Open lukasjvdm opened 1 year ago
The logs never show that OpenVPN set up a tun0 device. Also, this bug might already be resolved in newer versions of OpenVPN. OpenVPN 2.4.4 is quite old at this point in time.
So in the "ifconfig" output we can see a tun0 and tun1, but the openvpn log only shows tun1. So we need more client-side logs to show what is happening after tun0 was created.
One possible way this could be happening is if you have two openvpn processes running at the same time (on the same config file, or you downloaded + installed 2 copies of the pivpn client config with different names). Check with `ps axwu | grep openvpn`.
A crashing openvpn would not leave tun0 behind, so this really points to "2 openvpn processes" (and then they fight for the packets, breaking your VPN).
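An added diagnostic for the "two openvpn processes" hypothesis above (example code, not the OpenVPN project's own): it scans `ps axwu` output for more than one openvpn process on the same `--config`, and `ip -o -4 addr show` output for two tun devices carrying the same address. The ps and ip samples inside are constructed to mirror this report.

```shell
#!/usr/bin/env bash
# Added example, not OpenVPN project code: detect two openvpn processes on
# one config, plus two tunN devices with the same address, from the output
# of `ps axwu` and `ip -o -4 addr show`. Sample outputs below are constructed.

# Print "count config" for every config run by more than one openvpn process.
duplicate_openvpn_configs() {
    printf '%s\n' "$1" \
        | grep -E '[ /]openvpn( |$)' | grep -vw grep \
        | awk '{ cfg = "(no --config)";
                 for (i = 1; i < NF; i++) if ($i == "--config") cfg = $(i + 1);
                 print cfg }' \
        | sort | uniq -c | awk '$1 > 1 { print $1, $2 }'
}

# Print every IPv4 address assigned to more than one tunN device.
duplicate_tun_addresses() {
    printf '%s\n' "$1" | awk '$2 ~ /^tun[0-9]+$/ { print $4 }' | sort | uniq -d
}

# Succeeds only when neither symptom is present.
check_single_openvpn() {
    [ -z "$(duplicate_openvpn_configs "$1")" ] && [ -z "$(duplicate_tun_addresses "$2")" ]
}

# Constructed `ps axwu` output: the same client.conf started twice, plus the grep itself.
PS_SAMPLE='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 901 0.0 0.2 10000 4000 ? Ss 06:50 0:00 /usr/sbin/openvpn --daemon ovpn-client --cd /etc/openvpn --config /etc/openvpn/client.conf
root 955 0.0 0.2 10000 4000 ? Ss 06:51 0:00 /usr/sbin/openvpn --daemon ovpn-client --cd /etc/openvpn --config /etc/openvpn/client.conf
pi 1201 0.0 0.0 5000 1000 pts/0 S+ 06:59 0:00 grep openvpn'

# Constructed healthy case: a single openvpn process.
PS_HEALTHY='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 901 0.0 0.2 10000 4000 ? Ss 06:50 0:00 /usr/sbin/openvpn --daemon ovpn-client --cd /etc/openvpn --config /etc/openvpn/client.conf'

# Constructed `ip -o -4 addr show` output: tun0 and tun1 both hold 10.8.0.12.
IP_SAMPLE='2: eth0    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
5: tun0    inet 10.8.0.12/24 scope global tun0\       valid_lft forever preferred_lft forever
6: tun1    inet 10.8.0.12/24 scope global tun1\       valid_lft forever preferred_lft forever'

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "duplicate configs:"; duplicate_openvpn_configs "$PS_SAMPLE"
    echo "shared tun addresses:"; duplicate_tun_addresses "$IP_SAMPLE"
    check_single_openvpn "$PS_SAMPLE" "$IP_SAMPLE" || echo "VPN state is NOT healthy"
fi
```

On a live host, feed the functions `"$(ps axwu)"` and `"$(ip -o -4 addr show)"` instead of the constructed samples.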
Describe the bug

I am setting up vpn tunnels between multiple RockPi's (clients) on my home network and a cloud VM (server). After connecting a client to the server a timeout consistently occurs, after which the client attempts to reinitialize a new tunnel, resulting in a tun0 and tun1. This seems to cause a conflict such that I can no longer access the RockPi via the VPN tunnel created initially. I have generated the server.conf and client.conf files via PiVPN.
To Reproduce

1) Set up server and client with the following configuration

Server:

```
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee.crt
key /etc/openvpn/easy-rsa/pki/private/vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
```

Client:

```
client
dev tun
proto udp
remote 160.119.253.173 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee name
cipher AES-256-CBC
```
2) Set up tunnel by running client.conf as daemon on RockPi and wait a few minutes for timeout
Expected behavior

Upon creating tunnel, tun0 will be set up. After timeout occurs on client side, tun1 will be initialized alongside existing tun0 (client side). Pi will then no longer be accessible from VM through vpn tunnel.
Version information (please complete the following information):
Additional context
example logs
From client side (/var/log/openvpn/the.log)

```
Fri Feb 3 06:58:53 2023 [vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee] Inactivity timeout (--ping-restart), restarting
Fri Feb 3 06:58:53 2023 SIGUSR1[soft,ping-restart] received, process restarting
Fri Feb 3 06:58:53 2023 Restart pause, 5 second(s)
Fri Feb 3 06:58:58 2023 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Feb 3 06:58:58 2023 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Feb 3 06:58:58 2023 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Feb 3 06:58:58 2023 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Feb 3 06:58:58 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]160.119.253.173:1194
Fri Feb 3 06:58:58 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Feb 3 06:58:58 2023 UDP link local: (not bound)
Fri Feb 3 06:58:58 2023 UDP link remote: [AF_INET]160.119.253.173:1194
Fri Feb 3 06:58:58 2023 TLS: Initial packet from [AF_INET]160.119.253.173:1194, sid=4a610490 41177b45
Fri Feb 3 06:58:59 2023 VERIFY OK: depth=1, CN=ChangeMe
Fri Feb 3 06:58:59 2023 VERIFY KU OK
Fri Feb 3 06:58:59 2023 Validating certificate extended key usage
Fri Feb 3 06:58:59 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Feb 3 06:58:59 2023 VERIFY EKU OK
Fri Feb 3 06:58:59 2023 VERIFY X509NAME OK: CN=vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee
Fri Feb 3 06:58:59 2023 VERIFY OK: depth=0, CN=vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee
Fri Feb 3 06:58:59 2023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Fri Feb 3 06:58:59 2023 [vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee] Peer Connection Initiated with [AF_INET]160.119.253.173:1194
Fri Feb 3 06:59:00 2023 SENT CONTROL [vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee]: 'PUSH_REQUEST' (status=1)
Fri Feb 3 06:59:00 2023 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN searchdomain.example.com,dhcp-option DNS 9.9.9.9,dhcp-option DNS 149.112.112.112,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.8.0.12 255.255.255.0,peer-id 4,cipher AES-256-GCM'
Fri Feb 3 06:59:00 2023 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.4.7)
Fri Feb 3 06:59:00 2023 OPTIONS IMPORT: timers and/or timeouts modified
Fri Feb 3 06:59:00 2023 OPTIONS IMPORT: --ifconfig/up options modified
Fri Feb 3 06:59:00 2023 OPTIONS IMPORT: route options modified
Fri Feb 3 06:59:00 2023 OPTIONS IMPORT: route-related options modified
Fri Feb 3 06:59:00 2023 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Feb 3 06:59:00 2023 OPTIONS IMPORT: peer-id set
Fri Feb 3 06:59:00 2023 OPTIONS IMPORT: adjusting link_mtu to 1624
Fri Feb 3 06:59:00 2023 OPTIONS IMPORT: data channel crypto options modified
Fri Feb 3 06:59:00 2023 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Feb 3 06:59:00 2023 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Feb 3 06:59:00 2023 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Feb 3 06:59:00 2023 Preserving previous TUN/TAP instance: tun1
Fri Feb 3 06:59:00 2023 Initialization Sequence Completed
Fri Feb 3 07:02:43 2023 [vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee] Inactivity timeout (--ping-restart), restarting
```
From server side (/var/log/openvpn.log)

```
Feb 3 06:58:58 vm594xjpu ovpn-server[10622]: MULTI: multi_create_instance called
Feb 3 06:58:58 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 Re-using SSL/TLS context
Feb 3 06:58:58 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Feb 3 06:58:58 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Feb 3 06:58:58 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1553,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA256,keysize 128,key-method 2,tls-server'
Feb 3 06:58:58 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1553,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA256,keysize 128,key-method 2,tls-client'
Feb 3 06:58:58 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 TLS: Initial packet from [AF_INET]41.216.204.204:23760, sid=868dca55 28b05f9d
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 VERIFY OK: depth=1, CN=ChangeMe
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 VERIFY KU OK
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 Validating certificate extended key usage
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 VERIFY EKU OK
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 VERIFY OK: depth=0, CN=agent-2
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_VER=2.4.7
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_PLAT=linux
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_PROTO=2
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_NCP=2
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_LZ4=1
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_LZ4v2=1
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_LZO=1
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_COMP_STUB=1
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_COMP_STUBv2=1
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_TCPNL=1
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 [agent-2] Peer Connection Initiated with [AF_INET]41.216.204.204:23760
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: MULTI: new connection by client 'agent-2' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/agent-2
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: MULTI: Learn: 10.8.0.12 -> agent-2/41.216.204.204:23760
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: MULTI: primary virtual IP for agent-2/41.216.204.204:23760: 10.8.0.12
Feb 3 06:59:00 vm594xjpu ovpn-server[10622]: agent-2/41.216.204.204:23760 PUSH: Received control message: 'PUSH_REQUEST'
Feb 3 06:59:00 vm594xjpu ovpn-server[10622]: agent-2/41.216.204.204:23760 SENT CONTROL [agent-2]: 'PUSH_REPLY,dhcp-option DOMAIN searchdomain.example.com,dhcp-option DNS 9.9.9.9,dhcp-option DNS 149.112.112.112,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.8.0.12 255.255.255.0,peer-id 4,cipher AES-256-GCM' (status=1)
Feb 3 06:59:00 vm594xjpu ovpn-server[10622]: agent-2/41.216.204.204:23760 Data Channel: using negotiated cipher 'AES-256-GCM'
Feb 3 06:59:00 vm594xjpu ovpn-server[10622]: agent-2/41.216.204.204:23760 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
Feb 3 06:59:00 vm594xjpu ovpn-server[10622]: agent-2/41.216.204.204:23760 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 3 06:59:00 vm594xjpu ovpn-server[10622]: agent-2/41.216.204.204:23760 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
```
ifconfig from client side

```
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.12  netmask 255.255.255.0  destination 10.8.0.12
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.12  netmask 255.255.255.0  destination 10.8.0.12
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 3783  bytes 269287 (269.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6989  bytes 5973610 (5.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```