Openvpn route errors

I have a Slate running 3.025. I have two different OpenVPN servers I use (different endpoint options for me). One is an OPNSense device and the other is Linux. I have the OpenVPN connection to the OPNSense box working fine.

I went to build my server and it works just fine on the laptop. When I took the config and installed it on the Slate, it required a password.

My configuration on the Linux machine is certificates only with password protection on the certificates. I gave up and decided just to add a password to the private key so it would play nice with my Slate.
Log:
Mon Dec 2 10:51:28 2019 user.info : 1317: gl-vpn-client>> Start, vpnpath=/etc/openvpn/ovpn2, serverfile=slate.ovpn
Mon Dec 2 10:51:28 2019 user.info : 1373: gl-vpn-client>> glconfig.openvpn.ovpn=/etc/openvpn/ovpn2/slate.ovpn, glconfig.openvpn.clientid=ovpn2
Mon Dec 2 10:51:33 2019 daemon.notice openvpn[6299]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Dec 2 10:51:33 2019 daemon.notice openvpn[6299]: library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
Mon Dec 2 10:51:33 2019 daemon.warn openvpn[6306]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Dec 2 10:51:33 2019 daemon.notice openvpn[6306]: Outgoing Control Channel Authentication: Using 256 bit message hash ‘SHA256’ for HMAC authentication
Mon Dec 2 10:51:33 2019 daemon.notice openvpn[6306]: Incoming Control Channel Authentication: Using 256 bit message hash ‘SHA256’ for HMAC authentication
Mon Dec 2 10:51:33 2019 daemon.notice openvpn[6306]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Mon Dec 2 10:51:33 2019 daemon.notice openvpn[6306]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Dec 2 10:51:33 2019 daemon.notice openvpn[6306]: UDP link local: (not bound)
Mon Dec 2 10:51:33 2019 daemon.notice openvpn[6306]: UDP link remote: [AF_INET]xx.xx.xx.xx:1194
Mon Dec 2 10:51:33 2019 daemon.notice openvpn[6306]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mon Dec 2 10:51:33 2019 daemon.notice openvpn[6306]: TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=db2a3215 5bef79ab
Mon Dec 2 10:51:33 2019 daemon.notice openvpn[6306]: VERIFY OK: depth=1, CN=DropCA
Mon Dec 2 10:51:33 2019 daemon.notice openvpn[6306]: VERIFY KU OK
Mon Dec 2 10:51:33 2019 daemon.notice openvpn[6306]: Validating certificate extended key usage
Mon Dec 2 10:51:33 2019 daemon.notice openvpn[6306]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Dec 2 10:51:33 2019 daemon.notice openvpn[6306]: VERIFY EKU OK
Mon Dec 2 10:51:33 2019 daemon.notice openvpn[6306]: VERIFY OK: depth=0, CN=host.name
Mon Dec 2 10:51:34 2019 daemon.notice openvpn[6306]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Dec 2 10:51:34 2019 daemon.notice openvpn[6306]: [host.name] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: SENT CONTROL [host.name]: ‘PUSH_REQUEST’ (status=1)
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: PUSH: Received control message: ‘PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM’
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: OPTIONS IMPORT: timers and/or timeouts modified
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: OPTIONS IMPORT: --ifconfig/up options modified
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: OPTIONS IMPORT: route options modified
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: OPTIONS IMPORT: peer-id set
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: OPTIONS IMPORT: adjusting link_mtu to 1624
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: OPTIONS IMPORT: data channel crypto options modified
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: Data Channel: using negotiated cipher ‘AES-256-GCM’
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: Outgoing Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: Incoming Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: TUN/TAP device tun0 opened
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: TUN/TAP TX queue length set to 100
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: /etc/openvpn/update-resolv-conf tun0 1500 1552 10.8.0.6 10.8.0.5 init
Mon Dec 2 10:51:37 2019 daemon.notice openvpn[6306]: /sbin/route add -net xx.xx.xx.xx netmask 255.255.255.255 gw 172.20.10.1
Mon Dec 2 10:51:37 2019 daemon.warn openvpn[6306]: ERROR: Linux route add command failed: external program exited with error status: 1
Mon Dec 2 10:51:37 2019 daemon.notice openvpn[6306]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Mon Dec 2 10:51:37 2019 daemon.warn openvpn[6306]: ERROR: Linux route add command failed: external program exited with error status: 1
Mon Dec 2 10:51:37 2019 daemon.notice openvpn[6306]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Mon Dec 2 10:51:38 2019 daemon.warn openvpn[6306]: ERROR: Linux route add command failed: external program exited with error status: 1
Mon Dec 2 10:51:38 2019 daemon.notice openvpn[6306]: /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.5
Mon Dec 2 10:51:38 2019 daemon.warn openvpn[6306]: ERROR: Linux route add command failed: external program exited with error status: 1
Mon Dec 2 10:51:47 2019 daemon.notice openvpn[7613]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Dec 2 10:51:47 2019 daemon.notice openvpn[7613]: library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
Mon Dec 2 10:51:47 2019 daemon.warn openvpn[7623]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Dec 2 10:51:47 2019 daemon.notice openvpn[7623]: Outgoing Control Channel Authentication: Using 256 bit message hash ‘SHA256’ for HMAC authentication
Mon Dec 2 10:51:47 2019 daemon.notice openvpn[7623]: Incoming Control Channel Authentication: Using 256 bit message hash ‘SHA256’ for HMAC authentication
Mon Dec 2 10:51:47 2019 daemon.notice openvpn[7623]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Mon Dec 2 10:51:47 2019 daemon.notice openvpn[7623]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Dec 2 10:51:47 2019 daemon.notice openvpn[7623]: UDP link local: (not bound)
Mon Dec 2 10:51:47 2019 daemon.notice openvpn[7623]: UDP link remote: [AF_INET]xx.xx.xx.xx:1194
Mon Dec 2 10:51:47 2019 daemon.notice openvpn[7623]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mon Dec 2 10:51:48 2019 daemon.notice openvpn[7623]: TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=a1b73c98 6238f0e1
Mon Dec 2 10:51:48 2019 daemon.notice openvpn[7623]: VERIFY OK: depth=1, CN=DropCA
Mon Dec 2 10:51:48 2019 daemon.notice openvpn[7623]: VERIFY KU OK
Mon Dec 2 10:51:48 2019 daemon.notice openvpn[7623]: Validating certificate extended key usage
Mon Dec 2 10:51:48 2019 daemon.notice openvpn[7623]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Dec 2 10:51:48 2019 daemon.notice openvpn[7623]: VERIFY EKU OK
Mon Dec 2 10:51:48 2019 daemon.notice openvpn[7623]: VERIFY OK: depth=0, CN=host.name
Mon Dec 2 10:51:48 2019 daemon.notice openvpn[7623]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Dec 2 10:51:48 2019 daemon.notice openvpn[7623]: [host.name] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Mon Dec 2 10:51:49 2019 daemon.notice openvpn[7623]: SENT CONTROL [host.name]: ‘PUSH_REQUEST’ (status=1)
Mon Dec 2 10:51:49 2019 daemon.notice openvpn[7623]: PUSH: Received control message: ‘PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9,peer-id 1,cipher AES-256-GCM’
Mon Dec 2 10:51:49 2019 daemon.notice openvpn[7623]: OPTIONS IMPORT: timers and/or timeouts modified
Mon Dec 2 10:51:49 2019 daemon.notice openvpn[7623]: OPTIONS IMPORT: --ifconfig/up options modified
Mon Dec 2 10:51:49 2019 daemon.notice openvpn[7623]: OPTIONS IMPORT: route options modified
Mon Dec 2 10:51:49 2019 daemon.notice openvpn[7623]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Dec 2 10:51:49 2019 daemon.notice openvpn[7623]: OPTIONS IMPORT: peer-id set
Mon Dec 2 10:51:49 2019 daemon.notice openvpn[7623]: OPTIONS IMPORT: adjusting link_mtu to 1624
Mon Dec 2 10:51:49 2019 daemon.notice openvpn[7623]: OPTIONS IMPORT: data channel crypto options modified
Mon Dec 2 10:51:49 2019 daemon.notice openvpn[7623]: Data Channel: using negotiated cipher ‘AES-256-GCM’
Mon Dec 2 10:51:49 2019 daemon.notice openvpn[7623]: Outgoing Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Mon Dec 2 10:51:49 2019 daemon.notice openvpn[7623]: Incoming Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Mon Dec 2 10:51:49 2019 daemon.err openvpn[7623]: ERROR: Cannot ioctl TUNSETIFF tun0: Resource busy (errno=16)
Mon Dec 2 10:51:49 2019 daemon.notice openvpn[7623]: Exiting due to fatal error
Mon Dec 2 10:51:54 2019 daemon.notice openvpn[6306]: GID set to nogroup
Mon Dec 2 10:51:54 2019 daemon.notice openvpn[6306]: UID set to nobody
Mon Dec 2 10:51:54 2019 daemon.warn openvpn[6306]: WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Mon Dec 2 10:51:54 2019 daemon.notice openvpn[6306]: Initialization Sequence Completed
Mon Dec 2 10:51:54 2019 daemon.notice openvpn[6306]: /sbin/route del -net xx.xx.xx.xx netmask 255.255.255.255
Mon Dec 2 10:51:54 2019 daemon.warn openvpn[6306]: ERROR: Linux route delete command failed: external program exited with error status: 1
Mon Dec 2 10:51:54 2019 daemon.notice openvpn[6306]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Mon Dec 2 10:51:54 2019 daemon.warn openvpn[6306]: ERROR: Linux route delete command failed: external program exited with error status: 1
Mon Dec 2 10:51:54 2019 daemon.notice openvpn[6306]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Mon Dec 2 10:51:54 2019 daemon.warn openvpn[6306]: ERROR: Linux route delete command failed: external program exited with error status: 1
Mon Dec 2 10:51:54 2019 daemon.notice openvpn[6306]: Closing TUN/TAP interface
Mon Dec 2 10:51:54 2019 daemon.notice openvpn[6306]: /sbin/ifconfig tun0 0.0.0.0
Mon Dec 2 10:51:54 2019 daemon.warn openvpn[6306]: Linux ip addr del failed: external program exited with error status: 1
Mon Dec 2 10:51:54 2019 daemon.notice openvpn[6306]: /etc/openvpn/update-resolv-conf tun0 1500 1552 10.8.0.6 10.8.0.5 init
Mon Dec 2 10:51:54 2019 daemon.notice openvpn[6306]: SIGINT[hard,] received, process exiting
Mon Dec 2 10:52:08 2019 user.info : 1317: gl-vpn-client>> Stop, vpnpath=/etc/openvpn/ovpn2, serverfile=slate.ovpn

Client config:
client
dev tun
proto udp
remote host.name 1194
remote xx.xx.xx.xx 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
verb 3
key-direction 1

…REMOVED…


…REMOVED…


…REMOVED…


#
# 2048 bit OpenVPN static key
#
…REMOVED…

daemon
askpass /etc/openvpn/ovpn2/auth/passphrase.txt

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Happy to post the server config if that is wanted, but this post is already pretty long.

Anyone have any suggestions as to what to do next for troubleshooting?

I removed
user nobody
group nobody
from the config and the route add errors persist.

I can see the tun0 interface does come up.

Do you have other routing rules in the routing table that cause VPN routing rules to fail to add?

Nope.
root@GL-AR750S:~# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.20.10.1 0.0.0.0 UG 0 0 0 eth1
172.20.10.0 0.0.0.0 255.255.255.240 U 0 0 0 eth1
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
The VPN subnet is 10.8.0.0/24.

At this point it seems like the fact that I am not using user/pw auth for OpenVPN seems to be the big difference here. The working config, which is to an OPNSense gateway, has a username/pw for it, and the non-working config to the Ubuntu gateway just uses the certificate authentication.

Looks like the slate is running 2.4.5
OPNSense is running 2.4.8
Ubuntu Linux is running 2.4.4

I got this working. I think I had to enable client to client communication on the server side. This doesn’t make much sense, but I’m happy to have that anyway since this is my personal VPN server.
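
For reading a log like the one in the first post, this added example (not code from the thread, GL.iNet or OpenVPN) groups the openvpn lines by PID, pairs each "command failed" error with the command logged just before it, and flags PIDs whose lines interleave, which is the situation around the `TUNSETIFF tun0: Resource busy` line. The sample log is constructed from the post's format, and the function names are made up for the example.

```python
import re

# Constructed sample in the syslog format shown in the post (trimmed to six lines).
SAMPLE_LOG = """\
Mon Dec 2 10:51:35 2019 daemon.notice openvpn[6306]: TUN/TAP device tun0 opened
Mon Dec 2 10:51:37 2019 daemon.notice openvpn[6306]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Mon Dec 2 10:51:37 2019 daemon.warn openvpn[6306]: ERROR: Linux route add command failed: external program exited with error status: 1
Mon Dec 2 10:51:49 2019 daemon.err openvpn[7623]: ERROR: Cannot ioctl TUNSETIFF tun0: Resource busy (errno=16)
Mon Dec 2 10:51:49 2019 daemon.notice openvpn[7623]: Exiting due to fatal error
Mon Dec 2 10:51:54 2019 daemon.notice openvpn[6306]: Initialization Sequence Completed
"""

# Matches "facility.severity openvpn[pid]: message" anywhere in a line.
LINE = re.compile(r"\w+\.(?P<sev>\w+) openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def triage(log_text):
    """Per-PID summary: failed external commands (paired with the command
    logged just before the error), err-level messages, and line span."""
    report = {}
    for idx, raw in enumerate(log_text.splitlines()):
        m = LINE.search(raw)
        if not m:
            continue  # not an openvpn daemon line (e.g. gl-vpn-client)
        pid, sev, msg = int(m["pid"]), m["sev"], m["msg"]
        e = report.setdefault(pid, {"first": idx, "last": idx, "last_cmd": None,
                                    "failed_cmds": [], "fatal": [], "completed": False})
        e["last"] = idx
        if msg.startswith("/"):  # external command about to be run
            e["last_cmd"] = msg
        elif "failed: external program exited" in msg:
            e["failed_cmds"].append(e["last_cmd"] or "<unknown>")
        elif sev == "err":
            e["fatal"].append(msg)
        elif msg == "Initialization Sequence Completed":
            e["completed"] = True
    return report

def overlapping(report):
    """PID pairs whose log lines interleave, i.e. two clients alive at once."""
    pids = sorted(report)
    return [(a, b) for i, a in enumerate(pids) for b in pids[i + 1:]
            if report[a]["first"] <= report[b]["last"] and report[b]["first"] <= report[a]["last"]]

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for pid, e in rep.items():
        print(pid, "failed:", e["failed_cmds"], "fatal:", e["fatal"], "completed:", e["completed"])
    print("overlapping PIDs:", overlapping(rep))
```
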