Openvpn – RTNETLINK answers: File exists — OpenVPN errors

openvpnroute

I have a bunch of servers that connect to the world through a "gateway" server that uses a NAT to redirect to the internet.

I am trying to connect the gateway server to a VPN client through an OpenVPN config file. when I connect it returns an error "RTNETLINK answers: File exists". I don't have any firewall or port issues as a connection from an internal client using the same OpenVPN file works just fine.

here is my routing table prior to the VPN connection

192.168.110.0   *               255.255.255.224 U     0      0        0 eth1
10.149.0.0      *               255.255.0.0     U     0      0        0 ib0
link-local      *               255.255.0.0     U     1002   0        0 eth0
link-local      *               255.255.0.0     U     1003   0        0 eth1
link-local      *               255.255.0.0     U     1004   0        0 ib0
10.141.0.0      *               255.255.0.0     U     0      0        0 eth0
default         192.168.110.1   0.0.0.0         UG    0      0        0 eth1

here is the routing table after the connection is established and it blurts the error out:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
24.248.180.0    10.2.113.1      255.255.255.240 UG    0      0        0 tun0
192.168.110.0   *               255.255.255.224 U     0      0        0 eth1
10.2.113.0      *               255.255.255.0   U     0      0        0 tun0
10.0.0.0        10.2.113.1      255.255.252.0   UG    0      0        0 tun0
10.149.0.0      *               255.255.0.0     U     0      0        0 ib0
link-local      *               255.255.0.0     U     1002   0        0 eth0
link-local      *               255.255.0.0     U     1003   0        0 eth1
link-local      *               255.255.0.0     U     1004   0        0 ib0
10.141.0.0      *               255.255.0.0     U     0      0        0 eth0
default         192.168.110.1   0.0.0.0         UG    0      0        0 eth1

I think the problem is in the second line but if i delete that I will loose my external connection to the server correct?

is there a way to have the OpenVPN connection work without manually having to modify the route table. Or, is there a way to modify the route table to not have this error occur and have OpenVPN do its job?

Best Answer

You won't be able to diagnose the error you are getting purely by looking at the route tables.

That particular error is almost always related to you trying to add a new route that is identical to a route that already exists on your system. If you bump up your OpenVPN logging you should see what route command is failing in your logs.

OpenVPN is slightly dumb about how it applies routes. It doesn't do any checks to see if a route is already configured. If a route is configured within the configuration or pushed by the server, your client will attempt to add the route, even if it already exists. So sometimes this 'error' can be treated as a warning. Depending on the specific route and how it is being applied to the system.

Related Solutions

Linux – Port forward + openVPN + iptables

Try these rules on your gateway:

-A PREROUTING -i $VPN_INTERFACE -p tcp -m tcp --dport 80 -j DNAT --to-destination $INTERNAL_IP_DESTINATION:80
-A POSTROUTING -o $VPN_INTERFACE -j SNAT --to-source $VPN_IP_OF_SERVER
-A POSTROUTING -o $LAN_INTERFACE -j SNAT --to-source $LAN_IP_OF_SERVER

1st. one makes the port forwarding.
2nd. makes the source nat so every packet comming out of the VPN uses the server IP
3rd. makes the packets forwarded to the internal IP, have the soure nat of the server lan ip

OpenVPN – Configure Multiple Clients on the Same Host

You would need to elaborate somewhat further what it is you are trying to do. A rough sketch with IP addresses of the hosts involved and a listing of your routing table(s) would help a lot understanding your problem.

my server doesn't seem to configure the tun0 device properly

It is possible for an ifconfig command to fail - maybe you should check the logs for that and post the relevant excerpts.

I want to set up the dual client box such that a computer whose gateway is set to eth0:0 gets all their traffic routed through one OpenVPN tunnel, and a computer whose gateway is set to eth0:1 gets all their traffic routed through a different OpenVPN tunnel

ip rule add from $IP_ETH00 table us_table

That's probably not the best way to achieve what you really want - which seems to be different routes for different clients. While it is possible to add iptables -t mangle rules to mark packets for different criteria, there would be no set of criteria being able to distinguish between eth0:0 and eth0:1 as the input interface (which is due to the way IP aliasing is implemented).

What you can do however is simply set up something like

ip rule add from <ip-of-your-client-for-the-us-table> table us_table

which would eliminate the need for IP aliases in your configuration entirely since the routing decision would be done based on source and destination IP addresses, no matter which interface the packet came in at.

copy_routing_table "us_table"

You've omitted the source of copy_routing_table - if it does what I suspect it does, you would end up with your entire main routing table in us_table. If your main routing table already contains routes potentially conflicting with what you're defining in the script, you might end up using them instead of your newly-added routes. This is especially a concern since you are adding a new default route in your up-script:

 ip route add default via $4 table us_table

As you already have a default route in your "main" table and add another one "via $4" (which is wrong BTW, as $4 would represent a local IP address of the router's own tun interface - you should use "dev $1" instead) without deleting the old route. You should prepend ip route del default table us_table here - and probably something similar for the other routes you add as well.

And this here:

From 192.168.1.133: icmp_seq=2 Redirect Host(New nexthop: 192.168.1.1)

is a message from 192.168.1.133 which is getting the packet for 98.137.149.56 (yahoo.com) and routing it out through 192.168.1.1. Since 192.168.1.133 knows (by evaluation of the interface netmask) that your host is in the same network as 192.168.1.1, you get notified to use 192.168.1.1 directly in the first place.

Best Answer

Related Solutions

Linux – Port forward + openVPN + iptables

OpenVPN – Configure Multiple Clients on the Same Host

Related Topic