
OpenVPN Broke suddenly on v1-28-7502-8?

Discussion in 'Tomato Firmware' started by BikeHelmet, Oct 4, 2013.

  1. BikeHelmet

    BikeHelmet Networkin' Nut Member

    Hi All,

    I have an Asus RT-N16 running v1.28.7502 MIPSR2Toastman-RT K26 USB VLAN-VPN-NOCAT

    I just noticed that yesterday OpenVPN broke - it shut off, and now I can't start it from the web interface. I checked the logs, and found this:
    Code:
    Oct  3 11:19:30 Router daemon.notice openvpn[1816]: Closing TUN/TAP interface
    Oct  3 11:19:30 Router daemon.notice openvpn[1816]: SIGTERM[hard,] received, process exiting
    Oct  3 11:19:30 Router user.info kernel: br0: port 3(tap21) entering disabled state
    Oct  3 11:19:30 Router user.info kernel: br0: port 3(tap21) entering disabled state
    Oct  3 11:19:31 Router user.info kernel: tun: Universal TUN/TAP device driver, 1.6
    Oct  3 11:19:31 Router user.info kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
    Oct  3 11:19:31 Router user.info kernel: device tap21 entered promiscuous mode
    Oct  3 11:19:31 Router user.info kernel: br0: topology change detected, propagating
    Oct  3 11:19:31 Router user.info kernel: br0: port 3(tap21) entering forwarding state
    There's absolutely nothing OpenVPN related past this point, no matter what I do. Any ideas?

    Edit: Restored a config backup to get it up and running. Let's see if it lasts more than 2 days. I have both the broken and working config files, but they obviously contain passwords and stuff, so I will not be posting them. Still very interested in what the above means, especially if it happens again.

    Edit2: OpenVPN config. I don't see anything amiss?
    Code:
    cat /etc/openvpn/server1/config.ovpn
    # Automatically generated configuration
    daemon
    server-bridge
    proto tcp-server
    port 1194
    dev tap21
    cipher AES-128-CBC
    comp-lzo yes
    keepalive 15 60
    verb 3
    client-config-dir ccd
    client-to-client
    ccd-exclusive
    push "dhcp-option WINS 192.168.0.10"
    push "dhcp-option DNS 192.168.0.1"
    push "route-gateway 192.168.0.1"
    push "redirect-gateway def1"
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status
    
    # Custom Configuration
    
    
    -BikeHelmet
     
    Last edited: Oct 4, 2013
  2. koitsu

    koitsu Network Guru Member

    Try using verb 5 in your config file.

    The SIGTERM[hard] part indicates that most likely something on your system is literally killing the openvpn PID/process manually. If you were in the GUI messing around at the time (clicking Save, etc.) sometimes services/daemons get restarted, and this may be one of them. There can be some chronological tasks that happen depending on what features of TomatoUSB you're using (you would need to list off every single setting/thing you change from stock factory defaults).

    Increasing verbosity of openvpn may help you figure out what happens immediately prior, i.e. if this is truly the process being killed or if it's something like the remote VPN peer becoming unreachable (although I am under the impression that should be "soft" not "hard" -- I would need to look at the OpenVPN signal handler code, and I do not have time/interest to do this). If that turns out to be the case: remember, the Internet is never reliable/always broken in some way.

    And by the way, I can assure you that by not providing your configuration file with private data XXX'd out, the likelihood of people helping you is virtually nil. I recommend you ask for help on this on the OpenVPN forum if you want more thorough/detailed help. You will be expected to provide your config there.

    I cannot help past this point.
     
  3. BikeHelmet

    BikeHelmet Networkin' Nut Member

    Thanks, Koitsu - I'll try out verb 5 if it happens again!

    I'd just like to be clear - that error message only showed up once. After it there were no further openvpn entries in the log file. verb 5 might change that, so I'll try it if I need to.

    I'm just concerned about security. I might be willing to provide it to a reputable community member like yourself, Toastman, Shibby, etc. - but posting it online is just asking for headaches. Odds are I'll miss something important. :p

    -BikeHelmet
     
  4. koitsu

    koitsu Network Guru Member

    I recommend you see the OpenVPN support forums, which are filled with people wanting support, and key members saying "please provide your config file" (with relevant security bits removed/XXX'd out), where the users provide exactly that. Do not let your paranoia get in the way of getting support.
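
Added example, not part of the thread or any poster's code: one way to produce the "XXX'd out" config that posts 2 and 4 ask for. It goes beyond the server config shown above by also blanking inline key blocks and a client's `remote` host; the function names, placeholder strings and sample config are constructed for illustration.

```shell
# Added example: redact an OpenVPN config (stdin) for posting (stdout).
redact_ovpn() {
    awk '
    # Keep RFC 1918 addresses and netmasks; helpers need them and they
    # identify nothing routable.
    function keep(ip,   o) {
        split(ip, o, ".")
        return (o[1] == 10) || (o[1] == 192 && o[2] == 168) ||
               (o[1] == 172 && o[2] >= 16 && o[2] <= 31) || (o[1] == 255)
    }
    # Replace every other IPv4 literal on the line with a placeholder.
    function mask_ips(s,   out, ip) {
        out = ""
        while (match(s, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            ip = substr(s, RSTART, RLENGTH)
            out = out substr(s, 1, RSTART - 1) (keep(ip) ? ip : "XXX.XXX.XXX.XXX")
            s = substr(s, RSTART + RLENGTH)
        }
        return out s
    }
    # Inline <ca>/<cert>/<key>/... blocks: keep the tags, drop the body.
    /^[ \t]*<\/[a-z0-9-]+>/ { inblock = 0; print; next }
    inblock                 { next }
    /^[ \t]*<[a-z0-9-]+>/   { inblock = 1; print; print "[REDACTED]"; next }
    # remote <host> [port]: hide the host, keep the rest.
    $1 == "remote" && NF >= 2 { $2 = "REDACTED-HOST"; print; next }
    { print mask_ips($0) }
    '
}

# Constructed sample input (not the poster's real config).
sample_config() {
    cat <<'EOF'
dev tap21
remote vpn.home.example 1194
push "dhcp-option DNS 192.168.0.1"
local 203.0.113.7
<key>
-----BEGIN PRIVATE KEY-----
constructed-not-a-real-key
-----END PRIVATE KEY-----
</key>
verb 3
EOF
}

# Usage on the router: redact_ovpn < /etc/openvpn/server1/config.ovpn
```

The filter only knows the patterns listed in its comments, so read the output before posting; anything typed into the custom configuration section still needs a manual check.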
     
  5. BikeHelmet

    BikeHelmet Networkin' Nut Member

    Well, it happened again. I tracked down how to reliably cause it to happen.

    I have a bunch of OpenVPN clients:

    Code:
    client0
    client1
    client2
    client3
    client4
    client5
    client6
    client7
    client8
    client9
    If I add these and save:

    Code:
    client10
    client11
    client12
    client13
    client14
    client15
    client16
    client17
    client18
    client19
    Then...
    Code:
    Nov  7 19:29:56 Router daemon.notice openvpn[1025]: Closing TUN/TAP interface
    Nov  7 19:29:56 Router daemon.notice openvpn[1025]: SIGTERM[hard,] received, process exiting
    Nov  7 19:29:57 Router user.info kernel: br0: port 3(tap21) entering disabled state
    Nov  7 19:29:57 Router user.info kernel: br0: port 3(tap21) entering disabled state
    Nov  7 19:29:57 Router user.info kernel: tun: Universal TUN/TAP device driver, 1.6
    Nov  7 19:29:57 Router user.info kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
    Nov  7 19:29:57 Router user.info kernel: device tap21 entered promiscuous mode
    Nov  7 19:29:57 Router user.info kernel: br0: topology change detected, propagating
    Nov  7 19:29:57 Router user.info kernel: br0: port 3(tap21) entering forwarding state
    And there are no further OpenVPN log entries after that - ever.

    If I save the original smaller list of clients, it does NOT revert to working behaviour. (again, no log entries) I must restore a config backup to fix it.

    Next step of debugging and diagnosis - restoring to the original, then adding entries one by one. So far I've got client10 and client11 in there without issue. I just added client12 - so far so good. I'll keep adding them until it goes dark.

    Edit: client17 deals the deathblow.


    koitsu - I have a question - how do I edit the OpenVPN config file when connected in with Putty? Tomato doesn't appear to have Nano or any of the other text editors that I'm familiar with. I'd like to change verb to 5, but I'm scratching my head over how to do so.
     
    Last edited: Nov 8, 2013
  6. jerrm

    jerrm Network Guru Member

    vi. Google for a basic howto if you've never used it.
     
  7. BikeHelmet

    BikeHelmet Networkin' Nut Member

    Ahh, I tried nano and vim, but didn't think to try vi.

    Got it edited. Next time I have a chance, I'll bugger it up again and see if the log file is any different.

    Edit: Shutdown messages in the logfile are identical to an orderly shutdown. In short, they tell me nothing.
     
    Last edited: Nov 9, 2013
