OpenVPN not connecting anymore



  • Good day,

I have a production AWS Netgate firewall (2.1.5-RELEASE (amd64)) I use to connect different linux machines (CentOS6).  I know it's an old version, but there's practically always something connected and I can't afford to break it.

I noticed that if I upgrade openvpn on my servers (CentOS6) they stop working.  I need to stay at version 2.4.3 or I start getting errors.  For this I have a workaround to get me to our slow season and update everything.

    Q1: when I upgrade the Netgate AWS instance, will I have to generate new keys to work with updated openvpn clients?

    My real issue is with new instances I launch in AWS.  I have an AMI (worked well up to now, for sure a month or two ago) and when I launch openvpn it doesn't work.

/var/log/messages:
    Jul  8 22:01:51 comix openvpn[4718]: OpenVPN 2.4.3 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul  6 2017
    Jul  8 22:01:51 comix openvpn[4718]: library versions: OpenSSL 1.0.1k-fips 8 Jan 2015, LZO 2.08
Jul  8 22:01:51 comix openvpn[4719]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
    Jul  8 22:01:51 comix openvpn[4719]: TCP/UDP: Preserving recently used remote address: [AF_INET]107.21.225.83:1195
    Jul  8 22:01:51 comix openvpn[4719]: UDP link local (bound): [AF_INET][undef]:0
    Jul  8 22:01:51 comix openvpn[4719]: UDP link remote: [AF_INET]107.21.225.83:1195
    Jul  8 22:01:52 comix openvpn[4719]: [Netgate VPN Server] Peer Connection Initiated with [AF_INET]107.21.225.83:1195
    Jul  8 22:01:53 comix openvpn[4719]: TUN/TAP device tun0 opened
    Jul  8 22:01:53 comix openvpn[4719]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Jul  8 22:01:53 comix openvpn[4719]: /sbin/ip link set dev tun0 up mtu 1500
    Jul  8 22:01:53 comix openvpn[4719]: /sbin/ip addr add dev tun0 10.150.201.105/-1 broadcast 255.255.255.255
    Jul  8 22:01:53 comix openvpn[4719]: Linux ip addr add failed: external program exited with error status: 1
    Jul  8 22:01:53 comix openvpn[4719]: Exiting due to fatal error

    Seems it can't create routes and tun0 won't come up? (may be wrong here)

    Would anyone have an idea?

    Thank you in advance,

    JP



• Didn't get a reply from my last post and I would really need/appreciate some help.

    I can't use OpenVPN anymore?

Here's another AWS instance (with AMI - used to work fine).  Tun won't come up and create routes:

    tail -f /var/log/messages:
    Aug 15 16:06:57 assurancetourix openvpn[54409]: OpenVPN 2.4.3 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul  6 2017
    Aug 15 16:06:57 assurancetourix openvpn[54409]: library versions: OpenSSL 1.0.1k-fips 8 Jan 2015, LZO 2.08
Aug 15 16:06:57 assurancetourix openvpn[54410]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
    Aug 15 16:06:57 assurancetourix openvpn[54410]: TCP/UDP: Preserving recently used remote address: [AF_INET]107.21.225.83:1195
    Aug 15 16:06:57 assurancetourix openvpn[54410]: UDP link local (bound): [AF_INET][undef]:0
    Aug 15 16:06:57 assurancetourix openvpn[54410]: UDP link remote: [AF_INET]107.21.225.83:1195
    Aug 15 16:06:58 assurancetourix openvpn[54410]: [Netgate VPN Server] Peer Connection Initiated with [AF_INET]107.21.225.83:1195
    Aug 15 16:07:00 assurancetourix openvpn[54410]: TUN/TAP device tun0 opened
    Aug 15 16:07:00 assurancetourix openvpn[54410]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Aug 15 16:07:00 assurancetourix openvpn[54410]: /sbin/ip link set dev tun0 up mtu 1500
    Aug 15 16:07:00 assurancetourix openvpn[54410]: /sbin/ip addr add dev tun0 10.150.201.103/-1 broadcast 255.255.255.255
    Aug 15 16:07:00 assurancetourix openvpn[54410]: Linux ip addr add failed: external program exited with error status: 1
    Aug 15 16:07:00 assurancetourix openvpn[54410]: Exiting due to fatal error

    $ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
          valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
          valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
        link/ether 06:82:e3:9c:76:81 brd ff:ff:ff:ff:ff:ff
        inet 172.31.13.246/20 brd 172.31.15.255 scope global eth0
          valid_lft forever preferred_lft forever
        inet6 fe80::482:e3ff:fe9c:7681/64 scope link
          valid_lft forever preferred_lft forever

    $ ifconfig
    eth0      Link encap:Ethernet  HWaddr 06:82:E3:9C:76:81
              inet addr:172.31.13.246  Bcast:172.31.15.255  Mask:255.255.240.0
              inet6 addr: fe80::482:e3ff:fe9c:7681/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
              RX packets:4401425 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8414513 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:890917319 (849.6 MiB)  TX bytes:11347582578 (10.5 GiB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:892974 errors:0 dropped:0 overruns:0 frame:0
              TX packets:892974 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1
              RX bytes:12374509946 (11.5 GiB)  TX bytes:12374509946 (11.5 GiB)

    $ uname -a
    Linux assurancetourix.intellifest.com 4.4.51-40.58.amzn1.x86_64 #1 SMP Tue Feb 28 21:57:17 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Presently patching with SSH tunnels, I need to get this fixed.

    Thanks in advance,

JP



  • May have to do with the latest updates and the -1 netmask from what I read online?

    JP



  • Tue Aug 15 20:59:42 2017 /sbin/ip link set dev tun0 up mtu 1500
    Tue Aug 15 20:59:42 2017 /sbin/ip addr add dev tun0 10.150.201.103/-1 broadcast 255.255.255.255
    Error: ??? prefix is expected rather than "10.150.201.103/-1".

    How to correct that?

    JP
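The two failure signals in the logs above (the deprecated `--ns-cert-type` warning and the `ip addr add ... /-1` command that `ip` rejects) are easy to miss in a busy `/var/log/messages`. The following triage script is an added example, not code from JP's posts or from the Netgate or OpenVPN projects: it parses syslog-style OpenVPN lines, rejects any IPv4 prefix length outside 0..32 before it is treated as a valid address assignment, and reports the deprecated option together with its replacement (`remote-cert-tls server`, which checks the server certificate's key usage / extended key usage rather than the old Netscape cert-type extension). The sample lines are copied from the second post; the regexes, the finding names and the `triage()` function are my own construction.

```python
"""Triage helper for the OpenVPN client failure shown in this thread (added example).

Scans syslog-style lines written by the openvpn client, flags:
  * the deprecated --ns-cert-type option (replace with remote-cert-tls server),
  * an `ip addr add` command whose prefix length is not a legal IPv4 prefix,
  * the resulting "ip addr add failed" and "fatal error" lines.
"""
import re

# Constructed sample: the relevant lines quoted from the second post.
SAMPLE_LOG = """\
Aug 15 16:06:57 assurancetourix openvpn[54410]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Aug 15 16:06:57 assurancetourix openvpn[54410]: UDP link remote: [AF_INET]107.21.225.83:1195
Aug 15 16:06:58 assurancetourix openvpn[54410]: [Netgate VPN Server] Peer Connection Initiated with [AF_INET]107.21.225.83:1195
Aug 15 16:07:00 assurancetourix openvpn[54410]: TUN/TAP device tun0 opened
Aug 15 16:07:00 assurancetourix openvpn[54410]: /sbin/ip link set dev tun0 up mtu 1500
Aug 15 16:07:00 assurancetourix openvpn[54410]: /sbin/ip addr add dev tun0 10.150.201.103/-1 broadcast 255.255.255.255
Aug 15 16:07:00 assurancetourix openvpn[54410]: Linux ip addr add failed: external program exited with error status: 1
Aug 15 16:07:00 assurancetourix openvpn[54410]: Exiting due to fatal error
"""

# "Aug 15 16:07:00 host openvpn[54410]: message"  (the day may be padded with two spaces)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The address-assignment command OpenVPN hands to iproute2, e.g. ".../ip addr add dev tun0 A.B.C.D/N ..."
IP_ADDR_ADD_RE = re.compile(
    r"/sbin/ip addr add dev (?P<dev>\S+) (?P<addr>\d{1,3}(?:\.\d{1,3}){3})/(?P<plen>-?\d+)"
)
NS_CERT_RE = re.compile(r"WARNING: --ns-cert-type is DEPRECATED")


def valid_ipv4_prefix(plen: int) -> bool:
    """An IPv4 prefix length must be between 0 and 32; -1 (as in the log) is never valid."""
    return 0 <= plen <= 32


def parse_openvpn_lines(text: str):
    """Yield (pid, message) for every syslog line that the openvpn process emitted."""
    for raw in text.splitlines():
        m = SYSLOG_RE.match(raw)
        if m:
            yield m.group("pid"), m.group("msg")


def triage(text: str) -> list:
    """Return findings in log order; each is a dict with pid, kind, detail and a suggested action."""
    findings = []
    for pid, msg in parse_openvpn_lines(text):
        if NS_CERT_RE.search(msg):
            findings.append({
                "pid": pid, "kind": "deprecated_ns_cert_type", "detail": msg,
                "action": "replace 'ns-cert-type server' with 'remote-cert-tls server' in the client config",
            })
        m = IP_ADDR_ADD_RE.search(msg)
        if m:
            plen = int(m.group("plen"))
            if not valid_ipv4_prefix(plen):
                findings.append({
                    "pid": pid, "kind": "bad_prefix",
                    "detail": f"{m.group('addr')}/{plen} on {m.group('dev')}",
                    "action": "tun address assignment is malformed; compare the client/server OpenVPN versions and the pushed ifconfig/topology",
                })
        if msg.startswith("Linux ip addr add failed"):
            findings.append({"pid": pid, "kind": "ip_addr_add_failed", "detail": msg,
                             "action": "see the preceding ip addr add line"})
        if msg == "Exiting due to fatal error":
            findings.append({"pid": pid, "kind": "fatal", "detail": msg,
                             "action": "tunnel never came up; no routes were installed"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[pid {f['pid']}] {f['kind']}: {f['detail']}\n    -> {f['action']}")
```

Run against the real file with `triage(open("/var/log/messages").read())`; a `bad_prefix` finding immediately before `ip_addr_add_failed` is the signature of the failure in this thread, and `deprecated_ns_cert_type` is worth fixing independently, since the replacement option is what keeps the client verifying that it is talking to a certificate issued as a server.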



  • I fixed it by downgrading the OpenVPN version on the client side (AWS EC2 instance).

    $ yum list openvpn
    Loaded plugins: priorities, update-motd, upgrade-helper
    1023 packages excluded due to repository priority protections
    Installed Packages
    openvpn.x86_64                                                                2.3.14-1.el6                                                                      installed
    Available Packages
    openvpn.x86_64                                                                2.4.3-1.19.amzn1                                                                  amzn-updates

    Seems like AWS updates my AMI images at launch… I never did a yum update.

    Is this fix a big security issue?

Will it all work out if I update my present main Netgate pfSense AWS instance to 2.3.4?  Will it generate the right configs to work with OpenVPN 2.4.3?

    Thank you,

    JP