Hi,
I'm running VyOS rolling release and trying to implement an OpenVPN tunnel through NordVPN.
The tunnel interface is coming up but no traffic is going through (not even to the connected network).
The difference between VRF and non-VRF is only the following:
Pulled routes work without VRF.
Pulled routes with VRF can't be set because the next-hop gateway is invalid in the "ip route add" command.
I tried with TCP and UDP, no difference whatsoever.
I have another OpenVPN tunnel interface that's working totally fine, but it seems the NordVPN servers use a different configuration and are pulling more than usual.
VyOS Version
Version:          VyOS 1.4-rolling-202105091233
Release Train:    sagitta
Built by:         [email protected]
Built on:         Mon 10 May 2021 01:17 UTC
Build UUID:       16e2a31e-3c5f-439f-a83b-a4f53e323948
Build Commit ID:  de6089c11d73f2
Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest
Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:
Hardware UUID:    03af5309-80d8-4dea-ab69-bee239b95706
Copyright:        VyOS maintainers and contributors
Interface Config
authentication {
    password XXXXXX
    username XXXXX
}
device-type tun
encryption {
    cipher aes256
}
hash sha512
ipv6 {
    disable-forwarding
}
mode client
openvpn-option client
openvpn-option "resolv-retry infinite"
openvpn-option remote-random
openvpn-option nobind
openvpn-option "tun-mtu 1500"
openvpn-option "tun-mtu-extra 32"
openvpn-option "mssfix 1450"
openvpn-option persist-key
openvpn-option persist-tun
openvpn-option "ping 15"
openvpn-option "ping-restart 0"
openvpn-option ping-timer-rem
openvpn-option "reneg-sec 0"
openvpn-option "comp-lzo no"
openvpn-option "remote-cert-tls server"
openvpn-option "auth-user-pass /config/auth/nordvpn/nordvpnauth.txt"
openvpn-option "verb 3"
openvpn-option pull
openvpn-option fast-io
openvpn-option "cipher AES-256-CBC"
openvpn-option "auth SHA512"
openvpn-option "key-direction 1"
openvpn-option "--dev vtun2"
openvpn-option route-nopull
openvpn-option "proto tcp"
openvpn-option "remote 152.89.162.251 443"
persistent-tunnel
protocol tcp-active
remote-address 152.89.162.251
remote-host 152.89.162.251
remote-port 443
tls {
    auth-file /config/auth/nordvpn/nordvpn_shared.key
    ca-cert-file /config/auth/nordvpn/nordvpn_ca.crt
}
vrf NordVPN
Routing Table for VRF NordVPN
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

VRF NordVPN:
S>* 0.0.0.0/0 [1/0] is directly connected, vtun2, weight 1, 00:07:51
K * 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 01w6d03h
C>* 10.7.1.0/24 is directly connected, vtun2, 00:07:51
S>* 152.89.162.251/32 [1/0] is directly connected, pppoe0 (vrf default), weight 1, 00:21:50
VRF Config
protocols {
    static {
        route 0.0.0.0/0 {
            interface vtun2 {
            }
        }
        route 152.89.162.251/32 {
            interface pppoe0 {
                vrf default
            }
        }
    }
}
table 100
Log-File
May 31 14:20:59 tony vyos-configd[674]: Received message: {"type": "node", "data": "VYOS_TAGNODE_VALUE=vtun2/usr/libexec/vyos/conf_mode/interfaces-openvpn.py"}
May 31 14:20:59 tony openvpn-vtun2[22382]: DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5.
May 31 14:20:59 tony openvpn-vtun2[22382]: WARNING: file '/config/auth/nordvpn/nordvpn_shared.key' is group or others accessible
May 31 14:20:59 tony openvpn-vtun2[22382]: WARNING: file '/config/auth/nordvpn/nordvpnauth.txt' is group or others accessible
May 31 14:20:59 tony openvpn-vtun2[22382]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
May 31 14:20:59 tony openvpn-vtun2[22382]: library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
May 31 14:20:59 tony openvpn-vtun2[22382]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
May 31 14:20:59 tony openvpn-vtun2[22382]: NOTE: --fast-io is disabled since we are not using UDP
May 31 14:20:59 tony openvpn-vtun2[22382]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 31 14:20:59 tony openvpn-vtun2[22382]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 31 14:20:59 tony openvpn-vtun2[22382]: TCP/UDP: Preserving recently used remote address: [AF_INET]152.89.162.251:443
May 31 14:20:59 tony openvpn-vtun2[22382]: Socket Buffers: R=[1048576->1048576] S=[1048576->1048576]
May 31 14:20:59 tony openvpn-vtun2[22382]: Attempting to establish TCP connection with [AF_INET]152.89.162.251:443 [nonblock]
May 31 14:21:00 tony openvpn-vtun2[22382]: TCP connection established with [AF_INET]152.89.162.251:443
May 31 14:21:00 tony openvpn-vtun2[22382]: TCP_CLIENT link local: (not bound)
May 31 14:21:00 tony openvpn-vtun2[22382]: TCP_CLIENT link remote: [AF_INET]152.89.162.251:443
May 31 14:21:00 tony openvpn-vtun2[22382]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
May 31 14:21:00 tony openvpn-vtun2[22382]: TLS: Initial packet from [AF_INET]152.89.162.251:443, sid=7b345daf 05f91b65
May 31 14:21:00 tony openvpn-vtun2[22382]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 31 14:21:00 tony openvpn-vtun2[22382]: VERIFY OK: depth=2, /C=PA/O=NordVPN/CN=NordVPN_Root_CA
May 31 14:21:00 tony openvpn-vtun2[22382]: VERIFY OK: depth=1, /C=PA/O=NordVPN/CN=NordVPN_CA5
May 31 14:21:00 tony openvpn-vtun2[22382]: VERIFY KU OK
May 31 14:21:00 tony openvpn-vtun2[22382]: Validating certificate extended key usage
May 31 14:21:00 tony openvpn-vtun2[22382]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
May 31 14:21:00 tony openvpn-vtun2[22382]: VERIFY EKU OK
May 31 14:21:00 tony openvpn-vtun2[22382]: VERIFY OK: depth=0, /CN=ch259.nordvpn.com
May 31 14:21:02 tony openvpn-vtun2[22382]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
May 31 14:21:02 tony openvpn-vtun2[22382]: [ch259.nordvpn.com] Peer Connection Initiated with [AF_INET]152.89.162.251:443
May 31 14:21:03 tony openvpn-vtun2[22382]: SENT CONTROL [ch259.nordvpn.com]: 'PUSH_REQUEST' (status=1)
May 31 14:21:03 tony openvpn-vtun2[22382]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.1.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.1.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
May 31 14:21:03 tony openvpn-vtun2[22382]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
May 31 14:21:03 tony openvpn-vtun2[22382]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
May 31 14:21:03 tony openvpn-vtun2[22382]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: timers and/or timeouts modified
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: compression parms modified
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
May 31 14:21:03 tony openvpn-vtun2[22382]: Socket Buffers: R=[1048576->1048576] S=[1048576->1048576]
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: --ifconfig/up options modified
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: route-related options modified
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: peer-id set
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: adjusting link_mtu to 1659
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: data channel crypto options modified
May 31 14:21:03 tony openvpn-vtun2[22382]: Data Channel: using negotiated cipher 'AES-256-GCM'
May 31 14:21:03 tony openvpn-vtun2[22382]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 31 14:21:03 tony openvpn-vtun2[22382]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 31 14:21:03 tony openvpn-vtun2[22382]: TUN/TAP device vtun2 opened
May 31 14:21:03 tony openvpn-vtun2[22382]: TUN/TAP TX queue length set to 100
May 31 14:21:03 tony openvpn-vtun2[22382]: /usr/libexec/vyos/system/unpriv-ip link set dev vtun2 up mtu 1500
May 31 14:21:03 tony openvpn-vtun2[22382]: /usr/libexec/vyos/system/unpriv-ip addr add dev vtun2 10.7.1.2/24 broadcast 10.7.1.255
May 31 14:21:03 tony openvpn-vtun2[22382]: GID set to openvpn
May 31 14:21:03 tony openvpn-vtun2[22382]: UID set to openvpn
May 31 14:21:03 tony openvpn-vtun2[22382]: Initialization Sequence Completed
Cheers
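The "cannot be used in this context" lines in the log above are OpenVPN refusing pushed options; with route-nopull in the client config, the pushed routes (redirect-gateway) and dhcp-options are exactly what gets refused. As an added triage example that is not part of the original post, the script below parses syslog lines in the format shown above and reports the points a defender wants flagged: credential files the daemon found group- or world-readable, whether the password-caching warning fired, and which pushed options the client refused. The sample lines are constructed from the post's log, and the function names are my own.

```python
import re

# Constructed sample, modelled on the syslog lines quoted in the post above;
# it is not the poster's complete log.
SAMPLE_LOG = """\
May 31 14:20:59 tony openvpn-vtun2[22382]: WARNING: file '/config/auth/nordvpn/nordvpn_shared.key' is group or others accessible
May 31 14:20:59 tony openvpn-vtun2[22382]: WARNING: file '/config/auth/nordvpn/nordvpnauth.txt' is group or others accessible
May 31 14:21:00 tony openvpn-vtun2[22382]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 31 14:21:03 tony openvpn-vtun2[22382]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,route-gateway 10.7.1.1,ifconfig 10.7.1.2 255.255.255.0,cipher AES-256-GCM'
May 31 14:21:03 tony openvpn-vtun2[22382]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
May 31 14:21:03 tony openvpn-vtun2[22382]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
May 31 14:21:03 tony openvpn-vtun2[22382]: Initialization Sequence Completed
"""

# VyOS names the per-interface daemon "openvpn-<iface>[<pid>]: <message>".
MSG_RE = re.compile(r"openvpn-(?P<iface>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PERM_RE = re.compile(r"WARNING: file '(?P<path>[^']+)' is group or others accessible")
PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(?P<opts>[^']*)'")
REJECT_RE = re.compile(r"Options error: option '(?P<opt>[^']+)' cannot be used in this context")

def triage(log_text):
    """Summarise one interface's OpenVPN log into security-relevant findings."""
    f = {"world_readable": [], "password_cache": False,
         "pushed": [], "rejected": [], "completed": False}
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not an openvpn daemon line (e.g. vyos-configd)
        msg = m.group("msg")
        if (p := PERM_RE.match(msg)):
            f["world_readable"].append(p.group("path"))  # credential file perms
        elif "may cache passwords in memory" in msg:
            f["password_cache"] = True                   # auth-nocache not set
        elif (p := PUSH_RE.match(msg)):
            # Each pushed option is "name [args...]"; keep the names in push order.
            f["pushed"] = [o.split()[0] for o in p.group("opts").split(",")]
        elif (p := REJECT_RE.match(msg)):
            f["rejected"].append(p.group("opt"))         # refused by the client
        elif msg == "Initialization Sequence Completed":
            f["completed"] = True
    return f

def refused_pushes(findings):
    """Pushed options the client refused, in push order, without duplicates."""
    rejected = set(findings["rejected"])
    return [o for i, o in enumerate(findings["pushed"])
            if o in rejected and o not in findings["pushed"][:i]]
```

Run triage() over a whole journal export for one interface; a tunnel that reports completed=True together with a non-empty refused_pushes() came up without the server's routing and DNS pushes, which matches the symptom in the post.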