mounty1 (l33t), Joined: 06 Jul 2006, Posts: 942, Location: Queensland
Posted: Sat May 11, 2019 2:44 am    Post subject: OpenVPN client doesn't work; no tun device created
Hello, I'm trying to set up an openvpn client on a systemd-based installation but it doesn't work. The first point is that no tun interface exists. My configuration is:

```
setenv UV_ID zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
setenv UV_NAME zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
client
dev tun0
dev-type tun
remote zzzzzzzzzzzzzzzzzzzzzzzzzzz 19209 udp
remote zzzzzzzzzzzzzzzzzzzzzzzzzzz 19209 udp
remote-random
nobind
persist-tun
cipher AES-256-CBC
auth SHA512
verb 2
mute 3
push-peer-info
ping 10
ping-restart 60
hand-window 70
server-poll-timeout 4
reneg-sec 2592000
sndbuf 393216
rcvbuf 393216
max-routes 1000
remote-cert-tls server
comp-lzo no
auth-user-pass
key-direction 1
ca /etc/openvpn/client/CS/ca.cert
cert /etc/openvpn/client/CS/client1.crt
key /etc/openvpn/client/CS/client1.key
tls-auth /etc/openvpn/client/CS/ta.key 1
auth-user-pass /etc/openvpn/client/CS/auth
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
```

and when I try:

```
# for I in stop start status ; do sleep 2 ; systemctl $I openvpn-client@CS.service ; done ; journalctl --since "10 seconds ago" -u openvpn-client@CS
```

```
● openvpn-client@CS.service - OpenVPN tunnel for CS
   Loaded: loaded (/lib/systemd/system/openvpn-client@.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-05-11 12:38:14 AEST; 2s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 3351 (openvpn)
   Status: "Pre-connection initialization successful"
   CGroup: /system.slice/system-openvpn\x2dclient.slice/openvpn-client@CS.service
           └─3351 /usr/sbin/openvpn --suppress-timestamps --nobind --config CS.conf

May 11 12:38:14 unesco openvpn[3351]: DEPRECATED OPTION: --max-routes option ignored.The number of routes is unlimited as of OpenVPN 2.4. This option will be removed in a future version, >
May 11 12:38:14 unesco openvpn[3351]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 10 2019
May 11 12:38:14 unesco openvpn[3351]: library versions: mbed TLS 2.17.0, LZO 2.10
May 11 12:38:14 unesco openvpn[3351]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
May 11 12:38:14 unesco systemd[1]: Started OpenVPN tunnel for CS.
May 11 12:38:14 unesco openvpn[3351]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:14 unesco openvpn[3351]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:14 unesco openvpn[3351]: TCP/UDP: Preserving recently used remote address: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:14 unesco openvpn[3351]: UDP link local: (not bound)
May 11 12:38:14 unesco openvpn[3351]: UDP link remote: [AF_INET]zzz.zzz.zzz.zzz:19209
-- Logs begin at Tue 2019-04-30 09:23:00 AEST, end at Sat 2019-05-11 12:38:14 AEST. --
May 11 12:38:08 unesco openvpn[3324]: Server poll timeout, restarting
May 11 12:38:08 unesco openvpn[3324]: SIGUSR1[soft,server_poll] received, process restarting
May 11 12:38:08 unesco openvpn[3324]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
May 11 12:38:08 unesco openvpn[3324]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:08 unesco openvpn[3324]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:08 unesco openvpn[3324]: TCP/UDP: Preserving recently used remote address: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:08 unesco openvpn[3324]: UDP link local: (not bound)
May 11 12:38:08 unesco openvpn[3324]: UDP link remote: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:12 unesco openvpn[3324]: Server poll timeout, restarting
May 11 12:38:12 unesco openvpn[3324]: SIGUSR1[soft,server_poll] received, process restarting
May 11 12:38:12 unesco openvpn[3324]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
May 11 12:38:12 unesco openvpn[3324]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:12 unesco openvpn[3324]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:12 unesco openvpn[3324]: TCP/UDP: Preserving recently used remote address: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:12 unesco openvpn[3324]: UDP link local: (not bound)
May 11 12:38:12 unesco openvpn[3324]: UDP link remote: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:12 unesco openvpn[3324]: event_wait : Interrupted system call (code=4)
May 11 12:38:12 unesco openvpn[3324]: SIGTERM[hard,] received, process exiting
May 11 12:38:12 unesco systemd[1]: Stopping OpenVPN tunnel for CS...
May 11 12:38:12 unesco systemd[1]: openvpn-client@CS.service: Succeeded.
May 11 12:38:12 unesco systemd[1]: Stopped OpenVPN tunnel for CS.
May 11 12:38:14 unesco systemd[1]: Starting OpenVPN tunnel for CS...
May 11 12:38:14 unesco openvpn[3351]: DEPRECATED OPTION: --max-routes option ignored.The number of routes is unlimited as of OpenVPN 2.4. This option will be removed in a future version, >
May 11 12:38:14 unesco openvpn[3351]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 10 2019
May 11 12:38:14 unesco openvpn[3351]: library versions: mbed TLS 2.17.0, LZO 2.10
May 11 12:38:14 unesco openvpn[3351]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
May 11 12:38:14 unesco systemd[1]: Started OpenVPN tunnel for CS.
May 11 12:38:14 unesco openvpn[3351]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:14 unesco openvpn[3351]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:14 unesco openvpn[3351]: TCP/UDP: Preserving recently used remote address: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:14 unesco openvpn[3351]: UDP link local: (not bound)
May 11 12:38:14 unesco openvpn[3351]: UDP link remote: [AF_INET]zzz.zzz.zzz.zzz:19209
```

The kernel has CBC support, and /dev/net/tun exists. So why is there no tun0 device, and does it matter to getting the client working?

Michael Mounteney
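Added example, not code from the thread or from OpenVPN: a shell lint that, run over a client config like the one above, flags the three things the journal already complains about (up/down scripts with no script-security, the deprecated max-routes, auth-user-pass given twice), checks that every referenced file is readable, warns when the credentials file is group- or world-readable, and warns when --user is set without persist-key/persist-tun (after the privilege drop OpenVPN can neither re-read the keys nor reopen the tun on a restart). A fixed "dev tun0" is only noted, not flagged: running as root, OpenVPN creates that device itself. The config path in the usage comment follows the openvpn-client@CS unit (--config CS.conf in /etc/openvpn/client) and is an assumption; the exit status is the warning count.

```shell
#!/bin/sh
# Lint an OpenVPN 2.4 client config for the problems seen in the thread.
# Usage: lint_ovpn_config /etc/openvpn/client/CS.conf   (path is an assumption)
# Exit status = number of warnings; 0 means nothing found.

_warn() { n=$((n + 1)); printf 'WARN: %s\n' "$1"; }
_note() { printf 'NOTE: %s\n' "$1"; }

lint_ovpn_config() {
    conf=$1
    n=0 scripts=0 ss=0 maxroutes=0 aup=0 dev='' ptun=0 pkey=0 user='' authfile='' files=''

    # one directive per line: $opt is the option name, $arg its first argument
    while read -r opt arg rest || [ -n "$opt" ]; do
        case $opt in
            ''|'#'*|';'*) ;;                                  # blank line or comment
            up|down|route-up|route-pre-down) scripts=1 ;;
            script-security) ss=1 ;;
            max-routes) maxroutes=1 ;;
            auth-user-pass) aup=$((aup + 1)); [ -n "$arg" ] && authfile=$arg ;;
            dev) dev=$arg ;;
            persist-tun) ptun=1 ;;
            persist-key) pkey=1 ;;
            user) user=$arg ;;
            ca|cert|key|tls-auth|tls-crypt|crl-verify) files="$files $arg" ;;
        esac
    done < "$conf"

    # the journal's "'--script-security 2' or higher is required" NOTE means the
    # up/down scripts were silently skipped
    [ "$scripts" = 1 ] && [ "$ss" = 0 ] &&
        _warn "up/down scripts configured but script-security is not set; OpenVPN will not run them (add: script-security 2)"
    [ "$maxroutes" = 1 ] &&
        _warn "max-routes is deprecated and ignored since OpenVPN 2.4; remove it"
    [ "$aup" -gt 1 ] &&
        _warn "auth-user-pass appears $aup times; keep only the line naming the credential file"
    if [ -n "$user" ]; then
        [ "$pkey" = 0 ] &&
            _warn "user $user drops privileges but persist-key is not set: key files cannot be re-read on a SIGUSR1/ping-restart (add persist-key)"
        [ "$ptun" = 0 ] &&
            _warn "user $user drops privileges but persist-tun is not set: the tun cannot be reopened on restart unless pre-created and owned by $user (add persist-tun)"
    fi
    case $dev in
        tun[0-9]*) _note "dev $dev fixes the interface name; as root OpenVPN creates it itself, so pre-create it (ip tuntap add dev $dev mode tun user <user>) only when you also drop privileges with --user" ;;
    esac
    for f in $files $authfile; do
        [ -r "$f" ] || _warn "referenced file not readable: $f"
    done
    if [ -n "$authfile" ] && [ -r "$authfile" ]; then
        # ls -l columns 5-10 are the group/other permission bits; credentials must be owner-only
        [ "$(ls -ld "$authfile" | cut -c5-10)" = "------" ] ||
            _warn "$authfile is group/world readable; run: chmod 600 $authfile"
    fi
    return "$n"
}

if [ "$#" -gt 0 ]; then
    lint_ovpn_config "$1"
fi
```

On the config in the first post this prints the script-security, max-routes and duplicate auth-user-pass warnings plus the dev tun0 note; none of those explains the missing device, but the script-security one does explain why up.sh and down.sh never ran.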
Anon-E-moose (Watchman), Joined: 23 May 2008, Posts: 6220, Location: Dallas area
Posted: Sat May 11, 2019 10:32 am
This is what I see before the tun shows up (IPs omitted):

```
UDP link remote: [AF_INET]
Peer Connection Initiated with [AF_INET]
TUN/TAP device tun0 opened
```

If you don't get the remote link and peer connection, the tun won't show.

UM780, 6.12 zen kernel, gcc 13, openrc, wayland
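Added example, not from the thread: the classifier below encodes the sequence Anon-E-moose lists, plus OpenVPN's own "Initialization Sequence Completed" line and its restart and error messages, and reports how far a client got. Run over the journal in the first post it stops at the link stage: "UDP link remote" appears, "Peer Connection Initiated" never does, so OpenVPN has not yet reached the step where it opens the tun device. The missing tun0 is therefore a consequence of the handshake never completing, not its cause, and with tls-auth in play a key or key-direction mismatch makes the server drop the handshake silently, which looks exactly like a filtered port from the client side. The demo lines are constructed from the first post's journal with the address replaced by 192.0.2.1; journalctl's -o cat option is real.

```shell
#!/bin/sh
# Report the furthest stage an OpenVPN client reached, from log lines on stdin.
# Usage: journalctl -u openvpn-client@CS -o cat | ovpn_phase
#        sh thisfile.sh --demo      (runs on the constructed lines below)

ovpn_phase() {
    awk '
    # stage markers, in the order OpenVPN logs them; keep the highest seen
    /UDP link remote:|TCP connection established/   { if (p < 1) p = 1 }
    /Peer Connection Initiated with/                { if (p < 2) p = 2 }
    /TUN\/TAP device .* opened/                     { if (p < 3) p = 3 }
    /Initialization Sequence Completed/             { if (p < 4) p = 4 }
    # restart and failure messages worth counting
    /Server poll timeout/                           { polls++ }
    /Inactivity timeout \(--ping-restart\)/         { pings++ }
    /TLS Error|TLS key negotiation failed/          { tls++ }
    /Cannot open TUN\/TAP dev|Cannot ioctl TUNSETIFF/ { tunerr++ }
    END {
        if (p == 0)      why = "no link: the remote was never resolved or the socket not opened"
        else if (p == 1) why = "link opened but no Peer Connection Initiated: nothing usable came back from the server (UDP port unreachable or filtered, or a tls-auth key/key-direction mismatch makes the server drop the handshake)"
        else if (p == 2) why = "peer connected but TUN/TAP never opened: device creation failed (dev name, /dev/net/tun, privileges)"
        else if (p == 3) why = "tun opened but Initialization Sequence Completed never logged"
        else             why = "tunnel came up"
        printf "phase=%d %s\n", p, why
        if (polls)  printf "  server poll timeouts: %d\n", polls
        if (pings)  printf "  ping-restart timeouts: %d\n", pings
        if (tls)    printf "  TLS errors: %d\n", tls
        if (tunerr) printf "  TUN/TAP open errors: %d\n", tunerr
    }'
}

# Constructed lines mirroring the first post's journal (address replaced).
ovpn_phase_demo() {
    printf '%s\n' \
        'May 11 12:38:08 unesco openvpn[3324]: UDP link remote: [AF_INET]192.0.2.1:19209' \
        'May 11 12:38:12 unesco openvpn[3324]: Server poll timeout, restarting' \
        'May 11 12:38:12 unesco openvpn[3324]: SIGUSR1[soft,server_poll] received, process restarting' \
        'May 11 12:38:14 unesco openvpn[3351]: UDP link remote: [AF_INET]192.0.2.1:19209' |
        ovpn_phase
}

if [ "${1-}" = "--demo" ]; then
    ovpn_phase_demo
fi
```

The demo reports phase=1 with one server poll timeout; a healthy connection reports phase=4. When the later post says the server does see the client connect but drops it after 60 seconds for unanswered keepalives, the client-side journal at verb 2 would still look like this, so raising verb (as suggested below in the thread) is the next step.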
szatox (Advocate), Joined: 27 Aug 2013, Posts: 3493
Posted: Sat May 11, 2019 11:00 am
Doesn't this option require you to create the tun device manually before starting your VPN?

> May 11 12:38:12 unesco openvpn[3324]: Server poll timeout, restarting

A firewall blocking your connection?

> May 11 12:38:12 unesco openvpn[3324]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables

You have some scripts linked in your config; what do they do?
Anon-E-moose (Watchman), Joined: 23 May 2008, Posts: 6220, Location: Dallas area
Posted: Sat May 11, 2019 11:39 am
szatox wrote:
> Doesn't this option require you to create the tun device manually before starting your VPN?

I have that option; it will create it if it doesn't exist, or reuse one if it had been started in the past.

Edit to add:

```
--persist-tun
Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.
```

UM780, 6.12 zen kernel, gcc 13, openrc, wayland
mounty1 (l33t), Joined: 06 Jul 2006, Posts: 942, Location: Queensland
Posted: Sat May 11, 2019 12:05 pm    Post subject: Not sure
Been working with some of the sysops ... apparently I am connecting, but disconnecting after 60 seconds owing to failing to respond to 'pings' (which are not real pings but openvpn keepalive packets). No tun interface is created.

Michael Mounteney
Anon-E-moose (Watchman), Joined: 23 May 2008, Posts: 6220, Location: Dallas area
Posted: Sat May 11, 2019 12:08 pm
My openvpn.conf:

```
$ cat /etc/openvpn/openvpn.conf
client
dev tun
proto udp
remote xxxxxxxxxxxxxxxxxxxx xxxx
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
#auth-user-pass
auth-user-pass /etc/openvpn/openvpn.up
#comp-lzo
compress
verb 1
reneg-sec 0
crl-verify crl.pem
ca ca.crt
#disable occ
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/openvpn.rte.down"
route-up "/etc/openvpn/openvpn.rte.up"
route-delay 2
route-noexec
log-append /var/log/openvpn/openvpn.log
user openvpn
group openvpn
```

ETA: If you run "verb 4" you'll get lots more info (I use it when troubleshooting, then turn it off).

UM780, 6.12 zen kernel, gcc 13, openrc, wayland
Anon-E-moose (Watchman), Joined: 23 May 2008, Posts: 6220, Location: Dallas area
Posted: Sat May 11, 2019 12:56 pm
I see you use "dev tun0" instead of "dev tun"; in that case I'm not sure whether it has to exist before you try to use it or not.

```
--dev tunX | tapX | null
TUN/TAP virtual network device (X can be omitted for a dynamic device.)
```

I use tun without the number, and I know it's created.

What does "ls -la /dev/net" show?

UM780, 6.12 zen kernel, gcc 13, openrc, wayland
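Added example, not from the thread: the case where a fixed "dev tunX" does have to exist beforehand is when OpenVPN also drops privileges with --user/--group, as in Anon-E-moose's config. On the first start it still has root and creates the device through /dev/net/tun; after the drop it cannot create one again, so a SIGUSR1 or ping-restart without persist-tun fails unless a persistent tun owned by that user already exists. Running as root with no --user, as in the first post's config, OpenVPN creates tun0 itself and none of this applies. The interface name and the user "openvpn" below are assumptions; the iproute2 "ip tuntap" command, /dev/net/tun (character device 10,200) and the sysfs "owner" attribute of tun devices are standard. OpenVPN's own equivalent is "openvpn --mktun --dev tun0 --user openvpn".

```shell
#!/bin/sh
# Pre-create a persistent tun device owned by an unprivileged user.
# Usage (as root): ensure_tun_device tun0 openvpn
# Dry run:         DRY_RUN=1 ensure_tun_device tun0 openvpn
# Verify:          tun_owner tun0   (prints the owning uid; compare with: id -u openvpn)

tun_exists() { [ -e "/sys/class/net/$1" ]; }

# owner uid the kernel exposes for tun/tap devices (empty if not a tun device)
tun_owner() { cat "/sys/class/net/$1/owner" 2>/dev/null; }

tun_prereqs() {
    # missing /dev/net/tun means no CONFIG_TUN or the tun module is not loaded
    # (modprobe tun; or mkdir -p /dev/net && mknod /dev/net/tun c 10 200 without udev)
    [ -c /dev/net/tun ] || { echo "missing /dev/net/tun" >&2; return 1; }
}

run() {   # execute the command, or only print it when DRY_RUN is set
    if [ -n "${DRY_RUN-}" ]; then echo "+ $*"; else "$@"; fi
}

ensure_tun_device() {
    dev=$1 owner=$2
    if tun_exists "$dev"; then
        echo "$dev already exists (owner uid: $(tun_owner "$dev"))"
        return 0
    fi
    [ -n "${DRY_RUN-}" ] || tun_prereqs || return 1
    # a persistent device outlives the openvpn process; 'user' lets that account
    # attach to it later without CAP_NET_ADMIN
    run ip tuntap add dev "$dev" mode tun user "$owner"
}
```

Delete it again with "ip tuntap del dev tun0 mode tun". Pairing the pre-created device with persist-tun and persist-key in the config is what makes restarts under --user work; the device alone is not enough.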