OpenVPN server inop after router reboot

I had a perfectly working OpenVPN server setup on my Netgear WNDR3700v4 running 18.06.2 until a couple days ago. I ran an opkg update and started noticing an issue where, after a router reboot, the OpenVPN server starts, I can connect and authenticate from outside of the network, but no forwarding to the WAN or LAN works.

If I go into the LUCI OpenVPN application, stop and start the OpenVPN server, then reconnect, everything works fine.

Looking through the logs, I see nothing different between the two sessions logged by OpenVPN.

opkg reports the following versions:

  • luci-app-openvpn - git-19.156.63894-115c4e3-1
  • openvpn-openssl - 2.4.5-4.2

reboot
logread -e openvpn
netstat -l -n -p | grep -e openvpn
ip a; ip r; ip ru
uci show network; uci show firewall

Did you run opkg update or opkg upgrade?

Yeah, sorry, "opkg update" followed by "opkg upgrade". I get it, though, upgrading is a bad idea. Never screw with something that works unless there's a reason.

Looks like the issue is probably here:

< udp        0      0 :::32500                :::*                                1097/openvpn
---
> udp        0      0 0.0.0.0:32500           0.0.0.0:*                           5665/openvpn

That diff is of the "netstat -l -n -p" output after a reboot and then after restarting the OpenVPN service. Not sure why it would be coming up on an IPv6 interface initially. I don't see any settings that control that.

Additionally... The diff between the "ip" outputs is:

8,13c8,9
<     link/ether b6:01:a3:40:24:4e brd ff:ff:ff:ff:ff:ff
<     inet6 fe80::b401:a3ff:fe40:244e/64 scope link 
<        valid_lft forever preferred_lft forever
< 5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
<     link/[65534] 
<     inet6 fe80::697d:cb00:e59:6490/64 scope link 
---
>     link/ether c6:85:ec:02:c2:b0 brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::c485:ecff:fe02:c2b0/64 scope link 
22c18
<     link/ether b6:01:a3:40:24:4e brd ff:ff:ff:ff:ff:ff
---
>     link/ether c6:85:ec:02:c2:b0 brd ff:ff:ff:ff:ff:ff
24c20
<     link/ether b6:01:a3:40:24:4e brd ff:ff:ff:ff:ff:ff
---
>     link/ether c6:85:ec:02:c2:b0 brd ff:ff:ff:ff:ff:ff
27c23
<     inet6 fe80::b401:a3ff:fe40:244e/64 scope link 
---
>     inet6 fe80::c485:ecff:fe02:c2b0/64 scope link 
44a41,46
> 13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
>     link/[65534] 
>     inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
>        valid_lft forever preferred_lft forever
>     inet6 fe80::a406:443e:e8fd:bbbd/64 scope link 
>        valid_lft forever preferred_lft forever
45a48,49
> 10.8.0.0/24 via 10.8.0.2 dev tun0 
> 10.8.0.2 dev tun0 scope link  src 10.8.0.1 

So, it really does seem that OpenVPN is booting up with IPv6 for whatever reason.

No difference between the "uci" outputs.

Increase the verbosity and check the log, particularly around these lines:

UDPv4 link local (bound): [AF_INET][undef]:1194
UDPv4 link remote: [AF_UNSPEC]

:confused:

Verbosity set to 11. After boot:

Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: library versions: OpenSSL 1.0.2s  28 May 2019, LZO 2.10
Fri Jun  7 08:43:21 2019 daemon.warn openvpn(SlakNet)[1097]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: Diffie-Hellman initialized with 4096 bit key
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 28 bytes
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: TLS-Auth MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: TUN/TAP device tun0 opened
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: TUN/TAP TX queue length set to 100
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Fri Jun  7 08:43:21 2019 daemon.warn openvpn(SlakNet)[1097]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: UDPv4 link local (bound): [AF_INET][undef]:32500
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: UDPv4 link remote: [AF_UNSPEC]
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: UID set to nobody
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: MULTI: multi_init called, r=256 v=256
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: IFCONFIG POOL LIST
Fri Jun  7 08:43:21 2019 daemon.notice openvpn(SlakNet)[1097]: Initialization Sequence Completed
Fri Jun  7 08:44:12 2019 daemon.notice openvpn(SlakNet)[1097]:  event_wait returned 0
Fri Jun  7 08:44:22 2019 daemon.notice openvpn(SlakNet)[1097]:  event_wait returned 0

After restarting OpenVPN:

Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: library versions: OpenSSL 1.0.2s  28 May 2019, LZO 2.10
Fri Jun  7 08:46:23 2019 daemon.warn openvpn(SlakNet)[4909]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: Diffie-Hellman initialized with 4096 bit key
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 28 bytes
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: TLS-Auth MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: TUN/TAP device tun0 opened
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: TUN/TAP TX queue length set to 100
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Fri Jun  7 08:46:23 2019 daemon.warn openvpn(SlakNet)[4909]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: UDPv4 link local (bound): [AF_INET][undef]:32500
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: UDPv4 link remote: [AF_UNSPEC]
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: UID set to nobody
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: MULTI: multi_init called, r=256 v=256
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: IFCONFIG POOL LIST
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]: Initialization Sequence Completed
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]:  event_wait returned 1
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]:  read from TUN/TAP returned 76
Fri Jun  7 08:46:23 2019 daemon.notice openvpn(SlakNet)[4909]:  event_wait returned 1

Everything seems the same except, I guess, it is able to read from tun0 after the restart.

Set protocol to UDPv4 explicitly:

proto udp4

And verify:

netstat -l -n -p | grep -e openvpn

Yeah, I was looking through the OpenVPN settings earlier actually and gave that a shot. Still boots up IPv6 only oddly.

5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534] 
    inet6 fe80::24cf:c459:3e3a:eb7a/64 scope link 
       valid_lft forever preferred_lft forever

I'm dumb enough to screw around with upgrading packages, but not dumb enough to do it without very carefully backing up the settings. I blew out the firmware, reloaded it, reloaded the apps, reloaded the settings, and the issue persists.

Remove VPN interface declaration.

Cheers, man. That did it. Didn't see that article when I was searching.
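
A post-boot check for the symptom visible in the diffs earlier in the thread (tun0 up with only a link-local IPv6 address, no 10.8.0.1 and no 10.8.0.0/24 route). This is an added example, not part of the original thread; the function names are hypothetical and the sample outputs are constructed from the lines posted above.

```shell
#!/bin/sh
# Added example: flag the post-reboot state from this thread, where tun0 is UP
# but has no IPv4 address and the VPN subnet route is missing.
# Function names are hypothetical; tun0 and 10.8.0.0/24 come from the thread.

# has_ipv4 IFNAME: reads `ip a` output on stdin; true if IFNAME has an inet line.
has_ipv4() {
    awk -v ifn="$1" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur); sub(/@.*/, "", cur) }
        cur == ifn && $1 == "inet" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# has_route PREFIX DEV: reads `ip r` output on stdin; true if PREFIX goes via DEV.
has_route() {
    awk -v p="$1" -v d="$2" '
        $1 == p { for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == d) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# tunnel_state IFNAME PREFIX ADDR_OUTPUT ROUTE_OUTPUT: prints "ok" or the reason.
tunnel_state() {
    if ! printf '%s\n' "$3" | has_ipv4 "$1"; then
        echo "broken: $1 has no IPv4 address"
    elif ! printf '%s\n' "$4" | has_route "$2" "$1"; then
        echo "broken: no route to $2 via $1"
    else
        echo "ok"
    fi
}

# Constructed samples, assembled from the `ip a` / `ip r` diff lines above.
ADDR_AFTER_BOOT='5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534]
    inet6 fe80::697d:cb00:e59:6490/64 scope link
       valid_lft forever preferred_lft forever'
ADDR_AFTER_RESTART='13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534]
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever'
ROUTE_AFTER_RESTART='10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 scope link  src 10.8.0.1'

tunnel_state tun0 10.8.0.0/24 "$ADDR_AFTER_BOOT" ""
tunnel_state tun0 10.8.0.0/24 "$ADDR_AFTER_RESTART" "$ROUTE_AFTER_RESTART"
# On the router itself: tunnel_state tun0 10.8.0.0/24 "$(ip a)" "$(ip r)"
```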
