OpenVPN routing problems on Solaris

July 5, 2011

We use OpenVPN on Solaris 9 as our VPN service for users, using tun interfaces. After a long time we decided to upgrade to the latest version (together with our home-made auth_ldap authentication module). This post applies to version 2.2.1 (no official release announcement yet) but also applies to version 2.2.0.

After the installation the service seemed to go up, the user authentication worked but it was not possible for packets to pass through. The problem happened because for some reason after the initialisation openvpn removed the routing entries for the VPN subnet that should go through the tun interface.

After a more careful look at the log files, the problem was during the initialisation. It added the routes with the corresponding route add net … but after the fork the routes were deleted with route del commands. The first “fix” was to add a line to the init script to manually add a route after the VPN was up.

Having a look at the source code, the problem was in the openvpn_exit() function, which called tun_abort() (which called do_close_tun() and delete_routes()) after the fork. Searching the Trac also turned up this link: https://community.openvpn.net/openvpn/ticket/53, which describes the same behaviour.

The final solution was to produce a patch as described in the above link, and use this source code patch for the building of OpenVPN.

So people who have OpenVPN in tun mode, at least on Solaris (haven’t tried it on Linux), and after an upgrade suddenly realise that things don’t work as they are supposed to, should first try to add the routing command by hand with

route add vpn_subnet vpn_subnet_mask vpn_gateway_ip

and if this fixes the problem, then try to apply the solution found on the OpenVPN Trac.
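A way to check for this symptom from the init script or a monitoring job, as an added example that is not part of the original post or of OpenVPN: it looks for the VPN subnet route in `netstat -rn` output. The function names, the assumed column layout (Destination, Gateway, Flags) and all addresses in the sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect the "VPN route silently removed" symptom.
# Assumption: the routing table is in "netstat -rn" column order
# (Destination Gateway Flags ...). All addresses are constructed samples.

# has_route DEST GATEWAY
# Reads a routing table on stdin; succeeds only if a route to DEST via
# GATEWAY is listed with the U (up) flag.
has_route() {
    awk -v dest="$1" -v gw="$2" '
        $1 == dest && $2 == gw && $3 ~ /U/ { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample: table while the VPN subnet route is in place.
table_ok() {
    cat <<'EOF'
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
10.8.0.0             10.8.0.2              UG       1      0
10.8.0.2             10.8.0.1              UH       1      0  tun0
default              192.0.2.1             UG       1    100
EOF
}

# Constructed sample: same host after the subnet route was deleted.
table_broken() {
    cat <<'EOF'
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
10.8.0.2             10.8.0.1              UH       1      0  tun0
default              192.0.2.1             UG       1    100
EOF
}

# check_vpn_route DEST GATEWAY [TABLE_CMD]
# TABLE_CMD defaults to the live table; pass a sample function to test.
check_vpn_route() {
    dest=$1; gw=$2; src=${3:-"netstat -rn"}
    if $src | has_route "$dest" "$gw"; then
        echo "OK: route to $dest via $gw present"
        return 0
    fi
    echo "MISSING: route to $dest via $gw" >&2
    return 1
}
```

Called as `check_vpn_route vpn_subnet vpn_gateway_ip` a few seconds after the service starts, a non-zero exit status indicates the route has been removed again.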
