OpenVPN fails to start from the app, but works when started on the CLI

I have configured openvpn on my firewall with the following configuration file:

remote VPN_FQDN PORT_NUMBER
#daemon
dev tun
ifconfig 10.12.0.2 10.12.0.1
secret /etc/openvpn/secret-file.key
#log /var/log/openvpn.log
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
script-security 2
#up /etc/openvpn/up-script.sh
push "route 172.31.0.0 255.255.0.0"

I try to start the VPN from the app and it fails with the following logs:

2023-05-23 16:21:39 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-05-23 16:21:39 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
2023-05-23 16:21:39 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
2023-05-23 16:21:39 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
2023-05-23 16:21:39 TUN/TAP device vpn_372A_372A8 opened
2023-05-23 16:21:39 net_iface_mtu_set: mtu 1500 for vpn_372A_372A8
2023-05-23 16:21:39 net_iface_up: set vpn_372A_372A8 up
2023-05-23 16:21:39 net_addr_ptp_v4_add: 10.12.0.2 peer 10.12.0.1 dev vpn_372A_372A8
2023-05-23 16:21:39 /home/pi/firewalla/extension/vpnclient/ovpn_up.sh 372A_372A8 vpn_372A_372A8 1500 1545 10.12.0.2 10.12.0.1 init
net.ipv4.conf.vpn_372A_372A8.rp_filter = 2
chown: cannot access '/home/pi/.firewalla/run/ovpn_profile/372A_372A8.push_options': No such file or directory
RTNETLINK answers: No such process
RTNETLINK answers: No such process
0
2023-05-23 16:21:39 TCP/UDP: Preserving recently used remote address: [AF_INET]2.32.111.19:32
2023-05-23 16:21:39 UDP link local (bound): [AF_INET][undef]:1194
2023-05-23 16:21:39 UDP link remote: [AF_INET]2.32.111.19:32
2023-05-23 16:21:43 Peer Connection Initiated with [AF_INET]2.32.111.19:32
2023-05-23 16:21:43 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-05-23 16:21:43 Initialization Sequence Completed

and the following status

systemctl status "openvpn_client@372A_372A8"
○ openvpn_client@372A_372A8.service - Firewalla OpenVPN Client Service using profile 372A_372A8
   Loaded: loaded (/etc/systemd/system/openvpn_client@.service; disabled; vendor preset: enabled)
   Active: inactive (dead)May 23 16:31:43 Firewalla service_start.sh[4136093]: 2023-05-23 16:31:43 UDP link local (bound): [AF_INET][undef]:1194
May 23 16:31:43 Firewalla service_start.sh[4136093]: 2023-05-23 16:31:43 UDP link remote: [AF_INET]2.32.111.19:32
May 23 16:31:44 Firewalla service_start.sh[4136093]: 2023-05-23 16:31:44 Peer Connection Initiated with [AF_INET]2.32.111.19:32
May 23 16:31:46 Firewalla service_start.sh[4136093]: 2023-05-23 16:31:46 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 23 16:31:46 Firewalla service_start.sh[4136093]: 2023-05-23 16:31:46 Initialization Sequence Completed
May 23 16:32:13 Firewalla systemd[1]: Stopping Firewalla OpenVPN Client Service using profile 372A_372A8...
May 23 16:32:13 Firewalla sudo[4136091]: pam_unix(sudo:session): session closed for user root
May 23 16:32:13 Firewalla sudo[4136090]: pam_unix(sudo:session): session closed for user root
May 23 16:32:13 Firewalla systemd[1]: openvpn_client@372A_372A8.service: Deactivated successfully.
May 23 16:32:13 Firewalla systemd[1]: Stopped Firewalla OpenVPN Client Service using profile 372A_372A8.

