in a software update" by stateoftheart
close date 2017-08-31 14:27:13.085677

Comments

1

Thanks for reporting this. Pointer to this added to Jolla Bugzilla.

jovirkku ( 2017-07-28 12:24:35 +0200 )edit
1

@stateoftheart I think you should open a new thread for the new bug and close this thread since the initially reported bug is fixed now.

Alex ( 2017-08-31 13:53:00 +0200 )edit

thank you for pointing this out.

I have created a new thread on https://together.jolla.com/question/166581/vpn-client-openvpn-is-not-flushing-recent-connections/

stateoftheart ( 2017-08-31 14:24:31 +0200 )edit

Seems like the same bug has resurfaced. Getting the original issue with 3.0.3.10

ixevix ( 2019-06-19 12:40:55 +0200 )edit

sorry, I couldn't reproduce it. for me it still works in 3.0.3.10:

[root@Sailfish nemo]# ip route
default         dev vpn0  scope link
10.0.0.0/16     dev vpn0  proto kernel  scope link  src 10.0.0.5
<vpn-ip>        via 192.168.0.100 dev wlan0
192.168.0.0/24  dev wlan0  proto kernel  scope link  src 192.168.0.100
192.168.0.100   dev wlan0  scope link
stateoftheart ( 2019-07-19 20:26:40 +0200 )edit

3 Answers

Sort by » oldest newest most voted
2

answered 2017-07-11 22:06:49 +0200

DarkTuring gravatar image

I know its not quite an answer but openVPN profiles for me only work with Securefishnet.

edit flag offensive delete publish link more

Comments

I suppose this is a duplicate, but there is a beginning of answer there: https://together.jolla.com/question/161342/trouble-with-vpn-tuntap-permission-denied/ Running the openvpn commands as root do work in 2.1.1.24, so I suppose there is a permission issue somewhere with the default Sailfish VPN GUI.

However, it seems I can't use Securefishnet as a workaround with my configuration files (although they do work on my computer or on Jolla C when using them as root from terminal). Securefishnet keeps showing "disconnected" even though my authentification information is correct, no idea why.

Kabouik ( 2017-07-31 05:16:05 +0200 )edit
2

answered 2017-07-29 11:18:27 +0200

soheilbalini gravatar image

I have the same problem since new release (2.1.1). The connection seems to work but no traffic is going through vpn. I felt like I should report this here to see if other ppl also having the same problem or not

edit flag offensive delete publish link more
2

answered 2017-07-29 13:37:01 +0200

JoJo gravatar image

I have the exact same problem as described by soheilbalina. No traffic trough vpn. If i use Securefishnet with the same accredentials it does work..

Too bad. I'd like to use it

edit flag offensive delete publish link more

Question tools

Follow
8 followers

Stats

Asked: 2017-07-10 16:47:10 +0200

Seen: 1,556 times

Last updated: Aug 31 '17