Routing issue for version above 1.10.0


kylezhang

Posts: 3
Joined: Thu Nov 25, 2021 2:48 pm

Post by kylezhang » Thu Nov 25, 2021 3:39 pm
Viscosity Client version: 1.10.0 and 1.10.1
OS: Windows 10 Pro 21H2 & Windows Server 2019

Server: CentOS 7
OpenVPN version: openvpn-2.4.11-1.el7.x86_64

Problem:
After the Viscosity client connected to the server:
I can ping and get responses to/from the server's tun network IPs.
I can ping and get responses to/from other VPN clients in that tun network.
But not other networks, for example, other IP addresses of the server.

I have run tcpdump to diagnose and found:
When pinging from the client side to the server's tun network IPs, I can see the ICMP request from the client and the response from the server.
When pinging from the client side to the server's other IPs, I see no ICMP request from the client and response from the server.

When pinging from the server's tun network IPs to the client, I can see the ICMP request from the server and the response from the client.
When pinging from the server's other IPs to the client, I can see the ICMP request from the server but no response from the client.

It is likely some routing issue on the client. BTW, it has set the default gateway to the VPN tunnel on the client.
When pinging from the client side to IPs outside the tun network, the client got the following error message:
Ping: transmit failed. General failure

I suppose it might be caused by some breaking change in the new version.
I have tested on version 1.9.4; it works and didn't have this problem.

Please help take a look.

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu Nov 25, 2021 6:59 pm
Hi kylezhang,

It sounds likely something about your setup may be incompatible with OpenVPN 2.5. Viscosity version 1.10 and later include OpenVPN 2.5 support.

As a temporary workaround you can drop back to using OpenVPN 2.4, by opening Viscosity's Preferences window, clicking on the Advanced tab, and changing the OpenVPN Version to 2.4. However I recommend getting your setup working under OpenVPN 2.5, as eventually OpenVPN 2.4 support will be dropped.

If you'd like for us to take a closer look for you, please post the information requested in the article linked below. Please feel free to censor out any sensitive information before posting, or you can email the details to our support email address.
https://www.sparklabs.com/support/kb/ar ... ort-staff/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs


Post by kylezhang » Thu Nov 25, 2021 9:43 pm
Dear James,

Thanks for your reply.
Unfortunately, changing the OpenVPN version in the Advanced tab to 2.4 does not work.
Since version 1.9.4 works, we can use this version for now.

Here is the VPN configuration:

client

remote myserver.example.com 1194 udp

dev tun

resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-256-CBC
auth SHA256
route-delay 4
verb 3
reneg-sec 0
comp-lzo

<ca>
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----

</ca>

<cert>
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----

</cert>

<key>
-----BEGIN PRIVATE KEY-----
......
-----END PRIVATE KEY-----

</key>


Here is the Viscosity client log:

Nov 25 5:44:01 PM: State changed to Connecting
Nov 25 5:44:01 PM: Viscosity Windows 1.10 (1745)
Nov 25 5:44:01 PM: Running on Windows 10 2009 (19044) 64 bit
Nov 25 5:44:01 PM: Running on .NET Framework Version 4.8.04084.528372
Nov 25 5:44:01 PM: Checking reachability status of connection...
Nov 25 5:44:02 PM: Connection is reachable. Starting connection attempt.
Nov 25 5:44:02 PM: Interface Type: visctap0901
Nov 25 5:44:02 PM: Bringing up interface...
Nov 25 5:44:02 PM: OpenVPN 2.4.11 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [AEAD] built on Oct 18 2021
Nov 25 5:44:02 PM: library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
Nov 25 5:44:22 PM: Resolving address: "xxxxxxxxxxx"
Nov 25 5:44:23 PM: Valid endpoint found: xxxxxxxxxxx:1194:udp
Nov 25 5:44:23 PM: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 25 5:44:23 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxxxxxxxx:1194
Nov 25 5:44:23 PM: Socket Buffers: R=[65536->65536] S=[65536->65536]
Nov 25 5:44:23 PM: UDP link local: (not bound)
Nov 25 5:44:23 PM: UDP link remote: [AF_INET]xxxxxxxxxxx:1194
Nov 25 5:44:23 PM: State changed to Authenticating
Nov 25 5:44:23 PM: TLS: Initial packet from [AF_INET]xxxxxxxxxxx:1194, sid=d40a1561 016c2cda
Nov 25 5:44:23 PM: VERIFY OK: depth=1, CN=XXX VPN Endpoints
Nov 25 5:44:23 PM: VERIFY OK: depth=0, CN=XXX VPN Servers
Nov 25 5:44:23 PM: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 384 bit EC, curve: secp384r1
Nov 25 5:44:23 PM: [XXX VPN Servers] Peer Connection Initiated with [AF_INET]xxxxxxxxxxx:1194
Nov 25 5:44:23 PM: State changed to Connecting
Nov 25 5:44:23 PM: SENT CONTROL [XXX VPN Servers]: 'PUSH_REQUEST' (status=1)
Nov 25 5:44:24 PM: SENT CONTROL [XXX VPN Servers]: 'PUSH_REQUEST' (status=1)
Nov 25 5:44:25 PM: SENT CONTROL [XXX VPN Servers]: 'PUSH_REQUEST' (status=1)
Nov 25 5:44:26 PM: SENT CONTROL [XXX VPN Servers]: 'PUSH_REQUEST' (status=1)
Nov 25 5:44:27 PM: SENT CONTROL [XXX VPN Servers]: 'PUSH_REQUEST' (status=1)
Nov 25 5:44:28 PM: SENT CONTROL [XXX VPN Servers]: 'PUSH_REQUEST' (status=1)
Nov 25 5:44:29 PM: SENT CONTROL [XXX VPN Servers]: 'PUSH_REQUEST' (status=1)
Nov 25 5:44:30 PM: SENT CONTROL [XXX VPN Servers]: 'PUSH_REQUEST' (status=1)
Nov 25 5:44:31 PM: SENT CONTROL [XXX VPN Servers]: 'PUSH_REQUEST' (status=1)
Nov 25 5:44:32 PM: SENT CONTROL [XXX VPN Servers]: 'PUSH_REQUEST' (status=1)
Nov 25 5:44:33 PM: SENT CONTROL [XXX VPN Servers]: 'PUSH_REQUEST' (status=1)
Nov 25 5:44:34 PM: SENT CONTROL [XXX VPN Servers]: 'PUSH_REQUEST' (status=1)
Nov 25 5:44:36 PM: SENT CONTROL [XXX VPN Servers]: 'PUSH_REQUEST' (status=1)
Nov 25 5:44:36 PM: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS xxx.xx.xx..2,redirect-gateway,route-gateway xx.xx.xx..193,topology subnet,ping 10,ping-restart 120,ifconfig xx.xx.xx..202 255.255.255.192,peer-id 8,cipher AES-256-GCM'
Nov 25 5:44:36 PM: OPTIONS IMPORT: timers and/or timeouts modified
Nov 25 5:44:36 PM: OPTIONS IMPORT: --ifconfig/up options modified
Nov 25 5:44:36 PM: OPTIONS IMPORT: route options modified
Nov 25 5:44:36 PM: OPTIONS IMPORT: route-related options modified
Nov 25 5:44:36 PM: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Nov 25 5:44:36 PM: OPTIONS IMPORT: peer-id set
Nov 25 5:44:36 PM: NOTE: --mute triggered...
Nov 25 5:44:36 PM: 2 variation(s) on previous 20 message(s) suppressed by --mute
Nov 25 5:44:36 PM: Data Channel: using negotiated cipher 'AES-256-GCM'
Nov 25 5:44:36 PM: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 25 5:44:36 PM: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 25 5:44:36 PM: interactive service msg_channel=0
Nov 25 5:44:36 PM: ROUTE_GATEWAY 192.168.123.1/255.255.255.0 I=4 HWADDR=18:db:f2:3b:73:74
Nov 25 5:44:36 PM: Awaiting adapter to come up...
Nov 25 5:44:36 PM: TAP-WIN32 device [XXX VPN Endpoints] opened: \\.\Global\{02CD089A-3019-4188-B14C-60DAD4707795}.tap, index: 9
Nov 25 5:44:36 PM: Set TAP-Windows TUN subnet mode network/local/netmask = xx.xx.xx..192/xx.xx.xx..202/255.255.255.192 [SUCCEEDED]
Nov 25 5:44:36 PM: Waiting for DNS Setup to complete...
Nov 25 5:44:37 PM: Successful ARP Flush on interface [9] {02CD089A-3019-4188-B14C-60DAD4707795}
Nov 25 5:44:41 PM: TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Nov 25 5:44:41 PM: IPv4 Route addition via management succeeded
Nov 25 5:44:41 PM: IPv4 Route deletion via management succeeded
Nov 25 5:44:41 PM: ROUTE: IPv4 route addition failed using management: �����Ѵ��ڡ� [status=5010 if_index=9]
Nov 25 5:44:41 PM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 25 5:44:41 PM: Initialization Sequence Completed
Nov 25 5:44:41 PM: DNS set to Full:
Server - xxx.xx.xx..2:53; Lookup Type - Any; Domains - None; Server is not reachable and will not be used.

Nov 25 5:44:41 PM: State changed to Connected

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Mon Nov 29, 2021 11:40 am
Hi kylezhang,

It looks like your redirect-gateway route (0/0) is clashing with another 0/0 route on the system for some reason. As a workaround, could you try pushing
Code:
redirect-gateway def1
instead from the server. This will instead set two routes, 0/1 and 1/1 which will not have issues with clashes and is generally a better way to redirect all traffic through the VPN.

We'll have a look and see if there's something in Viscosity causing the 0/0 route issue in the meantime, however as this is the only report of this, it is most likely something specific to your environment.

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
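
The workaround above, modelled as an added example (not part of the original posts, and not Viscosity or OpenVPN code): it checks a client log for a `redirect-gateway` push without `def1` and a failed route addition, then shows by longest-prefix match why the two half-space routes OpenVPN installs for `def1` (0.0.0.0/1 and 128.0.0.0/1) take over all traffic without touching the existing 0.0.0.0/0 entry. The function names, the sample log and every address other than the 192.168.123.1 LAN gateway are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the client log above; addresses are placeholders.
SAMPLE_LOG = (
    "Nov 25 5:44:36 PM: PUSH: Received control message: 'PUSH_REPLY,"
    "redirect-gateway,route-gateway 10.8.0.193,topology subnet,"
    "ifconfig 10.8.0.202 255.255.255.192,peer-id 8'\n"
    "Nov 25 5:44:41 PM: ROUTE: IPv4 route addition failed using management: "
    "<message> [status=5010 if_index=9]\n"
)

def audit(log):
    """Flag a redirect-gateway push without def1 and any failed route addition."""
    findings = []
    m = re.search(r"'PUSH_REPLY,([^']*)'", log)
    for opt in (m.group(1).split(",") if m else []):
        words = opt.split()
        if words and words[0] == "redirect-gateway" and "def1" not in words[1:]:
            findings.append("redirect-gateway pushed without def1")
    if "ROUTE: IPv4 route addition failed" in log:
        findings.append("route addition failed")
    return findings

def next_hop(table, dest):
    """Longest-prefix match over a {prefix: gateway} routing table."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p).prefixlen, gw)
               for p, gw in table.items() if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0])[1]

def with_def1(table, vpn_gw, server_ip, lan_gw):
    """Routes redirect-gateway def1 adds; the existing 0.0.0.0/0 entry is untouched."""
    new = dict(table)
    new[f"{server_ip}/32"] = lan_gw   # keeps the tunnel's own packets off the tunnel
    new["0.0.0.0/1"] = vpn_gw         # lower half of the IPv4 space
    new["128.0.0.0/1"] = vpn_gw       # upper half of the IPv4 space
    return new

# Constructed client table: LAN default gateway as in the log's ROUTE_GATEWAY line.
LAN = {"0.0.0.0/0": "192.168.123.1", "192.168.123.0/24": "on-link"}
FULL_TUNNEL = with_def1(LAN, "10.8.0.193", "203.0.113.10", "192.168.123.1")

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
    for dest in ("8.8.8.8", "198.51.100.7", "203.0.113.10", "192.168.123.50"):
        print(dest, "->", next_hop(FULL_TUNNEL, dest))
```

Running `audit` over a saved client log after each connection is a quick way to confirm that a full-tunnel profile actually installed its routes rather than only reaching "Initialization Sequence Completed".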


Post by kylezhang » Wed Dec 01, 2021 5:44 pm
Adding
Code:
redirect-gateway def1

works. All networks are reachable.