Netgate Discussion Forum

(Solved) OpenVPN lost connectivity

2.3-RC Snapshot Feedback and Issues - ARCHIVED
  • C
    chpalmer
    last edited by Dec 2, 2015, 7:41 AM

    Some logs-

    Dec 1 23:15:32 openvpn[633]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
    Dec 1 23:15:32 openvpn[633]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 172.31.125.0
    Dec 1 23:15:32 openvpn[633]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
    Dec 1 23:15:32 openvpn[633]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 172.30.15.0

    Triggering snowflakes one by one..
    Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Dec 2, 2015, 2:47 PM

      Is this an SSL/TLS remote access setup with client-specific overrides?

      If so, what options do you have specified in the overrides, and what do the contents of /var/etc/openvpn-csc/<server id>/<common name> look like?

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • C
        chpalmer
        last edited by Dec 2, 2015, 6:14 PM

        Hi JimP

        It's a peer to peer shared key setup.

        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Dec 2, 2015, 6:20 PM

          Hmm, nothing should have changed for shared key. Are those log messages found on both sides? Are both sides 2.3?
          Can you share the contents of the /var/etc/openvpn/*.conf files? Or at least the lines inside with ifconfig and route (No need to see keys or anything secret)

          • C
            chpalmer
            last edited by Dec 2, 2015, 6:34 PM Dec 2, 2015, 6:30 PM

            ~~Actually might be a bigger issue somewhere else.

            I can't get to anything behind the firewall with port forward rules I've had for years. (Outside of the VPN.)

            I simply disable firewall rules when I'm not using them as I use the VPN instead.~~  I'm letting one of the sites update to the latest snap and will report back.

            Axe that- loose nut behind the wheel!

            Working on your requests now.

            One side is 2.2.5 and the two test sites are 2.3

            All 2.2.5 sites working fine.

            • C
              chpalmer
              last edited by Dec 2, 2015, 6:39 PM

              dev ovpnc1
              verb 1
              dev-type tun
              tun-ipv6
              dev-node /dev/tun1
              writepid /var/run/openvpn_client1.pid
              #user nobody
              #group nobody
              script-security 3
              daemon
              keepalive 10 60
              ping-timer-rem
              persist-tun
              persist-key
              proto udp
              cipher AES-256-CBC
              auth SHA1
              up /usr/local/sbin/ovpn-linkup
              down /usr/local/sbin/ovpn-linkdown
              local 173.xxx.xxx.26
              lport 1194
              management /var/etc/openvpn/client1.sock unix
              remote Box.MyIP.com 1194
              ifconfig 10.10.1.2 10.10.1.1
              route 172.31.125.0 255.255.255.0
              route 172.30.15.0 255.255.255.248
              route 192.168.25.0 255.255.255.0
              secret /var/etc/openvpn/client1.secret 
              comp-lzo adaptive
              topology subnet
              • J
                jimp Rebel Alliance Developer Netgate
                last edited by Dec 2, 2015, 6:41 PM

                Hmm it's adding topology there when it shouldn't be added for shared key. I'll take a look in the code and find a fix.

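The condition jimp identifies in the post above can be checked mechanically. The following is an added example, not part of the thread and not pfSense code: a Python check that flags `topology subnet` in a shared-key (`secret`) config and shows how the `ifconfig` pair is then reinterpreted. It assumes that under `topology subnet` the second `ifconfig` argument is treated as a netmask; the function names are hypothetical and the sample is a trimmed copy of the config posted above.

```python
import ipaddress

# Trimmed copy of the client config posted above (relevant lines only).
POSTED_CONF = """\
dev-type tun
ifconfig 10.10.1.2 10.10.1.1
route 172.31.125.0 255.255.255.0
route 172.30.15.0 255.255.255.248
secret /var/etc/openvpn/client1.secret
topology subnet
"""

def parse(conf_text):
    """Return {directive: [argument lists]} for an OpenVPN config."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop '#' comments
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives

def ifconfig_as_seen(directives):
    """ifconfig pair as interpreted under the configured topology.

    Assumption: with 'topology subnet' the second argument is a netmask,
    so the pair becomes (local AND mask, mask); otherwise it stays the
    point-to-point (local, peer) pair as written.
    """
    local, second = directives["ifconfig"][0]
    if ["subnet"] in directives.get("topology", []):
        masked = int(ipaddress.IPv4Address(local)) & int(ipaddress.IPv4Address(second))
        return f"{ipaddress.IPv4Address(masked)} {second}"
    return f"{local} {second}"

def check_shared_key_topology(conf_text):
    """Findings for a shared-key config that also sets 'topology subnet'."""
    d = parse(conf_text)
    findings = []
    if "secret" in d and ["subnet"] in d.get("topology", []):
        findings.append("topology subnet set in shared-key (secret) mode")
        no_gw = [r[0] for r in d.get("route", []) if len(r) < 3]
        if no_gw and "route-gateway" not in d:
            findings.append("routes relying on a default gateway: " + ", ".join(no_gw))
    return findings

if __name__ == "__main__":
    print("ifconfig as interpreted:", ifconfig_as_seen(parse(POSTED_CONF)))
    for finding in check_shared_key_topology(POSTED_CONF):
        print("FINDING:", finding)
```

Under that assumption the pair `10.10.1.2 10.10.1.1` becomes `10.10.1.0 10.10.1.1`, which is the `remote=` value in the 'ifconfig' is used inconsistently warning posted from the 2.2.5 side.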
                • C
                  chpalmer
                  last edited by Dec 2, 2015, 6:44 PM

                  This is from the 2.2.5 side in case it helps.  :)

                  Dec 2 10:30:42     openvpn[16323]: Inactivity timeout (--ping-restart), restarting
                  Dec 2 10:30:42     openvpn[16323]: SIGUSR1[soft,ping-restart] received, process restarting
                  Dec 2 10:30:44     openvpn[16323]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                  Dec 2 10:30:44     openvpn[16323]: Re-using pre-shared static key
                  Dec 2 10:30:44     openvpn[16323]: Preserving previous TUN/TAP instance: ovpns1
                  Dec 2 10:30:44     openvpn[16323]: UDPv4 link local (bound): [AF_INET]xx.1xx.xxx.1x8:1194
                  Dec 2 10:30:44     openvpn[16323]: UDPv4 link remote: [undef]
                  Dec 2 10:31:17     openvpn[16323]: Peer Connection Initiated with [AF_INET]1xx.xxx.xxx.x6:1194
                  Dec 2 10:31:18     openvpn[16323]: Initialization Sequence Completed
                  Dec 2 10:31:25     openvpn[16323]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.10.1.1 10.10.1.2', remote='ifconfig 10.10.1.0 10.10.1.1'
                  • C
                    chpalmer
                    last edited by Dec 2, 2015, 7:29 PM

                    I was able to modify my config files on both affected machines and everything came back fine. So no other underlying issues. (But you knew that already.)  :)

                    • J
                      jimp Rebel Alliance Developer Netgate
                      last edited by Dec 2, 2015, 7:56 PM

                      OK I just pushed a fix, you can gitsync to pick it up in a few minutes, or wait until the next snapshot build and upgrade that way.

                      • C
                        chpalmer
                        last edited by Dec 2, 2015, 8:03 PM

                        Thanks JimP
