Closed grogolo closed 1 year ago
What do you mean by "not working"? Please be specific in issues. Also, which provider are you using?
Not working means not connecting (everything works fine after server install without reboot). In the OpenVPN client I get "Connecting to xxx via UDPv4" and "timeout". Provider? My CentOS is installed on a VM (QNAP NAS).
Is openvpn running after boot? Check with
systemctl status openvpn@server
Was public IP changed?
@angristan can we finish with PR #417 and merge it so we can exclude this type of issues on CentOS?
Same issue here. Centos 7.8.2003
Open vpn is running and port is listening ok.

systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
After reboot can't connect anymore.
Some fix for this?
Disabling firewalld allows users to connect, but no traffic is passing (like browsing the internet).
Tried with Centos 8 with the same result.
@wgalafassijr I see your systemctl status answers that:
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
Disabled means that systemctl enable openvpn-server@server has never worked before. You have to run this command: systemctl enable openvpn-server@server. I tried right now; that's working on new CentOS versions. I didn't see any problem in the script.
If it doesn't solve the problem, could you share this information after rebooting the server?
* lsb_release ( in redhat-lsb.x86_64 package on centos8 )
* route -n
* iptables -L -t nat
* iptables -L
* firewall-cmd --list-all-zones
* journalctl -xe | grep openvpn
If you've enabled IPv6 configuration:
* ip6tables -L
* ip6tables -L -t nat
Disabled meaning, systemctl enable openvpn-server@server have never worked before.

He checked openvpn@.service, which is different from openvpn-server@.service. On CentOS the script uses openvpn-server@server, so the other one shows as disabled.
https://github.com/angristan/openvpn-install/blob/5e2e67f78df9f92a8d7ce92338a8f6e653c0c149/openvpn-install.sh#L920-L922
Disabling firewalld allow user to connect, but no traffic is passing (like browsing internet)
Then it's a firewalld issue not systemd. @wgalafassijr enable firewalld again and use the script from PR #417 to confirm the issue.
The link is https://raw.githubusercontent.com/BornToBeRoot/openvpn-install/master/openvpn-install.sh
To make it work I have to use:
firewall-cmd --add-port=1194/udp
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --permanent --add-port=1194/udp
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 192.168.25.244
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 192.168.25.244
firewall-cmd --reload
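A check to go with the firewall-cmd commands above (added example, not code from openvpn-install or from anyone in this thread): it parses the text of `firewall-cmd --list-all-zones` and reports whether the OpenVPN port is open in the active zone and the tunnel subnet is a trusted source, so a rule that was only added at runtime (without `--permanent`) is noticed before a reboot drops it. The zone dumps, the zone name `public`, port `1194/udp` and subnet `10.8.0.0/24` are constructed inputs modelled on the output posted in this thread.

```shell
#!/bin/sh
# Added example, not part of openvpn-install: check a firewalld zone dump for
# the two rules the tunnel needs, so a rule that was only added at runtime
# (no --permanent) is noticed before a reboot silently drops it.

# zone_field DUMP ZONE FIELD: print FIELD's value for ZONE from the text of
# `firewall-cmd --list-all-zones` (zone names start at column 1, fields are indented).
zone_field() {
    printf '%s\n' "$1" | awk -v zone="$2" -v field="$3" '
        /^[^ ]/ { inzone = ($1 == zone) }
        inzone && $1 == (field ":") { sub(/^ *[^:]*: */, ""); print; exit }'
}

# openvpn_fw_ok DUMP ACTIVE_ZONE PORT SUBNET: returns 0 when PORT is open in the
# active zone and SUBNET is a trusted source; otherwise prints what is missing, returns 1.
openvpn_fw_ok() {
    rc=0
    case " $(zone_field "$1" "$2" ports) " in
        *" $3 "*) ;;
        *) echo "missing: port $3 in zone $2"; rc=1 ;;
    esac
    case " $(zone_field "$1" trusted sources) " in
        *" $4 "*) ;;
        *) echo "missing: source $4 in zone trusted"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample modelled on the dump posted in this thread: after a reboot the
# active public zone has no OpenVPN port and trusted has no tunnel subnet.
DUMP_AFTER_REBOOT='public (active)
  target: default
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
trusted
  target: ACCEPT
  sources:
  ports:'

# Constructed sample of the same dump once the --permanent rules are in place.
DUMP_FIXED='public (active)
  target: default
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 1194/udp
trusted
  target: ACCEPT
  sources: 10.8.0.0/24
  ports:'

openvpn_fw_ok "$DUMP_AFTER_REBOOT" public 1194/udp 10.8.0.0/24 || echo "fix: add the rules with --permanent and reload"
openvpn_fw_ok "$DUMP_FIXED" public 1194/udp 10.8.0.0/24 && echo "firewalld rules present"
```

On a live host, feed it `"$(firewall-cmd --list-all-zones)"` for the runtime view and `"$(firewall-cmd --permanent --list-all-zones)"` for what will survive a reboot.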
Only works after I ran manually (centos 8):
firewall-cmd --add-port=1149/udp
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --permanent --add-port=1149/udp
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 192.168.25.244
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 192.168.25.244
firewall-cmd --reload
Below is the info you requested.
lsb_release ( in redhat-lsb.x86_64 package on centos8 )
LSB Version: :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.25.1    0.0.0.0         UG    100    0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.25.1    0.0.0.0         255.255.255.255 UH    100    0        0 eth0
192.168.25.128  0.0.0.0         255.255.255.128 U     100    0        0 eth0
iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  10.8.0.0/24          anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bvtsonar
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
journalctl -xe | grep openvpn
May 17 22:09:12 localhost.localdomain groupadd[1837]: group added to /etc/group: name=openvpn, GID=992
May 17 22:09:12 localhost.localdomain groupadd[1837]: group added to /etc/gshadow: name=openvpn
May 17 22:09:12 localhost.localdomain groupadd[1837]: new group: name=openvpn, GID=992
May 17 22:09:12 localhost.localdomain useradd[1844]: new user: name=openvpn, UID=995, GID=992, home=/etc/openvpn, shell=/sbin/nologin
May 17 22:09:39 localhost.localdomain systemd[1]: Created slice system-openvpn\x2dserver.slice.
-- Subject: Unit system-openvpn\x2dserver.slice has finished start-up
-- Unit system-openvpn\x2dserver.slice has finished starting up.
-- Subject: Unit openvpn-server@server.service has begun start-up
-- Unit openvpn-server@server.service has begun starting up.
May 17 22:09:39 localhost.localdomain openvpn[2639]: OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020
May 17 22:09:39 localhost.localdomain openvpn[2639]: library versions: OpenSSL 1.1.1c FIPS 28 May 2019, LZO 2.08
-- Subject: Unit openvpn-server@server.service has finished start-up
-- Unit openvpn-server@server.service has finished starting up.
May 17 22:09:39 localhost.localdomain openvpn[2639]: CRL: loaded 1 CRLs from file crl.pem
May 17 22:09:39 localhost.localdomain openvpn[2639]: ECDH curve prime256v1 added
May 17 22:09:39 localhost.localdomain openvpn[2639]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
May 17 22:09:39 localhost.localdomain openvpn[2639]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
May 17 22:09:39 localhost.localdomain openvpn[2639]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
May 17 22:09:39 localhost.localdomain openvpn[2639]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
May 17 22:09:39 localhost.localdomain openvpn[2639]: TUN/TAP device tun0 opened
May 17 22:09:39 localhost.localdomain openvpn[2639]: TUN/TAP TX queue length set to 100
May 17 22:09:39 localhost.localdomain openvpn[2639]: /sbin/ip link set dev tun0 up mtu 1500
May 17 22:09:39 localhost.localdomain openvpn[2639]: /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
May 17 22:09:39 localhost.localdomain openvpn[2639]: Could not determine IPv4/IPv6 protocol. Using AF_INET
May 17 22:09:39 localhost.localdomain openvpn[2639]: Socket Buffers: R=[212992->212992] S=[212992->212992]
May 17 22:09:39 localhost.localdomain openvpn[2639]: UDPv4 link local (bound): [AF_INET][undef]:1149
May 17 22:09:39 localhost.localdomain openvpn[2639]: UDPv4 link remote: [AF_UNSPEC]
May 17 22:09:39 localhost.localdomain openvpn[2639]: GID set to nobody
May 17 22:09:39 localhost.localdomain openvpn[2639]: UID set to nobody
May 17 22:09:39 localhost.localdomain openvpn[2639]: MULTI: multi_init called, r=256 v=256
May 17 22:09:39 localhost.localdomain openvpn[2639]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
May 17 22:09:39 localhost.localdomain openvpn[2639]: IFCONFIG POOL LIST
May 17 22:09:39 localhost.localdomain openvpn[2639]: Initialization Sequence Completed
-- Subject: Unit iptables-openvpn.service has begun start-up
-- Unit iptables-openvpn.service has begun starting up.
-- Subject: Unit iptables-openvpn.service has finished start-up
-- Unit iptables-openvpn.service has finished starting up.
417 fixes it.
Is it already published?
The changes work but they aren't merged to master yet.
Any ETA for it to be merged?
Hello, Gentle reminder about this issue.
Hope this can get merged soon. Fixed in CentOS 7 with these commands.
Closing as duplicate of https://github.com/angristan/openvpn-install/issues/356
Hello,
Can anyone tell me why my server is not working after a reboot? I used the script on a fresh CentOS 7.