angristan / openvpn-install

Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS or Arch Linux.
https://stanislas.blog
MIT License
13.56k stars 2.96k forks

Server not working after system reboot (CentOS) #572

Closed grogolo closed 1 year ago

grogolo commented 4 years ago

Hello,

Can anyone tell me why my server not working after reboot? I use script on fresh CentOS 7.

angristan commented 4 years ago

What do you mean by "not working"? Please be specific in issues. Also, which provider are you using?

grogolo commented 4 years ago

Not working means not connecting (everything works fine after server install without reboot). In OpenVPN client I've "Connecting to xxx via UDPv4" and "timeout". Provider? My CentOS is istalled on VM (QNAP NAS).

HenryNe commented 4 years ago

Is openvpn running after boot? Check with systemctl status openvpn@server

Was public IP changed?

randshell commented 4 years ago

@angristan can we finish with PR #417 and merge it so we can exclude this type of issues on CentOS?

wgalafassijr commented 4 years ago

Same issue here. CentOS 7.8.2003. OpenVPN is running and the port is listening ok.

systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

After reboot can't connect anymore.

Some fix for this?

wgalafassijr commented 4 years ago

Disabling firewalld allows the user to connect, but no traffic is passing (like browsing the internet).

wgalafassijr commented 4 years ago

Tried with CentOS 8 with the same result.

bayars commented 4 years ago

@wgalafassijr I see in your systemctl status output that:

Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)

Disabled means systemctl enable openvpn-server@server has never worked before. You have to run this command: systemctl enable openvpn-server@server. I tried it right now; that's working on new CentOS releases. I didn't see any problem in the script.

If it doesn't solve the problem, could you share this information after rebooting the server?

* lsb_release ( in redhat-lsb.x86_64 package on centos8 )

* route -n

* iptables -L -t nat

* iptables -L

* firewall-cmd --list-all-zones

* journalctl -xe | grep openvpn

If you have IPv6 configuration enabled:

* ip6tables -L

* ip6tables -L -t nat

randshell commented 4 years ago

Disabled means systemctl enable openvpn-server@server has never worked before.

He checked openvpn@.service, which is different from openvpn-server@.service. On CentOS the script uses openvpn-server@server, so the other one shows as disabled. https://github.com/angristan/openvpn-install/blob/5e2e67f78df9f92a8d7ce92338a8f6e653c0c149/openvpn-install.sh#L920-L922

Disabling firewalld allows the user to connect, but no traffic is passing (like browsing the internet).

Then it's a firewalld issue, not systemd. @wgalafassijr enable firewalld again and use the script from PR #417 to confirm the issue.

The link is https://raw.githubusercontent.com/BornToBeRoot/openvpn-install/master/openvpn-install.sh

wgalafassijr commented 4 years ago

Disabled means systemctl enable openvpn-server@server has never worked before.

He checked openvpn@.service, which is different from openvpn-server@.service. On CentOS the script uses openvpn-server@server, so the other one shows as disabled.

https://github.com/angristan/openvpn-install/blob/5e2e67f78df9f92a8d7ce92338a8f6e653c0c149/openvpn-install.sh#L920-L922

Disabling firewalld allows the user to connect, but no traffic is passing (like browsing the internet).

Then it's a firewalld issue, not systemd. @wgalafassijr enable firewalld again and use the script from PR #417 to confirm the issue.

The link is https://raw.githubusercontent.com/BornToBeRoot/openvpn-install/master/openvpn-install.sh

To make it work I have to use:

firewall-cmd --add-port=1194/udp
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --permanent --add-port=1194/udp
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 192.168.25.244
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 192.168.25.244
firewall-cmd --reload

wgalafassijr commented 4 years ago

@wgalafassijr I see in your systemctl status output that:

Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)

Disabled means systemctl enable openvpn-server@server has never worked before. You have to run this command: systemctl enable openvpn-server@server. I tried it right now; that's working on new CentOS releases. I didn't see any problem in the script.

If it doesn't solve the problem, could you share this information after rebooting the server?

* lsb_release ( in redhat-lsb.x86_64 package on centos8 )

* route -n

* iptables -L -t nat

* iptables -L

* firewall-cmd --list-all-zones

* journalctl -xe | grep openvpn

If you have IPv6 configuration enabled:

* ip6tables -L

* ip6tables -L -t nat

It only works after I ran this manually (CentOS 8):

firewall-cmd --add-port=1149/udp
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --permanent --add-port=1149/udp
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 192.168.25.244
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 192.168.25.244
firewall-cmd --reload

Below is the info you requested.

lsb_release ( in redhat-lsb.x86_64 package on centos8 )
LSB Version:    :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.25.1    0.0.0.0         UG    100    0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.25.1    0.0.0.0         255.255.255.255 UH    100    0        0 eth0
192.168.25.128  0.0.0.0         255.255.255.128 U     100    0        0 eth0

iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  10.8.0.0/24          anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bvtsonar
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

journalctl -xe | grep openvpn
May 17 22:09:12 localhost.localdomain groupadd[1837]: group added to /etc/group: name=openvpn, GID=992
May 17 22:09:12 localhost.localdomain groupadd[1837]: group added to /etc/gshadow: name=openvpn
May 17 22:09:12 localhost.localdomain groupadd[1837]: new group: name=openvpn, GID=992
May 17 22:09:12 localhost.localdomain useradd[1844]: new user: name=openvpn, UID=995, GID=992, home=/etc/openvpn, shell=/sbin/nologin
May 17 22:09:39 localhost.localdomain systemd[1]: Created slice system-openvpn\x2dserver.slice.
-- Subject: Unit system-openvpn\x2dserver.slice has finished start-up
-- Unit system-openvpn\x2dserver.slice has finished starting up.
-- Subject: Unit openvpn-server@server.service has begun start-up
-- Unit openvpn-server@server.service has begun starting up.
May 17 22:09:39 localhost.localdomain openvpn[2639]: OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020
May 17 22:09:39 localhost.localdomain openvpn[2639]: library versions: OpenSSL 1.1.1c FIPS 28 May 2019, LZO 2.08
-- Subject: Unit openvpn-server@server.service has finished start-up
-- Unit openvpn-server@server.service has finished starting up.
May 17 22:09:39 localhost.localdomain openvpn[2639]: CRL: loaded 1 CRLs from file crl.pem
May 17 22:09:39 localhost.localdomain openvpn[2639]: ECDH curve prime256v1 added
May 17 22:09:39 localhost.localdomain openvpn[2639]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
May 17 22:09:39 localhost.localdomain openvpn[2639]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
May 17 22:09:39 localhost.localdomain openvpn[2639]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
May 17 22:09:39 localhost.localdomain openvpn[2639]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
May 17 22:09:39 localhost.localdomain openvpn[2639]: TUN/TAP device tun0 opened
May 17 22:09:39 localhost.localdomain openvpn[2639]: TUN/TAP TX queue length set to 100
May 17 22:09:39 localhost.localdomain openvpn[2639]: /sbin/ip link set dev tun0 up mtu 1500
May 17 22:09:39 localhost.localdomain openvpn[2639]: /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
May 17 22:09:39 localhost.localdomain openvpn[2639]: Could not determine IPv4/IPv6 protocol. Using AF_INET
May 17 22:09:39 localhost.localdomain openvpn[2639]: Socket Buffers: R=[212992->212992] S=[212992->212992]
May 17 22:09:39 localhost.localdomain openvpn[2639]: UDPv4 link local (bound): [AF_INET][undef]:1149
May 17 22:09:39 localhost.localdomain openvpn[2639]: UDPv4 link remote: [AF_UNSPEC]
May 17 22:09:39 localhost.localdomain openvpn[2639]: GID set to nobody
May 17 22:09:39 localhost.localdomain openvpn[2639]: UID set to nobody
May 17 22:09:39 localhost.localdomain openvpn[2639]: MULTI: multi_init called, r=256 v=256
May 17 22:09:39 localhost.localdomain openvpn[2639]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
May 17 22:09:39 localhost.localdomain openvpn[2639]: IFCONFIG POOL LIST
May 17 22:09:39 localhost.localdomain openvpn[2639]: Initialization Sequence Completed
-- Subject: Unit iptables-openvpn.service has begun start-up
-- Unit iptables-openvpn.service has begun starting up.
-- Subject: Unit iptables-openvpn.service has finished start-up
-- Unit iptables-openvpn.service has finished starting up.
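A post-reboot check for the firewalld state that the manual firewall-cmd fix in this thread creates, written as an added example: it is not part of this thread and not code from the openvpn-install script. It assumes the script's defaults (port 1194/udp, client subnet 10.8.0.0/24), the openvpn-server@server unit name mentioned earlier in the thread, firewalld's `firewall-cmd --list-all-zones` layout (an unindented zone header, then indented `key: values` lines), and uses the placeholder `<SERVER-LAN-IP>` where the SNAT address would go. The two zone listings embedded in it are constructed from the output posted above, reduced to the zones that matter.

```shell
#!/bin/sh
# Added example, not code from the openvpn-install project: verify after a
# reboot that the firewalld state a CentOS OpenVPN server needs is present.
# Assumptions (not from the thread): the script defaults 1194/udp and
# 10.8.0.0/24, firewalld's "firewall-cmd --list-all-zones" output format,
# and the openvpn-server@server unit name the thread says the script uses.

# Print the persistent fix from the thread, parameterised. Runtime and
# --permanent variants are both emitted: runtime-only rules are exactly
# what vanishes at reboot, which is the symptom reported in this issue.
ovpn_fw_rules() {
    port="$1"; subnet="$2"; snat_ip="$3"
    for perm in "" "--permanent "; do
        echo "firewall-cmd ${perm}--add-port=${port}/udp"
        echo "firewall-cmd ${perm}--zone=trusted --add-source=${subnet}"
        echo "firewall-cmd ${perm}--direct --add-rule ipv4 nat POSTROUTING 0 -s ${subnet} ! -d ${subnet} -j SNAT --to ${snat_ip}"
    done
    echo "firewall-cmd --reload"
}

# Read "firewall-cmd --list-all-zones" output on stdin and report whether the
# VPN port is open in an active zone and the client subnet is a source of the
# trusted zone. Exit status is 0 only when both are present, so the function
# can gate a cron job or systemd timer that alerts after a reboot.
ovpn_fw_check_zones() {
    port="$1"; subnet="$2"
    awk -v port="${port}/udp" -v subnet="$subnet" '
        /^[^ \t]/         { zone = $1; active = ($0 ~ /\(active\)/) }
        /^[ \t]+ports:/   { if (active)            for (i = 2; i <= NF; i++) if ($i == port)   port_ok = 1 }
        /^[ \t]+sources:/ { if (zone == "trusted") for (i = 2; i <= NF; i++) if ($i == subnet) src_ok  = 1 }
        END {
            printf "port %s open in an active zone: %s\n", port, (port_ok ? "yes" : "NO")
            printf "source %s in trusted zone: %s\n", subnet, (src_ok ? "yes" : "NO")
            exit (port_ok && src_ok) ? 0 : 1
        }'
}

# Check the CentOS unit by its real name. openvpn@server is a different
# template and reads "disabled" even on a working install, which is what
# confused the status output quoted earlier. Not run at load time.
ovpn_unit_check() {
    systemctl is-enabled "openvpn-server@${1:-server}"
}

# Constructed samples: the zone listing posted in this thread, reduced to the
# two zones that matter, before (BROKEN) and after (FIXED) the manual fix.
BROKEN_ZONES='public (active)
  target: default
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
trusted
  target: ACCEPT
  interfaces: 
  sources: 
  ports: '

FIXED_ZONES='public (active)
  target: default
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 1194/udp
trusted
  target: ACCEPT
  interfaces: 
  sources: 10.8.0.0/24
  ports: '

# Feed one of the samples (or any captured listing) to the parser.
ovpn_fw_check_sample() {
    printf '%s\n' "$1" | ovpn_fw_check_zones "${2:-1194}" "${3:-10.8.0.0/24}"
}

# Self-check against the constructed samples; needs no firewall-cmd.
echo "== broken state =="
if ! ovpn_fw_check_sample "$BROKEN_ZONES"; then
    echo "-> rules missing; commands that would persist them:"
    ovpn_fw_rules 1194 10.8.0.0/24 "<SERVER-LAN-IP>"
fi
echo "== fixed state =="
ovpn_fw_check_sample "$FIXED_ZONES"
```

On the server itself, `firewall-cmd --list-all-zones | ovpn_fw_check_zones 1194 10.8.0.0/24 && ovpn_unit_check` distinguishes the two causes discussed here: a failing zone check after reboot points at firewalld (runtime-only rules), a failing unit check at systemd. Note that the direct SNAT rule is not shown by `--list-all-zones`; it is listed by `firewall-cmd --direct --get-all-rules`, so check that separately if clients connect but carry no traffic.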

randshell commented 4 years ago

To make it work I have to use:

firewall-cmd --add-port=1194/udp
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --permanent --add-port=1194/udp
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 192.168.25.244
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 192.168.25.244
firewall-cmd --reload

#417 fixes it.

wgalafassijr commented 4 years ago

#417 fixes it.

Is it already published?

randshell commented 4 years ago

Is it already published?

The changes work but they aren't merged to master yet.

wgalafassijr commented 4 years ago

Is it already published?

The changes work but they aren't merged to master yet.

Is there an ETA for it to be merged?

marchelo2000 commented 3 years ago

Hello, Gentle reminder about this issue.

jcastilloalonso commented 2 years ago

Hope this can get merged soon. Fixed in CentOS 7 with these commands.

angristan commented 1 year ago

Closing as duplicate of https://github.com/angristan/openvpn-install/issues/356