(Solved) OpenVPN lost connectivity



  • 2.3-ALPHA (i386)
    built on Tue Dec 01 22:17:20 CST 2015

    I have two spur offices that I am testing on.  Did upgrade tonight and lost VPN connectivity to both.  Still have a way in so I can see the routers are working otherwise.

    VPN still shows connected on both ends.

    Site to Site.

    | Client UDP:1194 | up | Tue Dec 1 23:16:36 2015 | 10.10.1.2 | x.x.x.138 | 6 KB | 7 KB |



  • Some logs-

    Dec 1 23:15:32 openvpn[633]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
    Dec 1 23:15:32 openvpn[633]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 172.31.125.0
    Dec 1 23:15:32 openvpn[633]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
    Dec 1 23:15:32 openvpn[633]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 172.30.15.0


  • Rebel Alliance Developer Netgate

    Is this an SSL/TLS remote access setup with client-specific overrides?

    If so, what options do you have specified in the overrides, and what do the contents of /var/etc/openvpn-csc/<server id>/<common name> look like?



  • Hi JimP

    It's a peer-to-peer shared key setup.


  • Rebel Alliance Developer Netgate

    Hmm, nothing should have changed for shared key. Are those log messages found on both sides? Are both sides 2.3?
    Can you share the contents of the /var/etc/openvpn/*.conf files? Or at least the lines inside with ifconfig and route (No need to see keys or anything secret)



  • ~~Actually might be a bigger issue somewhere else.

    I can't get to anything behind the firewall with port forward rules I've had for years. (Outside of the VPN.)

    I simply disable firewall rules when I'm not using them as I use the VPN instead.~~  I'm letting one of the sites update to the latest snap and will report back.

    Axe that- loose nut behind the wheel!

    Working on your requests now.

    One side is 2.2.5 and the two test sites are 2.3

    All 2.2.5 sites working fine.



  • dev ovpnc1
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 173.xxx.xxx.26
    lport 1194
    management /var/etc/openvpn/client1.sock unix
    remote Box.MyIP.com 1194
    ifconfig 10.10.1.2 10.10.1.1
    route 172.31.125.0 255.255.255.0
    route 172.30.15.0 255.255.255.248
    route 192.168.25.0 255.255.255.0
    secret /var/etc/openvpn/client1.secret 
    comp-lzo adaptive
    topology subnet
    
    

  • Rebel Alliance Developer Netgate

    Hmm it's adding topology there when it shouldn't be added for shared key. I'll take a look in the code and find a fix.
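
As an added example (not code from this thread or from pfSense), here is a small Python checker that applies the rule JimP is describing to the posted client config. In `--secret` (shared key) mode the second `ifconfig` argument is the peer's tunnel endpoint and becomes the default gateway for bare `route net mask` lines; once `topology subnet` is present that argument is read as a netmask instead, so there is no implied gateway and OpenVPN logs the "needs a gateway parameter for a --route option" error seen above. The sample config below is constructed from the one posted in the thread with placeholder addresses and hostname; `check_config` and `fix_shared_key_config` are names chosen here, not OpenVPN or pfSense functions.

```python
import shlex

# Constructed sample modelled on the client config posted in the thread.
# Addresses and the remote hostname are placeholders, not the real site's.
BROKEN_CONFIG = """\
dev ovpnc1
dev-type tun
proto udp
cipher AES-256-CBC
auth SHA1
local 192.0.2.26
lport 1194
remote vpn.example.net 1194
ifconfig 10.10.1.2 10.10.1.1
route 172.31.125.0 255.255.255.0
route 172.30.15.0 255.255.255.248
route 192.168.25.0 255.255.255.0
secret /var/etc/openvpn/client1.secret
comp-lzo adaptive
topology subnet
"""


def parse_config(text):
    """Return a list of (directive, [args]) pairs, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def check_config(text):
    """Return a list of findings (empty list means the routes can be installed)."""
    by_name = {}
    for name, args in parse_config(text):
        by_name.setdefault(name, []).append(args)

    findings = []
    shared_key = 'secret' in by_name
    # OpenVPN's default topology is net30, which is point-to-point like p2p.
    topology = by_name.get('topology', [['net30']])[-1][0]
    if shared_key and topology == 'subnet':
        findings.append("topology subnet combined with --secret: the second "
                        "ifconfig argument is read as a netmask, not the peer endpoint")

    # A bare "route net mask" needs a default gateway: either an explicit
    # --route-gateway or the remote endpoint of a point-to-point --ifconfig.
    ifconfig = by_name.get('ifconfig', [[]])[-1]
    implied_gateway = None
    if 'route-gateway' in by_name:
        implied_gateway = by_name['route-gateway'][-1][0]
    elif len(ifconfig) == 2 and topology != 'subnet':
        implied_gateway = ifconfig[1]

    for args in by_name.get('route', []):
        # An explicit gateway address or net_gateway on the route line is fine;
        # 'vpn_gateway' and 'default' both fall back to the implied gateway.
        if len(args) >= 3 and args[2] not in ('vpn_gateway', 'default'):
            continue
        if implied_gateway is None:
            findings.append(f"route {' '.join(args)}: no gateway and no default available")
    return findings


def fix_shared_key_config(text):
    """Drop 'topology' lines from a --secret config, mirroring JimP's point
    that topology should not be emitted for shared key mode."""
    names = {name for name, _ in parse_config(text)}
    kept = []
    for raw in text.splitlines():
        if 'secret' in names and raw.strip().startswith('topology'):
            continue
        kept.append(raw)
    return '\n'.join(kept) + '\n'


if __name__ == '__main__':
    for finding in check_config(BROKEN_CONFIG):
        print('BROKEN:', finding)
    fixed = fix_shared_key_config(BROKEN_CONFIG)
    print('FIXED findings:', check_config(fixed))
```

Run it against a pfSense-generated /var/etc/openvpn/client1.conf (with the key path left in; the checker never reads the key) and an empty result means every `route` line has a usable gateway; each finding names the route that OpenVPN would refuse to install.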



  • This is from the 2.2.5 side in case it helps.  :)

    Dec 2 10:30:42     openvpn[16323]: Inactivity timeout (--ping-restart), restarting
    Dec 2 10:30:42     openvpn[16323]: SIGUSR1[soft,ping-restart] received, process restarting
    Dec 2 10:30:44     openvpn[16323]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Dec 2 10:30:44     openvpn[16323]: Re-using pre-shared static key
    Dec 2 10:30:44     openvpn[16323]: Preserving previous TUN/TAP instance: ovpns1
    Dec 2 10:30:44     openvpn[16323]: UDPv4 link local (bound): [AF_INET]xx.1xx.xxx.1x8:1194
    Dec 2 10:30:44     openvpn[16323]: UDPv4 link remote: [undef]
    Dec 2 10:31:17     openvpn[16323]: Peer Connection Initiated with [AF_INET]1xx.xxx.xxx.x6:1194
    Dec 2 10:31:18     openvpn[16323]: Initialization Sequence Completed
    Dec 2 10:31:25     openvpn[16323]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.10.1.1 10.10.1.2', remote='ifconfig 10.10.1.0 10.10.1.1'
    
    


  • I was able to modify my config files on both affected machines and everything came back fine. So no other underlying issues. (But you knew that already.)  :)


  • Rebel Alliance Developer Netgate

    OK I just pushed a fix, you can gitsync to pick it up in a few minutes, or wait until the next snapshot build and upgrade that way.



  • Thanks JimP

