OpenVPN Troubleshooting Tips on DAL Routers

OpenVPN issues on DAL routers can be troubleshooted checking the logs (System > Logs  section on the WEB UI). In some cases, if the OpenVPN tunnel doesn't come up, it could be useful to  increase the verbosity level in order to get debug info for investigate the failure.

Below, the verbosity definition and levels from the official OpenVPN reference guide (https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/):

–verb n
Set output verbosity to n (default=1). Each level shows all info from the previous levels. Level 3 is recommended if you want a good summary of what’s happening without being swamped by output.0 — No output except fatal errors.
1 to 4 — Normal usage range.
5 — Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
6 to 11 — Debug info range
 

By default the verbosity level is set as 1, in order to increase VERB level for troubleshooting, there are the following options:

- DAL as OpenVPN Server or  DAL OpenVPN client without OVPN config file ("Use .ovpn file" option disabled):  Advanced Options section must be enabled and configured for this as in the example below:


verb.PNG

- DAL as OpenVPN client with OVPN config file ("Use .ovpn file" option enabled, is the default): The verbosity level can be directly set in the .ovpn file.

Note: Once the verbosity level is increased, the system logs will include more debugging info regarding the possible issue of the failure, but will also increase the size of log files, so is recommended to set it as default once the issue is resolved. 


A typically good output will be shown as follows:

OpenVPN Server Initialization:

 

[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 OpenVPN 2.4.4 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 28 2020 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.02 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 Diffie-Hellman initialized with 2048 bit key 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 TUN/TAP device os_NewTunnel opened 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 TUN/TAP TX queue length set to 100 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 /sbin/ifconfig os_NewTunnel 10.10.10.1 pointopoint 10.10.10.80 mtu 1500 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 Could not determine IPv4/IPv6 protocol. Using AF_INET 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 Socket Buffers: R=[180224->180224] S=[180224->180224] 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 UDPv4 link local (bound): [AF_INET][undef]:1194 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 UDPv4 link remote: [AF_UNSPEC] 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 MULTI: multi_init called, r=256 v=256 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 IFCONFIG POOL: base=10.10.10.80 size=5, ipv6=0 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 Initialization Sequence Completed 

 

Client Connection:

[F01:P05] Sep 11 12:59:27 EX15W root: openvpn: 95.91.252.234 successfully connected. 
 

The OpenVPN tunnel establishment, can fail due to error in the OpenVPN Server/Clent configuration (as invalid commands for example) or due to negotiations problems (authentication failure, parameter incompatibility between peers, etc). 

Following some examples of "bad" logs that can be seen in common error cases:

OpenVPN Server failing to initialize due to invalid options:

[F03:P05] Sep 11 13:30:35 EX15W netifd: Interface 'os_NewTunnel' is setting up now 
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 OpenVPN 2.4.4 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 28 2020 
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.02 
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 Diffie-Hellman initialized with 2048 bit key 
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 Cipher AES-128 not supported 
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 Exiting due to fatal error 
[F03:P05] Sep 11 13:30:35 EX15W netifd: Interface 'os_NewTunnel' is now down 


What to check >> When there is an error regarding an option not supporetd, most probably "Advanced options" have been configured to add parametrs to the default used by DAL. So that field must be checked to correct possible errors in the format or name of options specified.

OpenVPN Server fails to negotiate due to authentication failure (username invalid):

Sep 11 13:50:30 EX15W Sep 11 13:50:30 00270439a34b us: pam_acc: username username invalid
Sep 11 13:50:30 EX15W root: openvpn: PAM failed to authenticate user username(95.91.252.234)
Sep 11 13:50:30 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 13:50:30 2020 us=145846 95.91.252.234:63047 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Sep 11 13:50:30 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 13:50:30 2020 us=146165 95.91.252.234:63047 TLS Auth Error: Auth Username/Password verification failed for peer​


What to check >> When a username is detected as "invalid", most probaby the user configuration is missing on DAL. To add/correct it, go to Authentication > Users and add a user with same name configured in the client , asociated with the proper OpenVPN users groups for that tunnel (see below as well).

OpenVPN Server fails to negotiate due to authentication failure (user not authorized):

Sep 11 14:06:07 EX15W root: openvpn: user username(95.91.252.234) is not authorised to use server NewTunnel
Sep 11 14:06:07 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 14:06:07 2020 us=524199 95.91.252.234:63033 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Sep 11 14:06:07 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 14:06:07 2020 us=524564 95.91.252.234:63033 TLS Auth Error: Auth Username/Password verification failed for peer


What to check >> The username is authenticated, but is not authorized to use the OpenVPN tunnel. In this case what needs to be checked is the group associated to the user, that need to have the OpenVPN tunnel linked to it:

OVPN_1.PNG

OVPN_2.PNG


OpenVPN Server fails to negotiate due to authentication failure (password mismatch):

Sep 11 14:02:42 EX15W : pam_acc(openvpn:auth): pam_acc: password mismatch for user username
Sep 11 14:02:42 EX15W Sep 11 14:02:42 00270439a34b us: pam_acc: password mismatch for user username
Sep 11 14:02:42 EX15W root: openvpn: PAM failed to authenticate user username(95.91.252.234)
Sep 11 14:02:42 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 14:02:42 2020 us=642687 95.91.252.234:63069 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Sep 11 14:02:42 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 14:02:42 2020 us=642975 95.91.252.234:63069 TLS Auth Error: Auth Username/Password verification failed for peer


What to check >> The user is configured but the password is not matching with the one received from the client. So the password must be fixed.

 
Last updated: Jan 01, 2024

Recently Viewed

No recently viewed articles

Did you find this article helpful?