freifunk-berlin / firmware

DEPRECATED: Build system for Berlin firmware. Please use the pinned falter-repos instead
https://berlin.freifunk.net
GNU General Public License v3.0

OpenVPN fails to connect to IPv6-enabled VPN03-gateway #422

Closed SvenRoederer closed 6 years ago

SvenRoederer commented 7 years ago

I had lost VPN-connection. This is related to the fact that openvpn tries to connect to the VPN03-gateway, which has an IPv6-address published (2001:bf7:b101:1::10).

Cause seems to be the openVPN-hotplug of "freifunk-berlin-openvpn-files" line 28 - setting the "local address". This address will be IPv4 only and so fails for IPv6.

Fri Feb 17 06:00:00 2017 cron.info crond[3323]: USER root pid 10581 cmd ifup wan
Fri Feb 17 06:00:00 2017 daemon.notice netifd: wan (30188): udhcpc: received SIGTERM
Fri Feb 17 06:00:00 2017 daemon.notice netifd: Interface 'wan' is now down
Fri Feb 17 06:00:00 2017 daemon.notice netifd: Interface 'wan' is setting up now
Fri Feb 17 06:00:00 2017 daemon.info dnsmasq[2008]: reading /tmp/resolv.conf.auto
Fri Feb 17 06:00:00 2017 daemon.info dnsmasq[2008]: using local addresses only for domain lan
Fri Feb 17 06:00:00 2017 daemon.info dnsmasq[2008]: using nameserver 85.214.20.141#53
Fri Feb 17 06:00:00 2017 daemon.info dnsmasq[2008]: using nameserver 213.73.91.35#53
Fri Feb 17 06:00:00 2017 daemon.info dnsmasq[2008]: using nameserver 194.150.168.168#53
Fri Feb 17 06:00:00 2017 daemon.info dnsmasq[2008]: using nameserver 2001:4ce8::53#53
Fri Feb 17 06:00:00 2017 daemon.info dnsmasq[2008]: using nameserver 2001:910:800::12#53
Fri Feb 17 06:00:00 2017 user.notice ff-userlog: WAN interface went down
Fri Feb 17 06:00:00 2017 user.notice ff-vpn-hotplug: Stopping OpenVPN
Fri Feb 17 06:00:00 2017 daemon.notice netifd: wan (10623): udhcpc: started, v1.25.1
Fri Feb 17 06:00:00 2017 daemon.err openvpn(ffvpn)[30389]: event_wait : Interrupted system call (code=4)
Fri Feb 17 06:00:01 2017 daemon.notice openvpn(ffvpn)[30389]: /sbin/ifconfig ffvpn 0.0.0.0
Fri Feb 17 06:00:01 2017 daemon.notice netifd: Network device 'ffvpn' link is down
Fri Feb 17 06:00:01 2017 daemon.notice netifd: Interface 'ffvpn' has link connectivity loss
Fri Feb 17 06:00:01 2017 daemon.notice netifd: Interface 'ffvpn' is now down
Fri Feb 17 06:00:01 2017 daemon.notice openvpn(ffvpn)[30389]: SIGTERM[hard,] received, process exiting
Fri Feb 17 06:00:01 2017 daemon.notice netifd: Interface 'ffvpn' is disabled
Fri Feb 17 06:00:01 2017 daemon.notice netifd: wan (10623): udhcpc: sending discover
Fri Feb 17 06:00:01 2017 daemon.notice netifd: wan (10623): udhcpc: sending select for 192.168.8.195
Fri Feb 17 06:00:01 2017 daemon.notice netifd: wan (10623): udhcpc: lease of 192.168.8.195 obtained, lease time 7200
Fri Feb 17 06:00:01 2017 user.notice ff-userlog: OpenVPN connection went down
Fri Feb 17 06:00:01 2017 daemon.notice netifd: Interface 'wan' is now up
Fri Feb 17 06:00:01 2017 daemon.info dnsmasq[2008]: reading /tmp/resolv.conf.auto
Fri Feb 17 06:00:01 2017 daemon.info dnsmasq[2008]: using local addresses only for domain lan
Fri Feb 17 06:00:01 2017 daemon.info dnsmasq[2008]: using nameserver 85.214.20.141#53
Fri Feb 17 06:00:01 2017 daemon.info dnsmasq[2008]: using nameserver 213.73.91.35#53
Fri Feb 17 06:00:01 2017 daemon.info dnsmasq[2008]: using nameserver 194.150.168.168#53
Fri Feb 17 06:00:01 2017 daemon.info dnsmasq[2008]: using nameserver 2001:4ce8::53#53
Fri Feb 17 06:00:01 2017 daemon.info dnsmasq[2008]: using nameserver 2001:910:800::12#53
Fri Feb 17 06:00:02 2017 daemon.info odhcpd[1278]: Initial RA router lifetime 1, 1 address(es) available on br-dhcp
Fri Feb 17 06:00:02 2017 daemon.warn odhcpd[1278]: A default route is present but there is no public prefix on br-dhcp thus we don't announce a default route!
Fri Feb 17 06:00:04 2017 user.notice firewall: Reloading firewall due to ifup of wan (eth0)
Fri Feb 17 06:00:05 2017 user.notice ff-userlog: WAN interface is up
Fri Feb 17 06:00:05 2017 user.notice ff-vpn-hotplug: Starting OpenVPN on WAN interface
Fri Feb 17 06:00:06 2017 daemon.notice openvpn(ffvpn)[10823]: OpenVPN 2.4.0 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Feb 17 06:00:06 2017 daemon.notice openvpn(ffvpn)[10823]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Fri Feb 17 06:00:06 2017 daemon.warn openvpn(ffvpn)[10823]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Feb 17 06:00:06 2017 daemon.warn openvpn(ffvpn)[10823]: ******* WARNING *******: null cipher specified, no encryption will be used
Fri Feb 17 06:00:06 2017 daemon.notice openvpn(ffvpn)[10823]: TCP/UDP: Preserving recently used remote address: [AF_INET6]2001:bf7:b101:1::10:1194
Fri Feb 17 06:00:06 2017 daemon.err openvpn(ffvpn)[10823]: TCP/UDP: Socket bind failed: Addr to bind has no AF_INET6 record
Fri Feb 17 06:00:06 2017 daemon.notice openvpn(ffvpn)[10823]: Exiting due to fatal error
Fri Feb 17 06:00:11 2017 daemon.notice openvpn(ffvpn)[10826]: OpenVPN 2.4.0 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Feb 17 06:00:11 2017 daemon.notice openvpn(ffvpn)[10826]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Fri Feb 17 06:00:11 2017 daemon.warn openvpn(ffvpn)[10826]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Feb 17 06:00:11 2017 daemon.warn openvpn(ffvpn)[10826]: ******* WARNING *******: null cipher specified, no encryption will be used
Fri Feb 17 06:00:11 2017 daemon.notice openvpn(ffvpn)[10826]: TCP/UDP: Preserving recently used remote address: [AF_INET6]2001:bf7:b101:1::10:1194
Fri Feb 17 06:00:11 2017 daemon.err openvpn(ffvpn)[10826]: TCP/UDP: Socket bind failed: Addr to bind has no AF_INET6 record
Fri Feb 17 06:00:11 2017 daemon.notice openvpn(ffvpn)[10826]: Exiting due to fatal error
...
SvenRoederer commented 7 years ago

One option is to remove the AAAA record --> https://lists.berlin.freifunk.net/pipermail/berlin/2017-March/035378.html

But nobody cares for 3 weeks.

SvenRoederer commented 7 years ago

Another option is to restrict OpenVPN to IPv4 only, by use of the "proto"-option (udp4).

SvenRoederer commented 7 years ago

Fixed by https://github.com/freifunk-berlin/firmware-packages/commit/118a1138094c56fb0f52609ed7aaf95bff595ba9 (option 2)

SvenRoederer commented 7 years ago

Damn, udp4 is only available from OpenVPN 2.4 and greater.

SvenRoederer commented 7 years ago

As this issue was not seen before, using IPv6 in preference to IPv4, when both protos are available, seems new to OpenVPN 2.4. As Kathleen still uses OpenVPN 2.3, this seems only relevant to Hedy-builds.

SvenRoederer commented 6 years ago

A migration is still missing or defective.

SvenRoederer commented 6 years ago

I have not seen this happening for a while, so I'll close.
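
A pre-flight check for the address-family mismatch in this issue, written as an added example; it is not code from the thread or from the freifunk-berlin packages. It decides whether a `local` bind address can be used with the addresses the gateway resolves to, and pins the protocol accordingly. Assumptions: `addr_family`, `supports_udp4` and `bind_plan` are hypothetical helper names, 198.51.100.10 is a constructed IPv4 address, and `proto udp6` (not mentioned in the thread) is the IPv6 counterpart of `udp4`.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not the project's hotplug script.

# Print the address family of a literal IP address: inet, inet6 or unknown.
addr_family() {
    case "$1" in
        *:*) echo inet6 ;;
        ''|*[!0-9.]*) echo unknown ;;
        *.*.*.*) echo inet ;;
        *) echo unknown ;;
    esac
}

# Succeed if OpenVPN version $1 (e.g. 2.4.0) is 2.4 or newer,
# the first release the thread reports as accepting "proto udp4".
supports_udp4() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 4 ]; }
}

# bind_plan VERSION LOCAL REMOTE_ADDR...
# Prints the option lines for binding to LOCAL. Returns 1 when no remote
# address shares LOCAL's family (the "Socket bind failed" case in the log)
# and 2 when LOCAL is not a literal IP address.
bind_plan() {
    version=$1 local_addr=$2
    shift 2
    want=$(addr_family "$local_addr")
    [ "$want" != unknown ] || return 2
    for remote in "$@"; do
        [ "$(addr_family "$remote")" = "$want" ] || continue
        if [ "$want" = inet6 ]; then
            echo "proto udp6"
        elif supports_udp4 "$version"; then
            echo "proto udp4"      # keeps 2.4 from choosing the AAAA record
        else
            echo "proto udp"       # pre-2.4: udp4 is not accepted
        fi
        echo "local $local_addr"
        return 0
    done
    return 1
}

# Demo: WAN lease and gateway AAAA from the log, plus a constructed A record.
bind_plan 2.4.0 192.168.8.195 2001:bf7:b101:1::10 198.51.100.10 ||
    echo "no remote address in the local address family; omit 'local'"
```
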