vpn suddenly not working

[MachielR]

Hi Guys

     I really hope that someone can give me some insight on this.

     We are running Zentyal 2.2.10 with openvpn to provide vpn connectivity to the office after hours.

      however about 2 days ago our vpn stopped working and after several investigations and testing the following was found :

       - Open vpn is running on the zentyal server and the port is listening on all interfaces.
       - I am able to telnet to the port as well as connect successfully from inside the office network.
       - Outside of the office network however, using dsl or 3g methods we are not able to connect and getting the message "Connection Refused"
        - I have verified and certificates have not expired and as a test also created a new one to ensure the certificate is valid.

        - We have 2 x gateways on the Zentyal server and both linked to the vpn in case one goes down, however not able to connect via either one.

        - When trying to telnet to port 1194 from outside the office, no luck.
        - The following is the only errors I am able to find in the openvpn log files and can not seem to find anything usefull on the net for these :

Thu Feb  5 09:23:25 2015 WARNING: file '/var/lib/zentyal/CA/private/VPN.pem' is group or others accessible
SIOCSIFADDR: Permission denied
SIOCSIFFLAGS: Permission denied
Thu Feb  5 09:23:21 2015 Linux ip addr del failed: external program exited with error status: 255

         I have also tried to add explicit firewall rules to allow port 1194 externally but this has made no difference at all.


        Can anyone please assist me with this as I am busy running out of ideas.


       Any help would be greatly appreciated.

Regards


     

[jbahillo]

Try stopping and starting the VPN module. It really looks like Some issue when adding routes has happened

[MachielR]

HI thank you for the reply

    I have stopped and restarted the module several times as well as restarted the server itself more than once without any changes to the problem.

Regards

[jbahillo]

Hello:

Might you empty this VPN log echo ""> /var/log/openvpn/<logfile>.log and show the result when clint tries to connect?

Client log might be useful as well


I addition to this, I think that this mnight be due to VPN port being firewalled at some point

[MachielR]

Hi, The zentyal openvpn log does not generate any messages at all.

the client log as below :

[root@edray-server1 certs]# openvpn client.ovpn
Thu Feb  5 12:36:53 2015 DEPRECATED OPTION: --tls-remote, please update your configuration
Thu Feb  5 12:36:53 2015 OpenVPN 2.3.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec  2 2014
Thu Feb  5 12:36:53 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.08
Thu Feb  5 12:36:53 2015 WARNING: file 'client.pem' is group or others accessible
Thu Feb  5 12:36:53 2015 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Feb  5 12:36:53 2015 Attempting to establish TCP connection with [AF_INET]<IP address>:1194 [nonblock]
Thu Feb  5 12:36:54 2015 TCP: connect to [AF_INET]<IP address>:1194 failed, will try again in 5 seconds: Connection refused
Thu Feb  5 12:37:00 2015 TCP: connect to [AF_INET]<IP address>:1194 failed, will try again in 5 seconds: Connection refused
Thu Feb  5 12:37:06 2015 TCP: connect to [AF_INET]<IP address>:1194 failed, will try again in 5 seconds: Connection refused
Thu Feb  5 12:37:13 2015 TCP: connect to [AF_INET]<IP address>:1194 failed, will try again in 5 seconds: Connection refused
Thu Feb  5 12:37:19 2015 TCP: connect to [AF_INET]<IP address>:1194 failed, will try again in 5 seconds: Connection refused
Thu Feb  5 12:37:25 2015 TCP: connect to [AF_INET]<IP address>:1194 failed, will try again in 5 seconds: Connection refused
Thu Feb  5 12:37:37 2015 TCP: connect to [AF_INET]<IP address>:1194 failed, will try again in 5 seconds: Connection refused



regards

[jbahillo]

This clearloy means that the port is closed at some of your routers or at Zentyal firewall. Check port redirections on your router

[MachielR]

Already verified and port redirection is enabled.

I have also added explicit rules on the zentyal firewall to allow the ports but no difference at all.

Regards

ps, thank you for the responses so far.

[jbahillo]

Hello:

Issue is related to this for sure so I would advise to :

issue follwoing command on CLI:

iptables -I INPUT -p tcp --destination-port 1194 -j ACCEPT

 (this will allow any incoming connection on tcp port 1194)

Is  this fixes your issue you will need to review your Zentyal fw rules (perhaps rule added on wrong section) I f this does not fix your issue recheck your routers port redirection or any other firewall between Zentyal and router.

[MachielR]

I have run that command and no luck.

The routers are however not managed by us  but by the ISP themselves.

I have logged a request with them to investigate this from their side.

Regards