[SOLVED] Turnkey Linux OpenVPN template issues?

mattlach

Member
Mar 23, 2016
154
13
18
Boston, MA
Hey all,

Can anyone help me troubleshoot this? I downloaded the turnkey linux openvpn template from the PVE web interface and installed it into a new LXC container.

I believe I set it up as a host correctly using the first time configuration in the console, and my port forward rule for port 1194 on my pfSense firewall/router LOOKS good, but when I create a cert and put it on a client computer, it just times out without being able to make a connection:

Code:
matt@LXDE01:~/Certs$ sudo openvpn --config ubuntu_box.ovpn
Wed Jan  4 11:43:44 2017 OpenVPN 2.3.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2016
Wed Jan  4 11:43:44 2017 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Wed Jan  4 11:43:44 2017 Control Channel Authentication: tls-auth using INLINE static key file
Wed Jan  4 11:43:44 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan  4 11:43:44 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan  4 11:43:44 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jan  4 11:43:44 2017 UDPv4 link local: [undef]
Wed Jan  4 11:43:44 2017 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Wed Jan  4 11:44:44 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jan  4 11:44:44 2017 TLS Error: TLS handshake failed
Wed Jan  4 11:44:44 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed Jan  4 11:44:44 2017 Restart pause, 2 second(s)
Wed Jan  4 11:44:46 2017 Control Channel Authentication: tls-auth using INLINE static key file
Wed Jan  4 11:44:46 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan  4 11:44:46 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan  4 11:44:46 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jan  4 11:44:46 2017 UDPv4 link local: [undef]
Wed Jan  4 11:44:46 2017 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Wed Jan  4 11:45:46 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jan  4 11:45:46 2017 TLS Error: TLS handshake failed
Wed Jan  4 11:45:46 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed Jan  4 11:45:46 2017 Restart pause, 2 second(s)
Can anyone suggest any troubleshooting steps? I'm not that seasoned with openVPN so I'm not quite sure where to start, and would appreciate any help.

Thanks,
Matt
 

wolfgang

Proxmox Staff Member
Staff member
Oct 1, 2014
5,543
371
103
Hi,

the /dev/net/tun is not availible

you can make a tun dev or
make a bind mount form the host to the container.

make a tun dev
Code:
service openvpn stop
mkdir /dev/net
mknod /dev/net/tun c 10 200
chmod 666 /dev/net/tun
service openvpn start
 

mattlach

Member
Mar 23, 2016
154
13
18
Boston, MA
Hi,

the /dev/net/tun is not availible

you can make a tun dev or
make a bind mount form the host to the container.

make a tun dev
Code:
service openvpn stop
mkdir /dev/net
mknod /dev/net/tun c 10 200
chmod 666 /dev/net/tun
service openvpn start

Much appreciated. I will try these now.

I'm curious though, since the tar.gz packages on turnkey linux are specifically for LXC use, is there a reason they don't create these on their own?

--Matt
 

mattlach

Member
Mar 23, 2016
154
13
18
Boston, MA
Hi,

the /dev/net/tun is not availible

you can make a tun dev or
make a bind mount form the host to the container.

make a tun dev
Code:
service openvpn stop
mkdir /dev/net
mknod /dev/net/tun c 10 200
chmod 666 /dev/net/tun
service openvpn start

Hmm. After doing these steps, restarting the OpenVPN service fails.

Code:
# service openvpn start
[FAIL] Starting virtual private network daemon: server failed!
I wanted to look in /ver/log/openvpn for the log files to see what went wrong, but the folder is empty.

I have tried rebooting (the container, not the server) and it still doesn't work.

Any ideas?

Thanks,
Matt
 

mattlach

Member
Mar 23, 2016
154
13
18
Boston, MA
Maybe the solution here is to run an OpenVPN server inside of a VM instead? I had hoped to do it in a container for the sake of efficiency (particularly when it comes to RAM, I have more CPU capacity than I know what to do with).

If I were to put a Ubuntu Server LTS install in a VM, I wonder what the minimum amount of RAM I can get away with assigning for a dedicated OpenVPN VM might be, without having it swapping all the time. 512MB? Less?
 

wolfgang

Proxmox Staff Member
Staff member
Oct 1, 2014
5,543
371
103
Hi can you send the output of
Then you must get a good error msg

cd /etc/openvpn
openvpn serverconfig
 

wolfgang

Proxmox Staff Member
Staff member
Oct 1, 2014
5,543
371
103
Go to dir /etc/openvpn

Code:
cd /etc/openvpn
stop the openvpn service
Code:
service openvpn stop
start the openvpn manual
Code:
openvpn server.conf
now you get output from openvpn and see if something goes wrong.
 

mattlach

Member
Mar 23, 2016
154
13
18
Boston, MA
Go to dir /etc/openvpn

Code:
cd /etc/openvpn
stop the openvpn service
Code:
service openvpn stop
start the openvpn manual
Code:
openvpn server.conf
now you get output from openvpn and see if something goes wrong.
Wolfgang,

Thank you for your explanation.

Looks like the tun device is the issue again.

