[SOLVED] Turnkey Linux OpenVPN template issues?

mattlach

Renowned Member
Mar 23, 2016
Boston, MA
Hey all,

Can anyone help me troubleshoot this? I downloaded the turnkey linux openvpn template from the PVE web interface and installed it into a new LXC container.

I believe I set it up as a host correctly using the first time configuration in the console, and my port forward rule for port 1194 on my pfSense firewall/router LOOKS good, but when I create a cert and put it on a client computer, it just times out without being able to make a connection:

Code:
matt@LXDE01:~/Certs$ sudo openvpn --config ubuntu_box.ovpn
Wed Jan  4 11:43:44 2017 OpenVPN 2.3.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2016
Wed Jan  4 11:43:44 2017 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Wed Jan  4 11:43:44 2017 Control Channel Authentication: tls-auth using INLINE static key file
Wed Jan  4 11:43:44 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan  4 11:43:44 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan  4 11:43:44 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jan  4 11:43:44 2017 UDPv4 link local: [undef]
Wed Jan  4 11:43:44 2017 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Wed Jan  4 11:44:44 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jan  4 11:44:44 2017 TLS Error: TLS handshake failed
Wed Jan  4 11:44:44 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed Jan  4 11:44:44 2017 Restart pause, 2 second(s)
Wed Jan  4 11:44:46 2017 Control Channel Authentication: tls-auth using INLINE static key file
Wed Jan  4 11:44:46 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan  4 11:44:46 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan  4 11:44:46 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jan  4 11:44:46 2017 UDPv4 link local: [undef]
Wed Jan  4 11:44:46 2017 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Wed Jan  4 11:45:46 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jan  4 11:45:46 2017 TLS Error: TLS handshake failed
Wed Jan  4 11:45:46 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed Jan  4 11:45:46 2017 Restart pause, 2 second(s)

Can anyone suggest any troubleshooting steps? I'm not that seasoned with openVPN so I'm not quite sure where to start, and would appreciate any help.

Thanks,
Matt
 
Hi,

the /dev/net/tun is not available

you can make a tun dev or
make a bind mount from the host to the container.

make a tun dev
Code:
service openvpn stop
mkdir /dev/net
mknod /dev/net/tun c 10 200
chmod 666 /dev/net/tun
service openvpn start
 


Much appreciated. I will try these now.

I'm curious though, since the tar.gz packages on turnkey linux are specifically for LXC use, is there a reason they don't create these on their own?

--Matt
 


Hmm. After doing these steps, restarting the OpenVPN service fails.

Code:
# service openvpn start
[FAIL] Starting virtual private network daemon: server failed!

I wanted to look in /var/log/openvpn for the log files to see what went wrong, but the folder is empty.

I have tried rebooting (the container, not the server) and it still doesn't work.

Any ideas?

Thanks,
Matt
 
Maybe the solution here is to run an OpenVPN server inside of a VM instead? I had hoped to do it in a container for the sake of efficiency (particularly when it comes to RAM, I have more CPU capacity than I know what to do with).

If I were to put an Ubuntu Server LTS install in a VM, I wonder what the minimum amount of RAM I can get away with assigning for a dedicated OpenVPN VM might be, without having it swapping all the time. 512MB? Less?
 
Hi can you send the output of
Code:
cd /etc/openvpn
openvpn serverconfig

Then you must get a good error msg
 
Go to dir /etc/openvpn

Code:
cd /etc/openvpn

stop the openvpn service
Code:
service openvpn stop

start openvpn manually
Code:
openvpn server.conf

now you get output from openvpn and see if something goes wrong.
 

Wolfgang,

Thank you for your explanation.

Looks like the tun device is the issue again.

Code:
Tue Jan 10 15:34:01 2017 us=118810 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
Tue Jan 10 15:34:01 2017 us=118852 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Tue Jan 10 15:34:01 2017 us=120107 Diffie-Hellman initialized with 2048 bit key
Tue Jan 10 15:34:01 2017 us=122102 Control Channel Authentication: using '/etc/openvpn/easy-rsa/keys/ta.key' as a OpenVPN static key file
Tue Jan 10 15:34:01 2017 us=122147 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 10 15:34:01 2017 us=122168 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 10 15:34:01 2017 us=122218 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Jan 10 15:34:01 2017 us=122261 Socket Buffers: R=[212992->131072] S=[212992->131072]
Tue Jan 10 15:34:01 2017 us=122403 ROUTE_GATEWAY xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx IFACE=eth0 HWADDR=0a:f9:91:f7:f0:76
Tue Jan 10 15:34:01 2017 us=122448 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Tue Jan 10 15:34:01 2017 us=122467 Exiting due to fatal error

I know I created it per your directions above, but when I go check, it is missing. Does it have to be created again on every reboot of the container?

Is there a good way to automate this? I could put your directions on how to create the tun above into a script, and run it through cron on boot, but am I assured that it will run before the OpenVPN service starts if I do this?

Thanks again for all your help,
Matt
 
I know I created it per your directions above, but when I go check, it is missing. Does it have to be created again on every reboot of the container?
yes

make an LSB init script like this and save it in /etc/init.d/tun

Code:
#! /bin/sh
### BEGIN INIT INFO
# Provides:          tun
# Required-Start:    $network
# Required-Stop:     $openvpn
# Default-Start:     S 1 2
# Default-Stop:      0 6
# Short-Description: Make a tun device.
# Description:       Create a tundev for openvpn
### END INIT INFO

# Actions
case "$1" in
    start)
        # -p and the -c test make this safe to run more than once per boot
        mkdir -p /dev/net
        [ -c /dev/net/tun ] || mknod /dev/net/tun c 10 200
        chmod 666 /dev/net/tun
        ;;
    stop)
        rm -f /dev/net/tun
        rmdir /dev/net 2>/dev/null
        ;;
    restart)
        #do nothing!
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}" >&2
        exit 1
        ;;
esac

exit 0

And activate it
Code:
chmod 755 /etc/init.d/tun
update-rc.d tun defaults
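An added example, not code from the thread: an idempotent, self-checking version of the device creation that can replace the bare mkdir/mknod in the start) branch of the init script above. It assumes GNU coreutils (stat -c, mknod -m) as shipped by the Debian-based TurnKey template; the TUN_DEV variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent creation and verification of
# /dev/net/tun inside an LXC container. Unlike a bare mknod it can run at every
# boot, and it reports why it failed instead of just failing.
# Assumes GNU coreutils (stat -c, mknod -m). TUN_DEV is a variable only so the
# checks below can be exercised against other paths.
TUN_DEV=${TUN_DEV:-/dev/net/tun}

# tun_node_ok MAJOR_HEX MINOR_HEX: true when the numbers are the TUN/TAP misc
# device (major 10 = 0xa, minor 200 = 0xc8) in the hex form `stat -c '%t %T'`
# prints.
tun_node_ok() {
    [ "$1" = "a" ] && [ "$2" = "c8" ]
}

# tun_dev_check PATH: 0 if PATH is a character device with major 10 / minor
# 200, 1 if PATH does not exist, 2 if it exists but is the wrong node.
tun_dev_check() {
    [ -e "$1" ] || return 1
    [ -c "$1" ] || return 2
    set -- $(stat -c '%t %T' "$1")
    tun_node_ok "$1" "$2" || return 2
}

# ensure_tun_dev: create the node only if it is missing; refuse to clobber a
# path that exists but is something else. Mode 0600 suffices because openvpn
# opens the device as root at startup (keep persist-tun if you also drop
# privileges with user/group); the thread's 666 also works but lets every
# local user open the device.
ensure_tun_dev() {
    rc=0; tun_dev_check "$TUN_DEV" || rc=$?
    case $rc in
        0) return 0 ;;
        2) echo "$TUN_DEV exists but is not the tun device, not touching it" >&2
           return 2 ;;
    esac
    mkdir -p "$(dirname "$TUN_DEV")" || return 1
    mknod -m 600 "$TUN_DEV" c 10 200 || return 1
    tun_dev_check "$TUN_DEV"
}

# Mirrors the init script interface: `sh ensure_tun.sh start` creates and
# verifies the device, exiting non-zero with a reason on failure.
if [ "${1-}" = "start" ]; then
    ensure_tun_dev && echo "$TUN_DEV ok"
fi
```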
 


Wolfgang,

greatly appreciated.

Thank you very much.

--Matt
 
One more question if you don't mind, since you seem very knowledgeable about these things.

I followed this guide in order to tunnel all of my traffic through the VPN.

My OpenVPN LXC resides on the 10.0.1.0/24 subnet, and my OpenVPN tun subnet is 10.0.5.0/24, so I replaced the IP addresses respectively in the iptables entries.

All traffic now flows through the VPN which is good, but I can't seem to get DNS to work through the VPN.

I first tried my internal DNS (10.0.1.1) in the server.conf file with push "dhcp-option DNS 10.0.1.1"

Then I tried instead adding Google's DNS (8.8.8.8 and 8.8.4.4) to no avail.

When my client is connected to the VPN I can still not reach the DNS.

I THINK I can actually reach the outside world (if I ping using IPs only I get responses), but DNS just doesn't seem to work.

Any suggestions?

Thanks,
Matt
 


Never mind, this solved my DNS problems.

Thanks for all of your help. I'm marking this as solved now. Hopefully it will help others in the future.

--Matt
 
