[Bug] OpenVPN Default Route directive from server ignored

Question

23

[Bug] OpenVPN Default Route directive from server ignored

asked 2017-10-15 15:25:38 +0300

tobru

5372 ●27 ●33 ●33

https://tobru.ch/

updated 2017-10-16 16:16:49 +0300

ghling

4414 ●58 ●89 ●96

Using an OpenVPN connection from Settings -> VPN does not set the default route via the VPN to route all traffic through the VPN connection. The connection is successfully initiated, but the default route is not touched.

[root@Sailfish nemo]# ip r
default via 192.168.25.1 dev wlan0 
80.254.77.XX dev vpn0  scope link 
80.254.79.YY via 192.168.25.1 dev wlan0 
80.254.79.ZZ dev vpn0  scope link 
93.94.246.0/25 dev vpn0  proto kernel  scope link  src 93.94.246.XXX 
192.168.25.0/24 dev wlan0  proto kernel  scope link  src 192.168.25.AAA 
192.168.25.1 dev wlan0  scope link

The default route still goes via the WLAN connections default router.

Without VPN connected the routing table looks like this:

[root@Sailfish nemo]# ip r  
default via 192.168.25.1 dev wlan0 
192.168.25.0/24 dev wlan0  proto kernel  scope link  src 192.168.25.189 
192.168.25.1 dev wlan0  scope link

What do I have to do that all connections are routed through OpenVPN?

edit retag flag offensive close delete

Comments

1

Having no default gateway routing through the tunnel is not necessarily a bug in SFOS. Having a proper configuration which mandates all traffic trough the tunnel and no corresponding routing on the client would make this a SFSO bug. I'll remove the bug tag; please re-add it if you are sure this is a SFOS bug.

Maus ( 2017-10-15 16:17:39 +0300 )edit

2

I can confirm that this is a bug in SFOS. My OpenVPN server is configured to push a default route via the VPN tunnel to the client (push "redirect-gateway def1 bypass-dhcp"). This works on every other device except Sailfish (had the issue both on my Jolla C and now on my Xperia X) where the default route is not set. Furthermore, privilege downgrading (best practice to drop the privileges of the connection to user and group "nobody") does not to work either. It is not only ignored but causes the connection attempt with the server to fail.

ghling ( 2017-10-16 16:15:12 +0300 )edit

Having no default gateway routing through the tunnel is not necessarily a bug in SFOS. Having a proper configuration which mandates all traffic trough the tunnel and no corresponding routing on the client would make this a SFSO bug. I'll remove the bug tag; please re-add it if you are sure this is a SFOS bug.
Maus ( 2017-10-15 16:17:39 +0300 )edit
I can confirm that this is a bug in SFOS. My OpenVPN server is configured to push a default route via the VPN tunnel to the client (push "redirect-gateway def1 bypass-dhcp"). This works on every other device except Sailfish (had the issue both on my Jolla C and now on my Xperia X) where the default route is not set. Furthermore, privilege downgrading (best practice to drop the privileges of the connection to user and group "nobody") does not to work either. It is not only ignored but causes the connection attempt with the server to fail.
ghling ( 2017-10-16 16:15:12 +0300 )edit

Answer 1

0

answered 2017-10-15 15:40:46 +0300

Maus
2032 ●20 ●42 ●54

updated 2017-10-15 15:55:45 +0300

OpenVPN does not set a default route without a (remote, local) configuration that tells it to do so. I see that some address ranges are routed through the tunnel, and these are likely set on your client by an OpenVPN server push command. It is possible to let the server send a push command that causes all traffic to go through the tunnel. I'd guess that the server configuration doesn't do that with your connection intentionally. For example, the VPN server may not be a full internet router, but only lets you access those networks covered by the push commands.

