Author Topic: Zentyal 6.0 OpenVPN not Listening  (Read 1292 times)

Ppbottle

Zentyal 6.0 OpenVPN not Listening
« on: September 24, 2019, 07:36:55 pm »
I'm tearing my hair out here.

I've tried installing and reinstalling the VPN module multiple times but it doesn't appear to be listening on port 1194.

It is also writing nothing to the VPN log files. They are completely empty.

Code: [Select]
nmap -sU localhost -p 1194
Gives me:

Quote
Starting Nmap 7.01 ( https://nmap.org ) at 2019-09-24 10:35 PDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000068s latency).
Other addresses for localhost (not scanned): ::1
PORT     STATE  SERVICE
1194/udp closed openvpn

Does anyone have any idea what might be going wrong?

doncamilo

Re: Zentyal 6.0 OpenVPN not Listening
« Reply #1 on: September 24, 2019, 08:41:39 pm »
 :)

Did you check the VPN server widget in the dashboard?

Did you use the road warrior configuration or the Zentyal-to-Zentyal tunnel?

Did you configure your clients with the correct Zentyal "bundles" provided by the webadmin?

Check your vpn server this way:

Code: [Select]
sudo zs openvpn status # the output should be "RUNNING"
# or
sudo systemctl status openvpn

Checking the UDP listening ports

Code: [Select]
sudo ss -ulpn | grep openvp

Checking the firewall rules: (Did you try to create a service for the UDP 1194 port and grant access to it in the Firewall module?)

Code: [Select]
iptables -L | grep openvpn

Check the openvpn logs here:

Code: [Select]
# "test" is the name of my openvpn server. Each server has its own log.
less /var/log/openvpn/test.log

If you need more info, read about this command:

Code: [Select]
sudo openvpn --help

Cheers!
« Last Edit: September 24, 2019, 08:50:56 pm by doncamilo »
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,

Ppbottle

Re: Zentyal 6.0 OpenVPN not Listening
« Reply #2 on: September 24, 2019, 10:08:39 pm »
DonCamilo, your answer was fantastic, I really appreciate it.

I installed the VPN module through the Zentyal front end and enabled it in the modules section.

I did create the service and added firewall rules, the response I get from iptables says
Code: [Select]
iaccept    udp  --  anywhere             anywhere             udp dpt:openvpn state NEW
iaccept    udp  --  anywhere             anywhere             udp dpt:openvpn
iaccept    udp  --  anywhere             anywhere             udp dpt:openvpn state NEW

All openvpn logs are completely empty. Not a single character in them.
Code: [Select]
sudo zs openvpn status
Says
Code: [Select]
Zentyal: status module openvpn:                 [ STOPPED ]

Code: [Select]
sudo ss -ulpn | grep openvpn
gives no response.

I cannot figure it out!

doncamilo

Re: Zentyal 6.0 OpenVPN not Listening
« Reply #3 on: September 25, 2019, 08:40:32 pm »
 :)

Did you look for broken packages?

Code: [Select]
dpkg -l | grep -Ev '^(ii|rc)'

What's the status of the openvpn package? Is it updated?

Code: [Select]

apt-cache policy zentyal-openvpn

Cheers!

Ppbottle

Re: Zentyal 6.0 OpenVPN not Listening
« Reply #4 on: September 25, 2019, 10:36:28 pm »
Thanks DonCamilo,

The broken packages check gives me

Quote
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                  Version                           Architecture Description
+++-=====================================-=================================-============-===============================================================================
hi  libapt-pkg5.0:amd64                   1.2.29                            amd64        package management runtime library

And I'm really not sure what that means.

The OpenVPN seems to be updated correctly, if I'm reading it right.

Quote
zentyal-openvpn:
  Installed: 6.0
  Candidate: 6.0
  Version table:
 *** 6.0 500
        500 http://archive.zentyal.org/zentyal 6.0/main amd64 Packages
        500 http://archive.zentyal.org/zentyal 6.0/main i386 Packages
        100 /var/lib/dpkg/status

But I think I might have found the issue. Syslog tells me:
 
Code: [Select]
Sep 25 13:32:44 genesis systemd[1]: openvpn@OpenVPN-KCS.service: Service hold-off time over, scheduling restart.
Sep 25 13:32:44 genesis systemd[1]: openvpn@OpenVPN-KCS.service: Scheduled restart job, restart counter is at 420.
Sep 25 13:32:44 genesis systemd[1]: Stopped OpenVPN connection to OpenVPN-KCS.
Sep 25 13:32:44 genesis systemd[1]: Starting OpenVPN connection to OpenVPN-KCS...
Sep 25 13:32:44 genesis ovpn-OpenVPN-KCS[20939]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/OpenVPN-KCS.conf
Sep 25 13:32:44 genesis ovpn-OpenVPN-KCS[20939]: Use --help for more information.
Sep 25 13:32:44 genesis systemd[1]: openvpn@OpenVPN-KCS.service: Main process exited, code=exited, status=1/FAILURE
Sep 25 13:32:44 genesis systemd[1]: openvpn@OpenVPN-KCS.service: Failed with result 'exit-code'.
Sep 25 13:32:44 genesis systemd[1]: Failed to start OpenVPN connection to OpenVPN-KCS.

Which suggests that it's looking for OpenVPN-KCS.conf (the server conf file) in /etc/openvpn. That file is actually in /etc/openvpn/OpenVPN-KCS.d though

How do I redirect openvpn to look in the right place for the conf file?

Ppbottle

Re: Zentyal 6.0 OpenVPN not Listening
« Reply #5 on: September 25, 2019, 11:58:33 pm »
OK, I got it working.

I was getting nothing written to any of the openvpn logs and the service was not even running.

Looking at the syslog, I found that the service was failing to start because it was looking in the wrong place for the server conf file.

Code: [Select]
tail -f -n 5 /var/log/syslog
I copied the conf file to /etc/openvpn/ which was where it was looking for it and then did

Code: [Select]
systemctl daemon-reload
sudo service openvpn start

And it magically started working.

I'm not sure this is the best fix, because if I alter the server config through Zentyal, it will not read the conf file that is being read, but it is a workaround that has me up and running!
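
Added example, not part of the original posts: a shell sketch of the diagnosis above, which pulls the failing openvpn@ instance, the config path it could not open and the highest restart counter out of syslog text, then checks where the file actually is. The function names, the sample lines and the `<instance>.d/<instance>.conf` layout are assumptions modelled on what the thread quotes.

```shell
#!/bin/sh
# Constructed sample, modelled on the syslog lines quoted in the thread.
sample_log() {
cat <<'EOF'
Sep 25 13:32:44 genesis systemd[1]: openvpn@OpenVPN-KCS.service: Scheduled restart job, restart counter is at 420.
Sep 25 13:32:44 genesis ovpn-OpenVPN-KCS[20939]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/OpenVPN-KCS.conf
Sep 25 13:32:44 genesis systemd[1]: openvpn@OpenVPN-KCS.service: Main process exited, code=exited, status=1/FAILURE
Sep 25 13:32:49 genesis systemd[1]: openvpn@OpenVPN-KCS.service: Scheduled restart job, restart counter is at 421.
Sep 25 13:32:49 genesis ovpn-OpenVPN-KCS[20951]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/OpenVPN-KCS.conf
EOF
}

# stdin: syslog text.
# stdout: "<instance> <config path that could not be opened> <highest restart counter>"
missing_conf_report() {
    awk '
    /openvpn@.*restart counter is at/ {
        inst = $0; sub(/.*openvpn@/, "", inst); sub(/\.service:.*/, "", inst)
        n = $0; sub(/.*restart counter is at /, "", n); sub(/\.$/, "", n)
        if (n + 0 > max[inst] + 0) max[inst] = n + 0
    }
    /ovpn-.*Error opening configuration file: / {
        inst = $0; sub(/.* ovpn-/, "", inst); sub(/\[.*/, "", inst)
        path = $0; sub(/.*Error opening configuration file: /, "", path)
        conf[inst] = path
    }
    END { for (i in conf) printf "%s %s %d\n", i, conf[i], max[i] }' | sort
}

# Assumed layout: the unit expects <dir>/<inst>.conf, while the file may only
# exist as <dir>/<inst>.d/<inst>.conf (the situation described in the thread).
conf_location() {
    inst=$1; dir=${2:-/etc/openvpn}
    if [ -f "$dir/$inst.conf" ]; then echo present
    elif [ -f "$dir/$inst.d/$inst.conf" ]; then echo in-subdir
    else echo absent
    fi
}

sample_log | missing_conf_report
```

On a live system, feed it `/var/log/syslog` instead of the sample and run `conf_location` for each instance it reports.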

doncamilo

Re: Zentyal 6.0 OpenVPN not Listening
« Reply #6 on: September 26, 2019, 02:38:54 pm »
 :)

Zentyal uses a redis database and some templates in order to store and load the custom configurations. (These stubs are in a sub-folder of /usr/share/zentyal/stubs/). Zentyal is designed to load the values stored in redis onto the system through these templates in order to create the services' config files.

Any custom setting which you make in the service config file will be removed the next time the service is reloaded. On the other hand, if you customize the master template you'll lose the changes the next time you upgrade the system... Read this document in order to give persistence to your custom templates: https://doc.zentyal.org/en/appendix-c.html#stubs

The question here is... What has happened in your openvpn zentyal implementation?  :o

Cheers!

I'm happy you have fixed this problem!  :D