Hello, just registered and this will be my first post. I wasn't getting very far with Google research and the OVPN troubleshooting page. Thought I would throw my issue out here and see if anyone had any ideas.
I've encountered this problem twice where the OVPN Access Server is running fine and doing its job, but for some reason the Web Admin UI becomes unreachable. Everything else seems to work as intended. Last time a simple server restart resolved the problem, but I'd like to find a way to avoid it or simply fix it without booting VPN users. Some basic info-
OVPN Access Server Version: 2.8.7
When I run netstat I can see the openvpn-openssl listening on 0.0.0.0:443.
I'm pretty new to running an Access Server, but I believe that service should be listening on the server's local address correct? Any ideas why this would change randomly?
Thanks for any help!
Access Server Web UI randomly becomes unavailable
-
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Jul 20, 2021 5:23 pm
-
- OpenVPN Power User
- Posts: 156
- Joined: Thu Mar 28, 2013 8:31 am
Re: Access Server Web UI randomly becomes unavailable
OpenVPN AS version 2.8.7 is fairly old at this point and has some known security issues that have since been resolved.
I would recommend upgrading to either version 2.8.8 or 2.9.2. Then see if you still experience problems with the web interface.
When a service shows in netstat as running on IP 0.0.0.0, then this indicates it is bound to all network interfaces. As such, that indicates it is on the server's local address.
When you have problems accessing the web UI via port 443, can you also try accessing it via port 943 instead?
When the problem is occurring, are you running the OpenVPN client and is the client actively connected?
-
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Jul 20, 2021 5:23 pm
Re: Access Server Web UI randomly becomes unavailable
I have not gone through an upgrade with one of these before. Are they fairly seamless? Any issues with past configs being reset?
> When a service shows in netstat as running on IP 0.0.0.0, then this indicates it is bound to all network interfaces. As such, that indicates it is on the server's local address.

I believe that's what I set originally, for it to listen on all interfaces. I'm not sure if this is useful, but I just checked the init.log and the Admin UI has some random IP address assigned to it. This is not even a subnet we use at any of our locations. I can putty into the access server just fine and access everything from CLI. I don't know how it got this IP address.

> When you have problems accessing the web UI via port 443, can you also try accessing it via port 943 instead?
> When the problem is occurring, are you running the OpenVPN client and is the client actively connected?

I can't use 443 or 943. I am not running the client myself, but I have about 7 employees that are working on it just fine. Seems to only be the Web UI that's acting up.
-
- OpenVPN Power User
- Posts: 156
- Joined: Thu Mar 28, 2013 8:31 am
Re: Access Server Web UI randomly becomes unavailable
Each of the upgrades from 2.8.7 to 2.8.8 I have done has gone seamlessly.
OpenVPN AS makes a backup copy of each of the configuration files on each restart, including when an upgrade is performed.
You can find the configuration files in /usr/local/openvpn_as/etc/db
Backups can be found in sub-directories named with the date/time the backup was made. If you run into any problems, you can restore the configuration from these backups.
KVPN wrote: ↑Tue Jul 20, 2021 6:36 pm
> I believe that's what I set originally, for it to listen on all interfaces. I'm not sure if this is useful, but I just checked the init.log and the Admin UI has some random IP address assigned to it. This is not even a subnet we use at any of our locations. I can putty into the access server just fine and access everything from CLI. I don't know how it got this IP address.

By default, the Admin UI web server is available through two different methods. The first is directly via port 943. The second is passed through the VPN service itself to the web server. This is performed through a Unix socket file. My guess is the random address you are seeing in the init.log may not be an IP, but rather is the socket identification number.
Do you have any other software/service running on the same server that modifies iptables or the system firewall?
The other possibility I can think of is the kernel might be performing an Out of Memory (OOM) kill against the web service while still leaving the VPN services running. But this should only occur if the system is extremely starved on available RAM.
You may want to open a ticket with OpenVPN AS support so they can review the logs for you. There is only so much that can be accomplished through the forums.
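The checks suggested in the post above (is anything listening on 443 and 943, and has the kernel OOM-killed a process) can be scripted. This is an added example, not part of the original posts; the sample socket table and kernel log line are constructed, and the process name `webui-worker` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data is constructed; the process
# name "webui-worker" is hypothetical.

# listeners PORT: read `ss -ltn` / `netstat -ltn` text on stdin and print the
# local address of every LISTEN socket on PORT.
listeners() {
    awk -v port="$1" '/LISTEN/ {
        for (i = 1; i <= NF; i++) {
            n = split($i, p, ":")
            if (n >= 2 && p[n] == port) {
                print substr($i, 1, length($i) - length(port) - 1)
                break   # local address column comes before the peer column
            }
        }
    }'
}

# bind_scope ADDR: say which interfaces a listening address covers.
bind_scope() {
    case "$1" in
        0.0.0.0|'*'|::|'[::]') echo all-interfaces ;;
        127.*|::1|'[::1]')     echo loopback-only ;;
        *)                     echo single-address ;;
    esac
}

# oom_victims: read kernel log text on stdin, print names of OOM-killed processes.
oom_victims() {
    sed -n 's/.*Killed process [0-9][0-9]* (\([^)]*\)).*/\1/p'
}

# Constructed sample: VPN daemon still on 443, nothing on 943, one OOM kill.
SAMPLE_SOCKETS='tcp   0   0 0.0.0.0:443    0.0.0.0:*   LISTEN   1201/openvpn-openssl
tcp   0   0 0.0.0.0:22     0.0.0.0:*   LISTEN   801/sshd'
SAMPLE_KLOG='[81234.5] Out of memory: Killed process 1377 (webui-worker) total-vm:912340kB'

for port in 443 943; do
    addrs=$(printf '%s\n' "$SAMPLE_SOCKETS" | listeners "$port")
    if [ -z "$addrs" ]; then
        echo "port $port: no listener"
    else
        # while-read avoids glob expansion of addresses such as "*" or "[::]"
        printf '%s\n' "$addrs" | while read -r a; do
            echo "port $port: $a ($(bind_scope "$a"))"
        done
    fi
done
victims=$(printf '%s\n' "$SAMPLE_KLOG" | oom_victims)
if [ -n "$victims" ]; then echo "OOM-killed: $victims"; fi
```

On a live server, feed the functions real data instead of the samples, for example `ss -ltn | listeners 943` and `dmesg | oom_victims`.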
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: Access Server Web UI randomly becomes unavailable
chilinux wrote: ↑Tue Jul 20, 2021 9:50 pm
> Do you have any other software/service running on the same server that modifies iptables or the system firewall?
> The other possibility I can think of is the kernel might be performing an Out of Memory (OOM) kill against the web service while still leaving the VPN services running. But this should only occur if the system is extremely starved on available RAM.
> You may want to open a ticket with OpenVPN AS support so they can review the logs for you. There is only so much that can be accomplished through the forums.

+1 to that. The Support team are a fine bunch, regardless of what you may have heard! The link is also down there in my signature.
I had a thought. The OP says s/he is not using the VPN. Perhaps the server is behind NAT, and KVPN is also behind the same NAT?
If so you need to go to the Access Server's internal IP address, the address which is receiving UDP 1194 and TCP 443 and 943 packets from outside. That would be the NAT address used by the router, not the external address OF the router.
Another "solution" to that problem is sometimes called "hairpin NAT", but it's ugly and I never recommend it.
Good luck, regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support