As I mentioned above, I didn't want to flood the forum with logs unless it was necessary, so here they are.
/etc/config/openvpn:
# OpenVPN server instance as exported from the Turris UCI config.
# No 'user'/'group' options are set here, so the daemon (and the hook
# scripts below) keep whatever privileges OpenVPN was started with.
config openvpn 'server_turris'
option enabled '1'
option port '1194'
option proto 'udp'
option dev 'tun_turris'
# PKI: CA, CRL and the server certificate/key. crl_verify lets individual
# client certificates be revoked without replacing the CA.
option ca '/etc/ssl/ca/openvpn/ca.crt'
option crl_verify '/etc/ssl/ca/openvpn/ca.crl'
option cert '/etc/ssl/ca/openvpn/01.crt'
option key '/etc/ssl/ca/openvpn/01.key'
option dh '/etc/dhparam/dh-default.pem'
# VPN subnet handed to clients; address leases are persisted in /tmp/ipp.txt
# (the startup log below shows 'momhelp' and 'phonetest' being restored from it).
option server '10.255.111.0 255.255.255.0'
option ifconfig_pool_persist '/tmp/ipp.txt'
# duplicate-cn disabled: a second connection using the same client CN
# displaces the existing session instead of running alongside it.
option duplicate_cn '0'
option keepalive '10 120'
option persist_key '1'
option persist_tun '1'
option status '/tmp/openvpn-status.log'
option verb '3'
option mute '20'
# Route to the LAN that every client receives.
list push 'route 192.168.40.0 255.255.255.0'
# script_security 2 permits the connect/disconnect hooks below to run (the
# server logs a NOTE about this at startup). Review what up.sh/down.sh do when
# diagnosing the restarts: they run per client event with the daemon's privileges.
option script_security '2'
option client_connect '/etc/openvpn/up.sh'
option client_disconnect '/etc/openvpn/down.sh'
# Empty value. NOTE(review): check what the init script emits for this;
# compression over the tunnel is best left disabled (see the VORACLE attack).
option compress ''
Here are the logs from starting OpenVPN, a client connecting, and the daemon then stopping and being restarted automatically:
Jul 13 21:26:43 openvpn(server_turris)[20371]: OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Jul 13 21:26:43 openvpn(server_turris)[20371]: library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
Jul 13 21:26:43 openvpn(server_turris)[20371]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 13 21:26:43 openvpn(server_turris)[20371]: Diffie-Hellman initialized with 2048 bit key
Jul 13 21:26:43 openvpn(server_turris)[20371]: TUN/TAP device tun_turris opened
Jul 13 21:26:43 openvpn(server_turris)[20371]: TUN/TAP TX queue length set to 100
Jul 13 21:26:43 openvpn(server_turris)[20371]: /sbin/ifconfig tun_turris 10.255.111.1 pointopoint 10.255.111.2 mtu 1500
Jul 13 21:26:43 openvpn(server_turris)[20371]: /sbin/route add -net 10.255.111.0 netmask 255.255.255.0 gw 10.255.111.2
Jul 13 21:26:43 openvpn(server_turris)[20371]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Jul 13 21:26:43 openvpn(server_turris)[20371]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Jul 13 21:26:43 openvpn(server_turris)[20371]: UDPv4 link local (bound): [AF_INET][undef]:1194
Jul 13 21:26:43 openvpn(server_turris)[20371]: UDPv4 link remote: [AF_UNSPEC]
Jul 13 21:26:43 openvpn(server_turris)[20371]: MULTI: multi_init called, r=256 v=256
Jul 13 21:26:43 openvpn(server_turris)[20371]: IFCONFIG POOL: base=10.255.111.4 size=62, ipv6=0