Code:
Tue Jan 10 15:34:01 2017 us=118810 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
Tue Jan 10 15:34:01 2017 us=118852 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Tue Jan 10 15:34:01 2017 us=120107 Diffie-Hellman initialized with 2048 bit key
Tue Jan 10 15:34:01 2017 us=122102 Control Channel Authentication: using '/etc/openvpn/easy-rsa/keys/ta.key' as a OpenVPN static key file
Tue Jan 10 15:34:01 2017 us=122147 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 10 15:34:01 2017 us=122168 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 10 15:34:01 2017 us=122218 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Jan 10 15:34:01 2017 us=122261 Socket Buffers: R=[212992->131072] S=[212992->131072]
Tue Jan 10 15:34:01 2017 us=122403 ROUTE_GATEWAY xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx IFACE=eth0 HWADDR=0a:f9:91:f7:f0:76
Tue Jan 10 15:34:01 2017 us=122448 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Tue Jan 10 15:34:01 2017 us=122467 Exiting due to fatal error
I know I created it per your directions above, but when I go check, it is missing. Does it have to be created again on every reboot of the container?

Is there a good way to automate this? I could put your directions on how to create the tun above into a scrip, and run it through cron on boot, but am I assured that it will run before the OpenVPN service starts if I do this?

Thanks again for all your help,
Matt
 

wolfgang

Proxmox Staff Member
Staff member
Oct 1, 2014
5,543
371
103
I know I created it per your directions above, but when I go check, it is missing. Does it have to be created again on every reboot of the container?
yes

make a LSBInitScrtipt like this and save it in /etc/init.d/tun

Code:
#! /bin/sh
### BEGIN INIT INFO
# Provides:          tun
# Required-Start:    $network
# Required-Stop:     $openvpn
# Default-Start:     S 1 2
# Default-Stop:      0 6
# Short-Description: Make a tun device.
# Description:       Create a tundev for openvpn
### END INIT INFO

# Aktionen
case "$1" in
    start)
        mkdir /dev/net
        mknod /dev/net/tun c 10 200
        chmod 666 /dev/net/tun
        ;;
    stop)
        rm /dev/net/tun
        rmdir /dev/net
        ;;
    restart)
        #do nothing!
        ;;
esac

exit 0
And activat it
Code:
chmod 755 /etc/init.d/tun
update-rc.d tun defaults
 

mattlach

Member
Mar 23, 2016
154
13
18
Boston, MA
yes

make a LSBInitScrtipt like this and save it in /etc/init.d/tun

Code:
#! /bin/sh
### BEGIN INIT INFO
# Provides:          tun
# Required-Start:    $network
# Required-Stop:     $openvpn
# Default-Start:     S 1 2
# Default-Stop:      0 6
# Short-Description: Make a tun device.
# Description:       Create a tundev for openvpn
### END INIT INFO

# Aktionen
case "$1" in
    start)
        mkdir /dev/net
        mknod /dev/net/tun c 10 200
        chmod 666 /dev/net/tun
        ;;
    stop)
        rm /dev/net/tun
        rmdir /dev/net
        ;;
    restart)
        #do nothing!
        ;;
esac

exit 0
And activat it
Code:
chmod 755 /etc/init.d/tun
update-rc.d tun defaults

Wolfgang,

greatly appreciated.

Thank you very much.

--Matt
 

mattlach

Member
Mar 23, 2016
154
13
18
Boston, MA
One more question if you don't mind, since you seem very knowledgeable about these things.

I followed this guide in order to tunnel all of my traffic through the VPN.

My OpenVPN lxc resides on the 10.0.1.0/24 subnet, and my OpenVPN tun subnet is 10.0.5.0/24, so I replaced the IP addresses respectively in the iptables entries.

All traffic now flows through the VPN which is good, but I can't seem to get DNS to work through the VPN.

I first tried my internal DNS (10.0.1.1) in the server.conf file with push "dhcp-option DNS 10.0.1.1"

Then I tried instead adding googles DNS (8.8.8.8 and 8.8.4.4) to no avail.

When my client is connected to the VPN I can still not reach the DNS.

I THINK I can actually reach the outside world. (if I ping using IP's only I get responses) but DNS just doesn't seem to work.

Any suggestions?

Thanks,
Matt
 

mattlach

Member
Mar 23, 2016
154
13
18
Boston, MA
One more question if you don't mind, since you seem very knowledgeable about these things.

I followed this guide in order to tunnel all of my traffic through the VPN.

My OpenVPN lxc resides on the 10.0.1.0/24 subnet, and my OpenVPN tun subnet is 10.0.5.0/24, so I replaced the IP addresses respectively in the iptables entries.

All traffic now flows through the VPN which is good, but I can't seem to get DNS to work through the VPN.

I first tried my internal DNS (10.0.1.1) in the server.conf file with push "dhcp-option DNS 10.0.1.1"

Then I tried instead adding googles DNS (8.8.8.8 and 8.8.4.4) to no avail.

When my client is connected to the VPN I can still not reach the DNS.

I THINK I can actually reach the outside world. (if I ping using IP's only I get responses) but DNS just doesn't seem to work.

Any suggestions?

Thanks,
Matt

Never mind, this solved my DNS problems.

Thanks for all of your help. I'm marking this as solved now. Hopefully it will help others in the future.

--Matt
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE and Proxmox Mail Gateway. We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!