+1 vote
820 views 4 comments
by anonymous

Hi,

we have a RUT240 configured as OpenVPN Client with this configuration:

client
dev tun
proto udp
remote X.X.X.X 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
;comp-lzo
verb 4
;key-direction 1
;auth-user-pass /root/openvpn-auth.txt
reneg-sec 0
compress lz4
<ca>
-----BEGIN CERTIFICATE-----
MIIB/DCCAYKgAwIBAgIULU6yknmZ43qmvubiwFGVMGEi1AowCgYIKoZIzj0EAwQw
...
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
...
-----BEGIN CERTIFICATE-----
MIICCTCCAY+gAwIBAgIRAI6EMCx7pFVywKPmppTE8EswCgYIKoZIzj0EAwQwFjEU
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDASeAyjGG09Mh0L1g/k
...
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
4f6765ffc784855835a259c84e55204d
...
-----END OpenVPN Static key V1-----
</tls-crypt>
# Login credentials
auth-user-pass /etc/openvpn/auth_client_vpntest
# Authentication
auth-nocache
script-security 2
down /etc/openvpn/updown_dns
up /etc/openvpn/updown_dns

Everything works fine and the RUT240 is able to connect to the server.

However, if the server answers with auth-failed, the RUT240 stops trying to connect via OpenVPN after some attempts. This is an issue because it will not be able to automatically recover the OpenVPN connection once the authentication issue on the server side is solved.

In the logs I see the following messages:

Fri Jul  2 07:03:09 2021 daemon.notice openvpn(client_vpntest)[11829]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Jul  2 07:03:09 2021 daemon.notice openvpn(client_vpntest)[11829]: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
Fri Jul  2 07:03:09 2021 daemon.warn openvpn(client_vpntest)[11829]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Jul  2 07:03:09 2021 daemon.notice openvpn(client_vpntest)[11829]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Jul  2 07:03:09 2021 daemon.notice openvpn(client_vpntest)[11829]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Jul  2 07:03:09 2021 daemon.notice openvpn(client_vpntest)[11829]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Jul  2 07:03:09 2021 daemon.notice openvpn(client_vpntest)[11829]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Jul  2 07:03:09 2021 daemon.notice openvpn(client_vpntest)[11829]: LZ4 compression initializing
Fri Jul  2 07:03:09 2021 daemon.notice openvpn(client_vpntest)[11829]: Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Fri Jul  2 07:03:09 2021 daemon.notice openvpn(client_vpntest)[11829]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Fri Jul  2 07:03:09 2021 daemon.notice openvpn(client_vpntest)[11829]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Fri Jul  2 07:03:09 2021 daemon.notice openvpn(client_vpntest)[11829]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Fri Jul  2 07:03:09 2021 daemon.notice openvpn(client_vpntest)[11829]: TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194
Fri Jul  2 07:03:09 2021 daemon.notice openvpn(client_vpntest)[11829]: Socket Buffers: R=[8388608->8388608] S=[8388608->8388608]
Fri Jul  2 07:03:09 2021 daemon.notice openvpn(client_vpntest)[11829]: UDP link local: (not bound)
Fri Jul  2 07:03:09 2021 daemon.notice openvpn(client_vpntest)[11829]: UDP link remote: [AF_INET]X.X.X.X:1194
Fri Jul  2 07:03:09 2021 daemon.notice openvpn(client_vpntest)[11829]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Fri Jul  2 07:03:10 2021 daemon.notice openvpn(client_vpntest)[11829]: TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=319e913f 29ecf395
Fri Jul  2 07:03:10 2021 daemon.notice openvpn(client_vpntest)[11829]: VERIFY OK: depth=1, CN=Easy-RSA CA
Fri Jul  2 07:03:10 2021 daemon.notice openvpn(client_vpntest)[11829]: VERIFY KU OK
Fri Jul  2 07:03:10 2021 daemon.notice openvpn(client_vpntest)[11829]: Validating certificate extended key usage
Fri Jul  2 07:03:10 2021 daemon.notice openvpn(client_vpntest)[11829]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Jul  2 07:03:10 2021 daemon.notice openvpn(client_vpntest)[11829]: VERIFY EKU OK
Fri Jul  2 07:03:10 2021 daemon.notice openvpn(client_vpntest)[11829]: VERIFY OK: depth=0, CN=server
Fri Jul  2 07:03:12 2021 daemon.notice openvpn(client_vpntest)[11829]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
Fri Jul  2 07:03:12 2021 daemon.notice openvpn(client_vpntest)[11829]: [server] Peer Connection Initiated with [AF_INET]X.X.X.X:1194
Fri Jul  2 07:03:13 2021 daemon.notice openvpn(client_vpntest)[11829]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Jul  2 07:03:13 2021 daemon.notice openvpn(client_vpntest)[11829]: AUTH: Received control message: AUTH_FAILED
Fri Jul  2 07:03:13 2021 daemon.notice openvpn(client_vpntest)[11829]: TCP/UDP: Closing socket
Fri Jul  2 07:03:13 2021 daemon.notice openvpn(client_vpntest)[11829]: SIGTERM[soft,auth-failure] received, process exiting
Fri Jul  2 07:03:18 2021 daemon.notice openvpn(client_vpntest)[11864]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Jul  2 07:03:18 2021 daemon.notice openvpn(client_vpntest)[11864]: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
Fri Jul  2 07:03:18 2021 daemon.warn openvpn(client_vpntest)[11864]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Jul  2 07:03:18 2021 daemon.notice openvpn(client_vpntest)[11864]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Jul  2 07:03:18 2021 daemon.notice openvpn(client_vpntest)[11864]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Jul  2 07:03:18 2021 daemon.notice openvpn(client_vpntest)[11864]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Jul  2 07:03:18 2021 daemon.notice openvpn(client_vpntest)[11864]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Jul  2 07:03:18 2021 daemon.notice openvpn(client_vpntest)[11864]: LZ4 compression initializing
Fri Jul  2 07:03:18 2021 daemon.notice openvpn(client_vpntest)[11864]: Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Fri Jul  2 07:03:18 2021 daemon.notice openvpn(client_vpntest)[11864]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Fri Jul  2 07:03:18 2021 daemon.notice openvpn(client_vpntest)[11864]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Fri Jul  2 07:03:18 2021 daemon.notice openvpn(client_vpntest)[11864]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Fri Jul  2 07:03:18 2021 daemon.notice openvpn(client_vpntest)[11864]: TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194
Fri Jul  2 07:03:18 2021 daemon.notice openvpn(client_vpntest)[11864]: Socket Buffers: R=[8388608->8388608] S=[8388608->8388608]
Fri Jul  2 07:03:18 2021 daemon.notice openvpn(client_vpntest)[11864]: UDP link local: (not bound)
Fri Jul  2 07:03:18 2021 daemon.notice openvpn(client_vpntest)[11864]: UDP link remote: [AF_INET]X.X.X.X:1194
Fri Jul  2 07:03:18 2021 daemon.notice openvpn(client_vpntest)[11864]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Fri Jul  2 07:03:19 2021 daemon.notice openvpn(client_vpntest)[11864]: TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=36bba555 96cbdd53
Fri Jul  2 07:03:19 2021 daemon.notice openvpn(client_vpntest)[11864]: VERIFY OK: depth=1, CN=Easy-RSA CA
Fri Jul  2 07:03:19 2021 daemon.notice openvpn(client_vpntest)[11864]: VERIFY KU OK
Fri Jul  2 07:03:19 2021 daemon.notice openvpn(client_vpntest)[11864]: Validating certificate extended key usage
Fri Jul  2 07:03:19 2021 daemon.notice openvpn(client_vpntest)[11864]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Jul  2 07:03:19 2021 daemon.notice openvpn(client_vpntest)[11864]: VERIFY EKU OK
Fri Jul  2 07:03:19 2021 daemon.notice openvpn(client_vpntest)[11864]: VERIFY OK: depth=0, CN=server
Fri Jul  2 07:03:21 2021 daemon.notice openvpn(client_vpntest)[11864]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
Fri Jul  2 07:03:21 2021 daemon.notice openvpn(client_vpntest)[11864]: [server] Peer Connection Initiated with [AF_INET]X.X.X.X:1194
Fri Jul  2 07:03:22 2021 daemon.notice openvpn(client_vpntest)[11864]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Jul  2 07:03:22 2021 daemon.notice openvpn(client_vpntest)[11864]: AUTH: Received control message: AUTH_FAILED
Fri Jul  2 07:03:22 2021 daemon.notice openvpn(client_vpntest)[11864]: TCP/UDP: Closing socket
Fri Jul  2 07:03:22 2021 daemon.notice openvpn(client_vpntest)[11864]: SIGTERM[soft,auth-failure] received, process exiting
Fri Jul  2 07:03:22 2021 daemon.info procd: Instance openvpn::client_vpntest s in a crash loop 6 crashes, 4 seconds since last crash

Thanks,

M
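The thread's conclusion is that the client deliberately stops retrying after AUTH_FAILED, so the useful defensive step is to notice that state quickly instead of waiting for a reconnect that never comes. The following is an added example, not code from the thread or from Teltonika: a small Python parser that runs over log lines constructed from the ones above, counts AUTH_FAILED exits and procd restarts per OpenVPN instance, and flags the instance for operator attention.

```python
import re
from collections import defaultdict

# Sample log lines constructed from the RUT240 thread above (same PIDs and timestamps).
SAMPLE_LOG = """\
Fri Jul  2 07:03:13 2021 daemon.notice openvpn(client_vpntest)[11829]: AUTH: Received control message: AUTH_FAILED
Fri Jul  2 07:03:13 2021 daemon.notice openvpn(client_vpntest)[11829]: TCP/UDP: Closing socket
Fri Jul  2 07:03:13 2021 daemon.notice openvpn(client_vpntest)[11829]: SIGTERM[soft,auth-failure] received, process exiting
Fri Jul  2 07:03:18 2021 daemon.notice openvpn(client_vpntest)[11864]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Jul  2 07:03:22 2021 daemon.notice openvpn(client_vpntest)[11864]: AUTH: Received control message: AUTH_FAILED
Fri Jul  2 07:03:22 2021 daemon.notice openvpn(client_vpntest)[11864]: SIGTERM[soft,auth-failure] received, process exiting
Fri Jul  2 07:03:22 2021 daemon.info procd: Instance openvpn::client_vpntest s in a crash loop 6 crashes, 4 seconds since last crash
"""

# syslog timestamp, facility.level, then either an openvpn(<instance>)[<pid>] line or a procd line
TS = r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \S+ "
OPENVPN_RE = re.compile(TS + r"openvpn\((?P<inst>[^)]+)\)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PROCD_RE = re.compile(TS + r"procd: Instance openvpn::(?P<inst>\S+) s in a crash loop (?P<n>\d+) crashes")


def analyse(log_text):
    """Per instance: AUTH_FAILED messages, auth-failure exits, distinct PIDs
    (each PID is one restart by procd) and procd's crash-loop count if logged."""
    stats = defaultdict(lambda: {"auth_failed": 0, "auth_exits": 0, "pids": set(), "crash_loop": None})
    for line in log_text.splitlines():
        m = OPENVPN_RE.match(line)
        if m:
            s = stats[m["inst"]]
            s["pids"].add(int(m["pid"]))
            if "AUTH_FAILED" in m["msg"]:
                s["auth_failed"] += 1
            if "SIGTERM[soft,auth-failure]" in m["msg"]:
                s["auth_exits"] += 1
            continue
        m = PROCD_RE.match(line)
        if m:
            stats[m["inst"]]["crash_loop"] = int(m["n"])
    return dict(stats)


def needs_operator(stats, inst, max_auth_exits=2):
    """True when procd reported a crash loop or the client exited on
    auth-failure at least max_auth_exits times: it will not recover by itself."""
    s = stats.get(inst)
    if s is None:
        return False
    return s["crash_loop"] is not None or s["auth_exits"] >= max_auth_exits


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(result, needs_operator(result, "client_vpntest"))
```

Feed it `logread` output from the router; once it flags the instance, the fix on the server side can be followed by a manual restart of the client instance.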

1 Answer

0 votes
by anonymous

Hello,

I would like to suggest that you enter a keep-alive value in your RUT240 client configuration:

Defines two time intervals: the first is used to periodically send ICMP requests to the OpenVPN server, the second one defines a time window, which is used to restart the OpenVPN service if no ICMP response is received during the specified time slice. When this value is specified on the OpenVPN server, it overrides the 'keep alive' values set on client instances.
Example: 10 120

Best answer
by anonymous

Hi, 

thanks for the response.

Yes, I have set the keepalive option on the server side, but I set it to high values, like 25 600. So maybe I have to wait for the 600s before seeing a new connection attempt?

by anonymous
Yes, you are correct.

I would suggest changing these values to 10 120 if that is possible.
by anonymous

I have just tried again and waited more than 600 seconds after the log:

Fri Jul  2 08:00:23 2021 daemon.info procd: Instance openvpn::client_vpntest s in a crash loop 6 crashes, 4 seconds since last crash

but the openvpn client on RUT240 does not send any new connection request.

The previous one is the last log that I can see from OpenVPN.

by anonymous
Hello,
After talking with OpenVPN support, this is the standard behavior of the client, to avoid continuous failed authentication attempts.

M