Client Auth Error on auto-reconnect following network interruption
Posted: Tue Sep 25, 2018 2:20 am
Hi Everyone,
Sorry to bother, but I have an odd problem that I can't seem to find an answer to (If I've missed something obvious, I apologise in advance!)...
I've set up an OpenVPN Access Server on a VPS I use (I tried several times to do a full install of OpenVPN server from scratch, but just couldn't actually get it to work, even looking at several different sources... so I used the Access Server .deb file and got it working straight away), and have two clients, which can happily connect and communicate through the VPN etc.
The issue, however, comes through some testing I've been doing in preparation for deployment. One client is a headless Pi Zero W, which I plan to locate in a remote location, and want to be able to connect to remotely through the VPN to give me access to some things behind it. I have set it up with an auto-login profile, and the VPN starts perfectly when it boots. However, if I simulate a network issue or a server issue by manually shutting down either the full VPS server instance or the Access Server itself from within the OpenVPN Access Server admin section, and then turn it back on, the Pi always fails to reconnect citing an Auth Error... If after the auth error I manually restart the openvpn service, it logs in straight away, no issues.
Nothing I appear to be doing is actually fixing this. Any thoughts?
For reference, here is the log output on the Pi when it fails (I've replaced the IP and port with <server_ip_and_port> for security):
Sat Sep 22 05:28:23 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 22 05:28:23 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]<server_ip_and_port>
Sat Sep 22 05:28:23 2018 Socket Buffers: R=[87380->200000] S=[16384->200000]
Sat Sep 22 05:28:23 2018 Attempting to establish TCP connection with [AF_INET]<server_ip_and_port> [nonblock]
Sat Sep 22 05:28:24 2018 TCP: connect to [AF_INET]<server_ip_and_port> failed: Connection refused
Sat Sep 22 05:28:24 2018 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sat Sep 22 05:28:24 2018 Restart pause, 5 second(s)
Sat Sep 22 05:28:29 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 22 05:28:29 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 22 05:28:29 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]<server_ip_and_port>
Sat Sep 22 05:28:29 2018 Socket Buffers: R=[163840->200000] S=[163840->200000]
Sat Sep 22 05:28:29 2018 UDP link local: (not bound)
Sat Sep 22 05:28:29 2018 UDP link remote: [AF_INET]<server_ip_and_port>
Sat Sep 22 05:28:29 2018 TLS: Initial packet from [AF_INET]<server_ip_and_port>, sid=b6a20603 c7873341
Sat Sep 22 05:28:29 2018 VERIFY OK: depth=1, CN=OpenVPN CA
Sat Sep 22 05:28:29 2018 VERIFY OK: nsCertType=SERVER
Sat Sep 22 05:28:29 2018 VERIFY OK: depth=0, CN=OpenVPN Server
Sat Sep 22 05:28:29 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1558'
Sat Sep 22 05:28:29 2018 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
Sat Sep 22 05:28:29 2018 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Sat Sep 22 05:28:29 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Sep 22 05:28:29 2018 [OpenVPN Server] Peer Connection Initiated with [AF_INET]<server_ip_and_port>
Sat Sep 22 05:28:30 2018 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Sat Sep 22 05:28:30 2018 AUTH: Received control message: AUTH_FAILED
Sat Sep 22 05:28:30 2018 SIGTERM[soft,auth-failure] received, process exiting
The Client Config in Question (minus all secure info):
# Automatically generated OpenVPN client config file
# Generated on Tue Sep 25 03:06:18 2018 by
# Default Cipher
cipher AES-256-CBC
# Note: this config file contains inline private keys
# and therefore should be kept confidential!
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=<client_username>
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=<client_info>/AUTOLOGIN
# OVPN_ACCESS_SERVER_AUTOLOGIN=1
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=<server_ip_and_port>
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
# OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN, Inc.
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote <server_ip_and_port> udp
remote <server_ip_and_port> udp
remote <server_ip_and_port> tcp
remote <server_ip_and_port> udp
remote <server_ip_and_port> udp
remote <server_ip_and_port> udp
remote <server_ip_and_port> udp
remote <server_ip_and_port> udp
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
# Extra user-defined configuration
float
resolv-retry infinite
persist-tun
persist-key
ping-timer-rem
keepalive 30 120
connect-retry 120 120
## -----BEGIN RSA SIGNATURE-----
## DIGEST:sha256
## -----END RSA SIGNATURE-----
## -----BEGIN CERTIFICATE-----
## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----
## -----END CERTIFICATE-----
And finally, additional parameters added into the server conf (and the client conf, even though I know they are visible above) via the Access Server web interface:
The additionals were added from looking at a million posts (at least it seems like it!) and trying to see if anything would work... I'm not sure what they all do, to be fair!
SERVER CONF:
float
resolv-retry infinite
persist-tun
persist-key
ping-timer-rem
keepalive 30 120
CLIENT CONF:
float
resolv-retry infinite
persist-tun
persist-key
ping-timer-rem
keepalive 30 120
connect-retry 120 120
It's worth noting that the Pi Zero W is using the wlan0 interface (which I have a hunch may be the root of the problems). Also, tun0 stays listed throughout all the time the server is down and the Pi is auto-attempting to reconnect, but after the AUTH_FAILED issue the entry for tun0 is no longer listed. A simple workaround would be to check for the presence of tun0 with a cron script, and start the openvpn client again if not, but that's a workaround, not a solution.
Any help would be hugely appreciated! And thank you in advance!
Owen.
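The cron-script workaround described in the post (check for tun0, restart the client if it is gone), written out as an added example that is not the poster's code. It also classifies the client's recent log lines, so that a soft SIGUSR1 restart (OpenVPN still retrying by itself, tun0 still present thanks to persist-tun) is left alone, while an exit after AUTH_FAILED, which only a manual restart cleared in the post, triggers the restart. Assumptions: the client runs as the systemd unit "openvpn@client", logs to /var/log/openvpn.log, and the script is installed as ovpn-watchdog.sh; all three can be overridden through the environment. The sample log embedded for a self-check is copied from the log output in the post.

```shell
#!/bin/sh
# Added example, not code from the original post: a watchdog in the spirit
# of the cron-script workaround mentioned above. It checks whether tun0 still
# exists and, when the client log shows OpenVPN exited after AUTH_FAILED,
# restarts the client service (a manual restart is what cleared the error in
# the post). Unit name, log path and script name are assumptions.

OVPN_UNIT="${OVPN_UNIT:-openvpn@client}"       # assumed systemd unit name
OVPN_LOG="${OVPN_LOG:-/var/log/openvpn.log}"   # assumed client log path
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"       # where interfaces appear

# Sample input for a self-check: the relevant lines copied from the post's log.
SAMPLE_LOG='Sat Sep 22 05:28:24 2018 TCP: connect to [AF_INET]<server_ip_and_port> failed: Connection refused
Sat Sep 22 05:28:24 2018 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sat Sep 22 05:28:29 2018 [OpenVPN Server] Peer Connection Initiated with [AF_INET]<server_ip_and_port>
Sat Sep 22 05:28:30 2018 AUTH: Received control message: AUTH_FAILED
Sat Sep 22 05:28:30 2018 SIGTERM[soft,auth-failure] received, process exiting'

# tun_present DEV: true if the interface currently exists in sysfs.
tun_present() {
    [ -d "$SYSFS_NET/$1" ]
}

# classify_exit: read OpenVPN log lines on stdin and print the most recent
# connection event seen:
#   auth-failure  process exited after AUTH_FAILED (OpenVPN will not retry)
#   transient     soft SIGUSR1 restart; OpenVPN is still retrying by itself
#   connected     "Peer Connection Initiated" with no later failure
#   unknown       none of the above in the input
classify_exit() {
    state=unknown
    while IFS= read -r line; do
        case "$line" in
            *"SIGTERM[soft,auth-failure]"*)      state=auth-failure ;;
            *"SIGUSR1[connection failed(soft)"*) state=transient ;;
            *"Peer Connection Initiated"*)       state=connected ;;
        esac
    done
    printf '%s\n' "$state"
}

# decide TUN_PRESENT(0|1) STATE: print the action the watchdog should take.
decide() {
    if [ "$1" -eq 1 ]; then
        echo keep       # tunnel interface is up; leave the client alone
    elif [ "$2" = transient ]; then
        echo wait       # OpenVPN is mid-retry; connect-retry/keepalive handle this
    else
        echo restart    # no tunnel and no retry in progress (covers auth-failure)
    fi
}

main() {
    if tun_present tun0; then present=1; else present=0; fi
    state=$(tail -n 200 "$OVPN_LOG" 2>/dev/null | classify_exit)
    action=$(decide "$present" "$state")
    logger -t ovpn-watchdog "tun0_present=$present last_event=$state action=$action"
    [ "$action" = restart ] && systemctl restart "$OVPN_UNIT"
    return 0
}

# Only act when run as the installed script, so sourcing it for checks is safe.
case "$0" in
    *ovpn-watchdog.sh) main "$@" ;;
esac
```

Run it from cron once a minute (for example `* * * * * /usr/local/bin/ovpn-watchdog.sh`, path assumed). The "wait" branch matters: during the server outage the post describes, OpenVPN keeps retrying on its own and tun0 stays listed, so restarting the service there would only reset the client's own backoff; the restart is reserved for the state the post actually shows, no tun0 and a log ending in SIGTERM[soft,auth-failure].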