OpenVPN-AS... Pulling my hair out! - RESOLVED

Amitz Member
edited March 2013 in Help

Hello everybody!

I am pulling my hair out because of some problem with OpenVPN-AS and sincerely hope (after quite some Google research) that someone here might help me out...

Prologue:
For some strange reason, I always miserably failed if installing OpenVPN (not AS) by hand. No matter which guide I followed, it simply never worked out as expected. And if it worked somehow, then it was quite some hassle to provide that access to a friend. Then I came across OpenVPN-AS. Installation was more than easy, it is providing 2 users as default and worked out of the box perfectly for me and my friend who is sharing the VPN with me.

But:
There is one problem that drives me crazy: Periodically, I would say daily, the VPN becomes unreachable. I receive a "Could not establish connection with VPN server" message on my home PC and that was it then. Same with my friend at the other side of the country. Looking at the VPS, the service is running fine at those times. Even the log in /var/log/ shows no entry at all. Even the Web-Interface is showing the server as "running". If I restart the server (via console), it starts working again immediately. I thought: "Well, let's go the easy way and just set a cron to restart the server twice a day". But that does not work. I have no idea when it stops working (there is no pattern) and so I am confronted with that "problem" on a daily basis.

I have tried it on two different VPS which are both OpenVZ, by the way. One is running CentOS 6.3, the other Debian Squeeze. They both use the official packages from the OpenVPN site and they both have the same issue.

I am at my wit's end. Really. Please. Help! :)

Kind regards and thanks in advance!
Amitz

Comments

  • Nekki Veteran

    I've got around 8 different VPS running OpenVPN-AS, some of them have been around for just under a year and I've never seen this issue.

    What sort of spec are you running these on? AS can be a bit of a memory hog.

  • Amitz Member
    edited March 2013

    Thank you, Nekki - That's what drives me crazy. I know that OpenVPN-AS is stable for so many people and really wonder why it isn't for me. Therefore I tried it on two different VPS even with different OS.

    VPS A is a 1024 MB OpenVZ with access to 4 cores (at Ramnode) and
    VPS B is a 512 MB OpenVZ with access to 2 cores (at RocketVPS).

    I guess that memory should not be a problem with those specs or am I wrong?
    May I ask for your hardware specs and the OS that you are using?

    Kind regards
    Amitz

  • cloromorpho Member
    edited March 2013

    @Amitz I had a similar problem some time ago.

    The issue was with OpenVZ and was fixed by following these instructions (by the provider):

    http://openvpn.net/index.php/access-server/docs/admin-guides/186-how-to-run-access-server-on-a-vps-container.html

    By the way, if you use KVM you should not have any issues. It seems to be a problem with OpenVZ and iptables.

    Also, BuyVM and Prometeus OpenVZ containers work with openvpn-as out of the box. (These are the providers I know.)

  • AnthonySmith Member, Patron Provider

    I provide OpenVPN AS Xen templates and have never seen this issue with the server side, however the client becomes unreliable if you install the 2 types.

  • Nekki Veteran
    edited March 2013

    @Amitz said: I guess that memory should not be a problem with those specs or am I wrong?

    May I ask for your hardware specs and the OS that you are using?

    No, memory should be no issue at all with those specs - I've actually got AS running on a heavily optimised 64MB box, but most are running happily on 128's with very little optimisation (all Debian/Ubuntu, 1 core machines).

    I presume you're simply installing via dpkg as per the official instructions?

    Might be worth installing some monitoring software VPS (I use munin personally, very easy to setup) to see if anything unusual is happening prior to the server locking up.

  • Amitz Member

    @AnthonySmith said: I provide OpenVPN AS Xen templates and have never seen this issue with the server side, however the client becomes unreliable if you install the 2 types.

    Thanks, Anthony! Just to clarify - What do you mean by "if you install the 2 types"?

    @Nekki said: I presume you're simply installing via dpkg as per the official instructions?

    Right.

    @Nekki said: Might be worth installing some monitoring software VPS (I use munin personally, very easy to setup) to see if anything unusual is happening prior to the server locking up.

    I do have munin setup on both servers and - unfortunately - see nothing suspicious... :(

    But I have now ordered a KVM VPS just to test if I encounter the same problem there. I have always and only tried it with OpenVZ. Let's see what happens...

    Kind regards
    Amitz

  • VPNsh Member, Host Rep

    @Amitz said: I have always and only tried it with OpenVZ.

    Even if you do get it running on KVM, that's just working around whatever issue is at fault. There's no reason why OpenVZ should be the limiting factor.

  • AnthonySmith Member, Patron Provider

    Few different clients out there, if you have been using openvpn community you probably have had or have the older openvpn client installed along with the connect client which seem to punch each other in the face at times.

  • Amitz Member

    @liamwithers said: Even if you do get it running on KVM, that's just working around whatever issue is at fault. There's no reason why OpenVZ should be the limiting factor.

    You are absolutely right. And I would love to get it working flawlessly with OpenVZ. The KVM is just another test whether it is me or something else. I am really in despair somehow.

    @AnthonySmith said: Few different clients out there, if you have been using openvpn community you probably have had or have the older openvpn client installed along with the connect client which seem to punch each other in the face at times.

    Ah, I see. I am using the client that gets provided by OpenVPN themselves. The one that gets offered when you connect to your own OpenVPN-AS IP via WebGUI.

  • Nekki Veteran

    @Amitz said: But I have now ordered a KVM VPS just to test if I encounter the same problem there. I have always and only tried it with OpenVZ. Let's see what happens...

    Just a thought, but what authentication are you using?

  • Amitz Member
    edited March 2013

    @Nekki
    PAM on both systems. That was preconfigured by the installer.

  • budingyun Member
    edited March 2013

    Actually configuring standard openvpn (not AS) is easy. I may guide you if you want. Just pm me. :D

  • bnmkl Member

    If you are finished with your hair @Amitz , could you mail it to me please ? I would like to sniff it whilst reading your posts . Thanks ^_^

  • Amitz Member

    @budingyun said: Actually configuring standard openvpn (not AS) is easy. I may guide you if you want. Just pm me. :D

    Thank you for the offer, budingyun - I may come back to it if my KVM experiment fails too! :)

    @bnmkl said: If you are finished with your hair @Amitz , could you mail it to me please ? I would like to sniff it whilst reading your posts . Thanks ^_^

    Come on, what's wrong with you? I can offer you my worn underwear, that's the real deal! :)

  • bnmkl Member

    Haha @Amitz !

    There are so many irresistible offers here.

  • Amitz Member

    @Nekki said: Might be worth installing some monitoring software VPS (I use munin personally, very easy to setup) to see if anything unusual is happening prior to the server locking up.

    Okay, I have missed something: Both OpenVZ hosts share this:

    VPS A

    VPS B

    Not any other VPS that I have (and run munin on) shows venet0 errors. Only the two that also cause problems with OpenVPN. I think there might be a correlation...

  • OpenVPN-AS and OpenVZ can be a bitch to work with, would not recommend.

  • raidz Member
    edited March 2013

    @Amitz said: Even the log in /var/log/ shows no entry at all. Even the Web-Interface is showing the server as "running".

    Have you tried looking in /var/log/openvpnas.log? That's where we spit out most of the OpenVPN-AS errors.

    Do you have something else that uses iptables (like CSF) running on the VPS?

    Also, a trick for some of you guys who want to run OpenVPN-AS + CSF.

    Create a csfpost.sh in /etc/csf and add:

        #!/bin/sh
        /usr/local/openvpn_as/scripts/sacli --restart_mode=iptables start

    This allows for Access Server to run together with CSF, it is not a bulletproof solution but will work more than not.

  • Amitz Member

    Ehm. Yes. What all my tries had in common was CSF installed with OpenVPN-AS. I have opened the corresponding ports and never came across the idea that there could be a coincidence...

    But just to repeat it again: OpenVPN IS working on those OpenVZ-VPS with CSF installed. It just stops responding periodically until I manually restart the service.

  • raidz Member
    edited March 2013

    @Amitz said: OpenVPN IS working on those OpenVZ-VPS with CSF installed. It just stops responding periodically until I manually restart the service.

    I would recommend trying the trick I recommended then, sounds to me like csf is screwing it up when it reloads rules or loads new rules etc, so now when it does that it will run a warm restart of openvpn-as (which will just reload openvpn's iptables rules.)

  • Amitz Member

    Yes, this absolutely sounds like the possible solution for my problem! I have added the script to /etc/csf and I guess the next 48 hours will show the result.

    Even if it sounds dumb: The same is not required when running OpenVPN-AS and CSF on a KVM?

  • raidz Member

    @Amitz said: Even if it sounds dumb: The same is not required when running OpenVPN-AS and CSF on a KVM?

    You would have the same issue on KVM, if this is the problem. It is unrelated to OpenVZ and more related to the fact that both CSF and OpenVPN-AS like to keep control of iptables. This solution should help resolve that. I am pretty confident this is your issue and the script will fix it.

  • Amitz Member

    Then it should be simple to instantly reproduce the issue. All I have to do is a 'csf -r' WITHOUT your script in place (should lead to OpenVPN becoming unresponsive) and then again with your script. Sounds great, I'll try that. I would be SO happy if this would be the solution! :-)
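
The reproduction described in this comment can also be checked at the ruleset level. The following is an added example, not part of the thread and not code from OpenVPN-AS or CSF: it lists the iptables chains present in one `iptables-save` snapshot and missing from a later one. The function names and both sample snapshots are constructed, and the `AS0_` chain prefix in the sample is an assumption about how Access Server names its chains.

```sh
#!/bin/sh
# Added example: list iptables chains that vanish between two
# iptables-save snapshots, e.g. taken before and after `csf -r`.

# chains: read iptables-save text on stdin, print one "table:chain" per chain
chains() {
    awk '/^\*/ { table = substr($0, 2) }           # "*filter" opens a table
         /^:/  { print table ":" substr($1, 2) }   # ":INPUT DROP [0:0]"
    ' | LC_ALL=C sort -u
}

# lost_chains BEFORE AFTER: chains declared in BEFORE but missing from AFTER
lost_chains() {
    before=$(mktemp); after=$(mktemp)
    chains < "$1" > "$before"
    chains < "$2" > "$after"
    LC_ALL=C comm -23 "$before" "$after"
    rm -f "$before" "$after"
}

# Constructed snapshots (not from a real host); AS0_* names are assumed.
sample_before() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
:AS0_IN - [0:0]
:AS0_OUT - [0:0]
-A INPUT -j AS0_IN
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
:AS0_NAT - [0:0]
COMMIT
EOF
}
sample_after() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
:LOCALINPUT - [0:0]
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}
# demo: run the comparison on the two constructed snapshots
demo() {
    b=$(mktemp); a=$(mktemp)
    sample_before > "$b"; sample_after > "$a"
    lost_chains "$b" "$a"; rm -f "$b" "$a"
}
if [ "$#" -eq 2 ]; then lost_chains "$1" "$2"; else demo; fi
```

On a real host, save `iptables-save` output to a file before and after `csf -r` and pass the two files as arguments; an empty result means no chain was dropped by the reload.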

  • raidz Member

    @Amitz said: All I have to do is a 'csf -r' WITHOUT your script in place (should lead to OpenVPN becoming unresponsive) and then again with your script.

    Yeah, give that a shot and let me know.

  • Amitz Member
    edited March 2013

    THAT IS SO GREAT! Absolutely wonderful - The solution for my problem finally is there! It works great now.
    Thank you so much, raidz, for the final hint and everyone else here for your support and for ending my daily facepalming...
    You cannot imagine how happy I am right now! :-)

  • raidz Member

    @Amitz said: Thank you so much, raidz

    No problem, glad I could help.

  • Amitz Member

    Damn! You DID! :-)

  • Amitz Member
    edited March 2013

    I just wanted to confirm that, some days later, everything still works fine! :-)
    Just one thing: If you look at the munin screenshots that I have posted above, you will notice the venet0 errors (dropped packets). I still see that in my munin graphs whenever I have used the VPN. So there is a direct correlation. I do not see any errors on the munin graph on a KVM VPS running OpenVPN. It just shows on the OVZ machines.

    Any idea how I could fix that? Hugs in advance!
    -A
