Can't start ovpn, strange error in log

Hi, I have configured ovpn but I can't start the service and the start button is greyed out. I tried to see the log but it is filled with this message:

less /var/log/messages | grep openvpn

when last update time is 1714228804 (minimum one second step)
Apr 27 16:40:33 artemis collectd[20932]: rrdtool plugin: rrd_update_r failed: /var/log/rrd/collectd/localhost/processes-openvpn/ps_cputime.rrd: /var/log/rrd/collectd/localhost/processes-openvpn/ps_cputime.rrd: illegal attempt to update using time 1714228803 when last update time is 1714228804 (minimum one second step)
[root@artemis ~]#

I do suspect something regarding this might be the problem. Does anyone have any idea what to try?

@hahnson Not an expert at all, however, looking at those entries, it looks for all the world like the time on your IPFire is out somehow.


Yeah, sorry, that was the first thing I checked; date gives the same date and time as is correct.


I also see in the log it is continuously spamming the error about every minute.

Perhaps I should try reinstalling the ipfirebox, as I remember it is not very hard nor consuming exporting the config.

The log message shown is about a problem related to creating the data for the openvpn cpu time graph.

The message shown has nothing in it about why openvpn is not starting.

The best approach is first to try and start openvpn and then go to the WUI menu Logs - System Logs. Then in the drop down box labelled Section: select OpenVPN and press the Update button.

Then post the logs using the Preformatted text option on the forum post menu bar, which is the symbol </>
Those logs should give some hint as to what is stopping openvpn from starting.


Hi

Thanks, I checked there and there are some entries from when I rebooted this morning.

IPFire diagnostics
Section: openvpn
Date: April 28, 2024

10:41:38 openvpnserver[2525]:  DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
10:41:38 openvpnserver[2525]:  Options error: --server directive network/netmask combination is invalid
10:41:38 openvpnserver[2525]:  Use --help for more information.

Have I configured it wrong maybe? This is what my config looks like.

For external IP I have entered my public IP.

The first DEPRECATED OPTION warning is because IPFire currently is still using the ncp-disable option. So that can be ignored.

The second line is the problem. The network/netmask of 192.168.50.0/255.255.255.0 is said to be invalid.

Have you used 192.168.50.0/255.255.255.0 as the subnet for your green or blue or orange networks?

The OpenVPN subnet has to be a unique subnet not overlapping with any other subnet you are already using in IPFire.

See the documentation on the OpenVPN subnet entry
https://www.ipfire.org/docs/configuration/services/openvpn/config/glob_set#network-configuration

Hi, thanks. Yes, I don't use that subnet on any interface. Just to be perfectly sure I set it to 172.16.0.0/255.255.0.0 now, but still the same problem / message in the log.

Can you show the contents of

/var/ipfire/ovpn/server.conf

[root@artemis ~]# cat /var/ipfire/ovpn/server.conf
#OpenVPN Server conf

daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local MYEXTERNALIPV4
dev tun
proto udp
port 1195
script-security 3
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
client-config-dir /var/ipfire/ovpn/ccd
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /etc/ssl/ffdhe4096.pem
server 172.16.0.0 255.255.0.0
tun-mtu 1400
mssfix 0
keepalive 10 60
status-version 1
status /var/run/ovpnserver.log 30
ncp-disable
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
max-clients 100
tls-verify /usr/lib/openvpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
auth-user-pass-optional
reneg-sec 86400
user nobody
group nobody
persist-key
persist-tun
verb 3

# Log clients connecting/disconnecting
client-connect "/usr/sbin/openvpn-metrics client-connect"
client-disconnect "/usr/sbin/openvpn-metrics client-disconnect"

# Enable Management Socket
management /var/run/openvpn.sock unix
management-client-auth


There is nothing in that server.conf that should cause a problem.

I just tried the subnet of 172.16.0.0/255.255.0.0 on my vm testbed system and OpenVPN started without any problem.

Searching on that log message it is saying that the OpenVPN server has found that the subnet overlaps, however small, with another subnet used somewhere on your IPFire.

Can you please show the output from this command, excluding the lo and red0 results.

ip address show

I am presuming that your red0 interface has a public IP and not a private range IP but can you please confirm this.
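
The comparison asked for above can be scripted. The following is an added example, not part of the original thread or IPFire's own code: it reads the `server` directive from server.conf text and the one-line-per-address output of `ip -o -4 address show`, then lists every interface subnet the OpenVPN subnet overlaps. The sample inputs are constructed and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample inputs (not taken from the thread): a server.conf excerpt
# and `ip -o -4 address show` output for a hypothetical box.
SAMPLE_CONF = """\
dev tun
proto udp
server 172.16.0.0 255.255.0.0
"""
SAMPLE_IP_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: green0    inet 192.168.1.1/24 brd 192.168.1.255 scope global green0
3: blue0    inet 172.16.20.1/24 brd 172.16.20.255 scope global blue0
4: red0    inet 203.0.113.10/24 brd 203.0.113.255 scope global red0
"""

def server_subnet(conf_text):
    """Return the network from the `server <network> <netmask>` directive."""
    m = re.search(r"^\s*server\s+(\S+)\s+(\S+)", conf_text, re.MULTILINE)
    if not m:
        raise ValueError("no server directive found")
    # strict=True raises ValueError when host bits are set in the network
    # address or the netmask is not contiguous.
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)

def interface_subnets(ip_output, skip=("lo", "red0")):
    """Map interface name -> IPv4 networks, skipping lo and red0 as asked."""
    nets = {}
    for line in ip_output.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m and m.group(1) not in skip:
            net = ipaddress.ip_interface(m.group(2)).network
            nets.setdefault(m.group(1), []).append(net)
    return nets

def find_overlaps(conf_text, ip_output):
    """Return (interface, network) pairs that overlap the OpenVPN subnet."""
    vpn = server_subnet(conf_text)
    found = interface_subnets(ip_output)
    return [(n, net) for n, nets in found.items() for net in nets
            if vpn.overlaps(net)]

if __name__ == "__main__":
    for name, net in find_overlaps(SAMPLE_CONF, SAMPLE_IP_OUTPUT):
        print(f"OpenVPN subnet overlaps {name} ({net})")
```

On a live system the two strings would be replaced by the contents of /var/ipfire/ovpn/server.conf and the captured command output.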