Then I ssh on the Firewalla box and I start with

systemctl restart "openvpn_client@372A_372A8"

and the logs are

2023-05-23 16:26:05 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-05-23 16:26:05 Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
2023-05-23 16:26:05 WARNING: file '/etc/openvpn/secret-file.key' is group or others accessible
2023-05-23 16:26:05 OpenVPN 2.5.5 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-05-23 16:26:05 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2023-05-23 16:26:05 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-05-23 16:26:05 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
2023-05-23 16:26:06 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
2023-05-23 16:26:06 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
2023-05-23 16:26:06 TUN/TAP device vpn_372A_372A8 opened
2023-05-23 16:26:06 net_iface_mtu_set: mtu 1500 for vpn_372A_372A8
2023-05-23 16:26:06 net_iface_up: set vpn_372A_372A8 up
2023-05-23 16:26:06 net_addr_ptp_v4_add: 10.12.0.2 peer 10.12.0.1 dev vpn_372A_372A8
2023-05-23 16:26:06 /home/pi/firewalla/extension/vpnclient/ovpn_up.sh 372A_372A8 vpn_372A_372A8 1500 1545 10.12.0.2 10.12.0.1 init
net.ipv4.conf.vpn_372A_372A8.rp_filter = 2
chown: cannot access '/home/pi/.firewalla/run/ovpn_profile/372A_372A8.push_options': No such file or directory
RTNETLINK answers: No such process
RTNETLINK answers: No such process
0
2023-05-23 16:26:06 TCP/UDP: Preserving recently used remote address: [AF_INET]2.32.111.19:32
2023-05-23 16:26:06 UDP link local (bound): [AF_INET][undef]:1194
2023-05-23 16:26:06 UDP link remote: [AF_INET]2.32.111.19:32
2023-05-23 16:26:06 Peer Connection Initiated with [AF_INET]2.32.111.19:32
2023-05-23 16:26:07 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-05-23 16:26:07 Initialization Sequence Completed

At this point the vpn process stays on and doesn't exit as follows:

ps ax | grep openvpn 
4133784 ?        S      0:00 sudo /usr/sbin/openvpn --config /home/pi/.firewalla/run/ovpn_profile/372A_372A8.conf --script-security 2 --route-noexec --route-up /home/pi/firewalla/extension/vpnclient/ovpn_remove_pushed_routes.sh 372A_372A8 --up /home/pi/firewalla/extension/vpnclient/ovpn_up.sh 372A_372A8 --status /var/log/openvpn_client-status-372A_372A8.log
4133785 ?        S      0:00 sudo tee -a /var/log/openvpn_client-372A_372A8.log
4133786 ?        S      0:00 /usr/sbin/openvpn --config /home/pi/.firewalla/run/ovpn_profile/372A_372A8.conf --script-security 2 --route-noexec --route-up /home/pi/firewalla/extension/vpnclient/ovpn_remove_pushed_routes.sh 372A_372A8 --up /home/pi/firewalla/extension/vpnclient/ovpn_up.sh 372A_372A8 --status /var/log/openvpn_client-status-372A_372A8.log
4133787 ?        S      0:00 tee -a /var/log/openvpn_client-372A_372A8.log
4134139 pts/1    S+     0:00 grep --color=auto openvpn

And I can see the interface is UP

vpn_372A_372A8: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.12.0.2  netmask 255.255.255.255  destination 10.12.0.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 10  bytes 840 (840.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5  bytes 388 (388.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

(In the logs I obfuscated our VPN url and ip/port).

I can't figure out why it fails to start from the app while it succeeds when I do it from the console.

If any other information is needed to help troubleshoot this let me know.

Michael Bierman

May 24, 2023 01:43

Hi Panos,

Did you try to manually install the VPN Profile on Firewalla via ssh? Or did you import it through the app? It looks like a script may not have run with the right permissions or something. Firewalla doesn't try to stop you from using ssh but you are kind of on your own if you do something and it doesn't work—especially when the firewalla app supports the same operation.

Panos Vouzis

May 24, 2023 04:28

Hi Michael,

I set it up through the app. The part I set up through ssh was to save the key file on the device in the file:

secret /etc/openvpn/secret-file.key

The profile was impoted through the app.

