Client service won't restart; "failed to query password"

rewford
OpenVpn Newbie
Posts: 2
Joined: Sun Feb 13, 2022 12:36 pm

Post by rewford » Sun Feb 13, 2022 1:01 pm

Hello forum,

I have a RaspPi running OpenVPN client, connecting to another RaspPi running server. The client is in my house in Germany, the server is back in the US. I don't have easy access to the server.

Everything runs fine, and has been for over 1 year. I have the client service configured to run at system startup, using --askpass in the config file. That works correctly. I can start the client service with 'sudo systemctl start openvpn-client@client.service' and that works correctly. The problem is, if there is ever a network problem that causes the VPN connection to stop, it will NOT restart automatically. I have keep-alive and ping-restart set up.

The error when the client service is trying to restart is

Code:

Failed to query password: Time expired
ERROR: Failed retrieving username or password

If the client service has stopped, I can restart it manually, using the --ask-pass in the config file.

What am I doing wrong? Should the client service be able to restart just like it does at system startup or systemctl start?

I have provided a truncated log file that shows the error; I can post the entire 700 line log file, if it's needed.

thanks,
Rick

My info below.

Code:

openvpn --version
OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>

Code:

uname -a
Linux TannenPi 5.10.63-v7+ #1496 SMP Wed Dec 1 15:58:11 GMT 2021 armv7l GNU/Linux

Server

Server conf not available


Client

client
dev tun
proto udp
remote x.y.z.171 19840
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name xxxxx name
cipher AES-256-CBC
auth SHA256
auth-nocache
askpass /etc/openvpn/client/xxxx.pw
keepalive 10 120
verb 4
<ca>
-----BEGIN CERTIFICATE-----
-----END OpenVPN Static key V1-----
</tls-crypt>
auth-user-pass login.conf

Code:

Sun Feb 13 11:02:11 2022 us=840123 /sbin/ip link set dev tun0 up mtu 1500
Sun Feb 13 11:02:11 2022 us=852744 /sbin/ip addr add dev tun0 10.8.0.3/24 broadcast 10.8.0.255
Sun Feb 13 11:02:11 2022 us=865048 /sbin/ip route add x.y.z.171/32 via 192.168.1.1
Sun Feb 13 11:02:11 2022 us=876625 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Sun Feb 13 11:02:11 2022 us=887588 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Sun Feb 13 11:02:11 2022 us=898619 Initialization Sequence Completed
Sun Feb 13 11:41:31 2022 us=433641 Recursive routing detected, drop tun packet to [AF_INET]x.y.z.171:19840
Sun Feb 13 11:41:46 2022 us=879904 Recursive routing detected, drop tun packet to [AF_INET]x.y.z.171:19840
Sun Feb 13 11:42:01 2022 us=165009 Recursive routing detected, drop tun packet to [AF_INET]x.y.z.171:19840
Sun Feb 13 11:42:16 2022 us=525133 Recursive routing detected, drop tun packet to [AF_INET]x.y.z.171:19840
Sun Feb 13 11:42:31 2022 us=776100 Recursive routing detected, drop tun packet to [AF_INET]x.y.z.171:19840
Sun Feb 13 11:42:46 2022 us=918005 Recursive routing detected, drop tun packet to [AF_INET]x.y.z.171:19840
Sun Feb 13 11:43:02 2022 us=141964 Recursive routing detected, drop tun packet to [AF_INET]x.y.z.171:19840
Sun Feb 13 11:43:17 2022 us=533874 [xxxxx] Inactivity timeout (--ping-restart), restarting
Sun Feb 13 11:43:17 2022 us=535044 TCP/UDP: Closing socket
Sun Feb 13 11:43:17 2022 us=535347 /sbin/ip route del x.y.z.171/32
RTNETLINK answers: No such process
Sun Feb 13 11:43:17 2022 us=545899 ERROR: Linux route delete command failed: external program exited with error status: 2
Sun Feb 13 11:43:17 2022 us=546125 /sbin/ip route del 0.0.0.0/1
Sun Feb 13 11:43:17 2022 us=556368 /sbin/ip route del 128.0.0.0/1
Sun Feb 13 11:43:17 2022 us=566628 Closing TUN/TAP interface
Sun Feb 13 11:43:17 2022 us=566901 /sbin/ip addr del dev tun0 10.8.0.3/24
Sun Feb 13 11:43:17 2022 us=700295 SIGUSR1[soft,ping-restart] received, process restarting
Sun Feb 13 11:43:17 2022 us=700468 Restart pause, 5 second(s)
Failed to query password: Timer expired
Sun Feb 13 11:44:52 2022 us=841485 ERROR: Failed retrieving username or password
Sun Feb 13 11:44:52 2022 us=841721 Exiting due to fatal error

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client service won't restart; "failed to query password"

Post by TinCanTech » Sun Feb 13, 2022 1:55 pm

See --auth-nocache in the manual.

rewford
OpenVpn Newbie
Posts: 2
Joined: Sun Feb 13, 2022 12:36 pm

Re: Client service won't restart; "failed to query password"

Post by rewford » Sun Feb 13, 2022 3:21 pm

TinCanTech wrote:
Sun Feb 13, 2022 1:55 pm
See --auth-nocache in the manual.

I believe that has solved the problem! Thank you, very much. I read about auth-nocache, but didn't put the two together. I assumed it could re-read the creds from the askpass file just like at the beginning, but, as I understand it better, it looks like it reads the p/w file at startup before it becomes a daemon.

Initial testing shows it works.

Thank you.

zwippet
OpenVpn Newbie
Posts: 2
Joined: Mon May 22, 2023 7:39 am

Re: Client service won't restart; "failed to query password"

Post by zwippet » Mon May 22, 2023 7:42 am

rewford wrote:
Sun Feb 13, 2022 3:21 pm
TinCanTech wrote:
Sun Feb 13, 2022 1:55 pm
See --auth-nocache in the manual.

I believe that has solved the problem! Thank you, very much. I read about auth-nocache, but didn't put the two together. I assumed it could re-read the creds from the askpass file just like at the beginning, but, as I understand it better, it looks like it reads the p/w file at startup before it becomes a daemon.

Initial testing shows it works.

Thank you.

So what is the solution? Maybe my knowledge is not so good and I don't understand what the manual says. I have a text file with a password and start the VPN in a shell in the background. But after a while it disconnects with

Code:

2023-05-21 12:31:34 SIGUSR1[soft,ping-restart] received, process restarting
2023-05-21 12:31:34 Restart pause, 5 second(s)
Failed to query password: Timer expired
2023-05-21 12:33:09 ERROR: Failed retrieving username or password
2023-05-21 12:33:09 Exiting due to fatal error
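
Added example (not part of any post in this thread, and not OpenVPN project code): the resolution above points at `auth-nocache` combined with `askpass`. Per the manual, `auth-nocache` makes OpenVPN forget the password after use, so a soft restart has to ask for it again and an unattended service has nobody to answer. The sketch below checks a client config for that combination and picks the matching failure out of a log. The function names are hypothetical and the sample config and log are constructed from the excerpts posted here.

```python
import re

# Constructed samples, cut down from the config and log excerpts posted in this thread.
SAMPLE_CONFIG = """\
auth-nocache
askpass /etc/openvpn/client/xxxx.pw
<ca>
-----BEGIN CERTIFICATE-----
</ca>
"""
SAMPLE_LOG = """\
2023-05-21 12:31:34 SIGUSR1[soft,ping-restart] received, process restarting
Failed to query password: Timer expired
2023-05-21 12:33:09 ERROR: Failed retrieving username or password
"""

def parse_directives(text):
    """Map directive -> list of argument lists; skips comments and inline <tag> blocks."""
    found, inline = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if inline:                      # inside <ca>...</ca> etc.: key material, not options
            inline = None if line == f"</{inline}>" else inline
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            inline = tag.group(1)
        elif line and line[0] not in "#;":
            name, *args = line.split()
            found.setdefault(name.lstrip("-"), []).append(args)
    return found

def askpass_lost_on_restart(text):
    """True when auth-nocache and askpass appear together (the combination in this thread)."""
    d = parse_directives(text)
    return "auth-nocache" in d and "askpass" in d

def failed_restarts(log):
    """Restart reason for every soft restart that ended in a failed password query."""
    hits, reason = [], None
    for line in log.splitlines():
        m = re.search(r"SIGUSR1\[soft,([\w-]+)\] received, process restarting", line)
        if m:
            reason = m.group(1)
        elif "Initialization Sequence Completed" in line:
            reason = None               # the restart succeeded
        elif reason and "Failed to query password" in line:
            hits.append(reason)
            reason = None
    return hits
```

Dropping `auth-nocache` lets the restart succeed because the password stays cached in the process's memory, so the askpass file and the host itself carry the protection: keep the file readable by root only.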
