
OpenVPN not working in vyos-1.3-rolling-20201101 and after
Closed, Resolved | Public | BUG

Description

Hello,

OpenVPN isn't working in vyos-1.3-rolling-20201101 and after, gives this error:

Nov 11 18:23:03 firewall vyos-configd[754]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/interfaces-openvpn.pyVYOS_TAGNODE_VALUE=vtun0"}
Nov 11 18:23:03 firewall vyos-configd[754]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/interfaces-openvpn.pyVYOS_TAGNODE_VALUE=vtun1"}

The interface never comes up.

vyos-1.3-rolling-20201029 works, so it probably has something to do with the commits on October 30/31.

Details

Difficulty level
Unknown (require assessment)
Version
vyos-1.3-rolling-20201101
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

danielpo renamed this task from OpenVPN not working in vyos-1.3-rolling-20201101 and afte to OpenVPN not working in vyos-1.3-rolling-20201101 and after.Wed, Nov 11, 6:33 PM
danielpo created this task.
pasik added a subscriber: pasik.Wed, Nov 11, 9:32 PM

I believe this may be related to the following error messages I have:

Nov 13 04:44:32 vyos openvpn-vtun0[28831]: Options error: Bad protocol: 'tcp-passive'.  Allowed protocols with --proto option: [proto-uninitialized] [udp] [tcp-server] [tcp-client] [tcp] [udp4] [tcp4-server] [tcp4-client] [tcp4] [udp6] [tcp6-server] [tcp6-client] [tcp6]

Appears they renamed the protocols for anyone utilizing TCP.

@Zer0t3ch Can you share your configuration?

c-po changed the task status from Open to In progress.Fri, Nov 13, 10:59 AM
c-po claimed this task.
c-po triaged this task as High priority.
This comment was removed by Viacheslav.
Viacheslav added a comment.EditedFri, Nov 13, 1:41 PM

In the new version client configuration

vyos@r4-roll:~$ sudo cat /run/openvpn/vtun10.conf | grep proto
proto tcp-active
vyos@r4-roll:~$

In VyOS 1.3-rolling-202010151549

$  sudo cat /run/openvpn/vtun10.conf | grep proto
proto tcp-client

Not sure, but it is the server section in the template:
https://github.com/vyos/vyos-1x/blob/current/data/templates/openvpn/server.conf.tmpl#L16

c-po changed the task status from In progress to Needs testing.Fri, Nov 13, 1:57 PM
kroy added a subscriber: kroy.Fri, Nov 13, 4:18 PM

The check on DH length is backwards.

Fix is: https://github.com/vyos/vyos-1x/pull/605

Viacheslav added a comment.EditedFri, Nov 13, 5:30 PM

Server conf

set interfaces openvpn vtun0 encryption cipher 'aes256gcm'
set interfaces openvpn vtun0 encryption disable-ncp
set interfaces openvpn vtun0 hash 'sha512'
set interfaces openvpn vtun0 local-host '100.64.0.1'
set interfaces openvpn vtun0 local-port '1194'
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 openvpn-option 'tls-version-min 1.3'
set interfaces openvpn vtun0 openvpn-option 'comp-lzo no'
set interfaces openvpn vtun0 persistent-tunnel
set interfaces openvpn vtun0 protocol 'tcp-passive'
set interfaces openvpn vtun0 server client client1 ip '10.10.3.2'
set interfaces openvpn vtun0 server client client1 subnet '10.10.3.0/29'
set interfaces openvpn vtun0 server client client1 subnet '10.20.0.0/16'
set interfaces openvpn vtun0 server subnet '10.10.3.0/29'
set interfaces openvpn vtun0 server topology 'subnet'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/ovpn/central.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/ovpn/dh.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/ovpn/central.key'

Client conf

set interfaces openvpn vtun10 encryption cipher 'aes256gcm'
set interfaces openvpn vtun10 encryption disable-ncp
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 mode 'client'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'tcp-active'
set interfaces openvpn vtun10 remote-host '100.64.0.1'
set interfaces openvpn vtun10 remote-port '1194'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interfaces openvpn vtun10 tls cert-file '/config/auth/ovpn/branch1.crt'
set interfaces openvpn vtun10 tls key-file '/config/auth/ovpn/branch1.key'
set interfaces openvpn vtun10 use-lzo-compression

Server log

Nov 13 19:26:30 r5 systemd[1]: Starting OpenVPN connection to vtun0...
Nov 13 19:26:30 r5 openvpn-vtun0[18089]: DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5.
Nov 13 19:26:30 r5 openvpn-vtun0[18089]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Nov 13 19:26:30 r5 openvpn-vtun0[18089]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Nov 13 19:26:30 r5 openvpn-vtun0[18089]: MANAGEMENT: unix domain socket listening on /run/openvpn/openvpn-mgmt-intf
Nov 13 19:26:30 r5 systemd[1]: Started OpenVPN connection to vtun0.
Nov 13 19:26:30 r5 openvpn-vtun0[18089]: Diffie-Hellman initialized with 2048 bit key
Nov 13 19:26:30 r5 openvpn-vtun0[18089]: RESOLVE: Cannot resolve host address: 100.64.0.1:1194 (Address family for hostname not supported)
Nov 13 19:26:30 r5 openvpn-vtun0[18089]: Exiting due to fatal error
Nov 13 19:26:30 r5 systemd[1]: openvpn@vtun0.service: Main process exited, code=exited, status=1/FAILURE
Nov 13 19:26:30 r5 systemd[1]: openvpn@vtun0.service: Failed with result 'exit-code'.
Nov 13 19:26:35 r5 zebra[916]: if_zebra_speed_update: vtun0 old speed: 0 new speed: 10
Nov 13 19:26:35 r5 systemd[1]: openvpn@vtun0.service: Service RestartSec=5s expired, scheduling restart.
Nov 13 19:26:35 r5 systemd[1]: openvpn@vtun0.service: Scheduled restart job, restart counter is at 3.
Nov 13 19:26:35 r5 systemd[1]: Stopped OpenVPN connection to vtun0.

Client log

Nov 13 19:22:13 r4-roll openvpn-vtun10[3638]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Nov 13 19:22:13 r4-roll openvpn-vtun10[3638]: RESOLVE: Cannot resolve host address: 100.64.0.1:1194 (Address family for hostname not supported)
Nov 13 19:22:13 r4-roll openvpn-vtun10[3638]: RESOLVE: Cannot resolve host address: 100.64.0.1:1194 (Address family for hostname not supported)
Nov 13 19:22:13 r4-roll openvpn-vtun10[3638]: Could not determine IPv4/IPv6 protocol
Nov 13 19:22:13 r4-roll openvpn-vtun10[3638]: SIGUSR1[soft,init_instance] received, process restarting
Nov 13 19:22:13 r4-roll openvpn-vtun10[3638]: Restart pause, 5 second(s)
Viacheslav added a comment.EditedFri, Nov 13, 5:48 PM

Fix for "remote-host" on client side
PR https://github.com/vyos/vyos-1x/pull/606

It was there before openvpn was rewritten to use a dict:
https://github.com/vyos/vyos-1x/blob/b2c61e2127d83cc0a0e27092462b62c2e8e7eaa1/src/conf_mode/interfaces-openvpn.py#L860-L861

Without it, we get a failure on the client side.

vyos@r4-roll# commit
[ interfaces openvpn vtun10 ]
{'auth_user_pass_file': '/run/openvpn/vtun10.pw',
 'daemon_group': 'openvpn',
 'daemon_user': 'openvpn',
 'device_type': 'tun',
 'encryption': {'cipher': 'aes256gcm', 'disable_ncp': {}},
 'hash': 'sha512',
 'ifname': 'vtun10',
 'keep_alive': {'failure_count': '60', 'interval': '10'},
 'mode': 'client',
 'persistent_tunnel': {},
 'protocol': 'tcp-active',
 'remote_host': ['100.64.0.1'],
 'remote_port': '1194',
 'server': {'topology': 'net30'},
 'tls': {'ca_cert_file': '/config/auth/ovpn/ca.crt',
         'cert_file': '/config/auth/ovpn/branch1.crt',
         'key_file': '/config/auth/ovpn/branch1.key'},
 'use_lzo_compression': {}}
Must specify "remote-host" with "tcp-active"

[[interfaces openvpn vtun10]] failed
Commit failed
[edit]
vyos@r4-roll#
c-po closed this task as Resolved.Fri, Nov 20, 11:58 AM
danielpo added a comment.EditedFri, Nov 20, 5:20 PM

Now this error appears when trying the latest image:

Nov 20 18:19:57 firewall openvpn-vtun0[5971]: Options error: --auth-user-pass fails with '/run/openvpn/vtun0.pw': No such file or directory (errno=2)
Nov 20 18:19:57 firewall openvpn-vtun1[5974]: WARNING: cannot stat file '/run/openvpn/vtun1.pw': No such file or directory (errno=2)

When adding the pw files manually, I get this error:

openvpn-vtun0[7473]: RESOLVE: Cannot resolve host address: 1.2.3.4:1195 (Address family for hostname not supported)

The problem is in vtun0.conf: the protocol is specified as tcp6-client, and I'm using IPv4.

c-po added a comment.Fri, Nov 20, 10:58 PM

Please show us your config

c-po reopened this task as Open.Fri, Nov 20, 10:58 PM
authentication {
    password xxxx
    username xxxxx
}
device-type tun
encryption {
    cipher aes256
}
firewall {
    in {
        ipv6-name DENYv6_IN
        name DENY_IN
    }
    local {
        ipv6-name DENYv6_IN
        name DENY_IN
    }
}
hash sha256
mode client
openvpn-option "key-direction 1"
openvpn-option route-nopull
persistent-tunnel
protocol tcp-active
remote-host 1.2.3.4
remote-host 1.2.3.5
remote-port 1195
tls {
    ca-cert-file /config/auth/cert.ca
    auth-file  /config/auth/tls-auth
    tls-version-min 1.2
}
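The two failure modes discussed in this thread (the VyOS protocol keywords tcp-passive/tcp-active having to be mapped onto the OpenVPN --proto names, and the rendered proto being pinned to the wrong address family, e.g. tcp6-client for an IPv4 remote-host, which OpenVPN reports as "Address family for hostname not supported") can be checked with a small standalone script. The following is an added example written for this page, not code from vyos-1x or from the PRs linked above. It assumes the dict layout shown in the commit output earlier in the thread (keys such as protocol, mode, remote_host, local_host), the mapping tcp-passive → tcp-server and tcp-active → tcp-client, and the OpenVPN 2.4 rule that the address family goes after the transport name (udp4, tcp4-client, tcp6-server); the address-family selection logic is the example's own, not VyOS's.

```python
import ipaddress

# VyOS CLI protocol keyword -> (OpenVPN transport, OpenVPN role suffix).
# Assumption: 'tcp-passive' is the listening side, 'tcp-active' the connecting
# side, matching the server/client configs posted in this thread.
VYOS_TO_OPENVPN_PROTO = {
    "udp": ("udp", ""),
    "tcp-passive": ("tcp", "-server"),
    "tcp-active": ("tcp", "-client"),
}


class ConfigError(Exception):
    """Raised for a config that must fail the commit."""


def address_family(hosts):
    """Return '4', '6' or '' for a list of host strings.

    '' means: let OpenVPN resolve and pick the family itself (hostname given,
    no hosts at all, or a mix of IPv4 and IPv6 literals). Pinning the family
    from a literal avoids rendering tcp6-client for an IPv4-only peer.
    """
    versions = set()
    for host in hosts:
        try:
            versions.add(ipaddress.ip_address(host).version)
        except ValueError:
            return ""  # a DNS name, not an address literal
    if versions == {4}:
        return "4"
    if versions == {6}:
        return "6"
    return ""


def verify(config):
    """Reject configs that would fail at OpenVPN start-up. Returns True."""
    proto = config.get("protocol", "udp")
    if proto not in VYOS_TO_OPENVPN_PROTO:
        raise ConfigError(f'Unknown protocol "{proto}"')
    # The error text quoted in the thread: tcp-active is the connecting side,
    # so it needs something to connect to.
    if proto == "tcp-active" and not config.get("remote_host"):
        raise ConfigError('Must specify "remote-host" with "tcp-active"')
    if config.get("mode") == "client" and not config.get("remote_host"):
        raise ConfigError('Must specify "remote-host" in client mode')
    return True


def is_valid(config):
    """Boolean wrapper around verify() for callers that do not want exceptions."""
    try:
        verify(config)
    except ConfigError:
        return False
    return True


def render_proto(config):
    """Render the 'proto ...' line that would go into /run/openvpn/<ifname>.conf."""
    verify(config)
    transport, role = VYOS_TO_OPENVPN_PROTO[config.get("protocol", "udp")]
    hosts = list(config.get("remote_host", []))
    if config.get("local_host"):
        hosts.append(config["local_host"])
    return f"proto {transport}{address_family(hosts)}{role}"


# Constructed sample configs, shaped like the dict dump shown in the thread.
CLIENT_VTUN10 = {
    "ifname": "vtun10", "mode": "client", "protocol": "tcp-active",
    "remote_host": ["100.64.0.1"], "remote_port": "1194",
}
SERVER_VTUN0 = {
    "ifname": "vtun0", "mode": "server", "protocol": "tcp-passive",
    "local_host": "100.64.0.1", "local_port": "1194",
}
CLIENT_NO_REMOTE = {
    "ifname": "vtun10", "mode": "client", "protocol": "tcp-active",
}
CLIENT_V6 = {
    "ifname": "vtun20", "mode": "client", "protocol": "tcp-active",
    "remote_host": ["2001:db8::1"],  # constructed documentation address
}

if __name__ == "__main__":
    for cfg in (CLIENT_VTUN10, SERVER_VTUN0, CLIENT_V6, CLIENT_NO_REMOTE):
        try:
            print(cfg["ifname"], "->", render_proto(cfg))
        except ConfigError as exc:
            print(cfg["ifname"], "-> commit failed:", exc)
```

Running the script prints tcp4-client for the vtun10 client and tcp4-server for the vtun0 server, a tcp6-client line only when the remote is an IPv6 literal, and the same "Must specify remote-host" failure quoted in the thread for the config with no remote-host. Feeding a real /run/openvpn/vtunX.conf into `grep proto`, as done above, and comparing with the family of the configured peer is the quickest manual check for the IPv4/IPv6 mismatch.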
c-po added a comment.Sat, Nov 21, 12:24 PM

@danielpo thanks for the config. A new rolling containing a fix for this issue was just published. A smoketest will be added today to ensure this won't happen again.

Thanks, works now.

c-po closed this task as Resolved.Sat, Nov 21, 4:35 PM
c-po changed the status of subtask T3074: openvpn site-to-site dosn't work from Open to Needs testing.Mon, Nov 23, 10:44 AM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Mon, Nov 23, 3:28 PM