SOLVED: OpenVPN broken after running over a year

chayes874
Posts: 25
Joined: Tue Jan 03, 2017 9:14 pm

Postby chayes874 » Mon May 15, 2017 11:42 pm

Sometime over this past weekend, my OpenVPN server failed. I can no longer reach my server via OpenVPN. I had custom certificates for about 8 users on various platforms and personally I was remotely logging into the system M-F almost daily. I tried uninstalling and re-installing OpenVPN - no change. Rebooted, power cycle, re-install, build custom certificates, use default certificates (yes, the new ones)... nothing. I'm getting timeouts like it can't reach the server.

Inside my network, I can reach the server without issues (obviously not using OpenVPN), so my system is still up and running. Using the Amahi iOS app, I can also reach the server and all my shared folders/files.

System 4.1.13-100.fc21.x86_64 ,x86_64
Platform 8.0.2-1
Core 6.0.1-1
OpenVPN 2.3.2

Any suggestions? Thanks.

chayes874
Posts: 25
Joined: Tue Jan 03, 2017 9:14 pm

Re: OpenVPN broken after running over a year

Postby chayes874 » Mon May 15, 2017 11:48 pm

Forgot to mention one thing - OpenVPN Tester is passing and showing green when I test my system with the default certificates.

bigfoot65
Project Manager
Posts: 11924
Joined: Mon May 25, 2009 4:31 pm

Re: OpenVPN broken after running over a year

Postby bigfoot65 » Tue May 16, 2017 5:37 am

> I can no longer reach my server via OpenVPN.

Verify that OpenVPN server is running:

    sudo systemctl status openvpn

Next provide the URL for:

    apaste --sysinfo

Check the /var/log/amahi-app-installer.log for errors.
ßîgƒσστ65
Applications Manager

My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 16GB RAM, 1TBx1+2TBx2+4TBx2

chayes874
Posts: 25
Joined: Tue Jan 03, 2017 9:14 pm

Re: OpenVPN broken after running over a year

Postby chayes874 » Tue May 16, 2017 8:24 am

    sudo systemctl status openvpn

● openvpn.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)

However, I was doing this last night, but with the following command which I thought was correct:

    sudo systemctl status openvpn@amahi.service

Running this command currently returns the following:

openvpn@amahi.service - OpenVPN Robust And Highly Flexible Tunneling Application On amahi
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled)
Active: active (running) since Mon 2017-05-15 23:15:13 PDT; 8h ago
Process: 1102 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
Main PID: 1103 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@amahi.service
├─1103 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/amahi.pid --cd /etc/openvpn/ --config amahi.conf
└─1104 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/amahi.pid --cd /etc/openvpn/ --config amahi.conf

May 15 23:44:33 localhost.localdomain openvpn[1103]: 208.115.201.202:49764 PUSH: Received control message: 'PUSH_REQUEST'
May 15 23:44:33 localhost.localdomain openvpn[1103]: 208.115.201.202:49764 Delayed exit in 5 seconds
May 15 23:44:33 localhost.localdomain openvpn[1103]: 208.115.201.202:49764 SENT CONTROL [Amahi-Client-OpenVPN]: 'AUTH_FAILED' (status=1)
May 15 23:44:34 localhost.localdomain openvpn[1103]: 208.115.201.202:36638 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
May 15 23:44:34 localhost.localdomain openvpn[1103]: 208.115.201.202:36638 [Amahi-Client-OpenVPN] Peer Connection Initiated with [AF_INET]208.115.201.202:36638
May 15 23:44:35 localhost.localdomain openvpn[1103]: 208.115.201.202:36638 PUSH: Received control message: 'PUSH_REQUEST'
May 15 23:44:35 localhost.localdomain openvpn[1103]: 208.115.201.202:36638 Delayed exit in 5 seconds
May 15 23:44:35 localhost.localdomain openvpn[1103]: 208.115.201.202:36638 SENT CONTROL [Amahi-Client-OpenVPN]: 'AUTH_FAILED' (status=1)
May 15 23:44:38 localhost.localdomain openvpn[1103]: 208.115.201.202:49764 SIGTERM[soft,delayed-exit] received, client-instance exiting
May 15 23:44:40 localhost.localdomain openvpn[1103]: 208.115.201.202:36638 SIGTERM[soft,delayed-exit] received, client-instance exiting

Interesting... that IP address isn't familiar to me. Is that the Amahi OpenVPN checker tool trying to connect?

    apaste --sysinfo

Gathering system info..............................Uploading (11.2KiB)...
Error: Server did not return a correct JSON response

> Check the /var/log/amahi-app-installer.log for errors.

I see no errors below. Just me uninstalling and re-installing. Do I need to wipe out that cache?

======= app uninstall begin @ 2017-05-15 20:57:20 -0700 ==========
Uninstalling app id wzjcdmbnqp under /var/hda/platform/html/script/.. ENV=production
App: OpenVPN uninstalled
======= app uninstall end @ 2017-05-15 20:57:22 -0700 ==========
======= app install begin @ 2017-05-15 20:57:54 -0700 ==========
Installing app id wzjcdmbnqp under /var/hda/platform/html/script/.. ENV=production
file /var/hda/tmp/amahi-download-cache/ebb40d5724a72ffdd5f9e23d10d6432087225ba8 written in cache
App: OpenVPN installed
======= app install end @ 2017-05-15 20:58:01 -0700 ==========
======= app uninstall begin @ 2017-05-15 21:00:08 -0700 ==========
Uninstalling app id wzjcdmbnqp under /var/hda/platform/html/script/.. ENV=production
App: OpenVPN uninstalled
======= app uninstall end @ 2017-05-15 21:00:09 -0700 ==========
======= app install begin @ 2017-05-15 21:01:54 -0700 ==========
Installing app id wzjcdmbnqp under /var/hda/platform/html/script/.. ENV=production
file /var/hda/tmp/amahi-download-cache/ebb40d5724a72ffdd5f9e23d10d6432087225ba8 picked up from cache.
App: OpenVPN installed
======= app install end @ 2017-05-15 21:02:00 -0700 ==========
======= app uninstall begin @ 2017-05-15 22:13:35 -0700 ==========
Uninstalling app id wzjcdmbnqp under /var/hda/platform/html/script/.. ENV=production
App: OpenVPN uninstalled
======= app uninstall end @ 2017-05-15 22:13:37 -0700 ==========
======= app install begin @ 2017-05-15 22:22:07 -0700 ==========
Installing app id wzjcdmbnqp under /var/hda/platform/html/script/.. ENV=production
file /var/hda/tmp/amahi-download-cache/ebb40d5724a72ffdd5f9e23d10d6432087225ba8 picked up from cache.
App: OpenVPN installed
======= app install end @ 2017-05-15 22:22:16 -0700 ==========
======= app uninstall begin @ 2017-05-15 23:13:21 -0700 ==========
Uninstalling app id wzjcdmbnqp under /var/hda/platform/html/script/.. ENV=production
/var/hda/apps/wzjcdmbnqp/elevated/uninstall: line 1: cd: /etc/openvpn/: No such file or directory
App: OpenVPN uninstalled
======= app uninstall end @ 2017-05-15 23:13:23 -0700 ==========
======= app install begin @ 2017-05-15 23:15:05 -0700 ==========
Installing app id wzjcdmbnqp under /var/hda/platform/html/script/.. ENV=production
file /var/hda/tmp/amahi-download-cache/ebb40d5724a72ffdd5f9e23d10d6432087225ba8 picked up from cache.
App: OpenVPN installed
======= app install end @ 2017-05-15 23:15:13 -0700 ==========

Thanks for the help!

bigfoot65
Project Manager
Posts: 11924
Joined: Mon May 25, 2009 4:31 pm

Re: OpenVPN broken after running over a year

Postby bigfoot65 » Tue May 16, 2017 8:44 am

> Interesting... that IP address isn't familiar to me. Is that the Amahi OpenVPN checker tool trying to connect?

Check that your HDA has the correct IP address assigned:

    ip address

It almost looks like the IP address for your ISP.

> Gathering system info..............................Uploading (11.2KiB)...

This error may be a result of the first issue.

Might want to check out the Network Troubleshooting guidance.

Something appears to be amiss with your network.
ßîgƒσστ65
Applications Manager

My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 16GB RAM, 1TBx1+2TBx2+4TBx2

chayes874
Posts: 25
Joined: Tue Jan 03, 2017 9:14 pm

Re: OpenVPN broken after running over a year

Postby chayes874 » Tue May 16, 2017 9:00 am

100% sure that 208.115.201.202 IP is the Amahi OpenVPN checker from the member control panel. I clicked it again and got another entry from the IP in the log file about an authorization failure. The member control panel tool is reporting everything is good, if it means anything.

The IP address of the HDA on the internal network is correct. I'll keep hacking away at it here...

chayes874
Posts: 25
Joined: Tue Jan 03, 2017 9:14 pm

Re: OpenVPN broken after running over a year

Postby chayes874 » Tue May 16, 2017 10:55 am

Okay, I think I see an issue here. It doesn't look like Amahi is resolving my HDA name (Dynamic DNS) to the proper IP address. It looks like it is using an IP address from a month ago.

Without using my actual IP addresses, let me explain. Currently, my external IP address is 123.123.123.123 - verified by looking at the modem/router IP address and what is displayed in my Amahi User Control Panel. They both match.

When I attempt to connect to my HDA via an OpenVPN client, it is resolving to the wrong IP address. The address shown in my client log is a previous address for my HDA - 123.123.456.456. That IP address shows up in my Alert Log at the User Control Panel as being valid "about 1 month ago."

I think I can't connect because Amahi is resolving my HDA name (Dynamic DNS) to an old IP address. This is further corroborated by these problems showing up over the weekend and my IP address changing to a new address "3 days ago". It changed to this new address from that previous address that it's still trying to connect to.

chayes874
Posts: 25
Joined: Tue Jan 03, 2017 9:14 pm

Re: OpenVPN broken after running over a year

Postby chayes874 » Tue May 16, 2017 11:07 am

Okay, I verified that this is exactly the problem. Modifying the config file to use the current modem IP address, instead of the Dynamic DNS, results in a successful VPN connection. Looks like this one is in your court! ;)

Thanks for the help!

chayes874
Posts: 25
Joined: Tue Jan 03, 2017 9:14 pm

Re: OpenVPN broken after running over a year

Postby chayes874 » Tue May 16, 2017 6:16 pm

The offending line in the OpenVPN client log is:
TCP/UDP: Preserving recently used remote address: [AF_INET]123.123.456.456:1194

The problem is my router's external IP address has changed and so this preserved remote address is wrong. Why and where is this address preserved? I'm not seeing a way to force OpenVPN client (Windows/iOS), Tunnelblick or HDA Connect to use the correct address for my HDA without inserting my current IP address into the OpenVPN client config file. And doing that is a problem as my IP address will change in the future.

How is my Amahi Dynamic DNS resolved to my current IP address?

chayes874
Posts: 25
Joined: Tue Jan 03, 2017 9:14 pm

Re: OpenVPN broken after running over a year

Postby chayes874 » Tue May 16, 2017 6:56 pm

This one is resolved. Apparently it was an issue with a switch to SSL for Dynamic DNS and Amahi 8. It was resolved on the Amahi side and I am now back to connecting properly via OpenVPN - it is finding the proper IP address. Thanks for the great support!
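
The check done by hand in this thread (compare what the client's `remote` name resolves to with the HDA's current external IP), as an added example that is not part of the original posts or of Amahi's code. The hostname, the addresses (documentation ranges) and the function names are assumptions made up for the illustration.

```python
import ipaddress
import socket

# Constructed sample client config: the hostname is a hypothetical placeholder
# and all addresses are from the RFC 5737 documentation ranges.
SAMPLE_CONF = """\
client
dev tun
proto udp
remote hda.example.net 1194
;remote 198.51.100.7 1194
resolv-retry infinite
"""

def parse_remotes(conf_text):
    """Return (host, port) for each active 'remote' directive in a client config."""
    remotes = []
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "remote":   # '#' and ';' lines never match
            port = int(fields[2]) if len(fields) > 2 and fields[2].isdigit() else 1194
            remotes.append((fields[1], port))
    return remotes

def resolve_ipv4(host):
    """Ask the system resolver which IPv4 addresses the name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)}

def check_remotes(conf_text, current_ip, resolver=resolve_ipv4):
    """Label each remote 'ok', 'stale' or 'unresolved' against the current external IP."""
    current = str(ipaddress.ip_address(current_ip))
    findings = []
    for host, port in parse_remotes(conf_text):
        try:
            addrs = {str(ipaddress.ip_address(host))}    # literal address in the config
        except ValueError:
            try:
                addrs = set(resolver(host))              # dynamic DNS name
            except OSError:                              # includes socket.gaierror
                addrs = set()
        status = "ok" if current in addrs else ("stale" if addrs else "unresolved")
        findings.append((host, port, sorted(addrs), status))
    return findings

if __name__ == "__main__":
    # Constructed scenario: DNS still answers with last month's address.
    old_dns = {"hda.example.net": {"198.51.100.7"}}
    for finding in check_remotes(SAMPLE_CONF, "203.0.113.25", resolver=old_dns.__getitem__):
        print(finding)
```

Called without a `resolver` argument, `check_remotes` uses the system resolver, so the result reflects what that client machine's DNS currently returns for the name.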
