[SOLVED] Turnkey Linux OpenVPN template issues?

Discussion in 'Proxmox VE: Networking and Firewall' started by mattlach, Jan 4, 2017.

  1. mattlach

    mattlach Member

    Joined:
    Mar 23, 2016
    Messages:
    145
    Likes Received:
    12
    Hey all,

    Can anyone help me troubleshoot this? I downloaded the turnkey linux openvpn template from the PVE web interface and installed it into a new LXC container.

    I believe I set it up as a host correctly using the first time configuration in the console, and my port forward rule for port 1194 on my pfSense firewall/router LOOKS good, but when I create a cert and put it on a client computer, it just times out without being able to make a connection:

    Code:
    matt@LXDE01:~/Certs$ sudo openvpn --config ubuntu_box.ovpn
    Wed Jan  4 11:43:44 2017 OpenVPN 2.3.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2016
    Wed Jan  4 11:43:44 2017 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
    Wed Jan  4 11:43:44 2017 Control Channel Authentication: tls-auth using INLINE static key file
    Wed Jan  4 11:43:44 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jan  4 11:43:44 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jan  4 11:43:44 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
    Wed Jan  4 11:43:44 2017 UDPv4 link local: [undef]
    Wed Jan  4 11:43:44 2017 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
    Wed Jan  4 11:44:44 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed Jan  4 11:44:44 2017 TLS Error: TLS handshake failed
    Wed Jan  4 11:44:44 2017 SIGUSR1[soft,tls-error] received, process restarting
    Wed Jan  4 11:44:44 2017 Restart pause, 2 second(s)
    Wed Jan  4 11:44:46 2017 Control Channel Authentication: tls-auth using INLINE static key file
    Wed Jan  4 11:44:46 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jan  4 11:44:46 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jan  4 11:44:46 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
    Wed Jan  4 11:44:46 2017 UDPv4 link local: [undef]
    Wed Jan  4 11:44:46 2017 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
    Wed Jan  4 11:45:46 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed Jan  4 11:45:46 2017 TLS Error: TLS handshake failed
    Wed Jan  4 11:45:46 2017 SIGUSR1[soft,tls-error] received, process restarting
    Wed Jan  4 11:45:46 2017 Restart pause, 2 second(s)
    
    Can anyone suggest any troubleshooting steps? I'm not that seasoned with openVPN so I'm not quite sure where to start, and would appreciate any help.

    Thanks,
    Matt
     
  2. wolfgang

    wolfgang Proxmox Staff Member
    Staff Member

    Joined:
    Oct 1, 2014
    Messages:
    3,987
    Likes Received:
    240
Hi,

the /dev/net/tun is not available.

You can make a tun dev or
make a bind mount from the host to the container.

    make a tun dev
    Code:
    service openvpn stop
    mkdir /dev/net
    mknod /dev/net/tun c 10 200
    chmod 666 /dev/net/tun
    service openvpn start
    
     
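The two routes Wolfgang names above (create the node inside the container, or hand the host's device in) are shown here as an added example; this is not code from the thread, from Proxmox or from TurnKey. `tun_dev_check` verifies that a path really is the tun clone device (character major 10, minor 200), and `pve_tun_config` appends the two lines that let a Proxmox LXC container use the host's `/dev/net/tun` persistently. The container config path `/etc/pve/lxc/<CTID>.conf` and the cgroup key are assumptions: PVE 7 and later run cgroup v2 and use `lxc.cgroup2.devices.allow`, older hosts on cgroup v1 use `lxc.cgroup.devices.allow`, so the key is a parameter.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox/TurnKey.
#   tun_dev_check [PATH]              succeed only if PATH (default /dev/net/tun) is the
#                                     tun character device, major 10 minor 200
#   pve_tun_config FILE [CGROUP_KEY]  idempotently add the two lines that expose the
#                                     host's tun device to a Proxmox LXC container;
#                                     FILE is e.g. /etc/pve/lxc/<CTID>.conf (assumed path;
#                                     run on the PVE host, then restart the container)
# Assumes GNU/busybox stat and grep (Linux).

tun_dev_check() {
    dev="${1:-/dev/net/tun}"
    if [ ! -c "$dev" ]; then
        echo "$dev: missing or not a character device" >&2
        return 1
    fi
    # stat prints major:minor in hex; the tun clone device is 10:200 = a:c8
    nums=$(stat -c '%t:%T' "$dev" 2>/dev/null) || return 1
    if [ "$nums" != "a:c8" ]; then
        echo "$dev: is char device $nums, expected a:c8 (10:200)" >&2
        return 1
    fi
    echo "$dev: ok (char 10:200)"
}

pve_tun_config() {
    conf="$1"
    # cgroup v2 (PVE 7+) key by default; pass lxc.cgroup.devices.allow on cgroup v1 hosts
    key="${2:-lxc.cgroup2.devices.allow}"
    allow="$key: c 10:200 rwm"
    mnt="lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file"
    for line in "$allow" "$mnt"; do
        # -x -F: whole-line, fixed-string match, so running this twice adds nothing
        grep -qxF -- "$line" "$conf" 2>/dev/null || printf '%s\n' "$line" >> "$conf"
    done
}

# usage:  sh tun-helper.sh check                          (inside the container)
#         sh tun-helper.sh config /etc/pve/lxc/101.conf   (on the host; 101 is a placeholder CTID)
case "${1:-}" in
    check)  tun_dev_check "${2:-/dev/net/tun}" ;;
    config) pve_tun_config "$2" "${3:-}" ;;
esac
```

The bind mount is the better long-term fix: the device node is then owned by the host and survives container reboots, which is exactly the problem that shows up later in this thread.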
  3. mattlach

    mattlach Member

    Joined:
    Mar 23, 2016
    Messages:
    145
    Likes Received:
    12

    Much appreciated. I will try these now.

    I'm curious though, since the tar.gz packages on turnkey linux are specifically for LXC use, is there a reason they don't create these on their own?

    --Matt
     
  4. mattlach

    mattlach Member

    Joined:
    Mar 23, 2016
    Messages:
    145
    Likes Received:
    12

    Hmm. After doing these steps, restarting the OpenVPN service fails.

    Code:
    # service openvpn start
    [FAIL] Starting virtual private network daemon: server failed!
    
    I wanted to look in /var/log/openvpn for the log files to see what went wrong, but the folder is empty.

    I have tried rebooting (the container, not the server) and it still doesn't work.

    Any ideas?

    Thanks,
    Matt
     
  5. mattlach

    mattlach Member

    Joined:
    Mar 23, 2016
    Messages:
    145
    Likes Received:
    12
    Maybe the solution here is to run an OpenVPN server inside of a VM instead? I had hoped to do it in a container for the sake of efficiency (particularly when it comes to RAM, I have more CPU capacity than I know what to do with).

    If I were to put a Ubuntu Server LTS install in a VM, I wonder what the minimum amount of RAM I can get away with assigning for a dedicated OpenVPN VM might be, without having it swapping all the time. 512MB? Less?
     
  6. wolfgang

    wolfgang Proxmox Staff Member
    Staff Member

    Joined:
    Oct 1, 2014
    Messages:
    3,987
    Likes Received:
    240
    Hi, can you send the output of the following? Then you must get a good error message.

    cd /etc/openvpn
    openvpn server.conf
     
  7. mattlach

    mattlach Member

    Joined:
    Mar 23, 2016
    Messages:
    145
    Likes Received:
    12
    I appreciate the help, but this message confuses me. What would you like me to send the output of?

    Thanks,
    Matt
     
  8. wolfgang

    wolfgang Proxmox Staff Member
    Staff Member

    Joined:
    Oct 1, 2014
    Messages:
    3,987
    Likes Received:
    240
    Go to dir /etc/openvpn

    Code:
    cd /etc/openvpn
    
    stop the openvpn service
    Code:
    service openvpn stop
    
    start openvpn manually
    Code:
    openvpn server.conf
    
    Now you get output from openvpn and can see if something goes wrong.
     
  9. mattlach

    mattlach Member

    Joined:
    Mar 23, 2016
    Messages:
    145
    Likes Received:
    12
    Wolfgang,

    Thank you for your explanation.

    Looks like the tun device is the issue again.

    Code:
    Tue Jan 10 15:34:01 2017 us=118810 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
    Tue Jan 10 15:34:01 2017 us=118852 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
    Tue Jan 10 15:34:01 2017 us=120107 Diffie-Hellman initialized with 2048 bit key
    Tue Jan 10 15:34:01 2017 us=122102 Control Channel Authentication: using '/etc/openvpn/easy-rsa/keys/ta.key' as a OpenVPN static key file
    Tue Jan 10 15:34:01 2017 us=122147 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Jan 10 15:34:01 2017 us=122168 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Jan 10 15:34:01 2017 us=122218 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Tue Jan 10 15:34:01 2017 us=122261 Socket Buffers: R=[212992->131072] S=[212992->131072]
    Tue Jan 10 15:34:01 2017 us=122403 ROUTE_GATEWAY xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx IFACE=eth0 HWADDR=0a:f9:91:f7:f0:76
    Tue Jan 10 15:34:01 2017 us=122448 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
    Tue Jan 10 15:34:01 2017 us=122467 Exiting due to fatal error
    I know I created it per your directions above, but when I go check, it is missing. Does it have to be created again on every reboot of the container?

    Is there a good way to automate this? I could put your directions on how to create the tun above into a script, and run it through cron on boot, but am I assured that it will run before the OpenVPN service starts if I do this?

    Thanks again for all your help,
    Matt
     
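The two logs in this thread (the client-side TLS timeout in the first post and the server-side TUN error just above) are the two most common shapes of a failed OpenVPN start, and they point in different directions. The following is an added example, not code from the thread: `openvpn_triage` reads OpenVPN log text and maps each recognised message to the check that usually resolves it. The patterns are real OpenVPN 2.x log messages; the sample log is constructed from the lines quoted in this thread, with the address replaced by a documentation-range IP.

```shell
#!/bin/sh
# Added example, not from the thread. openvpn_triage reads OpenVPN log text on stdin and
# prints one diagnosis per recognised problem, in a fixed order, each with the next check.

openvpn_triage() {
    awk '
    # Client never got a reply. Nothing about certificates has been tested yet,
    # so this is a reachability problem (NAT, firewall, or no listener), not a key problem.
    /TLS key negotiation failed to occur within/ {
        found["no-reply"] = "no-reply: no server reply on the remote IP:port; check the port forward (UDP 1194 -> container), the container firewall, and that the server is listening (ss -lunp | grep 1194 on the server)"
    }
    # Server side: the kernel tun clone device is not present in the container.
    /Cannot open TUN\/TAP dev/ {
        found["no-tun"] = "no-tun: /dev/net/tun missing in the container; create it (mknod c 10 200) or bind-mount it from the host"
    }
    # tls-auth HMAC mismatch: packets arrive but are dropped before the TLS handshake.
    /TLS Error: cannot locate HMAC in incoming packet/ {
        found["tls-auth-mismatch"] = "tls-auth-mismatch: ta.key differs between client and server or key-direction is wrong"
    }
    /VERIFY ERROR/ {
        found["cert-verify"] = "cert-verify: certificate chain rejected; CA, expiry or client cert do not match"
    }
    /AUTH_FAILED/ {
        found["auth-failed"] = "auth-failed: server rejected the credentials or the client certificate"
    }
    END {
        n = 0
        split("no-reply no-tun tls-auth-mismatch cert-verify auth-failed", order, " ")
        for (i = 1; i <= 5; i++) if (order[i] in found) { print found[order[i]]; n++ }
        if (n == 0) print "no-known-error: nothing matched; run openvpn with --verb 4 and look again"
    }'
}

# Constructed sample: the client log from the first post (shortened) plus the
# server-side error from the later post. Timestamps are ignored by the matcher.
sample_logs() {
    cat <<'EOF'
Wed Jan  4 11:43:44 2017 UDPv4 link remote: [AF_INET]203.0.113.10:1194
Wed Jan  4 11:44:44 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jan  4 11:44:44 2017 TLS Error: TLS handshake failed
Tue Jan 10 15:34:01 2017 us=122448 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
EOF
}

# usage:  sh triage.sh demo          or          openvpn --config x.ovpn 2>&1 | sh triage.sh
case "${1:-}" in
    demo) sample_logs | openvpn_triage ;;
    "")   [ -t 0 ] || openvpn_triage ;;
esac
```

The point of the ordering is that the first line of the first post's log already rules out a key problem: a client that never receives a reply cannot have failed certificate or tls-auth checks, so the port forward and the server process are the only things worth looking at first.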
  10. wolfgang

    wolfgang Proxmox Staff Member
    Staff Member

    Joined:
    Oct 1, 2014
    Messages:
    3,987
    Likes Received:
    240
    Yes.

    Make an LSB init script like this and save it in /etc/init.d/tun

    Code:
    #! /bin/sh
    ### BEGIN INIT INFO
    # Provides:          tun
    # Required-Start:    $network
    # Required-Stop:
    # X-Start-Before:    openvpn
    # X-Stop-After:      openvpn
    # Default-Start:     S 1 2
    # Default-Stop:      0 6
    # Short-Description: Make a tun device.
    # Description:       Create /dev/net/tun for openvpn (a container does not get it at boot)
    ### END INIT INFO
    
    # Actions
    case "$1" in
        start)
            # -p: do not fail if /dev/net already exists
            mkdir -p /dev/net
            # tun clone device is character major 10, minor 200; only create it if missing
            [ -c /dev/net/tun ] || mknod /dev/net/tun c 10 200
            # 666 lets every user in the container open the device; openvpn opens it as
            # root before dropping privileges, so 600 is enough if nothing else needs tun
            chmod 666 /dev/net/tun
            ;;
        stop)
            rm -f /dev/net/tun
            rmdir /dev/net 2>/dev/null
            ;;
        restart)
            #do nothing!
            ;;
    esac
    
    exit 0
    
    And activate it
    Code:
    chmod 755 /etc/init.d/tun
    update-rc.d tun defaults
    
     
  11. mattlach

    mattlach Member

    Joined:
    Mar 23, 2016
    Messages:
    145
    Likes Received:
    12

    Wolfgang,

    greatly appreciated.

    Thank you very much.

    --Matt
     
  12. mattlach

    mattlach Member

    Joined:
    Mar 23, 2016
    Messages:
    145
    Likes Received:
    12
    One more question if you don't mind, since you seem very knowledgeable about these things.

    I followed this guide in order to tunnel all of my traffic through the VPN.

    My OpenVPN lxc resides on the 10.0.1.0/24 subnet, and my OpenVPN tun subnet is 10.0.5.0/24, so I replaced the IP addresses respectively in the iptables entries.

    All traffic now flows through the VPN which is good, but I can't seem to get DNS to work through the VPN.

    I first tried my internal DNS (10.0.1.1) in the server.conf file with push "dhcp-option DNS 10.0.1.1"

    Then I tried instead adding Google's DNS (8.8.8.8 and 8.8.4.4) to no avail.

    When my client is connected to the VPN I can still not reach the DNS.

    I THINK I can actually reach the outside world (if I ping using IPs only I get responses) but DNS just doesn't seem to work.

    Any suggestions?

    Thanks,
    Matt
     
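The full-tunnel setup described in this post has three moving parts that all have to agree: the `server` directive that defines the tun subnet (10.0.5.0/24 here), the `push` lines that redirect the client's default route and hand it a resolver, and a NAT rule in the container for that tun subnet. The following is an added example, not code from the thread or from the linked guide (whose exact iptables entries are not on this page): `fulltunnel_lint` reads a server.conf, derives the tun subnet from `server NET MASK`, reports which of the two push directives is missing, and prints the forwarding and MASQUERADE commands that subnet needs. The outbound interface name (`eth0` by default) is an assumption passed as a parameter.

```shell
#!/bin/sh
# Added example, not from the thread. Checks an OpenVPN server.conf for a full-tunnel
# setup and prints the NAT commands for the tun subnet it declares.

# Convert a dotted netmask to a prefix length, e.g. 255.255.255.0 -> 24.
# Rejects non-contiguous masks (255.0.255.0) and invalid octets (255.255.255.7).
mask2cidr() {
    bits=0; seen_end=0
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # once an octet is not 255, every later octet must be 0
        if [ "$seen_end" -eq 1 ] && [ "$o" != 0 ]; then return 1; fi
        case "$o" in
            255) bits=$((bits + 8)) ;; 254) bits=$((bits + 7)) ;; 252) bits=$((bits + 6)) ;;
            248) bits=$((bits + 5)) ;; 240) bits=$((bits + 4)) ;; 224) bits=$((bits + 3)) ;;
            192) bits=$((bits + 2)) ;; 128) bits=$((bits + 1)) ;; 0) ;;
            *) return 1 ;;
        esac
        [ "$o" = 255 ] || seen_end=1
    done
    echo "$bits"
}

# fulltunnel_lint CONF [OUT_IF]  -> prints the commands the container needs; exit 1 if a
# push directive is missing
fulltunnel_lint() {
    conf="$1"; out_if="${2:-eth0}"; rc=0
    # "server NET MASK" gives the tun subnet (10.0.5.0 255.255.255.0 in this thread)
    set -- $(awk '$1 == "server" { print $2, $3; exit }' "$conf")
    if [ $# -ne 2 ]; then
        echo "missing: server NET MASK directive" >&2
        return 1
    fi
    net=$1
    cidr=$(mask2cidr "$2") || { echo "bad netmask $2" >&2; return 1; }
    grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway' "$conf" \
        || { echo 'missing: push "redirect-gateway def1"  (clients keep their old default route)' >&2; rc=1; }
    grep -Eq '^[[:space:]]*push[[:space:]]+"dhcp-option[[:space:]]+DNS[[:space:]]+' "$conf" \
        || { echo 'missing: push "dhcp-option DNS <ip>"  (clients keep using their previous resolver)' >&2; rc=1; }
    # what the container itself must do so tunnelled packets can leave and come back
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A POSTROUTING -s $net/$cidr -o $out_if -j MASQUERADE"
    return $rc
}

# usage:  sh fulltunnel-lint.sh lint /etc/openvpn/server.conf eth0
case "${1:-}" in
    lint) fulltunnel_lint "$2" "${3:-}" ;;
esac
```

One client-side caveat that the lint cannot see: a Linux OpenVPN 2.x client does not apply a pushed `dhcp-option DNS` by itself. On Debian and Ubuntu the client needs `script-security 2` plus `up /etc/openvpn/update-resolv-conf` and `down /etc/openvpn/update-resolv-conf` in its .ovpn for the pushed resolver to land in resolv.conf; without that, pinging by IP works while name resolution still goes to the old resolver, which matches the symptom described in this post.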
  13. mattlach

    mattlach Member

    Joined:
    Mar 23, 2016
    Messages:
    145
    Likes Received:
    12

    Never mind, this solved my DNS problems.

    Thanks for all of your help. I'm marking this as solved now. Hopefully it will help others in the future.

    --Matt
     