To force the remote VPN server into being a generic internet gateway, use redirect-gateway def1 in your local configuration file.

edit flag offensive delete publish link

Comments

As I don't control the remote, I'm not sure what the remote sends. How can I update the local configuration to set the default gateway to the VPN connection?

tobru ( 2017-10-15 15:45:48 +0300 )edit

You can see what the remote sends by looking into the system journal. You could add this to your configuration file: redirect-gateway def1, but as written above, I doubt the remote server is configured for generic internet routing.

Maus ( 2017-10-15 15:54:34 +0300 )edit

For example, the VPN server may not be a full internet router

It is. The VPN service I'm using is made exactly for this use case.

To force the remote VPN server into being a generic internet gateway, use redirect-gateway def1 in your local configuration file.

How can I edit the local configuration when using the SailfishOS provided implementation? I don't see an option under "Settings -> VPN".

You can see what the remote sends by looking into the system journal.

There is not much logged:

openvpn[12291]: OpenVPN 2.3.13 armv7l-unknown-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 14 2017
openvpn[12291]: library versions: OpenSSL 1.0.2h-fips  3 May 2016, LZO 2.09
openvpn[12291]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
openvpn[12291]: Attempting to establish TCP connection with [AF_INET]80.254.79.110:1194 [nonblock]
openvpn[12291]: TCP connection established with [AF_INET]80.254.79.110:1194
openvpn[12291]: TCPv4_CLIENT link local: [undef]
openvpn[12291]: TCPv4_CLIENT link remote: [AF_INET]80.254.79.110:1194
openvpn[12291]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
openvpn[12291]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1559', remote='link-mtu 1459'
openvpn[12291]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1400'
openvpn[12291]: [connect.swissvpn.net] Peer Connection Initiated with [AF_INET]80.254.79.110:1194
openvpn[12291]: TUN/TAP device vpn0 opened
openvpn[12291]: /usr/lib/connman/scripts/openvpn-script vpn0 1500 1559 80.254.65.240 255.255.255.128 init
openvpn[12291]: Initialization Sequence Completed

You could add this to your configuration file: redirect-gateway def1

I don't see a way to edit the configuration with the SailfishOS integrated VPN.

tobru ( 2017-10-15 17:53:17 +0300 )edit

IMHO push does not work with 2.1.1 and 2.1.2 - see https://together.jolla.com/question/167526/open-vpn-astrill-intex-aquafish/

cy8aer ( 2017-10-15 19:06:22 +0300 )edit

Answer 2

-1

answered 2017-10-15 16:04:34 +0300

pullrequest

1 ●1

Hi tobru,

I am on the community-build and had the same behavior. I do not know whether this works in the official version as well.

Attention: This is an intervention in the system and should only be executed if you know what you are doing. No liability for anything.

To replace the standard nameserver with the vpn-pushed-nameserver, I had to edit the connman service to start connman with the --nodnsproxy option.

edit flag offensive delete publish link

Comments

This is very valuable information to me, thank you, @pullrequest!

Maus ( 2017-10-15 16:19:12 +0300 )edit

1

To replace the standard nameserver with the vpn-pushed-nameserver

Thanks, but I don't talk about the nameserver but the default gateway to route all connections via the OpenVPN tunnel.

tobru ( 2017-10-15 17:54:19 +0300 )edit

Sorry, since I have probably read too fast and superficially. Setting the default route automatically works fine for me. Then take my answer no further.

pullrequest ( 2017-10-15 18:26:43 +0300 )edit

Accepted Answer

1

answered 2017-10-15 23:57:46 +0300

XFish
661 ●16 ●26 ●31

Already answered here: https://together.jolla.com/question/167526/open-vpn-astrill-intex-aquafish/

edit flag offensive delete publish link

Comments

2

Sadly this answer doesn't help =(

tobru ( 2017-10-16 22:44:41 +0300 )edit

Answer 4

5

answered 2017-10-16 16:47:03 +0300

ghling

4414 ●58 ●89 ●96

updated 2017-10-17 09:45:47 +0300

I have re-added the "bug" tag as this seems to be a bug in SFOS. The VPN client ignores the redirect-gateway def1 directive it receives from the server upon connection, which should set a new default route. Other routes pushed by the server are added as intended.

