Discussion:
[Openvpn-users] 2.4.0 , address on tun inteface problem after reconnect to another server, linux
Dmitry Melekhov
2017-01-26 05:54:59 UTC
Permalink
Hello!

We run two openvpn servers, one of them has network 192.168.205.0/24 on
tun and another has 192.168.206.0/24 on tun.

These servers are behind NAT.

Yesterday I rebooted NAT devices, after this we hit problem.


We have Centos 6 client, which runs openvpn 2.4.0 too.

Before NAT device reboot it was connected to openvpn server 1 and it had
address 192.168.205.16 on it's tun0.

Then, after NAT is rebooted client lost connectivity, and, thus tried
another openvpn server (I changed IP addresses to names)

Jan 25 13:00:28 bkk openvpn[12557]: [inetgw1] Inactivity timeout
(--ping-restart), restarting
Jan 25 13:00:28 bkk openvpn[12557]: SIGUSR1[soft,ping-restart] received,
process restarting
Jan 25 13:00:28 bkk openvpn[12557]: Restart pause, 5 second(s)
Jan 25 13:00:33 bkk openvpn[12557]: WARNING: No server certificate
verification method has been enabled. See
http://openvpn.net/howto.html#mitm for more info.
Jan 25 13:00:33 bkk openvpn[12557]: TCP/UDP: Preserving recently used
remote address: [AF_INET]server1:1194
Jan 25 13:00:33 bkk openvpn[12557]: Socket Buffers: R=[112640->112640]
S=[112640->112640]
Jan 25 13:00:33 bkk openvpn[12557]: UDP link local: (not bound)
Jan 25 13:00:33 bkk openvpn[12557]: UDP link remote: [AF_INET]server1:1194
Jan 25 13:01:33 bkk openvpn[12557]: TLS Error: TLS key negotiation
failed to occur within 60 seconds (check your network connectivity)
Jan 25 13:01:33 bkk openvpn[12557]: TLS Error: TLS handshake failed
Jan 25 13:01:33 bkk openvpn[12557]: SIGUSR1[soft,tls-error] received,
process restarting
Jan 25 13:01:33 bkk openvpn[12557]: Restart pause, 5 second(s)
Jan 25 13:01:38 bkk openvpn[12557]: WARNING: No server certificate
verification method has been enabled. See
http://openvpn.net/howto.html#mitm for more info.
Jan 25 13:01:38 bkk openvpn[12557]: TCP/UDP: Preserving recently used
remote address: [AF_INET]server2:1194
Jan 25 13:01:38 bkk openvpn[12557]: Socket Buffers: R=[112640->112640]
S=[112640->112640]
Jan 25 13:01:38 bkk openvpn[12557]: UDP link local: (not bound)
Jan 25 13:01:38 bkk openvpn[12557]: UDP link remote: [AF_INET]server2:1194
Jan 25 13:01:33 bkk openvpn[12557]: TLS Error: TLS key negotiation
failed to occur within 60 seconds (check your network connectivity)
Jan 25 13:01:33 bkk openvpn[12557]: TLS Error: TLS handshake failed
Jan 25 13:01:33 bkk openvpn[12557]: SIGUSR1[soft,tls-error] received,
process restarting
Jan 25 13:01:33 bkk openvpn[12557]: Restart pause, 5 second(s)
Jan 25 13:01:38 bkk openvpn[12557]: WARNING: No server certificate
verification method has been enabled. See
http://openvpn.net/howto.html#mitm for more info.
Jan 25 13:01:38 bkk openvpn[12557]: TCP/UDP: Preserving recently used
remote address: [AF_INET]server2:1194
Jan 25 13:01:38 bkk openvpn[12557]: Socket Buffers: R=[112640->112640]
S=[112640->112640]
Jan 25 13:01:38 bkk openvpn[12557]: UDP link local: (not bound)
Jan 25 13:01:38 bkk openvpn[12557]: UDP link remote: [AF_INET]server2:1194
Jan 25 13:01:38 bkk openvpn[12557]: TLS: Initial packet from
[AF_INET]server2:1194, sid=ec086083 b9575e66
Jan 25 13:01:38 bkk openvpn[12557]: VERIFY OK: depth=1, C=RU, ST=Udm,
L=Izhevsk, O=Belkam, OU=UIT, CN=vpn.belkam.com,
emailAddress=***@belkam.com
Jan 25 13:01:38 bkk openvpn[12557]: VERIFY OK: depth=0, C=RU, ST=Udm,
L=Izhevsk, O=Belkam, OU=UIT, CN=inetgw2, emailAddress=***@belkam.com
Jan 25 13:01:38 bkk openvpn[12557]: Control Channel: TLSv1.2, cipher
TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Jan 25 13:01:38 bkk openvpn[12557]: [inetgw2] Peer Connection Initiated
with [AF_INET]server2:1194
Jan 25 13:01:39 bkk openvpn[12557]: SENT CONTROL [inetgw2]:
'PUSH_REQUEST' (status=1)
Jan 25 13:01:39 bkk openvpn[12557]: PUSH: Received control message:
'PUSH_REPLY,explicit-exit-notify 3,route 192.168.206.1,topology
net30,ping 10,ping-restart 120,route 192.168.0.0 255.255.0.0,route
10.0.0.0 255
.0.0.0,ifconfig 192.168.206.16 192.168.206.15,peer-id 14,cipher AES-256-GCM'

