Carousel is a LIE!

OpenWRT/VPN/NTPD

23 Apr 2006

I've been setting up OpenVPN on my wife's iBook, using 3.0-RC2 of Tunnelblick. It works well, but I did come across one bit of weirdness.

I'm using OpenVPN in bridging mode. The network looks like this:

iBook <-> WRT54G <-> Home Network <-> Firewall <-> Internet

When OpenVPN bridging is going on, the iBook appears to be sitting on the Home Network. During testing, I was able to ping the Firewall box and other boxes on the Home Network, but I was unable to connect to websites on the Internet, and pinging Internet hosts got me this error:

ping: sendto: No buffer space available
ping: wrote www.google.ca 64 chars, ret=-1

I've run into this problem before, but the last time it was because one end of the tunnel went down -- not the case now.

I tried looking at netstat -m but it all looked good:

98 mbufs in use:
        94 mbufs allocated to data
        3 mbufs allocated to socket names and addresses
        1 mbufs allocated to Appletalk data blocks
145/368 mbuf clusters in use
760 Kbytes allocated to network (41% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

...which pretty much matches what I've seen when I've had this message before in other situations. netstat -s was a little more interesting:

icmp:
        266 calls to icmp_error
        0 errors not generated 'cuz old message was icmp
        Output histogram:
                echo reply: 2
                destination unreachable: 266
        0 messages with bad code fields
        0 messages < minimum length
        0 bad checksums
        0 messages with bad length
        0 multicast echo requests ignored
        0 multicast timestamp requests ignored
        Input histogram:
                echo reply: 865
                destination unreachable: 284
                routing redirect: 18
                echo: 2
        2 message responses generated
        ICMP address mask responses are disabled

"Destination unreachable"? WTF? I had a look at the interfaces, and saw three tap instances. Not only that: tap1 was the one being used by Tunnelblick, but tap0 was the default gateway. That can't be right, right? Right. Turned out there was another, older instance of OpenVPN running that should've been killed long ago. Kill that, kill Tunnelblick, restart Tunnelblick, and all is well.

I'm hoping I won't have this crop up again; it's not in my wife's nature to start looking for rogue tap interfaces screwing up the routing tables if her Internet connection goes down. :-)

One other problem I had with the WRT54G was bridging and setting the time. See, OpenVPN starts at boot on this thing, and it needs a tap interface. Since we're doing bridging, it needs to be bridged to the outside interface -- vlan1 on OpenWRT, the Linux firmware I'm using. In order to make that work, I get the firewall script to create the bridge right before it runs all the firewall rules. That happens right before OpenVPN starts, which happens right before OpenNTPD runs, which happens right before the boot scripts finish and we're open for business. Firewall, then OpenVPN, then OpenNTPD. Got it?

Setting the time is important because otherwise OpenVPN will complain that the iBook is connecting using an SSL certificate that's not valid yet, and refuses to connect. Well, no problem -- ntpd -s takes care of that, right? Wrong: every time I checked the date, the time was 1999. (Yeah, I could've tried to set the hardware clock to something more reasonable, but that's a stupid hack.)

ntpd -s was running but not setting the time. tcpdump on my NTP server showed that there were no NTP requests coming from the WRT after it booted. Yet I could kill ntpd, start it up again, and it would set the time right away. I tried ntpclient, but it behaved in exactly the same way.

In the end, I couldn't find out what was going on. I suspect it's a problem related to the bridge I set up -- ntpd binds to vlan1, then for some reason things stop working once the bridge is set up. I can't be sure without a serial port, though -- still haven't figured out logging on this thing -- so I used a slightly less awful hack: running ntpclient to set the time just before bridging starts, then running openntpd after as usual. It just dodges the problem, rather than fixing it, but it works.

Tags:

8 Comments

From: Peter
01-August-2006-06:24:40

I had the same problem.. I noticed it would be corrected on a reboot but would come back every few days. I thought it was a more serious problem but never noticed the extra openvpn process. Thanks!

From: Eric
05-June-2006-13:02:58

Had trouble with Parallels and tunnelblick/openvpn - I thought - tried Tunnelblick 3 rc2 on ppc 10.4.6 - same thing:
dreaded ping: sendto: No buffer space available. Reverted back to Tunnelblick 3 rc1 - works!

From: AC
15-May-2006-11:06:13

I've just stumbled upon a very similar problem; after installing Parallels onto a fully functional OSX/Tunnelblick install, Tunnelblick does the same thing (destination unreachable).

I'm looking for a bit more clarification on:

"“Destination unreachable”? WTF? I had a look at the interfaces, and saw three tap instances. Not only that: tap1 was the one being used by Tunnelblick, but tap0 was the default gateway. That can’t be right, right? Right. Turned out there was another, older instance of OpenVPN running that should’ve been killed long ago. Kill that, kill Tunnelblick, restart Tunnelblick, and all is well."

