    OpenVPN not connecting anymore

    • jpcyrenneITX

      Good day,

      I have a production AWS Netgate firewall (2.1.5-RELEASE (amd64)) I use to connect different Linux machines (CentOS 6).  I know it's an old version, but there's practically always something connected and I can't afford to break it.

      I noticed that if I upgrade OpenVPN on my servers (CentOS 6) they stop working.  I need to stay at version 2.4.3 or I start getting errors.  For this I have a workaround to get me to our slow season and update everything.

      Q1: when I upgrade the Netgate AWS instance, will I have to generate new keys to work with updated openvpn clients?

      My real issue is with new instances I launch in AWS.  I have an AMI (worked well up to now, for sure a month or two ago) and when I launch openvpn it doesn't work.

      /var/log/messages:
      Jul  8 22:01:51 comix openvpn[4718]: OpenVPN 2.4.3 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul  6 2017
      Jul  8 22:01:51 comix openvpn[4718]: library versions: OpenSSL 1.0.1k-fips 8 Jan 2015, LZO 2.08
      Jul  8 22:01:51 comix openvpn[4719]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
      Jul  8 22:01:51 comix openvpn[4719]: TCP/UDP: Preserving recently used remote address: [AF_INET]107.21.225.83:1195
      Jul  8 22:01:51 comix openvpn[4719]: UDP link local (bound): [AF_INET][undef]:0
      Jul  8 22:01:51 comix openvpn[4719]: UDP link remote: [AF_INET]107.21.225.83:1195
      Jul  8 22:01:52 comix openvpn[4719]: [Netgate VPN Server] Peer Connection Initiated with [AF_INET]107.21.225.83:1195
      Jul  8 22:01:53 comix openvpn[4719]: TUN/TAP device tun0 opened
      Jul  8 22:01:53 comix openvpn[4719]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
      Jul  8 22:01:53 comix openvpn[4719]: /sbin/ip link set dev tun0 up mtu 1500
      Jul  8 22:01:53 comix openvpn[4719]: /sbin/ip addr add dev tun0 10.150.201.105/-1 broadcast 255.255.255.255
      Jul  8 22:01:53 comix openvpn[4719]: Linux ip addr add failed: external program exited with error status: 1
      Jul  8 22:01:53 comix openvpn[4719]: Exiting due to fatal error

      Seems it can't create routes and tun0 won't come up? (may be wrong here)

      Would anyone have an idea?

      Thank you in advance,

      JP

      • jpcyrenneITX

        Didn't get a reply to my last post and I would really need/appreciate some help.

        I can't use OpenVPN anymore?

        Here's another AWS instance (with AMI - used to work fine).  Tun won't come up and create routes:

        tail -f /var/log/messages:
        Aug 15 16:06:57 assurancetourix openvpn[54409]: OpenVPN 2.4.3 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul  6 2017
        Aug 15 16:06:57 assurancetourix openvpn[54409]: library versions: OpenSSL 1.0.1k-fips 8 Jan 2015, LZO 2.08
        Aug 15 16:06:57 assurancetourix openvpn[54410]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
        Aug 15 16:06:57 assurancetourix openvpn[54410]: TCP/UDP: Preserving recently used remote address: [AF_INET]107.21.225.83:1195
        Aug 15 16:06:57 assurancetourix openvpn[54410]: UDP link local (bound): [AF_INET][undef]:0
        Aug 15 16:06:57 assurancetourix openvpn[54410]: UDP link remote: [AF_INET]107.21.225.83:1195
        Aug 15 16:06:58 assurancetourix openvpn[54410]: [Netgate VPN Server] Peer Connection Initiated with [AF_INET]107.21.225.83:1195
        Aug 15 16:07:00 assurancetourix openvpn[54410]: TUN/TAP device tun0 opened
        Aug 15 16:07:00 assurancetourix openvpn[54410]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
        Aug 15 16:07:00 assurancetourix openvpn[54410]: /sbin/ip link set dev tun0 up mtu 1500
        Aug 15 16:07:00 assurancetourix openvpn[54410]: /sbin/ip addr add dev tun0 10.150.201.103/-1 broadcast 255.255.255.255
        Aug 15 16:07:00 assurancetourix openvpn[54410]: Linux ip addr add failed: external program exited with error status: 1
        Aug 15 16:07:00 assurancetourix openvpn[54410]: Exiting due to fatal error

        $ ip addr
        1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
            link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
            inet 127.0.0.1/8 scope host lo
              valid_lft forever preferred_lft forever
            inet6 ::1/128 scope host
              valid_lft forever preferred_lft forever
        2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
            link/ether 06:82:e3:9c:76:81 brd ff:ff:ff:ff:ff:ff
            inet 172.31.13.246/20 brd 172.31.15.255 scope global eth0
              valid_lft forever preferred_lft forever
            inet6 fe80::482:e3ff:fe9c:7681/64 scope link
              valid_lft forever preferred_lft forever

        $ ifconfig
        eth0      Link encap:Ethernet  HWaddr 06:82:E3:9C:76:81
                  inet addr:172.31.13.246  Bcast:172.31.15.255  Mask:255.255.240.0
                  inet6 addr: fe80::482:e3ff:fe9c:7681/64 Scope:Link
                  UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
                  RX packets:4401425 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:8414513 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:1000
                  RX bytes:890917319 (849.6 MiB)  TX bytes:11347582578 (10.5 GiB)

        lo        Link encap:Local Loopback
                  inet addr:127.0.0.1  Mask:255.0.0.0
                  inet6 addr: ::1/128 Scope:Host
                  UP LOOPBACK RUNNING  MTU:65536  Metric:1
                  RX packets:892974 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:892974 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:1
                  RX bytes:12374509946 (11.5 GiB)  TX bytes:12374509946 (11.5 GiB)

        $ uname -a
        Linux assurancetourix.intellifest.com 4.4.51-40.58.amzn1.x86_64 #1 SMP Tue Feb 28 21:57:17 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

        Presently patching with SSH tunnels, I need to get this fixed.

        Thanks in advance,

        JP

        • jpcyrenneITX

          May have to do with the latest updates and the -1 netmask from what I read online?

          JP

          • jpcyrenneITX

            Tue Aug 15 20:59:42 2017 /sbin/ip link set dev tun0 up mtu 1500
            Tue Aug 15 20:59:42 2017 /sbin/ip addr add dev tun0 10.150.201.103/-1 broadcast 255.255.255.255
            Error: ??? prefix is expected rather than "10.150.201.103/-1".

            How to correct that?

            JP

            • jpcyrenneITX
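The `10.150.201.103/-1` in the failing `ip addr add` line is the interesting clue in this thread. Added example (not from the thread or from pfSense/OpenVPN): a small Python script that scans client log text for `ip addr add` commands whose prefix length is impossible, and a `netmask_to_netbits` helper that shows how a dotted quad which is not a contiguous mask (for instance a peer address being handed over where a netmask was expected) converts to exactly that `-1`. That the OpenVPN client computes the prefix from the pushed netmask this way is my reading of the 2.4 source, not something the thread states; the log lines embedded below are a constructed copy of the ones posted above.

```python
import ipaddress
import re

# Constructed sample: the tail of the client log posted in this thread.
SAMPLE_LOG = """\
Aug 15 16:07:00 assurancetourix openvpn[54410]: /sbin/ip link set dev tun0 up mtu 1500
Aug 15 16:07:00 assurancetourix openvpn[54410]: /sbin/ip addr add dev tun0 10.150.201.103/-1 broadcast 255.255.255.255
Aug 15 16:07:00 assurancetourix openvpn[54410]: Linux ip addr add failed: external program exited with error status: 1
Aug 15 16:07:00 assurancetourix openvpn[54410]: Exiting due to fatal error
"""

# Matches the 'ip addr add dev <if> <addr>/<prefix>' command OpenVPN logs.
IP_ADDR_ADD = re.compile(
    r"/sbin/ip addr add dev (?P<dev>\S+) (?P<addr>[\d.]+)/(?P<prefix>-?\d+)"
)


def netmask_to_netbits(mask: str) -> int:
    """Prefix length of a contiguous IPv4 netmask, or -1 if the dotted quad
    is not a valid mask (e.g. 10.150.201.106 handed over as a 'netmask')."""
    value = int(ipaddress.IPv4Address(mask))
    bits = 0
    probe = 1 << 31
    # Count leading one bits from the most significant end.
    while probe and value & probe:
        bits += 1
        probe >>= 1
    # Any one bit left after the first zero means the mask is not contiguous.
    if value & ((1 << (32 - bits)) - 1):
        return -1
    return bits


def find_bad_prefixes(log_text: str) -> list:
    """Return (device, address, prefix) for every logged 'ip addr add' whose
    prefix length is outside 0..32, i.e. a command that ip(8) will reject."""
    bad = []
    for line in log_text.splitlines():
        m = IP_ADDR_ADD.search(line)
        if not m:
            continue
        prefix = int(m.group("prefix"))
        if not 0 <= prefix <= 32:
            bad.append((m.group("dev"), m.group("addr"), prefix))
    return bad


if __name__ == "__main__":
    for dev, addr, prefix in find_bad_prefixes(SAMPLE_LOG):
        print(f"{dev}: invalid prefix /{prefix} for {addr}")
    for candidate in ("255.255.255.0", "255.255.255.252", "10.150.201.106"):
        print(f"{candidate} -> /{netmask_to_netbits(candidate)}")
```

Running it against the pasted log reports the `tun0` line with `/-1`, and the helper shows that `255.255.255.252` gives `/30` while a host address such as `10.150.201.106` gives `-1`. The defensive check this suggests is comparing what the server pushes (`ifconfig` and `topology` in the client's verbose log) against what the client assumes, rather than downgrading the client package, which also means running an OpenVPN build that no longer receives fixes.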

              I fixed it by downgrading the OpenVPN version on the client side (AWS EC2 instance).

              $ yum list openvpn
              Loaded plugins: priorities, update-motd, upgrade-helper
              1023 packages excluded due to repository priority protections
              Installed Packages
              openvpn.x86_64                                                                2.3.14-1.el6                                                                      installed
              Available Packages
              openvpn.x86_64                                                                2.4.3-1.19.amzn1                                                                  amzn-updates

              Seems like AWS updates my AMI images at launch... I never did a yum update.

              Is this fix a big security issue?

              Will it all work out if I update my present main Netgate pfSense AWS instance to 2.3.4?  Will it generate the right configs to work with OpenVPN 2.4.3?

              Thank you,

              JP

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.