OpenVPN not connecting anymore
-
Good day,
I have a production AWS Netgate firewall (2.1.5-RELEASE (amd64)) I use to connect different Linux machines (CentOS 6). I know it's an old version, but there's practically always something connected and I can't afford to break it.
I noticed that if I upgrade OpenVPN on my servers (CentOS 6) they stop working. I need to stay at version 2.4.3 or I start getting errors. For this I have a workaround to get me to our slow season and update everything.
Q1: when I upgrade the Netgate AWS instance, will I have to generate new keys to work with updated openvpn clients?
My real issue is with new instances I launch in AWS. I have an AMI (worked well up to now, for sure a month or two ago) and when I launch openvpn it doesn't work.
/var/log/messages:
Jul 8 22:01:51 comix openvpn[4718]: OpenVPN 2.4.3 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 6 2017
Jul 8 22:01:51 comix openvpn[4718]: library versions: OpenSSL 1.0.1k-fips 8 Jan 2015, LZO 2.08
Jul 8 22:01:51 comix openvpn[4719]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Jul 8 22:01:51 comix openvpn[4719]: TCP/UDP: Preserving recently used remote address: [AF_INET]107.21.225.83:1195
Jul 8 22:01:51 comix openvpn[4719]: UDP link local (bound): [AF_INET][undef]:0
Jul 8 22:01:51 comix openvpn[4719]: UDP link remote: [AF_INET]107.21.225.83:1195
Jul 8 22:01:52 comix openvpn[4719]: [Netgate VPN Server] Peer Connection Initiated with [AF_INET]107.21.225.83:1195
Jul 8 22:01:53 comix openvpn[4719]: TUN/TAP device tun0 opened
Jul 8 22:01:53 comix openvpn[4719]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jul 8 22:01:53 comix openvpn[4719]: /sbin/ip link set dev tun0 up mtu 1500
Jul 8 22:01:53 comix openvpn[4719]: /sbin/ip addr add dev tun0 10.150.201.105/-1 broadcast 255.255.255.255
Jul 8 22:01:53 comix openvpn[4719]: Linux ip addr add failed: external program exited with error status: 1
Jul 8 22:01:53 comix openvpn[4719]: Exiting due to fatal error

Seems it can't create routes and tun0 won't come up? (may be wrong here)
Would anyone have an idea?
Thank you in advance,
JP
-
Didn't get a reply from my last post and I would really need/appreciate some help.
I can't use OpenVPN anymore?
Here's another AWS instance (with AMI, used to work fine). Tun won't come up and create routes:
tail -f /var/log/messages:
Aug 15 16:06:57 assurancetourix openvpn[54409]: OpenVPN 2.4.3 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 6 2017
Aug 15 16:06:57 assurancetourix openvpn[54409]: library versions: OpenSSL 1.0.1k-fips 8 Jan 2015, LZO 2.08
Aug 15 16:06:57 assurancetourix openvpn[54410]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Aug 15 16:06:57 assurancetourix openvpn[54410]: TCP/UDP: Preserving recently used remote address: [AF_INET]107.21.225.83:1195
Aug 15 16:06:57 assurancetourix openvpn[54410]: UDP link local (bound): [AF_INET][undef]:0
Aug 15 16:06:57 assurancetourix openvpn[54410]: UDP link remote: [AF_INET]107.21.225.83:1195
Aug 15 16:06:58 assurancetourix openvpn[54410]: [Netgate VPN Server] Peer Connection Initiated with [AF_INET]107.21.225.83:1195
Aug 15 16:07:00 assurancetourix openvpn[54410]: TUN/TAP device tun0 opened
Aug 15 16:07:00 assurancetourix openvpn[54410]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Aug 15 16:07:00 assurancetourix openvpn[54410]: /sbin/ip link set dev tun0 up mtu 1500
Aug 15 16:07:00 assurancetourix openvpn[54410]: /sbin/ip addr add dev tun0 10.150.201.103/-1 broadcast 255.255.255.255
Aug 15 16:07:00 assurancetourix openvpn[54410]: Linux ip addr add failed: external program exited with error status: 1
Aug 15 16:07:00 assurancetourix openvpn[54410]: Exiting due to fatal error

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 06:82:e3:9c:76:81 brd ff:ff:ff:ff:ff:ff
    inet 172.31.13.246/20 brd 172.31.15.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::482:e3ff:fe9c:7681/64 scope link
       valid_lft forever preferred_lft forever

$ ifconfig
eth0      Link encap:Ethernet  HWaddr 06:82:E3:9C:76:81
          inet addr:172.31.13.246  Bcast:172.31.15.255  Mask:255.255.240.0
          inet6 addr: fe80::482:e3ff:fe9c:7681/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:4401425 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8414513 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:890917319 (849.6 MiB)  TX bytes:11347582578 (10.5 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:892974 errors:0 dropped:0 overruns:0 frame:0
          TX packets:892974 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:12374509946 (11.5 GiB)  TX bytes:12374509946 (11.5 GiB)

$ uname -a
Linux assurancetourix.intellifest.com 4.4.51-40.58.amzn1.x86_64 #1 SMP Tue Feb 28 21:57:17 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Presently patching with SSH tunnels, I need to get this fixed.
Thanks in advance,
JP
-
May have to do with the latest updates and the -1 netmask from what I read online?
JP
-
Tue Aug 15 20:59:42 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Aug 15 20:59:42 2017 /sbin/ip addr add dev tun0 10.150.201.103/-1 broadcast 255.255.255.255
Error: ??? prefix is expected rather than "10.150.201.103/-1".

How to correct that?
JP
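A small log triage helper, added here as an example (it is not from the thread, OpenVPN or Netgate), that reads client-side lines like the ones quoted above and separates a failed local `ip addr add` with an out-of-range prefix length from a TLS/auth failure; the sample log, the hostname and the 192.0.2.10 server address are constructed.

```python
import re

# Constructed sample log, modelled on the thread's /var/log/messages excerpts
# (hostname and server address replaced with placeholders).
SAMPLE_LOG = """\
Aug 15 16:06:58 host openvpn[54410]: [Netgate VPN Server] Peer Connection Initiated with [AF_INET]192.0.2.10:1195
Aug 15 16:07:00 host openvpn[54410]: TUN/TAP device tun0 opened
Aug 15 16:07:00 host openvpn[54410]: /sbin/ip link set dev tun0 up mtu 1500
Aug 15 16:07:00 host openvpn[54410]: /sbin/ip addr add dev tun0 10.150.201.103/-1 broadcast 255.255.255.255
Aug 15 16:07:00 host openvpn[54410]: Linux ip addr add failed: external program exited with error status: 1
Aug 15 16:07:00 host openvpn[54410]: Exiting due to fatal error
"""

# The `ip addr add` command OpenVPN logs before running it, and its failure line.
IP_ADDR_ADD = re.compile(
    r"ip addr add dev (?P<dev>\S+) (?P<addr>\d{1,3}(?:\.\d{1,3}){3})/(?P<prefix>-?\d+)")
IP_ADDR_FAIL = re.compile(r"Linux ip addr add failed: .*exited with error status: (?P<status>\d+)")


def triage_openvpn_log(text: str) -> dict:
    """Classify a client-side OpenVPN log: did the handshake complete, did the
    tun device open, and did the address step fail because the prefix length
    is outside the valid IPv4 range 0..32?"""
    r = {"handshake_ok": False, "tun_opened": False,
         "ip_addr_cmd": None, "bad_prefix": False, "ip_addr_failed": False}
    for line in text.splitlines():
        if "Peer Connection Initiated" in line:
            r["handshake_ok"] = True
        elif "TUN/TAP device" in line and line.rstrip().endswith("opened"):
            r["tun_opened"] = True
        elif (m := IP_ADDR_ADD.search(line)):
            r["ip_addr_cmd"] = (m["dev"], m["addr"], int(m["prefix"]))
            r["bad_prefix"] = not 0 <= int(m["prefix"]) <= 32
        elif IP_ADDR_FAIL.search(line):
            r["ip_addr_failed"] = True

    if r["bad_prefix"]:
        dev, addr, prefix = r["ip_addr_cmd"]
        r["verdict"] = (f"local interface setup failed: invalid prefix /{prefix} "
                        f"for {addr} on {dev} (handshake itself completed)")
    elif r["ip_addr_failed"]:
        r["verdict"] = "ip addr add failed for a reason other than the prefix length"
    elif not r["handshake_ok"]:
        r["verdict"] = "no completed handshake: look at TLS/auth, not the interface"
    else:
        r["verdict"] = "no interface configuration problem seen"
    return r


if __name__ == "__main__":
    print(triage_openvpn_log(SAMPLE_LOG)["verdict"])
```

Run it against a copy of /var/log/messages to confirm the failure is the local address step rather than certificate or key trouble before touching any keys.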
-
I fixed it by downgrading the OpenVPN version on the client side (AWS EC2 instance).
$ yum list openvpn
Loaded plugins: priorities, update-motd, upgrade-helper
1023 packages excluded due to repository priority protections
Installed Packages
openvpn.x86_64 2.3.14-1.el6 installed
Available Packages
openvpn.x86_64 2.4.3-1.19.amzn1 amzn-updates

Seems like AWS updates my AMI images at launch… I never did a yum update.
Is this fix a big security issue?
Will it all work out if I update my present main Netgate pfSense AWS instance to 2.3.4? Will it generate the right configs to work with OpenVPN 2.4.3?
Thank you,
JP