
I have an Ubuntu 16.04 server. I configured two clients and the server. The goal is to connect those two clients to the server and ssh from one to another. I can connect on Linux Mint by adding a VPN connection (right-clicking the internet connection icon and specifying the .ovpn file). Unfortunately, I can't connect to the same server with the second, similar client configuration on Raspberry Pi Stretch using:

sudo openvpn --config client2.ovpn

I'm getting

ERROR: Linux route add command failed: external program exited with error status: 2

Full response:

Wed Nov 20 11:33:49 2019 OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Wed Nov 20 11:33:49 2019 library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.10
Wed Nov 20 11:33:49 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Nov 20 11:33:50 2019 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Nov 20 11:33:50 2019 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Nov 20 11:33:50 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]51.75.127.237:1194
Wed Nov 20 11:33:50 2019 Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Nov 20 11:33:50 2019 UDP link local: (not bound)
Wed Nov 20 11:33:50 2019 UDP link remote: [AF_INET]xx.xx.xx.xx:1194
Wed Nov 20 11:33:50 2019 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Wed Nov 20 11:33:50 2019 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=bd06e3d1 f7c41b7e
Wed Nov 20 11:33:50 2019 VERIFY OK: depth=1, C=PL, ST=PDK, L=X, O=K, OU=K, CN=K CA, name=server, emailAddress=some_email
Wed Nov 20 11:33:50 2019 VERIFY KU OK
Wed Nov 20 11:33:50 2019 Validating certificate extended key usage
Wed Nov 20 11:33:50 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Nov 20 11:33:50 2019 VERIFY EKU OK
Wed Nov 20 11:33:50 2019 VERIFY OK: depth=1, C=PL, ST=PDK, L=X, O=K, OU=K, CN=K CA, name=server, emailAddress=some_email
Wed Nov 20 11:33:50 2019 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Nov 20 11:33:50 2019 [server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Wed Nov 20 11:33:51 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Nov 20 11:33:51 2019 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9'
Wed Nov 20 11:33:51 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Nov 20 11:33:51 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Nov 20 11:33:51 2019 OPTIONS IMPORT: route options modified
Wed Nov 20 11:33:51 2019 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Nov 20 11:33:51 2019 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Nov 20 11:33:51 2019 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Nov 20 11:33:51 2019 Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Nov 20 11:33:51 2019 ROUTE_GATEWAY 192.168.8.1/255.255.255.0 IFACE=eth1 HWADDR=0c:5b:8f:27:9a:64
Wed Nov 20 11:33:51 2019 TUN/TAP device tun1 opened
Wed Nov 20 11:33:51 2019 TUN/TAP TX queue length set to 100
Wed Nov 20 11:33:51 2019 /sbin/ip link set dev tun1 up mtu 1500
Wed Nov 20 11:33:51 2019 /sbin/ip addr add dev tun1 local 10.8.0.10 peer 10.8.0.9
Wed Nov 20 11:33:51 2019 /etc/openvpn/update-resolv-conf tun1 1500 1570 10.8.0.10 10.8.0.9 init
Wed Nov 20 11:33:51 2019 /sbin/ip route add 10.8.0.0/24 via 10.8.0.9
RTNETLINK answers: File exists
Wed Nov 20 11:33:51 2019 ERROR: Linux route add command failed: external program exited with error status: 2
Wed Nov 20 11:33:51 2019 GID set to nogroup
Wed Nov 20 11:33:51 2019 UID set to nobody
Wed Nov 20 11:33:51 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Nov 20 11:33:51 2019 Initialization Sequence Completed

My server.conf:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC   # AES
auth  SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

My client.ovpn:

client
dev tun
proto udp
remote xx.xx.xx.xx 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-auth>
...
</tls-auth>

Many thanks for any ideas.

siadajpan

2 Answers


Normally the error RTNETLINK answers: File exists happens when the OpenVPN client is trying to add a route that already exists on the client machine. OpenVPN then generates the error message:

ERROR: Linux route add command failed: external program exited with error status: 2

Can you check this client machine's network settings to ensure that you don't have any existing route to the 10.8.0.0/24 network?

kenlukas

You are pushing a route, the route to your OpenVPN gateway (and/or subnet):

/sbin/ip route add 10.8.0.0/24 via 10.8.0.9 is being called; your error stems from already having a route to that host or subnet. Check your active routes on the client (e.g. ip r) to confirm.

You also shouldn't use LZO compression with encryption because of VORACLE.

Lenniey
Yes, you are right! Thank you so much. I've changed the address on server.conf to 10.8.1.0 and it worked. I've also commented out LZO on both clients and server, as you suggested. – siadajpan Nov 20 '19 at 13:55
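Both answers come down to the same check: compare the routes the server pushes (the PUSH_REPLY line in the client log) against what `ip route show` already lists on the client, and drop compression while you are at it. The script below is an added example, not code from the question or either answer; it parses a PUSH_REPLY line and an `ip route show` dump to report overlapping networks, and scans a config for comp-lzo/compress directives. The `ip route show` text and the config fragment are constructed samples modelled on the question (a LAN that already uses 10.8.0.0/24); on a real client you would feed it the live command output.

```python
"""Spot OpenVPN pushed routes that collide with routes already on the client,
and list compression directives in a config.

Added example, not part of the original post. All inputs below are constructed
samples; on a real host the routing text comes from running `ip -4 route show`.
"""
import ipaddress
import re

# Constructed sample of `ip -4 route show` on a client whose LAN already
# occupies 10.8.0.0/24, the situation that produced "File exists" in the question.
SAMPLE_IP_ROUTE = """\
default via 192.168.8.1 dev eth1 proto dhcp metric 100
10.8.0.0/24 dev eth0 proto kernel scope link src 10.8.0.5
192.168.8.0/24 dev eth1 proto kernel scope link src 192.168.8.20
"""

# Constructed sample: the PUSH_REPLY line as it appears in the question's log.
SAMPLE_LOG = """\
Wed Nov 20 11:33:51 2019 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9'
"""

# Constructed sample config fragment with the option the second answer warns about.
SAMPLE_CONFIG = """\
cipher AES-128-CBC
auth SHA256
comp-lzo
verb 3
"""


def parse_pushed_routes(log_text):
    """Return the networks named in 'route <net> <mask>' entries of PUSH_REPLY lines."""
    routes = []
    pattern = re.compile(r"route (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
    for line in log_text.splitlines():
        if "PUSH_REPLY" not in line:
            continue
        for net, mask in pattern.findall(line):
            routes.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return routes


def parse_kernel_routes(ip_route_text):
    """Return (network, device) pairs from `ip route show` output, skipping the default route.
    A bare host address (no prefix length) is treated as a /32, as the kernel does."""
    result = []
    for line in ip_route_text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        net = ipaddress.ip_network(fields[0], strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else "?"
        result.append((net, dev))
    return result


def find_route_conflicts(log_text, ip_route_text):
    """Return (pushed_network, existing_network, device) for every pushed route
    that overlaps a route already present in the kernel table."""
    conflicts = []
    existing_routes = parse_kernel_routes(ip_route_text)
    for pushed in parse_pushed_routes(log_text):
        for existing, dev in existing_routes:
            if pushed.overlaps(existing):
                conflicts.append((pushed, existing, dev))
    return conflicts


def compression_directives(config_text):
    """Return active 'comp-lzo' / 'compress ...' directives, ignoring commented-out lines."""
    found = []
    for line in config_text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if stripped.startswith(("comp-lzo", "compress")):
            found.append(stripped)
    return found


if __name__ == "__main__":
    for pushed, existing, dev in find_route_conflicts(SAMPLE_LOG, SAMPLE_IP_ROUTE):
        print(f"pushed route {pushed} overlaps existing route {existing} on {dev}")
    for directive in compression_directives(SAMPLE_CONFIG):
        print(f"compression enabled in config: {directive}")
```

With the sample input it reports that the pushed 10.8.0.0/24 overlaps the existing 10.8.0.0/24 on eth0, which is exactly what the asker fixed by moving the server to 10.8.1.0; substituting that subnet into the PUSH_REPLY line produces no conflict. The overlap test uses `ipaddress.ip_network.overlaps`, so a pushed /24 sitting inside an existing /16 on the client is caught as well, not only an identical prefix.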