Unable to start the OpenVPN server

No, they are not working with Lightning Wire Labs anymore --> https://www.lightningwirelabs.com/products/goodbye-fountain-networks . Also, I am not a member/employee of Lightning Wire Labs but a fan of IPFire (which might be a small but essential difference), so I would flip it back to you if you want to do so, since I do not have any business relations to the TX-Team, but I would give them some feedback if I bought some of their stuff which does not work :innocent: and would be tense about their answer.

Having said that, IPFire never delivered OpenVPN with such settings :wink:

Best,

Erik

Okok, I don't know the relations for real, just heard that somewhere, but a while ago.
Thanks for the direct news.
I will contact them, to ask about this issue. :slight_smile:

best regards
fstarter

You're welcome :blush: ,
if you like, you can deliver here the essence of the answer, since it seems that the TX-Team prefers its own settings for IPFire on the hardware they sell. If so, it can only be helpful for other potential and actual customers to know about that, with the clear goal to outline that the IPFire ISOs differ from the IPFire which comes from the TX-Team.

Best,

Erik

I'm not sure if tx-team configures ipfire in their own way. I just cannot explain why the server.conf was owned by root.

What about @jlgtx ?
He also had this file owned by root.

I installed IPFire from scratch on this hardware, and had never configured OpenVPN or its certificates until recently. So either something in the backend process “touched” /var/ipfire/ovpn/server.conf as root, or the file was in the original distro with incorrect permissions.

At least I haven't had that here; if this were the state in general, we should see a lot more of this kind of problem?

Best,

Erik

Fyi
I had the same issue (wrong o/g). This is a vendor-installed ipfire, quoting the vendor's (teklager.se) answer:
I used the ISO image with “Core Update 145” and then updated the router to the latest “Core Update 147”. No other configuration has been made…

which directory/file(s) ?

I have also downloaded Core 147 today and installed it in a VM to check the permissions in the /var/ipfire/ovpn/ directory again. Since you need to generate the PKI/DH parameters to get all files (a working OpenVPN instance), I did a test before and after generation with the same results, which are as follows:

(after generation)

Last login: Mon Aug  3 10:09:44 2020
[root@ipfire-vm ~]# ls -la /var/ipfire/ovpn/
total 44
drwxr-xr-x  9 nobody nobody 4096 Jul 14 17:37 .
drwxr-xr-x 48 root   root   4096 Aug  3 10:02 ..
drwxr-xr-x  2 nobody nobody 4096 Jul 14 17:02 ca
-rw-r--r--  1 nobody nobody    0 Jul 14 17:02 caconfig
drwxr-xr-x  2 nobody nobody 4096 Jul 14 17:02 ccd
-rw-r--r--  1 nobody nobody    0 Jul 14 15:22 ccd.conf
-rw-r--r--  1 nobody nobody    0 Jul 14 15:22 ccdroute
-rw-r--r--  1 nobody nobody    0 Jul 14 15:22 ccdroute2
drwx------  2 nobody nobody 4096 Jul 14 18:49 certs
-rw-r--r--  1 nobody nobody   84 Jul 14 17:37 collectd.v
drwxr-xr-x  2 nobody nobody 4096 Jul 14 17:02 crls
drwxr-xr-x  2 nobody nobody 4096 Jul 14 17:02 n2nconf
drwxr-xr-x  2 nobody nobody 4096 Jul 14 18:49 openssl
-rw-r--r--  1 nobody nobody    0 Jul 14 17:02 ovpnconfig
-rwx------  1 nobody nobody    0 Jul 14 17:02 ovpn-lease
drwxr-xr-x  2 nobody nobody 4096 Jul 14 17:02 scripts
-rw-r--r--  1 nobody nobody   86 Jul 14 17:02 settings

[root@ipfire-vm ~]# ls -la /var/ipfire/{ovpn/certs,ovpn/ca,ovpn/crls,ovpn/openssl}
/var/ipfire/ovpn/ca:
total 20
drwxr-xr-x 2 nobody nobody 4096 Aug  3 10:15 .
drwxr-xr-x 9 nobody nobody 4096 Aug  3 10:14 ..
-rw-r--r-- 1 nobody nobody 2403 Aug  3 10:15 cacert.pem
-rw------- 1 nobody nobody 3272 Aug  3 10:15 cakey.pem
-rw-r--r-- 1 nobody nobody  424 Aug  3 10:15 dh1024.pem

/var/ipfire/ovpn/certs:
total 36
drwx------ 2 nobody nobody 4096 Aug  3 10:15 .
drwxr-xr-x 9 nobody nobody 4096 Aug  3 10:14 ..
-rw-r--r-- 1 nobody nobody   96 Aug  3 10:15 index.txt
-rw-r--r-- 1 nobody nobody   21 Aug  3 10:15 index.txt.attr
-rw-r--r-- 1 nobody nobody    0 Jul 14 17:02 index.txt.attr.old
-rw-r--r-- 1 nobody nobody    0 Jul 14 17:02 index.txt.old
-rw-r--r-- 1 nobody nobody    3 Aug  3 10:15 serial
-rw-r--r-- 1 nobody nobody    2 Jul 14 17:02 serial.old
-rw-r--r-- 1 nobody nobody 2106 Aug  3 10:15 servercert.pem
-rw------- 1 nobody nobody 1704 Aug  3 10:15 serverkey.pem
-rw------- 1 nobody nobody  636 Aug  3 10:15 ta.key

/var/ipfire/ovpn/crls:
total 12
drwxr-xr-x 2 nobody nobody 4096 Aug  3 10:15 .
drwxr-xr-x 9 nobody nobody 4096 Aug  3 10:14 ..
-rw-r--r-- 1 nobody nobody 1044 Aug  3 10:15 cacrl.pem

/var/ipfire/ovpn/openssl:
total 12
drwxr-xr-x 2 nobody nobody 4096 Jul 14 18:49 .
drwxr-xr-x 9 nobody nobody 4096 Aug  3 10:14 ..
-rw-r--r-- 1 nobody nobody 2643 Jul 14 17:02 ovpn.cnf

So again I am stuck with your permission problems, since here everything is OK???

Best,

Erik

Hi,
Thank you for verifying Erik.

The server.conf file had root:root.

Edit: if I recall correctly I tried to start openvpn before generating DH params, then generated them.

Best Regards
Marc

@ummeegge wait… where is your server.conf?

The server.conf will only be created if you enable your interface, hit the save button and start the server, which I did now for you again with the following result:

OpenVPN after creating the PKI/DH parameters, but with default parameters:

OpenVPN after enabling the interface, hitting the save button and starting the server:

Here are the permissions of the /var/ipfire/ovpn directory:

[root@ipfire-VM ~]# ls -la /var/ipfire/ovpn/
total 48
drwxr-xr-x  9 nobody nobody 4096 Aug  3 11:55 .
drwxr-xr-x 48 root   root   4096 Aug  3 11:48 ..
drwxr-xr-x  2 nobody nobody 4096 Aug  3 11:51 ca
-rw-r--r--  1 nobody nobody    0 Jul 14 17:02 caconfig
drwxr-xr-x  2 nobody nobody 4096 Jul 14 17:02 ccd
-rw-r--r--  1 nobody nobody    0 Jul 14 15:22 ccd.conf
-rw-r--r--  1 nobody nobody    0 Jul 14 15:22 ccdroute
-rw-r--r--  1 nobody nobody    0 Jul 14 15:22 ccdroute2
drwx------  2 nobody nobody 4096 Aug  3 11:51 certs
-rw-r--r--  1 nobody nobody   84 Jul 14 17:37 collectd.vpn
drwxr-xr-x  2 nobody nobody 4096 Aug  3 11:51 crls
-rw-r--r--  1 nobody nobody    0 Aug  3 11:55 enable
drwxr-xr-x  2 nobody nobody 4096 Jul 14 17:02 n2nconf
drwxr-xr-x  2 nobody nobody 4096 Jul 14 18:49 openssl
-rw-r--r--  1 nobody nobody    0 Jul 14 17:02 ovpnconfig
-rwx------  1 nobody nobody    0 Aug  3 11:56 ovpn-leases.db
-rw-r--r--  1 nobody nobody    0 Aug  3 11:51 routes_push
drwxr-xr-x  2 nobody nobody 4096 Aug  3 11:51 scripts
-rw-r--r--  1 nobody nobody  915 Aug  3 11:55 server.conf
-rw-r--r--  1 nobody nobody  395 Aug  3 11:55 settings

or specifically server.conf:

-rw-r--r--  1 nobody nobody  915 Aug  3 11:55 server.conf

and here is the log of the first start of the OpenVPN server instance with default settings:

[root@ipfire-VM ~]# grep openvpn /var/log/messages 
Aug  3 11:56:49 ipfire-VM openvpnserver[4106]: OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 14 2020
Aug  3 11:56:49 ipfire-VM openvpnserver[4106]: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.09
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: WARNING: --keepalive option is missing from server config
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: Diffie-Hellman initialized with 2048 bit key
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: CRL: loaded 1 CRLs from file /var/ipfire/ovpn/crls/cacrl.pem
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: ROUTE_GATEWAY 192.168.200.1/255.255.255.0 IFACE=red0 HWADDR=08:00:27:b6:87:3b
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: TUN/TAP device tun0 opened
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: TUN/TAP TX queue length set to 100
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: /sbin/ip link set dev tun0 up mtu 1400
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: /sbin/ip addr add dev tun0 local 10.11.239.1 peer 10.11.239.2
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: /sbin/ip route add 10.11.239.0/24 via 10.11.239.2
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: UDPv4 link local (bound): [AF_INET][undef]:1194
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: UDPv4 link remote: [AF_UNSPEC]
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: GID set to nobody
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: UID set to nobody
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: MULTI: multi_init called, r=256 v=256
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: IFCONFIG POOL: base=10.11.239.4 size=62, ipv6=0
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: IFCONFIG POOL LIST
Aug  3 11:56:49 ipfire-VM openvpnserver[4107]: Initialization Sequence Completed

So again, here everything works as expected…

Best,

Erik

So the server

thanks!
strange thing…

Hey Guys,

just my two cents on this topic. I had the exact same issue on my new IPFire yesterday. I installed IPFire from scratch some months ago and prepared the config for my project. Yesterday I installed the recent updates and wanted to start configuring the openvpn server, which ended in the same error. I upgraded from Core 145 to 147. My other appliances are not affected. Would it be possible that this is caused by an update and only affects installations where openvpn wasn't configured or running?

Greetings

Steffen

Hi all,
there was a modification in server.conf with Core update 145 --> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/rootfiles/core/145/update.sh;h=4b59a03dc7f684bc97d9a82b21a4a52aed1b4de8;hb=refs/heads/core145#l84 by update.sh. If I execute those commands via terminal/root, the permissions won't be touched. Also, we have had such modifications more often in the past without such problems…

Nevertheless, I can also give it a try there when I am back in my testing laboratory :cold_face: .

Best and thanks for another feedback,

Erik
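As an added example (not from anyone in this thread, and not IPFire code): a small POSIX shell check that parses `ls -la` output of /var/ipfire/ovpn/ and reports every entry not owned by nobody:nobody, the ownership the working listings above show and the UID/GID the OpenVPN server drops to. The sample listing is constructed, with server.conf set to root:root as the affected users reported.

```shell
#!/bin/sh
# Added example: flag entries under /var/ipfire/ovpn whose owner or group
# is not "nobody". The OpenVPN log above shows the daemon dropping to
# UID/GID nobody, so a root:root server.conf is the thing to look for.

# Read "ls -la" output on stdin; print "owner:group name" for entries whose
# owner:group is not nobody:nobody. Fields: perms links owner group size
# month day time name (NF >= 9 skips the "total" line). "." and ".." are
# skipped because ".." is the parent (/var/ipfire) and legitimately root.
find_bad_owners() {
    awk 'NF >= 9 && $NF != "." && $NF != ".." {
            if ($3 != "nobody" || $4 != "nobody") print $3 ":" $4 " " $NF
         }'
}

# Constructed sample, modelled on the thread's listing but with server.conf
# owned by root:root (the reported failure state).
SAMPLE_LISTING='total 48
drwxr-xr-x  9 nobody nobody 4096 Aug  3 11:55 .
drwxr-xr-x 48 root   root   4096 Aug  3 11:48 ..
drwxr-xr-x  2 nobody nobody 4096 Aug  3 11:51 ca
drwx------  2 nobody nobody 4096 Aug  3 11:51 certs
-rw-r--r--  1 root   root    915 Aug  3 11:55 server.conf
-rw-r--r--  1 nobody nobody  395 Aug  3 11:55 settings'

# Run the check over the constructed sample. On a real IPFire box use:
#   ls -la /var/ipfire/ovpn/ | find_bad_owners
# and restore any flagged entry with chown nobody:nobody <file>.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | find_bad_owners
}

check_sample
```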