SOLVED: OpenVPN broken after running over a year

[chayes874]

Sometime over this past weekend, my OpenVPN server failed. I can no longer reach my server via OpenVPN. I had custom certificates for about 8 users on various platforms and personally I was remotely logging into the system M-F almost daily. I tried uninstalling and re-installing OpenVPN - no change. Rebooted, power cycle, re-install, build custom certificates, use default certificates (yes, the new ones)... nothing. I'm getting timeouts like it can't reach the server.

Inside my network, I can reach the server without issues (obviously not using OpenVPN), so my system is still up and running. Using the Amahi iOS app, I can also reach the server and all my shared folders/files.

System 4.1.13-100.fc21.x86_64 ,x86_64
Platform 8.0.2-1
Core 6.0.1-1
OpenVPN 2.3.2

Any suggestions? Thanks.

[chayes874]

Forgot to mention one thing - OpenVPN Tester is passing and showing green when I test my system with the default certificates.

[bigfoot65]

I can no longer reach my server via OpenVPN.

Verify that OpenVPN server is running:

Code: Select all

sudo systemctl status openvpn

Next provide the URL for:

Code: Select all

apaste --sysinfo

Check the /var/log/amahi-app-installer.log for errors.

[chayes874]

sudo systemctl status openvpn

● openvpn.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)

However, I was doing this last night, but with the following command which I thought was correct:

Code: Select all

sudo systemctl status openvpn@amahi.service

Running this command currently returns the following:

● openvpn@amahi.service - OpenVPN Robust And Highly Flexible Tunneling Application On amahi
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled)
Active: active (running) since Mon 2017-05-15 23:15:13 PDT; 8h ago
Process: 1102 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
Main PID: 1103 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@amahi.service
├─1103 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/amahi.pid --cd /etc/openvpn/ --config amahi.conf
└─1104 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/amahi.pid --cd /etc/openvpn/ --config amahi.conf

May 15 23:44:33 localhost.localdomain openvpn[1103]: 208.115.201.202:49764 PUSH: Received control message: 'PUSH_REQUEST'
May 15 23:44:33 localhost.localdomain openvpn[1103]: 208.115.201.202:49764 Delayed exit in 5 seconds
May 15 23:44:33 localhost.localdomain openvpn[1103]: 208.115.201.202:49764 SENT CONTROL [Amahi-Client-OpenVPN]: 'AUTH_FAILED' (status=1)
May 15 23:44:34 localhost.localdomain openvpn[1103]: 208.115.201.202:36638 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
May 15 23:44:34 localhost.localdomain openvpn[1103]: 208.115.201.202:36638 [Amahi-Client-OpenVPN] Peer Connection Initiated with [AF_INET]208.115.201.202:36638
May 15 23:44:35 localhost.localdomain openvpn[1103]: 208.115.201.202:36638 PUSH: Received control message: 'PUSH_REQUEST'
May 15 23:44:35 localhost.localdomain openvpn[1103]: 208.115.201.202:36638 Delayed exit in 5 seconds
May 15 23:44:35 localhost.localdomain openvpn[1103]: 208.115.201.202:36638 SENT CONTROL [Amahi-Client-OpenVPN]: 'AUTH_FAILED' (status=1)
May 15 23:44:38 localhost.localdomain openvpn[1103]: 208.115.201.202:49764 SIGTERM[soft,delayed-exit] received, client-instance exiting
May 15 23:44:40 localhost.localdomain openvpn[1103]: 208.115.201.202:36638 SIGTERM[soft,delayed-exit] received, client-instance exiting

Interesting... that IP address isn't familiar to me. Is that the Amahi OpenVPN checker tool trying to connect?

apaste --sysinfo

Gathering system info..............................Uploading (11.2KiB)...
Error: Server did not return a correct JSON response

Check the /var/log/amahi-app-installer.log for errors.

I see no errors below. Just me uninstalling and re-installing. Do I need to wipe out that cache?

