6

I'm having this weird issue that when I run bridge-start together with openvpn, the service won't start. If I don't let openvpn run bridge-start, and add the necessary interfaces (tap0, br0) manually (or run bridge-start from the shell) and I comment out the "up" directives so that openvpn won't invoke any script, then it works and everything's fine.

Looking into openvpn.log I can see that openvpn invokes the script with several options (/etc/openvpn/bridge-start tap0 1500 1654 init), and I don't really understand why that is. Could this be a problem?

openvpn.log:

Tue May  8 20:18:34 2018 us=217442 Current Parameter Settings:
Tue May  8 20:18:34 2018 us=217576   config = 'server.conf'
Tue May  8 20:18:34 2018 us=217599   mode = 1
Tue May  8 20:18:34 2018 us=217616   persist_config = DISABLED
Tue May  8 20:18:34 2018 us=217633   persist_mode = 1
Tue May  8 20:18:34 2018 us=217679   show_ciphers = DISABLED
Tue May  8 20:18:34 2018 us=217697   show_digests = DISABLED
Tue May  8 20:18:34 2018 us=217713   show_engines = DISABLED
Tue May  8 20:18:34 2018 us=217729   genkey = DISABLED
Tue May  8 20:18:34 2018 us=217745   key_pass_file = '[UNDEF]'
Tue May  8 20:18:34 2018 us=217761   show_tls_ciphers = DISABLED
Tue May  8 20:18:34 2018 us=217778   connect_retry_max = 0
Tue May  8 20:18:34 2018 us=217795 Connection profiles [0]:
Tue May  8 20:18:34 2018 us=217812   proto = udp
Tue May  8 20:18:34 2018 us=217829   local = '[UNDEF]'
Tue May  8 20:18:34 2018 us=217845   local_port = '1194'
Tue May  8 20:18:34 2018 us=217861   remote = '[UNDEF]'
Tue May  8 20:18:34 2018 us=217877   remote_port = '1194'
Tue May  8 20:18:34 2018 us=217893   remote_float = DISABLED
Tue May  8 20:18:34 2018 us=217909   bind_defined = DISABLED
Tue May  8 20:18:34 2018 us=217925 NOTE: --mute triggered...
Tue May  8 20:18:34 2018 us=217949 268 variation(s) on previous 20 message(s) suppressed by --mute
Tue May  8 20:18:34 2018 us=217974 OpenVPN 2.4.5 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar  1 2018
Tue May  8 20:18:34 2018 us=218005 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Tue May  8 20:18:34 2018 us=218268 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Tue May  8 20:18:34 2018 us=218467 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue May  8 20:18:34 2018 us=219618 Diffie-Hellman initialized with 2048 bit key
Tue May  8 20:18:34 2018 us=221006 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue May  8 20:18:34 2018 us=221065 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue May  8 20:18:34 2018 us=221120 TLS-Auth MTU parms [ L:1654 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Tue May  8 20:18:34 2018 us=221554 TUN/TAP device tap0 opened
Tue May  8 20:18:34 2018 us=221605 TUN/TAP TX queue length set to 100
Tue May  8 20:18:34 2018 us=221798 /etc/openvpn/bridge-start tap0 1500 1654   init
Tue May  8 20:18:34 2018 ERROR: Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16)
Tue May  8 20:18:34 2018 Exiting due to fatal error
RTNETLINK answers: File exists
RTNETLINK answers: File exists
Tue May  8 20:18:34 2018 us=249873 WARNING: Failed running command (--up/--down): external program exited with error status: 2
Tue May  8 20:18:34 2018 us=249933 Exiting due to fatal error

bridge-start:

#!/bin/sh
# Interface names and the LAN address that moves from the adapter onto the bridge
br="br0"
tap="tap0"
eth="enp1s0"
eth_ip="10.50.0.4"
eth_netmask="24"
eth_broadcast="10.50.0.255"

# Create a persistent TAP device for each name in $tap
for t in $tap; do
    /usr/sbin/openvpn --mktun --dev $t
done

# Create the bridge and enslave the LAN adapter and the TAP device(s) to it
/usr/sbin/ip link add $br type bridge
/usr/sbin/ip link set $eth master $br
for t in $tap; do
    /usr/sbin/ip link set $t master $br
done

# Bring the bridge members up in promiscuous mode
for t in $tap; do
    /usr/sbin/ip link set $t up
    /usr/sbin/ip link set $t promisc on
done
/usr/sbin/ip link set $eth up
/usr/sbin/ip link set $eth promisc on

# The LAN address now lives on the bridge, not on $eth
/usr/sbin/ip address add $eth_ip/$eth_netmask broadcast $eth_broadcast dev $br

server.conf:

port 1194
proto udp
dev tap0
script-security 2
up "/etc/openvpn/bridge-start"
down "/etc/openvpn/bridge-stop"
tls-server
ca ca.crt
cert home-vpn.crt
key home-vpn.key  # This file should be kept secret
dh dh2048.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.50.0.4 255.255.255.0 10.50.0.50 10.50.0.100
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
auth-nocache
cipher CAMELLIA-256-CBC
auth SHA512
reneg-sec 3600
crl-verify crl.pem
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
compress lz4-v2
push "compress lz4-v2"
max-clients 50
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 4
mute 20
explicit-exit-notify

Thanks!

Lethargos

1 Answer

9

This happens if you did not stop the openvpn service before making changes to the configuration file; as a result, after restarting, you still have a stray process holding the old interface. It is necessary to stop the openvpn service completely and then run `killall openvpn`. Example for Debian Linux:

# /etc/init.d/openvpn stop
# killall openvpn

We check the process in memory:

# ps -A|grep openvpn

if none - start openvpn:

# /etc/init.d/openvpn start

the service should start without errors... :)

user515778
  • Hi. Thanks for the answer. I don't even remember if I solved it, to be honest, but after such a long time it's become irrelevant. If I come across this problem again, I'll check it out. – Lethargos Mar 25 '19 at 20:14
  • Actually the problem was not that an openvpn process was still running, but that the bridge-stop script isn't being executed when the vpn service is restarted. If I run it manually, then I can restart the openvpn service without any issues. This is what bridge-stop looks like on my server (sorry for that format, I don't seem to be able to do it right in comments): `br="br0"; tap="tap0"; for t in $tap; do /usr/sbin/openvpn --rmtun --dev $t; done; /usr/sbin/ip link set $br down; /usr/sbin/ip link delete $br type bridge` – Lethargos May 30 '19 at 12:07
  • I stopped my service before running the script manually (to test it), and it worked: `service openvpn stop`, `openvpn /etc/openvpn/client.conf`. – xinthose Jun 21 '19 at 20:06
  • `ps -A | grep openvpn` followed by `sudo kill -9 ` worked for me on Ubuntu 18.04 – aksh1618 Jun 26 '19 at 02:39
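
Added example (not part of the question, the answer or the comments above), covering both the question's puzzle about the arguments and the later comment's diagnosis. openvpn(8) documents that `--up` is run as `cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]`, which is exactly the logged `/etc/openvpn/bridge-start tap0 1500 1654   init` (the two ifconfig fields are empty because `dev tap0` has no `--ifconfig`). By the time that hook runs, openvpn has already opened `tap0` with TUNSETIFF, so the script's own `openvpn --mktun --dev tap0` is the child that logs `Cannot ioctl TUNSETIFF tap0: Device or resource busy`. `ip link add` and `ip address add` are not idempotent either, so a `br0` left behind when bridge-stop did not run on restart accounts for the two `RTNETLINK answers: File exists` lines and the exit status 2. The rewrite below takes the device name from the hook's arguments, skips `--mktun` when called by openvpn, and probes sysfs before every non-idempotent step. Interface names and the address are taken from the question; `run`, `link_exists`, `enslaved_to`, `bridge_up` and the `BRIDGE_DRY_RUN` variable are names assumed for this example.

```shell
#!/bin/sh
# Idempotent bridge-start for OpenVPN's --up hook (added example, not the
# poster's script). br0/tap0/enp1s0 and 10.50.0.4/24 come from the question;
# run/link_exists/enslaved_to/bridge_up and BRIDGE_DRY_RUN are names assumed
# for this example.
set -eu

br="br0"
default_tap="tap0"
eth="enp1s0"
eth_ip="10.50.0.4"
eth_netmask="24"
eth_broadcast="10.50.0.255"

# Every state-changing command goes through run(); with BRIDGE_DRY_RUN=1 it
# prints the command instead of executing it, so the plan can be inspected
# without root.
run() {
    if [ "${BRIDGE_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# State probes via sysfs, so no `ip` output has to be parsed.
link_exists() { [ -d "/sys/class/net/$1" ]; }
# A bridge lists its ports under brif/: enslaved_to <dev> <bridge>
enslaved_to() { [ -d "/sys/class/net/$2/brif/$1" ]; }

# OpenVPN invokes --up as:
#   cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]
# (openvpn(8)), i.e. the logged "bridge-start tap0 1500 1654   init".
# With no arguments (manual run from a shell) the script creates the TAP
# device itself; when called by openvpn the device is already open.
bridge_up() {
    tap="${1:-$default_tap}"

    # openvpn has already done TUNSETIFF on $tap before running --up, so a
    # second `openvpn --mktun --dev $tap` fails with EBUSY. Only create the
    # device for a manual run, and only if it does not exist yet.
    if [ $# -eq 0 ] && ! link_exists "$tap"; then
        run /usr/sbin/openvpn --mktun --dev "$tap"
    fi

    # `ip link add` is not idempotent: a bridge left behind because
    # bridge-stop did not run gives "RTNETLINK answers: File exists".
    if ! link_exists "$br"; then
        run /usr/sbin/ip link add "$br" type bridge
    fi

    # Enslave members only when they are not already bridge ports.
    for dev in "$eth" "$tap"; do
        if ! enslaved_to "$dev" "$br"; then
            run /usr/sbin/ip link set "$dev" master "$br"
        fi
        run /usr/sbin/ip link set "$dev" up
        run /usr/sbin/ip link set "$dev" promisc on
    done

    # The LAN address lives on the bridge; `replace` succeeds whether or not
    # it is already there, where `add` fails with "File exists".
    run /usr/sbin/ip address replace "$eth_ip/$eth_netmask" broadcast "$eth_broadcast" dev "$br"
    run /usr/sbin/ip link set "$br" up
}

# Only act when installed under the name openvpn calls; when the file is
# sourced or run under another name the functions are defined and nothing
# is touched.
case "${0##*/}" in
    bridge-start) bridge_up "$@" ;;
esac
```

Running `BRIDGE_DRY_RUN=1 /etc/openvpn/bridge-start tap0 1500 1654 "" "" init` prints the plan that the `up` hook would execute; the same script run with no arguments also creates `tap0`, which is the manual-from-the-shell case the question describes. With `script-security 2` and no `user`/`group` directive in this server.conf the hook runs as root, so keep the file root-owned and not writable by anyone else.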