Jul 13 21:26:43 openvpn(server_turris)[20371]: ifconfig_pool_read(), in='momhelp,10.255.111.4', TODO: IPv6
Jul 13 21:26:43 openvpn(server_turris)[20371]: succeeded -> ifconfig_pool_set()
Jul 13 21:26:43 openvpn(server_turris)[20371]: ifconfig_pool_read(), in='phonetest,10.255.111.8', TODO: IPv6
Jul 13 21:26:43 openvpn(server_turris)[20371]: succeeded -> ifconfig_pool_set()
Jul 13 21:26:43 openvpn(server_turris)[20371]: IFCONFIG POOL LIST
Jul 13 21:26:43 openvpn(server_turris)[20371]: momhelp,10.255.111.4
Jul 13 21:26:43 openvpn(server_turris)[20371]: phonetest,10.255.111.8
Jul 13 21:26:43 openvpn(server_turris)[20371]: Initialization Sequence Completed
Jul 13 21:26:43 netifd: Interface 'vpn_turris' is enabled
Jul 13 21:26:43 netifd: Interface 'vpn_turris' is disabled
Jul 13 21:26:43 netifd: Interface 'vpn_turris' is enabled
Jul 13 21:26:43 netifd: Network device 'tun_turris' link is up
Jul 13 21:26:43 netifd: Interface 'vpn_turris' has link connectivity
Jul 13 21:26:43 netifd: Interface 'vpn_turris' is setting up now
Jul 13 21:26:43 netifd: Interface 'vpn_turris' is now up
Jul 13 21:26:45 firewall: Reloading firewall due to ifup of vpn_turris (tun_turris)
Jul 13 21:28:47 openvpn(server_turris)[20371]: 199.3.14.243:7627 TLS: Initial packet from [AF_INET]199.3.14.243:7627, sid=e17ea85c 64168da6
Jul 13 21:28:51 openvpn(server_turris)[20371]: 199.3.14.243:7627 VERIFY OK: depth=1, CN=openvpn
Jul 13 21:28:51 openvpn(server_turris)[20371]: 199.3.14.243:7627 VERIFY OK: depth=0, CN=phonetest
Jul 13 21:28:53 openvpn(server_turris)[20371]: 199.3.14.243:7627 peer info: IV_VER=2.5_master
Jul 13 21:28:53 openvpn(server_turris)[20371]: 199.3.14.243:7627 peer info: IV_PLAT=android
Jul 13 21:28:53 openvpn(server_turris)[20371]: 199.3.14.243:7627 peer info: IV_PROTO=2
Jul 13 21:28:53 openvpn(server_turris)[20371]: 199.3.14.243:7627 peer info: IV_NCP=2
Jul 13 21:28:53 openvpn(server_turris)[20371]: 199.3.14.243:7627 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
Jul 13 21:28:53 openvpn(server_turris)[20371]: 199.3.14.243:7627 peer info: IV_LZ4=1
Jul 13 21:28:53 openvpn(server_turris)[20371]: 199.3.14.243:7627 peer info: IV_LZ4v2=1
Jul 13 21:28:53 openvpn(server_turris)[20371]: 199.3.14.243:7627 peer info: IV_LZO=1
Jul 13 21:28:53 openvpn(server_turris)[20371]: 199.3.14.243:7627 peer info: IV_COMP_STUB=1
Jul 13 21:28:53 openvpn(server_turris)[20371]: 199.3.14.243:7627 peer info: IV_COMP_STUBv2=1
Jul 13 21:28:53 openvpn(server_turris)[20371]: 199.3.14.243:7627 peer info: IV_TCPNL=1
Jul 13 21:28:53 openvpn(server_turris)[20371]: 199.3.14.243:7627 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.15
Jul 13 21:28:53 openvpn(server_turris)[20371]: 199.3.14.243:7627 peer info: IV_SSO=openurl,crtext
Jul 13 21:28:53 openvpn(server_turris)[20371]: 199.3.14.243:7627 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 4096 bit RSA
Jul 13 21:28:53 openvpn(server_turris)[20371]: 199.3.14.243:7627 [phonetest] Peer Connection Initiated with [AF_INET]199.3.14.243:7627
Jul 13 21:28:53 openvpn(server_turris)[20371]: phonetest/199.3.14.243:7627 MULTI_sva: pool returned IPv4=10.255.111.10, IPv6=(Not enabled)
Jul 13 21:28:53 openvpn(server_turris)[20371]: phonetest/199.3.14.243:7627 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_607defb103dfb366.tmp
Jul 13 21:28:53 openvpn(server_turris)[20371]: phonetest/199.3.14.243:7627 MULTI: Learn: 10.255.111.10 -> phonetest/199.3.14.243:7627