From the Server log:

SENT CONTROL [vpn-client3]: 'PUSH_REPLY,route 10.10.10.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.10.12.14,route 10.10.11.1,topology net30,ping 10,ping-restart 120,ifconfig 10.10.11.30 10.10.11.29,peer-id 1' (status=1)

ip r output (of the relevant, pushed routes) on the phone:

10.10.10.0/24 via 10.10.11.29 dev vpn0

10.10.11.1 via 10.10.11.29 dev vpn0

10.10.11.29 dev vpn0 proto kernel scope link src 10.10.11.30

10.10.12.14 dev vpn0 scope link

Adding the option in the .conf file on the phone before importing it as suggested here did not solve this issue for me on the Xperia X (read: did not add the new default route upon connecting).

edit flag offensive delete publish link

Comments

1

I just checked the OVPN file I've used to configure the VPN (http://www.swissvpn.net/downloads/swissvpn.ovpn) and there is clearly redirect-gateway def1 defined. So it really appears to be a bug.

tobru ( 2017-10-16 22:41:55 +0300 )edit

Answer 5

0

answered 2017-11-29 12:45:26 +0300

Corvinux
391 ●6 ●7 ●9

updated 2017-11-29 13:05:22 +0300

@tobru What I've found out is that you just need to reboot you phone after you have imported your ".ovpn" file and then normally connect to your vpn provider, BTW, I'm using expressvpn*.ovpn" on my Sony Xperia X, SailfishOS 2.1.3.7 (Kymijoki) and it will default route to vpn0.

[root@SailfishX nemo]# ip r
default dev vpn0  scope link
.... via .... dev vpn0 
.... dev vpn0  scope link 
.... dev vpn0  proto kernel  scope link  src .... 
.... via .... dev wlan0 
...0/24 dev wlan0  proto kernel  scope link  src .... 
.... dev wlan0  scope link

edit flag offensive delete publish link

Answer 6

1

answered 2017-11-29 16:31:42 +0300

Pasko
937 ●11 ●26 ●27

Hi.

While I've been suspecting that the default route is set wrongly during VPN setup I must also say that using tcpdump in my Xperia X only shows traffic from my device to the VPN server and not anywhere else. Not even DNS querys which I also route through the VPN tunnel.

In my setup I also use redirect-gateway def1 (server and client) as well as push "dhcp-option DNS 172.26.0.1" (only in the server)

However, I don't use the beta VPN software provided by Jolla. I use SecureFishNet from openrepos, which is also based in connmand.

This is the tcpdump test I made, showing no traffic going outside the VPN:

[root@Sailfish nemo]pkcon refresh
[root@Sailfish nemo]pkcon install tcpdump
[root@Sailfish nemo]tcpdump -i rmnet_data0 host not 'server_ip_address'

In my case rmnet_data0 is the device associated with my cellular data PDP Context. If you change rmnet_data0 with vpn0 you should see ALL traffic going inside the VPN.

You may also try changing rmnet_data0 with wlan0 if you're using a WiFi network.

Summarizing:

1.- I think the default route issue is at least 'misguiding' :D

2.- I don't see any traffic going outside the vpn0 interface (including DNS queries).

Regards.

edit flag offensive delete publish link

Answer 7

1

answered 2017-12-29 21:10:55 +0300

Juma7C9

11 ●2 ●3

https://github.com/Juma7C...

updated 2017-12-29 21:12:52 +0300

I think the problem depends on the internals of Connman. As stated in an answer to a similar problem, the default gateway gets assigned to the first service, as can be seen using connmanctl services.

