OpenVPN not starting tun0

linux networking vpn openvpn raspberry-pi

6,254

The next thing that should happen after "Peer Connection Initiated" is a push/pull request exchange. Apparently the other side is doing a push, but not a pull, so you also need to do a pull on this side.

6,254

usr-local-ΕΨΗΕΛΩΝ

Chuck Norris is the only one who can type my name on a keyboard by using my teeth as keys, courtesy of a roundhouse kick in my mouth

Updated on September 18, 2022

Comments

usr-local-ΕΨΗΕΛΩΝ over 1 year

I have restored a Raspberry Pi running an OpenVPN client from a major disaster by actually copying files in /etc/openvpn to the new machine.

Now simply openvpn won't start dev tun0

Log shows the following (verbosity 3):

Tue Jan 31 20:08:34 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Tue Jan 31 20:08:34 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Tue Jan 31 20:08:35 2017 WARNING: file '/etc/ssl/vpn/secret.key' is group or others accessible
Tue Jan 31 20:08:35 2017 WARNING: file '/etc/ssl/vpn/ta.key' is group or others accessible
Tue Jan 31 20:08:35 2017 Control Channel Authentication: using '/etc/ssl/vpn/ta.key' as a OpenVPN static key file
Tue Jan 31 20:08:35 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 31 20:08:35 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 31 20:08:35 2017 Socket Buffers: R=[163840->131072] S=[163840->131072]
Tue Jan 31 20:08:35 2017 TUN/TAP device tun0 opened
Tue Jan 31 20:08:35 2017 TUN/TAP TX queue length set to 100
Tue Jan 31 20:08:35 2017 GID set to nogroup
Tue Jan 31 20:08:35 2017 UID set to nobody
Tue Jan 31 20:08:35 2017 UDPv4 link local: [undef]
Tue Jan 31 20:08:35 2017 UDPv4 link remote: [AF_INET]aa.bb.cc.dd:1194
Tue Jan 31 20:08:35 2017 TLS: Initial packet from [AF_INET]aa.bb.cc.dd:1194, sid=4c0e5dbf 708c5f57
Tue Jan 31 20:08:36 2017 VERIFY OK: depth=1, C=AT, ST=LA, L=ATLANTIS, O=coolpeople, OU=VPN, CN=coolpeople CA, name=djechelon, [email protected]
Tue Jan 31 20:08:36 2017 VERIFY OK: nsCertType=SERVER
Tue Jan 31 20:08:36 2017 VERIFY OK: depth=0, C=AT, ST=LA, L=ATLANTIS, O=coolpeople, OU=VPN, CN=limortacci, name=djechelon, [email protected]
Tue Jan 31 20:08:37 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 31 20:08:37 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 31 20:08:37 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 31 20:08:37 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 31 20:08:37 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Jan 31 20:08:37 2017 [limortacci] Peer Connection Initiated with [AF_INET]aa.bb.cc.dd:1194
Tue Jan 31 20:08:38 2017 Initialization Sequence Completed

But ifconfig shows no trace of tun0 unless I use -a

ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

I expected at least tun0 to get the IP address as the server has.

What is wrong with my configuration? It looks like the VPN is established.

Client config is

dev tun
proto udp
tls-client
remote aa.bb.cc.dd 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca /etc/ssl/vpn/ca.crt
cert /etc/ssl/vpn/cert.crt
key /etc/ssl/vpn/key.key
ns-cert-type server
tls-auth /etc/ssl/vpn/ta.key 1
cipher AES-256-CBC
comp-lzo
push "route 192.168.192.0 255.255.255.0 vpn_gateway 1"
log         /var/log/openvpn.log
verb 7

Files in /etc/ssl are present (did I say I restored them too?)