- DAL as OpenVPN client with OVPN config file ("Use .ovpn file" option enabled, which is the default): The verbosity level can be set directly in the .ovpn file.
Note: Once the verbosity level is increased, the system logs will include more debugging information about the possible cause of the failure, but the log files will also grow in size, so it is recommended to set the level back to the default once the issue is resolved.
A typical good output looks as follows:
OpenVPN Server Initialization:
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 OpenVPN 2.4.4 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 28 2020
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.02
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 Diffie-Hellman initialized with 2048 bit key
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 TUN/TAP device os_NewTunnel opened
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 TUN/TAP TX queue length set to 100
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 /sbin/ifconfig os_NewTunnel 10.10.10.1 pointopoint 10.10.10.80 mtu 1500
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 Could not determine IPv4/IPv6 protocol. Using AF_INET
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 Socket Buffers: R=[180224->180224] S=[180224->180224]
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 UDPv4 link local (bound): [AF_INET][undef]:1194
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 UDPv4 link remote: [AF_UNSPEC]
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 MULTI: multi_init called, r=256 v=256
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 IFCONFIG POOL: base=10.10.10.80 size=5, ipv6=0
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 Initialization Sequence Completed
Client Connection:
[F01:P05] Sep 11 12:59:27 EX15W root: openvpn: 95.91.252.234 successfully connected.
The OpenVPN tunnel establishment can fail due to an error in the OpenVPN Server/Client configuration (invalid commands, for example) or due to negotiation problems (authentication failure, parameter incompatibility between peers, etc.).
The following are some examples of "bad" logs that can be seen in common error cases:
OpenVPN Server failing to initialize due to invalid options:
[F03:P05] Sep 11 13:30:35 EX15W netifd: Interface 'os_NewTunnel' is setting up now
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 OpenVPN 2.4.4 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 28 2020
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.02
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 Diffie-Hellman initialized with 2048 bit key
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 Cipher AES-128 not supported
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 Exiting due to fatal error
[F03:P05] Sep 11 13:30:35 EX15W netifd: Interface 'os_NewTunnel' is now down
What to check >> When there is an error about an unsupported option, most probably "Advanced options" have been configured to add parameters to the defaults used by DAL. That field must be checked to correct possible errors in the format or name of the options specified.
OpenVPN Server fails to negotiate due to authentication failure (username invalid):
Sep 11 13:50:30 EX15W Sep 11 13:50:30 00270439a34b us: pam_acc: username username invalid
Sep 11 13:50:30 EX15W root: openvpn: PAM failed to authenticate user username(95.91.252.234)
Sep 11 13:50:30 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 13:50:30 2020 us=145846 95.91.252.234:63047 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Sep 11 13:50:30 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 13:50:30 2020 us=146165 95.91.252.234:63047 TLS Auth Error: Auth Username/Password verification failed for peer
What to check >> When a username is detected as "invalid", most probably the user configuration is missing on DAL. To add or correct it, go to Authentication > Users and add a user with the same name as configured in the client, associated with the proper OpenVPN user groups for that tunnel (see below as well).
OpenVPN Server fails to negotiate due to authentication failure (user not authorized):
Sep 11 14:06:07 EX15W root: openvpn: user username(95.91.252.234) is not authorised to use server NewTunnel
Sep 11 14:06:07 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 14:06:07 2020 us=524199 95.91.252.234:63033 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Sep 11 14:06:07 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 14:06:07 2020 us=524564 95.91.252.234:63033 TLS Auth Error: Auth Username/Password verification failed for peer
What to check >> The username is authenticated but is not authorized to use the OpenVPN tunnel. In this case, check the group associated with the user, which needs to have the OpenVPN tunnel linked to it:
OpenVPN Server fails to negotiate due to authentication failure (password mismatch):
Sep 11 14:02:42 EX15W : pam_acc(openvpn:auth): pam_acc: password mismatch for user username
Sep 11 14:02:42 EX15W Sep 11 14:02:42 00270439a34b us: pam_acc: password mismatch for user username
Sep 11 14:02:42 EX15W root: openvpn: PAM failed to authenticate user username(95.91.252.234)
Sep 11 14:02:42 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 14:02:42 2020 us=642687 95.91.252.234:63069 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Sep 11 14:02:42 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 14:02:42 2020 us=642975 95.91.252.234:63069 TLS Auth Error: Auth Username/Password verification failed for peer
What to check >> The user is configured, but the password does not match the one received from the client, so the password must be corrected.
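The failure cases above can be triaged automatically from an exported system log. The following is an added example, not part of the original article or of DAL: it matches the error signatures shown in the excerpts above, reports each failure once (pam_acc logs a password mismatch twice per attempt) and counts failed authentications per peer address. The function name, category names, user "alice" and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Signatures taken from the log excerpts on this page -> (category, what to check).
RULES = [
    (r"Cipher \S+ not supported", "invalid_option",
     "review 'Advanced options' for a wrong option name or format"),
    (r"pam_acc: username \S+ invalid", "unknown_user",
     "add the user under Authentication > Users"),
    (r"is not authorised to use server", "user_not_authorised",
     "link the tunnel to the user's OpenVPN group"),
    (r"pam_acc: password mismatch for user", "password_mismatch",
     "correct the password on the server or the client"),
]
STAMP = re.compile(r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d")  # syslog timestamp
PEER_FAIL = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+ TLS Auth Error")

def triage(lines):
    """Return (findings, failures_per_peer) for DAL OpenVPN server log lines."""
    findings, seen, peers = [], set(), Counter()
    for line in lines:
        stamp = STAMP.search(line)
        when = stamp.group(0) if stamp else "?"
        for pattern, category, advice in RULES:
            # The same failure can be logged on several lines; report it once per second.
            if re.search(pattern, line) and (when, category) not in seen:
                seen.add((when, category))
                findings.append((when, category, advice))
        peer = PEER_FAIL.search(line)
        if peer:
            peers[peer.group(1)] += 1
    return findings, peers

# Constructed sample modelled on the excerpts above (203.0.113.7 is a documentation address).
SAMPLE = """\
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 Cipher AES-128 not supported
Sep 11 14:02:42 EX15W : pam_acc(openvpn:auth): pam_acc: password mismatch for user alice
Sep 11 14:02:42 EX15W Sep 11 14:02:42 00270439a34b us: pam_acc: password mismatch for user alice
Sep 11 14:02:42 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 14:02:42 2020 us=642975 203.0.113.7:63069 TLS Auth Error: Auth Username/Password verification failed for peer
Sep 11 14:06:07 EX15W root: openvpn: user alice(203.0.113.7) is not authorised to use server NewTunnel
Sep 11 14:06:07 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 14:06:07 2020 us=524564 203.0.113.7:63033 TLS Auth Error: Auth Username/Password verification failed for peer
""".splitlines()

if __name__ == "__main__":
    findings, peers = triage(SAMPLE)
    for when, category, advice in findings:
        print(f"{when}  {category}: {advice}")
    for ip, count in peers.items():
        print(f"{ip}: {count} failed authentication(s)")
```

A peer address with a steadily growing failure count is worth reviewing separately from a one-off configuration mistake.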