Streisand: Unable to connect to OpenVPN after fresh install

Created on 29 Mar 2018 · 5 Comments · Source: StreisandEffect/streisand

I did two fresh installs of Streisand using the local provision and also remote provision. The host is a VPS with full root access. Tor bridge and Wireguard are working out of the box but OpenVPN (direct or obfuscated) as well as Shadowsocks don't work. Looking at the logs on the server, it looks like there is something related to IPv6. For information I don't have any IPv6 address on this machine so maybe I need to disable the IPv6 stack completely.

Expected behavior:

Client should connect to the host using the provided OVPN configuration.

Actual Behavior:

Steps to Reproduce:

  1. Install streisand
  2. Connect to the web page and download one of the openvpn configuration files
  3. Use either Linux or OpenVPN on Android to connect to the host

On the client:

# sudo openvpn 195.XXX.YYY.ZZZ-direct.ovpn

Thu Mar 29 15:40:32 2018 OpenVPN 2.4.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar  1 2018
Thu Mar 29 15:40:32 2018 library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.10
Thu Mar 29 15:40:32 2018 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Mar 29 15:40:32 2018 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 29 15:40:32 2018 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Mar 29 15:40:32 2018 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 29 15:40:32 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]195.XXX.YYY.ZZZ:636
Thu Mar 29 15:40:32 2018 Socket Buffers: R=[87380->87380] S=[16384->16384]
Thu Mar 29 15:40:32 2018 Attempting to establish TCP connection with [AF_INET]195.XXX.YYY.ZZZ:636 [nonblock]
Thu Mar 29 15:40:33 2018 TCP: connect to [AF_INET]195.XXX.YYY.ZZZ:636 failed: Connection reset by peer
Thu Mar 29 15:40:33 2018 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Thu Mar 29 15:40:33 2018 Restart pause, 5 second(s)
Thu Mar 29 15:40:38 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]195.XXX.YYY.ZZZ:636
Thu Mar 29 15:40:38 2018 Socket Buffers: R=[87380->87380] S=[16384->16384]
Thu Mar 29 15:40:38 2018 Attempting to establish TCP connection with [AF_INET]195.XXX.YYY.ZZZ:636 [nonblock]
Thu Mar 29 15:40:39 2018 TCP: connect to [AF_INET]195.XXX.YYY.ZZZ:636 failed: Connection refused
Thu Mar 29 15:40:39 2018 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Thu Mar 29 15:40:39 2018 Restart pause, 5 second(s)
Thu Mar 29 15:40:44 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]195.XXX.YYY.ZZZ:636
Thu Mar 29 15:40:44 2018 Socket Buffers: R=[87380->87380] S=[16384->16384]
Thu Mar 29 15:40:44 2018 Attempting to establish TCP connection with [AF_INET]195.XXX.YYY.ZZZ:636 [nonblock]
Thu Mar 29 15:40:45 2018 TCP: connect to [AF_INET]195.XXX.YYY.ZZZ:636 failed: Connection reset by peer
Thu Mar 29 15:40:45 2018 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Thu Mar 29 15:40:45 2018 Restart pause, 5 second(s)

On the server:

root@myvpn:~# journalctl -r
-- Logs begin at Thu 2018-03-29 10:54:21 CEST, end at Thu 2018-03-29 15:51:19 CEST. --
Mar 29 15:51:19 myvpn sshd[7113]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 29 15:51:10 myvpn stunnel[1537]: LOG3[538]: SSL_accept: Peer suddenly disconnected
Mar 29 15:50:40 myvpn stunnel[1537]: LOG3[537]: SSL_accept: Peer suddenly disconnected
Mar 29 15:50:10 myvpn stunnel[1537]: LOG3[536]: SSL_accept: Peer suddenly disconnected
Mar 29 15:49:40 myvpn stunnel[1537]: LOG3[535]: SSL_accept: Peer suddenly disconnected
Mar 29 15:41:39 myvpn stunnel[1537]: LOG3[519]: SSL_accept: Peer suddenly disconnected
Mar 29 15:41:09 myvpn stunnel[1537]: LOG3[518]: SSL_accept: Peer suddenly disconnected
Mar 29 15:41:09 myvpn ovpn-server[6903]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mar 29 15:41:09 myvpn systemd[1]: Started OpenVPN connection to server.
Mar 29 15:41:09 myvpn ovpn-server[6903]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mar 29 15:41:09 myvpn ovpn-server[6903]: Note: cannot open ipp.txt for READ/WRITE
Mar 29 15:41:09 myvpn systemd[1]: [email protected]: PID file /run/openvpn/server.pid not readable (yet?) after start: No such file or directory
Mar 29 15:41:09 myvpn systemd[1]: Starting OpenVPN connection to server...
Mar 29 15:41:09 myvpn systemd[1]: Started OpenVPN service.
Mar 29 15:40:46 myvpn ntpd[3220]: Deleting interface #20 tun0, 10.8.0.1#123, interface stats: received=0, sent=0, dropped=0, active_time=6 secs
Mar 29 15:40:44 myvpn systemd[1]: [email protected]: Failed with result 'exit-code'.
Mar 29 15:40:44 myvpn systemd[1]: [email protected]: Unit entered failed state.
Mar 29 15:40:44 myvpn systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
Mar 29 15:40:40 myvpn ntpd[3220]: new interface(s) found: waking up resolver
Mar 29 15:40:40 myvpn ntpd[3220]: Listen normally on 20 tun0 10.8.0.1:123
Mar 29 15:40:39 myvpn stunnel[1537]: LOG3[517]: SSL_accept: Peer suddenly disconnected
Mar 29 15:40:39 myvpn ovpn-server[6843]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mar 29 15:40:39 myvpn systemd[1]: Started OpenVPN connection to server.
Mar 29 15:40:39 myvpn ovpn-server[6843]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mar 29 15:40:39 myvpn ovpn-server[6843]: Note: cannot open ipp.txt for READ/WRITE
Mar 29 15:40:39 myvpn systemd[1]: [email protected]: PID file /run/openvpn/server.pid not readable (yet?) after start: No such file or directory
Mar 29 15:40:39 myvpn systemd[1]: Started OpenVPN service.
Mar 29 15:40:39 myvpn systemd[1]: Starting OpenVPN connection to server...
Mar 29 15:40:34 myvpn ntpd[3220]: Deleting interface #18 tun0, 10.8.0.1#123, interface stats: received=0, sent=0, dropped=0, active_time=14625 secs
Mar 29 15:40:32 myvpn systemd[1]: [email protected]: Failed with result 'exit-code'.
Mar 29 15:40:32 myvpn systemd[1]: [email protected]: Unit entered failed state.
Mar 29 15:40:32 myvpn systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE

streisand-diagnostics.md

### Ansible Information

* Ansible version: 2.5.0
* Ansible system: Linux
* Host OS: Archlinux
* Host OS version:  NA
* Python interpreter: python
* Python version: 3.6.4

### Streisand Information

* Streisand Git revision: bae2cb531330d69e2a2e307c09a7e17770ff8881
* Streisand Git clone has untracked changes: no
* Genesis role: existing-server
* Custom SSH key: True

### Enabled Roles

* Shadowsocks enabled:  True
* Wireguard enabled: True
* OpenVPN enabled: True
* stunnel enabled: True
* Tor enabled: True
* Openconnect enabled: True
* TinyProxy enabled: True
* SSH forward user enabled: True
* L2TP enabled: False
* Configured number of VPN clients: 10

Additional Details:

Log output from Ansible or other relevant services (link to Gist for longer output):

Target Cloud Provider:
Operating System of target host:

Ubuntu 16.04

Operating System of client:

Archlinux and also Android.

Version of Ansible, using ansible --version :

ansible 2.5.0
python version = 2.7.14

Output from git rev-parse HEAD in your Streisand directory :

bae2cb531330d69e2a2e307c09a7e17770ff8881

EDIT: I tried to completely disable IPv6 using the instructions found at the bottom of this post https://www.linuxbabe.com/ubuntu/disable-ipv6-on-ubuntu but OpenVPN service fails to start on boot.

Mar 29 16:03:31 myvpn systemd[1]: [email protected]: Failed with result 'exit-code'.
Mar 29 16:03:31 myvpn systemd[1]: [email protected]: Unit entered failed state.
Mar 29 16:03:31 myvpn systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE

EDIT2:
Commenting the following lines in /etc/hosts helped a bit:

#::1     localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters

But still not connecting. Now I'm noticing an _out of memory_ error. Maybe linked to this bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=406895

Mar 29 16:14:13 myvpn stunnel[571]: LOG3[1]: SSL_accept: Peer suddenly disconnected
Mar 29 16:14:13 myvpn openvpn[1692]: out of memory [1692]
Mar 29 16:14:13 myvpn ovpn-server[1692]: MULTI: TCP INIT maxclients=1024 maxevents=1028
Mar 29 16:14:13 myvpn ovpn-server[1692]: IFCONFIG POOL LIST
Mar 29 16:14:13 myvpn ovpn-server[1692]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Mar 29 16:14:13 myvpn ovpn-server[1692]: MULTI: multi_init called, r=256 v=256
Mar 29 16:14:13 myvpn ovpn-server[1692]: UID set to nobody
Mar 29 16:14:13 myvpn ovpn-server[1692]: GID set to nogroup
Mar 29 16:14:13 myvpn ovpn-server[1692]: TCPv4_SERVER link remote: [AF_UNSPEC]
Mar 29 16:14:13 myvpn ovpn-server[1692]: TCPv4_SERVER link local (bound): [AF_INET][undef]:636
Mar 29 16:14:13 myvpn ovpn-server[1692]: Listening for incoming TCP connection on [AF_INET][undef]:636
Mar 29 16:14:13 myvpn ovpn-server[1692]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Mar 29 16:14:13 myvpn ovpn-server[1692]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mar 29 16:14:13 myvpn ovpn-server[1692]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Mar 29 16:14:13 myvpn ovpn-server[1692]: /sbin/ip addr add dev tun1 local 10.8.0.1 peer 10.8.0.2
Mar 29 16:14:13 myvpn systemd[1]: Started OpenVPN connection to server.
Mar 29 16:14:13 myvpn ovpn-server[1692]: /sbin/ip link set dev tun1 up mtu 1500
Mar 29 16:14:13 myvpn ovpn-server[1692]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mar 29 16:14:13 myvpn ovpn-server[1692]: TUN/TAP TX queue length set to 100
Mar 29 16:14:13 myvpn ovpn-server[1692]: TUN/TAP device tun1 opened
Mar 29 16:14:12 myvpn ovpn-server[1692]: ROUTE_GATEWAY 195.XXX.YYY.1/255.255.248.0 IFACE=ens3 HWADDR=52:ac:00:e2:a0:18
Mar 29 16:14:12 myvpn ovpn-server[1692]: 2 variation(s) on previous 3 message(s) suppressed by --mute
Mar 29 16:14:12 myvpn ovpn-server[1692]: NOTE: --mute triggered...
Mar 29 16:14:12 myvpn ovpn-server[1692]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mar 29 16:14:12 myvpn ovpn-server[1692]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mar 29 16:14:12 myvpn ovpn-server[1692]: Diffie-Hellman initialized with 2048 bit key
Mar 29 16:14:12 myvpn ovpn-server[1692]: Note: cannot open ipp.txt for READ/WRITE
Mar 29 16:14:12 myvpn ovpn-server[1692]: mlockall call succeeded
Mar 29 16:14:12 myvpn systemd[1]: [email protected]: PID file /run/openvpn/server.pid not readable (yet?) after start: No such file or directory
Mar 29 16:14:12 myvpn ovpn-server[1690]: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Mar 29 16:14:12 myvpn ovpn-server[1690]: OpenVPN 2.4.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar  1 2018
Mar 29 16:14:12 myvpn systemd[1]: Starting OpenVPN connection to server...
Mar 29 16:14:12 myvpn systemd[1]: Started OpenVPN service.
Mar 29 16:14:05 myvpn ntpd[886]: Deleting interface #8 tun1, 10.8.0.1#123, interface stats: received=0, sent=0, dropped=0, active_time=21 secs
Mar 29 16:14:03 myvpn systemd[1]: [email protected]: Failed with result 'exit-code'.
Mar 29 16:14:03 myvpn systemd[1]: [email protected]: Unit entered failed state.
Mar 29 16:14:03 myvpn systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
Mar 29 16:13:44 myvpn ntpd[886]: new interface(s) found: waking up resolver
Mar 29 16:13:44 myvpn ntpd[886]: Listen normally on 8 tun1 10.8.0.1:123
Mar 29 16:13:44 myvpn ntpd[886]: Listen normally on 7 tun0 10.9.0.1:123
Mar 29 16:13:43 myvpn systemd[1]: Started OpenVPN service.
Mar 29 16:13:42 myvpn stunnel[571]: LOG3[0]: SSL_accept: Peer suddenly disconnected
Mar 29 16:13:42 myvpn openvpn[1622]: out of memory [1622]
Mar 29 16:13:42 myvpn ovpn-server[1622]: MULTI: TCP INIT maxclients=1024 maxevents=1028
Mar 29 16:13:42 myvpn ovpn-server[1622]: IFCONFIG POOL LIST
Mar 29 16:13:42 myvpn ovpn-server[1622]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Mar 29 16:13:42 myvpn ovpn-server[1622]: MULTI: multi_init called, r=256 v=256
Mar 29 16:13:42 myvpn ovpn-server[1622]: UID set to nobody
Mar 29 16:13:42 myvpn ovpn-server[1622]: GID set to nogroup
Mar 29 16:13:42 myvpn ovpn-server[1622]: TCPv4_SERVER link remote: [AF_UNSPEC]
Mar 29 16:13:42 myvpn ovpn-server[1622]: TCPv4_SERVER link local (bound): [AF_INET][undef]:636
Mar 29 16:13:42 myvpn ovpn-server[1622]: Listening for incoming TCP connection on [AF_INET][undef]:636
Mar 29 16:13:42 myvpn ovpn-server[1622]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Mar 29 16:13:42 myvpn systemd[1]: Started OpenVPN connection to server-udp.
Mar 29 16:13:42 myvpn ovpn-server[1622]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mar 29 16:13:42 myvpn systemd[1]: Started OpenVPN connection to server.
Mar 29 16:13:42 myvpn ovpn-server[1622]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Mar 29 16:13:42 myvpn ovpn-server[1622]: /sbin/ip addr add dev tun1 local 10.8.0.1 peer 10.8.0.2
Mar 29 16:13:42 myvpn ovpn-server[1622]: /sbin/ip link set dev tun1 up mtu 1500
Mar 29 16:13:42 myvpn ovpn-server[1622]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0



All 5 comments

I was running into the same problem on Ubuntu. I fixed it by changing one of the lines in the .ovpn config. By removing the line starting with "route" and ending with "net_gateway" the problem was fixed. (Not that that should be the official fix. Something is going on here and warrants more investigation)

@Frichetten, @alphazo sorry to hear you're having issues with OpenVPN.

I believe I have found the culprit - a server configuration which aims to secure the installation seems to have had unintended side effects.

Within both /etc/openvpn/server.conf and /etc/openvpn/server-udp.conf comment out the mlock directive:

for example:

# Avoid paging secrets to disk.
# mlock

then a simple systemctl restart openvpn should do the trick.
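
Added example (not part of the thread or of Streisand's code): a shell check that flags an OpenVPN server config combining an active `mlock` with a `user` privilege drop, the sequence visible in the server log above (`mlockall call succeeded`, `UID set to nobody`, then `out of memory`), and applies the comment-out fix described in this comment. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and the sample config below are constructed.

# has_directive FILE NAME: succeed if NAME is an active (uncommented)
# directive; OpenVPN treats lines starting with # or ; as comments.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# mlock_privdrop_risk FILE: succeed when the config both locks memory and
# drops privileges, so allocations made after the drop are bounded by the
# unprivileged locked-memory limit (RLIMIT_MEMLOCK).
mlock_privdrop_risk() {
    has_directive "$1" mlock && has_directive "$1" user
}

# comment_out_mlock FILE: the fix from the thread; keeps a .bak copy.
comment_out_mlock() {
    cp -p "$1" "$1.bak" &&
    sed 's/^\([[:space:]]*\)mlock\([[:space:]]*\)$/\1# mlock\2/' "$1.bak" > "$1"
}

# make_sample_conf: write a constructed server.conf fragment to a temp file
# and print its path.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
port 636
proto tcp
user nobody
group nogroup
# Avoid paging secrets to disk.
mlock
EOF
    printf '%s\n' "$f"
}

demo() {
    conf=$(make_sample_conf) || return 1
    if mlock_privdrop_risk "$conf"; then
        echo "risk: active mlock together with a user privilege drop in $conf"
        comment_out_mlock "$conf"
    fi
    mlock_privdrop_risk "$conf" || echo "mlock is no longer active"
    rm -f "$conf" "$conf.bak"
}

demo
```

On the server in this thread the files to check are /etc/openvpn/server.conf and /etc/openvpn/server-udp.conf, followed by systemctl restart openvpn. Raising the service's locked-memory limit instead (for example with systemd's `LimitMEMLOCK=`) would keep `mlock` active; that alternative is an assumption here and was not tested in the thread.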

Thanks @alimakki this fixed the issue. It's funny because I noticed that configuration option when inspecting the openvpn config file because I never used it before.
So everything is working fine now even with IPv6 fully disabled.

Glad to hear it @alphazo. @Frichetten I hope that resolved your issue as well.

@alimakki, Worked like a charm! Thank you for that instant fix! :)
