I'm at my wits' end. Point me in the right direction. So, there is an OpenVPN server on Ubuntu with three clients connecting to it: two Windows and one Android. The keys for all three clients are different; the client configs are identical. Two clients work like clockwork, and with one (Windows) there are constant problems. They show up as the line

Recursive routing detected, drop tun packet to [AF_INET]35.XX.XXX.72:3000

after which the tunnel drops. Previously this line appeared when the laptop went to sleep and lost its connection to the WiFi network. The problem was solved by rebooting the whole laptop (reconnecting or restarting the OpenVPN client had no effect). Now these lines appear immediately after the connection is established.

Now the specifics:

Server config

port 3000
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-server
tls-auth /etc/openvpn/keys/ta.key 0
tls-timeout 120
auth sha1
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 4
mute 10
explicit-exit-notify 1

Client config

client
dev tun
proto udp
redirect-gateway def1
remote 35.XXX.XXX.72 3000
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert anton.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 4
mute 10
tls-client
auth SHA1
status openvpn-status.log
log openvpn.log

Client log

Wed Jun 28 00:33:18 2017 us=77031 Current Parameter Settings:
Wed Jun 28 00:33:18 2017 us=77031 config = 'client.ovpn'
Wed Jun 28 00:33:18 2017 us=77031 mode = 0
Wed Jun 28 00:33:18 2017 us=77031 show_ciphers = DISABLED
Wed Jun 28 00:33:18 2017 us=77031 show_digests = DISABLED
Wed Jun 28 00:33:18 2017 us=77031 show_engines = DISABLED
Wed Jun 28 00:33:18 2017 us=77031 genkey = DISABLED
Wed Jun 28 00:33:18 2017 us=77031 key_pass_file = '[UNDEF]'
Wed Jun 28 00:33:18 2017 us=77031 show_tls_ciphers = DISABLED
Wed Jun 28 00:33:18 2017 us=77031 connect_retry_max = 0
Wed Jun 28 00:33:18 2017 us=77031 NOTE: --mute triggered...
Wed Jun 28 00:33:18 2017 us=77031 281 variation(s) on previous 10 message(s) suppressed by --mute
Wed Jun 28 00:33:18 2017 us=77031 OpenVPN 2.4.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 11 2017
Wed Jun 28 00:33:18 2017 us=77031 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Jun 28 00:33:18 2017 us=77031 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10
Enter Management Password:
Wed Jun 28 00:33:18 2017 us=92662 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Jun 28 00:33:18 2017 us=92662 Need hold release from management interface, waiting...
Wed Jun 28 00:33:18 2017 us=498898 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Jun 28 00:33:18 2017 us=608274 MANAGEMENT: CMD 'state on'
Wed Jun 28 00:33:18 2017 us=608274 MANAGEMENT: CMD 'log all on'
Wed Jun 28 00:33:18 2017 us=717652 MANAGEMENT: CMD 'echo all on'
Wed Jun 28 00:33:18 2017 us=733279 MANAGEMENT: CMD 'hold off'
Wed Jun 28 00:33:18 2017 us=733279 MANAGEMENT: CMD 'hold release'
Wed Jun 28 00:33:19 2017 us=467645 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 28 00:33:19 2017 us=467645 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 28 00:33:19 2017 us=467645 LZO compression initializing
Wed Jun 28 00:33:19 2017 us=467645 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Wed Jun 28 00:33:19 2017 us=467645 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Wed Jun 28 00:33:19 2017 us=467645 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Wed Jun 28 00:33:19 2017 us=467645 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Wed Jun 28 00:33:19 2017 us=467645 TCP/UDP: Preserving recently used remote address: [AF_INET]35.XX.XXX.72:3000
Wed Jun 28 00:33:19 2017 us=467645 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Jun 28 00:33:19 2017 us=467645 UDP link local: (not bound)
Wed Jun 28 00:33:19 2017 us=467645 UDP link remote: [AF_INET]35.XX.XXX.72:3000
Wed Jun 28 00:33:19 2017 us=483279 MANAGEMENT: >STATE:1498599199,WAIT,,,,,,
Wed Jun 28 00:33:19 2017 us=686398 MANAGEMENT: >STATE:1498599199,AUTH,,,,,,
Wed Jun 28 00:33:19 2017 us=702031 TLS: Initial packet from [AF_INET]35.XX.XXX.72:3000, sid=8208d47f e3397048
Wed Jun 28 00:33:19 2017 us=920776 VERIFY OK: depth=1, C=UA, ST=Kh, L=Kharkiv, O=Anton, OU=MyOrganizationalUnit, CN=Anton CA, name=VPN, emailAddress=anton.tramp@gmail.com
Wed Jun 28 00:33:19 2017 us=920776 VERIFY KU OK
Wed Jun 28 00:33:19 2017 us=920776 Validating certificate extended key usage
Wed Jun 28 00:33:19 2017 us=920776 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jun 28 00:33:19 2017 us=920776 VERIFY EKU OK
Wed Jun 28 00:33:19 2017 us=920776 VERIFY OK: depth=0, C=UA, ST=Kh, L=Kharkiv, O=Anton, OU=MyOrganizationalUnit, CN=anton-vpn-server, name=VPN, emailAddress=anton.tramp@gmail.com
Wed Jun 28 00:33:20 2017 us=436401 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Jun 28 00:33:20 2017 us=436401 [anton-vpn-server] Peer Connection Initiated with [AF_INET]35.XX.XXX.72:3000
Wed Jun 28 00:33:21 2017 us=702025 MANAGEMENT: >STATE:1498599201,GET_CONFIG,,,,,,
Wed Jun 28 00:33:21 2017 us=702025 SENT CONTROL [anton-vpn-server]: 'PUSH_REQUEST' (status=1)
Wed Jun 28 00:33:21 2017 us=905155 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.3 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Jun 28 00:33:21 2017 us=905155 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 28 00:33:21 2017 us=905155 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 28 00:33:21 2017 us=905155 OPTIONS IMPORT: route options modified
Wed Jun 28 00:33:21 2017 us=905155 OPTIONS IMPORT: route-related options modified
Wed Jun 28 00:33:21 2017 us=905155 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 28 00:33:21 2017 us=905155 OPTIONS IMPORT: peer-id set
Wed Jun 28 00:33:21 2017 us=905155 OPTIONS IMPORT: adjusting link_mtu to 1625
Wed Jun 28 00:33:21 2017 us=905155 OPTIONS IMPORT: data channel crypto options modified
Wed Jun 28 00:33:21 2017 us=905155 Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Wed Jun 28 00:33:21 2017 us=905155 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 28 00:33:21 2017 us=905155 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 28 00:33:21 2017 us=905155 interactive service msg_channel=0
Wed Jun 28 00:33:21 2017 us=920782 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 I=9 HWADDR=74:2f:68:ec:c7:19
Wed Jun 28 00:33:21 2017 us=967666 open_tun
Wed Jun 28 00:33:21 2017 us=983295 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{FF62B73E-7D2A-4FAF-A38E-170927330DE4}.tap
Wed Jun 28 00:33:21 2017 us=983295 TAP-Windows Driver Version 9.21
Wed Jun 28 00:33:21 2017 us=983295 TAP-Windows MTU=1500
Wed Jun 28 00:33:21 2017 us=983295 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.3/255.255.255.0 [SUCCEEDED]
Wed Jun 28 00:33:21 2017 us=983295 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.3/255.255.255.0 on interface {FF62B73E-7D2A-4FAF-A38E-170927330DE4} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
Wed Jun 28 00:33:21 2017 us=983295 DHCP option string: 06080808 08080808 0404
Wed Jun 28 00:33:21 2017 us=983295 Successful ARP Flush on interface [13] {FF62B73E-7D2A-4FAF-A38E-170927330DE4}
Wed Jun 28 00:33:22 2017 us=14532 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jun 28 00:33:22 2017 us=14532 MANAGEMENT: >STATE:1498599202,ASSIGN_IP,,10.8.0.3,,,,
Wed Jun 28 00:33:27 2017 us=192720 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Wed Jun 28 00:33:27 2017 us=192720 C:\Windows\system32\route.exe ADD 35.XX.XXX.72 MASK 255.255.255.255 192.168.0.1
Wed Jun 28 00:33:27 2017 us=208364 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Wed Jun 28 00:33:27 2017 us=208364 Route addition via IPAPI succeeded [adaptive]
Wed Jun 28 00:33:27 2017 us=208364 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Wed Jun 28 00:33:27 2017 us=223975 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Jun 28 00:33:27 2017 us=223975 Route addition via IPAPI succeeded [adaptive]
Wed Jun 28 00:33:27 2017 us=223975 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Wed Jun 28 00:33:27 2017 us=239598 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Jun 28 00:33:27 2017 us=239598 Route addition via IPAPI succeeded [adaptive]
Wed Jun 28 00:33:27 2017 us=239598 Initialization Sequence Completed
Wed Jun 28 00:33:27 2017 us=239598 MANAGEMENT: >STATE:1498599207,CONNECTED,SUCCESS,10.8.0.3,35.XX.XXX.72,3000,,
Wed Jun 28 00:33:27 2017 us=255221 Recursive routing detected, drop tun packet to [AF_INET]35.XX.XXX.72:3000
Wed Jun 28 00:33:27 2017 us=255221 Recursive routing detected, drop tun packet to [AF_INET]35.XX.XXX.72:3000
Wed Jun 28 00:33:27 2017 us=255221 Recursive routing detected, drop tun packet to [AF_INET]35.XX.XXX.72:3000

Client routing table before bringing up the tunnel

===========================================================================
Список интерфейсов
 13...00 ff ff 62 b7 3e ......TAP-Windows Adapter V9
 11...56 2f 68 ec c7 19 ......Виртуальный адаптер размещенной сети (Майкрософт)
 10...16 2f 68 ec c7 19 ......Виртуальный адаптер Wi-Fi Direct (Майкрософт)
  9...74 2f 68 ec c7 19 ......Qualcomm Atheros AR9285 Wireless Network Adapter
  3...54 04 a6 2b 3a 2d ......Qualcomm Atheros AR8152 PCI-E Fast Ethernet Controller (NDIS 6.30)
  1...........................Software Loopback Interface 1
  6...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 12...00 00 00 00 00 00 00 e0 Адаптер Microsoft ISATAP #3
===========================================================================

IPv4 таблица маршрута
===========================================================================
Активные маршруты:
   Сетевой адрес        Маска сети      Адрес шлюза        Интерфейс  Метрика
         0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.102       25
       127.0.0.0        255.0.0.0          On-link        127.0.0.1      306
       127.0.0.1  255.255.255.255          On-link        127.0.0.1      306
 127.255.255.255  255.255.255.255          On-link        127.0.0.1      306
     192.168.0.0    255.255.255.0          On-link    192.168.0.102      281
   192.168.0.102  255.255.255.255          On-link    192.168.0.102      281
   192.168.0.255  255.255.255.255          On-link    192.168.0.102      281
       224.0.0.0        240.0.0.0          On-link        127.0.0.1      306
       224.0.0.0        240.0.0.0          On-link    192.168.0.102      281
 255.255.255.255  255.255.255.255          On-link        127.0.0.1      306
 255.255.255.255  255.255.255.255          On-link    192.168.0.102      281
===========================================================================
Постоянные маршруты:
  Отсутствует

IPv6 таблица маршрута
===========================================================================
Активные маршруты:
 Метрика   Сетевой адрес                              Шлюз
  6    306 ::/0                                       On-link
  1    306 ::1/128                                    On-link
  6    306 2001::/32                                  On-link
  6    306 2001:0:9d38:6abd:2c50:1cc8:3f57:ff99/128   On-link
  6    306 fe80::/64                                  On-link
  6    306 fe80::2c50:1cc8:3f57:ff99/128              On-link
  1    306 ff00::/8                                   On-link
  6    306 ff00::/8                                   On-link
===========================================================================
Постоянные маршруты:
  Отсутствует

Client routing table after establishing connection

===========================================================================
Список интерфейсов
 13...00 ff ff 62 b7 3e ......TAP-Windows Adapter V9
 11...56 2f 68 ec c7 19 ......Виртуальный адаптер размещенной сети (Майкрософт)
 10...16 2f 68 ec c7 19 ......Виртуальный адаптер Wi-Fi Direct (Майкрософт)
  9...74 2f 68 ec c7 19 ......Qualcomm Atheros AR9285 Wireless Network Adapter
  3...54 04 a6 2b 3a 2d ......Qualcomm Atheros AR8152 PCI-E Fast Ethernet Controller (NDIS 6.30)
  1...........................Software Loopback Interface 1
 14...00 00 00 00 00 00 00 e0 Адаптер Microsoft ISATAP
  6...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 12...00 00 00 00 00 00 00 e0 Адаптер Microsoft ISATAP #3
===========================================================================

IPv4 таблица маршрута
===========================================================================
Активные маршруты:
   Сетевой адрес        Маска сети      Адрес шлюза        Интерфейс  Метрика
         0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.102       25
         0.0.0.0        128.0.0.0         10.8.0.1         10.8.0.3       20
        10.8.0.0    255.255.255.0          On-link         10.8.0.3      276
        10.8.0.3  255.255.255.255          On-link         10.8.0.3      276
      10.8.0.255  255.255.255.255          On-link         10.8.0.3      276
    35.XX.XXX.72  255.255.255.255      192.168.0.1    192.168.0.102       25
       127.0.0.0        255.0.0.0          On-link        127.0.0.1      306
       127.0.0.1  255.255.255.255          On-link        127.0.0.1      306
 127.255.255.255  255.255.255.255          On-link        127.0.0.1      306
       128.0.0.0        128.0.0.0         10.8.0.1         10.8.0.3       20
     192.168.0.0    255.255.255.0          On-link    192.168.0.102      281
   192.168.0.102  255.255.255.255          On-link    192.168.0.102      281
   192.168.0.255  255.255.255.255          On-link    192.168.0.102      281
       224.0.0.0        240.0.0.0          On-link        127.0.0.1      306
       224.0.0.0        240.0.0.0          On-link    192.168.0.102      281
       224.0.0.0        240.0.0.0          On-link         10.8.0.3      276
 255.255.255.255  255.255.255.255          On-link        127.0.0.1      306
 255.255.255.255  255.255.255.255          On-link    192.168.0.102      281
 255.255.255.255  255.255.255.255          On-link         10.8.0.3      276
===========================================================================
Постоянные маршруты:
  Отсутствует

IPv6 таблица маршрута
===========================================================================
Активные маршруты:
 Метрика   Сетевой адрес                              Шлюз
  1    306 ::1/128                                    On-link
 13    276 fe80::/64                                  On-link
 13    276 fe80::4d03:3341:75d7:ba6f/128              On-link
  1    306 ff00::/8                                   On-link
 13    276 ff00::/8                                   On-link
===========================================================================
Постоянные маршруты:
  Отсутствует

Pings from the server to this client do not get through. The client cannot ping the server at 10.8.0.1 either. When pinging the server, tcpdump on the server shows nothing. Wireshark on the client shows the packet leaving. No reply. When trying to reach the server with telnet, Wireshark shows the outgoing TCP packet and then a chain of ARP requests: Who has 10.8.0.1?

UPDATE: Narrowed the problem down a bit. It arises only when the client connects to the Internet via WiFi. When connected via cable, everything works. It was suggested that this is due to the adapter metrics (cable 20, WiFi 25, tunnel 20). I raised the tunnel metric to 30; nothing changed. Cable works, WiFi does not.
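An added diagnostic example (not code from the question or the answer below): it parses the IPv4 section of route print in the layout shown above, performs the longest-prefix lookup Windows uses, and reports whether packets for the VPN endpoint would leave through the tun adapter, which is the condition the "Recursive routing detected" message refers to; it also pulls those messages out of a client log. It goes one step beyond the table above by also evaluating the table with the /32 host route removed, where the def1 halves pull the endpoint into the tunnel; the sample table and the server address 203.0.113.72 are constructed stand-ins.

```python
import re
from ipaddress import IPv4Address, IPv4Network
from typing import List, NamedTuple, Optional

class Route(NamedTuple):
    network: IPv4Network
    gateway: str      # next hop, or "On-link"
    interface: str    # address of the interface the route leaves through
    metric: int

# Constructed sample in the layout of the IPv4 section of Windows `route print`
# after OpenVPN connected; 203.0.113.72 is a placeholder for the masked server.
ROUTE_PRINT_IPV4 = """\
0.0.0.0              0.0.0.0      192.168.0.1    192.168.0.102     25
0.0.0.0            128.0.0.0         10.8.0.1         10.8.0.3     20
10.8.0.0       255.255.255.0          On-link         10.8.0.3    276
203.0.113.72 255.255.255.255      192.168.0.1    192.168.0.102     25
128.0.0.0          128.0.0.0         10.8.0.1         10.8.0.3     20
192.168.0.0    255.255.255.0          On-link    192.168.0.102    281
"""

def parse_route_print(text: str) -> List[Route]:
    """Parse the five-column IPv4 rows; header and separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        net = IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)
        routes.append(Route(net, parts[2], parts[3], int(parts[4])))
    return routes

def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Route selection as Windows does it: longest prefix, then lowest metric."""
    addr = IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))

def endpoint_would_recurse(routes: List[Route], server_ip: str, tun_ip: str) -> bool:
    """True when packets for the VPN server would leave via the tun adapter (recursion)."""
    best = lookup(routes, server_ip)
    return best is not None and best.interface == tun_ip

RECURSIVE_RE = re.compile(r"Recursive routing detected, drop tun packet to \[AF_INET\](\S+)")

def recursive_routing_events(log: str) -> List[str]:
    """Destinations named by OpenVPN's recursive-routing check in a client log."""
    return RECURSIVE_RE.findall(log)
```

On the table as printed above, the endpoint resolves to the WiFi gateway 192.168.0.1 via the /32 host route; only with that route absent does it fall into the 128.0.0.0/1 half and into the tunnel.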

    1 answer

    Good day,

    I found your question through Google, since I have the same problem.

    Home router with LEDE 17.01, OpenVPN 2.4.2; another client on iOS 10.3.2 works, the VPN routes all traffic, I see my SAMBA server. The problem occurred with a laptop under Windows 7 SP1, OpenVPN client 2.4.3, and the problem is the same as yours; I also use WiFi. I can ping the server, nslookup does not work, but I found a "workaround": https://www.snbforums.com/threads/beta-asuswrt-merlin-380-66-beta-is-now-available.38718/page-7#post-320981

    I added pull-filter ignore "redirect-gateway local def1", since my server has this line. Everything started to work, but web traffic does not go through the VPN, though I do see my SAMBA server. Maybe this will help.

    • Thanks for the answer, but what I need is precisely to route the web traffic through the VPN - Anton Shchyrov