Bug in ovpn-client: could not add address: already have ...
Posted: Fri Jan 08, 2010 8:23 pm
We are using RB750 (v4.2) as OpenVPN clients in our customer net (MAN, Ethernet, private IP range). They are configured to have the default route on the OpenVPN interface, built by the command:
Code:
/interface ovpn-client add name=ovpn-out connect-to=xxx.xxx.xxx.xxx port=1194 mode=ip user="xxxxx" password="xxxxx" profile=default certificate=xxxxx cipher=aes256 add-default-route=yes disabled=no;
The OpenVPN server is configured on a Debian GNU Linux system (etch), with a "fixed" IP address for allowed certificates -> each OpenVPN client always receives the same IP.
For four weeks there was no problem with it; today we lost 3 of 5 clients from the VPN (probably there were some interruptions of the links between buildings). After investigation we found a problem in the OpenVPN client in Mikrotik. In the logs we saw:
Code:
15:39:39 ovpn,info ovpn-out: initializing...
15:39:39 ovpn,info ovpn-out: dialing...
15:39:43 ovpn,info ovpn-out: using encoding - AES-256-CBC/SHA1
15:39:43 ovpn,info ovpn-out: connected
15:39:44 ovpn,error could not add address: already have such address (6)
15:39:44 ovpn,debug ovpn-out: disconnected <could not add address: already have such address (6)>
15:39:44 ovpn,info ovpn-out: terminating... - could not add address: already have such address (6)
15:39:44 ovpn,info ovpn-out: disconnected
The OpenVPN client interface was not running:
Code:
[admin@xxxxxxx] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU
.... cuted .....
6 ovpn-out ovpn-out
There was an invalid IP address on this interface:
Code:
[admin@xxxxxxx] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
.... cuted .....
3 I 10.10.10.10/32 10.10.10.1 0.0.0.0 ovpn-out
And the default route still existed:
Code:
[admin@xxxxxxx] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 DS 0.0.0.0/0 10.10.10.1 1
.... cuted .....
It looks like a bug in the ovpn-client interface, which does not remove the IP address and default gateway when the connection to the server is broken (the ovpn-client interface goes to the "not running" state) and is renegotiated. We made a workaround so as not to lose clients from the VPN (we rely on a running VPN):
Code:
/system script add name=Remove-invalid-IP-from-ovpn-out policy=write,read source={:foreach i in=[/ip address find invalid and interface=ovpn-out] do={/ip address remove $i;};};
/system scheduler add name=Remove-invalid-IP-from-ovpn-out on-event=Remove-invalid-IP-from-ovpn-out policy=write,read interval=1m;
Where "ovpn-out" is the name of the ovpn-client interface. The workaround is not nice or perfect (the old default route will stay); it would be better for Mikrotik to eliminate this bug.
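An added example, not part of the original post and not MikroTik code: a small Python check that scans exported RouterOS log lines for the failure shown in the post and reports which ovpn-client interfaces ended down because of the stale address. The function names and the `ovpn-ok` lines are constructed for illustration; the `ovpn-out` lines are the ones quoted in the post.

```python
import re
from collections import defaultdict

# ovpn-out lines are from the post; the two ovpn-ok lines are constructed.
SAMPLE_LOG = """\
15:39:39 ovpn,info ovpn-out: initializing...
15:39:39 ovpn,info ovpn-out: dialing...
15:39:43 ovpn,info ovpn-out: using encoding - AES-256-CBC/SHA1
15:39:43 ovpn,info ovpn-out: connected
15:39:44 ovpn,error could not add address: already have such address (6)
15:39:44 ovpn,debug ovpn-out: disconnected <could not add address: already have such address (6)>
15:39:44 ovpn,info ovpn-out: terminating... - could not add address: already have such address (6)
15:39:44 ovpn,info ovpn-out: disconnected
15:40:02 ovpn,info ovpn-ok: dialing...
15:40:05 ovpn,info ovpn-ok: connected
"""

# time, topic level, optional "<interface>: " prefix, message
LINE = re.compile(r"^(\d\d:\d\d:\d\d) ovpn,(\w+) (?:([\w.-]+): )?(.*)$")
STALE = "could not add address: already have such address"

def analyze(log_text):
    """Return per-interface state: up flag, stale-address failures, last timestamp."""
    stats = defaultdict(lambda: {"up": False, "stale_failures": 0, "last": None})
    counted = set()  # interfaces whose current dial attempt is already counted
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(3) is None:
            continue  # the bare ovpn,error line names no interface; skip it
        ts, _level, iface, msg = m.groups()
        s = stats[iface]
        s["last"] = ts
        if msg.startswith(("initializing", "dialing")):
            counted.discard(iface)  # a new attempt begins
        elif msg == "connected":
            s["up"] = True
        elif msg.startswith(("disconnected", "terminating")):
            s["up"] = False
            if STALE in msg and iface not in counted:
                s["stale_failures"] += 1
                counted.add(iface)
    return dict(stats)

def stuck_interfaces(log_text, threshold=1):
    """Interfaces that ended down after at least `threshold` stale-address failures."""
    return sorted(i for i, s in analyze(log_text).items()
                  if not s["up"] and s["stale_failures"] >= threshold)

if __name__ == "__main__":
    print(stuck_interfaces(SAMPLE_LOG))
```

Raising `threshold` separates a single failed reconnect from an interface that keeps failing on every dial attempt.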