Bug#600166: openvpn: at start it adds 40 bogus routes not specified in configuration

2010-10-22 Thread Teodor MICU
Hi,

On Thu, Oct 21, 2010 at 2:03 PM, Alberto Gonzalez Iniesta
a...@inittab.org wrote:
 I've got a new -2 package (same location) with upstream's solution,
 instead of mine. Would you mind testing it? That would probably be the
 one I upload to close this report.

I've just tested this package (built on Oct 21) and the problem seems
to be fixed.

Thanks



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#600166: openvpn: at start it adds 40 bogus routes not specified in configuration

2010-10-22 Thread Alberto Gonzalez Iniesta
On Fri, Oct 22, 2010 at 03:29:11PM +0300, Teodor MICU wrote:
 Hi,
 
 On Thu, Oct 21, 2010 at 2:03 PM, Alberto Gonzalez Iniesta
 a...@inittab.org wrote:
  I've got a new -2 package (same location) with upstream's solution,
  instead of mine. Would you mind testing it? That would probably be the
  one I upload to close this report.
 
 I've just tested this package (built on Oct 21) and the problem seems
 to be fixed.

Great! Thanks a lot,

Alberto

-- 
Alberto Gonzalez Iniesta     | Training, consulting and technical support
agi@(inittab.org|debian.org) | in GNU/Linux and free software
Encrypted mail preferred     | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3






Bug#600166: openvpn: at start it adds 40 bogus routes not specified in configuration

2010-10-21 Thread Alberto Gonzalez Iniesta
On Fri, Oct 15, 2010 at 05:45:48PM +0300, Teodor MICU wrote:
 Hi,
 
 On Fri, Oct 15, 2010 at 3:39 PM, Alberto Gonzalez Iniesta
 a...@inittab.org wrote:
  Could you try with this package [1]?
  [1] http://etc.inittab.org/~agi/openvpn_2.1.3-2_i386.deb
 
 I've reverted the original config on the oVPN server and with the -2
 package it works fine as on v2.1.0.
 

Hi Teodor,

I've got a new -2 package (same location) with upstream's solution,
instead of mine. Would you mind testing it? That would probably be the
one I upload to close this report.

Thanks,

Alberto




Bug#600166: openvpn: at start it adds 40 bogus routes not specified in configuration

2010-10-15 Thread Alberto Gonzalez Iniesta
On Thu, Oct 14, 2010 at 01:15:49PM +0300, Teodor MICU wrote:
 Hi,
 
 On Thu, Oct 14, 2010 at 11:37 AM, Alberto Gonzalez Iniesta
 a...@inittab.org wrote:
  Hi, could you attach (without sensitive data) the server and client
  configurations?
 
 Sure. The real company addresses and names were replaced with generic names.
 


Hi Teodor,

I think I found the bug. But you can help me confirm this (and solve the
problem for the time being). Could you try this (on the server config):

Change:
push route remote_host 255.255.255.255 net_gateway
To:
push route OPENVPN_REMOTE_PEER 255.255.255.255 net_gateway

Seems there's something wrong with 'remote_host'. I'll check the source
now.

Thanks,

Alberto




Bug#600166: openvpn: at start it adds 40 bogus routes not specified in configuration

2010-10-15 Thread Alberto Gonzalez Iniesta
On Thu, Oct 14, 2010 at 01:15:49PM +0300, Teodor MICU wrote:
 Hi,
 
 On Thu, Oct 14, 2010 at 11:37 AM, Alberto Gonzalez Iniesta
 a...@inittab.org wrote:
  Hi, could you attach (without sensitive data) the server and client
  configurations?
 
 Sure. The real company addresses and names were replaced with generic names.

Hi Teodor,

Could you try with this package [1]?

Thanks

[1] http://etc.inittab.org/~agi/openvpn_2.1.3-2_i386.deb




Bug#600166: openvpn: at start it adds 40 bogus routes not specified in configuration

2010-10-15 Thread Teodor MICU
Hi,

On Fri, Oct 15, 2010 at 2:45 PM, Alberto Gonzalez Iniesta
a...@inittab.org wrote:
 I think I found the bug. But you can help me confirm this (and solve the
 problem for the time being). Could you try this (on the server config):

 Change:
 push route remote_host 255.255.255.255 net_gateway
 To:
 push route OPENVPN_REMOTE_PEER 255.255.255.255 net_gateway

Yes, it works with this configuration change on the oVPN server.
I'll test the deb package too.

Thanks
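
The workaround confirmed in this message, as an added example that is not part of the original thread: a small checker that finds active `push route remote_host ...` directives in a server config and rewrites them with an explicit address. The sample config and the address 198.51.100.7 (standing in for OPENVPN_REMOTE_PEER) are constructed.

```python
import re
import shlex

# Constructed server-config fragment; addresses are documentation ranges.
SAMPLE = '''\
# constructed example, not the config from the report
dev tun
push "route 192.0.2.0 255.255.255.0"
push "route remote_host 255.255.255.255 net_gateway"
push route remote_host 255.255.255.255 net_gateway
;push "route remote_host 255.255.255.255"
'''

def pushed_routes(config_text):
    """Yield (line_no, route_args) for every active push-route directive."""
    for no, raw in enumerate(config_text.splitlines(), 1):
        try:
            tokens = shlex.split(raw, comments=True)  # drops '#' comments
        except ValueError:
            continue  # unbalanced quote: leave for manual review
        if len(tokens) < 2 or tokens[0] != "push":
            continue  # also skips ';'-commented lines (token is ';push')
        # Quoted form gives one token after 'push'; the unquoted form
        # written in the thread gives several.
        args = tokens[1].split() if len(tokens) == 2 else tokens[1:]
        if args[:1] == ["route"]:
            yield no, args[1:]

def find_remote_host_pushes(config_text):
    """Line numbers where the pushed route's network is 'remote_host'."""
    return [no for no, args in pushed_routes(config_text)
            if args[:1] == ["remote_host"]]

def apply_workaround(config_text, server_addr):
    """Replace the keyword with an explicit address on flagged lines only."""
    flagged = set(find_remote_host_pushes(config_text))
    lines = config_text.splitlines()
    for no in flagged:
        lines[no - 1] = re.sub(r"\bremote_host\b", server_addr,
                               lines[no - 1], count=1)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(find_remote_host_pushes(SAMPLE))
    print(apply_workaround(SAMPLE, "198.51.100.7"), end="")
```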






Bug#600166: openvpn: at start it adds 40 bogus routes not specified in configuration

2010-10-15 Thread Teodor MICU
Hi,

On Fri, Oct 15, 2010 at 3:39 PM, Alberto Gonzalez Iniesta
a...@inittab.org wrote:
 Could you try with this package [1]?
 [1] http://etc.inittab.org/~agi/openvpn_2.1.3-2_i386.deb

I've reverted the original config on the oVPN server and with the -2
package it works fine as on v2.1.0.

The weird thing about pushing 'remote_host' from the server is that I
have another oVPN server which has almost the same configuration but
the problem was not for both. The differences on the working oVPN
server are:
- OPENVPN_REMOTE_PEER host is not from the REMOTE_SUBNET network (it
is the external gateway);
- using public IP addresses for clients (instead of private);
Ok. I've found that on the working oVPN server I'm not using push
remote_host because it's not needed due to point #1. Mystery solved.
:)

Thanks






Bug#600166: openvpn: at start it adds 40 bogus routes not specified in configuration

2010-10-14 Thread Teodor
Package: openvpn
Version: 2.1.3-1
Severity: grave
Justification: renders package unusable

Hi,

I've upgraded openvpn package after migration to 'squeeze'. One of the VPN connections
is not working anymore and it adds 40 bogus routes that are not specified anywhere.
It should add routes from the server, but it only adds the route to the internal oVPN
subnet (it is a 'subnet' configuration) -- thus it renders the package unusable.

I've attached the connection log from /var/log/syslog (some real info was replaced with
generic names).

Thanks


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.35     Debian configuration management sy
ii  libc6                  2.11.2-6   Embedded GNU C Library: Shared lib
ii  liblzo2-2              2.03-2     data compression library
ii  libpam0g               1.1.1-6    Pluggable Authentication Modules l
ii  libpkcs11-helper1      1.07-1     library that simplifies the intera
ii  libssl0.9.8            0.9.8o-2   SSL shared libraries
ii  net-tools              1.60-23    The NET-3 networking toolkit
ii  openssl-blacklist      0.5-2      list of blacklisted OpenSSL RSA ke
ii  openvpn-blacklist      0.4        list of blacklisted OpenVPN RSA sh

openvpn recommends no packages.

Versions of packages openvpn suggests:
ii  openssl                0.9.8o-2   Secure Socket Layer (SSL) binary a
ii  resolvconf             1.46       name server information handler

-- Configuration Files:
/etc/default/openvpn changed:
AUTOSTART=none
OPTARGS=


-- debconf information:
  openvpn/vulnerable_prng:
  openvpn/create_tun: false

Oct 14 10:57:48 frost ovpn-COMPANY-sfo[4070]: Current Parameter Settings:
Oct 14 10:57:48 frost ovpn-COMPANY-sfo[4070]:   config = '/etc/openvpn/COMPANY-sfo.conf'
Oct 14 10:57:48 frost ovpn-COMPANY-sfo[4070]:   mode = 0
Oct 14 10:57:48 frost ovpn-COMPANY-sfo[4070]:   persist_config = DISABLED
Oct 14 10:57:48 frost ovpn-COMPANY-sfo[4070]:   persist_mode = 1
Oct 14 10:57:48 frost ovpn-COMPANY-sfo[4070]:   show_ciphers = DISABLED
Oct 14 10:57:48 frost ovpn-COMPANY-sfo[4070]: NOTE: --mute triggered...
Oct 14 10:57:48 frost ovpn-COMPANY-sfo[4070]: 255 variation(s) on previous 6 message(s) suppressed by --mute
Oct 14 10:57:48 frost ovpn-COMPANY-sfo[4070]: OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Sep 30 2010
Oct 14 10:57:48 frost ovpn-COMPANY-sfo[4070]: mlockall call succeeded
Oct 14 10:57:48 frost ovpn-COMPANY-sfo[4070]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Oct 14 10:57:48 frost ovpn-COMPANY-sfo[4070]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Oct 14 10:57:48 frost ovpn-COMPANY-sfo[4070]: /usr/bin/openssl-vulnkey -q -b 1024 -m modulus omitted
Oct 14 10:57:49 frost ovpn-COMPANY-sfo[4070]: Control Channel Authentication: using 'keys/ta-sfo.key' as a OpenVPN static key file
Oct 14 10:57:49 frost ovpn-COMPANY-sfo[4070]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 14 10:57:49 frost ovpn-COMPANY-sfo[4070]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 14 10:57:49 frost ovpn-COMPANY-sfo[4070]: LZO compression initialized
Oct 14 10:57:49 frost ovpn-COMPANY-sfo[4070]: Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Oct 14 10:57:49 frost ovpn-COMPANY-sfo[4070]: Socket Buffers: R=[112640-131072] S=[112640-131072]
Oct 14 10:57:49 frost ovpn-COMPANY-sfo[4070]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Oct 14 10:57:49 frost ovpn-COMPANY-sfo[4070]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Oct 14 10:57:49 frost ovpn-COMPANY-sfo[4070]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Oct 14 10:57:49 frost ovpn-COMPANY-sfo[4070]: Local Options hash (VER=V4): '02af3434'
Oct 14 10:57:49 frost ovpn-COMPANY-sfo[4070]: Expected Remote Options hash (VER=V4): '3f08d474'
Oct 14 10:57:49 frost ovpn-COMPANY-sfo[4073]: mlockall call succeeded
Oct 14 10:57:49 frost ovpn-COMPANY-sfo[4073]: UDPv4 link local: [undef]
Oct 14 10:57:49 frost ovpn-COMPANY-sfo[4073]: UDPv4 link remote: [AF_INET]OPENVPN_REMOTE_IPADDR:1194
Oct 14 10:57:49 frost ovpn-COMPANY-sfo[4073]: TLS: Initial packet from

Bug#600166: openvpn: at start it adds 40 bogus routes not specified in configuration

2010-10-14 Thread Alberto Gonzalez Iniesta
On Thu, Oct 14, 2010 at 11:24:40AM +0300, Teodor wrote:
 Package: openvpn
 Version: 2.1.3-1
 Severity: grave
 Justification: renders package unusable
 
 Hi,
 
 I've upgraded openvpn package after migration to 'squeeze'. One of the VPN connections
 is not working anymore and it adds 40 bogus routes that are not specified anywhere.
 It should add routes from the server, but it only adds the route to the internal oVPN
 subnet (it is a 'subnet' configuration) -- thus it renders the package unusable.
 
 I've attached the connection log from /var/log/syslog (some real info was replaced with
 generic names).

Hi, could you attach (without sensitive data) the server and client
configurations?

Thanks,

Alberto




Bug#600166: openvpn: at start it adds 40 bogus routes not specified in configuration

2010-10-14 Thread Teodor MICU
Hi,

On Thu, Oct 14, 2010 at 11:37 AM, Alberto Gonzalez Iniesta
a...@inittab.org wrote:
 Hi, could you attach (without sensitive data) the server and client
 configurations?

Sure. The real company addresses and names were replaced with generic names.

Thanks
#== openvpn client options (linux) ==
client
remote OPENVPN_REMOTE_PEER
nobind
tls-auth keys/ta-sfo.key
ca keys/COMPANY_private_CA.crt
cert keys/staff.crt
key keys/staff.key

comp-lzo no
dev tun
mlock
mtu-test
mute 6
mute-replay-warnings
passtos #available only on Linux
ping-timer-rem
reneg-sec 0
tls-exit

auth-user-pass pw_staff.txt
auth-retry interact
auth-nocache
#mssfix 1400 #use only on networks where the MTU test fails
tls-remote /C=US/ST=../L=../O=../CN=..
ns-cert-type server
verb 4

#route remote_host 255.255.255.255 10.0.0.1
#redirect-gateway def1

##route network/IP [netmask] [gateway] [metric]




COMPANY-sfo-server.conf
Description: Binary data