Ubuntu Server 12.04 - webmin & OpenVPN have both stopped

amgmartin
OpenVpn Newbie
Posts: 5
Joined: Wed Apr 23, 2014 2:41 pm

Post by amgmartin » Wed Apr 23, 2014 2:46 pm

(I have also posted this to askubuntu.com but have not found the answer yet...)

I work for a small company that has an off-site Windows 2012 server which hosts two other virtual servers via VirtualBox; one of these is an Ubuntu 12.04 server which runs OpenVPN. The set-up was configured before I joined the company, and the previous tech guy has since left.

I got news this morning that users cannot connect to our VPN. I confirmed from my own PC that connection to the VPN was being refused (AUTH_FAILED - it is configured to authenticate against Active Directory on the Win2012 server and I triple-checked my credentials are correct).

I suspected the failure may have been due to the recent Heartbleed bug and that any updated OpenVPN clients might require the host be updated too, so I logged into the Ubuntu server and issued "sudo apt-get update" and "sudo apt-get upgrade" - OpenVPN was one of the packages to get updated.

I issued a "sudo reboot" on the Ubuntu server and tried to connect via OpenVPN again but it still fails (AUTH_FAILED).

I then suspected that because the server and clients had been updated that I might need to issue everyone new certificates (though I hope this won't be necessary!?), so I tried to administer OpenVPN users & certificates via Webmin... however, opening the Webmin web-interface also failed (connection timed out on "https :// (ubuntu-server-ip) :10000"). I have issued a "sudo service webmin restart" and it reports "Stopping Webmin server in /usr/share/webmin", "Starting Webmin server in /usr/share/webmin", "Pre-loaded WebminCore"; but further attempts to connect from the Win2012 host PC still time out (I have also temporarily disabled the firewall and tried different browsers, but the results are the same).

Both of these services were working fine when I last tried a few weeks ago, and no-one has made any manual changes to the server settings in the intervening time.

Any ideas what might have caused these issues, and what I can do to fix them?

Re: Ubuntu Server 12.04 - webmin & OpenVPN have both stopped

Post by amgmartin » Wed Apr 23, 2014 3:21 pm

> What version of OpenVPN are you using .. is it Access Server?

I'm not certain. Does this help? ...

Code:

$ openvpn --version
OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 13 2014

Post by amgmartin » Wed Apr 23, 2014 3:47 pm

Previously we set up new users and certificates via Webmin (possibly using a third party plugin - this was configured before I joined the company and there has been very little internal documentation). Currently, as well as users not being able to connect to OpenVPN, I cannot access Webmin.

I guess the sudden lack of connectivity to both services is linked?

I'd really appreciate some help in troubleshooting the cause of the problem, and possibly in repairing it.

> Also, you should consider upgrading to v233 since the Heartbleed exploit.

Yesterday I did issue a "sudo apt-get update" and "sudo apt-get upgrade"; one of the packages updated was openvpn. Evidently this is not sufficient to update to v233, can you please let me know what else I need to do to update the software? Thanks :)

Post by amgmartin » Thu Apr 24, 2014 8:59 am

Thanks for your help, I have followed your link and updated OpenVPN to v233...

Code:

$ openvpn --version
OpenVPN 2.3.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Apr 10 2014

... however clients still cannot connect. This is the log from OpenVPN GUI when I try to connect:

Code:

Thu Apr 24 09:34:16 2014 OpenVPN 2.3.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Apr  9 2014
Thu Apr 24 09:34:23 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Apr 24 09:34:23 2014 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443
Thu Apr 24 09:34:23 2014 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
Thu Apr 24 09:34:23 2014 TCPv4_CLIENT link local: [undef]
Thu Apr 24 09:34:23 2014 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
Thu Apr 24 09:34:23 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Apr 24 09:34:23 2014 VERIFY OK: depth=1, C=xx, ST=xxxxxx, L=xxxxxxxx, O=xxxxxxxxxx, emailAddress=xxxxxxxxxx
Thu Apr 24 09:34:23 2014 VERIFY OK: depth=0, C=xx, ST=xxxxxx, L=xxxxxxxx, O=xxxxxxxxxx, OU=xxxxxx, CN=xxx-vpn-server-key, emailAddress=xxxxxxxxxx
Thu Apr 24 09:34:27 2014 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Apr 24 09:34:27 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 24 09:34:27 2014 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Apr 24 09:34:27 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 24 09:34:27 2014 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Thu Apr 24 09:34:27 2014 [xxx-vpn-server-key] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:443
Thu Apr 24 09:34:29 2014 AUTH: Received control message: AUTH_FAILED
Thu Apr 24 09:34:29 2014 SIGUSR1[soft,auth-failure] received, process restarting

The error appears to be AUTH_FAILED. Our OpenVPN setup is configured to authenticate against Active Directory on the Windows 2012 server - this used to work fine until recently and no-one has manually changed any settings in the intervening time. I can still access other services which authenticate against my AD account (for example our FTP server); it is only OpenVPN which is reporting AUTH problems.

Any suggestions of what I can try to fix this and/or to investigate further?

> Sorry, we cannot help with third party software

I understand. If you could just help with getting OpenVPN working that'd be great. Thanks again for any assistance you can provide.

Post by amgmartin » Thu Apr 24, 2014 2:28 pm

Ah-ha! Solved it :) ... I eventually found the problem was the VirtualBox host-only network adapter on Windows 2012 had reverted to its default IP address (though I'm not sure why), so the Ubuntu guest which had a public IP on eth0 (bridged) and local IP on eth1 (host-only) could no longer communicate via eth1 and as such could accept connection requests via the public IP but could not make an LDAP binding via eth1 in order to authenticate users - hence the AUTH_FAILED messages. This is also why I could not access the Webmin interface from the host server.

Thank you for your help.
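
Added example, not part of the original thread: a small triage of the client log posted above, showing that AUTH_FAILED arriving after "Peer Connection Initiated" points at the server's credential backend rather than at certificates, and collecting the hardening warnings the same log contains. The function name, stage names and finding labels are made up for this sketch, the sample is shortened from the posted log, and a TCP-mode client is assumed.

```python
import re

# Constructed sample: lines shortened from the client log in the thread.
SAMPLE_LOG = """\
Thu Apr 24 09:34:23 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Apr 24 09:34:23 2014 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
Thu Apr 24 09:34:23 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Apr 24 09:34:23 2014 VERIFY OK: depth=0, C=xx, CN=xxx-vpn-server-key
Thu Apr 24 09:34:27 2014 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Thu Apr 24 09:34:27 2014 [xxx-vpn-server-key] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:443
Thu Apr 24 09:34:29 2014 AUTH: Received control message: AUTH_FAILED
"""

# Markers in the order a TCP-mode client session logs them (hypothetical stage names).
STAGES = [("tcp", "TCP connection established"), ("cert_verified", "VERIFY OK"),
          ("tls_up", "Peer Connection Initiated"), ("auth_failed", "AUTH_FAILED")]

DIAGNOSIS = {
    None: "no TCP connection: check routing, firewall and the remote address/port",
    "tcp": "TLS did not complete: check certificates, keys and tls-auth settings",
    "cert_verified": "certificate accepted but the handshake did not finish",
    "tls_up": "tunnel negotiated; no credential rejection in this log",
    "auth_failed": "TLS and certificates are fine; the server rejected the "
                   "username/password, so check its auth backend and whether "
                   "the server can still reach it",
}

def triage(log_text):
    """Return the last stage reached, a diagnosis and hardening findings."""
    stage = None
    for name, marker in STAGES:
        rejected = name == "cert_verified" and "VERIFY ERROR" in log_text
        if marker not in log_text or rejected:
            break  # stages are sequential: stop at the first one not reached
        stage = name
    findings = []
    if "No server certificate verification method" in log_text:
        findings.append("no-server-cert-check")  # client option: remote-cert-tls server
    if "may cache passwords in memory" in log_text:
        findings.append("password-cached")       # client option: auth-nocache
    rsa = re.search(r"(\d+) bit RSA", log_text)
    if rsa and int(rsa.group(1)) < 2048:
        findings.append("weak-rsa-" + rsa.group(1))
    return {"stage": stage, "diagnosis": DIAGNOSIS[stage], "findings": findings}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
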
