Page MenuHomeVyOS Platform
Create Task
Maniphest T1380

OpenVPN Interfaces does not work in WAN Load Balancing
Closed, ResolvedPublicBUG
Actions

Description

Hi.

In the process of testing VyOs 1.2.1 we found a bug with wan-load-balancing.
The kernel does not allow add routing tables with OpenVPN Interfaces.

OpenVPN Interface (one of multiple):

# show interfaces openvpn vtun9
 description "Description"
 firewall {
     in {
         name ALLOW_EST_REL
     }
     local {
         name TO-ROUTER-FROM-VPN
     }
     out {
         name FROM-ROUTER-TO-XXX
     }
 }
 mode client
 openvpn-option "--persist-key --persist-tun --nobind --comp-lzo no"
 openvpn-option "--resolv-retry infinite"
 protocol udp
 remote-host hostanme
 remote-port 1194
 tls {
     ca-cert-file /config/auth/ca.crt
     cert-file /config/auth/client.crt
     key-file /config/auth/client.key
 }

Static Route:

interface-route 172.40.9.0/24 {
     next-hop-interface vtun9 {
     }
 }

S>* 172.40.9.0/24 [1/0] is directly connected, vtun9, 21:57:39
K>* 172.40.9.1/32 [0/0] via 172.40.9.9, vtun9, 21:57:54

In logs we see:

wan_lb: failure to insert default route on active path with this command: ip route replace table 210 default dev vtun9 via 172.40.9.1

We try to execute command manual, and recieve error:

# ip route replace table 210 default dev vtun9 via 172.40.9.1
Error: Nexthop has invalid gateway.

I found here: https://forums.gentoo.org/viewtopic-t-1092382-highlight-.html that this is a linux-kernel bug.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.1
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

lbv2rus created this task.May 14 2019, 2:31 PM
pasik added a subscriber: pasik.May 14 2019, 6:04 PM
syncer assigned this task to zsdc.Aug 31 2019, 12:28 AM
syncer triaged this task as Low priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
lbv2rus closed this task as Resolved.Oct 18 2019, 8:54 PM

fixed in 1.2.3

c-po edited projects, added VyOS 1.2 Crux (VyOS 1.2.3); removed VyOS 1.3 Equuleus.Oct 19 2019, 6:26 AM
c-po set Is it a breaking change? to Unspecified (possibly destroys the router).
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.3) board.Nov 16 2019, 11:45 PM