Answer the question
In order to leave comments, you need to log in
A
A
andrewgherz2020-05-13 11:02:36
andrewgherz, 2020-05-13 11:02:36
What is the cause of the error in OpenVPN?
There is an OpenVPN server on vps and a client router on OpenWRT.
Server config
port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_jWkL84xg2YXPxlKx.crt
key server_jWkL84xg2YXPxlKx.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_jWkL84xg2YXPxlKx.crt
key server_jWkL84xg2YXPxlKx.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
Client config
client
proto udp
explicit-exit-notify
remote XXX:XXX:XXX:XXX 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_jWkL84xg2YXPxlKx name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
status /etc/openvpn/openvpn.log
verb 6
proto udp
explicit-exit-notify
remote XXX:XXX:XXX:XXX 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_jWkL84xg2YXPxlKx name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
status /etc/openvpn/openvpn.log
verb 6
When connecting to OpenVPN ip route sh shows this:
[email protected]:~# ip route sh
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.80.1 dev eth1 src 192.168.80.52
10.8.0.0/24 dev tun0 scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.0.0/24 dev br-lan scope link src 192.168.0.1
192.168.80.0/24 dev eth1 scope link src 192.168.80.52
XXX:XXX:XXX:XXX via 192.168.80.1 dev eth1After some time, the following error appears in the router console:
Recursive routing detected, drop tun packet to [AF_INET]
And ip route sh shows:
[email protected]:~# ip route sh
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.80.1 dev eth1 src 192.168.80.52
10.8.0.0/24 dev tun0 scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.0.0/24 dev br-lan scope link src 192.168.0.1
192.168.80.0/24 dev eth1 scope link src 192.168.80.52What could be the reason?
2 answer(s)
@andrewgherz
H
hint000, 2020-05-13 @andrewgherz
XXX:XXX:XXX:XXX via 192.168.80.1 dev eth1
Write this route statically, nail it down. Who knows why it falls off, maybe for a second the link disappears and is restored, and OpenVPN does not notice this event. Well, you can still play around with different options for the keepalive parameter, I'm not sure what will help, but it won't get worse.
Similar questions
A
A
M
K
N
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question