
    OpenVPN Issue – [Resolved 4 Apr 16]

    2.3-RC Snapshot Feedback and Issues - ARCHIVED
      jits

      **  Resolved in .. VPN / OpenVPN / Client Specific Overrides.

      ** /30 addressing removed and replaced with /24 address.
      ** Example : removed 10.192.168.12/30 and replaced with 10.192.168.12/24.

      ** Logs now show…

      Mon Apr 04 22:47:19 2016 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{535AE7AA-F3DF-4F97-BDD8-E88CDD18FA4A}.tap
      Mon Apr 04 22:47:19 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 10.192.168.0/10.192.168.12/255.255.255.0 [SUCCEEDED]
      Mon Apr 04 22:47:19 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.192.168.12/255.255.255.0 on interface {535AE7AA-F3DF-4F97-BDD8-E88CDD18FA4A} [DHCP-serv: 10.192.168.254, lease-time: 31536000]
      Mon Apr 04 22:47:19 2016 Successful ARP Flush on interface [11] {535AE7AA-F3DF-4F97-BDD8-E88CDD18FA4A}
      Mon Apr 04 22:47:20 2016 Initialization Sequence Completed
      
      

      Hello.

      I am running latest and greatest…community edition.

      2.3-RC (amd64)
      built on Mon Apr 04 07:32:16 CDT 2016
      FreeBSD 10.3-RELEASE

      Intel(R) Atom(TM) CPU D510 @ 1.66GHz
      4 CPUs: 1 package(s) x 2 core(s) x 2 HTT threads

      I do have a problem with OpenVPN clients who can connect into the VPN, but are unable to communicate further. Anyone else having this problem?

      Jits.

        cremesk

        For me, a reboot helps..

          Ofloo

          What do you mean by further?

          • Add allow rule to the firewall?
          • If it's to the web NAT rules?
          • other IP routes, did you properly advertise the IP routes the router has to the client?
          • …

          Please explain in more detail; there are several things I can understand from your question, all with different solutions.

            johnpoz LAYER 8 Global Moderator

            so did this use to work and after the upgrade to this snapshot it failed.. Or is this a new setup?

            What I can tell you is I am using CE

            2.3-RC (amd64)
            built on Sun Apr 03 14:24:26 CDT 2016

            And I am currently remote openvpn in and not having any issues getting to anything.  I don't really like upgrading to a new snapshot while I am gone.. If something happens to fail, I am kind of locked out and wife would be pissed no internet until I get home sort of thing ;)

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              serialdie

              no issues here.

                jits

                my apologies…

                It's Monday.

                This is an upgrade from 2.2.6 version. I've rebooted and then thought that perhaps I need to resend the client files to the users after the upgrade. That made sense to me. I resent to myself, and on the client side, when logging in this is what I get...

                Mon Apr 04 14:19:22 2016 OpenVPN 2.3.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jun  8 2015
                Mon Apr 04 14:19:22 2016 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08
                Enter Management Password:
                Mon Apr 04 14:19:23 2016 Control Channel Authentication: using 'gateway-luna-udp-3396-Paperlips-tls.key' as a OpenVPN static key file
                Mon Apr 04 14:19:23 2016 UDPv4 link local (bound): [undef]
                Mon Apr 04 14:19:23 2016 UDPv4 link remote: [AF_INET]X.X.106.2:3396
                Mon Apr 04 14:19:24 2016 [GPOServer] Peer Connection Initiated with [AF_INET]X.X.106.2:3396
                Mon Apr 04 14:19:26 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
                Mon Apr 04 14:19:26 2016 open_tun, tt->ipv6=0
                Mon Apr 04 14:19:26 2016 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{C4F2E093-407F-483C-BBAC-0A1AD555208A}.tap
                Mon Apr 04 14:19:26 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 10.192.168.12/10.192.168.12/255.255.255.252 [SUCCEEDED]
                Mon Apr 04 14:19:26 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.192.168.12/255.255.255.252 on interface {C4F2E093-407F-483C-BBAC-0A1AD555208A} [DHCP-serv: 10.192.168.14, lease-time: 31536000]
                Mon Apr 04 14:19:26 2016 Successful ARP Flush on interface [13] {C4F2E093-407F-483C-BBAC-0A1AD555208A}
                Mon Apr 04 14:19:57 2016 SIGTERM[hard,] received, process exiting
                
                

                And..on the server side, this is what I get…

                Apr 4 14:21:54 	openvpn 	32873 	Paperlips/192.168.1.177:52769 [Paperlips] Inactivity timeout (--ping-restart), restarting
                Apr 4 14:19:23 	openvpn 	32873 	Paperlips/192.168.1.177:52769 send_push_reply(): safe_cap=940
                Apr 4 14:19:21 	openvpn 	32873 	192.168.1.177:52769 [Paperlips] Peer Connection Initiated with [AF_INET]192.168.1.177:52769 
                

                Logs recorded from 02 APR…

                
                Apr 4 14:21:54 	openvpn 	32873 	Paperlips/192.168.1.177:52769 [Paperlips] Inactivity timeout (--ping-restart), restarting
                Apr 4 14:19:23 	openvpn 	32873 	Paperlips/192.168.1.177:52769 send_push_reply(): safe_cap=940
                Apr 4 14:19:21 	openvpn 	32873 	192.168.1.177:52769 [Paperlips] Peer Connection Initiated with [AF_INET]192.168.1.177:52769
                Apr 4 14:18:55 	openvpn 	32873 	x.x.132.52:63855 send_push_reply(): safe_cap=940
                Apr 4 14:18:54 	openvpn 	32873 	x.x.167.158:60368 send_push_reply(): safe_cap=940
                Apr 4 14:18:52 	openvpn 	32873 	x.x.132.52:63855 [C] Peer Connection Initiated with [AF_INET]x.x.132.52:63855
                Apr 4 14:18:52 	openvpn 	32873 	x.x.96.41:50427 send_push_reply(): safe_cap=940
                Apr 4 14:18:52 	openvpn 	32873 	x.x.167.158:60368 [C] Peer Connection Initiated with [AF_INET]x.x.167.158:60368
                Apr 4 14:18:50 	openvpn 	32873 	x.x.96.41:50427 MULTI_sva: pool returned IPv4=10.192.168.2, IPv6=(Not enabled)
                Apr 4 14:18:50 	openvpn 	32873 	x.x.96.41:50427 [car] Peer Connection Initiated with [AF_INET]x.x.96.41:50427
                Apr 4 14:18:44 	openvpn 	32873 	x.x.167.158:60368 write UDPv4: No route to host (code=65)
                Apr 4 14:18:44 	openvpn 	32873 	x.x.132.52:63855 write UDPv4: No route to host (code=65)
                Apr 4 14:18:44 	openvpn 	32873 	x.x.96.41:50427 write UDPv4: No route to host (code=65)
                Apr 4 14:18:42 	openvpn 	32873 	x.x.167.158:60368 write UDPv4: No route to host (code=65)
                Apr 4 14:18:41 	openvpn 	32873 	x.x.96.41:50427 write UDPv4: No route to host (code=65)
                Apr 4 14:18:40 	openvpn 	32873 	x.x.167.158:60368 write UDPv4: No route to host (code=65)
                Apr 4 14:18:33 	openvpn 	32873 	Initialization Sequence Completed
                Apr 4 14:18:33 	openvpn 	32873 	UDPv4 link remote: [undef]
                Apr 4 14:18:33 	openvpn 	32873 	UDPv4 link local (bound): [AF_INET]x.x.106.2:3396
                Apr 4 14:18:33 	openvpn 	32873 	/usr/local/sbin/ovpn-linkup ovpns2 1500 1602 10.192.168.1 255.255.255.0 init
                Apr 4 14:18:33 	openvpn 	32873 	/sbin/ifconfig ovpns2 10.192.168.1 10.192.168.2 mtu 1500 netmask 255.255.255.0 up
                Apr 4 14:18:33 	openvpn 	32873 	do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
                Apr 4 14:18:33 	openvpn 	32873 	ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
                Apr 4 14:18:33 	openvpn 	32873 	TUN/TAP device /dev/tun2 opened
                Apr 4 14:18:33 	openvpn 	32873 	TUN/TAP device ovpns2 exists previously, keep at program end
                Apr 4 14:18:33 	openvpn 	32873 	Control Channel Authentication: using '/var/etc/openvpn/server2.tls-auth' as a OpenVPN static key file
                Apr 4 14:18:33 	openvpn 	32873 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                Apr 4 14:18:33 	openvpn 	32873 	Could not retrieve default gateway from route socket:: No such process (errno=3)
                Apr 4 14:18:33 	openvpn 	32553 	library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
                Apr 4 14:18:33 	openvpn 	32553 	OpenVPN 2.3.9 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Mar 31 2016
                Apr 4 14:13:22 	openvpn 	31123 	S/x.x.82.18:53174 [s] Inactivity timeout (--ping-restart), restarting
                Apr 4 14:11:22 	openvpn 	31123 	S/x.x.82.18:53174 send_push_reply(): safe_cap=940
                Apr 4 14:11:20 	openvpn 	31123 	x.x.82.18:53174 [s] Peer Connection Initiated with [AF_INET]x.x.82.18:53174
                Apr 4 14:10:54 	openvpn 	31123 	S/x.x.82.18:42576 send_push_reply(): safe_cap=940
                Apr 4 14:10:52 	openvpn 	31123 	x.x.82.18:42576 [s] Peer Connection Initiated with [AF_INET]x.x.82.18:42576
                Apr 4 13:41:26 	openvpn 	31123 	S/x.x.82.18:15892 [s] Inactivity timeout (--ping-restart), restarting
                Apr 4 13:39:26 	openvpn 	31123 	S/x.x.82.18:15892 send_push_reply(): safe_cap=940
                Apr 4 13:39:24 	openvpn 	31123 	x.x.82.18:15892 [s] Peer Connection Initiated with [AF_INET]x.x.82.18:15892
                Apr 4 13:38:49 	openvpn 	31123 	S/x.x.82.18:55188 send_push_reply(): safe_cap=940
                Apr 4 13:38:47 	openvpn 	31123 	x.x.82.18:55188 [s] Peer Connection Initiated with [AF_INET]x.x.82.18:55188
                Apr 4 13:24:11 	openvpn 	31123 	Paperlips/x.x.96.41:40544 [Paperlips] Inactivity timeout (--ping-restart), restarting
                Apr 4 13:13:05 	openvpn 	31123 	S/192.168.90.46:63234 [Sacha] Inactivity timeout (--ping-restart), restarting
                Apr 4 13:07:08 	openvpn 	31123 	Paperlips/x.x.96.41:40544 send_push_reply(): safe_cap=940
                Apr 4 13:07:06 	openvpn 	31123 	x.x.96.41:40544 [PaperClips] Peer Connection Initiated with [AF_INET]x.x.96.41:40544
                Apr 4 12:55:22 	openvpn 	31123 	S/192.168.90.46:63234 send_push_reply(): safe_cap=940
                Apr 4 12:55:20 	openvpn 	31123 	S/192.168.90.46:63234 MULTI_sva: pool returned IPv4=10.192.168.3, IPv6=(Not enabled)
                Apr 4 12:55:20 	openvpn 	31123 	192.168.90.46:63234 [s] Peer Connection Initiated with [AF_INET]192.168.90.46:63234
                Apr 4 12:31:06 	openvpn 	31123 	Sacha/192.168.90.46:57861 [s] Inactivity timeout (--ping-restart), restarting
                Apr 4 11:49:20 	openvpn 	31123 	C/x.x.132.52:52432 send_push_reply(): safe_cap=940
                Apr 4 11:49:18 	openvpn 	31123 	x.x.132.52:52432 [C] Peer Connection Initiated with [AF_INET]x.x.132.52:52432
                Apr 4 11:46:41 	openvpn 	31123 	Paperlips/x.x.96.41:53734 [Paperlips] Inactivity timeout (--ping-restart), restarting
                Apr 4 11:40:01 	openvpn 	31123 	Paperlips/x.x.96.41:53734 send_push_reply(): safe_cap=940
                Apr 4 11:39:58 	openvpn 	31123 	x.x.96.41:53734 [Paperlips] Peer Connection Initiated with [AF_INET]x.x.96.41:53734
                Apr 4 11:11:13 	openvpn 	31123 	Sacha/192.168.90.46:57861 send_push_reply(): safe_cap=940
                Apr 4 11:11:10 	openvpn 	31123 	Sacha/192.168.90.46:57861 MULTI_sva: pool returned IPv4=10.192.168.3, IPv6=(Not enabled)
                Apr 4 11:11:10 	openvpn 	31123 	192.168.90.46:57861 [s] Peer Connection Initiated with [AF_INET]192.168.90.46:57861
                Apr 4 10:18:00 	openvpn 	31123 	C/x.x.167.158:50190 send_push_reply(): safe_cap=940
                Apr 4 10:18:00 	openvpn 	31123 	C/x.x.132.52:55873 send_push_reply(): safe_cap=940
                Apr 4 10:17:58 	openvpn 	31123 	carletta/x.x.96.41:35123 send_push_reply(): safe_cap=940
                Apr 4 10:17:58 	openvpn 	31123 	x.x.132.52:55873 [C] Peer Connection Initiated with [AF_INET]x.x.132.52:55873
                Apr 4 10:17:58 	openvpn 	31123 	x.x.167.158:50190 [C] Peer Connection Initiated with [AF_INET]5.189.167.158:50190
                Apr 4 10:17:55 	openvpn 	31123 	carletta/x.x.96.41:35123 MULTI_sva: pool returned IPv4=10.192.168.2, IPv6=(Not enabled)
                Apr 4 10:17:55 	openvpn 	31123 	209.59.96.41:35123 [c] Peer Connection Initiated with [AF_INET]x.x.96.41:35123
                  johnpoz LAYER 8 Global Moderator

                  Why would you have to send anything??  I just upgraded my 2.2.6 to 2.3 a couple of days back and openvpn is working with the exact same files.  Why would the config files change?  The certs sure wouldn't have..

                    serialdie

                    @johnpoz:

                    Why would you have to send anything??  I just upgraded my 2.2.6 to 2.3 a couple of days back and openvpn is working with the exact same files.  Why would the config files change?  The certs sure wouldn't have..

                    +1 This.

                      jits

                      Correct. There are no changes made to the certs, so no need to re-issue them.

                      I left openvpn connecting and after a while, this is the error..

                      Mon Apr 04 17:21:25 2016 Warning: route gateway is not reachable on any active network adapters: 10.192.168.1

                      Why would this be?

                      Thanks…

                        cmb

                        Your client's receiving a /30, so yeah .1 isn't going to be reachable. What's your server-side OpenVPN config look like, primarily for DHCP?

                          jits

                          @cmb:

                          Your client's receiving a /30, so yeah .1 isn't going to be reachable. What's your server-side OpenVPN config look like, primarily for DHCP?

                          I will check to make sure when I reach back, but I think it is a mixture. Remote users log in and get assigned whatever IP address within subnet.

                          Other users, Remote Agents, are assigned specific IP addresses within the same subnet. This is because we build VMs for them to use billing software remotely, and print customer receipts locally. Within the VMs we use the NETUSE LPT1 to assign USB receipt printer back at their location.

                          This used to work before the upgrade to 2.3. Hope this helps. Is there any further information I should provide?

                          Thanks…
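
cmb's diagnosis and the fix recorded in the first post, as an added example (not code from the thread, pfSense or OpenVPN): it compares the address and netmask the Windows client applied to its TAP adapter with the server's tunnel interface, using log lines copied from the posts above. The function name and finding labels are assumptions made for this example.

```python
import ipaddress
import re

# Log lines copied from the thread (whitespace normalised): the server's ifconfig
# line, then the client's TAP setup line before and after the override was changed.
SERVER_LOG = ("Apr 4 14:18:33 openvpn 32873 /sbin/ifconfig ovpns2 "
              "10.192.168.1 10.192.168.2 mtu 1500 netmask 255.255.255.0 up")
CLIENT_BEFORE = ("Mon Apr 04 14:19:26 2016 Set TAP-Windows TUN subnet mode network/local/netmask"
                 " = 10.192.168.12/10.192.168.12/255.255.255.252 [SUCCEEDED]")
CLIENT_AFTER = ("Mon Apr 04 22:47:19 2016 Set TAP-Windows TUN subnet mode network/local/netmask"
                " = 10.192.168.0/10.192.168.12/255.255.255.0 [SUCCEEDED]")

# Capture the local address and netmask from each side's log line.
TAP_RE = re.compile(r"network/local/netmask = [\d.]+/([\d.]+)/([\d.]+)")
IFCONFIG_RE = re.compile(r"/sbin/ifconfig \S+ ([\d.]+) [\d.]+ mtu \d+ netmask ([\d.]+)")


def _interface(pattern, log, what):
    """Return the address/netmask found in `log` as an ip_interface."""
    match = pattern.search(log)
    if match is None:
        raise ValueError(f"no {what} line found in log")
    return ipaddress.ip_interface(f"{match.group(1)}/{match.group(2)}")


def diagnose(client_log, server_log):
    """List the addressing problems visible from the two logs (empty list = consistent)."""
    client = _interface(TAP_RE, client_log, "TAP-Windows subnet")
    server = _interface(IFCONFIG_RE, server_log, "server ifconfig")
    findings = []
    # Subnet topology: both ends should carry the same tunnel netmask.
    if client.network.prefixlen != server.network.prefixlen:
        findings.append("netmask-mismatch")
    # The pushed route gateway is the server's tunnel IP; it must be on-link for the client.
    if server.ip not in client.network:
        findings.append("gateway-off-link")
    # With a short mask the assigned address can land on the subnet's network address.
    if client.network.prefixlen < 31 and client.ip == client.network.network_address:
        findings.append("local-is-network-address")
    return findings


if __name__ == "__main__":
    for label, log in (("before", CLIENT_BEFORE), ("after", CLIENT_AFTER)):
        print(label, diagnose(log, SERVER_LOG) or "consistent")
```
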