======= app uninstall begin @ 2017-05-15 20:57:20 -0700 ==========
Uninstalling app id wzjcdmbnqp under /var/hda/platform/html/script/.. ENV=production
App: OpenVPN uninstalled
======= app uninstall end @ 2017-05-15 20:57:22 -0700 ==========
======= app install begin @ 2017-05-15 20:57:54 -0700 ==========
Installing app id wzjcdmbnqp under /var/hda/platform/html/script/.. ENV=production
file /var/hda/tmp/amahi-download-cache/ebb40d5724a72ffdd5f9e23d10d6432087225ba8 written in cache
App: OpenVPN installed
======= app install end @ 2017-05-15 20:58:01 -0700 ==========
======= app uninstall begin @ 2017-05-15 21:00:08 -0700 ==========
Uninstalling app id wzjcdmbnqp under /var/hda/platform/html/script/.. ENV=production
App: OpenVPN uninstalled
======= app uninstall end @ 2017-05-15 21:00:09 -0700 ==========
======= app install begin @ 2017-05-15 21:01:54 -0700 ==========
Installing app id wzjcdmbnqp under /var/hda/platform/html/script/.. ENV=production
file /var/hda/tmp/amahi-download-cache/ebb40d5724a72ffdd5f9e23d10d6432087225ba8 picked up from cache.
App: OpenVPN installed
======= app install end @ 2017-05-15 21:02:00 -0700 ==========
======= app uninstall begin @ 2017-05-15 22:13:35 -0700 ==========
Uninstalling app id wzjcdmbnqp under /var/hda/platform/html/script/.. ENV=production
App: OpenVPN uninstalled
======= app uninstall end @ 2017-05-15 22:13:37 -0700 ==========
======= app install begin @ 2017-05-15 22:22:07 -0700 ==========
Installing app id wzjcdmbnqp under /var/hda/platform/html/script/.. ENV=production
file /var/hda/tmp/amahi-download-cache/ebb40d5724a72ffdd5f9e23d10d6432087225ba8 picked up from cache.
App: OpenVPN installed
======= app install end @ 2017-05-15 22:22:16 -0700 ==========
======= app uninstall begin @ 2017-05-15 23:13:21 -0700 ==========
Uninstalling app id wzjcdmbnqp under /var/hda/platform/html/script/.. ENV=production
/var/hda/apps/wzjcdmbnqp/elevated/uninstall: line 1: cd: /etc/openvpn/: No such file or directory
App: OpenVPN uninstalled
======= app uninstall end @ 2017-05-15 23:13:23 -0700 ==========
======= app install begin @ 2017-05-15 23:15:05 -0700 ==========
Installing app id wzjcdmbnqp under /var/hda/platform/html/script/.. ENV=production
file /var/hda/tmp/amahi-download-cache/ebb40d5724a72ffdd5f9e23d10d6432087225ba8 picked up from cache.
App: OpenVPN installed
======= app install end @ 2017-05-15 23:15:13 -0700 ==========

Thanks for the help!

[bigfoot65]

Interesting... that IP address isn't familiar to me. Is that the Amahi OpenVPN checker tool trying to connect?

Check that your HDA has the correct IP address assigned:

Code: Select all

ip address

It almost looks like the IP address for your ISP.

Gathering system info..............................Uploading (11.2KiB)...

This error may be a result of the first issue.

Might want to check out the Network Troubleshooting guidance.

Something appears to be amiss with your network.

[chayes874]

100% sure that 208.115.201.202 IP is the Amahi OpenVPN checker from the member control panel. I clicked it again and got another entry from the IP in the log file about an authorization failure. The member control panel tool is reporting everything is good, if it means anything.

The IP address of the HDA on the internal network is correct. I'll keep hacking away at it here...

[chayes874]

Okay, I think I see an issue here. It doesn't look like Amahi is resolving my HDA name (Dynamic DNS) to the proper IP address. It looks like it is using an IP address from a month ago.

Without using my actual IP addresses, let me explain. Currently, my external IP address is 123.123.123.123 - verified by looking at the modem/router IP address and what is displayed in my Amahi User Control Panel. They both match.

When I attempt to connect to my HDA via an OpenVPN client, it is resolving to the wrong IP address. The address shown in my client log is a previous address for my HDA - 123.123.456.456. That IP address shows up in my Alert Log at the User Control Panel as being valid "about 1 month ago."

I think I can't connect because Amahi is resolving my HDA name (Dynamic DNS) to an old IP address. This is further corroborated by these problems showing up over the weekend and my IP address changing to a new address "3 days ago". It changed to this new address from that previous address that it's still trying to connect to.

[chayes874]

Okay, I verified that this is exactly the problem. Modifying the config file to use the current modem IP address, instead of the Dynamic DNS, results in a successful VPN connection. Looks like this one is in your court!

Thanks for the help!

[chayes874]

The offending line in the OpenVPN client log is:
TCP/UDP: Preserving recently used remote address: [AF_INET]123.123.456.456:1194

The problem is my router's external IP address has changed and so this preserved remote address is wrong. Why and where is this address preserved? I'm not seeing a way to force OpenVPN client (Windows/iOS), Tunnelblick or HDA Connect to use the correct address for my HDA without inserting my current IP address into the OpenVPN client config file. And doing that is a problem as my IP address will change in the future.

How is my Amahi Dynamic DNS resolved to my current IP address?

[chayes874]

This one is resolved. Apparently it was an issue with a switch to SSL for Dynamic DNS and Amahi 8. It was resolved on the Amahi side and I am now back to connecting properly via OpenVPN - it is finding the proper IP address. Thanks for the great support!