(Solved) OpenVPN lost connectivity
-
2.3-ALPHA (i386)
built on Tue Dec 01 22:17:20 CST 2015

I have two spur offices that I am testing on. Did upgrade tonight and lost VPN connectivity to both. Still have a way in so I can see the routers are working otherwise.
VPN still shows connected on both ends.
Site to Site.
| Client UDP:1194 | up | Tue Dec 1 23:16:36 2015 | 10.10.1.2 | x.x.x.138 | 6 KB | 7 KB |
-
Some logs:
Dec 1 23:15:32 openvpn[633]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Dec 1 23:15:32 openvpn[633]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 172.31.125.0
Dec 1 23:15:32 openvpn[633]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Dec 1 23:15:32 openvpn[633]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 172.30.15.0
-
Is this an SSL/TLS remote access setup with client-specific overrides?
If so, what options do you have specified in the overrides, and what do the contents of /var/etc/openvpn-csc/<server id>/<common name> look like?
-
Hi JimP
It's a peer-to-peer shared key setup.
-
Hmm, nothing should have changed for shared key. Are those log messages found on both sides? Are both sides 2.3?
Can you share the contents of the /var/etc/openvpn/*.conf files? Or at least the lines inside with ifconfig and route (No need to see keys or anything secret)
-
~~Actually might be a bigger issue somewhere else.
I can't get to anything behind the firewall with port forward rules I've had for years. (Outside of the VPN.)
I simply disable firewall rules when I'm not using them as I use the VPN instead.~~ I'm letting one of the sites update to the latest snap and will report back.
Axe that- loose nut behind the wheel!
Working on your requests now.
One side is 2.2.5 and the two test sites are 2.3
All 2.2.5 sites working fine.
-
dev ovpnc1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 173.xxx.xxx.26
lport 1194
management /var/etc/openvpn/client1.sock unix
remote Box.MyIP.com 1194
ifconfig 10.10.1.2 10.10.1.1
route 172.31.125.0 255.255.255.0
route 172.30.15.0 255.255.255.248
route 192.168.25.0 255.255.255.0
secret /var/etc/openvpn/client1.secret
comp-lzo adaptive
topology subnet
-
Hmm it's adding topology there when it shouldn't be added for shared key. I'll take a look in the code and find a fix.
-
This is from the 2.2.5 side in case it helps. :)
Dec 2 10:30:42 openvpn[16323]: Inactivity timeout (--ping-restart), restarting
Dec 2 10:30:42 openvpn[16323]: SIGUSR1[soft,ping-restart] received, process restarting
Dec 2 10:30:44 openvpn[16323]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 2 10:30:44 openvpn[16323]: Re-using pre-shared static key
Dec 2 10:30:44 openvpn[16323]: Preserving previous TUN/TAP instance: ovpns1
Dec 2 10:30:44 openvpn[16323]: UDPv4 link local (bound): [AF_INET]xx.1xx.xxx.1x8:1194
Dec 2 10:30:44 openvpn[16323]: UDPv4 link remote: [undef]
Dec 2 10:31:17 openvpn[16323]: Peer Connection Initiated with [AF_INET]1xx.xxx.xxx.x6:1194
Dec 2 10:31:18 openvpn[16323]: Initialization Sequence Completed
Dec 2 10:31:25 openvpn[16323]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.10.1.1 10.10.1.2', remote='ifconfig 10.10.1.0 10.10.1.1'
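Added example, not part of the thread or of pfSense/OpenVPN code: a small Python checker that ties together the posted client config, JimP's diagnosis (a stray "topology subnet" in a static-key config) and the two log symptoms. It parses the config, flags "secret" combined with "topology subnet", flags routes that have no gateway (under subnet topology OpenVPN does not use the ifconfig peer as the implied route gateway, which is the "needs a gateway parameter" line), and models the "ifconfig" field of the options string the 2.3 side sends to its peer. That model is my reading of OpenVPN's tun.c and is an assumption: under "topology subnet" the second ifconfig argument is taken as a netmask and the advertised field becomes (local & mask, mask), which for "ifconfig 10.10.1.2 10.10.1.1" yields the "10.10.1.0 10.10.1.1" seen in the 2.2.5 side's warning. The embedded config is constructed from the posted one with the public address and hostname replaced by placeholders.

```python
import ipaddress

# Constructed from the config posted in the thread: public IP and hostname
# replaced with documentation placeholders, otherwise the same directives.
POSTED_CONFIG = """\
dev ovpnc1
dev-type tun
proto udp
cipher AES-256-CBC
auth SHA1
local 192.0.2.26
lport 1194
remote vpn.example.invalid 1194
ifconfig 10.10.1.2 10.10.1.1
route 172.31.125.0 255.255.255.0
route 172.30.15.0 255.255.255.248
route 192.168.25.0 255.255.255.0
secret /var/etc/openvpn/client1.secret
comp-lzo adaptive
topology subnet
"""


def parse_config(text):
    """Split an OpenVPN config into (directive, [args]) pairs; drop comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def ifconfig_option_string(local, second, topology):
    """Model (assumption, my reading of OpenVPN's tun.c) of the 'ifconfig' field
    in the options string OpenVPN compares with its peer: under 'topology subnet'
    the second argument is a netmask and the field is (local & mask, mask);
    under the default net30/p2p topology it is (local, remote)."""
    if topology == "subnet":
        net = int(ipaddress.ip_address(local)) & int(ipaddress.ip_address(second))
        return f"ifconfig {ipaddress.ip_address(net)} {second}"
    return f"ifconfig {local} {second}"


def check_config(text):
    """Return a list of findings for a static-key (shared secret) tunnel config."""
    entries = parse_config(text)
    directives = {d for d, _ in entries}
    topology = next((a[0] for d, a in entries if d == "topology"), "net30")
    ifconfig = next((a for d, a in entries if d == "ifconfig"), None)
    findings = []
    if "secret" in directives and topology == "subnet":
        findings.append("static-key tunnel with 'topology subnet': the second "
                        "ifconfig argument is read as a netmask, not the peer address")
    if ifconfig and topology == "subnet":
        try:
            ipaddress.ip_network(f"0.0.0.0/{ifconfig[1]}")
        except ValueError:
            findings.append(f"'{ifconfig[1]}' is not a valid netmask for topology subnet")
    if topology == "subnet":
        # Only net30/p2p make the ifconfig peer the implied route gateway; under
        # subnet each route needs its own gateway or a --route-gateway, which is
        # what the "needs a gateway parameter for a --route option" log line says.
        for d, a in entries:
            if d == "route" and len(a) < 3:
                findings.append(f"route {a[0]} has no gateway and none is implied by ifconfig")
    return findings


def strip_topology(text):
    """Apply the fix from the thread: drop the topology directive from a static-key config."""
    return "\n".join(l for l in text.splitlines() if not l.startswith("topology ")) + "\n"


if __name__ == "__main__":
    for finding in check_config(POSTED_CONFIG):
        print("FINDING:", finding)
    print("2.3 side advertises:", ifconfig_option_string("10.10.1.2", "10.10.1.1", "subnet"))
    print("after fix:", check_config(strip_topology(POSTED_CONFIG)) or "no findings")
```

Run as-is it reports five findings for the posted config (the secret/subnet clash, the non-netmask "10.10.1.1", and the three gateway-less routes) and none once the topology line is removed, which matches the poster's report that editing the config on both affected machines restored the tunnels.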
-
I was able to modify my config files on both affected machines and everything came back fine. So no other underlying issues. (But you knew that already.) :)
-
OK I just pushed a fix, you can gitsync to pick it up in a few minutes, or wait until the next snapshot build and upgrade that way.
-
Thanks JimP