Jul 13 21:28:53 openvpn(server_turris)[20371]: phonetest/199.3.14.243:7627 MULTI: primary virtual IP for phonetest/199.3.14.243:7627: 10.255.111.10
Jul 13 21:28:54 openvpn(server_turris)[20371]: event_wait : Interrupted system call (code=4)
Jul 13 21:28:54 openvpn(server_turris)[20371]: /sbin/route del -net 10.255.111.0 netmask 255.255.255.0
Jul 13 21:28:54 openvpn(server_turris)[20371]: ERROR: Linux route delete command failed: external program exited with error status: 1
Jul 13 21:28:54 openvpn(server_turris)[20371]: Closing TUN/TAP interface
Jul 13 21:28:54 openvpn(server_turris)[20371]: /sbin/ifconfig tun_turris 0.0.0.0
Jul 13 21:28:54 netifd: Network device 'tun_turris' link is down
Jul 13 21:28:54 netifd: Interface 'vpn_turris' has link connectivity loss
Jul 13 21:28:54 netifd: Interface 'vpn_turris' is now down
Jul 13 21:28:54 openvpn(server_turris)[20371]: SIGTERM[hard,] received, process exiting
After a more thorough inspection of my logs, a client connecting isn't required for this behaviour. Between 00:00 UTC and 12:17 UTC it restarted 222 times, with no one connecting. The interval isn't consistent either: between 00:10:45 and 00:12:00 it restarted 30 times, roughly every 2–3 seconds, while at other times there are gaps of up to 15 minutes. Note that in the excerpt above the stop ends with `SIGTERM[hard,] received, process exiting`, so the daemon is being told to exit by something else (e.g. the init/network layer) rather than crashing on its own.
I can increase the log verbosity and see if anything stands out.
Here's the client config (the inline certificate and key blocks are empty in this paste):
##############################################
# Openvpn client configuration generated by #
# router Turris based on Sample client-side #
# OpenVPN 2.0 config file #
# #
# This configuration can be used only on #
# a single client. #
# #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Act as a client: pull options (such as the pushed LAN route) from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun_turris
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote my-server-1 1194
;remote my-server-2 1194
# NOTE(review): this is the server's public address; consider redacting it
# (and the client name) before sharing the file.
remote 164.23.24.17 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings
# Inline PKI material: CA certificate, this client's certificate and its
# private key. The blocks are empty in this paste (presumably stripped
# before posting); the <key> contents must never be shared.
<ca>
</ca>
<cert>
</cert>
<key>
</key>
# Require the server certificate to be marked for the server role, so a
# client certificate issued by the same CA cannot be used to impersonate
# the server.
remote-cert-tls server
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
# To enable to process DNS push request from the server on linux machines (non systemd-resolved)
# note that you might need to have resolvconf program installed
;script-security 2
;up /etc/openvpn/update-resolv-conf
;down /etc/openvpn/update-resolv-conf
# To enable to process DNS push request from the server on linux machines (systemd-resolved)
# see https://github.com/jonathanio/update-systemd-resolved
;script-security 2
;setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
;up /etc/openvpn/update-systemd-resolved
;down /etc/openvpn/update-systemd-resolved
;down-pre
But I no longer think a client connecting is what triggers the restarts.