[Solved] Restarted OpenVPN and now no clients can be found

ghostcorps
OpenVpn Newbie
Posts: 10
Joined: Wed May 25, 2011 12:59 am

Post by ghostcorps » Tue Jul 26, 2011 3:51 am

Hi Guys

I was trying to add a new client to the VPN but after I restarted the OpenVPN server, neither the new nor the previous clients are connecting.

I have cleaned the PIDs but to no effect.

Even though I am using FreeBSD, I am still quite new to networking etc. I think I broke my hosts file while trying to make it look clean and pretty. What do you think?


Here are the configs for the three machines. Pls note the webserver and database are jailed servers.

OpenVPN Server

/etc/hosts

::1                         localhost
127.0.0.1                 localhost
203.x.x.212              host host.isp.com
203.x.x.213              webserver mydomain.com
203.x.x.214              database
192.168.254.1           host
192.168.254.2           webserver
192.168.254.7           database

#/usr/local/etc/openvpn/server.conf

local 203.x.x.212
port 3000
dev tap
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh1024.pem
server 192.168.254.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /usr/local/etc/openvpn/ccd
route 192.168.254.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
max-clients 10
user root
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

#/usr/local/etc/openvpn/ipp.txt

webserver,192.168.254.2
database,192.168.254.7

#/usr/local/etc/openvpn/ccd/webserver

ifconfig-push 192.168.254.2

#/usr/local/etc/openvpn/ccd/database

ifconfig-push 192.168.254.7

#/etc/rc.conf

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
openvpn_if="tap"
# Jail Settings
jail_webserver_ip_multi0="tap0|192.168.254.2 mtu 1500 netmask 255.255.255.255"
jail_database_ip_multi0="tap0|192.168.254.7 mtu 1500 netmask 255.255.255.255"

Database

#/etc/hosts

::1                   localhost
127.0.0.1                   localhost
203.x.x.212                host host.isp.com
203.x.x.213                webserver mydomain.com
203.x.x.214                database

#/usr/local/etc/openvpn/client.conf

client
dev tap
proto udp
remote 203.x.x.212 2501
resolv-retry infinite
nobind
persist-key
persist-tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/database.crt
key /usr/local/etc/openvpn/keys/database.key
ns-cert-type server
comp-lzo
verb 3
mute 20
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log

#/etc/rc.conf

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/client.conf"
openvpn_if="tap"

Restart log

#/var/log/openvpn.log

3:32:00 2011 SIGUSR1[soft,tls-error] received, process restarting
3:32:00 2011 Restart pause, 2 second(s)
3:32:02 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
3:32:02 2011 Re-using SSL/TLS context
3:32:02 2011 LZO compression initialized
3:32:02 2011 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
3:32:02 2011 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
3:32:02 2011 Local Options hash (VER=V4): 'd79ca330'
3:32:02 2011 Expected Remote Options hash (VER=V4): 'f7df56b8'
3:32:02 2011 Socket Buffers: R=[42080->65536] S=[9216->65536]
3:32:02 2011 UDPv4 link local: [undef]
3:32:02 2011 UDPv4 link remote: 203.x.x.212:2501


Webserver

#/etc/hosts

::1                   localhost
127.0.0.1                   localhost
203.x.x.212                host host.isp.com
203.x.x.213                webserver mydomain.com
203.x.x.214                database

#/usr/local/etc/openvpn/client.conf

client
dev tap
proto udp
remote 203.x.x.212 3000
resolv-retry infinite
nobind
persist-key
persist-tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/webserver.crt
key /usr/local/etc/openvpn/keys/webserver.key
ns-cert-type server
comp-lzo
verb 3
mute 20
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log

#/etc/rc.conf

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/client.conf"
openvpn_if="tap"

Restart log

#/var/log/openvpn.log

Tue Jul 26 13:34:55 2011 SIGUSR1[soft,tls-error] received, process restarting
Tue Jul 26 13:34:55 2011 Restart pause, 2 second(s)
Tue Jul 26 13:34:57 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or
Tue Jul 26 13:34:57 2011 Re-using SSL/TLS context
Tue Jul 26 13:34:57 2011 LZO compression initialized
Tue Jul 26 13:34:57 2011 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jul 26 13:34:57 2011 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jul 26 13:34:57 2011 Local Options hash (VER=V4): 'd79ca330'
Tue Jul 26 13:34:57 2011 Expected Remote Options hash (VER=V4): 'f7df56b8'
Tue Jul 26 13:34:57 2011 Socket Buffers: R=[42080->65536] S=[9216->65536]
Tue Jul 26 13:34:57 2011 UDPv4 link local: [undef]
Tue Jul 26 13:34:57 2011 UDPv4 link remote: 203.x.x.212:3000
Last edited by ghostcorps on Tue Jul 26, 2011 12:58 pm, edited 1 time in total.
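
An added example, not part of the original post: the server.conf above sets `port 3000`, while the database client's `remote` line names port 2501 and the webserver client's names 3000. The script compares a client config's port and protocol with the server's; the sample files are short excerpts constructed from the posted configs, and `conf_value`, `remote_port` and `check_pair` are names made up for this example.

```shell
#!/bin/sh
# Added example: compare an OpenVPN client config with the server config.
# Reads only `port`, `proto` and `remote`; 1194 and udp are OpenVPN's
# defaults when a directive is absent. All function names are made up here.

# conf_value FILE DIRECTIVE DEFAULT: first argument of DIRECTIVE, else DEFAULT
conf_value() {
    awk -v d="$2" -v def="$3" '
        { sub(/[#;].*/, "") }                       # strip comments
        $1 == d && NF >= 2 && !found { v = $2; found = 1 }
        END { print (found ? v : def) }' "$1"
}

# remote_port FILE: port on the first `remote host port` line, empty if none
remote_port() {
    awk '
        { sub(/[#;].*/, "") }
        $1 == "remote" && !found { if (NF >= 3) v = $3; found = 1 }
        END { print v }' "$1"
}

# check_pair SERVER_CONF CLIENT_CONF: print each mismatch, return their count
check_pair() {
    srv=$1; cli=$2; bad=0
    sport=$(conf_value "$srv" port 1194)
    cport=$(remote_port "$cli")
    [ -n "$cport" ] || cport=$(conf_value "$cli" port 1194)
    if [ "$sport" != "$cport" ]; then
        echo "$cli: remote port $cport, server listens on $sport"
        bad=$((bad + 1))
    fi
    # tcp-server / tcp-client are the two ends of the same transport
    sproto=$(conf_value "$srv" proto udp); sproto=${sproto%-server}
    cproto=$(conf_value "$cli" proto udp); cproto=${cproto%-client}
    if [ "$sproto" != "$cproto" ]; then
        echo "$cli: proto $cproto, server uses $sproto"
        bad=$((bad + 1))
    fi
    return "$bad"
}

# Constructed sample input: excerpts of the configs posted above.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'local 203.x.x.212\nport 3000\ndev tap\n' > "$tmp/server.conf"
printf 'client\nproto udp\nremote 203.x.x.212 2501\n' > "$tmp/database.conf"
printf 'client\nproto udp\nremote 203.x.x.212 3000\n' > "$tmp/webserver.conf"
for c in database webserver; do
    check_pair "$tmp/server.conf" "$tmp/$c.conf" || true
done
```
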

ghostcorps
OpenVpn Newbie
Posts: 10
Joined: Wed May 25, 2011 12:59 am

Re: Restarted OpenVPN and now no clients can be found

Post by ghostcorps » Tue Jul 26, 2011 5:10 am

Never mind. I fixed it... somehow lol

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Restarted OpenVPN and now no clients can be found

Post by Mimiko » Tue Jul 26, 2011 7:16 am

Write how you did it please.

ghostcorps
OpenVpn Newbie
Posts: 10
Joined: Wed May 25, 2011 12:59 am

Re: Restarted OpenVPN and now no clients can be found

Post by ghostcorps » Tue Jul 26, 2011 12:50 pm

Unfortunately it was some kind of false positive.

I changed the hosts file on the jailed servers so that both looked as below, then restarted all instances:

#/etc/hosts

::1                             localhost
127.0.0.1                     localhost
203.x.x.212                  host.isp.com host
203.x.x.213                  mydomain.com webserver
203.x.x.214                  database

That seemed to work but OpenVPN crashed later on, and now OpenVPN on the jailed servers won't start.

Here are the logs of the failed startup:

#/var/log/openvpn.log

Tue Jul 26 11:44:40 2011 OpenVPN 2.1.1 amd64-portbld-freebsd8.1 [SSL] [LZO2] built on May 31 2011
Tue Jul 26 11:44:40 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Jul 26 11:44:40 2011 LZO compression initialized
Tue Jul 26 11:44:40 2011 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jul 26 11:44:40 2011 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jul 26 11:44:40 2011 Local Options hash (VER=V4): 'd79ca330'
Tue Jul 26 11:44:40 2011 Expected Remote Options hash (VER=V4): 'f7df56b8'
Tue Jul 26 11:44:40 2011 Socket Buffers: R=[42080->65536] S=[9216->65536]
Tue Jul 26 11:44:40 2011 UDPv4 link local: [undef]
Tue Jul 26 11:44:40 2011 UDPv4 link remote: 203.x.x.212:3000
Tue Jul 26 11:44:40 2011 TLS: Initial packet from 203.x.x.212:3000, sid=fb6722ef d7fb7682
Tue Jul 26 11:44:40 2011 VERIFY OK: depth=1, /C=AU/ST=CA/L=Melbourne/O=none/CN=vpnserver/name=host/emailAddress=mail@mail.com
Tue Jul 26 11:44:40 2011 VERIFY OK: nsCertType=SERVER
Tue Jul 26 11:44:40 2011 VERIFY OK: depth=0, /C=AU/ST=CA/L=Melbourne/O=none/CN=host.isp.com/name=host/emailAddress=mail@mail.com
Tue Jul 26 11:44:40 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jul 26 11:44:40 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 26 11:44:40 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jul 26 11:44:40 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 26 11:44:40 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Jul 26 11:44:40 2011 [host.isp.com] Peer Connection Initiated with 174.137.139.212:2501
Tue Jul 26 11:44:42 2011 SENT CONTROL [host.isp.com]: 'PUSH_REQUEST' (status=1)
Tue Jul 26 11:44:42 2011 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.254.1,ping 10,ping-restart 120,ifconfig 192.168.254.2 255.255.255.0'
Tue Jul 26 11:44:42 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jul 26 11:44:42 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jul 26 11:44:42 2011 OPTIONS IMPORT: route-related options modified
openvpn: writing to routing socket: No such process
Tue Jul 26 11:44:42 2011 Cannot allocate TUN/TAP dev dynamically
Tue Jul 26 11:44:42 2011 Exiting

I am still looking into it.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Restarted OpenVPN and now no clients can be found

Post by Mimiko » Tue Jul 26, 2011 1:09 pm

I'm not good at Linux. But.
Using ipp.txt for defining IPs for clients is not good. ipp.txt is just a snapshot made by OpenVPN and it may be overwritten by OpenVPN at any time.
You have done well changing hosts on the server, because defining names for clients who get a dynamic IP is not good. Maybe files in ccd do give a static IP to clients; I cannot say this definitely.

As for the log, the last log you gave is from some client. Did you check if the tap device exists in the system?

ghostcorps
OpenVpn Newbie
Posts: 10
Joined: Wed May 25, 2011 12:59 am

Re: Restarted OpenVPN and now no clients can be found

Post by ghostcorps » Tue Jul 26, 2011 2:21 pm

Thanks, I have restarted the server and it is working again.

I am sorry I couldn't provide any better info on the error, except to say that it looks like prior to rebooting the Openvpn clients had started but were not showing in top (the list of processes). Even so, I could not contact them by the vpn ip and ifconfig was not showing an ip on tap0.

After rebooting they are showing an ip and connecting correctly.

I prefer to not reboot a production server, but it works for more issues lol


Thanks again for your time. I'll be back if I find any new info, or if it drops out again lol

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Restarted OpenVPN and now no clients can be found

Post by Mimiko » Tue Jul 26, 2011 2:33 pm

I prefer to not reboot a production server, but it works for more issues lol
I thought that this is only for Windows systems, where 85% of problems resolve after a reboot. But in Linux it is so too. (

ghostcorps
OpenVpn Newbie
Posts: 10
Joined: Wed May 25, 2011 12:59 am

Re: Restarted OpenVPN and now no clients can be found

Post by ghostcorps » Wed Jul 27, 2011 3:05 am

Mimiko wrote:
I prefer to not reboot a production server, but it works for more issues lol
I thought that this is only for Windows systems, where 85% of problems resolve after a reboot. But in Linux it is so too. (

lol! Yes, even in Unix and Unix-like systems a reboot can fix many issues. For example: when some services crash they leave PID (Process Identification Number) files behind which can block the services from restarting. Think of it like a process leaving tasks behind in the task manager. Normally these PIDs can be deleted and the process restarted, but sometimes it isn't possible to figure out every process involved (AFAIK), only a reboot can ensure you killed them all off.

Of course sometimes, this has the opposite effect where a change to a shared configuration file causes a program to crash, but on reboot it is loaded into other important services which can cause the whole system to fail!
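
The leftover PID file situation described in the post above, as an added example that is not part of the original thread: a check that tells a stale PID file from one whose process is still running, or whose PID now belongs to another program. `pidfile_state` is a name made up for this example, and the PID file path is whatever the service in question writes.

```shell
#!/bin/sh
# Added example: classify a service PID file before deleting it by hand.
# pidfile_state is a name made up here; run it as root, as rc scripts are,
# because `kill -0` on another user's process fails with a permission error.

# pidfile_state FILE [COMMAND]
#   missing  no PID file            invalid  content is not a usable PID
#   stale    no process has the PID (safe to remove the file)
#   reused   PID belongs to a different command than COMMAND
#   live     process exists (and matches COMMAND when one was given)
pidfile_state() {
    file=$1; want=${2:-}
    [ -f "$file" ] || { echo missing; return 0; }
    pid=$(tr -d '[:space:]' < "$file")
    case "$pid" in
        ''|0|*[!0-9]*) echo invalid; return 0 ;;
    esac
    # Signal 0 delivers nothing; it only tests that the PID exists.
    if ! kill -0 "$pid" 2>/dev/null; then
        echo stale; return 0
    fi
    if [ -n "$want" ]; then
        # The kernel recycles PIDs, so confirm the command name as well.
        comm=$(ps -p "$pid" -o comm= 2>/dev/null || true)
        comm=${comm##*/}
        if [ -n "$comm" ] && [ "$comm" != "$want" ]; then
            echo reused; return 0
        fi
    fi
    echo live
}

# Constructed demonstration: a PID file holding this shell's own PID.
demo=$(mktemp)
echo "$$" > "$demo"
echo "own shell: $(pidfile_state "$demo")"
echo "as openvpn: $(pidfile_state "$demo" openvpn)"
rm -f "$demo"
```
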
