OpenVPN connectivity issues

Logwatch was good enough to show me that I had my logs filled with messages like these... repeating themselves over and over ad infinitum:

2007-12-20 09:11:21.037917500 90.154.176.176:36999 Re-using SSL/TLS context
2007-12-20 09:11:21.037942500 90.154.176.176:36999 LZO compression initialized
2007-12-20 09:11:21.038038500 90.154.176.176:36999 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
2007-12-20 09:11:21.038061500 90.154.176.176:36999 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
2007-12-20 09:11:21.038096500 90.154.176.176:36999 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2007-12-20 09:11:21.038115500 90.154.176.176:36999 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2007-12-20 09:11:21.038147500 90.154.176.176:36999 Local Options hash (VER=V4): '14168603'
2007-12-20 09:11:21.038172500 90.154.176.176:36999 Expected Remote Options hash (VER=V4): '504e774e'
2007-12-20 09:11:21.038221500 90.154.176.176:36999 TLS: Initial packet from 90.154.176.176:36999, sid=ae156279 68b55b32
2007-12-20 09:11:24.132401500 90.154.176.176:36986 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2007-12-20 09:11:24.132458500 90.154.176.176:36986 TLS Error: TLS handshake failed
2007-12-20 09:11:24.132578500 90.154.176.176:36986 SIGUSR1[soft,tls-error] received, client-instance restarting
2007-12-20 09:11:25.446516500 MULTI: multi_create_instance called


That's openvpn server complaining that it is getting a connection... and then without a warning another one is started. Worst of all, I had no access to the client logs so I had to guess what's going on.

Good news is, I guessed right. I checked my certificate and it had expired the day before and the clients were dropping the connection as soon as they saw the expired certificate.

I don't know how many times it has been that this has happened now. It was okay with Web, SMTP and IMAP servers since you get a warning in the client but you can still keep working. With OpenVPN it's more subtle than that.

Homework -- figure a way of protecting myself against such errors.

Comments

Post a Comment

Popular posts from this blog

Installing Gentoo with full disk encryption

The purpose of this exercise - install Gentoo where all disk partitions are encrypted. Boot from a system rescue disk and partition the disk - use GPT partition table where the first partition is reserved, second is the boot, and the third one is for the rest of the data. Device Start End Sectors Size Type /dev/sda1 2048 32767 30720 15M BIOS boot /dev/sda2 32768 442367 409600 200M Linux filesystem /dev/sda3 442368 375093902 374651535 178.7G Linux filesystem Encrypt partitions number 2 and 3, and open them cryptsetup luksFormat /dev/sda2 cryptsetup luksFormat /dev/sda3 cryptsetup luksOpen /dev/sda2 crypt_boot cryptsetup luksOpen /dev/sda3 crypt_data Format the boot partition mkfs.btrfs /dev/mapper/crypt_boot Prepare LVM for the rest, and format the top level vgcreate vg0 /dev/mapper/crypt_data lvcreate -l 100%FREE -n data vg0 mkfs.btrfs /dev/vg0/data Mount and set up any subvolumes mount /dev/vg0/data /mnt/gentoo btrfs subvol create /mnt/gentoo/@ /mnt/gentoo/@home umount /mnt/gentoo Now
Read more

FreeIPA cluster with containers

Notes on how to install a FreeIPA cluster on Ubuntu. Mostly following the instructions on https://github.com/freeipa/freeipa-container Start with what would be the primary host. If you install a third replica you would want to review the replica agreements to ensure you have a two-way replication between all pairs of nodes.
Read more

ADSL Router Model CT-5367 user and pass (VIVACOM)

Writing down the username and password for the vivacom ADSL router, in case I need it again. user: root pass: warmWLspot Useful to telnet 192.168.1.1 and then reboot . Originally found at Neo2SHYAlien blog . And here I found passwords for other models, just in case. ZTE ZXDSL 832 username: root password: GSrootaccess ZTE ZXDSL 831 username: root password: GSrootaccess ZTE username: root password: 831access Huawei SmartAX MT882 username: root password: MT882rootaccess ZTE ZXDSL-531b username: root password: rootWLaccess Pirelli – DRG – A124G username: root password: warmWLspot Comtrend CT-5367 username: root password: warmWLspot HG530 Home Gateway username: root password: warmWLspot
Read more