OpenVPN Admin Issues

SYSTEM INFORMATION
OS type and version REQUIRED
Virtualmin version REQUIRED

webmin 1.999

root@electra:~# hostname
electra.xsxtc.uk
root@electra:~# domainname
(none)
root@electra:~# dnsdomainname
xsxtc.uk

Hi,

It has been a while since I posted as we lost both of our houses in a fire at Easter and it has taken some time to get organised. I lost my server with all the settings and also the backup (in the second house) so reinstating everything has not been easy.

I had an OpenVPN server running on my virtual server hosted with OVH which I then transferred to IONOS and in the transfer and set up of the VPN something has not worked so I cannot start the service on the new server.

OpenVPN Admin reports a version of 2.0_rc16. In trying to sort it out I saw that the latest version is not 3.2 but when I tried to download it through Webmin Modules I get a 502 Bad Gateway error on an nginx server. I searched through the net but cannot find a solution to overcome it. Can anyone help?

I searched for other repositories but all roads seem to lead to the same place (Rome probably as it is a .it domain). Is there somewhere else I can download this file?

Is this the right forum to discuss OpenVPN issues, or should I just try to deal with the OpenVPN forums?

Hope someone can help.

Geoff

I did enter the system information but it has not come through so here it is again.

OS type and version Ubuntu 20.04.4
Virtualmin 7.1-1
Webmin 1.999

G

Here is some clarity about the problem I am facing with the server itself which is why I was looking to upgrade. It may be that the upgrade is not necessary if I can solve the connection issue.

OpenVPN Issue

O/S Ubuntu 20.04.4

Webmin 1.999

Virtualmin 7.1-1

OpenVPN Admin uses OpenVPN version 2.0_rc16, OpenSSL version 0.9.7e

(I have tried to upgrade to the latest version but the site returns a 502 error)

Hi,

I am having issues connecting to my VPN. It sits on my server and worked fine on the previous machine I used but when I had to transfer it to a new VPS, it was necessary to rebuild it from scratch.

The service is running but I do not know how to test if it is running properly or not.

I have checked the config files and they all look to be fine with the redirection of keys and certificates etc. but to be sure I have even tried a profile with all the certificate, dh and keys data embedded.

No matter what I try I cannot get a connection. The log shows that it is negotiating with the server but something is stopping it from finalising the connection.

The only thing I can think of is the firewall but the ports have been open for UDP (1194 and 1195) and when I try:

root@electra:~# firewall-cmd --zone=public --query-masquerade

Get the response

yes

[Unfortunately I do not know enough about IP Tables and Firewalld to determine what I have set up as the masquerade so that might be the first place to start?]

I am posting some config files below as well for more information but can anyone help me to get this working please? I am posting both in Virtualmin forums and OpenVPN forums.

/etc/openvpn/xsxtc-vpn-kodi.conf

port 1195

proto udp

dev tun1

ca keys/xsxtc-ca/ca.crt

cert keys/xsxtc-ca/server-key.crt

key keys/xsxtc-ca/server-key.key

dh keys/xsxtc-ca/dh2048.pem

topology subnet

server 10.20.0.0 255.255.255.0

crl-verify keys/xsxtc-ca/crl.pem

ifconfig-pool-persist servers/xsxtc-vpn-kodi/logs/ipp.txt

cipher AES-256-CBC

user nobody

group nogroup

status servers/xsxtc-vpn-kodi/logs/openvpn-status.log

log-append servers/xsxtc-vpn-kodi/logs/openvpn.log

verb 2

mute 20

max-clients 100

keepalive 10 120

client-config-dir /etc/openvpn/servers/xsxtc-vpn-kodi/ccd

duplicate-cn

comp-lzo

persist-key

persist-tun

float

ccd-exclusive

auth SHA512

push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 8.8.4.4"

push "redirect-gateway def1 bypass-dhcp"

Extract from the server log

Wed Aug 31 21:29:47 2022 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022

Wed Aug 31 21:29:47 2022 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10

Wed Aug 31 21:29:47 2022 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want

Wed Aug 31 21:29:47 2022 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn

Wed Aug 31 21:29:47 2022 TUN/TAP device tun1 opened

Wed Aug 31 21:29:47 2022 /sbin/ip link set dev tun1 up mtu 1500

Wed Aug 31 21:29:47 2022 /sbin/ip addr add dev tun1 10.20.0.1/24 broadcast 10.20.0.255

Wed Aug 31 21:29:47 2022 Could not determine IPv4/IPv6 protocol. Using AF_INET

Wed Aug 31 21:29:47 2022 UDPv4 link local (bound): [AF_INET][undef]:1195

Wed Aug 31 21:29:47 2022 UDPv4 link remote: [AF_UNSPEC]

Wed Aug 31 21:29:47 2022 GID set to nogroup

Wed Aug 31 21:29:47 2022 UID set to nobody

Wed Aug 31 21:29:47 2022 Initialization Sequence Completed

Wed Aug 31 22:43:43 2022 event_wait : Interrupted system call (code=4)

Wed Aug 31 22:43:43 2022 Closing TUN/TAP interface

Wed Aug 31 22:43:43 2022 /sbin/ip addr del dev tun1 10.20.0.1/24

RTNETLINK answers: Operation not permitted

Wed Aug 31 22:43:43 2022 Linux ip addr del failed: external program exited with error status: 2

Wed Aug 31 22:43:43 2022 SIGTERM[hard,] received, process exiting

Wed Aug 31 22:44:00 2022 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022

Wed Aug 31 22:44:00 2022 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10

Wed Aug 31 22:44:00 2022 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want

Wed Aug 31 22:44:00 2022 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn

Wed Aug 31 22:44:00 2022 TUN/TAP device tun1 opened

Wed Aug 31 22:44:00 2022 /sbin/ip link set dev tun1 up mtu 1500

Wed Aug 31 22:44:00 2022 /sbin/ip addr add dev tun1 10.20.0.1/24 broadcast 10.20.0.255

Wed Aug 31 22:44:00 2022 Could not determine IPv4/IPv6 protocol. Using AF_INET

Wed Aug 31 22:44:00 2022 UDPv4 link local (bound): [AF_INET][undef]:1195

Wed Aug 31 22:44:00 2022 UDPv4 link remote: [AF_UNSPEC]

Wed Aug 31 22:44:00 2022 GID set to nogroup

Wed Aug 31 22:44:00 2022 UID set to nobody

Wed Aug 31 22:44:00 2022 Initialization Sequence Completed

Client kodi.opvn file (sits in a directory with all the referenced keys and certificates etc.)

client

proto udp

dev tun

ca ca.crt

dh dh2048.pem

cert kodi.crt

key kodi.key

remote 77.68.100.23 1195

cipher AES-256-CBC

verb 2

mute 20

keepalive 10 120

comp-lzo

persist-key

persist-tun

float

resolv-retry infinite

nobind

auth SHA512

I have sorted this myself and the VPN is working but it would still be good to get the module to work properly instead of giving the Bad Gateway message. Is anyone going to look into it?

This can be closed.

I am not an expert in OpenVPN but I have installed open source server on RH and Debian with the third party Webmin module.
These are my observations related to this post:

  1. The third party Webmin module that originated from Giuliano Natali & Marco Colombo at openit.it is no longer offered and the link to it on webmin.com does not work (502 Bad Gateway). The error is not the module’s fault, but the invalid link.

  2. There are, anyway, reports that the above module has problems on Debian 11.

  3. There are several forks of the module on Github and I have chosen to use André Schild’s since it has a release file that is provided as a Webmin module file. It works.
    GitHub - a-schild/webmin-openvpn-debian-jessie: OpenVPN plugin for Webmin

  4. The OpenVPN and OpenSSL versions reported by the module are not obtained from OpenVPN and OpenSSL but are values from the module config page. You should therefore run “/usr/sbin/openvpn --version” and “openssl version” to find the version you’re running and type these into the config page if you want to see it shown in the module main page.

  5. It appears the module defaults to creating folders under /etc/openvpn called servers instead of server and clients instead of client. You’ll find the singular folders are empty.

  6. Since the keys and client and server files can be stored anywhere, and referenced in server.conf (or whatever you name it) you should either configure the VPN server using the module or ensure that the module is configured with the correct folder paths.

I hope this helps
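Added example, not part of any post in this thread and not code from the Webmin module or OpenVPN: a shell check for observation 6 (do the key and certificate paths named in the server config actually resolve?) that also reports the two `duplicate-cn` conflicts OpenVPN warns about in the posted server log. The function names, the `demo-ca` sample files and the base directory argument are assumptions; for the setup in this thread the base directory is assumed to be /etc/openvpn.

```bash
#!/usr/bin/env bash
# Added example, not part of the Webmin module or OpenVPN.

# Lint a server config: report key material that cannot be read and the
# duplicate-cn conflicts OpenVPN warns about at start-up.
# $1 = config file, $2 = directory that relative paths are resolved against
# (an assumption: the directory OpenVPN is started from).
check_ovpn_conf() {
    local conf="$1" base="$2" findings=0 directive path rest
    local dupcn=0 ccd=0 ipp=0
    while read -r directive path rest; do
        case $directive in
            ca|cert|key|dh|crl-verify)
                case $path in /*) ;; *) path=$base/$path ;; esac
                if [ ! -r "$path" ]; then
                    echo "MISSING $directive $path"
                    findings=$((findings + 1))
                fi ;;
            duplicate-cn) dupcn=1 ;;
            client-config-dir) ccd=1 ;;
            ifconfig-pool-persist) ipp=1 ;;
        esac
    done < "$conf"
    if [ "$dupcn" -eq 1 ] && [ "$ccd" -eq 1 ]; then
        echo "CONFLICT duplicate-cn client-config-dir"
        findings=$((findings + 1))
    fi
    if [ "$dupcn" -eq 1 ] && [ "$ipp" -eq 1 ]; then
        echo "CONFLICT duplicate-cn ifconfig-pool-persist"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]   # exit status 0 only when the config is clean
}

# Constructed sample: a cut-down config in the style of the one posted above,
# with ca.crt present and the other referenced files absent.
make_sample() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/keys/demo-ca"
    : > "$dir/keys/demo-ca/ca.crt"
    cat > "$dir/server.conf" <<'EOF'
port 1195
ca keys/demo-ca/ca.crt
cert keys/demo-ca/server.crt
key keys/demo-ca/server.key
client-config-dir ccd
duplicate-cn
ifconfig-pool-persist ipp.txt
EOF
    echo "$dir"
}
```

Against a real server the call would be `check_ovpn_conf /etc/openvpn/xsxtc-vpn-kodi.conf /etc/openvpn`; a non-zero exit status means at least one finding was printed.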

Thanks, yes it does. I have used the install script to get it working.

I did look at the Schild option but did not install it. If it is just an admin package it should not upset my current installation should it? The install script uses the Server folder but puts Clients in the root account (I move them to the Client folder).

Appreciate your time to reply thank you.

Geoff

Maybe I misunderstood your initial post because I thought you had tried to install the webmin module for OpenVPN and failed at the bad gateway error.

The OpenVPN server package is installed through normal means being either from a repo or downloading the package. The Webmin module is not necessary to run the server, it just provides a web UI to configure the server (create CA, create VPN server, create clients, monitor clients etc).
There are other web UIs but they require a web server (Apache, nginx etc) whereas a Webmin module can use the Webmin UI on port 10000, so is more convenient (SSO, same look and feel etc).

So, as you say, if your VPN server is running you don’t need the admin module. And if you install the admin module after the VPN server is running you must edit the module config (gear wheel) to make sure it is pointed to all the right directories for certs and users.

Cheers, Peter
