Initialization Sequence Completed, but terminal won't give a prompt
Try starting the client with the --daemon option:
openvpn --daemon
From openvpn's man page:
--daemon [progname]
Become a daemon after all initialization functions are completed
To interact with openvpn once it is a daemon, add the --management option to the command. This allows you to interact with it using telnet as described here.
Alternatively, open another terminal and just use that. This way, you can exit the running openvpn by pressing Ctrl+C in the original terminal.
If the client is a desktop system that uses Network Manager, then use the OpenVPN plugin to control it from there - no terminal needed.
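One way to run the client in the background and still confirm that the tunnel came up, as an added example that is not part of the original answer. The paths in LOG, PIDFILE and MGMT_PW, port 7505 and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer. LOG, PIDFILE, MGMT_PW and the
# function names are assumptions chosen for illustration.
LOG=${LOG:-/var/log/openvpn-client.log}
PIDFILE=${PIDFILE:-/run/openvpn-client.pid}
MGMT_PW=${MGMT_PW:-/etc/openvpn/mgmt.pw}   # root-only file holding the management password

# Start the client detached. A daemon has no terminal, so --log captures the
# lines that would otherwise scroll past; the management port listens on
# loopback only and asks for the password stored in MGMT_PW.
start_client() {
    openvpn --config "$1" --daemon --log "$LOG" --writepid "$PIDFILE" \
            --management 127.0.0.1 7505 "$MGMT_PW"
}

# Poll the log. Returns 0 = tunnel up, 1 = fatal error logged, 2 = timed out.
wait_for_init() {
    log=$1; tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        grep -q 'Initialization Sequence Completed' "$log" 2>/dev/null && return 0
        grep -q 'Exiting due to fatal error' "$log" 2>/dev/null && return 1
        tries=$((tries - 1)); sleep 1
    done
    return 2
}

# Print "<device> <local address>" from the last "ip addr add" line
# (the net30 form that appears in the question's output).
tunnel_addr() {
    sed -n 's/.*ip addr add dev \(tun[0-9]*\) local \([0-9.]*\) peer .*/\1 \2/p' "$1" | tail -n 1
}

# Check that the address the log reports is really configured on the interface.
verify_tunnel() {
    set -- $(tunnel_addr "$1")
    [ -n "${1:-}" ] && ip -o addr show dev "$1" | grep -qF " $2 "
}

# Usage (as root): sh start-vpn.sh /etc/openvpn/client.ovpn
if [ -n "${1:-}" ]; then
    start_client "$1" && wait_for_init "$LOG" 30 && verify_tunnel "$LOG" &&
        echo "tunnel up: $(tunnel_addr "$LOG")"
fi
```

Without a password file, any local user who can reach the management port can control the client, which is why the example binds it to 127.0.0.1 and supplies one.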
RabT
Updated on September 18, 2022
Comments
-
RabT almost 2 years
I just installed openvpn on a remote CentOS 7 server using the instructions in this tutorial. The only change I made to the tutorial was to use @GarethTheRed's instructions for configuring firewalld instead of iptables, as described in Step 4 of the tutorial.
The problem is that the tutorial ends with a line of client code that causes the terminal to fail to return a command prompt (see below). How can I successfully connect via OpenVPN to my remote CentOS 7 server from my local CentOS 7 devbox?
Here are the connection steps I have tried so far:
At the end of Step 6 of the tutorial, I successfully used yum install openvpn on my devbox before typing sudo openvpn --config /path/to/client.ovpn.
The problem is that sudo openvpn --config /path/to/client.ovpn results in the terminal locking up after printing Initialization Sequence Completed.
The complete output is:
[root@localhost ~]# openvpn --config /etc/openvpn/client.ovpn
Wed Feb 11 16:46:06 2015 OpenVPN 2.3.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 2 2014
Wed Feb 11 16:46:06 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Wed Feb 11 16:46:06 2015 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Feb 11 16:46:06 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Wed Feb 11 16:46:06 2015 UDPv4 link local: [undef]
Wed Feb 11 16:46:06 2015 UDPv4 link remote: [AF_INET]192.96.215.22:1194
Wed Feb 11 16:46:06 2015 TLS: Initial packet from [AF_INET]192.96.215.22:1194, sid=1f320288 ab1f20d3
Wed Feb 11 16:46:07 2015 VERIFY OK: depth=1, C=US, ST=CA, L=SomeTown, O=Fort-Funston, OU=MyOrganizationalUnit, CN=serverdomain.com, name=server, [email protected]
Wed Feb 11 16:46:07 2015 VERIFY OK: depth=0, C=US, ST=CA, L=SomeTown, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=server, [email protected]
Wed Feb 11 16:46:08 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 11 16:46:08 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 11 16:46:08 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 11 16:46:08 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 11 16:46:08 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Feb 11 16:46:08 2015 [server] Peer Connection Initiated with [AF_INET]192.96.215.22:1194
Wed Feb 11 16:46:10 2015 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Feb 11 16:46:10 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Feb 11 16:46:10 2015 OPTIONS IMPORT: timers and/or timeouts modified
Wed Feb 11 16:46:10 2015 OPTIONS IMPORT: --ifconfig/up options modified
Wed Feb 11 16:46:10 2015 OPTIONS IMPORT: route options modified
Wed Feb 11 16:46:10 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Feb 11 16:46:10 2015 ROUTE_GATEWAY 10.0.0.1/255.255.255.0 IFACE=p4p1 HWADDR=14:fe:b5:aa:57:60
Wed Feb 11 16:46:10 2015 TUN/TAP device tun0 opened
Wed Feb 11 16:46:10 2015 TUN/TAP TX queue length set to 100
Wed Feb 11 16:46:10 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Feb 11 16:46:10 2015 /usr/sbin/ip link set dev tun0 up mtu 1500
Wed Feb 11 16:46:10 2015 /usr/sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Wed Feb 11 16:46:10 2015 /usr/sbin/ip route add 192.96.215.22/32 via 10.0.0.1
Wed Feb 11 16:46:10 2015 /usr/sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Wed Feb 11 16:46:10 2015 /usr/sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Wed Feb 11 16:46:10 2015 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Wed Feb 11 16:46:10 2015 Initialization Sequence Completed
At the end of this output, there is just a cursor, but no command prompt. Typing in the cursor or hitting return has no effect besides printing what you type on the terminal screen.
I read this other posting which describes a similar error and states that the problem is in the DNS configuration, but I followed the tutorial's DNS config instructions exactly. The server also handles requests for mydomain.com served up by httpd. The domain registrar has been pointing requests for mydomain.com to the ip of the server since long before adding OpenVPN. Would this cause some kind of conflict? How can I get the connection to complete?
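The client output above also shows three settings worth tightening once the connection works. The following added example (not part of the original post) flags them in a client log and names the client or server directive that addresses each one; audit_log and sample_log are hypothetical helper names, and the sample lines are copied from the output in the question.

```shell
#!/bin/sh
# Added example, not from the original post. audit_log and sample_log are
# hypothetical helper names.

# Sample input: four lines copied from the client output quoted in the question.
sample_log() {
    cat <<'EOF'
Wed Feb 11 16:46:06 2015 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Feb 11 16:46:08 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 11 16:46:08 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 11 16:46:08 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
EOF
}

# audit_log [FILE...]: read an OpenVPN client log (file or stdin) and print one
# "key: finding" line per weak setting, however many log lines mention it.
audit_log() {
    awk '
    /WARNING: No server certificate verification method has been enabled/ {
        f["cert-verify"] = "client accepts any certificate signed by the CA; add: remote-cert-tls server" }
    /Data Channel (Encrypt|Decrypt): Cipher .BF-CBC. / {
        f["data-cipher"] = "BF-CBC is a 64-bit block cipher; set on both ends: cipher AES-256-CBC" }
    /Control Channel: TLSv1,/ {
        f["tls-version"] = "control channel negotiated TLS 1.0; add: tls-version-min 1.2" }
    END { for (k in f) print k ": " f[k] }
    ' "$@" | sort
}

# Usage: sh audit.sh --demo      or      audit_log /var/log/openvpn-client.log
if [ "${1:-}" = "--demo" ]; then
    sample_log | audit_log
fi
```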
-
garethTheRed over 9 years
@CodeMed - I've edited my answer...
-
RabT over 9 years
I am planning to use OpenVPN to 1.) allow the administrator to perform all admin functions that I currently perform with ssh and 2.) to allow users to interact with a private web application using their web browsers. I can put much of those requirements in other questions. Right now, I just want to get started so that I can research the possibilities with a working prototype. I'm telling you these details so you can help me define a working starting point. Just being able to access a terminal via OpenVPN would be great for now. Then I could shut down ssh altogether and do admin over OpenVPN
-
garethTheRed over 9 years
Access a terminal via OpenVPN? That's the job of ssh. Unless you're trying to avoid opening the firewall for ssh of course. Once openvpn is running correctly, your remote user will effectively be on the LAN, at which point the user can ssh to the servers or access the private web application. Is that what you are trying to achieve? Run openvpn --daemon and check if you have a LAN IP address.
-
RabT over 9 years
I ran openvpn --daemon and openvpn --daemon --management, but all I get is another command prompt after each of those commands. No error message. No success message. Nothing but another command prompt. Yes, I am trying to avoid opening the firewall for ssh. I want all ssh and http/s traffic to run inside the VPN tunnel, so that only two ports are open in the firewall, one for OpenVPN and the other for smtp. How can I check if I have a LAN IP address? This is all new to me. Thank you
-
RabT over 9 years
Note that I created passwords for both the server and the client. I have not entered these passwords because I have not been prompted for them, and I have not read where to submit them. I do not know if they are required for authentication. I believe the passwords were created as part of the certificate generation process. The tutorial in my OP was silent on the topic of passwords, though the certificate generating scripts asked me to create passwords.
-
garethTheRed over 9 years
Yes, that's correct - you'll get a command prompt as openvpn is running in the background. If you run ip addr you should see a tun device with an IP address. If you run ip route you should see a new route added with IP addresses in the same network as your tun device has. This is the route through the VPN to your remote server. Ping the remote server's VPN address (not its public IP address) and you should get a response.
-
RabT over 9 years
Thank you. But I think I am missing something. Are you willing to look at the output and help me see what I might be doing wrong? I posted it to a file sharing site. Here is the link: jumpshare.com/v/lTULOxSkEeiaOm6Yd5FU?b=mLIuVaLC7U1s9hBx1tYY
-
garethTheRed over 9 years
You are missing the tun device, without which, nothing will work. Are you sure you've followed the DigitalOcean article correctly? To be honest, I can't confirm it works as I set up my server from another source, the client setup does work though. Run openvpn without --daemon or --management and see if there is anything useful in the output. You did run it as root didn't you?
-
RabT over 9 years
Yes I ran it as root. Typing openvpn as root gives a long printout of options, much like a man page. Yes, I followed the digital ocean article explicitly, with the only exception that I used your firewalld instructions linked in my OP instead of the iptables instruction in the article.
-
garethTheRed over 9 years
Sorry - openvpn --config /path/to/config/file.
-
RabT over 9 years
openvpn --config /path/to/config/file gives the same results described in my OP. i.e. The terminal prints a lot of stuff like it is establishing a connection. Then it prints Tue Feb 17 11:21:47 2015 Initialization Sequence Completed. But it does not give a command prompt. It just gives a cursor with no command prompt, so you can type things and hit return, but all you get is a carriage return and no interactive response.
-
garethTheRed over 9 years
Let us continue this discussion in chat.
-
RabT over 9 years
I am not able to log into unix.stackexchange chat, though of course I am logged in as a user. I have posted a ticket about this, see meta post: meta.unix.stackexchange.com/questions/3405/cannot-log-into-chat
-
RabT over 9 years
I did open a stack overflow chat room. Are you willing to discuss this with me there? here is the link: chat.stackoverflow.com/rooms/71108/anotherroom
-
RabT over 9 years
I would like to define separate permissions for users who only get https access, and for administrator who can https and ssh. My research indicates that I should set up a separate instance of OpenVPN to accomplish this. I took a first stab at a plan. Are you willing to assess the plan and show how to accomplish it if you think my approach is best? Here is the link to the new posting: unix.stackexchange.com/questions/185599/…
-
lobi almost 9 years
I wish you guys did not use chat to solve the problem... I am stuck with this problem as of now.
-
garethTheRed over 8 years
@lobi. If we do not use chat, we get severely told off by the moderators :-) This is a question and answer site, not a question and discuss site and in order to keep it tidy, we are forced into chat every time the comments start to get a little long. In the perfect world, after discussing via chat, a relevant and concise answer should be posted; but as you can imagine, that doesn't always happen.
-
lobi over 8 years
Understood. Thanks for the response; I'm relatively new to stackexchange. It is unfortunate that a chat session is not stored and linked to the question.