openvpn icon indicating copy to clipboard operation
openvpn copied to clipboard

Published 20 hours ago verified publisher icon OpenVPN

OpenVPN Removes Existing Routes on the Wrong Interface on Disconnect

Open nbauernfeind opened this issue 1 year ago • 2 comments

Description: If I connect to the vpn from inside of the vpn network, then the routing table is left broken after disconnect.

To Reproduce:

  1. Look for the existing route:
$  sudo netstat -rn | grep "10.10/22"
10.10/22           link#15            UCS               en0      !
  1. connect to vpn; note that it fails to add a route for 10.10/22:
$ sudo netstat -rn | grep -e utun5 -e "10.10/22"
10.10/22           link#15            UCS               en0      !
10.10.5/24         10.10.5.5          UGSc            utun5
10.10.5.1/32       10.10.5.5          UGSc            utun5
10.10.5.5          10.10.5.6          UH              utun5
  1. disconnect from vpn; now the en0 route is completely missing
$ sudo netstat -rn | grep -e utun5 -e "10.10/22"

Note that if I connect once more, it successfully adds the route to utun5:

$ sudo netstat -rn | grep -e utun5 -e "10.10/22"
10.10/22           10.10.5.5          UGSc            utun5
10.10.5/24         10.10.5.5          UGSc            utun5
10.10.5.1/32       10.10.5.5          UGSc            utun5
10.10.5.5          10.10.5.6          UH              utun5

Expected behavior: When disconnecting from the vpn, only remove routes that belong to the utun interface. One could argue they want the vpn route to actually go through the vpn while connected and then restore the original route when disconnected.

Work around: Bounce wifi/network connection to reestablish proper routes through en0. (Also, don't connect to vpn from said network... but in this particular case I forgot to disconnect from the vpn while I was still away from home.)

Desktop:

  • System: Apple M2 Max
  • OS: 13.4 (22F66)
  • Tunnelblick 4.0.0beta11 (build 5910)
  • OpenVPN v2.6.6 w/SSL v3.0.12w
  • Synology Inc VPN Server v1.4.4-2855

I'm not sure how to tell what version of OpenVPN the synology server is running.

nbauernfeind avatar Nov 15 '23 00:11 nbauernfeind

same thing happen to me

oluwatosinolamilekan avatar Nov 24 '23 03:11 oluwatosinolamilekan

Tested and successfully replicated on macOS Monterey 12.7.4 (21H1123) and it seems that "File exists" is not considered an error by the route command, causing OpenVPN to incorrectly believe that it has added the route (which then leads to the erroneous removal of the pre-existing route). An idea could be to parse the output of the route command and mark it as an error. What do you guys think? @cron2 @schwabe

itsGiaan avatar Mar 26 '24 14:03 itsGiaan