Closed witte-de-with closed 7 years ago
cpu
commented
7 years ago Hi @i-s-o-g-r-a-m - thanks for taking the time to file an issue.
When that service has failed, the VPN won't work.
To be 100% clear - when you say VPN here you mean an OpenConnect VPN connection fails to work? I suspect that's the case but its best to confirm :-)
witte-de-with
commented
7 years ago @cpu ah, yeah I should clarify that a bit: so I can still make a successful VPN connection from my laptop (using Viscosity on macOS), but then no network traffic will seem to make it through -- I can't talk to the world -- until disconnecting again from the Streisand-based VPN. If I go and start the service manually after ssh'ing in, everything is back to working as expected. But again: this doesn't prevent a successful VPN connection -- it just prevents me from actually sending traffic over the VPN once connected. It's weird because I only started to see this recently. It may be that it just happens sometimes and not other times if it is a race-y thing. I happen to reboot the VPS that the VPN is hosted on quite a bit -- maybe others do not do this, so don't see the problem. Thanks!
cpu
commented
7 years ago @i-s-o-g-r-a-m Thanks for clarifying. That definitely sounds like the behaviour I would expect if the problem was with the firewall rules. Looking at the streisand-openconnect.service it's doing nothing other than applying a firewall rule. I also notice in the journalctl output that you shared there's an iptables error:
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
I think that -w option is exactly what we need as a quick fix. The manual says:
-w, --wait [seconds]
Wait for the xtables lock. To prevent multiple instances of the program from running concurrently, an attempt will
be made to obtain an exclusive lock at launch. By default, the program will exit if the lock cannot be obtained.
This option will make the program wait (indefinitely or for optional seconds) until the exclusive lock can be
obtained.I think you're right that this is a race-y thing. There's a couple other services (openvpn, l2tp-ipsec, and wireguard) that also setup iptables rules at boot. Long term there's probably a better way to manage a system-wide firewall than with a combination of ufw and iptables thrown through /etc/init.d. I opened https://github.com/jlund/streisand/issues/950 to track that larger effort.
In the mean time I'll add -w across the iptables invocations in the services and we can see if that prevents the race from happening on your system.
cpu
commented
7 years ago I have a PR up to add --wait to all of the iptables invocations: https://github.com/jlund/streisand/pull/951 I would be interested in hearing if this branch prevents any further issues with openconnect for you after reboots.
witte-de-with
commented
7 years ago @cpu Thank you! Looks like you got this sorted out, and some folks have already tested it. Let me know if I can help any further with testing, etc. Thanks again for your work on Streisand 👍
cpu
commented
7 years ago @i-s-o-g-r-a-m Thanks! It's merged to master now. Please let me know if you run into this bug again now that we believe its fixed. I appreciate the bug report!
witte-de-with
commented
7 years ago @cpu will do, thanks again!
Expected behavior:
All Streisand-related services to start up after bouncing a VM that has been Streisand-provisioned.
Actual Behavior:
Lately I'm seeing one service failing to start up pretty frequently on boot (this is Ubuntu on Linode) -- see
systemctl statusoutput below. When that service has failed, the VPN won't work. If I ssh in and start the service, things work again. Here's the status info:Steps to Reproduce:
Provision a Linode Streisand instance, then reboot the instance. The service above will fail to start.