
OpenVPN: unable to commit changes when the interface is down/unknown state
In progress, High, Public, BUG

Description

The error below is received when the OpenVPN tunnel is in an unknown state and any change (i.e. set/delete related to the tunnel) needs to be made; it says that the tunnel doesn't exist. Making changes should not depend on the tunnel status.
As a workaround, I stopped the openvpn service and then I was able to commit the changes.

vyos@vyos# run show interfaces openvpn detail
vtun10: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.10.0.1/24 scope global vtun10
       valid_lft forever preferred_lft forever

    RX:  bytes  packets  errors  dropped  overrun       mcast
             0        0       0        0        0           0
    TX:  bytes  packets  errors  dropped  carrier  collisions
           152        2       0        0        0           0
[edit]
vyos@vyos# comp
[edit interfaces openvpn vtun10 server]
+client gmillet_external {
+}
[edit]
vyos@vyos# sudo ip -json -detail link list dev vtun10
[{"ifindex":7,"ifname":"vtun10","flags":["POINTOPOINT","MULTICAST","NOARP","UP","LOWER_UP"],"mtu":1500,"qdisc":"pfifo_fast","operstate":"UNKNOWN","linkmode":"DEFAULT","group":"default","txqlen":500,"link_type":"none","promiscuity":0,"min_mtu":68,"max_mtu":65535,"linkinfo":{"info_kind":"tun","info_data":{"type":"tun","pi":false,"vnet_hdr":false,"multi_queue":false,"persist":false}},"inet6_addr_gen_mode":"none","num_tx_queues":1,"num_rx_queues":1,"gso_max_size":65536,"gso_max_segs":65535}]


vyos@vyos# commit
[ interfaces openvpn vtun10 ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Contact us using the online help desk if you have a subscription:
  https://support.vyos.io/
- Make sure you are running the latest version of VyOS available at:
  https://vyos.net/get/
- Consult the community forum to see how to handle this issue:
  https://forum.vyos.io
- Join us on Slack where our users exchange help and advice:
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your
  business policy requires it)
- and include all the information presented below

Report time:      2022-11-30 11:13:06
Image version:    VyOS 1.3.2
Release train:    equuleus

Built by:         Sentrium S.L.
Built on:         Mon 05 Sep 2022 09:23 UTC
Build UUID:       1ceaab3a-4f4e-4692-b551-7c05e1da0a77
Build commit ID:  7ce86511888635

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID:    942ffd0e-8357-455f-878a-7bf236819378

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/interfaces-openvpn.py", line 546, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/interfaces-openvpn.py", line 536, in apply
    o.update(openvpn)
  File "/usr/lib/python3/dist-packages/vyos/ifconfig/interface.py", line 1269, in update
    self.set_alias(config.get('description', ''))
  File "/usr/lib/python3/dist-packages/vyos/ifconfig/interface.py", line 787, in set_alias
    tmp = self.get_interface('alias')
  File "/usr/lib/python3/dist-packages/vyos/ifconfig/control.py", line 176, in get_interface
    return self._get_command(self.config, name)
  File "/usr/lib/python3/dist-packages/vyos/ifconfig/control.py", line 59, in _get_command
    return self._command_get[name].get('format', lambda _: _)(self._cmd(cmd))
  File "/usr/lib/python3/dist-packages/vyos/ifconfig/control.py", line 52, in _cmd
    return cmd(command, self.debug)
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 161, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: ip -json -detail link list dev vtun10
returned:
exit code: 1

noteworthy:
cmd 'ip -json -detail link list dev vtun10'
returned (out):

returned (err):
Device "vtun10" does not exist.

[[interfaces openvpn vtun10]] failed
Commit failed


Workaround:

vyos@vyos# sudo systemctl stop openvpn.service
[edit]
vyos@vyos# comp
[edit interfaces openvpn vtun10 server]
+client gmillet_external {
+}
[edit]
vyos@vyos# commit
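As an added illustration (not VyOS code and not part of the report above): the traceback shows that apply() calls set_alias(), which unconditionally runs `ip -json -detail link list dev vtun10` and turns a non-zero exit into an OSError, so a tun device that is absent at that moment aborts the whole commit, even though the same `ip` command succeeded from the shell a moment earlier. The block below reproduces that failure mode offline with a constructed fake `ip` runner and contrasts it with a guarded variant that checks for the kernel device first. The FAKE_LINKS table, fake_ip_cmd, fake_exists, the "site-a" alias value and the skipped/unchanged/updated return values are assumptions made for the demonstration; `ifalias` is the key iproute2 uses for the alias in its JSON output.

```python
import json
import os
import shlex
import subprocess
from typing import Callable

# Constructed stand-in for the JSON that `ip -json -detail link list dev vtun10`
# returns (trimmed from the report's output). The "ifalias" key is iproute2's JSON
# name for the interface alias; the value "site-a" is an assumption for the demo.
FAKE_LINKS = {
    "vtun10": [{"ifindex": 7, "ifname": "vtun10",
                "flags": ["POINTOPOINT", "MULTICAST", "NOARP", "UP", "LOWER_UP"],
                "operstate": "UNKNOWN", "linkinfo": {"info_kind": "tun"},
                "ifalias": "site-a"}],
}

LIST_PREFIX = "ip -json -detail link list dev "
SET_PREFIX = "ip link set dev "


def fake_ip_cmd(command: str) -> str:
    """Offline stand-in for vyos.util.cmd(): returns stdout, or raises OSError(1, ...)
    the way the traceback shows when the device is gone. Handles only the two
    `ip` forms used in this example."""
    if command.startswith(LIST_PREFIX):
        ifname = command[len(LIST_PREFIX):]
        if ifname in FAKE_LINKS:
            return json.dumps(FAKE_LINKS[ifname])
    elif command.startswith(SET_PREFIX):
        ifname = shlex.split(command)[4]
        if ifname in FAKE_LINKS:
            return ""
    else:
        raise ValueError(f"unsupported command in fake runner: {command}")
    raise OSError(1, f"failed to run command: {command}\n"
                     f'returned (err):\nDevice "{ifname}" does not exist.')


def real_ip_cmd(command: str) -> str:
    """Run a real `ip` command; same contract as fake_ip_cmd (`set` needs root)."""
    proc = subprocess.run(shlex.split(command), capture_output=True, text=True)
    if proc.returncode != 0:
        raise OSError(proc.returncode,
                      f"failed to run command: {command}\nreturned (err):\n{proc.stderr}")
    return proc.stdout


def get_alias_unguarded(ifname: str, run: Callable[[str], str] = fake_ip_cmd) -> str:
    """The pattern in the traceback: query `ip` unconditionally. If the kernel device
    is absent when this runs, the OSError propagates and the whole commit fails."""
    link = json.loads(run(LIST_PREFIX + ifname))[0]
    return link.get("ifalias", "")


def sysfs_exists(ifname: str, sysfs: str = "/sys/class/net") -> bool:
    """Existence check that needs no root: every netdev has a sysfs directory."""
    return os.path.isdir(os.path.join(sysfs, ifname))


def fake_exists(ifname: str) -> bool:
    """Existence check consistent with the constructed FAKE_LINKS table."""
    return ifname in FAKE_LINKS


def set_alias_guarded(ifname: str, alias: str,
                      run: Callable[[str], str] = fake_ip_cmd,
                      exists: Callable[[str], bool] = sysfs_exists) -> str:
    """Illustrative hardened variant (not VyOS's own code): check that the device
    exists before touching it, so an absent tun device (e.g. while the OpenVPN
    process is stopped or restarting) skips the alias step instead of aborting
    the commit. Returns what happened so callers can log or assert on it."""
    if not exists(ifname):
        return "skipped"
    if get_alias_unguarded(ifname, run) == alias:
        return "unchanged"
    run(f"{SET_PREFIX}{ifname} alias {shlex.quote(alias)}")
    return "updated"


if __name__ == "__main__":
    # Device present: both paths work.
    print(get_alias_unguarded("vtun10"),
          set_alias_guarded("vtun10", "site-a", exists=fake_exists))
    # Device absent: the unguarded path raises like the report, the guarded path skips.
    try:
        get_alias_unguarded("vtun11")
    except OSError as exc:
        print("unguarded:", exc)
    print("guarded:", set_alias_guarded("vtun11", "site-b", exists=fake_exists))
```

Note that the `state UNKNOWN` shown by `ip link` is the normal operstate of a tun device on Linux and is not itself the error; what fails in the traceback is the lookup of a device that is no longer present at the moment the alias step of apply() runs. On a real box, pass `run=real_ip_cmd` and leave `exists` at its sysfs default.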

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.3.2
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Event Timeline

c-po changed the task status from Open to In progress. Jan 22 2023, 7:26 AM
c-po claimed this task.

Hi @SrividyaA,

can you provide me a full configuration so I can test and debug the issue?

Tested in a server/client setup:

Used easyrsa to generate the certificates:

cp -r /usr/share/easy-rsa/ /config/my-easy-rsa-config
cd /config/my-easy-rsa-config
mv vars.example vars
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req central nopass
./easyrsa sign-req server central
./easyrsa gen-dh
./easyrsa build-client-full branch1 nopass


sudo mkdir /config/auth/openvpn
sudo cp pki/ca.crt /config/auth/openvpn
sudo cp pki/dh.pem /config/auth/openvpn
sudo cp pki/private/central.key /config/auth/openvpn
sudo cp pki/issued/central.crt /config/auth/openvpn

Copied the client cert and key in the client device.

Server configuration:

set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 local-host '192.0.2.2'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server client branch1 ip '10.10.0.10'
set interfaces openvpn vtun10 server subnet '10.10.0.0/24'
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/openvpn/ca.crt'
set interfaces openvpn vtun10 tls cert-file '/config/auth/openvpn/central.crt'
set interfaces openvpn vtun10 tls dh-file '/config/auth/openvpn/dh.pem'
set interfaces openvpn vtun10 tls key-file '/config/auth/openvpn/central.key'
set interfaces openvpn vtun10 use-lzo-compression

Client:

set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 mode 'client'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 remote-host '192.0.2.2'
set interfaces openvpn vtun10 remote-port '1194'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/openvpn/ca.crt'
set interfaces openvpn vtun10 tls cert-file '/config/auth/openvpn/branch1.crt'
set interfaces openvpn vtun10 tls key-file '/config/auth/openvpn/branch1.key'
set interfaces openvpn vtun10 use-lzo-compression

To put the tunnel into the unknown state, I tried a reboot or making the client unreachable.

Does it fail on the client or on the server? I am unable to reproduce this given the instructions above.

It fails on the server. I have reproduced the issue in our internal lab. Will share the details.

n.fort raised the priority of this task from Normal to High. Apr 22 2024, 2:52 PM
n.fort subscribed.

Any news about this issue @SrividyaA and @c-po ?