Koozali.org: home of the SME Server

openvpn reconnect

jameswilson
openvpn reconnect
« on: November 04, 2020, 09:30:56 PM »
I have an SME server in a data centre running on Proxmox. To protect the machine I use OpenVPN site-to-site to link it to my office SME. The office SME is the server and the data centre is the client. However, if I have a brief internet outage I lose the VPN link. Is there a way to make it reconnect? I don't mind checking once per hour etc. but can't find any info on it. All I can find is that it should auto reconnect?

Thanks All

ReetP
Re: openvpn reconnect
« Reply #1 on: November 04, 2020, 10:38:51 PM »
Not had a look at the code/confs but it should auto reconnect.

Have you checked the logs?

https://wiki.contribs.org/OpenVPN_SiteToSite

Post your confs, less any private detail:

/etc/openvpn/s2s/
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

jameswilson
Re: openvpn reconnect
« Reply #2 on: November 05, 2020, 09:36:09 AM »
Ah, what an idiot, why didn't I check the logs!

Code:
Tue Nov  3 09:25:12 2020 Restart pause, 300 second(s)
Tue Nov  3 09:30:12 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Nov  3 09:30:12 2020 Re-using pre-shared static key
Tue Nov  3 09:30:32 2020 RESOLVE: Cannot resolve host address: sme-big.EDITED.com:1196 (Temporary failure in name resolution)
Tue Nov  3 09:30:32 2020 Preserving previous TUN/TAP instance: tunsme-sia
Tue Nov  3 09:30:52 2020 RESOLVE: Cannot resolve host address: sme-big.EDITED.com:1196 (Temporary failure in name resolution)
Tue Nov  3 09:30:52 2020 Could not determine IPv4/IPv6 protocol
Tue Nov  3 09:30:52 2020 SIGUSR1[soft,init_instance] received, process restarting
Tue Nov  3 09:30:52 2020 Restart pause, 300 second(s)
Tue Nov  3 09:35:52 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Nov  3 09:35:52 2020 Re-using pre-shared static key
Tue Nov  3 09:36:12 2020 RESOLVE: Cannot resolve host address: sme-big.EDITED.com:1196 (Temporary failure in name resolution)
Tue Nov  3 09:36:12 2020 Preserving previous TUN/TAP instance: tunsme-sia
Tue Nov  3 09:36:32 2020 RESOLVE: Cannot resolve host address: sme-big.EDITED.com:1196 (Temporary failure in name resolution)
Tue Nov  3 09:36:32 2020 Could not determine IPv4/IPv6 protocol
Tue Nov  3 09:36:32 2020 SIGUSR1[soft,init_instance] received, process restarting
Tue Nov  3 09:36:32 2020 Restart pause, 300 second(s)
Tue Nov  3 09:41:32 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Nov  3 09:41:32 2020 Re-using pre-shared static key
Tue Nov  3 09:41:52 2020 RESOLVE: Cannot resolve host address: sme-big.EDITED.com:1196 (Temporary failure in name resolution)
Tue Nov  3 09:41:52 2020 Preserving previous TUN/TAP instance: tunsme-sia
Tue Nov  3 09:42:12 2020 RESOLVE: Cannot resolve host address: sme-big.EDITED.com:1196 (Temporary failure in name resolution)
Tue Nov  3 09:42:12 2020 Could not determine IPv4/IPv6 protocol
Tue Nov  3 09:42:12 2020 SIGUSR1[soft,init_instance] received, process restarting
Tue Nov  3 09:42:12 2020 Restart pause, 300 second(s)
Tue Nov  3 09:47:12 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Nov  3 09:47:12 2020 Re-using pre-shared static key
Tue Nov  3 09:47:32 2020 RESOLVE: Cannot resolve host address: sme-big.EDITED.com:1196 (Temporary failure in name resolution)
Tue Nov  3 09:47:32 2020 Preserving previous TUN/TAP instance: tunsme-sia
Tue Nov  3 09:47:52 2020 RESOLVE: Cannot resolve host address: sme-big.EDITED.com:1196 (Temporary failure in name resolution)
Tue Nov  3 09:47:52 2020 Could not determine IPv4/IPv6 protocol
Tue Nov  3 09:47:52 2020 SIGUSR1[soft,init_instance] received, process restarting
Tue Nov  3 09:47:52 2020 Restart pause, 300 second(s)
Tue Nov  3 09:52:52 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Nov  3 09:52:52 2020 Re-using pre-shared static key
Tue Nov  3 09:53:12 2020 RESOLVE: Cannot resolve host address: sme-big.EDITED.com:1196 (Temporary failure in name resolution)
Tue Nov  3 09:53:12 2020 Preserving previous TUN/TAP instance: tunsme-sia
Tue Nov  3 09:53:32 2020 RESOLVE: Cannot resolve host address: sme-big.EDITED.com:1196 (Temporary failure in name resolution)
Tue Nov  3 09:53:32 2020 Could not determine IPv4/IPv6 protocol
Tue Nov  3 09:53:32 2020 SIGUSR1[soft,init_instance] received, process restarting
Tue Nov  3 09:53:32 2020 Restart pause, 300 second(s)
Tue Nov  3 09:58:32 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Nov  3 09:58:32 2020 Re-using pre-shared static key
Tue Nov  3 09:58:52 2020 RESOLVE: Cannot resolve host address: sme-big.EDITED.com:1196 (Temporary failure in name resolution)
Tue Nov  3 09:58:52 2020 Preserving previous TUN/TAP instance: tunsme-sia
Tue Nov  3 09:59:12 2020 RESOLVE: Cannot resolve host address: sme-big.EDITED.com:1196 (Temporary failure in name resolution)
Tue Nov  3 09:59:12 2020 Could not determine IPv4/IPv6 protocol
Tue Nov  3 09:59:12 2020 SIGUSR1[soft,init_instance] received, process restarting
Tue Nov  3 09:59:12 2020 Restart pause, 300 second(s)
Tue Nov  3 10:04:12 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Nov  3 10:04:12 2020 Re-using pre-shared static key
Tue Nov  3 10:04:32 2020 RESOLVE: Cannot resolve host address: sme-big.EDITED.com:1196 (Temporary failure in name resolution)
Tue Nov  3 10:04:32 2020 Preserving previous TUN/TAP instance: tunsme-sia
Tue Nov  3 10:04:52 2020 RESOLVE: Cannot resolve host address: sme-big.EDITED.com:1196 (Temporary failure in name resolution)
Tue Nov  3 10:04:52 2020 Could not determine IPv4/IPv6 protocol
Tue Nov  3 10:04:52 2020 SIGUSR1[soft,init_instance] received, process restarting
Tue Nov  3 10:04:52 2020 Restart pause, 300 second(s)
Tue Nov  3 10:08:58 2020 Closing TUN/TAP interface
Tue Nov  3 10:08:58 2020 /sbin/ip addr del dev tunsme-sia local 10.3.0.2 peer 10.3.0.1
Tue Nov  3 10:08:58 2020 Linux ip addr del failed: could not execute external program
Tue Nov  3 10:08:58 2020 SIGTERM[hard,init_instance] received, process exiting
Tue Nov  3 10:09:00 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Tue Nov  3 10:09:00 2020 WARNING: file 'priv/sme-sia_sharedkey.pem' is group or others accessible
Tue Nov  3 10:09:00 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020
Tue Nov  3 10:09:00 2020 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Tue Nov  3 10:09:00 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Nov  3 10:09:00 2020 Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov  3 10:09:00 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Nov  3 10:09:00 2020 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov  3 10:09:00 2020 Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov  3 10:09:00 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Nov  3 10:09:00 2020 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov  3 10:09:00 2020 ROUTE_GATEWAY 91.109.115.137/255.255.255.248 IFACE=eth0 HWADDR=e2:42:17:da:fb:60
Tue Nov  3 10:09:00 2020 TUN/TAP device tunsme-sia opened
Tue Nov  3 10:09:00 2020 TUN/TAP TX queue length set to 100
Tue Nov  3 10:09:00 2020 /sbin/ip link set dev tunsme-sia up mtu 1500
Tue Nov  3 10:09:00 2020 /sbin/ip addr add dev tunsme-sia local 10.3.0.2 peer 10.3.0.1
Tue Nov  3 10:09:00 2020 bin/up tunsme-sia 1500 1545 10.3.0.2 10.3.0.1 init
Tue Nov  3 10:09:00 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]81.143.33.105:1196
Tue Nov  3 10:09:00 2020 Socket Buffers: R=[124928->124928] S=[124928->124928]
Tue Nov  3 10:09:00 2020 UDP link local: (not bound)
Tue Nov  3 10:09:00 2020 UDP link remote: [AF_INET]81.143.33.105:1196
Tue Nov  3 10:09:00 2020 chroot to '/etc/openvpn/s2s' and cd to '/' succeeded
Tue Nov  3 10:09:00 2020 GID set to openvpn
Tue Nov  3 10:09:00 2020 UID set to openvpn
Tue Nov  3 10:09:00 2020 Peer Connection Initiated with [AF_INET]81.143.33.105:1196
Tue Nov  3 10:09:01 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Nov  3 10:09:01 2020 Initialization Sequence Completed
Tue Nov  3 10:09:03 2020 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
Tue Nov  3 10:12:05 2020 NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1540,1540] remote->local=[1540,1540]

Anyway, I'm assuming this is the issue:
Code:
Tue Nov  3 10:04:32 2020 RESOLVE: Cannot resolve host address: sme-big.EDITED.com:1196 (Temporary failure in name resolution)
However, the name is correct. The way I resolve it is to go to the server manager page and edit the connection etc. and then it connects. Rebooting also reconnects.

ReetP
Re: openvpn reconnect
« Reply #3 on: November 05, 2020, 12:26:04 PM »
Quote
Ah, what an idiot, why didn't I check the logs!

Ha. Ever it was thus ;-)

Quote
Anyway, I'm assuming this is the issue:
Code:
Tue Nov  3 10:04:32 2020 RESOLVE: Cannot resolve host address: sme-big.EDITED.com:1196 (Temporary failure in name resolution)

Most likely yes. You can see it waits for 300 seconds and tries again.

Code:
Restart pause, 300 second(s)

Quote
However, the name is correct. The way I resolve it is to go to the server manager page and edit the connection etc. and then it connects. Rebooting also reconnects.

So I guess that is what you did here?

Code:
Tue Nov  3 10:08:58 2020 Closing TUN/TAP interface
Tue Nov  3 10:08:58 2020 /sbin/ip addr del dev tunsme-sia local 10.3.0.2 peer 10.3.0.1
Tue Nov  3 10:08:58 2020 Linux ip addr del failed: could not execute external program


Hmmm. First thing is, when the tunnel has gone down, can you ping the remote host at a command prompt? Both as IP and FQDN?

What do the logs say at the point of failure, i.e. at the time the link goes down? And what does the remote end say?

Can you use an IP address instead of a FQDN in the settings?

A couple of things you should tidy up.

Code:
WARNING: file 'priv/sme-sia_sharedkey.pem' is group or others accessible
cd to priv and then:

Code:
chmod 0600 sme-sia_sharedkey.pem
And then this:

Code:
Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
You can change this to:

Cipher=AES-256-CBC

Do this both ends and update:

Code:
config setprop openvpn-s2s Cipher AES-256-CBC
signal-event openvpn-s2s-update
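The hourly check jameswilson asked about, as an added example that is not code from the thread or from the SME Server project: a cron watchdog that reads the OpenVPN client log, works out from the last events whether the tunnel is still down after a "Cannot resolve host address" failure like the one posted, and only then re-applies the s2s configuration with the signal-event shown above (the same thing editing the connection in server-manager does). The log path /var/log/openvpn-s2s/current, the host vpn.example.com in the constructed sample, and using that event as the reconnect action are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or SME Server): hourly cron watchdog for
# the OpenVPN site-to-site client. Reads the client log, decides whether the
# tunnel is still down after a name-resolution failure, and only then
# re-applies the s2s config. Log path and remediation command are assumptions.

# Number of "RESOLVE: Cannot resolve host address" events in the log (stdin).
count_resolve_failures() {
    grep -c 'RESOLVE: Cannot resolve host address' || true
}

# Seconds OpenVPN waits between attempts, from "Restart pause, N second(s)".
restart_pause_seconds() {
    sed -n 's/.*Restart pause, \([0-9]*\) second(s).*/\1/p' | tail -n 1
}

# "down" if the last resolve failure is newer than the last
# "Initialization Sequence Completed", "up" if the reverse, else "unknown".
tunnel_state() {
    awk '/RESOLVE: Cannot resolve host address/ { last = "down" }
         /Initialization Sequence Completed/     { last = "up" }
         END { if (last == "") last = "unknown"; print last }'
}

# True (exit 0) when the log text in $1 shows the tunnel is still down.
needs_restart() {
    [ "$(printf '%s\n' "$1" | tunnel_state)" = "down" ]
}

# Constructed sample in the format of the log posted in the thread.
SAMPLE_LOG='Tue Nov  3 09:30:32 2020 RESOLVE: Cannot resolve host address: vpn.example.com:1196 (Temporary failure in name resolution)
Tue Nov  3 09:30:52 2020 SIGUSR1[soft,init_instance] received, process restarting
Tue Nov  3 09:30:52 2020 Restart pause, 300 second(s)
Tue Nov  3 09:36:12 2020 RESOLVE: Cannot resolve host address: vpn.example.com:1196 (Temporary failure in name resolution)
Tue Nov  3 09:36:32 2020 Restart pause, 300 second(s)'

# Cron entry point. Reads the live log (assumed path) and re-applies the s2s
# config with the SME Server event from the thread when the tunnel is down.
watchdog() {
    log="${1:-/var/log/openvpn-s2s/current}"
    [ -r "$log" ] || { echo "log not readable: $log" >&2; return 2; }
    if needs_restart "$(cat "$log")"; then
        echo "tunnel still down after DNS failure, re-applying s2s config"
        signal-event openvpn-s2s-update
    fi
}

# Run only when invoked as a script with --run, so sourcing it is harmless.
if [ "${1:-}" = "--run" ]; then watchdog "${2:-}"; fi
```

Because OpenVPN itself retries every 300 seconds, the watchdog only adds value when the last event in the log is still a resolve failure; a successful "Initialization Sequence Completed" after it means the tunnel recovered on its own.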

ReetP
Re: openvpn reconnect
« Reply #4 on: November 05, 2020, 12:32:43 PM »
As a follow-up question, are either of the servers' WAN IPs DHCP?

(For settings reference:
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/ )

jameswilson
Re: openvpn reconnect
« Reply #5 on: November 12, 2020, 01:24:36 AM »
I've changed the setting to a static IP and that appears to work. However, why wouldn't the address work when it's pointing to the same static?

ReetP
Re: openvpn reconnect
« Reply #6 on: November 12, 2020, 01:31:25 AM »
Quote
I've changed the setting to a static IP and that appears to work. However, why wouldn't the address work when it's pointing to the same static?

Sounds like some form of DNS issue. No idea why.

Have a search for something like:

"Openvpn reconnect dns lookup failure"

Eg

https://community.openvpn.net/openvpn/ticket/292

Need to look at the scripts. But either way, an IP is probably more reliable.