(Solved) OpenVPN lost connectivity
built on Tue Dec 01 22:17:20 CST 2015
I have two spur offices that I am testing on. Did upgrade tonight and lost VPN connectivity to both. Still have a way in so I can see the routers are working otherwise.
VPN still shows connected on both ends.
Site to Site.
Client UDP:1194 | up | Tue Dec 1 23:16:36 2015 | 10.10.1.2 | x.x.x.138 | 6 KB | 7 KB
```
Dec 1 23:15:32 openvpn: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Dec 1 23:15:32 openvpn: OpenVPN ROUTE: failed to parse/resolve route for host/network: 172.31.125.0
Dec 1 23:15:32 openvpn: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Dec 1 23:15:32 openvpn: OpenVPN ROUTE: failed to parse/resolve route for host/network: 172.30.15.0
```
Is this an SSL/TLS remote access setup with client-specific overrides?
If so, what options do you have specified in the overrides, and what do the contents of /var/etc/openvpn-csc/<server id>/<common name> look like?
It's a peer to peer shared key setup.
Hmm, nothing should have changed for shared key. Are those log messages found on both sides? Are both sides 2.3?
Can you share the contents of the /var/etc/openvpn/*.conf files? Or at least the lines inside with ifconfig and route (No need to see keys or anything secret)
~~Actually might be a bigger issue somewhere else.
I can't get to anything behind the firewall with port forward rules I've had for years. (Outside of the VPN.)
I simply disable firewall rules when I'm not using them as I use the VPN instead.~~ I'm letting one of the sites update to the latest snap and will report back.
Axe that - loose nut behind the wheel!
Working on your requests now.
One side is 2.2.5 and the two test sites are 2.3
All 2.2.5 sites working fine.
```
dev ovpnc1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 173.xxx.xxx.26
lport 1194
management /var/etc/openvpn/client1.sock unix
remote Box.MyIP.com 1194
ifconfig 10.10.1.2 10.10.1.1
route 172.31.125.0 255.255.255.0
route 172.30.15.0 255.255.255.248
route 192.168.25.0 255.255.255.0
secret /var/etc/openvpn/client1.secret
comp-lzo adaptive
topology subnet
```
Hmm it's adding topology there when it shouldn't be added for shared key. I'll take a look in the code and find a fix.
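An added example, not code from this thread or from pfSense, that checks a generated client config for the combination just described (a `--secret` config that also carries `topology subnet`), reports why the peers then disagree on `ifconfig` and why the `route` lines lose their gateway, and strips the offending line. The sample config and its hostname are constructed, and `parse_conf`, `is_netmask`, `lint_shared_key` and `fix_shared_key` are names chosen here.

```python
import ipaddress
# Constructed sample modelled on the posted client config; hostname, key path and addresses are placeholders.
SAMPLE_CONF = """\
remote vpn.example.invalid 1194
ifconfig 10.10.1.2 10.10.1.1
route 172.31.125.0 255.255.255.0
route 172.30.15.0 255.255.255.248
secret /var/etc/openvpn/client1.secret
topology subnet
"""

def parse_conf(text):
    """Split an OpenVPN config into (directive, args) pairs, dropping '#' comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            pairs.append((name, args))
    return pairs

def is_netmask(s):
    """True if s is a valid IPv4 netmask such as 255.255.255.248."""
    try:
        ipaddress.IPv4Network(("0.0.0.0", s))
        return True
    except ValueError:
        return False

def lint_shared_key(text):
    """Findings for a --secret config; [] when clean or when TLS mode is used."""
    pairs = parse_conf(text)
    vals = lambda name: [a for d, a in pairs if d == name]
    if not vals("secret") or ["subnet"] not in vals("topology"):
        return []  # TLS mode, or p2p without the bad line: nothing to report
    findings = ["topology subnet combined with --secret (point-to-point mode)"]
    ifc = (vals("ifconfig") or [[]])[0]
    if len(ifc) == 2 and not is_netmask(ifc[1]):
        findings.append(f"ifconfig {ifc[0]} {ifc[1]}: second arg is the peer address, but subnet mode reads it as a netmask")
    bare = [a for a in vals("route") if len(a) < 3]
    if bare and not vals("route-gateway"):
        findings.append(f"{len(bare)} route line(s) without a gateway, and subnet mode supplies no default from ifconfig")
    return findings

def fix_shared_key(text):
    """Drop 'topology' lines from a --secret config (the manual workaround used in this thread)."""
    if not any(d == "secret" for d, _ in parse_conf(text)):
        return text
    return "\n".join(l for l in text.splitlines() if l.split()[:1] != ["topology"]) + "\n"
```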
This is from the 2.2.5 side in case it helps. :)
```
Dec 2 10:30:42 openvpn: Inactivity timeout (--ping-restart), restarting
Dec 2 10:30:42 openvpn: SIGUSR1[soft,ping-restart] received, process restarting
Dec 2 10:30:44 openvpn: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 2 10:30:44 openvpn: Re-using pre-shared static key
Dec 2 10:30:44 openvpn: Preserving previous TUN/TAP instance: ovpns1
Dec 2 10:30:44 openvpn: UDPv4 link local (bound): [AF_INET]xx.1xx.xxx.1x8:1194
Dec 2 10:30:44 openvpn: UDPv4 link remote: [undef]
Dec 2 10:31:17 openvpn: Peer Connection Initiated with [AF_INET]1xx.xxx.xxx.x6:1194
Dec 2 10:31:18 openvpn: Initialization Sequence Completed
Dec 2 10:31:25 openvpn: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.10.1.1 10.10.1.2', remote='ifconfig 10.10.1.0 10.10.1.1'
```
I was able to modify my config files on both affected machines and everything came back fine. So no other underlying issues. (But you knew that already.) :)
OK I just pushed a fix, you can gitsync to pick it up in a few minutes, or wait until the next snapshot build and upgrade that way.