so it had to get address 192.168.206.16 on it's tun0

But address on tun0 is still 192.168.205.16 (!) :

tun0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.205.16 P-t-P:192.168.205.15
Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:2962804 errors:0 dropped:0 overruns:0 frame:0
TX packets:2347402 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1955924218 (1.8 GiB) TX bytes:429175247 (409.2 MiB)


I.e. it was not changed to new one, although it was provided by server.


Don't know is there such problem with 2.3, because it is very rare
condition in our environment.


Could you tell me is this expected behavior and, if yes, is there any
workaround , something like dhcp-release for windows?

Thank you!
Gert Doering
2017-01-26 06:59:42 UTC
Permalink
Hi,
Post by Dmitry Melekhov
Could you tell me is this expected behavior and, if yes, is there any
workaround , something like dhcp-release for windows?
This is a bug - on SIGUSR1 reconnect with --persist-tun, if options change
(like: "new IP address") these is wrongly ignored.

This is trac #812, and it was already fixed - to be released as part of
2.4.1 "soon" (in the coming weeks).

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
Dmitry Melekhov
2017-01-26 07:10:01 UTC
Permalink
Post by Gert Doering
Hi,
Post by Dmitry Melekhov
Could you tell me is this expected behavior and, if yes, is there any
workaround , something like dhcp-release for windows?
This is a bug - on SIGUSR1 reconnect with --persist-tun, if options change
(like: "new IP address") these is wrongly ignored.
This is trac #812, and it was already fixed - to be released as part of
2.4.1 "soon" (in the coming weeks).
gert
Thank you!

I'll try to patch and rebuild 2.4.0.
Gert Doering
2017-01-26 07:49:42 UTC
Permalink
Hi,
Post by Dmitry Melekhov
Post by Gert Doering
This is trac #812, and it was already fixed - to be released as part of
2.4.1 "soon" (in the coming weeks).
I'll try to patch and rebuild 2.4.0.
I've appended the patch below, for easier searching. Fairly trivial :-)

gert

From bf72ae68c05922c289056f2f851ed36014449cdf Mon Sep 17 00:00:00 2001
From: Selva Nair <***@gmail.com>
Date: Tue, 3 Jan 2017 16:42:18 -0500
Subject: [PATCH] Fix push options digest update

Trac: #812

Signed-off-by: Selva Nair <***@gmail.com>
Acked-by: Steffan Karger <***@fox-it.com>
Message-Id: <1483479738-17672-1-git-send-email-***@gmail.com>
URL: https://www.mail-archive.com/openvpn-***@lists.sourceforge.net/msg13816.html
Signed-off-by: Gert Doering <***@greenie.muc.de>
(cherry picked from commit a5dbf8c8dab23c47407c3f833c4f4aae52408af1)
---
src/openvpn/push.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index f5154756..c9c04a63 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -692,8 +692,8 @@ push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
{
continue;
}
+ md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1);
}
- md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1);
}

int
--
2.11.0
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
debbie10t
2017-01-26 11:31:52 UTC
Permalink
Post by Dmitry Melekhov
Post by Gert Doering
Hi,
Post by Dmitry Melekhov
Could you tell me is this expected behavior and, if yes, is there any
workaround , something like dhcp-release for windows?
This is a bug - on SIGUSR1 reconnect with --persist-tun, if options change
(like: "new IP address") these is wrongly ignored.
This is trac #812, and it was already fixed - to be released as part of
2.4.1 "soon" (in the coming weeks).
gert
Thank you!
I'll try to patch and rebuild 2.4.0.
Curiosity got me ..

Do you need --persist-* on your client ?

