# can't connect with openvpn

## curmudgeon

I have literally spent more than six months trying to get this working, but to no avail. The support people at the VPN provider are completely incompetent (better add an "in my opinion" there for legal reasons), but I am wondering if something in Gentoo (particularly the setup scripts) is contributing to the problem.

Simple routing table (no VPN):

```
$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    3      0        0 net0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
192.168.0.1     0.0.0.0         255.255.255.0   U     0      0        0 net0
```

Configuration file (leaving out the inline files and altering the name of the remote host):

```
auth-retry interact
auth-user-pass
client
dev tun
cipher AES-256-CBC
explicit-exit-notify 2
ifconfig-nowarn
key-direction 1
mute 20
persist-key
persist-tun
proto udp
redirect-gateway
remote remote.vpnprovider.net 53
remote-cert-tls server
route 0.0.0.0 0.0.0.0
route-delay 2
route-method exe
verb 3
```

Start the vpn with /etc/init.d/openvpn.vpn (with the above configuration in /etc/openvpn/vpn.conf).

Here is the entire session from /var/log/messages:

```
Jan  3 13:55:25 system openvpn[2093]: OpenVPN 2.3.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [EPOLL] [MH] [IPv6] built on Sep 17 2016
Jan  3 13:55:25 system openvpn[2093]: library versions: OpenSSL 1.0.2j  26 Sep 2016
Jan  3 13:55:38 system openvpn[2097]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan  3 13:55:38 system openvpn[2097]: Control Channel Authentication: tls-auth using INLINE static key file
Jan  3 13:55:38 system openvpn[2097]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  3 13:55:38 system openvpn[2097]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  3 13:55:38 system openvpn[2097]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jan  3 13:55:38 system openvpn[2097]: UDPv4 link local (bound): [undef]
Jan  3 13:55:38 system openvpn[2097]: UDPv4 link remote: [AF_INET]45.74.63.3:53
Jan  3 13:55:38 system openvpn[2097]: TLS: Initial packet from [AF_INET]45.74.63.3:53, sid=daf41aff 3542d48e
Jan  3 13:55:38 system openvpn[2097]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan  3 13:55:39 system openvpn[2097]: VERIFY OK: depth=1, C=HK, ST=HK, L=HongKong, O=VPN, OU=IT, CN=VPN, name=VPN, emailAddress=mail@host.domain
Jan  3 13:55:39 system openvpn[2097]: Validating certificate key usage
Jan  3 13:55:39 system openvpn[2097]: ++ Certificate has key usage  00a0, expects 00a0
Jan  3 13:55:39 system openvpn[2097]: VERIFY KU OK
Jan  3 13:55:39 system openvpn[2097]: Validating certificate extended key usage
Jan  3 13:55:39 system openvpn[2097]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jan  3 13:55:39 system openvpn[2097]: VERIFY EKU OK
Jan  3 13:55:39 system openvpn[2097]: VERIFY OK: depth=0, C=HK, ST=HK, L=HongKong, O=VPN, OU=IT, CN=VPN, name=VPN, emailAddress=mail@host.domain
Jan  3 13:55:41 system openvpn[2097]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
Jan  3 13:55:41 system openvpn[2097]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jan  3 13:55:41 system openvpn[2097]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan  3 13:55:41 system openvpn[2097]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  3 13:55:41 system openvpn[2097]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan  3 13:55:41 system openvpn[2097]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  3 13:55:41 system openvpn[2097]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan  3 13:55:41 system openvpn[2097]: [VPN] Peer Connection Initiated with [AF_INET]45.74.63.3:53
Jan  3 13:55:43 system openvpn[2097]: SENT CONTROL [VPN]: 'PUSH_REQUEST' (status=1)
Jan  3 13:55:43 system openvpn[2097]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 45.74.63.4,dhcp-option DNS 8.8.4.4,sndbuf 393216,rcvbuf 393216,route-gateway 45.74.63.129,topology subnet,ping 10,ping-restart 120,ifconfig 45.74.63.133 255.255.255.192'
Jan  3 13:55:43 system openvpn[2097]: OPTIONS IMPORT: timers and/or timeouts modified
Jan  3 13:55:43 system openvpn[2097]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jan  3 13:55:43 system openvpn[2097]: Socket Buffers: R=[212992->425984] S=[212992->425984]
Jan  3 13:55:43 system openvpn[2097]: OPTIONS IMPORT: --ifconfig/up options modified
Jan  3 13:55:43 system openvpn[2097]: OPTIONS IMPORT: route options modified
Jan  3 13:55:43 system openvpn[2097]: OPTIONS IMPORT: route-related options modified
Jan  3 13:55:43 system openvpn[2097]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan  3 13:55:43 system openvpn[2097]: ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=net0 HWADDR=00:11:22:33:44:55
Jan  3 13:55:43 system openvpn[2097]: TUN/TAP device tun0 opened
Jan  3 13:55:43 system openvpn[2097]: TUN/TAP TX queue length set to 100
Jan  3 13:55:43 system openvpn[2097]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan  3 13:55:43 system openvpn[2097]: /bin/ifconfig tun0 45.74.63.133 netmask 255.255.255.192 mtu 1500 broadcast 45.74.63.191
Jan  3 13:55:43 system openvpn[2097]: /etc/openvpn/up.sh tun0 1500 1557 45.74.63.133 255.255.255.192 init
Jan  3 13:55:45 system openvpn[2097]: /bin/route add -net 45.74.63.3 netmask 255.255.255.255 gw 192.168.0.1
Jan  3 13:55:45 system openvpn[2097]: /bin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 45.74.63.129
Jan  3 13:55:45 system openvpn[2097]: /bin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 45.74.63.129
Jan  3 13:55:45 system openvpn[2097]: /bin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 45.74.63.129
Jan  3 13:55:45 system openvpn[2097]: Initialization Sequence Completed
Jan  3 13:55:45 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:55:45 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:55:48 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:55:50 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:55:53 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:55:55 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:55:55 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:56:00 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:56:00 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:56:03 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:56:05 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:56:05 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:56:08 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:56:10 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:56:10 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:56:13 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:56:15 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:56:16 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:56:18 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:56:21 system openvpn[2097]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 13:56:21 system openvpn[2097]: NOTE: --mute triggered...
Jan  3 13:58:14 system openvpn[2097]: 75 variation(s) on previous 20 message(s) suppressed by --mute
Jan  3 13:58:14 system openvpn[2097]: SIGTERM received, sending exit notification to peer
Jan  3 13:58:16 system openvpn[2097]: /bin/route del -net 0.0.0.0 netmask 0.0.0.0
Jan  3 13:58:16 system openvpn[2097]: /bin/route del -net 45.74.63.3 netmask 255.255.255.255
Jan  3 13:58:16 system openvpn[2097]: /bin/route del -net 0.0.0.0 netmask 128.0.0.0
Jan  3 13:58:16 system openvpn[2097]: /bin/route del -net 128.0.0.0 netmask 128.0.0.0
Jan  3 13:58:16 system openvpn[2097]: /etc/openvpn/down.sh tun0 1500 1557 45.74.63.133 255.255.255.192 init
Jan  3 13:58:16 system openvpn[2097]: Closing TUN/TAP interface
Jan  3 13:58:16 system openvpn[2097]: /bin/ifconfig tun0 0.0.0.0
Jan  3 13:58:16 system openvpn[2097]: SIGTERM[soft,exit-with-notification] received, process exiting
```

The device is created:

```
$ /bin/ifconfig
[...]
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 45.74.63.133  netmask 255.255.255.192  destination 45.74.63.133
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 25  overruns 0  frame 0
        TX packets 47  bytes 3900 (3.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

Routing table with VPN "active" (unable to send or receive any traffic):

```
$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         45.74.63.129    128.0.0.0       UG    0      0        0 tun0
default         45.74.63.129    0.0.0.0         UG    0      0        0 tun0
default         192.168.0.1     0.0.0.0         UG    3      0        0 net0
45.74.63.3      192.168.0.1     255.255.255.255 UGH   0      0        0 net0
45.74.63.128    0.0.0.0         255.255.255.192 U     0      0        0 tun0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
128.0.0.0       45.74.63.129    128.0.0.0       UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 net0
```

Don't understand the purpose of the 128.0.0.0 route, and why are there two default gateways - that doesn't look right? Also, 45.74.63.3 is not in the same subnet as 45.74.63.133 (with a 255.255.255.192 netmask).

Any ideas that would get this working would be greatly appreciated. Thank you in advance.

Last edited by curmudgeon on Tue Jan 03, 2017 5:10 pm; edited 1 time in total

----------

## bbgermany

Hi,

could you please remove the following lines from your config:

```
redirect-gateway
route 0.0.0.0 0.0.0.0
route-delay 2
route-method exe
```

and add the following instead:

```
pull
```

Please post the log afterwards again.

Thank you and greets, bb

----------

## curmudgeon

Logs from /var/log/messages:

```
Jan  3 16:51:23 system openvpn[3019]: OpenVPN 2.3.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [EPOLL] [MH] [IPv6] built on Sep 17 2016
Jan  3 16:51:23 system openvpn[3019]: library versions: OpenSSL 1.0.2j  26 Sep 2016
Jan  3 16:51:41 system openvpn[3024]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan  3 16:51:41 system openvpn[3024]: Control Channel Authentication: tls-auth using INLINE static key file
Jan  3 16:51:41 system openvpn[3024]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  3 16:51:41 system openvpn[3024]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  3 16:51:41 system openvpn[3024]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jan  3 16:51:41 system openvpn[3024]: UDPv4 link local (bound): [undef]
Jan  3 16:51:41 system openvpn[3024]: UDPv4 link remote: [AF_INET]45.74.63.3:53
Jan  3 16:51:41 system openvpn[3024]: TLS: Initial packet from [AF_INET]45.74.63.3:53, sid=472ad2af fc6d09d0
Jan  3 16:51:41 system openvpn[3024]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan  3 16:51:41 system openvpn[3024]: VERIFY OK: depth=1, C=HK, ST=HK, L=HongKong, O=VPN, OU=IT, CN=VPN, name=VPN, emailAddress=mail@host.domain
Jan  3 16:51:41 system openvpn[3024]: Validating certificate key usage
Jan  3 16:51:41 system openvpn[3024]: ++ Certificate has key usage  00a0, expects 00a0
Jan  3 16:51:41 system openvpn[3024]: VERIFY KU OK
Jan  3 16:51:41 system openvpn[3024]: Validating certificate extended key usage
Jan  3 16:51:41 system openvpn[3024]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jan  3 16:51:41 system openvpn[3024]: VERIFY EKU OK
Jan  3 16:51:41 system openvpn[3024]: VERIFY OK: depth=0, C=HK, ST=HK, L=HongKong, O=VPN, OU=IT, CN=VPN, name=VPN, emailAddress=mail@host.domain
Jan  3 16:51:43 system openvpn[3024]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
Jan  3 16:51:43 system openvpn[3024]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jan  3 16:51:43 system openvpn[3024]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan  3 16:51:43 system openvpn[3024]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  3 16:51:43 system openvpn[3024]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan  3 16:51:43 system openvpn[3024]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  3 16:51:43 system openvpn[3024]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan  3 16:51:43 system openvpn[3024]: [VPN] Peer Connection Initiated with [AF_INET]45.74.63.3:53
Jan  3 16:51:45 system openvpn[3024]: SENT CONTROL [VPN]: 'PUSH_REQUEST' (status=1)
Jan  3 16:51:45 system openvpn[3024]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 45.74.63.4,dhcp-option DNS 8.8.4.4,sndbuf 393216,rcvbuf 393216,route-gateway 45.74.63.129,topology subnet,ping 10,ping-restart 120,ifconfig 45.74.63.139 255.255.255.192'
Jan  3 16:51:45 system openvpn[3024]: OPTIONS IMPORT: timers and/or timeouts modified
Jan  3 16:51:45 system openvpn[3024]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jan  3 16:51:45 system openvpn[3024]: Socket Buffers: R=[212992->425984] S=[212992->425984]
Jan  3 16:51:45 system openvpn[3024]: OPTIONS IMPORT: --ifconfig/up options modified
Jan  3 16:51:45 system openvpn[3024]: OPTIONS IMPORT: route options modified
Jan  3 16:51:45 system openvpn[3024]: OPTIONS IMPORT: route-related options modified
Jan  3 16:51:45 system openvpn[3024]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan  3 16:51:45 system openvpn[3024]: ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=net0 HWADDR=00:11:22:33:44:55
Jan  3 16:51:45 system openvpn[3024]: TUN/TAP device tun0 opened
Jan  3 16:51:45 system openvpn[3024]: TUN/TAP TX queue length set to 100
Jan  3 16:51:45 system openvpn[3024]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan  3 16:51:45 system openvpn[3024]: /bin/ifconfig tun0 45.74.63.139 netmask 255.255.255.192 mtu 1500 broadcast 45.74.63.191
Jan  3 16:51:45 system openvpn[3024]: /etc/openvpn/up.sh tun0 1500 1557 45.74.63.139 255.255.255.192 init
Jan  3 16:51:45 system openvpn[3024]: /bin/route add -net 45.74.63.3 netmask 255.255.255.255 gw 192.168.0.1
Jan  3 16:51:45 system openvpn[3024]: /bin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 45.74.63.129
Jan  3 16:51:45 system openvpn[3024]: /bin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 45.74.63.129
Jan  3 16:51:45 system openvpn[3024]: Initialization Sequence Completed
Jan  3 16:51:46 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:51:46 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:51:46 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:51:49 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:51:49 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:51:52 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:51:52 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:51:52 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:51:54 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:51:54 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:51:57 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:51:57 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:51:59 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:51:59 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:52:02 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:52:02 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:52:04 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:52:04 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:52:04 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:52:07 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:52:09 system openvpn[3024]: NOTE: --mute triggered...
Jan  3 16:53:58 system openvpn[3024]: 88 variation(s) on previous 20 message(s) suppressed by --mute
Jan  3 16:53:58 system openvpn[3024]: SIGTERM received, sending exit notification to peer
Jan  3 16:53:59 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:53:59 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:54:00 system openvpn[3024]: /bin/route del -net 45.74.63.3 netmask 255.255.255.255
Jan  3 16:54:00 system openvpn[3024]: /bin/route del -net 0.0.0.0 netmask 128.0.0.0
Jan  3 16:54:00 system openvpn[3024]: /bin/route del -net 128.0.0.0 netmask 128.0.0.0
Jan  3 16:54:00 system openvpn[3024]: /etc/openvpn/down.sh tun0 1500 1557 45.74.63.139 255.255.255.192 init
Jan  3 16:54:00 system openvpn[3024]: Closing TUN/TAP interface
Jan  3 16:54:00 system openvpn[3024]: /bin/ifconfig tun0 0.0.0.0
Jan  3 16:54:00 system openvpn[3024]: SIGTERM[soft,exit-with-notification] received, process exiting
```

Routing table is slightly different (the second default route is gone), but I still can't send or receive traffic:

```
$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         45.74.63.129    128.0.0.0       UG    0      0        0 tun0
default         192.168.0.1     0.0.0.0         UG    3      0        0 net0
45.74.63.3      192.168.0.1     255.255.255.255 UGH   0      0        0 net0
45.74.63.128    0.0.0.0         255.255.255.192 U     0      0        0 tun0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
128.0.0.0       45.74.63.129    128.0.0.0       UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 net0
```

Last edited by curmudgeon on Wed Jan 04, 2017 9:05 am; edited 1 time in total
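
Added example (editorial, not part of curmudgeon's post): the `redirect-gateway def1` option in the pushed PUSH_REPLY is what installs the 0.0.0.0/1 and 128.0.0.0/1 routes, which override the existing default route by being more specific instead of replacing it. This Python sketch parses the routing table posted above and applies longest-prefix matching to it; the name map for `default`, `loopback` and `localhost` and the function names are assumptions made for the example.

```python
import ipaddress

# Routing table as posted above (second attempt, tun0 up), printed by `route`.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         45.74.63.129    128.0.0.0       UG    0      0        0 tun0
default         192.168.0.1     0.0.0.0         UG    3      0        0 net0
45.74.63.3      192.168.0.1     255.255.255.255 UGH   0      0        0 net0
45.74.63.128    0.0.0.0         255.255.255.192 U     0      0        0 tun0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
128.0.0.0       45.74.63.129    128.0.0.0       UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 net0
"""

# Assumption: `route` without -n printed these names in place of addresses.
NAMES = {"default": "0.0.0.0", "loopback": "127.0.0.0", "localhost": "127.0.0.1"}


def parse_routes(text):
    """Turn `route` output into a list of dicts with an ipaddress network each."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue  # title line, column header, or anything malformed
        dest, gw, mask, _flags, metric, _ref, _use, iface = fields
        # Count the set bits of the dotted netmask to get the prefix length.
        prefixlen = bin(int(ipaddress.IPv4Address(mask))).count("1")
        net = ipaddress.ip_network(f"{NAMES.get(dest, dest)}/{prefixlen}")
        routes.append({"net": net, "gw": NAMES.get(gw, gw),
                       "metric": int(metric), "iface": iface})
    return routes


def lookup(routes, dst):
    """Pick the route for dst: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["net"]]
    if not hits:
        return None
    return min(hits, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def on_link(routes, dst, iface):
    """True if dst is directly reachable on iface (a route with no gateway)."""
    addr = ipaddress.ip_address(dst)
    return any(r["iface"] == iface and r["gw"] == "0.0.0.0" and addr in r["net"]
               for r in routes)


if __name__ == "__main__":
    table = parse_routes(ROUTE_OUTPUT)
    for dst in ("8.8.4.4", "200.1.2.3", "45.74.63.3", "45.74.63.129", "192.168.0.10"):
        r = lookup(table, dst)
        print(f"{dst:15} -> {str(r['net']):18} via {r['gw']:13} dev {r['iface']}")
    # With the tunnel routes gone, the untouched metric-3 default takes over again.
    down = [r for r in table if r["iface"] != "tun0"]
    print("tunnel down, 8.8.4.4 ->", lookup(down, "8.8.4.4")["iface"])
    # The VPN server itself is outside the tunnel subnet, hence its /32 via the LAN.
    print("45.74.63.3 on-link on tun0:", on_link(table, "45.74.63.3", "tun0"))
```

The /32 host route for the VPN server via 192.168.0.1 keeps the encrypted UDP packets themselves from being routed into the tunnel, which is why 45.74.63.3 does not need to sit in the 255.255.255.192 tunnel subnet.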

----------

## szatox

Your last routing table looks reasonable.

This looks like trouble:

 *Quote:*   

> openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)

I'd try switching from TUN to TAP first :) You may find some hints in the logs.

----------

## bbgermany

 *szatox wrote:*   

> Your last routing table looks reasonable.
> 
> This looks like trouble:
> 
>  *Quote:*   openvpn[3024]: write to TUN/TAP : Invalid argument (code=22) 
> ...

This won't help fix this issue. According to a lot of Google entries, comp-lzo is the problem.

Please add to your config file the following line:

```
comp-lzo
```

and try again. Also check for the permissions on /dev/tun. Sometimes they can be the problem as well.

greets, bb
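
Added example (editorial, not written by the thread's posters or the OpenVPN project): a Python pass over syslog lines in the format posted above that groups OpenVPN messages by PID and pairs the option-mismatch warnings with the TUN/TAP write failures. The sample log is constructed from lines quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, assembled from log lines quoted in the thread.
SAMPLE_LOG = """\
Jan  3 16:51:43 system openvpn[3024]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
Jan  3 16:51:43 system openvpn[3024]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jan  3 16:51:45 system openvpn[3024]: Initialization Sequence Completed
Jan  3 16:51:46 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:51:46 system openvpn[3024]: write to TUN/TAP : Invalid argument (code=22)
Jan  3 16:52:09 system openvpn[3024]: NOTE: --mute triggered...
Jan  3 16:53:58 system openvpn[3024]: 88 variation(s) on previous 20 message(s) suppressed by --mute
Jan  4 00:27:32 system openvpn[4851]: WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Jan  4 00:27:32 system openvpn[4851]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jan  4 00:27:35 system openvpn[4851]: Initialization Sequence Completed
Jan  4 00:28:32 system kernel: CPU3: Core temperature/speed normal
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+openvpn\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
INCONSISTENT = re.compile(r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
                          r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
ONE_SIDED = re.compile(r"WARNING: '(?P<opt>[^']+)' is present in (?P<has>remote|local) config "
                       r"but missing in (?P<lacks>remote|local) config")
WRITE_FAIL = re.compile(r"write to TUN/TAP : .*\(code=(?P<code>\d+)\)")
SUPPRESSED = re.compile(r"(?P<n>\d+) variation\(s\) on previous \d+ message\(s\) suppressed by --mute")


def analyze(log_text):
    """Group OpenVPN syslog lines by PID and collect mismatch and write-failure facts."""
    sessions = defaultdict(lambda: {"inconsistent": {}, "missing_local": [],
                                    "missing_remote": [], "completed": False,
                                    "write_errors": 0, "suppressed": 0})
    for raw in log_text.splitlines():
        line = SYSLOG.match(raw.strip())
        if not line:
            continue  # not an openvpn line (for example kernel messages)
        s, msg = sessions[line["pid"]], line["msg"]
        if (m := INCONSISTENT.search(msg)):
            s["inconsistent"][m["opt"]] = (m["local"], m["remote"])
        elif (m := ONE_SIDED.search(msg)):
            s["missing_" + m["lacks"]].append(m["opt"])
        elif "Initialization Sequence Completed" in msg:
            s["completed"] = True
        elif WRITE_FAIL.search(msg):
            s["write_errors"] += 1
        elif (m := SUPPRESSED.search(msg)):
            s["suppressed"] += int(m["n"])  # messages hidden by the `mute` option
    return dict(sessions)


def diagnose(session):
    """Turn one session's facts into short findings worth reading first."""
    findings = []
    for opt in session["missing_local"]:
        findings.append(f"server uses '{opt}' but the client config does not")
    for opt in session["missing_remote"]:
        findings.append(f"client uses '{opt}' but the server does not")
    if "dev-type" in session["inconsistent"]:
        local, remote = session["inconsistent"]["dev-type"]
        findings.append(f"device type differs: {local!r} locally, {remote!r} on the server")
    if session["completed"] and session["write_errors"]:
        findings.append(f"tunnel came up but {session['write_errors']} TUN/TAP writes failed"
                        f" ({session['suppressed']} further messages muted)")
    return findings


if __name__ == "__main__":
    for pid, session in analyze(SAMPLE_LOG).items():
        print(f"openvpn[{pid}]")
        for finding in diagnose(session):
            print("  -", finding)
```

Because `mute 20` hides repeats after the first 20, the count of logged write failures is a lower bound; the "variation(s) ... suppressed" line gives the number of hidden messages.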

----------

## curmudgeon

 *szatox wrote:*   

> Your last routing table looks reasonable.
> 
> This looks like trouble:
> 
>  *Quote:*   openvpn[3024]: write to TUN/TAP : Invalid argument (code=22) 
> ...

 

Ended up with less information than before:

Log:

```
Jan  4 00:27:09 system openvpn[4846]: OpenVPN 2.3.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [EPOLL] [MH] [IPv6] built on Sep 17 2016
Jan  4 00:27:09 system openvpn[4846]: library versions: OpenSSL 1.0.2j  26 Sep 2016
Jan  4 00:27:30 system openvpn[4851]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan  4 00:27:30 system openvpn[4851]: Control Channel Authentication: tls-auth using INLINE static key file
Jan  4 00:27:30 system openvpn[4851]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  4 00:27:30 system openvpn[4851]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  4 00:27:30 system openvpn[4851]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jan  4 00:27:30 system /etc/init.d/openvpn.purevpn-lax[4821]: WARNING: openvpn.purevpn-lax has started, but is inactive
Jan  4 00:27:30 system openvpn[4851]: UDPv4 link local (bound): [undef]
Jan  4 00:27:30 system openvpn[4851]: UDPv4 link remote: [AF_INET]172.111.235.2:53
Jan  4 00:27:31 system openvpn[4851]: TLS: Initial packet from [AF_INET]172.111.235.2:53, sid=cdc412ca 803bceea
Jan  4 00:27:31 system openvpn[4851]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan  4 00:27:31 system openvpn[4851]: VERIFY OK: depth=1, C=HK, ST=HK, L=HongKong, O=VPN, OU=IT, CN=VPN, name=VPN, emailAddress=mail@host.domain
Jan  4 00:27:31 system openvpn[4851]: Validating certificate key usage
Jan  4 00:27:31 system openvpn[4851]: ++ Certificate has key usage  00a0, expects 00a0
Jan  4 00:27:31 system openvpn[4851]: VERIFY KU OK
Jan  4 00:27:31 system openvpn[4851]: Validating certificate extended key usage
Jan  4 00:27:31 system openvpn[4851]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jan  4 00:27:31 system openvpn[4851]: VERIFY EKU OK
Jan  4 00:27:31 system openvpn[4851]: VERIFY OK: depth=0, C=HK, ST=HK, L=HongKong, O=VPN, OU=IT, CN=VPN, name=VPN, emailAddress=mail@host.domain
Jan  4 00:27:32 system openvpn[4851]: WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Jan  4 00:27:32 system openvpn[4851]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1589', remote='link-mtu 1558'
Jan  4 00:27:32 system openvpn[4851]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Jan  4 00:27:32 system openvpn[4851]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jan  4 00:27:32 system openvpn[4851]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan  4 00:27:32 system openvpn[4851]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  4 00:27:32 system openvpn[4851]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan  4 00:27:32 system openvpn[4851]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  4 00:27:32 system openvpn[4851]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan  4 00:27:32 system openvpn[4851]: [VPN] Peer Connection Initiated with [AF_INET]172.111.235.2:53
Jan  4 00:27:34 system openvpn[4851]: SENT CONTROL [VPN]: 'PUSH_REQUEST' (status=1)
Jan  4 00:27:35 system openvpn[4851]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 172.111.235.3,dhcp-option DNS 8.8.4.4,sndbuf 393216,rcvbuf 393216,route-gateway 172.111.235.97,topology subnet,ping 10,ping-restart 120,ifconfig 172.111.235.103 255.255.255.224'
Jan  4 00:27:35 system openvpn[4851]: OPTIONS IMPORT: timers and/or timeouts modified
Jan  4 00:27:35 system openvpn[4851]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jan  4 00:27:35 system openvpn[4851]: Socket Buffers: R=[212992->425984] S=[212992->425984]
Jan  4 00:27:35 system openvpn[4851]: OPTIONS IMPORT: --ifconfig/up options modified
Jan  4 00:27:35 system openvpn[4851]: OPTIONS IMPORT: route options modified
Jan  4 00:27:35 system openvpn[4851]: OPTIONS IMPORT: route-related options modified
Jan  4 00:27:35 system openvpn[4851]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan  4 00:27:35 system openvpn[4851]: ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=net0 HWADDR=00:11:22:33:44:55
Jan  4 00:27:35 system openvpn[4851]: TUN/TAP device tap0 opened
Jan  4 00:27:35 system openvpn[4851]: TUN/TAP TX queue length set to 100
Jan  4 00:27:35 system openvpn[4851]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan  4 00:27:35 system openvpn[4851]: /bin/ifconfig tap0 172.111.235.103 netmask 255.255.255.224 mtu 1500 broadcast 172.111.235.127
Jan  4 00:27:35 system openvpn[4851]: /etc/openvpn/up.sh tap0 1500 1589 172.111.235.103 255.255.255.224 init
Jan  4 00:27:35 system openvpn[4851]: /bin/route add -net 172.111.235.2 netmask 255.255.255.255 gw 192.168.0.1
Jan  4 00:27:35 system openvpn[4851]: /bin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 172.111.235.97
Jan  4 00:27:35 system openvpn[4851]: /bin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 172.111.235.97
Jan  4 00:27:35 system openvpn[4851]: Initialization Sequence Completed
Jan  4 00:28:32 system kernel: CPU3: Core temperature/speed normal
Jan  4 00:31:32 system openvpn[4851]: event_wait : Interrupted system call (code=4)
Jan  4 00:31:32 system openvpn[4851]: SIGTERM received, sending exit notification to peer
Jan  4 00:31:34 system openvpn[4851]: /bin/route del -net 172.111.235.2 netmask 255.255.255.255
Jan  4 00:31:34 system openvpn[4851]: /bin/route del -net 0.0.0.0 netmask 128.0.0.0
Jan  4 00:31:34 system openvpn[4851]: /bin/route del -net 128.0.0.0 netmask 128.0.0.0
Jan  4 00:31:34 system openvpn[4851]: /etc/openvpn/down.sh tap0 1500 1589 172.111.235.103 255.255.255.224 init
Jan  4 00:31:34 system openvpn[4851]: Closing TUN/TAP interface
Jan  4 00:31:34 system openvpn[4851]: /bin/ifconfig tap0 0.0.0.0
Jan  4 00:31:34 system openvpn[4851]: SIGTERM[soft,exit-with-notification] received, process exiting
```

Ifconfig:

```
tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.111.235.103  netmask 255.255.255.224  broadcast 172.111.235.127
        inet6 fe80::e46f:4dff:fe42:3b14  prefixlen 64  scopeid 0x20<link>
        ether e6:6f:4d:42:3b:14  txqueuelen 100  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 168 (168.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

Route:

```
$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.111.235.97  128.0.0.0       UG    0      0        0 tap0
default         192.168.0.1     0.0.0.0         UG    3      0        0 net0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
128.0.0.0       172.111.235.97  128.0.0.0       UG    0      0        0 tap0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 net0
172.111.235.2   192.168.0.1     255.255.255.255 UGH   0      0        0 net0
172.111.235.96  0.0.0.0         255.255.255.224 U     0      0        0 tap0
```

Last edited by curmudgeon on Wed Jan 04, 2017 11:28 am; edited 1 time in total

----------

## curmudgeon

 *bbgermany wrote:*   

> This won't help fix this issue. According to a lot of Google entries, comp-lzo is the problem.
> 
> Please add to your config file the following line:
> 
> ...

 

That was not particularly successful. I guess I need to recompile openvpn.

```
# /etc/init.d/openvpn.vpn start
 * Starting openvpn.vpn ...
Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/vpn.conf:6: comp-lzo (2.3.12)
Use --help for more information.
 * start-stop-daemon: failed to start `/usr/sbin/openvpn'
 * Check your logs to see why startup failed                                                                                  [ !! ]
 * WARNING: openvpn.vpn has started, but is inactive
```

----------

## bbgermany

Yeah, please recompile with lzo support. I looked at your log, and it seems you are using PureVPN (am I right?). According to the "ubuntu-guide" comp-lzo is necessary! You should also consider adding the tls.key, the ca.crt and your certfile/key (if you got those) with the following options:

```
ca caert.crt
cert yourcert.crt
key yourkey.key
tls-auth yourtls.key 1
```

found at: https://webcache.googleusercontent.com/search?q=cache:gIa7zGDY1yAJ:https://support.purevpn.com/openvpn-configuration-guide-for-ubuntu+&cd=1&hl=de&ct=clnk&gl=de

Greets, bb

EDIT: Do not use the tap interface. Use the tun interface!

----------

## curmudgeon

 *bbgermany wrote:*   

> Yeah, please recompile with lzo support. I looked at your log, and it seems you are using PureVPN (am I right?). According to the "ubuntu-guide" comp-lzo is necessary! You should also consider adding the tls.key, the ca.crt and your certfile/key (if you got those) with the following options:
> 
> ```
> ca caert.crt
> ...
> ```

 

Recompiled. Yes, the provider is PureVPN (I do not recommend them). Saw that guide. Do not have Gnome. Do not want Gnome. Do not have networkmanager. Do not want networkmanager.

I have all of the external files inline (embedded in the configuration file) per the openvpn man page.

First, will post the usual

Log:

```
Jan  4 11:09:48 system openvpn[25413]: OpenVPN 2.3.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan  4 2017
Jan  4 11:09:48 system openvpn[25413]: library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.08
Jan  4 11:10:01 system openvpn[25438]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan  4 11:10:01 system openvpn[25438]: Control Channel Authentication: tls-auth using INLINE static key file
Jan  4 11:10:01 system openvpn[25438]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  4 11:10:01 system openvpn[25438]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  4 11:11:04 system openvpn[25438]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jan  4 11:11:04 system openvpn[25438]: UDPv4 link local (bound): [undef]
Jan  4 11:11:04 system openvpn[25438]: UDPv4 link remote: [AF_INET]45.74.61.2:53
Jan  4 11:11:05 system openvpn[25438]: TLS: Initial packet from [AF_INET]45.74.61.2:53, sid=02b7fbdf 3bf402cf
Jan  4 11:11:05 system openvpn[25438]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan  4 11:11:06 system openvpn[25438]: VERIFY OK: depth=1, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
Jan  4 11:11:06 system openvpn[25438]: Validating certificate key usage
Jan  4 11:11:06 system openvpn[25438]: ++ Certificate has key usage  00a0, expects 00a0
Jan  4 11:11:06 system openvpn[25438]: VERIFY KU OK
Jan  4 11:11:06 system openvpn[25438]: Validating certificate extended key usage
Jan  4 11:11:06 system openvpn[25438]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jan  4 11:11:06 system openvpn[25438]: VERIFY EKU OK
Jan  4 11:11:06 system openvpn[25438]: VERIFY OK: depth=0, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
Jan  4 11:11:08 system openvpn[25438]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan  4 11:11:08 system openvpn[25438]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  4 11:11:08 system openvpn[25438]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan  4 11:11:08 system openvpn[25438]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  4 11:11:08 system openvpn[25438]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan  4 11:11:08 system openvpn[25438]: [PureVPN] Peer Connection Initiated with [AF_INET]45.74.61.2:53
Jan  4 11:11:10 system openvpn[25438]: SENT CONTROL [PureVPN]: 'PUSH_REQUEST' (status=1)
Jan  4 11:11:12 system openvpn[25438]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 45.74.61.1,dhcp-option DNS 8.8.4.4,sndbuf 393216,rcvbuf 393216,route-gateway 45.74.61.193,topology subnet,ping 10,ping-restart 120,ifconfig 45.74.61.213 255.255.255.224'
Jan  4 11:11:12 system openvpn[25438]: OPTIONS IMPORT: timers and/or timeouts modified
Jan  4 11:11:12 system openvpn[25438]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jan  4 11:11:12 system openvpn[25438]: Socket Buffers: R=[212992->425984] S=[212992->425984]
Jan  4 11:11:12 system openvpn[25438]: OPTIONS IMPORT: --ifconfig/up options modified
Jan  4 11:11:12 system openvpn[25438]: OPTIONS IMPORT: route options modified
Jan  4 11:11:12 system openvpn[25438]: OPTIONS IMPORT: route-related options modified
Jan  4 11:11:12 system openvpn[25438]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan  4 11:11:12 system openvpn[25438]: ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=net0 HWADDR=00:11:22:33:44:55

Jan  4 11:11:12 system openvpn[25438]: TUN/TAP device tun0 opened

Jan  4 11:11:12 system openvpn[25438]: TUN/TAP TX queue length set to 100

Jan  4 11:11:12 system openvpn[25438]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0

Jan  4 11:11:12 system openvpn[25438]: /bin/ifconfig tun0 45.74.61.213 netmask 255.255.255.224 mtu 1500 broadcast 45.74.61.223

Jan  4 11:11:12 system openvpn[25438]: /etc/openvpn/up.sh tun0 1500 1558 45.74.61.213 255.255.255.224 init

Jan  4 11:11:12 system openvpn[25438]: /bin/route add -net 45.74.61.2 netmask 255.255.255.255 gw 192.168.0.1

Jan  4 11:11:12 system openvpn[25438]: /bin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 45.74.61.193

Jan  4 11:11:12 system openvpn[25438]: /bin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 45.74.61.193

Jan  4 11:11:12 system openvpn[25438]: Initialization Sequence Completed

Jan  4 11:15:18 system openvpn[25438]: event_wait : Interrupted system call (code=4)

Jan  4 11:15:18 system openvpn[25438]: SIGTERM received, sending exit notification to peer

Jan  4 11:15:21 system openvpn[25438]: /bin/route del -net 45.74.61.2 netmask 255.255.255.255

Jan  4 11:15:21 system openvpn[25438]: /bin/route del -net 0.0.0.0 netmask 128.0.0.0

Jan  4 11:15:21 system openvpn[25438]: /bin/route del -net 128.0.0.0 netmask 128.0.0.0

Jan  4 11:15:21 system openvpn[25438]: /etc/openvpn/down.sh tun0 1500 1558 45.74.61.213 255.255.255.224 init

Jan  4 11:15:21 system openvpn[25438]: Closing TUN/TAP interface

Jan  4 11:15:21 system openvpn[25438]: /bin/ifconfig tun0 0.0.0.0

Jan  4 11:15:21 system openvpn[25438]: SIGTERM[soft,exit-with-notification] received, process exiting

```

Ifconfig:

```

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500

        inet 45.74.61.213  netmask 255.255.255.224  destination 45.74.61.213

        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)

        RX packets 43  bytes 3341 (3.2 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 35  bytes 2784 (2.7 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

```

Side question - are inet and destination supposed to be the same? Looks wrong to me.

Route:

```

$ route

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

0.0.0.0         45.74.61.193    128.0.0.0       UG    0      0        0 tun0

default         192.168.0.1     0.0.0.0         UG    0      0        0 net0

45.74.61.2      192.168.0.1     255.255.255.255 UGH   0      0        0 net0

45.74.61.192    0.0.0.0         255.255.255.224 U     0      0        0 tun0

loopback        localhost       255.0.0.0       UG    0      0        0 lo

128.0.0.0       45.74.61.193    128.0.0.0       UG    0      0        0 tun0

192.168.0.1     0.0.0.0         255.255.255.0   U     0      0        0 net0

```

That still looks wrong (45.74.61.2 is not on the same subnet as 45.74.61.192/255.255.255.224).

Is there any reason for making two routes (0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0) instead of just 0.0.0.0/0.0.0.0?

One more question here - what is supposed to happen with DNS? I see the push option for it in the log, but it is not taking effect. Is the script supposed to reset resolv.conf (like dhcp does)?

It does seem there was a connection established, but it is completely unusable:

```

$ ping 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=221 ms

64 bytes from 8.8.8.8: icmp_seq=9 ttl=45 time=221 ms

64 bytes from 8.8.8.8: icmp_seq=13 ttl=45 time=221 ms

64 bytes from 8.8.8.8: icmp_seq=14 ttl=45 time=221 ms

64 bytes from 8.8.8.8: icmp_seq=16 ttl=45 time=220 ms

64 bytes from 8.8.8.8: icmp_seq=17 ttl=45 time=222 ms

64 bytes from 8.8.8.8: icmp_seq=19 ttl=45 time=220 ms

64 bytes from 8.8.8.8: icmp_seq=20 ttl=45 time=220 ms

64 bytes from 8.8.8.8: icmp_seq=28 ttl=45 time=221 ms

^C

--- 8.8.8.8 ping statistics ---

29 packets transmitted, 9 received, 68% packet loss, time 28062ms

rtt min/avg/max/mdev = 220.172/221.169/222.280/0.781 ms

```

----------

## bbgermany

Hi,

You don't need gnome or even, like in the guide, unity. It's just for picking the correct options for your config file. You could try using traceroute instead of ping to check whether your traffic is going through the tunnel instead of your normal interface.

As for your inet/destination output, I'm not really sure whether it's correct or not. I'll check when I'm home; I can try it out with a connection there.

For DNS, check /etc/resolv.conf. Maybe it's modified by openvpn.

greets, bb

----------

## curmudgeon

 *bbgermany wrote:*   

> You don't need gnome or even, like in the guide, unity. It's just for picking the correct options for your config file. You could try using traceroute instead of ping to check whether your traffic is going through the tunnel instead of your normal interface.
> 
> As for your inet/destination output, I'm not really sure whether it's correct or not. I'll check when I'm home; I can try it out with a connection there.
> 
> For DNS, check /etc/resolv.conf. Maybe it's modified by openvpn.
> ...

 

I am more convinced than ever that there is some problem on their end.

This is what the device (and routing table) SHOULD look like (using a different provider):

```

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500

        inet 10.10.6.22  netmask 255.255.255.255  destination 10.10.6.21

        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 2  bytes 116 (116.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

$ /bin/route

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

default         10.10.6.21      0.0.0.0         UG    0      0        0 tun0

10.10.6.1       10.10.6.21      255.255.255.255 UGH   0      0        0 tun0

10.10.6.21      0.0.0.0         255.255.255.255 UH    0      0        0 tun0

104.247.220.10  192.168.0.1     255.255.255.255 UGH   0      0        0 net0

loopback        localhost       255.0.0.0       UG    0      0        0 lo

192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 net0

```

I found the option (in /etc/conf.d/openvpn) to control whether or not openvpn updates resolv.conf.

----------

## szatox

 *Quote:*   

> Is there any reason for making two routes (0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0) instead of just 0.0.0.0/0.0.0.0?

 Yes. Routes with longer masks are prioritized over routes with shorter masks. This allows you to shadow your actual default route out when you're connected to VPN and then restore the old setting. The single host route (mask 32) has the longest mask possible and will always be prioritized over anything else, which lets you maintain the tunnel over the public network rather than tunnel it in your tunnel in your tunnel in your tunnel in your [[ TTL=0 -> DROP ]]
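The route selection described in the reply above, worked through on the routing table posted earlier in the thread. This is an added example, not code from any poster; the probe addresses and the helper names (`parse_routes`, `lookup`, `describe`) are constructed for illustration.

```python
import ipaddress

# Routing table copied from the thread (`route` output with the VPN up).
ROUTE_OUTPUT = """\
0.0.0.0         45.74.61.193    128.0.0.0       UG    0      0        0 tun0
default         192.168.0.1     0.0.0.0         UG    0      0        0 net0
45.74.61.2      192.168.0.1     255.255.255.255 UGH   0      0        0 net0
45.74.61.192    0.0.0.0         255.255.255.224 U     0      0        0 tun0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
128.0.0.0       45.74.61.193    128.0.0.0       UG    0      0        0 tun0
192.168.0.1     0.0.0.0         255.255.255.0   U     0      0        0 net0
"""

# Names that `route` prints in place of numeric addresses.
NAMES = {"default": "0.0.0.0", "loopback": "127.0.0.0", "localhost": "127.0.0.1"}


def parse_routes(text):
    """Return a list of (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = fields
        # strict=False clears host bits: the table lists 192.168.0.1 with a /24 mask.
        net = ipaddress.ip_network(f"{NAMES.get(dest, dest)}/{mask}", strict=False)
        routes.append((net, NAMES.get(gw, gw), int(metric), iface))
    return routes


def lookup(routes, addr):
    """Longest-prefix match; a lower metric breaks ties between equal prefixes."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2])) if matches else None


def describe(routes, addr):
    net, gw, _metric, iface = lookup(routes, addr)
    via = "on-link" if gw == "0.0.0.0" else f"via {gw}"
    return f"{addr} -> {net} {via} dev {iface}"


if __name__ == "__main__":
    up = parse_routes(ROUTE_OUTPUT)
    # Constructed probes: public host, VPN server, tunnel subnet, upper half, LAN.
    for probe in ("8.8.8.8", "45.74.61.2", "45.74.61.200", "200.1.1.1", "192.168.0.50"):
        print(describe(up, probe))
    # With the tun0 routes gone, the untouched default route applies again.
    down = [r for r in up if r[3] != "tun0"]
    print(describe(down, "8.8.8.8"))
```

The same lookup shows that an address on the local LAN, such as a resolver at 192.168.0.1, still matches the /24 on net0, so queries sent to it do not enter the tunnel.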

----------

## bbgermany

 *curmudgeon wrote:*   

> ...
> 
> This is what the device (and routing table) SHOULD look like (using a different provider):
> 
> ```
> ...

 

As you can see with the different provider, you only have one default route instead of two. Have you checked the traffic path via traceroute already? This should show you which hops/gateways are used for accessing the destination server.

I have an IPv6 provider, and for v4 it looks like this:

```

root@server:~# traceroute 8.8.8.8 -n

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets

 1  192.168.0.254  0.471 ms  0.604 ms  0.780 ms

 2  192.168.0.254  1.076 ms  1.701 ms  1.962 ms

root@server:~#

```

For IPv6 via a tunnel:

```

root@server:~# traceroute6  2a00:1450:4001:817::2003 -n

»traceroute« zu 2a00:1450:4001:817::2003 (2a00:1450:4001:817::2003) von IPV6-Adress, Port 33434, von Port 50331, maximal 30 Sprünge, 60 Byte Pakete

 1  2001:6f8:900:XXXX  22.712 ms  22.681 ms  22.783 ms

 2  2001:6f8:862:1::c2e9:c729  22.839 ms  22.812 ms  23.149 ms

 3  2001:6f8:862:1::c2e9:c72c  23.643 ms  23.177 ms  23.371 ms

 4  2001:7f8::1b1b:0:1  43.154 ms  32.918 ms  89.490 ms

 5  2001:7f8::3b41:0:1  33.071 ms  32.798 ms  33.663 ms

 6  2001:4860:0:1::19f7  33.425 ms  33.719 ms  33.592 ms

 7  2001:4860:0:1::1b39  33.922 ms  33.630 ms  33.218 ms

 8  2a00:1450:4001:817::2003  33.499 ms  33.510 ms  33.046 ms

root@server:~# 

```

As you can see, it uses different gateways (please ignore that one is IPv4 and one is IPv6, it's just for demonstration).

greets, bb

----------

