Hi Lukas, small world :-)
On Wed, Aug 11, 2021 at 04:06:38PM +0200, Lukas Tribus wrote:
> in an environment with 2 openvpn instances (one TCP and one UDP),
> previous unattended-upgrades of the openvpn package in Ubuntu 18.04
> caused outages, because the UDP-based instance was unable to add
> routes to the kernel:
>
> /sbin/ip route add 192.168.20.0/24 via 10.20.30.2
> ERROR: Linux route add command failed: external program exited with
> error status: 2
> /sbin/ip route add 10.20.30.0/24 via 10.20.30.2
> ERROR: Linux route add command failed: external program exited with
> error status: 2

As Antonio says, it would be good to have a bit more log output (with
--verb 3 or 4) here. What does "ip route" show before/after starting
the UDP instance?

> iproute2 return code 2 indicates a kernel error.
>
> The openvpn instances downgrade privileges to nogroup/nobody, so the
> removal of the routes also fails, but when removing the tun interface,
> the routes will vanish anyway.

Permission errors should be correctly logged as such, and downgrading
should only happen after ifconfig/route setup.

[..]

> I'm wondering if somebody has seen issues like this. Of course the
> error comes from the kernel, this could be some race condition due to
> two processes inserting routes at the same moment or something, but I
> have to find a way to do this reliably.

I've never heard about race conditions of this sort. Are you trying to
insert the *same* /24? Or does each instance have its own subnets?

> I'm also wondering about error handling. Failing to add routes means
> we have a non-working openvpn instance, but the ip route return code
> is only logged; it does not trigger a fatal exit of openvpn itself. So
> the parent process/process supervisor cannot possibly be aware of any
> problems.

This is intentional, to some extent, to gracefully handle client-side
issues ("the server pushes 192.168.1.0/24, but this is used as the
client-side LAN, so it cannot be installed").

On the server side, maybe we should fail hard in this case... but it's
the same code. And the code is 15+ years old, so nobody around today
really knows for sure why certain design decisions have been made back
then... (I inherited that mess, I just wanted to add IPv6 support :-) )

gert
--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
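Since, as discussed above, a failed "ip route add" is only logged and OpenVPN keeps running, a supervisor can instead verify the routing table itself after start-up. The following is an added example (not code from this thread or from OpenVPN): it takes the two routes quoted in the thread as the expected set and checks them against "ip route show" output; the sample table below is constructed to reproduce the reported situation where one route never reached the kernel.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN: a post-start
# health check a process supervisor could run, since OpenVPN only logs a
# failed "ip route add" and keeps running. The expected routes are the two
# quoted in the thread; the "ip route show" output is constructed sample text.

# Routes OpenVPN was supposed to install, one "prefix via gateway" per line.
EXPECTED_ROUTES='192.168.20.0/24 via 10.20.30.2
10.20.30.0/24 via 10.20.30.2'

# Constructed "ip route show" output: the first route is present, the
# second never reached the kernel (as in the reported outage).
SAMPLE_ROUTE_TABLE='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
192.168.20.0/24 via 10.20.30.2 dev tun1
10.20.30.2 dev tun1 proto kernel scope link src 10.20.30.1'

# route_present ROUTE TABLE: 0 if some TABLE line is exactly ROUTE or starts
# with "ROUTE " (so gateway 10.20.30.2 does not match 10.20.30.22), else 1.
route_present() {
    printf '%s\n' "$2" | awk -v r="$1" '
        index($0, r) == 1 && (length($0) == length(r) ||
            substr($0, length(r) + 1, 1) == " ") { found = 1; exit }
        END { exit !found }'
}

# missing_routes EXPECTED TABLE: prints each expected route absent from TABLE.
missing_routes() {
    printf '%s\n' "$1" | while IFS= read -r route; do
        [ -n "$route" ] || continue
        route_present "$route" "$2" || printf '%s\n' "$route"
    done
}

# check_routes EXPECTED TABLE: 0 if every route is installed, 1 otherwise.
# A supervisor (e.g. a systemd ExecStartPost= hook) can fail the unit on 1,
# which is the signal OpenVPN itself does not give.
check_routes() {
    missing=$(missing_routes "$1" "$2")
    [ -z "$missing" ] && return 0
    printf 'openvpn route check: missing route(s):\n%s\n' "$missing" >&2
    return 1
}

# On a live host: check_routes "$EXPECTED_ROUTES" "$(ip route show)"
```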
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users