Indeed, doing some tests I got:

[root@Sailfish openvpn]# connmanctl services
*AO home_wlan            wifi_94fd2e0368ad_686f6d655f776c616e_managed_psk
* R openvpn              vpn_ar2_mysite_dom_merproject_org
*   openvpn              vpn_par_mysite_dom_merproject_org
*   openvpn              vpn_sbg_mysite_dom_merproject_org
*A  I WIND               cellular_222883670243541_context1
    Vodafone-30452127    wifi_94fd2e0368ad_566f6461666f6e652d3330343532313237_managed_psk
[...]

[root@Sailfish openvpn]# ip route
default via 192.168.1.254 dev wlan0 
[vpn_remote_ip] via 192.168.1.254 dev wlan0 
192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.73 
192.168.1.254 dev wlan0  scope link 
192.168.128.1 via 192.168.128.13 dev vpn0 
192.168.128.13 dev vpn0  proto kernel  scope link  src 192.168.128.14 

[root@Sailfish openvpn]# connmanctl move-before vpn_ar2_mysite_dom_merproject_org wifi_94fd2e0368ad_686f6d655f776c616e_managed_psk
Moved vpn_ar2_mysite_dom_merproject_org before wifi_94fd2e0368ad_686f6d655f776c616e_managed_psk
[root@Sailfish openvpn]# connmanctl services
* R openvpn              vpn_ar2_mysite_dom_merproject_org
*AR home_wlan            wifi_94fd2e0368ad_686f6d655f776c616e_managed_psk
*   openvpn              vpn_par_mysite_dom_merproject_org
*   openvpn              vpn_sbg_mysite_dom_merproject_org
*A  I WIND               cellular_222883670243541_context1
    Vodafone-30452127    wifi_94fd2e0368ad_566f6461666f6e652d3330343532313237_managed_psk
[...]

[root@Sailfish openvpn]# ip route
default dev vpn0  scope link 
[my_vpn_ip] via 192.168.1.254 dev wlan0 
192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.73 
192.168.1.254 dev wlan0  scope link 
192.168.128.1 via 192.168.128.13 dev vpn0 
192.168.128.13 dev vpn0  proto kernel  scope link  src 192.168.128.14

By the way, the patch proposed on 01.org seems not to have been included upstream, as there is no mention of the redirect-gateway option. This means that adding a redirect-gateway in the client conf or pushing it by the server should have no effect, as long as Connman is involved.

A possible solution would be to add a GUI switch asking the user if he/she wishes to redirect all the traffic via the VPN, and if it so push the relative service on the top of the Connman's list.

As it is now, the chances the vpn will be used as the default gw are quite random, as I found out adding some different servers, all serving the same configuration (apart from different address ranges): some systematically got to be the default gateway, some others never. As it turns out it was because the former got pushed on the list on top of the wifi service, the latter below it.

edit flag offensive delete publish link

Comments

It's very sadly, that solution was found in 2013 and wasn't implemented in connman and openvpn projects.

In my case i don't need default gateway through vpn. I need default route through wifi/cellular networks and route only to my work local network through vpn.

I made connmanctl move-before wifi*** vpn*** and it worked for me. But if i disable and enable vpn connection in GUI then i have a strange situation. In connmanctl services vpn is still under wifi (connman remember this setting) but in ip r i see two default routes! And no pong from internet servers after ping to them. Command route del default either connmanctl move-before vpn*** wifi*** && connmanctl move-before wifi*** vpn*** (double swap) leave only one default route but i need to execute it every time after enabling vpn.

If adding a GUI switch is a problem, maybe users can write own hook-script that executes after "ifup vpn'?

fLegmatik ( 2019-02-15 06:15:56 +0300 )edit

[Bug] OpenVPN Default Route directive from server ignored

Comments

7 Answers

Comments

Comments

Comments

Comments

Comments

Question tools

Stats

Related questions

[Bug] OpenVPN Default Route directive from server ignored

Comments

7 Answers

Comments

Comments

Comments

Comments

Comments

Question tools

Public thread

Stats

Related questions