[Solved] Client dont want to connect: Linux ip addr add failed

Kammermark
OpenVpn Newbie
Posts: 3
Joined: Sat Nov 18, 2017 9:22 am

Post by Kammermark » Sat Nov 18, 2017 10:16 am

Hello,

I am migrating my 30 clients from one VPN to a new one. Old VPN server runs with version 2.3.4 on a raspberry 3, new server runs with version 2.4.0 on a vServer with debian. Some of the clients do not want to connect with the new server. I get an error I do not understand.

SERVER

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.9.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key
tls-auth tls-auth.key 0
dh dh.pem
auth SHA256
cipher AES-128-CBC
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
status openvpn.log
verb 4
management 127.0.0.1 5555
client-config-dir ccd
client-to-client
log-append /var/log/openvpn.log


CLIENT

client
proto udp
remote xx.xx.xx.xx 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-128-CBC
tls-client
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
verb 5
<ca>
blablabla
</ca>
<cert>
blablabla
</cert>
<key>
blablabla
</key>
key-direction 1
<tls-auth>
blablabla
</tls-auth>


The log from server is:

Sat Nov 18 10:46:45 2017 us=395857 xx.xx.xx.xx:15902 VERIFY OK: depth=1, CN=ChangeMe
Sat Nov 18 10:46:45 2017 us=396132 xx.xx.xx.xx:15902 VERIFY OK: depth=0, CN=myclient
Sat Nov 18 10:46:45 2017 us=459968 xx.xx.xx.xx:15902 peer info: IV_VER=2.4.0
Sat Nov 18 10:46:45 2017 us=460051 xx.xx.xx.xx:15902 peer info: IV_PLAT=linux
Sat Nov 18 10:46:45 2017 us=460069 xx.xx.xx.xx:15902 peer info: IV_PROTO=2
Sat Nov 18 10:46:45 2017 us=460080 xx.xx.xx.xx:15902 peer info: IV_NCP=2
Sat Nov 18 10:46:45 2017 us=460091 xx.xx.xx.xx:15902 peer info: IV_LZ4=1
Sat Nov 18 10:46:45 2017 us=460101 xx.xx.xx.xx:15902 peer info: IV_LZ4v2=1
Sat Nov 18 10:46:45 2017 us=460121 xx.xx.xx.xx:15902 peer info: IV_LZO=1
Sat Nov 18 10:46:45 2017 us=460145 xx.xx.xx.xx:15902 peer info: IV_COMP_STUB=1
Sat Nov 18 10:46:45 2017 us=460165 xx.xx.xx.xx:15902 peer info: IV_COMP_STUBv2=1
Sat Nov 18 10:46:45 2017 us=460176 xx.xx.xx.xx:15902 peer info: IV_TCPNL=1
Sat Nov 18 10:46:45 2017 us=496957 xx.xx.xx.xx:15902 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES128-GCM-SHA256, 3072 bit RSA
Sat Nov 18 10:46:45 2017 us=497060 xx.xx.xx.xx:15902 [myclient] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:15902
Sat Nov 18 10:46:45 2017 us=497344 myclient/xx.xx.xx.xx:15902 OPTIONS IMPORT: reading client specific options from: ccd/myclient
Sat Nov 18 10:46:45 2017 us=500596 myclient/xx.xx.xx.xx:15902 MULTI: Learn: 10.9.2.64 -> myclient/xx.xx.xx.xx:15902
Sat Nov 18 10:46:45 2017 us=500625 myclient/xx.xx.xx.xx:15902 MULTI: primary virtual IP for myclient/xx.xx.xx.xx:15902: 10.9.2.64
Sat Nov 18 10:46:46 2017 us=773966 myclient/xx.xx.xx.xx:15902 PUSH: Received control message: 'PUSH_REQUEST'
Sat Nov 18 10:46:46 2017 us=774086 myclient/xx.xx.xx.xx:15902 SENT CONTROL [myclient]: 'PUSH_REPLY,route-gateway 10.9.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.9.2.64 10.9.2.65,peer-id 11,cipher AES-256-GCM' (status=1)
Sat Nov 18 10:46:46 2017 us=774126 myclient/xx.xx.xx.xx:15902 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
Sat Nov 18 10:46:46 2017 us=774240 myclient/xx.xx.xx.xx:15902 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Nov 18 10:46:46 2017 us=774260 myclient/xx.xx.xx.xx:15902 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

The log from client is:

Nov 18 09:46:43 myclient-ogn ovpn-myclient[2251]: OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Nov 18 09:46:43 myclient-ogn ovpn-myclient[2251]: library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Nov 18 09:46:43 myclient-ogn ovpn-myclient[2252]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Nov 18 09:46:43 myclient-ogn ovpn-myclient[2252]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Nov 18 09:46:43 myclient-ogn ovpn-myclient[2252]: Control Channel MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Nov 18 09:46:43 myclient-ogn ovpn-myclient[2252]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Nov 18 09:46:43 myclient-ogn ovpn-myclient[2252]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Nov 18 09:46:43 myclient-ogn ovpn-myclient[2252]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Nov 18 09:46:43 myclient-ogn ovpn-myclient[2252]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Nov 18 09:46:43 myclient-ogn ovpn-myclient[2252]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Nov 18 09:46:43 myclient-ogn ovpn-myclient[2252]: UDP link local: (not bound)
Nov 18 09:46:43 myclient-ogn ovpn-myclient[2252]: UDP link remote: [AF_INET]xx.xx.xx.xx:1194
Nov 18 09:46:43 myclient-ogn ovpn-myclient[2252]: TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=d20b82ee ea6395d8
Nov 18 09:46:43 myclient-ogn ovpn-myclient[2252]: VERIFY OK: depth=1, CN=ChangeMe
Nov 18 09:46:44 myclient-ogn ovpn-myclient[2252]: Validating certificate key usage
Nov 18 09:46:44 myclient-ogn ovpn-myclient[2252]: ++ Certificate has key usage  00a0, expects 00a0
Nov 18 09:46:44 myclient-ogn ovpn-myclient[2252]: VERIFY KU OK
Nov 18 09:46:44 myclient-ogn ovpn-myclient[2252]: Validating certificate extended key usage
Nov 18 09:46:44 myclient-ogn ovpn-myclient[2252]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Nov 18 09:46:44 myclient-ogn ovpn-myclient[2252]: VERIFY EKU OK
Nov 18 09:46:44 myclient-ogn ovpn-myclient[2252]: VERIFY OK: depth=0, CN=server
Nov 18 09:46:45 myclient-ogn ovpn-myclient[2252]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES128-GCM-SHA256, 3072 bit RSA
Nov 18 09:46:45 myclient-ogn ovpn-myclient[2252]: [server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.9.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.9.2.64 10.9.2.65,peer-id 11,cipher AES-256-GCM'
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: OPTIONS IMPORT: timers and/or timeouts modified
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: OPTIONS IMPORT: route-related options modified
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: OPTIONS IMPORT: peer-id set
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: OPTIONS IMPORT: adjusting link_mtu to 1624
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: OPTIONS IMPORT: data channel crypto options modified
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: TUN/TAP device tun1 opened
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: TUN/TAP TX queue length set to 100
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: /sbin/ip link set dev tun1 up mtu 1500
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: /sbin/ip addr add dev tun1 10.9.2.64/-1 broadcast 255.255.255.254
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: Linux ip addr add failed: external program exited with error status: 1
Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: Exiting due to fatal error
Nov 18 09:46:46 myclient-ogn systemd[1]: openvpn@myclient.service: Main process exited, code=exited, status=1/FAILURE
Nov 18 09:46:46 myclient-ogn systemd[1]: openvpn@myclient.service: Unit entered failed state.
Nov 18 09:46:46 myclient-ogn systemd[1]: openvpn@myclient.service: Failed with result 'exit-code'

The ccd file for the client contains:

ifconfig-push 10.9.2.64 10.9.2.65

I do not understand where the "-1" in the client log comes from (10.9.2.64/-1).

Nov 18 09:46:46 myclient-ogn ovpn-myclient[2252]: /sbin/ip addr add dev tun1 10.9.2.64/-1 broadcast 255.255.255.254

For me this seems to be wrong, but I did not find any information on how to solve this. Does anyone have an idea?

Best regards
Konstantin

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client dont want to connect: Linux ip addr add failed

Post by TinCanTech » Sat Nov 18, 2017 12:38 pm

Kammermark wrote:
Sat Nov 18, 2017 10:16 am
The ccd file for the client contains:

ifconfig-push 10.9.2.64 10.9.2.65

Invalid net30 pair ..

See the table here:
https://openvpn.net/index.php/open-sour ... tml#policy

Kammermark
OpenVpn Newbie
Posts: 3
Joined: Sat Nov 18, 2017 9:22 am

Re: Client dont want to connect: Linux ip addr add failed

Post by Kammermark » Sat Nov 18, 2017 1:00 pm

Hello TinCanTech,

thanks for the fast answer. I forgot to say that all clients are Raspberry Pis. As far as I understand, the /30 is only important for Windows clients. Anyway, I changed the IP to a valid /30 pair (145,146), and the error is still the same...

Best regards
Konstantin

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client dont want to connect: Linux ip addr add failed

Post by TinCanTech » Sat Nov 18, 2017 1:25 pm

Kammermark wrote:
Sat Nov 18, 2017 1:00 pm
I changed the ip to a valid /30 pair (145,146), and the error is still the same..

You are not using net30

Kammermark wrote:
Sat Nov 18, 2017 10:16 am
SERVER

topology subnet
server 10.9.0.0 255.255.0.0

See --topology in The Manual v24x

Kammermark
OpenVpn Newbie
Posts: 3
Joined: Sat Nov 18, 2017 9:22 am

Re: Client dont want to connect: Linux ip addr add failed

Post by Kammermark » Mon Nov 20, 2017 7:46 am

Hello TinCanTech,

thank you, now I understand. With topology "subnet" the ccd file is different. It is now "ifconfig-push 10.9.2.64 255.255.0.0", and this works.

Best regards
Konstantin
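
Added example (not part of the thread and not OpenVPN's own code): a small Python check for ccd `ifconfig-push` lines against the server's `topology`, which also reproduces the `10.9.2.64/-1 broadcast 255.255.255.254` arguments from the client log by reading the pushed `10.9.2.65` as a netmask. The function names are hypothetical, mapping a non-contiguous mask to -1 is an assumption about the client that matches the log, and the net30 rule follows the [1,2] [5,6] [9,10] ... pair table in the linked HOWTO.

```python
import ipaddress

def prefix_len(mask: str) -> int:
    """Prefix length of a dotted netmask, or -1 if the value is not a
    contiguous mask (assumed to be what the client printed as '/-1')."""
    inv = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    if inv & (inv + 1):          # a valid inverted mask is 2**k - 1
        return -1
    return 32 - inv.bit_length()

def ip_addr_args(local: str, second: str) -> str:
    """Address/broadcast a topology-subnet client derives when it reads
    the second ifconfig argument as a netmask."""
    l = int(ipaddress.IPv4Address(local))
    m = int(ipaddress.IPv4Address(second))
    bcast = ipaddress.IPv4Address(l | (~m & 0xFFFFFFFF))
    return f"{local}/{prefix_len(second)} broadcast {bcast}"

def check_ccd(topology: str, net: str, mask: str, line: str) -> list:
    """Return the problems found in one ccd 'ifconfig-push' line."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        return ["not an ifconfig-push line"]
    local, second = parts[1], parts[2]
    problems = []
    if ipaddress.IPv4Address(local) not in ipaddress.IPv4Network(f"{net}/{mask}"):
        problems.append(f"{local} is outside {net} {mask}")
    if topology == "subnet":
        # topology subnet: second argument must be a netmask
        if prefix_len(second) < 0:
            problems.append(f"{second} is not a netmask")
    elif topology == "net30":
        # net30: client/server endpoints must be a [4n+1, 4n+2] pair
        l, r = (int(ipaddress.IPv4Address(a)) for a in (local, second))
        if l % 4 != 1 or r != l + 1:
            problems.append(f"{local} {second} is not a /30 endpoint pair")
    return problems

if __name__ == "__main__":
    # Values from the thread: the server block and the three ccd lines tried.
    for ccd in ("ifconfig-push 10.9.2.64 10.9.2.65",
                "ifconfig-push 10.9.2.145 10.9.2.146",
                "ifconfig-push 10.9.2.64 255.255.0.0"):
        result = check_ccd("subnet", "10.9.0.0", "255.255.0.0", ccd)
        print(ccd, "->", result or "ok")
    print(ip_addr_args("10.9.2.64", "10.9.2.65"))
```

Run against every file in the `ccd` directory before switching clients to a server that sets `topology subnet`, so leftover net30-style pairs are caught before a client exits with the fatal `ip addr add` error.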
