Gentoo Forums
OpenVPN client doesn't work; no tun device created
mounty1
l33t
Joined: 06 Jul 2006
Posts: 797
Location: Queensland

Posted: Sat May 11, 2019 2:44 am    Post subject: OpenVPN client doesn't work; no tun device created

Hello, I'm trying to set up an openvpn client on a systemd-based installation but it doesn't work. The first point is that no tun interface exists. My configuration is:
Code:
setenv UV_ID zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
setenv UV_NAME zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
client
dev tun0
dev-type tun
remote zzzzzzzzzzzzzzzzzzzzzzzzzzz 19209 udp
remote zzzzzzzzzzzzzzzzzzzzzzzzzzz 19209 udp
remote-random
nobind
persist-tun
cipher AES-256-CBC
auth SHA512
verb 2
mute 3
push-peer-info
ping 10
ping-restart 60
hand-window 70
server-poll-timeout 4
reneg-sec 2592000
sndbuf 393216
rcvbuf 393216
max-routes 1000
remote-cert-tls server
comp-lzo no
auth-user-pass
key-direction 1

ca /etc/openvpn/client/CS/ca.cert
cert /etc/openvpn/client/CS/client1.crt
key /etc/openvpn/client/CS/client1.key
tls-auth /etc/openvpn/client/CS/ta.key 1
auth-user-pass /etc/openvpn/client/CS/auth

up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
and when I try:
# for I in stop start status ; do sleep 2 ; systemctl $I openvpn-client@CS.service ; done ; journalctl --since "10 seconds ago" -u openvpn-client@CS:
● openvpn-client@CS.service - OpenVPN tunnel for CS
   Loaded: loaded (/lib/systemd/system/openvpn-client@.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-05-11 12:38:14 AEST; 2s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 3351 (openvpn)
   Status: "Pre-connection initialization successful"
   CGroup: /system.slice/system-openvpn\x2dclient.slice/openvpn-client@CS.service
           └─3351 /usr/sbin/openvpn --suppress-timestamps --nobind --config CS.conf

May 11 12:38:14 unesco openvpn[3351]: DEPRECATED OPTION: --max-routes option ignored.The number of routes is unlimited as of OpenVPN 2.4. This option will be removed in a future version, >
May 11 12:38:14 unesco openvpn[3351]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 10 2019
May 11 12:38:14 unesco openvpn[3351]: library versions: mbed TLS 2.17.0, LZO 2.10
May 11 12:38:14 unesco openvpn[3351]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
May 11 12:38:14 unesco systemd[1]: Started OpenVPN tunnel for CS.
May 11 12:38:14 unesco openvpn[3351]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:14 unesco openvpn[3351]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:14 unesco openvpn[3351]: TCP/UDP: Preserving recently used remote address: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:14 unesco openvpn[3351]: UDP link local: (not bound)
May 11 12:38:14 unesco openvpn[3351]: UDP link remote: [AF_INET]zzz.zzz.zzz.zzz:19209
-- Logs begin at Tue 2019-04-30 09:23:00 AEST, end at Sat 2019-05-11 12:38:14 AEST. --
May 11 12:38:08 unesco openvpn[3324]: Server poll timeout, restarting
May 11 12:38:08 unesco openvpn[3324]: SIGUSR1[soft,server_poll] received, process restarting
May 11 12:38:08 unesco openvpn[3324]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
May 11 12:38:08 unesco openvpn[3324]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:08 unesco openvpn[3324]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:08 unesco openvpn[3324]: TCP/UDP: Preserving recently used remote address: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:08 unesco openvpn[3324]: UDP link local: (not bound)
May 11 12:38:08 unesco openvpn[3324]: UDP link remote: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:12 unesco openvpn[3324]: Server poll timeout, restarting
May 11 12:38:12 unesco openvpn[3324]: SIGUSR1[soft,server_poll] received, process restarting
May 11 12:38:12 unesco openvpn[3324]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
May 11 12:38:12 unesco openvpn[3324]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:12 unesco openvpn[3324]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:12 unesco openvpn[3324]: TCP/UDP: Preserving recently used remote address: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:12 unesco openvpn[3324]: UDP link local: (not bound)
May 11 12:38:12 unesco openvpn[3324]: UDP link remote: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:12 unesco openvpn[3324]: event_wait : Interrupted system call (code=4)
May 11 12:38:12 unesco openvpn[3324]: SIGTERM[hard,] received, process exiting
May 11 12:38:12 unesco systemd[1]: Stopping OpenVPN tunnel for CS...
May 11 12:38:12 unesco systemd[1]: openvpn-client@CS.service: Succeeded.
May 11 12:38:12 unesco systemd[1]: Stopped OpenVPN tunnel for CS.
May 11 12:38:14 unesco systemd[1]: Starting OpenVPN tunnel for CS...
May 11 12:38:14 unesco openvpn[3351]: DEPRECATED OPTION: --max-routes option ignored.The number of routes is unlimited as of OpenVPN 2.4. This option will be removed in a future version, >
May 11 12:38:14 unesco openvpn[3351]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 10 2019
May 11 12:38:14 unesco openvpn[3351]: library versions: mbed TLS 2.17.0, LZO 2.10
May 11 12:38:14 unesco openvpn[3351]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
May 11 12:38:14 unesco systemd[1]: Started OpenVPN tunnel for CS.
May 11 12:38:14 unesco openvpn[3351]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:14 unesco openvpn[3351]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:14 unesco openvpn[3351]: TCP/UDP: Preserving recently used remote address: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:14 unesco openvpn[3351]: UDP link local: (not bound)
May 11 12:38:14 unesco openvpn[3351]: UDP link remote: [AF_INET]zzz.zzz.zzz.zzz:19209
The kernel has CBC support, and /dev/net/tun exists. So why is there no tun0 device, and does it matter to getting the client working?
_________________
Michael Mounteney
Anon-E-moose
Advocate
Joined: 23 May 2008
Posts: 4397
Location: Dallas area

Posted: Sat May 11, 2019 10:32 am

This is what I see before the tun shows up (IPs omitted):

Code:
UDP link remote: [AF_INET]
Peer Connection Initiated with [AF_INET]
TUN/TAP device tun0 opened


If you don't get the remote link and peer connection the tun won't show.
_________________
Asus m5a99fx, FX 8320 - nouveau, oss4, rx550 for qemu passthrough
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
5.0.13 zen kernel, profile 17.1 (no-pie & modified) amd64-no-multilib
gcc 8.2.0, eudev, openrc, openbox, palemoon
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1847

Posted: Sat May 11, 2019 11:00 am

Quote:
persist-tun
Doesn't this option require you to create a tun device manually before starting your VPN?

Quote:
May 11 12:38:12 unesco openvpn[3324]: Server poll timeout, restarting
A firewall blocking your connection?

Quote:
May 11 12:38:12 unesco openvpn[3324]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
You have some scripts linked in your config; what do they do?
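A small triage script, added here as an example (it is not code from any post and not OpenVPN project code), that applies the two readings above to a journal: it finds the furthest of the milestone lines Anon-E-moose listed (UDP link remote, then Peer Connection Initiated, then TUN/TAP device opened) and counts the `Server poll timeout` restarts szatox points at, so the reader can see at a glance that the first post's client never got past the UDP socket and therefore never asked for a tun device. The sample journal lines are constructed after the first post with a documentation address; the final `Initialization Sequence Completed` milestone is OpenVPN's usual success line and is assumed here, it does not occur in this thread.

```python
#!/usr/bin/env python3
"""Triage an OpenVPN 2.4 client journal: how far did the connection get?

Added example for this thread; not OpenVPN project code and not from any post.
"""
import re

# Optional journald prefix, e.g. "May 11 12:38:08 unesco openvpn[3324]: ".
# Making it optional lets plain `openvpn --log` output through unchanged.
JOURNAL_PREFIX = re.compile(
    r"^(?:\S+\s+\d+\s+[\d:]+\s+\S+\s+openvpn\[\d+\]:\s*)?(.*)$")

# Milestones in the order a healthy client passes them.  The first three are
# the lines Anon-E-moose quoted; the fourth is OpenVPN's standard success line
# (assumed here; it does not occur in the thread's journal).
MILESTONES = [
    ("link", "UDP link remote:"),
    ("peer", "Peer Connection Initiated with"),
    ("tun", "TUN/TAP device"),
    ("init", "Initialization Sequence Completed"),
]
ORDER = [name for name, _ in MILESTONES]

# Failure indicators taken from the first post's journal.
SERVER_POLL_TIMEOUT = "Server poll timeout, restarting"
RESTART = "received, process restarting"
SCRIPT_SECURITY_NOTE = "'--script-security 2' or higher is required"
DEPRECATED = re.compile(r"DEPRECATED OPTION: (--[\w-]+)")


def diagnose(lines):
    """Return a dict: furthest milestone reached, counts of the failure
    indicators, and a one-line verdict.  `lines` may carry the journal prefix."""
    reached = []
    poll_timeouts = restarts = 0
    script_note = False
    deprecated = set()
    for raw in lines:
        msg = JOURNAL_PREFIX.match(raw.rstrip("\n")).group(1)
        for name, needle in MILESTONES:
            if needle in msg and name not in reached:
                reached.append(name)
        poll_timeouts += SERVER_POLL_TIMEOUT in msg
        restarts += RESTART in msg
        script_note = script_note or SCRIPT_SECURITY_NOTE in msg
        hit = DEPRECATED.search(msg)
        if hit:
            deprecated.add(hit.group(1))

    # Furthest milestone = the latest one in MILESTONE order that was ever seen,
    # even if a later restart fell back to an earlier stage.
    furthest = max(reached, key=ORDER.index) if reached else None
    if furthest in (None, "link"):
        verdict = ("no reply from the server: the UDP socket was set up but no "
                   "peer handshake followed, so no tun device is ever requested; "
                   "check reachability and firewalling of the remote UDP port")
    elif furthest == "peer":
        verdict = ("handshake completed but no TUN/TAP device was opened: check "
                   "/dev/net/tun and the privileges the client runs with")
    else:
        verdict = "TUN/TAP device opened; the interface should be visible"
    return {
        "furthest": furthest,
        "server_poll_timeouts": poll_timeouts,
        "restarts": restarts,
        "script_security_note": script_note,
        "deprecated_options": sorted(deprecated),
        "verdict": verdict,
    }


# Constructed sample modelled on the restart loop in the first post
# (192.0.2.10 is a documentation address, not the poster's server).
STALLED_LOG = """\
May 11 12:38:08 unesco openvpn[3324]: Server poll timeout, restarting
May 11 12:38:08 unesco openvpn[3324]: SIGUSR1[soft,server_poll] received, process restarting
May 11 12:38:08 unesco openvpn[3324]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
May 11 12:38:08 unesco openvpn[3324]: UDP link local: (not bound)
May 11 12:38:08 unesco openvpn[3324]: UDP link remote: [AF_INET]192.0.2.10:19209
May 11 12:38:12 unesco openvpn[3324]: Server poll timeout, restarting
May 11 12:38:12 unesco openvpn[3324]: SIGUSR1[soft,server_poll] received, process restarting
May 11 12:38:14 unesco openvpn[3351]: DEPRECATED OPTION: --max-routes option ignored.The number of routes is unlimited as of OpenVPN 2.4.
May 11 12:38:14 unesco openvpn[3351]: UDP link remote: [AF_INET]192.0.2.10:19209
""".splitlines()

# Constructed sample of a client that comes all the way up.
HEALTHY_LOG = """\
UDP link remote: [AF_INET]192.0.2.10:19209
Peer Connection Initiated with [AF_INET]192.0.2.10:19209
TUN/TAP device tun0 opened
Initialization Sequence Completed
""".splitlines()

if __name__ == "__main__":
    import sys
    # Usage: journalctl -u openvpn-client@CS > cs.log; python3 triage.py cs.log
    if len(sys.argv) > 1:
        samples = [(sys.argv[1], open(sys.argv[1]).read().splitlines())]
    else:
        samples = [("stalled", STALLED_LOG), ("healthy", HEALTHY_LOG)]
    for label, log in samples:
        result = diagnose(log)
        print(f"{label}: furthest={result['furthest']} "
              f"poll_timeouts={result['server_poll_timeouts']} "
              f"deprecated={result['deprecated_options']}")
        print(f"  {result['verdict']}")
```

Run without arguments it reports on the two embedded samples; given a file it reads that instead. The verdict for the stalled sample is the point of the two replies above: with `server-poll-timeout 4` the client gives up on each remote after four seconds and restarts, and until a peer handshake succeeds there is nothing that would open tun0.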
Anon-E-moose
Advocate
Joined: 23 May 2008
Posts: 4397
Location: Dallas area

Posted: Sat May 11, 2019 11:39 am

szatox wrote:
Quote:
persist-tun
Doesn't this option require you to create a tun device manually before starting your VPN?

I have that option; it will create it if it doesn't exist, or reuse one if it had been started in the past.

Edit to add:
Code:
       --persist-tun
              Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.

mounty1
l33t
Joined: 06 Jul 2006
Posts: 797
Location: Queensland

Posted: Sat May 11, 2019 12:05 pm    Post subject: Not sure

Been working with some of the sysops ... apparently I am connecting, but disconnecting after 60 seconds owing to failing to respond to 'pings' (which are not real pings but openvpn keepalive packets). No tun interface is created.
Anon-E-moose
Advocate
Joined: 23 May 2008
Posts: 4397
Location: Dallas area

Posted: Sat May 11, 2019 12:08 pm

My openvpn.conf
Code:
$ cat /etc/openvpn/openvpn.conf
client
dev tun
proto udp
remote xxxxxxxxxxxxxxxxxxxx xxxx
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
#auth-user-pass
auth-user-pass /etc/openvpn/openvpn.up
#comp-lzo
compress
verb 1
reneg-sec 0
crl-verify crl.pem
ca ca.crt
#disable occ

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/openvpn.rte.down"
route-up "/etc/openvpn/openvpn.rte.up"

route-delay 2
route-noexec
log-append /var/log/openvpn/openvpn.log

user openvpn
group openvpn


ETA: If you run "verb 4" you'll get lots more info (I use it when troubleshooting, then turn it off).
Anon-E-moose
Advocate
Joined: 23 May 2008
Posts: 4397
Location: Dallas area

Posted: Sat May 11, 2019 12:56 pm

I see you use "dev tun0" instead of "dev tun"; in that case I'm not sure whether it has to exist before you try to use it or not.

Code:
       --dev tunX | tapX | null
              TUN/TAP virtual network device ( X can be omitted for a dynamic device.)


I use tun without the number, and I know it's created.

What does "ls -la /dev/net" show?
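A linter for the configuration points raised across the thread, added here as an example (not OpenVPN code and not from any poster): scripts configured without `script-security` (the NOTE in the first post's journal that szatox quotes), the deprecated `max-routes` the log complains about, a fixed `dev tunN` name versus the dynamic `dev tun` discussed just above, duplicated options such as the two `auth-user-pass` lines in the first config, and a missing `remote-cert-tls server` (both configs in the thread set it). The sample configs are constructed from the first post with placeholder hostnames; the `SCRIPT_OPTIONS` set and the reason given for `remote-cert-tls` come from OpenVPN's documented behaviour rather than from the thread, and `script-security` may also be supplied on the command line or by the service unit, which a file-only linter cannot see.

```python
#!/usr/bin/env python3
"""Lint an OpenVPN client config for the points raised in this thread.

Added example; not OpenVPN code and not from any post in the thread.
"""
import shlex
from collections import Counter

# Options that make OpenVPN execute an external script.  Without
# `script-security 2` (or higher) the 2.4 client prints the NOTE seen in the
# first post's log and does not run them.  Assumption: this set is taken from
# OpenVPN's documentation, not from the thread.
SCRIPT_OPTIONS = {"up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify"}

# Options that are legitimately given more than once.
REPEATABLE = {"remote", "setenv", "route", "pull-filter", "push"}


def parse_config(text):
    """Return [(option, [args]), ...] in file order; '#' and ';' start comments.
    Inline <ca>...</ca> blocks are not handled (both configs in the thread use paths)."""
    entries = []
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        parts = shlex.split(line, comments=True)   # honours quoted script paths
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries


def lint(text):
    """Return a list of (level, message) findings; an empty list means clean."""
    entries = parse_config(text)
    counts = Counter(name for name, _ in entries)
    findings = []

    scripts = sorted(counts.keys() & SCRIPT_OPTIONS)
    if scripts and "script-security" not in counts:
        findings.append(("warning",
            f"{', '.join(scripts)} configured but no script-security in the file: "
            "OpenVPN will log the '--script-security 2' NOTE and skip the scripts "
            "unless the service unit or command line supplies the option"))

    if "max-routes" in counts:
        findings.append(("info",
            "max-routes is ignored since OpenVPN 2.4 and scheduled for removal; drop it"))

    for name, args in entries:
        if name == "dev" and args and args[0] not in ("tun", "tap", "null"):
            findings.append(("info",
                f"dev {args[0]}: fixed device name; 'dev tun' lets OpenVPN "
                "allocate a dynamic one (see the --dev manpage excerpt in the thread)"))

    for name, count in sorted(counts.items()):
        if count > 1 and name not in REPEATABLE:
            findings.append(("info",
                f"{name} given {count} times; check which occurrence is intended"))

    if "remote-cert-tls" not in counts:
        findings.append(("warning",
            "remote-cert-tls server missing: the client would accept any "
            "certificate signed by the CA, including another client's, as the server"))
    return findings


# Constructed from the first post's configuration, trimmed, with placeholder hosts.
THREAD_CONFIG = """\
client
dev tun0
remote vpn1.example.net 19209 udp
remote vpn2.example.net 19209 udp
persist-tun
cipher AES-256-CBC
auth SHA512
max-routes 1000
remote-cert-tls server
auth-user-pass
ca /etc/openvpn/client/CS/ca.cert
tls-auth /etc/openvpn/client/CS/ta.key 1
auth-user-pass /etc/openvpn/client/CS/auth
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
"""

# The same config with each finding addressed.
CLEAN_CONFIG = """\
client
dev tun
remote vpn1.example.net 19209 udp
remote vpn2.example.net 19209 udp
persist-tun
cipher AES-256-CBC
auth SHA512
remote-cert-tls server
ca /etc/openvpn/client/CS/ca.cert
tls-auth /etc/openvpn/client/CS/ta.key 1
auth-user-pass /etc/openvpn/client/CS/auth
script-security 2
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
"""

if __name__ == "__main__":
    import sys   # usage: python3 lint.py /etc/openvpn/client/CS.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else THREAD_CONFIG
    for level, message in lint(text) or [("ok", "no findings")]:
        print(f"[{level}] {message}")
```

The two warnings are the ones that change behaviour: without `script-security` the `up`/`down` scripts silently never run, and without `remote-cert-tls server` the TLS check stops short of confirming the peer is actually a server. The rest are informational, but the duplicated `auth-user-pass` is worth a look because only one of the two lines can take effect.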