Package: openvpn
Version: 2.3.4-5

Debian 8 Jessie amd64

I have a server and a client configured. The server is configured not to push a default route, so that only the client adds a static route for the needed range, but instead I get a route for a very big internet range, which blackholes the entire 10.0.0.0/8 RFC1918 range.

Don't know if this should go upstream so I'm hoping for some input here.

[root@box ~]# ifconfig tap0
tap0      Link encap:Ethernet  HWaddr e2:f3:f9:b6:d2:52
          inet addr:10.8.0.14  Bcast:255.255.255.254  Mask:252.0.0.0
          inet6 addr: fe80::e0f3:f9ff:feb6:d252/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:73 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:10518 (10.2 KiB)

[root@box ~]# ip route
default via 172.16.80.1 dev eth0
8.0.0.0/6 dev tap0  proto kernel  scope link  src 10.8.0.14
172.16.80.0/23 dev eth0  proto kernel  scope link  src 172.16.80.35
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1

Sometimes I also get a route with an even smaller net like 8.0.0.0/5.
What I'm expecting is either a 10.8.0.0/24 route as configured on the server or no route at all for.

The same happens even if I comment out route-nopull on the client.
If I were to guess, this must be related to me turning off the default route directive in the server config.

/etc/openvpn/server.conf
port 1194
proto tcp

dev tun

ca ca.crt
cert server.crt
key server.key

management localhost 7505

dh dh2048.pem
server 10.8.0.0 255.255.255.0

;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

keepalive 10 120
comp-lzo

user nobody
group nogroup

max-clients 50
persist-key
persist-tun

;username-as-common-name
client-cert-not-required

script-security 3 system
auth-user-pass-verify /etc/openvpn/auth.py via-env

status openvpn-status.log
verb 5



/etc/openvpn/client.conf
client
remote x.x.x.x
port 1194
proto tcp
dev tap

ca ca.crt

route-nopull
comp-lzo

user nobody
group nogroup

persist-key
persist-tun

auth-user-pass login.txt

verb 5

Best regards
Tobias
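
A check for the symptom reported above, added here as an example and not part of the original report or of OpenVPN: it parses the `ip route` output from the report and flags any route on a tun/tap device that is wider than the expected VPN subnet, listing the RFC 1918 ranges that route covers. The function names and the `expected` argument (10.8.0.0/24, taken from the server config) are assumptions of this example.

```python
import ipaddress

# RFC 1918 private ranges that an over-broad VPN route can swallow.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# `ip route` output copied from the report above.
IP_ROUTE_OUTPUT = """\
default via 172.16.80.1 dev eth0
8.0.0.0/6 dev tap0  proto kernel  scope link  src 10.8.0.14
172.16.80.0/23 dev eth0  proto kernel  scope link  src 172.16.80.35
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1
"""


def parse_routes(text):
    """Yield (network, device) for each IPv4 route line of `ip route` output."""
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue  # no device named on this line
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.IPv4Network(dest)
        except ValueError:
            continue  # e.g. "unreachable ..." or an IPv6 prefix
        yield net, fields[fields.index("dev") + 1]


def audit_vpn_routes(text, vpn_prefixes, expected):
    """Return findings for routes on VPN devices that exceed the expected subnet."""
    expected = ipaddress.IPv4Network(expected)
    findings = []
    for net, dev in parse_routes(text):
        if not dev.startswith(vpn_prefixes):
            continue  # not a VPN interface
        if net.subnet_of(expected):
            continue  # route stays inside the configured VPN subnet
        covered = [str(r) for r in RFC1918 if r.subnet_of(net)]
        findings.append({"route": str(net), "dev": dev,
                         "addresses": net.num_addresses,
                         "rfc1918_covered": covered})
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_routes(IP_ROUTE_OUTPUT, ("tap", "tun"), "10.8.0.0/24"):
        print(finding)
```
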
