0 votes
363 views 4 comments
by anonymous
We are using RUTX09 routers with firmware 07.02.4 with OpenVPN in TAP mode. The router acts as a failover device in case the internet connection of our network is gone. We do a manual failover and add "eth0" to the LAN interface bridge if we need to bridge the switch with the router.

This was working fine in the past, but now I cannot start the VPN anymore through GUI.

Using the same command that the GUI would trigger works perfectly on the CLI.

If I use the GUI, I see on our VPN server only "PUSH: Received control message: 'PUSH_REQUEST'", and the client (the router) tries to connect again and again:

Aug 18 11:08:48 ATVSISROU001 openvpn[46905]: [XXXXhostnameXXXXX] Peer Connection Initiated with [AF_INET]XXXIP:PORTXXX
Aug 18 11:08:49 ATVSISROU001 openvpn[46905]: PUSH: Received control message: 'PUSH_REQUEST'
Aug 18 11:08:54 ATVSISROU001 openvpn[46905]: PUSH: Received control message: 'PUSH_REQUEST'

Maybe this is important information: from the CLI I can only start it if I edit the command and remove the parentheses, i.e. change

--syslog openvpn(ISHQ) to --syslog openvpnISHQ
by anonymous

After trying different settings and different FW versions, I can give the following details about the issue:

  1. OpenVPN configuration

client
nobind
persist-key
persist-tun
tls-client
auth sha512
ca /etc/vuci-uploads/cbid.openvpn.ISHQstat.caSIS_Backup_VPNCA.crt
cert /etc/vuci-uploads/cbid.openvpn.ISHQstat.certATVILTE162.sis.infoscreen.at.crt
cipher AES-256-CBC
dev tap
key /etc/vuci-uploads/cbid.openvpn.ISHQstat.keyATVILTE162.sis.infoscreen.at.key
port 11192
proto udp
remote X.X.X.X
resolv-retry infinite
status /tmp/openvpn-status_ISHQstat.log
user root
verb 5
data-ciphers AES-256-CBC
auth-nocache
script-security 2
down /etc/openvpn/updown.sh
up /etc/openvpn/updown.sh

Initialization of the VPN in the GUI is NOT possible! I had to start the tunnel with:

/usr/sbin/openvpn --status /var/run/openvpn.ISHQstat.status --cd /var/etc --config /var/etc/openvpn-ISHQstat.conf --daemon

You remember: I set up the LAN interface in the physical settings with "tap0" only. In case we need to handle a failover, we will change the interface and restart the VPN process. This is a temporary workaround until you have fixed the issues with TLS and the GUI.

One thing that is really interesting: in the LAN interface the firewall settings are assigned with "Create / Assign firewall-zone: lan: [wan] [lan]". In the routers with routed VPN I saw only LAN in this setting.

The client log I will send by PM.

Another thing I just noticed: after bootup /var/etc/openvpn-ISHQstat.conf does not exist. Where is the VPN configuration saved, if not here?


2 Answers

0 votes
by anonymous

Maybe some of you will be interested in how I solved it. As the configuration through the web interface was not working properly (sometimes VPN on, sometimes VPN off), I decided to use scripting.

For this reason I switched off the VPN in the web interface. New challenge: the VPN config is not available after a reboot. Also, the generated VPN configuration was not proper. For example, "cipher" is not needed when the VPN server is negotiating, so I edited the configuration.

data-ciphers AES-256-CBC:BF-CBC:AES-256-GCM and data-ciphers-fallback AES-256-CBC are equal to the server configuration and IMHO not available in the web interface.

VPN config:

client
nobind
persist-key
persist-tun
tls-client
auth sha512
ca /etc/vuci-uploads/MYCA.crt
cert /etc/vuci-uploads/MYCERT.crt
dev tap
key /etc/vuci-uploads/MYKEYFILE.key
port 11192
proto udp
remote X.X.X.X
resolv-retry infinite
status /tmp/openvpn-status_ISHQstat.log
user root
verb 5
data-ciphers AES-256-CBC:BF-CBC:AES-256-GCM
data-ciphers-fallback AES-256-CBC
auth-nocache
script-security 2
down /etc/openvpn/updown.sh
up /etc/openvpn/updown.sh

Solution to make the configuration available:

I deployed the config on a web server that is always reachable from the router as long as the mobile connection is available.

Solution to make the VPN configuration available once the mobile connection is ready: hotplug.d

This script is launched once the device "wwan0" comes up with the action "ifup". If wwan0 is down, we don't need OpenVPN.

cat /etc/hotplug.d/iface/99-openvpn

#!/bin/sh
#/etc/hotplug.d/iface/99-openvpn
# Runs on every interface event; only the mobile interface wwan0 is of interest here.
VPNSCRIPT=/usr/bin/dl_vpn.sh
log() {
        # $0 is this script's path; the original used $script, which hotplug never sets
        logger -p 4 -t "$(basename "$0")" "$@"
}

# POSIX "=" and quoted $DEVICE: an unset DEVICE would otherwise break the test
if [ "$ACTION" = "ifup" ] && [ "$DEVICE" = "wwan0" ]; then
        log "wwan0 up - Mobile data connected"
        /bin/sh "$VPNSCRIPT"
elif [ "$ACTION" = "ifdown" ] && [ "$DEVICE" = "wwan0" ]; then
        log "wwan0 down - Mobile data disconnected"
        killall openvpn
fi

Script to switch the VPN on:

The script downloads the client configuration and launches OpenVPN in daemon mode.

#!/bin/sh
#/bin/sh /usr/bin/dl_vpn.sh
# Downloads this router's OpenVPN client config from the VPN gateway and starts openvpn.

VPNGW="X.X.X.X"
SISGW="X.X.X.X"
FQDN=$(cat /proc/sys/kernel/hostname)
HOSTNAME=${FQDN%%.*}
REMOTE_FILE="${HOSTNAME}_openvpn-ISHQstat.conf"   # per-router file name on the web server
URL="https://${VPNGW}/${REMOTE_FILE}"
FILENAME="/var/etc/openvpn-ISHQstat.conf"         # local path openvpn is started from

log() {
        /usr/bin/logger -t dl_vpn.sh "$@"
}

bailout() {
        /usr/bin/logger -t dl_vpn.sh "$@"
        exit 1
}

# "&>" is a bash extension; a POSIX sh parses it as a background "&" followed by a
# redirection, so the portable form is used here.
if ping -c 1 "$VPNGW" > /dev/null 2>&1
then
        # --no-check-certificate disables TLS certificate verification of the web server
        /usr/bin/wget "$URL" -O "$FILENAME" --no-check-certificate
        sleep 2

        test -f "$FILENAME" || bailout "$FILENAME not available"
        pgrep -f openvpn-ISHQstat.conf || /usr/sbin/openvpn --status /var/run/openvpn.ISHQstat.status --cd /var/etc --config /var/etc/openvpn-ISHQstat.conf --daemon
        ping -c 2 "$SISGW"
else
        log "could not download VPN_config file"
fi

Best answer
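The answer above fetches the client config from a web server with certificate checking disabled and then runs it as root with script-security 2, so whatever is in that file decides which programs the router executes. The script below is an added example, not the poster's script and not RUTOS code: it sits between the download step and the openvpn start, verifies the file against a SHA-256 digest published next to it (a hypothetical convention assumed here), rejects any hook directive that names something other than the local updown.sh, and only then starts openvpn with the `--syslog` tag quoted, which is the reason the GUI-generated `openvpn(ISHQ)` form fails on the CLI. The `$1`/`$2` interface, the digest file and the script name validate_vpn.sh are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script and not RUTOS code. Hypothetical
# interface: $1 is the fetched OpenVPN config, $2 the expected SHA-256 hex
# digest published next to the file on the same web server.

# The only program that hook directives in a config may name.
ALLOWED_HOOK=/etc/openvpn/updown.sh

# Directives that make openvpn execute a program or plugin named in the config.
HOOK_RE='^[[:space:]]*(up|down|route-up|route-pre-down|ipchange|client-connect|client-disconnect|learn-address|tls-verify|auth-user-pass-verify|plugin)[[:space:]]'

log() {
        logger -t validate_vpn.sh "$*" 2>/dev/null || true
        echo "validate_vpn.sh: $*" >&2
}

# verify_sha256 FILE DIGEST: fail unless FILE hashes to DIGEST.
verify_sha256() {
        actual=$(sha256sum "$1" | cut -d' ' -f1)
        [ "$actual" = "$2" ] || { log "checksum mismatch for $1"; return 1; }
}

# check_required FILE: a TAP client cannot work without these directives.
check_required() {
        for pat in '^client$' '^dev tap' '^remote ' '^ca ' '^cert ' '^key '; do
                grep -Eq "$pat" "$1" || { log "missing directive matching $pat"; return 1; }
        done
}

# check_hooks FILE: every hook directive must point at ALLOWED_HOOK and nothing else.
check_hooks() {
        bad=$(grep -E "$HOOK_RE" "$1" | awk -v ok="$ALLOWED_HOOK" '$2 != ok')
        [ -z "$bad" ] || { log "rejected hook directive(s): $bad"; return 1; }
}

# check_script_security FILE: level 3 would additionally pass credentials to scripts.
check_script_security() {
        lvl=$(awk '$1 == "script-security" { lvl = $2 } END { if (lvl != "") print lvl }' "$1")
        [ -z "$lvl" ] || [ "$lvl" -le 2 ] || { log "script-security $lvl is too permissive"; return 1; }
}

# validate_config FILE DIGEST: all checks must pass; the first failure is logged.
validate_config() {
        verify_sha256 "$1" "$2" && check_required "$1" && check_hooks "$1" && check_script_security "$1"
}

# launch_openvpn FILE: start openvpn once. The --syslog tag is quoted; an unquoted
# "openvpn(ISHQ)", as in the GUI-generated command, is a shell syntax error.
launch_openvpn() {
        pgrep -f "^/usr/sbin/openvpn .*--config $1" > /dev/null && return 0
        /usr/sbin/openvpn --syslog 'openvpn(ISHQ)' --status /var/run/openvpn.ISHQstat.status \
                --cd "$(dirname "$1")" --config "$1" --daemon
}

# Usage: validate_vpn.sh /var/etc/openvpn-ISHQstat.conf <sha256 hex digest>
if [ $# -eq 2 ]; then
        validate_config "$1" "$2" && launch_openvpn "$1"
fi
```

In dl_vpn.sh the call would replace the bare `pgrep ... || /usr/sbin/openvpn ...` line, with the digest fetched from the same URL plus a `.sha256` suffix; the digest only proves the file is the one the server published, so keeping wget's certificate verification enabled is still what ties that server to the expected gateway.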
0 votes
by anonymous

Hello,

Could you provide the steps to replicate the issue?

Since which firmware version did the functionality stop working?

Is it some kind of formatting issue from GUI configuration?

Could you provide a troubleshoot file from the device with the issue? To generate the file access router's WebUI, go to System -> Administration > Troubleshoot section and download troubleshoot file from there.

Best regards,

by anonymous

Hi,

I set up the OpenVPN connection with the necessary parameters (TAP mode) with the configuration of:

  1. TAP (bridged)
  2. UDP
  3. Port 11195 (second router / client is 11194)
  4. LZO none
  5. TLS auth
  6. TLS ciphers all
  7. remote host: IP
  8. resolv-retry: infinite
  9. Keepalive 10 120
  10. SHA512
  11. Auth only (TLS-auth)
  12. provided HMAC file
  13. Key direction: 1
  14. provided CA/cert/key

The VPN itself seems to be fine, but even if I get it running through the GUI, the connection breaks down after some minutes: sometimes a few minutes, sometimes more.

The connection breakdown does not occur on the CLI.

Currently I have upgraded to firmware 07.02.5, but I had the issues already in 07.02.2 & 4.

How should I provide the file?

BR

by anonymous
Something new came up:

Once I restore the configuration on router 1, router 1 is working (we will see for how long).

On Router 2 I imported the backup from router 1 and changed the necessary data, like IP, VPN, etc.

I will try to configure router 2 from the beginning while monitoring router 1
by anonymous

You can attach the file by editing your question or send it in a private message. However, based on your description, I assume the issue might arise due to the Auth only (TLS-auth) usage, which has been reported here. If that is the case, it will be solved in the upcoming RUTOS 7.2.6 firmware release.

Best regards,