Or is it an option added by a config generator tool ?
EG: Network-manager

I would recommend reading the manual for each of the options your client
does use and deciding what is actually necessary.
Dmitry Melekhov
2017-01-26 11:55:20 UTC
Permalink
Post by debbie10t
Post by Dmitry Melekhov
Post by Gert Doering
Hi,
Post by Dmitry Melekhov
Could you tell me is this expected behavior and, if yes, is there any
workaround , something like dhcp-release for windows?
This is a bug - on SIGUSR1 reconnect with --persist-tun, if options change
(like: "new IP address") these is wrongly ignored.
This is trac #812, and it was already fixed - to be released as part of
2.4.1 "soon" (in the coming weeks).
gert
Thank you!
I'll try to patch and rebuild 2.4.0.
Curiosity got me ..
Do you need --persist-* on your client ?
Really, no, there is no desperate need in it in this particular case :-)

On the other hand , there is no contra, at least I don't see any...
Post by debbie10t
Or is it an option added by a config generator tool ?
EG: Network-manager
I would recommend reading the manual for each of the options your client
does use and deciding what is actually necessary.
Thank you for hint, I run openvpn since 2005 and never thought about
reading manual ;-)
debbie10t
2017-01-26 12:43:37 UTC
Permalink
Post by Dmitry Melekhov
Post by debbie10t
Post by Dmitry Melekhov
Post by Gert Doering
Hi,
Post by Dmitry Melekhov
Could you tell me is this expected behavior and, if yes, is there any
workaround , something like dhcp-release for windows?
This is a bug - on SIGUSR1 reconnect with --persist-tun, if options change
(like: "new IP address") these is wrongly ignored.
This is trac #812, and it was already fixed - to be released as part of
2.4.1 "soon" (in the coming weeks).
gert
Thank you!
I'll try to patch and rebuild 2.4.0.
Curiosity got me ..
Do you need --persist-* on your client ?
Really, no, there is no desperate need in it in this particular case :-)
On the other hand , there is no contra, at least I don't see any...
Other than the problem you are currently experiencing ..

--persist-* is necessary if you are dropping privileges.
(I am not aware of any other reason)
Post by Dmitry Melekhov
Post by debbie10t
Or is it an option added by a config generator tool ?
EG: Network-manager
I would recommend reading the manual for each of the options your client
does use and deciding what is actually necessary.
Thank you for hint, I run openvpn since 2005 and never thought about
reading manual ;-)
I presume you are ribbing me ;-)

OTOH, you would not be the first to march blindly into the fray !

It might be interesting to know the difference in hits between
the official docs and, for example, a wordpress or Pi tutorial ..

Regards
Dmitry Melekhov
2017-01-26 13:06:10 UTC
Permalink
Post by debbie10t
Post by Dmitry Melekhov
Post by debbie10t
Post by Dmitry Melekhov
Post by Gert Doering
Hi,
Post by Dmitry Melekhov
Could you tell me is this expected behavior and, if yes, is there any
workaround , something like dhcp-release for windows?
This is a bug - on SIGUSR1 reconnect with --persist-tun, if options change
(like: "new IP address") these is wrongly ignored.
This is trac #812, and it was already fixed - to be released as part of
2.4.1 "soon" (in the coming weeks).
gert
Thank you!
I'll try to patch and rebuild 2.4.0.
Curiosity got me ..
Do you need --persist-* on your client ?
Really, no, there is no desperate need in it in this particular case :-)
On the other hand , there is no contra, at least I don't see any...
Other than the problem you are currently experiencing ..
--persist-* is necessary if you are dropping privileges.
(I am not aware of any other reason)
And? Any reasons I can't drop privileges on server which provides
LAN-to-LAN link, although it acts as openvpn client?
And yes, I can not use it, because it is not server, so it has less
security problems.
So situation is absolutely as I wrote before- no desperate need.
Post by debbie10t
Post by Dmitry Melekhov
Post by debbie10t
Or is it an option added by a config generator tool ?
EG: Network-manager
I would recommend reading the manual for each of the options your client
does use and deciding what is actually necessary.
Thank you for hint, I run openvpn since 2005 and never thought about
reading manual ;-)
I presume you are ribbing me ;-)
You are right :-P ;-)
Post by debbie10t
OTOH, you would not be the first to march blindly into the fray !
No, you started fray by assuming I did not read man .
Post by debbie10t
It might be interesting to know the difference in hits between
the official docs and, for example, a wordpress or Pi tutorial ..
Well, I don't remember which tutorial I used more then 10 years ago :-(
Post by debbie10t
Regards
Fortunately this was known bug and now it is fixed on my servers :-)
And I see no reasons to discuss do I use or not user and group in config,
AFAIR, this is information I can't share according to internal policy ;-)

Thank you!

Loading...