Hi,
We are using OpenVPN to build up and tear down connections on-the-fly in a service of our own. In particular, we have certain routers which are running a Debian distribution on one end, and client side, the users are running Windows, where our service runs (not only do we need to be able to run OpenVPN instances, but we also have to manipulate the routing tables, so we need administrative access, which is why we use a service, as not all of our users run with admin privileges).

With OpenVPN 2.0.9, I was noticing on my Vista dev system that occasionally I'd lose all Internet access - access to anything outside my own subnet. I was able to pin this down to the use of OpenVPN causing some problems when I would attempt to open a tunnel to a router for which I had already recently opened and closed a tunnel. Or so I thought. I switched to 2.1_rc19 to see if the problem had been addressed, and it seemingly had.

I noticed today, however, that I had lost Internet connectivity once more upon attempting to create a tunnel - only this time (or perhaps, I was looking more closely this time?) it was when I was attempting to create a tunnel to a router that was not online. Ipconfig /renew restores the network, and sure enough, attempting to establish that tunnel again, when nothing is on the other side, is causing my networking to die the second time I attempt to establish the tunnel. Windows seems to be forgetting about its default gateway or something, as I can't go anywhere outside the local subnet.

I've also tested our program on a Windows XP installation (separate computer entirely) and the same problem occurred: second attempt to establish OpenVPN tunnel to a non-existent router results in loss of connectivity beyond the local subnet.

Has anyone heard of anything like this? As I'm a complete newb when it comes to the OpenVPN source, does anyone have any suggestions for where I might start looking to address this?

OpenVPN output:

Wed Sep 02 13:57:48 2009 OpenVPN 2.1_rc19 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jul 16 2009
Wed Sep 02 13:57:48 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Sep 02 13:57:48 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Sep 02 13:57:48 2009 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Sep 02 13:57:48 2009 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Wed Sep 02 13:57:48 2009 Local Options hash (VER=V4): '3514370b'
Wed Sep 02 13:57:48 2009 Expected Remote Options hash (VER=V4): '239669a8'
Wed Sep 02 13:57:48 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Sep 02 13:57:48 2009 UDPv4 link local: [undef]
Wed Sep 02 13:57:48 2009 UDPv4 link remote: 192.168.1.49:15003
Wed Sep 02 13:58:14 2009 TCP/UDP: Closing socket
Wed Sep 02 13:58:14 2009 SIGTERM[hard,] received, process exiting
Wed Sep 02 13:58:35 2009 OpenVPN 2.1_rc19 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jul 16 2009
Wed Sep 02 13:58:35 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Sep 02 13:58:35 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Sep 02 13:58:35 2009 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Sep 02 13:58:35 2009 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Wed Sep 02 13:58:35 2009 Local Options hash (VER=V4): '3514370b'
Wed Sep 02 13:58:35 2009 Expected Remote Options hash (VER=V4): '239669a8'
Wed Sep 02 13:58:35 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Sep 02 13:58:35 2009 UDPv4 link local: [undef]
Wed Sep 02 13:58:35 2009 UDPv4 link remote: 192.168.1.49:15003
Wed Sep 02 13:59:01 2009 TCP/UDP: Closing socket
Wed Sep 02 13:59:01 2009 SIGTERM[hard,] received, process exiting

After this 2nd attempt, just prior to the penultimate line, my IM software lost connection (the first obvious symptom). Takes a /renew to bring it back up.

The arguments I am passing to OpenVPN are:

--client --dev tun --proto udp --pull --resolv-retry infinite --nobind --persist-key --persist-tun --tun-mtu 1500 --verb 3 --keepalive 10 120 --mute 20 --float --remote 192.168.1.49 15003 --ca "C:\Users\jcullison\AppData\Local\Temp\tmp3F43.tmp" --cert "C:\Users\jcullison\AppData\Local\Temp\tmp3F42.tmp" --key "C:\Users\jcullison\AppData\Local\Temp\tmp3F31.tmp"

(The names of the certificate files change each time.)

Since there is no instance of OpenVPN running on the target router at .49, I don't believe its command line, if it were running, matters.

Regards,

John Cullison
Software Engineer
Industrial Defender - Cyber Risk Protection <http://www.industrialdefender.com/>
jculli...@industrialdefender.com
425-951-3567
FAX: 425-487-2288
Industrial Defender, Inc.
21312 30th Drive SE, Suite 102
Bothell, Washington USA 98021
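
An added example, not part of the original post and not OpenVPN project code: a small Python parser that splits the log quoted in the post into one record per OpenVPN start and reports how long each attempt ran, whether the tunnel ever came up, and whether the certificate-verification warning was logged. It assumes the timestamp layout shown in the post and treats OpenVPN's `Initialization Sequence Completed` message as the sign of an established tunnel; the function and field names are hypothetical.

```python
import re
from datetime import datetime

# Lines copied from the log in the post (two attempts against the offline router).
LOG = """\
Wed Sep 02 13:57:48 2009 OpenVPN 2.1_rc19 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jul 16 2009
Wed Sep 02 13:57:48 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Sep 02 13:57:48 2009 UDPv4 link remote: 192.168.1.49:15003
Wed Sep 02 13:58:14 2009 TCP/UDP: Closing socket
Wed Sep 02 13:58:14 2009 SIGTERM[hard,] received, process exiting
Wed Sep 02 13:58:35 2009 OpenVPN 2.1_rc19 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jul 16 2009
Wed Sep 02 13:58:35 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Sep 02 13:58:35 2009 UDPv4 link remote: 192.168.1.49:15003
Wed Sep 02 13:59:01 2009 TCP/UDP: Closing socket
Wed Sep 02 13:59:01 2009 SIGTERM[hard,] received, process exiting
"""

LINE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")
BANNER = re.compile(r"^OpenVPN \S+ .* built on ")  # first line of every run

def summarize(log_text):
    """Return one dict per OpenVPN start found in log_text."""
    sessions = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip wrapped or foreign lines
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        if BANNER.match(msg):
            sessions.append({"start": ts, "end": ts, "remote": None,
                             "connected": False, "no_cert_verify": False})
        if not sessions:
            continue  # text before the first banner belongs to no run
        s = sessions[-1]
        s["end"] = ts
        if msg.startswith("UDPv4 link remote: "):
            s["remote"] = msg.split(": ", 1)[1]
        if "Initialization Sequence Completed" in msg:
            s["connected"] = True
        if "No server certificate verification method" in msg:
            s["no_cert_verify"] = True
    for s in sessions:
        s["seconds"] = int((s["end"] - s["start"]).total_seconds())
    return sessions

if __name__ == "__main__":
    for n, s in enumerate(summarize(LOG), 1):
        print(n, s["remote"], f'{s["seconds"]}s', "connected" if s["connected"]
              else "never connected", "| no cert verification" * s["no_cert_verify"])
```

Run against the posted log, both attempts show as 26-second runs that ended on SIGTERM without ever completing initialization, and both carry the warning that no server certificate verification method is enabled.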