How to restart OpenVPN server



  • Hello

    When I change some setting in the OpenVPN server (IP or other), it isn't possible to connect to the OpenVPN server any more unless I reset the pfSense computer.
    Is it possible to restart only the OpenVPN server?



  • Could you provide us detailed steps on how to reproduce this, please?



  • When I change any setting in the PPTP server, the PPTP server automatically restarts and closes all connections.
    On a Linux system, the PPTP server is restarted by the command /etc/init.d/pptp restart
    When I change any setting in the OpenVPN server, I have to restart the computer, otherwise the server doesn't work.



  • This is the log file and the error. Why does this error occur? If I reset the computer, the OpenVPN server starts normally.

    Nov 15 23:45:50 openvpn[5569]: Exiting
    Nov 15 23:45:50 openvpn[5569]: TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
    Nov 15 23:45:50 openvpn[5569]: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible
    Nov 15 23:45:50 openvpn[5569]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006



  • I have version: 1.0.1
    built on Sun Oct 29 01:07:16 UTC 2006
    And I get the same problem. It was working normally until today. I have had it up for about 2 days.
    If I reboot the pf it works with changes, the changes get written to config.xml, but the openvpn server doesn't shut down.



  • Greetings,

    I have the same problem with OpenVPN.
    I tried many ports but with the same result… When I restart pfSense, everything works fine, but when I try to change settings in OpenVPN, then OpenVPN shuts down with this error message:

    TCP/UDP: Socket bind failed on local address [undef]:15888: Address already in use



  • OpenVPN isn't being killed properly. I don't know why, maybe the machines you're using are slower (specs?).

    If you want to help, please run this from a pfSense terminal (from the shell, not from the console menu):

    /usr/bin/time -h sh -c 'RUNNING=`ps ax | grep openvpn | grep -v grep`; while [ -n "$RUNNING" ]; do RUNNING=`ps ax | grep openvpn | grep -v grep`;  done' |& awk '{print $3}' & echo '' | php -q
    

    The output should be something like:

    [1] 87559 87560
    0.58s
    [1]  + Exit 1                        /usr/bin/time -h sh -c  ... |&
           Done                          awk {print $3}
    

    I'm interested in the second line, "0.58s" in this example.



  • [1] 1621 1622

    0.17s

    [1]    Exit 1                        /usr/bin/time -h sh -c  … |&
          Done                          awk {print $3}

    Computer configuration :
    Pentium 2 - 500 MHz
    256 MB RAM



  • Here are my specs:
    I have dual machines running a CARP config, but only one is running openvpn.
    Pentium D 915
    1GB RAM
    2x 80GB HD (SATA)
    2x Onboard Gb NIC
    2x Intel Pro 1000PT Nic

    Here is the output from the command at the shell:
    [1] 58131 58132
    0.00s
    [1]  + Done                          /usr/bin/time -h sh -c  … |& awk {print $3}

    Thanks for the help.



  • Thanks for the quick replies. We're studying what the best way to fix it is. In the meantime, if you need to restart OpenVPN after performing changes to the config screen, issue:

    echo "" | php -q
    


  • echo "" | php -q
    

    Same problem :( This doesn't help… I must restart the whole box :(

    I tried 3 boxes and a clean installation. The first time everything appears OK and I can change the OpenVPN config without a problem and it restarts without error... but after some hours this happened after changing options :(

    Nov 16 17:09:55 openvpn[14308]: Exiting
    Nov 16 17:09:55 openvpn[14308]: TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
    Nov 16 17:09:55 openvpn[14308]: Control Channel Authentication: using '/etc/tls_auth.key' as a OpenVPN static key file
    Nov 16 17:09:55 openvpn[14308]: WARNING: file '/etc/tls_auth.key' is group or others accessible
    Nov 16 17:09:55 openvpn[14308]: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible
    Nov 16 17:09:55 openvpn[14308]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006

    P.S. Sorry for my bad English :D But I think you understand me :)



  • @bosko:

    This is the log file and the error. Why does this error occur? If I reset the computer, the OpenVPN server starts normally.

    Nov 15 23:45:50 openvpn[5569]: Exiting
    Nov 15 23:45:50 openvpn[5569]: TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
    Nov 15 23:45:50 openvpn[5569]: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible
    Nov 15 23:45:50 openvpn[5569]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006

    Yeah, same problem here… openvpn is not running when I run it from the command line:

    # /usr/local/sbin/openvpn --config /var/etc/openvpn_server0.conf 
    
    Nov 22 16:03:20 router openvpn[7506]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr  6 2006
    Nov 22 16:03:20 router openvpn[7506]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
    Nov 22 16:03:20 router openvpn[7506]: TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
    Nov 22 16:03:20 router openvpn[7506]: Exiting
    

    I can't seem to find what is using 1194 when openvpn is not running.



  • From a shell issue a sockstat command to see what processes are listening on what ports.



  • @sullrich:

    From a shell issue a sockstat command to see what processes are listening on what ports.

    root     check_relo 326   11 udp4   *:1194                *:*

    So something is wrong with check reload status… When I kill this process everything works fine!



  • Eh, this doesn't make any sense.  check_reload_status doesn't even open a socket.



  • @sullrich:

    From a shell issue a sockstat command to see what processes are listening on what ports.

    Yeah, I've got another whole mess attached apparently:

    # sockstat | grep 1194
    root     sleep      3078  10 udp4   *:1194                *:*
    root     sh         1463  10 udp4   *:1194                *:*
    _dhcp    dhclient   1306  10 udp4   *:1194                *:*
    root     dhclient   1259  10 udp4   *:1194                *:*
    root     check_relo 659   10 udp4   *:1194                *:*
    


  • sockstat | grep 1194

    root    check_relo 405  11 udp4  *:1194                *:*

    I tried this many times… but when I try to change OpenVPN settings, check_reload_status blocks port 1194. When I kill it everything works fine and I can change OpenVPN settings without any problem until the next restart...
    After a restart, OpenVPN runs OK until I try to change some options...
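
The check the posters above did by eye with sockstat | grep 1194, as an added example (not code from the thread or from pfSense): list every process holding the port that is not the expected daemon, and report descriptor numbers shared by different programs. The first five sample rows are the sockstat output quoted in the thread; the openvpn row and all function names are constructed for the example.

```python
from collections import defaultdict

# Rows 1-5 are the sockstat output quoted in the thread; the openvpn row is
# constructed here to show what a legitimate holder of the port looks like.
SAMPLE = """\
root     sleep      3078  10 udp4   *:1194                *:*
root     sh         1463  10 udp4   *:1194                *:*
_dhcp    dhclient   1306  10 udp4   *:1194                *:*
root     dhclient   1259  10 udp4   *:1194                *:*
root     check_relo 659   10 udp4   *:1194                *:*
root     openvpn    4242  5  udp4   *:1194                *:*
"""

def parse_sockstat(text):
    """Parse FreeBSD sockstat rows into dicts, skipping headers and junk."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        user, command, pid, fd, proto, local = parts[:6]
        port = local.rpartition(":")[2]
        if not (pid.isdigit() and fd.isdigit() and port.isdigit()):
            continue  # header row, or a socket with no numeric local port
        rows.append({"user": user, "command": command, "pid": int(pid),
                     "fd": int(fd), "proto": proto, "port": int(port)})
    return rows

def unexpected_holders(text, port, expected="openvpn"):
    """Return (command, pid) for every process on `port` that is not `expected`."""
    return [(r["command"], r["pid"]) for r in parse_sockstat(text)
            if r["port"] == port and r["command"] != expected]

def shared_descriptors(text, port):
    """Map fd number -> sorted commands when different programs share it.

    An inherited descriptor keeps its number across fork/exec, so the same
    fd in several different programs is consistent with a leaked socket.
    """
    by_fd = defaultdict(set)
    for r in parse_sockstat(text):
        if r["port"] == port:
            by_fd[r["fd"]].add(r["command"])
    return {fd: sorted(cmds) for fd, cmds in by_fd.items() if len(cmds) > 1}

if __name__ == "__main__":
    for command, pid in unexpected_holders(SAMPLE, 1194):
        print(f"unexpected holder of 1194: {command} (pid {pid})")
    print(shared_descriptors(SAMPLE, 1194))
```

sockstat truncates long command names, which is why check_reload_status appears as check_relo.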



  • cheers,

    verified this problem on all my embedded systems and 2 firewalls
    with strong i386 hardware.

    kind regards
    dairaen



  • Please upgrade to http://www.pfsense.com/~sullrich/1.0.1-SNAPSHOT-11-25-2006/ and see if the problem persists.



  • cheers,

    I am not at the office right now, so I can't test the
    snapshot before next week; I will report if it fixes the bug.

    kind regards
    dairaen



  • @sullrich:

    Please upgrade to http://www.pfsense.com/~sullrich/1.0.1-SNAPSHOT-11-25-2006/ and see if the problem persists.

    Sorry but no change for me :(

    sockstat | grep 1194

    root    check_relo 387  11 udp4  *:1194                *:*

    Nov 28 14:14:45 openvpn[1558]: Exiting
    Nov 28 14:14:45 openvpn[1558]: TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
    Nov 28 14:14:45 openvpn[1558]: Control Channel Authentication: using '/etc/tls_auth.key' as a OpenVPN static key file
    Nov 28 14:14:45 openvpn[1558]: WARNING: file '/etc/tls_auth.key' is group or others accessible
    Nov 28 14:14:45 openvpn[1558]: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible
    Nov 28 14:14:45 openvpn[1558]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
    Nov 28 14:14:44 openvpn[381]: SIGTERM[hard,] received, process exiting
    Nov 28 14:14:41 openvpn[381]: /etc/rc.filter_configure tun0 1500 1542 192.168.50.1 192.168.50.2 init
    Nov 28 14:14:41 openvpn[381]: event_wait : Interrupted system call (code=4)
    ^^^^ After saving the OpenVPN config without any changes ^^^^

    Nov 28 14:13:04 openvpn[381]: Need IPv6 code in mroute_extract_addr_from_packet
    Nov 28 14:13:04 openvpn[381]: Initialization Sequence Completed
    Nov 28 14:13:04 openvpn[381]: UDPv4 link remote: [undef]
    Nov 28 14:13:04 openvpn[381]: UDPv4 link local (bound): [undef]:1194
    Nov 28 14:13:01 openvpn[302]: /etc/rc.filter_configure tun0 1500 1542 192.168.50.1 192.168.50.2 init
    Nov 28 14:13:01 openvpn[302]: /sbin/ifconfig tun0 192.168.50.1 192.168.50.2 mtu 1500 netmask 255.255.255.255 up
    Nov 28 14:13:01 openvpn[302]: TUN/TAP device /dev/tun0 opened
    Nov 28 14:13:01 openvpn[302]: gw 85.70.189.50
    Nov 28 14:13:01 openvpn[302]: Control Channel Authentication: using '/etc/tls_auth.key' as a OpenVPN static key file
    Nov 28 14:13:01 openvpn[302]: WARNING: file '/etc/tls_auth.key' is group or others accessible
    Nov 28 14:13:01 openvpn[302]: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible
    Nov 28 14:13:01 openvpn[302]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
    ^^^^ Normal RESTART ^^^^



  • At this point I am at a loss.  Will have to discuss it with the other devs.  We are all really confused on this one.



  • Same problem on my box ???.

    root    lighttpd  1785  10 tcp4  *:1194                *:*
    root    check_relo 339  10 tcp4  *:1194                *:*

    Hope you find the problem soon, good luck anyway!



  • Still nothing new about this problem? I tried every snapshot but without any progress :(



  • The only thing you can do is to make your changes and save, click the disable box to disable the tunnel and then restart pf, and when it's up again, click the box to enable the tunnel again.



  • Same problem here and at a friend's system and at work, too… even switching to another port did not work (only for one day - using 1195 now) and the system at work... still no changes  :'(



  • I have the same issue (and have had for a while now), the OpenVPN server tells me whatever port number I'm using is already in use.  I've tried with the latest snapshot (Jan 7/06), same issue.



  • Known issue. It's covered in 3-4 other threads but there is no solution as of yet.



  • I'm having the same problem with my server in UDP mode. TCP mode works perfectly for me. Looking at the listening server processes with "sockstat -l" reveals:

    _dhcp    dhclient  794  10 udp4  *:1194                *:*
    root    dhclient  697  10 udp4  *:1194                *:*

    Apparently, the dhclient process is listening on UDP port 1194 …  ???

    FYI, my box is connected at the WAN side through DHCP to my ISP. In the OpenVPN server, I enabled dynamic dns clients.



  • There is some kind of bug where processes are inheriting other socket descriptors.



  • Thanks for the information Scott!

    I did some more testing and I saw the same problem now with the OpenVPN server in TCP mode. Hence I think it doesn't matter if the connection is through TCP or UDP, the same problem shows up. Rebooting solves the problem. The problem also seems to happen at random.

    If there is anything I can do to help you find the problem (socket descriptors being reused?), I'll be happy to do more testing!



  • Hi Scott,

    I noticed your Check-In 16202 on the CVS trac and I modified my /etc/inc/filter.inc as shown. Now in my case, OpenVPN is again (re)starting normally without the socket descriptors being reused by other processes! It works in both TCP and UDP server mode now (I use TCP for roadwarriors and UDP for site to site).

    I will do some more extensive testing one of these days.

    Thanks for the nice solution! :)



  • Great!  Glad to hear that it has solved the issues.



  • I'm testing the updated filter.inc file as well.  I'll let you know in 24h if the OpenVPN tunnel is still up.  It usually dies after a couple hours for me.



  • I tried the last snapshot from 22.01.07 and OpenVPN works great!

    Thanks for this fix !



  • It's working for me as well!!! :D



  • Y E A H

    Scott you rule !

    Happy to see this bug to be gone  ;D



  • Yep, everything is A-OK for me too.  The tunnel didn't go down once.  I guess I'll just install the 1-22-07 snapshot now.



  • I need to implement this solution for a couple of temporary sites I am setting up for a week's time :(.

    I need to run them from a LiveCD.

    How can I create a LiveCD with this fix in?

    Please note that I am predominately a windows man, don't have much BSD/Linux experience and no machines other than a production firewall running pfSense :).



  • Just fetch a new LiveCD that has this bug fixed from the snapshot server instead of a 1.0.1 release from the mirrors: http://snapshots.pfsense.org/FreeBSD6/RELENG_1/