When you say it doesn't run with the right permissions, what do you mean more specifiicaly?

May 24, 2023 15:12

I believe you are talking about this line

WARNING: file '/etc/openvpn/secret-to-netbeez.key' is group or others accessible

The thing is that line appears in the logs on both when I launch the VPN from the app and when I launch it on the terminal.

As a matter of fact, the logs between the two are identical.

Are there any other logs I should be look into?

Does the configuration file look correct?

May 29, 2023 22:57

@Panos,

You can put the key inside the profile itself. https://www.brainfart.sg/index.php/2012/05/embedding-certificate-into-openvpn-config/ this should work.

May 30, 2023 19:13

I made that change, but the VPN client still fails to start form the app.

As I mentioned if I ssh into the firewall and I run

systemctl restart openvpn_client@B081_B081D

the clients starts fine.

Also, I found the script you use to start the openvpn client

cat firewalla/extension/vpnclient/service_start.sh
#!/bin/bash

if [ $# -eq 0 ]; then
  logger "OpenVPNClient: No profile ID provided, exit"
  echo "OpenVPNClient: No profile ID provided, exit"
  exit 1
fi

sudo /usr/sbin/openvpn --config "/home/pi/.firewalla/run/ovpn_profile/$1.conf" --script-security 2 --route-noexec --route-up "/home/pi/firewalla/extension/vpnclient/ovpn_remove_pushed_routes.sh $1" --up "/home/pi/firewalla/extension/vpnclient/ovpn_up.sh $1" --status "/var/log/openvpn_client-status-$1.log" 2>&1 | sudo tee -a "/var/log/openvpn_client-$1.log"

And when I use that script to start the vpn client, it also works as expected with the following output:

firewalla/extension/vpnclient/service_start.sh B081_B081D
2023-05-30 11:11:49 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-05-30 11:11:49 Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
2023-05-30 11:11:49 OpenVPN 2.5.5 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-05-30 11:11:49 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2023-05-30 11:11:49 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-05-30 11:11:49 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
2023-05-30 11:11:49 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
2023-05-30 11:11:49 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
2023-05-30 11:11:49 TUN/TAP device vpn_B081_B081D opened
2023-05-30 11:11:49 net_iface_mtu_set: mtu 1500 for vpn_B081_B081D
2023-05-30 11:11:49 net_iface_up: set vpn_B081_B081D up
2023-05-30 11:11:49 net_addr_ptp_v4_add: 10.12.0.2 peer 10.12.0.1 dev vpn_B081_B081D
2023-05-30 11:11:49 /home/pi/firewalla/extension/vpnclient/ovpn_up.sh B081_B081D vpn_B081_B081D 1500 1545 10.12.0.2 10.12.0.1 init
net.ipv4.conf.vpn_B081_B081D.rp_filter = 2
chown: cannot access '/home/pi/.firewalla/run/ovpn_profile/B081_B081D.push_options': No such file or directory
RTNETLINK answers: No such process
RTNETLINK answers: No such process
0
2023-05-30 11:11:49 TCP/UDP: Preserving recently used remote address: [AF_INET]52.22.141.219:128
2023-05-30 11:11:49 UDP link local (bound): [AF_INET][undef]:1194
2023-05-30 11:11:49 UDP link remote: [AF_INET]52.22.141.219:128
2023-05-30 11:11:50 Peer Connection Initiated with [AF_INET]52.22.141.219:128
2023-05-30 11:11:50 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-05-30 11:11:50 Initialization Sequence Completed

My problem is that when I start the open vpn client (with "systemctl restart "openvpn_client@B081_B081D") it works fine. But when I use the app it fails (with the logs I posted at the begging of this thread)

My question, what mechanism does the app use to start the open vpn client?

If I know that, I might be able to reproduce the issue on the console and figure out why it fails (because the logs don't show any failure). It's just that the VPN process exits.

Does it call something like

OpenVPN fails to start from the app, but works when started on the CLI

Comments

Didn't find what you were looking for?