
#1 2017-04-11 02:41:36

thoss
Member
Registered: 2015-02-16
Posts: 33

[SOLVED] OpenVPN -- tun device doesn't come up

     % sudo openvpn --config /etc/openvpn/client/client.conf     

     % ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
        link/ether f0:de:f1:c8:08:97 brd ff:ff:ff:ff:ff:ff
    3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 80:19:34:e8:25:42 brd ff:ff:ff:ff:ff:ff
        inet 192.168.26.99/24 brd 192.168.26.255 scope global wlp3s0
           valid_lft forever preferred_lft forever
        inet6 fe80::8219:34ff:fee8:2542/64 scope link
           valid_lft forever preferred_lft forever
    8: tun0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
        link/none

My config is slightly old, but it had been working before this came up at some point over the past several months.

Openvpn brings up the tun0 interface but doesn't set it up.

Last edited by thoss (2017-06-05 19:53:55)

Offline

#2 2017-04-11 02:49:06

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: [SOLVED] OpenVPN -- tun device doesn't come up

Start it in verbose mode to generate some error messages.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#3 2017-04-11 02:59:43

thoss
Member
Registered: 2015-02-16
Posts: 33

Re: [SOLVED] OpenVPN -- tun device doesn't come up

--verb 9 at https://pastebin.com/fZzCkKDB

... and the following is default --verb 3 in case you don't want to wade through that.

Mon Apr 10 23:04:55 2017 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Mon Apr 10 23:04:55 2017 OpenVPN 2.4.1 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2017
Mon Apr 10 23:04:55 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.10
Mon Apr 10 23:04:55 2017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Apr 10 23:04:55 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Apr 10 23:04:55 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Apr 10 23:04:55 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Apr 10 23:04:55 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Apr 10 23:04:55 2017 TUN/TAP device tun0 opened
Mon Apr 10 23:04:55 2017 TUN/TAP TX queue length set to 100
Mon Apr 10 23:04:55 2017 /etc/openvpn/client.up tun0 1500 1601   init
Mon Apr 10 23:04:55 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Mon Apr 10 23:04:55 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Apr 10 23:04:55 2017 UDP link local: (not bound)
Mon Apr 10 23:04:55 2017 UDP link remote: [AF_INET]x.x.x.x:1194
Mon Apr 10 23:04:55 2017 GID set to nobody
Mon Apr 10 23:04:55 2017 UID set to nobody
Mon Apr 10 23:04:55 2017 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=53fb0e36 e76ef12c
Mon Apr 10 23:04:55 2017 VERIFY OK: depth=1, C=AU, ST=ST, L=location, O=thoss, OU=boo, CN=bar.foo.com, name=EasyRSA, emailAddress=t@t.t
Mon Apr 10 23:04:55 2017 VERIFY KU OK
Mon Apr 10 23:04:55 2017 Validating certificate extended key usage
Mon Apr 10 23:04:55 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Apr 10 23:04:55 2017 VERIFY EKU OK
Mon Apr 10 23:04:55 2017 VERIFY OK: depth=0, C=AU, ST=ST, L=location, O=thoss, OU=boo, CN=bar.foo.com, name=EasyRSA, emailAddress=t@t.t
Mon Apr 10 23:04:55 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 10 23:04:55 2017 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Apr 10 23:04:55 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 10 23:04:55 2017 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Apr 10 23:04:55 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Apr 10 23:04:55 2017 [boo.baz.com] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Mon Apr 10 23:04:56 2017 Initialization Sequence Completed
Mon Apr 10 23:05:08 2017 event_wait : Interrupted system call (code=4)
Mon Apr 10 23:05:08 2017 Closing TUN/TAP interface
Mon Apr 10 23:05:08 2017 /etc/openvpn/client.down tun0 1500 1601   init
Mon Apr 10 23:05:08 2017 SIGINT[hard,] received, process exiting

Last edited by thoss (2017-04-11 03:08:48)

Offline

#4 2017-05-30 05:09:29

thoss
Member
Registered: 2015-02-16
Posts: 33

Re: [SOLVED] OpenVPN -- tun device doesn't come up

Alright, I got my openvpn setup working now, kind of.

I have to manually set the tun device up and add routes using ip link set up and ip route add... etc. I can't figure out how to force my computer to use the tun adapter as the new default though, so it doesn't provide the security I would like on public networks.

    sudo dhclient -d tun0
    Internet Systems Consortium DHCP Client 4.3.5
    Copyright 2004-2016 Internet Systems Consortium.
    All rights reserved.
    For info, please visit https://www.isc.org/software/dhcp/

    Unsupported device type 65534 for "tun0"

    If you think you have received this message due to a bug rather
    than a configuration issue please read the section on submitting
    bugs on either our web page at www.isc.org or in the README file
    before submitting a bug.  These pages explain the proper
    process and the information we find helpful for debugging..
    exiting.

Googling around has led me to believe that this may be due to the tun adapter having a 00:00:00:00:00 hardware address.

Last edited by thoss (2017-05-30 05:13:22)

Offline

#5 2017-05-31 14:40:39

EndUserOnly
Member
Registered: 2017-05-31
Posts: 74

Re: [SOLVED] OpenVPN -- tun device doesn't come up

Do you have the executable "update-resolv-conf" inside your /etc/openvpn/ folder?

Offline

#6 2017-05-31 15:33:52

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] OpenVPN -- tun device doesn't come up

thoss wrote:

I have to manually set the tun device up
...
Googling around has led me to believe that this may be due to the tun adapter having a 00:00:00:00:00 hardware address.

OpenVPN will normally set up the tun device (having *no* MAC address). What weirdness have you not yet mentioned? What commands are you running, to "manually" set up the tun device?

Offline

#7 2017-06-04 20:59:23

thoss
Member
Registered: 2015-02-16
Posts: 33

Re: [SOLVED] OpenVPN -- tun device doesn't come up

brebs wrote:

OpenVPN will normally set up the tun device (having *no* MAC address). What weirdness have you not yet mentioned? What commands are you running, to "manually" set up the tun device?

    ip route save > /etc/openvpn/routes
    ip addr add dev tun0 x.x.0.2/24 broadcast x.x.0.255;
    ip link set dev tun0 up;

    #ip route del default
    ip route add default via x.x.0.1 dev tun0
    ip route add x.x.0.0/24 via x.x.0.1
    ip route add x.y.0.0/24 via x.x.0.1

I eventually determined that adding these commands to my client.up script allows access to my vpn, although the default route does not update properly. As you can see in the original post, the tun0 device is created by openvpn but is down and can't get an ip address.

EndUserOnly wrote:

Do you have the executable "update-resolv-conf" inside your /etc/openvpn/ folder?

No, I use the client.up script and client.down script from /usr/share/openvpn/contrib/pull-resolv-conf/, unmodified except as above.

Last edited by thoss (2017-06-04 21:01:30)

Offline

#8 2017-06-04 22:53:03

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] OpenVPN -- tun device doesn't come up

You probably want an "ip tunnel ..." command, rather than "ip addr ..."

And then "add default" should be "replace default".

However, I reckon you should fix your openvpn config so that openvpn stays running and sets up the tunnel, rather than attempting to set up the tunnel yourself.

Why isn't your openvpn setting up the tunnel? Or, does your openvpn quit running after a short time?

Offline

#9 2017-06-04 23:48:05

thoss
Member
Registered: 2015-02-16
Posts: 33

Re: [SOLVED] OpenVPN -- tun device doesn't come up

I don't think I want ip tunnel, that creates a tunnel. openvpn creates the tun device just fine, it's that it doesn't set it 'up' and consequently fails to get an ip address. I can do that with ip link, addr, and route.

It's perfectly feasible to continue with the manual workaround if I can figure out how to set up my routing table so that it prefers the tun interface for all but local traffic.

Obviously I'd like to fix openvpn though. Perhaps I'll head over to their site for more assistance.

Offline

#10 2017-06-05 00:07:28

aiBo
Member
Registered: 2010-11-10
Posts: 50

Re: [SOLVED] OpenVPN -- tun device doesn't come up

It seems the server is not pushing any network configuration details as it should. These would show in the log. Because none are passed, nothing is configured on the tun device. Check your openvpn server's config and its logs in order to find the reason why no tun config is passed.

Offline

#11 2017-06-05 00:27:02

thoss
Member
Registered: 2015-02-16
Posts: 33

Re: [SOLVED] OpenVPN -- tun device doesn't come up

I'm not so sure, my other device seems to get the routes pushed. It seems to be a client-side problem.

Offline

#12 2017-06-05 08:53:30

aiBo
Member
Registered: 2010-11-10
Posts: 50

Re: [SOLVED] OpenVPN -- tun device doesn't come up

The server can also act differently for the clients if client-specific configurations are used via client-config-dir.

Compare the client logs and you should see a PUSH_REQUEST line and an answer with the tun configuration details in the working client, which is missing in the log you posted. Also, could you post your client config?

Offline

#13 2017-06-05 19:53:10

thoss
Member
Registered: 2015-02-16
Posts: 33

Re: [SOLVED] OpenVPN -- tun device doesn't come up

Ugh. Brilliant (not really). I've discovered the issue--

At some point I must have changed my client directive from client to tls-client. RTFM says:

--client
          A helper directive designed to simplify the configuration of OpenVPN's client mode.  This directive is equivalent to:

           pull
           tls-client

So changing tls-client without adding pull is equivalent to deleting the pull statement.

Thanks for your help!

Offline
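The diagnosis in posts #12 and #13, as an added example that is not part of the original thread: a small shell check for a client config that has `tls-client` but neither `client` nor `pull` (so a pushed address and routes, including any default route through the tunnel, are never applied), plus a log check for the PUSH_REQUEST line. Function names, file names and `vpn.example.net` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the poster's files: detect "tls-client without pull".

# has_directive FILE NAME: exit 0 if NAME is an active directive in FILE.
# Lines starting with '#' or ';' are comments; a leading "--" is tolerated.
has_directive() {
    awk -v d="$2" '
        /^[[:space:]]*[#;]/ { next }
        { k = $1; sub(/^--/, "", k); if (k == d) found = 1 }
        END { exit !found }' "$1"
}

# lint_client_conf FILE: returns 0 = will pull, 1 = tls-client without pull,
# 2 = neither client nor tls-client present.
lint_client_conf() {
    if has_directive "$1" client; then
        echo "ok: 'client' expands to pull + tls-client"; return 0
    fi
    if has_directive "$1" tls-client; then
        if has_directive "$1" pull; then
            echo "ok: tls-client with explicit pull"; return 0
        fi
        echo "warn: tls-client without pull; pushed address and routes are ignored"
        return 1
    fi
    echo "info: neither client nor tls-client present"; return 2
}

# log_has_push_request FILE: exit 0 if the client log shows it asked the
# server for its configuration (the line a working client's log contains).
log_has_push_request() { grep -q 'PUSH_REQUEST' "$1"; }

# Constructed sample configs (hypothetical host name), written to a temp dir.
demo_dir=$(mktemp -d)
printf 'tls-client\ndev tun\nremote vpn.example.net 1194\n' > "$demo_dir/broken.conf"
printf 'client\ndev tun\nremote vpn.example.net 1194\n' > "$demo_dir/fixed.conf"
for f in "$demo_dir/broken.conf" "$demo_dir/fixed.conf"; do
    printf '%s: ' "${f##*/}"
    lint_client_conf "$f" || true
done
rm -rf "$demo_dir"
```

A nonzero result from `lint_client_conf` on a client that is expected to send all traffic through the VPN means the tunnel can report "Initialization Sequence Completed" while traffic still leaves over the local network.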

#14 2017-08-05 12:34:47

hgratp
Member
Registered: 2017-08-05
Posts: 1

Re: [SOLVED] OpenVPN -- tun device doesn't come up

I am having a similar problem but using OpenWRT.  Just want to comment because it seems to be a similar or same issue, my tun0 device does not come up.  What I have found and been able to confirm from comments is that the tun0 device fails to obtain an IP from openvpn after the boot process but if openvpn is restarted from a prompt after the network is up the IP for the tun0 device gets assigned correctly.  The 'network' service seems to be clearing the tunnel interface, I confirmed this by checking that the tun0 interface was properly set and then restarted the 'network' service.  The result was as expected, the IP for tun0 device was cleared (not set).

My network config setting:

    config interface vpn0
      option ifname  tun0
      option proto none

Proto 'none' might be the culprit here.  To attempt to solve the issue I have added a delay in the init script for openvpn and moved the start level to the end of the boot process.  This approach did not solve the issue for me, it seems as if the 'network' service did not complete until the openvpn service was up.  Maybe the 'network' service is expecting a config for the tun0 device and does not close it until completed.  When I removed the openvpn service from boot the network came up but the tun0 device did not show up in the ifconfig list.

Openvpn is able to create the tunnel even if the tun0 configuration is removed or commented from the network configuration.  The downside is that I have created a set of rules, per OpenWRT instructions, to create a zone for the vpn interface tun0.  The firewall rules I have are zone based, the settings and status are available in the luci configuration page.  When I remove the tun0 from the network config the vpn zone does not get assigned correctly, my forwarding and firewall rules fail to work as intended.

So my only guess to solve my problem is to create a quick user script that restarts openvpn after boot to reassign the IP to the tun interface.

Offline
