Openvpn n2n - reconnect error

Hello @all,

I have the problem that the n2n connection breaks after a few days.

Client-Config

# IPFire rewritten n2n Open VPN Client Config by ummeegge and m.a.d
#
# User Security
user nobody
group nobody
persist-tun
persist-key
script-security 2
# IP/DNS for remote Server Gateway
remote fw.clientside.lan
float
# IP addresses of the VPN Subnet
ifconfig 10.107.122.2 10.107.122.1
# Server Gateway Network
route 192.168.178.0 255.255.255.0
up "/etc/init.d/static-routes start"
# tun Device
dev tun
#Logfile for statistics
status-version 1
status /var/run/openvpn/example-n2n 10
# Port and Protocol
port 1195
proto udp4
# Packet size
tun-mtu 1500
fragment 1300
mssfix
remote-cert-tls server
# Auth. Client
tls-client
# Cipher
cipher AES-256-CBC
pkcs12 /var/ipfire/ovpn/certs/BoDoMos.p12
# HMAC algorithm
auth SHA512
tls-version-min 1.2
# Debug Level
verb 3
# Tunnel check
keepalive 10 60
# Start as daemon
daemon example_n2n
writepid /var/run/example_n2n.pid
# Activate Management Interface and Port
management localhost 1195

Server-Config

# IPFire n2n Open VPN Server Config by ummeegge and m.a.d

# User Security
user nobody
group nobody
persist-tun
persist-key
script-security 2
# IP/DNS for remote Server Gateway
remote fw.serverside.lan
float
# IP addresses of the VPN Subnet
ifconfig 10.107.122.1 10.107.122.2
# Client Gateway Network
route 192.168.0.0 255.255.252.0
up "/etc/init.d/static-routes start"
# tun Device
dev tun
#Logfile for statistics
status-version 1
status /var/run/openvpn/example-n2n 10
# Port and Protocol
port 1195
proto udp4
# Packet size
tun-mtu 1500
fragment 1300
mssfix
# Auth. Server
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
# Cipher
cipher AES-256-CBC
# HMAC algorithm
auth SHA512
tls-version-min 1.2
# Debug Level
verb 3
# Tunnel check
keepalive 10 60
# Start as daemon
daemon example_n2n
writepid /var/run/example_n2n.pid
# Activate Management Interface and Port
management localhost 1195

The only error I found in the logs is:

05:21:25 openvpnserver[2585]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]146.88.240.4:38068
05:33:03 example_n2n[2637]: [fw.serverside.lan] Inactivity timeout (--ping-restart), restarting
05:33:03 example_n2n[2637]: /sbin/ip route del 192.168.178.0/24
05:33:03 example_n2n[2637]: ERROR: Linux route delete command failed: external program exited with error status: 2
05:33:03 example_n2n[2637]: Closing TUN/TAP interface
05:33:03 example_n2n[2637]: /sbin/ip addr del dev tun1 local 10.107.122.2 peer 10.107.122.1
05:33:03 example_n2n[2637]: Linux ip addr del failed: external program exited with error status: 2
05:33:03 example_n2n[2637]: SIGUSR1[soft,ping-restart] received, process restarting
05:33:03 example_n2n[2637]: Restart pause, 5 second(s)
05:33:08 example_n2n[2637]: WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
05:33:08 example_n2n[2637]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
05:33:08 example_n2n[2637]: ROUTE_GATEWAY 10.0.0.1/255.255.255.0 IFACE=red0 HWADDR=02:ac:96:22:8f:35
05:33:08 example_n2n[2637]: ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
05:33:08 example_n2n[2637]: Exiting due to fatal error

Do you see any pattern in the logs? E.g. time intervals, time of day on either side of the tunnel, etc.

edit:

TLS Error: cannot locate HMAC in incoming packet from [AF_INET]146.88.240.4:38068

Below is the answer I found:
https://forums.openvpn.net/viewtopic.php?f=4&p=96268
146.88.240.4
It looks like this address belongs to NETSCOUT|Arbor Networks Research Scanner

https://www.arbor-observatory.com/

I don’t see anything obvious at first. No regular failure after a reboot or anything like that.

Hi,

as rightly pointed out, such messages are caused if non-OpenVPN-clients (i.e. scanners) try to establish connections to OpenVPN. These log messages are nothing to worry about.

@frodo: What operating system is the peer in your net-to-net connection running? Is it IPFire as well?

These log messages indicate your problem. For whatever reason, conducting the routing table changes fails on the machine, so OpenVPN cannot reestablish the connection, and exits.

This should not happen if that’s an IPFire system (if it is, we are dealing with a rather serious bug :upside_down_face: ). If the system is running a different Linux operating system, please ensure OpenVPN can properly access all binaries it needs.

Thanks, and best regards,
Peter Müller
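As an added illustration that is not part of the thread and not IPFire's or OpenVPN's own code, the following Python script applies the conclusions reached above to the quoted log excerpt: it files the "cannot locate HMAC" line as scanner noise (recording the source address), treats a plain ping-restart as routine, and only raises a critical finding when the same OpenVPN process then fails the TUNSETIFF ioctl and exits. The sample log is constructed from the lines quoted in the thread; the rule names, the tag vocabulary and the per-PID correlation are my own choices, not anything the thread or the software defines.

```python
import re
from collections import Counter

# Constructed sample input: the lines quoted in the thread above, with the
# tab separators of the forum table collapsed to single spaces.
SAMPLE_LOG = """\
05:21:25 openvpnserver[2585]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]146.88.240.4:38068
05:33:03 example_n2n[2637]: [fw.serverside.lan] Inactivity timeout (--ping-restart), restarting
05:33:03 example_n2n[2637]: /sbin/ip route del 192.168.178.0/24
05:33:03 example_n2n[2637]: ERROR: Linux route delete command failed: external program exited with error status: 2
05:33:03 example_n2n[2637]: Closing TUN/TAP interface
05:33:03 example_n2n[2637]: /sbin/ip addr del dev tun1 local 10.107.122.2 peer 10.107.122.1
05:33:03 example_n2n[2637]: Linux ip addr del failed: external program exited with error status: 2
05:33:03 example_n2n[2637]: SIGUSR1[soft,ping-restart] received, process restarting
05:33:03 example_n2n[2637]: Restart pause, 5 second(s)
05:33:08 example_n2n[2637]: WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
05:33:08 example_n2n[2637]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
05:33:08 example_n2n[2637]: ROUTE_GATEWAY 10.0.0.1/255.255.255.0 IFACE=red0 HWADDR=02:ac:96:22:8f:35
05:33:08 example_n2n[2637]: ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
05:33:08 example_n2n[2637]: Exiting due to fatal error
"""

# "HH:MM:SS process[pid]: message", the shape of the quoted lines.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# Source of a rejected packet, as OpenVPN prints it: [AF_INET]a.b.c.d:port
PEER_RE = re.compile(r"\[AF_INET\](?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")

# Hypothetical rule table: (tag, substring that identifies the event, severity).
# Order matters: the first matching rule wins.
RULES = (
    ("scanner-noise", "cannot locate HMAC in incoming packet", "info"),
    ("ping-restart", "Inactivity timeout (--ping-restart)", "warning"),
    ("ip-command-failed", "external program exited with error status", "warning"),
    ("no-persist-tun", "without persist-tun", "warning"),
    ("tun-reopen-failed", "Cannot ioctl TUNSETIFF", "critical"),
    ("fatal-exit", "Exiting due to fatal error", "critical"),
)


def parse_line(line):
    """Split one log line into time, process, pid and message; None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def classify(msg):
    """Return (tag, severity) for a message that matches a rule, else None."""
    for tag, needle, severity in RULES:
        if needle in msg:
            return tag, severity
    return None


def triage(text):
    """Run every line through the rules and collect the matching findings."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec["msg"])
        if hit is None:
            continue
        tag, severity = hit
        finding = {"time": rec["time"], "proc": rec["proc"], "pid": rec["pid"],
                   "tag": tag, "severity": severity}
        if tag == "scanner-noise":
            peer = PEER_RE.search(rec["msg"])
            finding["peer"] = peer.group("ip") if peer else None
        findings.append(finding)
    return findings


def summarize(text):
    """Counts per tag, scanner sources, and whether a restart actually failed."""
    findings = triage(text)
    counts = Counter(f["tag"] for f in findings)
    # A ping-restart alone is routine. It becomes an incident when the same
    # process afterwards cannot reopen its tun device and exits for good.
    restart_failed = False
    for pid in {f["pid"] for f in findings}:
        tags = {f["tag"] for f in findings if f["pid"] == pid}
        if {"ping-restart", "tun-reopen-failed", "fatal-exit"} <= tags:
            restart_failed = True
    scanner_sources = Counter(
        f["peer"] for f in findings if f["tag"] == "scanner-noise" and f["peer"]
    )
    return {"counts": dict(counts), "restart_failed": restart_failed,
            "scanner_sources": dict(scanner_sources)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} {f['severity']:<8} {f['proc']}[{f['pid']}] {f['tag']}")
    print(summarize(SAMPLE_LOG))
```

Run against the real log instead of the embedded sample by reading the file into `summarize()`; a `restart_failed` of True for a tunnel process is the condition worth alerting on, whereas the `scanner-noise` count and its source addresses are only worth keeping as statistics.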