I'm pretty sure I don't have multiple tap instances, but I'm not sure how to check which is the default gateway. I'm assuming that the virtual adapter created by Parallels has somehow interfered with the proper default gateway for OSX/OpenVPN; when I try to establish a Tunnelblick connection, ALL network traffic says destination unreachable (OSX, VPN, Parallels VMs).

I'd greatly appreaciate any assistance if you happen to have the time.

Thanks!
AC
(iampsychosis AT yahoo DOT com)

From: Saint Aardvark
17-May-2006-19:17:20

The simplest way to check the default gateway is to start up the Terminal app (Applications -> Utilities, I believe) and run "netstat -rn". You'll see something like this: 



Internet:


Destination        Gateway            Flags    Refs      Use  Netif Expire


default            192.168.0.1        UGSc        0       33    en0


127.0.0.1          127.0.0.1          UH          2   121204    lo0


192.168.0          link#1             UC         13        0    en0


192.168.0.1        00:0e:0c:3a:ac:a2  UHLW        1    53128    en0   1162


192.168.0.2        00:0e:0c:2c:4c:2d  UHLW        1 25260647    en0   1147


The entry marked "default" is the one you're after. In this cae, it's
saying that the default gateway is 192.168.0.1.

If you want to see if you have multiple tap instances, just run
"ifconfig -a". You should see something like: 



en0: flags=8843 mtu 1500


        inet 192.168.0.74 netmask 0xffffff00 broadcast 192.168.0.255


        inet6 fe80::210:dcff:fe95:e03d%rl0 prefixlen 64 scopeid 0x1 


        ether 00:10:dc:95:e0:3d


        media: Ethernet autoselect (100baseTX )


        status: active


faith0: flags=8002 mtu 1500


lo0: flags=8049 mtu 16384


        inet6 ::1 prefixlen 128 


        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 


        inet 127.0.0.1 netmask 0xff000000 


ppp0: flags=8010 mtu 1500


In this case, you can see details for the en0, faith0, lo0 and ppp0
interfaces. If you see just one tap interface -- tap0, say -- well,
that's all you've got. If you see more -- tap0 and tap1, say -- then
you've got more than one.

Hope that helps!

From: oktokie
21-August-2006-09:27:10

I was looking for detailed installation guide in installing openntpd on my whiterussian and stumbled onto your page.

Coult it be that openntpd being unable to set correct time, maybe result from boot up time of the system being(there is no battery inside router...I think) way off time?

Try the last option when starting the ntpd.

The options are as follows:

-d Do not daemonize. If this option is specified, ntpd will run
in the foreground and log to stderr.

-f file Use file as the configuration file, instead of the default
/etc/ntpd.conf.

-S Do not set the time immediately at startup. This is the de-
fault.

-s Set the time immediately at startup if the local clock is off
by more than 180 seconds. Allows for a large time correc-
tion, eliminating the need to run rdate(8) before starting
ntpd.

This might help.

From: AC
22-May-2006-08:04:10

"netstat -m" in terminal returned - 



adam-s-computer:~ adam$ netstat -m


405 mbufs in use:


        401 mbufs allocated to data


        3 mbufs allocated to socket names and addresses


        1 mbufs allocated to Appletalk data blocks


578/1522 mbuf clusters in use


0/56 mbuf 4KB clusters in use


3369 Kbytes allocated to network (37% in use)


0 requests for memory denied


0 requests for memory delayed


0 calls to protocol drain routines


I looked at the other flags, and it looks like "-r" is the one to return that information; it returned what you posted above.

Thanks so much! :)

From: Saint Aardvark
23-May-2006-06:05:04

Yeah, it looks like -m in my browser too, but you've already figured out it's minus romeo november. Glad I was able to help!

From: Saint Aardvark
31-August-2006-06:57:47

Thanks for the suggestion, oktokie, but I had been trying the -s option w/o any success *when run from the bootup script* -- worked just fine if I logged in afterward and ran it by hand.

I did manage to fix this, though, by briefly configuring the ethernet interface, setting the time and then de-configuring it -- all before the firewall script runs. IOW: 



iptables -P INPUT ACCEPT    


iptables -P OUTPUT ACCEPT   


iptables -P FORWARD ACCEPT  


                            


ifconfig vlan1 add 192.168.23.9 netmask 255.255.255.0


/usr/sbin/ntpclient -c 1 -s -h 192.168.23.10


ifconfig vlan1 del 192.168.23.9 netmask 255.255.255.0


                                


iptables -P INPUT DROP      


iptables -P OUTPUT DROP     


iptables -P FORWARD DROP





# Next comes setting up bridging, then the rest of the firewall

Add a comment:

Name and email required; email is not displayed.

Name (required)
Email (required)
Website
The site is named after Saint ________ the Carpeted: (required)
Comment

Related Posts