
2nd openvpn vtun not getting started
Closed, Invalid (Public)

Description

The first vtun0 gets started normally, the 2nd one commits without errors but no daemon is started, no vtun1.conf or ccd/vtun1 is created in /run/openvpn and nothing about vtun1 is in the journal.

# sudo systemctl status openvpn@vtun1
● openvpn@vtun1.service - OpenVPN connection to vtun1
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/openvpn@.service.d
           └─override.conf
   Active: inactive (dead)
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
Apr 13 12:50:33 rt-home sudo[7558]:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/usr/bin/mv /tmp/config.boot.7552 /opt/vyatta/etc/config/archive/config.boot
Apr 13 12:50:31 rt-home systemd[1]: opt-vyatta-config-tmp-new_config_3152.mount: Succeeded.
Apr 13 12:50:30 rt-home sudo[7525]: pam_unix(sudo:session): session closed for user root
Apr 13 12:50:28 rt-home sudo[7525]: pam_unix(sudo:session): session opened for user root by vyos(uid=0)
Apr 13 12:50:28 rt-home sudo[7525]:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/usr/bin/sh -c VYOS_TAGNODE_VALUE='vtun1' /usr/libexec/vyos/conf_mode/interfaces-openvpn.py

Details

Difficulty level: Unknown (require assessment)
Version: 1.3-rolling-202004120117
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

jjakob assigned this task to c-po.
jjakob triaged this task as High priority.
jjakob created this object in space S1 VyOS Public.

Can you share a configuration with me?

Using the following configuration on 1.3-rolling-202004131043 I see two tunnels running:

set interfaces openvpn vtun10 description 'foo baaaaaz'
set interfaces openvpn vtun10 local-address 10.255.1.1
set interfaces openvpn vtun10 local-host '172.18.204.10'
set interfaces openvpn vtun10 local-port '3000'
set interfaces openvpn vtun10 mode 'site-to-site'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 remote-address '10.255.1.2'
set interfaces openvpn vtun10 remote-host '172.18.201.10'
set interfaces openvpn vtun10 remote-port '3000'
set interfaces openvpn vtun10 shared-secret-key-file '/config/auth/openvpn-1.key'


set interfaces openvpn vtun20 description 'foo bar baz'
set interfaces openvpn vtun20 local-address 10.255.2.1
set interfaces openvpn vtun20 local-host '172.18.204.10'
set interfaces openvpn vtun20 local-port '2000'
set interfaces openvpn vtun20 mode 'site-to-site'
set interfaces openvpn vtun20 persistent-tunnel
set interfaces openvpn vtun20 protocol 'udp'
set interfaces openvpn vtun20 remote-address '10.255.1.2'
set interfaces openvpn vtun20 remote-host '172.18.201.10'
set interfaces openvpn vtun20 remote-port '2000'
set interfaces openvpn vtun20 shared-secret-key-file '/config/auth/openvpn-1.key'

openvpn   4078  0.2  0.1  11784  6804 ?        Ss   13:57   0:00 /usr/sbin/openvpn --daemon openvpn-vtun10 --config vtun10.conf --status vtun10.status 30 --writepid vtun10.pid
openvpn   4122  0.0  0.1  11784  6848 ?        Ss   13:57   0:00 /usr/sbin/openvpn --daemon openvpn-vtun20 --config vtun20.conf --status vtun20.status 30 --writepid vtun20.pid
vyos@rt-home# show openvpn 
 openvpn vtun0 {
     encryption {
         ncp-ciphers aes256gcm
     }
     hash sha512
     keep-alive {
         failure-count 60
         interval 59
     }
     mode server
     persistent-tunnel
     server {
         client jernej-note3 {
             ip x.x..7.10
         }
         client-ip-pool {
             start x.x.7.127
         }
         domain-name home
         max-connections 10
         push-route x.x.0.0/24
         subnet x.x.7.0/24
         topology subnet
     }
     tls {
         ca-cert-file /config/auth/openvpn/ca.crt
         cert-file /config/auth/openvpn/rt-home.crt
         crypt-file /config/auth/openvpn/tls.key
         key-file /config/auth/openvpn/rt-home.key
     }
 }
 openvpn vtun1 {
     description b
     device-type tun
     disable
     encryption {
         ncp-ciphers aes256gcm
     }
     hash sha512
     keep-alive {
         failure-count 60
         interval 59
     }
     local-port 1195
     mode server
     persistent-tunnel
     server {
         client jernej-note3 {
             ip x.x.8.10
         }
         client-ip-pool {
             start x.x.8.6
             stop x.x.0.3
         }
         domain-name home
         max-connections 10
         push-route x.x.0.0/24
         subnet x.x.8.0/24
         topology subnet
     }
     tls {
         ca-cert-file /config/auth/openvpn/ca.crt
         cert-file /config/auth/openvpn/rt-home.crt
         crypt-file /config/auth/openvpn/tls.key
         key-file /config/auth/openvpn/rt-home.key
     }
 }
[edit interfaces]

I tried removing client-ip-pool in case it was an issue with it; no difference.

vyos@rt-home# delete openvpn vtun1 server client-ip-pool 
[edit interfaces]
vyos@rt-home# commit
[ interfaces openvpn vtun1 ]
Warning: Client "jernej-note3" IP x.x.8.10 is in server IP pool, it is not reserved for this client.
Diffie-Hellman prime file is unspecified, assuming ECDH


[edit interfaces]
vyos@rt-home# ps afx|grep vpn
 2204 ?        Ss     0:00 /usr/sbin/openvpn --daemon openvpn-vtun0 --config vtun0.conf --status vtun0.status 30 --writepid vtun0.pid
 3370 pts/0    S+     0:00                      \_ grep vpn
[edit interfaces]

BTW this is 202004120117 with vyos-1x built from the PR for the pool addition today. I can try updating the whole image with a newer one, as the pool PR has now been merged.

jjakob moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.

Sorry for the noise, it was disabled. I forgot to save the config before upgrading, doh.
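The root cause here was a `disable` node on vtun1, which the commit accepts silently and which simply means no daemon gets started. Below is an added example, not code from this task or from vyos-1x, of the check that would have spotted it: a small Python script that parses the brace-style `show openvpn` output and a `ps` listing and reports, per configured interface, whether a daemon is running, whether the interface is disabled (so no daemon is expected), or whether it is enabled but has no daemon. The sample inputs are constructed (a trimmed copy of the config dump above plus the `ps afx | grep vpn` line), and the function names `parse_config_tree`, `openvpn_interfaces`, `running_daemons` and `diagnose` are my own.

```python
import re

# Constructed sample inputs: a trimmed copy of the `show openvpn` output from
# this task (x.x. is the reporter's own redaction) and one `ps afx | grep vpn` run.
SAMPLE_CONFIG = """\
 openvpn vtun0 {
     mode server
     persistent-tunnel
     server {
         subnet x.x.7.0/24
         topology subnet
     }
 }
 openvpn vtun1 {
     description b
     disable
     local-port 1195
     mode server
 }
[edit interfaces]
"""

SAMPLE_PS = """\
 2204 ?        Ss     0:00 /usr/sbin/openvpn --daemon openvpn-vtun0 --config vtun0.conf --status vtun0.status 30 --writepid vtun0.pid
 3370 pts/0    S+     0:00                      \\_ grep vpn
"""


def parse_config_tree(text):
    """Parse VyOS brace-style config output into nested dicts.

    A block line "name [tag] {" becomes nested dicts keyed by each word;
    a valueless leaf such as "disable" maps to None; "key value" maps to
    the value string. The trailing "[edit ...]" prompt line is skipped.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[edit"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = stack[-1]
            for word in line[:-1].split():
                node = node.setdefault(word, {})
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value if value else None
    return root


def openvpn_interfaces(tree):
    """Map each configured openvpn interface name to whether `disable` is set."""
    return {name: "disable" in node for name, node in tree.get("openvpn", {}).items()}


def running_daemons(ps_text):
    """Names of interfaces that have an `openvpn --daemon openvpn-<name>` process."""
    return set(re.findall(r"--daemon openvpn-(vtun\d+)", ps_text))


def diagnose(config_text, ps_text):
    """Classify every configured interface as running, disabled, or missing."""
    running = running_daemons(ps_text)
    report = {}
    for name, disabled in openvpn_interfaces(parse_config_tree(config_text)).items():
        if name in running:
            report[name] = "running"
        elif disabled:
            report[name] = "disabled: no daemon expected"
        else:
            report[name] = "MISSING: enabled in config but no daemon"
    return report


if __name__ == "__main__":
    for name, state in sorted(diagnose(SAMPLE_CONFIG, SAMPLE_PS).items()):
        print(f"{name}: {state}")
```

On a live router the two inputs would come from `show openvpn` under `[edit interfaces]` and from `ps afx`; the point of the three-way split is that a "disabled" result is expected behaviour, while "MISSING" is the case that actually warrants a look at the conf_mode script and the journal.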

erkin set Issue type to Bug (incorrect behavior). Aug 30 2021, 7:07 AM
erkin removed a subscriber: Active contributors.