Access Server Web UI randomly becomes unavailable

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
KVPN
OpenVpn Newbie
Posts: 2
Joined: Tue Jul 20, 2021 5:23 pm

Access Server Web UI randomly becomes unavailable

Post by KVPN » Tue Jul 20, 2021 5:35 pm

Hello, just registered and this will be my first post. I wasn't getting very far with Google research and the OVPN troubleshooting page. Thought I would throw my issue out here and see if anyone had any ideas.

I've encountered this problem twice where the OVPN Access Server is running fine and doing it's job, but for some reason the Web Admin UI becomes unreachable. Everything else seems to work as intended. Last time a simple server restart resolved the problem, but I'd like to find a way to avoid it or simply fix it without booting VPN users. Some basic info-

OVPN Access Server Version: 2.8.7
When I run netstat I can see the openvpn-openssl listening on 0.0.0.0:443.

I'm pretty new to running an Access Server, but I believe that service should be listening on the server's local address correct? Any ideas why this would change randomly?

Thanks for any help!

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: Access Server Web UI randomly becomes unavailable

Post by chilinux » Tue Jul 20, 2021 6:25 pm

OpenVPN AS version 2.8.7 is fair old at this point and has some known security issues that have been since resolved.

I would recommend upgrading to either version 2.8.8 or 2.9.2. Then see if you still experience problems with the web interface.

When a service shows in netstat as running on IP 0.0.0.0, then this indicates it is bound to all network interfaces. As such, that indicate it is on the server's local address.

When you have problems access the web UI via port 443, can you also try accessing it via port 943 instead?

When the problem is occurring, are you running the OpenVPN client and is the client actively connected?

KVPN
OpenVpn Newbie
Posts: 2
Joined: Tue Jul 20, 2021 5:23 pm

Re: Access Server Web UI randomly becomes unavailable

Post by KVPN » Tue Jul 20, 2021 6:36 pm

chilinux wrote:
Tue Jul 20, 2021 6:25 pm
OpenVPN AS version 2.8.7 is fair old at this point and has some known security issues that have been since resolved.

I would recommend upgrading to either version 2.8.8 or 2.9.2. Then see if you still experience problems with the web interface.
I have not gone through an upgrade with one of these before. Are they fairly seamless? Any issues with past configs being reset?
When a service shows in netstat as running on IP 0.0.0.0, then this indicates it is bound to all network interfaces. As such, that indicate it is on the server's local address.
I believe that's what I set originally, for it to listen on all interfaces. I'm not sure if this is useful, but I just checked the init.log and the Admin UI has some random IP address assigned to it. This is not even a subnet we use at any of our locations. I can putty into the access server just fine and access everything from CLI. I don't know how it got this IP address.
When you have problems access the web UI via port 443, can you also try accessing it via port 943 instead?

When the problem is occurring, are you running the OpenVPN client and is the client actively connected?
I can't use 443 or 943. I am not running the client myself, but I have about 7 employees that are working on it just fine. Seems to only be the Web UI that's acting up.

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: Access Server Web UI randomly becomes unavailable

Post by chilinux » Tue Jul 20, 2021 9:50 pm

KVPN wrote:
Tue Jul 20, 2021 6:36 pm
chilinux wrote:
Tue Jul 20, 2021 6:25 pm
OpenVPN AS version 2.8.7 is fair old at this point and has some known security issues that have been since resolved.

I would recommend upgrading to either version 2.8.8 or 2.9.2. Then see if you still experience problems with the web interface.
I have not gone through an upgrade with one of these before. Are they fairly seamless? Any issues with past configs being reset?
Each of the upgrades from 2.8.7 to 2.8.8 I have done has gone seamlessly.

OpenVPN AS makes a backup copy of each of the configuration files on each restart, including when an upgrade is performed.

You can find the configuration files in /usr/local/openvpn_as/etc/db

Backups can be found in sub-directories named with the date/time the backup was made. If you run into any problems, you can restore the configuration from these backups.
KVPN wrote:
Tue Jul 20, 2021 6:36 pm
chilinux wrote:
Tue Jul 20, 2021 6:25 pm
When a service shows in netstat as running on IP 0.0.0.0, then this indicates it is bound to all network interfaces. As such, that indicate it is on the server's local address.
I believe that's what I set originally, for it to listen on all interfaces. I'm not sure if this is useful, but I just checked the init.log and the Admin UI has some random IP address assigned to it. This is not even a subnet we use at any of our locations. I can putty into the access server just fine and access everything from CLI. I don't know how it got this IP address.
By default, the Admin UI web server is available through two different methods. The first is directly via port 943. The second is passed through the VPN service itself to the web server. This is performed through a Unix socket file. My guess is the random address you are seeing in the init.log may not be an IP, but rather is the socket identification number.
KVPN wrote:
Tue Jul 20, 2021 6:36 pm
chilinux wrote:
Tue Jul 20, 2021 6:25 pm
When you have problems access the web UI via port 443, can you also try accessing it via port 943 instead?

When the problem is occurring, are you running the OpenVPN client and is the client actively connected?
I can't use 443 or 943. I am not running the client myself, but I have about 7 employees that are working on it just fine. Seems to only be the Web UI that's acting up.
Do you have any other software/service running on the same server that modifies iptables or the system firewall?

The other possibility I can think of is the kernel might be performing an Out of Memory (OOM) kill against the web service while still leaving the VPN services running. But this should only occur if the system is extremely starved on available ram.

You may want to open a ticket with OpenVPN AS support so they can review the logs for you. There is only so much that can be accomplished through the forums.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Access Server Web UI randomly becomes unavailable

Post by openvpn_inc » Wed Jul 21, 2021 12:41 am

chilinux wrote:
Tue Jul 20, 2021 9:50 pm
KVPN wrote:
Tue Jul 20, 2021 6:36 pm
chilinux wrote:
Tue Jul 20, 2021 6:25 pm
When you have problems access the web UI via port 443, can you also try accessing it via port 943 instead?

When the problem is occurring, are you running the OpenVPN client and is the client actively connected?
I can't use 443 or 943. I am not running the client myself, but I have about 7 employees that are working on it just fine. Seems to only be the Web UI that's acting up.
Do you have any other software/service running on the same server that modifies iptables or the system firewall?

The other possibility I can think of is the kernel might be performing an Out of Memory (OOM) kill against the web service while still leaving the VPN services running. But this should only occur if the system is extremely starved on available ram.

You may want to open a ticket with OpenVPN AS support so they can review the logs for you. There is only so much that can be accomplished through the forums.
+1 to that. The Support team are a fine bunch, regardless what you may have heard! ;) The link is also down there in my signature.

I had a thought. The OP says s/he is not using the VPN. Perhaps the server is behind NAT, and KVPN is also behind the same NAT?

If so you need to go to the Access Server's internal IP address, the address which is receiving UDP 1194 and TCP 443 and 943 packets from outside. That would be the NAT address used by the router, not the external address OF the router.

Another "solution" to that problem is sometimes called "hairpin NAT", but it's ugly and I never recommend it.

Good luck, regards, rob0
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post Reply