Hello, I am observing the behavior of OpenVPN 2.4.7 trying to connect to IP addresses it never should. The devices it is running on are Yocto based, embedded, 32bit MIPS and deployed in remote networks which are not under my control.
1) OpenVPN connects successfully to server (example.com, TCP, Port 443) TCP/UDP: Preserving recently used remote address: [AF_INET]a.b.c.d:443 Attempting to establish TCP connection with [AF_INET]a.b.c.d:443 [nonblock] TCP connection established with [AF_INET]a.b.c.d:443 TCP_CLIENT link local: (not bound) TCP_CLIENT link remote: [AF_INET]a.b.c.d:443 [server] Peer Connection Initiated with [AF_INET]a.b.c.d:443 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS]) Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS]) Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS]) Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS]) Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS]) TUN/TAP device vpn0 opened /sbin/ip link set dev vpn0 up mtu 1500 /sbin/ip addr add dev vpn0 local 10.176.x.y peer 10.176.x.z Initialization Sequence Completed Hint: - example.com is put in place if the real domain of the servers - a.b.c.d refers to one out of multiple IPv4 addresses assigned to example.com 2) Internet connectivity lost because wifi/ethernet/upstream connectivity got bad/lost: [server] Inactivity timeout (--ping-restart), restarting /sbin/ip addr del dev vpn0 local 10.176.x.y peer 10.176.x.z SIGUSR1[soft,ping-restart] received, process restarting 3) OpenVPN tries to reconnect: TCP/UDP: Preserving recently used remote address: [AF_INET]a.b.c.d:443 Attempting to establish TCP connection with [AF_INET]a.b.c.d:443 [nonblock] TCP: connect to [AF_INET]a.b.c.d:443 failed: Network is unreachable SIGUSR1[connection failed(soft),init_instance] received, process restarting 4) After a while, tries to resolve the domain again (and fails): RESOLVE: Cannot resolve host address: example.com:443 (Temporary failure in name resolution) RESOLVE: Cannot resolve host address: example.com:443 (Temporary failure in name resolution) Could not determine IPv4/IPv6 protocol SIGUSR1[soft,init_instance] received, process restarting 5) Optional: Wifi comes up again, interface gets IP address and route assigned (dhcpcd logs): wlan0: offered 192.168.0.2 from 192.168.0.1 wlan0: probing address 192.168.0.2/24 wlan0: leased 192.168.0.2 for 120 seconds wlan0: adding route to 192.168.0.0/24 wlan0: changing default route via 192.168.0.1 wlan0: deleting route to 169.254.0.0/16 6) OpenVPN suddenly tries to connect to a faulty IP: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.1:443 Attempting to establish TCP connection with [AF_INET]192.168.0.1:443 [nonblock] TCP: connect to [AF_INET]192.168.0.1:443 failed: Connection refused SIGUSR1[connection failed(soft),init_instance] received, process restarting In this case there seems to be a correlation to the router IP address in 5), but I have many more examples of unexplicable IP addresses (e.g. 1.1.1.11, 212.27.38.252, 192.168.246.123, ...), all of which are definitely not assigned to example.com. A log where I have absolutely now indication why a strange IP addres (not the routers one) suddenly shows up: TCP/UDP: Preserving recently used remote address: [AF_INET]a.b.c.d:443 Attempting to establish TCP connection with [AF_INET]a.b.c.d:443 [nonblock] TCP: connect to [AF_INET]a.b.c.d:443 failed: Network is unreachable SIGUSR1[connection failed(soft),init_instance] received, process restarting TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.246.123:443 Attempting to establish TCP connection with [AF_INET]192.168.246.123:443 [nonblock] TCP: connect to [AF_INET]192.168.246.123:443 failed: Network is unreachable SIGUSR1[connection failed(soft),init_instance] received, process restarting Use client (2.4.7) configuration: client dev vpn0 dev-type tun remote example.com 443 tcp nobind persist-key ca /path/to/ca cert /path/to/client-cert key /path/to/client-key remote-cert-tls server comp-lzo ping-restart 0 route-nopull route 10.x.y.z route 10.a.b.c connect-retry 5 30 Server configuration (Running 2.4.6): port 443 proto tcp dev tun ca /path/to/ca cert /path/to/server-cert key /path/to/server-key crl-verify /path/to/crl.pem dh /path/to/dh2048.pem server 10.x.0.0 255.255.0.0 push "route 10.x.x.x 255.255.255.0" push "redirect-gateway" push "dhcp-option DNS 10.176.0.1" push "dhcp-option WINS 10.176.0.1" keepalive 10 120 comp-lzo max-clients 16380 persist-key persist-tun status /path/to/openvpn-status.log 5 status-version 2 log-append /path/to/openvpn.log verb 0 tun-mtu 1500 script-security 2 client-connect "/path/to/script.sh" management 0.0.0.0 2194 /path/to/management-password I'd be very grateful for ideas on how I can investigate this. Kind regards, Reto _______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
