Open
Description
Hi, I was installing openvpn on target_ubuntu_server over another ssh over vpn connection :
[my_machine]<openvpn client> ----- (internet) ------ <openvpn server>[asuswrt_router] ----- (local network) ---- [target_unbuntu_server]
I lost connection from my_machine to target_ubuntu_server during the installation of the script, and can't connect back to it since. However, if I ssh onto asuswrt_router, then I can ssh into target_ubuntu_server.
Do you know what's wrong ?
Here is the log output from the installation all the way to the disconnection. I just redacted the hostname.
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install
I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.
I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 192.168.1.162
It seems this server is behind NAT. What is its public IPv4 address or hostname?
We need it for the clients to connect to the server.
Public IPv4 address or hostname: *****.*****.***
Checking for IPv6 connectivity...
Your host does not appear to have IPv6 connectivity.
Do you want to enable IPv6 support (NAT)? [y/n]: n
What port do you want OpenVPN to listen to?
1) Default: 1194
2) Custom
3) Random [49152-65535]
Port choice [1-3]: 2
Custom port [1-65535]: 1195
What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
1) UDP
2) TCP
Protocol [1-2]: 1
What DNS resolvers do you want to use with the VPN?
1) Current system resolvers (from /etc/resolv.conf)
2) Self-hosted DNS Resolver (Unbound)
3) Cloudflare (Anycast: worldwide)
4) Quad9 (Anycast: worldwide)
5) Quad9 uncensored (Anycast: worldwide)
6) FDN (France)
7) DNS.WATCH (Germany)
8) OpenDNS (Anycast: worldwide)
9) Google (Anycast: worldwide)
10) Yandex Basic (Russia)
11) AdGuard DNS (Anycast: worldwide)
12) NextDNS (Anycast: worldwide)
13) Custom
DNS [1-12]: 9
Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.
Enable compression? [y/n]: n
Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.
Customize encryption settings? [y/n]: n
Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...
Hit:1 https://downloads.plex.tv/repo/deb public InRelease
Hit:2 https://packages.microsoft.com/repos/vscode stable InRelease
Hit:3 https://download.docker.com/linux/ubuntu jammy InRelease
Hit:4 https://apt.grafana.com stable InRelease
Hit:5 https://repos.influxdata.com/debian stable InRelease
Hit:6 http://jp.archive.ubuntu.com/ubuntu jammy InRelease
Hit:7 https://ppa.launchpadcontent.net/team-xbmc/ppa/ubuntu jammy InRelease
Get:8 http://jp.archive.ubuntu.com/ubuntu jammy-updates InRelease [128 kB]
Get:9 http://jp.archive.ubuntu.com/ubuntu jammy-backports InRelease [127 kB]
Get:10 http://jp.archive.ubuntu.com/ubuntu jammy-security InRelease [129 kB]
Get:11 http://jp.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [2,338 kB]
Get:12 http://jp.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [1,187 kB]
Get:13 http://jp.archive.ubuntu.com/ubuntu jammy-backports/universe amd64 Packages [30.0 kB]
Get:14 http://jp.archive.ubuntu.com/ubuntu jammy-backports/universe Translation-en [16.6 kB]
Fetched 3,957 kB in 5s (747 kB/s)
Reading package lists... Done
W: https://packages.microsoft.com/repos/vscode/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
ca-certificates is already the newest version (20240203~22.04.1).
gnupg is already the newest version (2.2.27-3ubuntu2.1).
0 upgraded, 0 newly installed, 0 to remove and 16 not upgraded.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
ca-certificates is already the newest version (20240203~22.04.1).
curl is already the newest version (7.81.0-1ubuntu1.20).
iptables is already the newest version (1.8.7-1ubuntu5.2).
iptables set to manually installed.
openssl is already the newest version (3.0.2-0ubuntu1.19).
openssl set to manually installed.
wget is already the newest version (1.21.2-2ubuntu1.1).
The following additional packages will be installed:
libpkcs11-helper1
Suggested packages:
resolvconf openvpn-systemd-resolved easy-rsa
The following NEW packages will be installed:
libpkcs11-helper1 openvpn
0 upgraded, 2 newly installed, 0 to remove and 16 not upgraded.
Need to get 669 kB of archives.
After this operation, 1,832 kB of additional disk space will be used.
Get:1 http://jp.archive.ubuntu.com/ubuntu jammy-updates/main amd64 libpkcs11-helper1 amd64 1.28-1ubuntu0.22.04.1 [50.3 kB]
Get:2 http://jp.archive.ubuntu.com/ubuntu jammy-updates/main amd64 openvpn amd64 2.5.11-0ubuntu0.22.04.1 [619 kB]
Fetched 669 kB in 2s (442 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libpkcs11-helper1:amd64.
(Reading database ... 192876 files and directories currently installed.)
Preparing to unpack .../libpkcs11-helper1_1.28-1ubuntu0.22.04.1_amd64.deb ...
Unpacking libpkcs11-helper1:amd64 (1.28-1ubuntu0.22.04.1) ...
Selecting previously unselected package openvpn.
Preparing to unpack .../openvpn_2.5.11-0ubuntu0.22.04.1_amd64.deb ...
Unpacking openvpn (2.5.11-0ubuntu0.22.04.1) ...
Setting up libpkcs11-helper1:amd64 (1.28-1ubuntu0.22.04.1) ...
Setting up openvpn (2.5.11-0ubuntu0.22.04.1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn.service → /lib/systemd/system/openvpn.service.
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for libc-bin (2.35-0ubuntu3.9) ...
Scanning processes...
Scanning candidates...
Scanning processor microcode...
Scanning linux images...
The processor microcode seems to be up-to-date.
Restarting services...
/etc/needrestart/restart.d/systemd-manager
systemctl restart containerd.service cron.service glances.service irqbalance.service mosquitto.service mqtt-to-prometheus-node-exporter.service multipathd.service nmbd.service packagekit.service polkit.service prometheus-node-exporter.service prometheus.service rsyslog.service rtkit-daemon.service smartmontools.service smbd.service ssh.service systemd-journald.service systemd-networkd.service systemd-resolved.service systemd-timesyncd.service systemd-udevd.service thermald.service transmission-daemon.service udisks2.service upower.service
Service restarts being deferred:
systemctl restart ModemManager.service
/etc/needrestart/restart.d/dbus.service
systemctl restart docker.service
systemctl restart [email protected]
systemctl restart networkd-dispatcher.service
systemctl restart systemd-logind.service
systemctl restart unattended-upgrades.service
systemctl restart [email protected]
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
--2025-02-22 12:26:08-- https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz
Resolving github.com (github.com)... 20.27.177.113
Connecting to github.com (github.com)|20.27.177.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/c2688102-7cd5-4fcc-b272-083d48dc4b4d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250222%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250222T122608Z&X-Amz-Expires=300&X-Amz-Signature=29f302e8e6ac7135839d13ac265bc05fdbe397506054fa66b8d8cec59eed2a5f&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.1.2.tgz&response-content-type=application%2Foctet-stream [following]
--2025-02-22 12:26:08-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/c2688102-7cd5-4fcc-b272-083d48dc4b4d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250222%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250222T122608Z&X-Amz-Expires=300&X-Amz-Signature=29f302e8e6ac7135839d13ac265bc05fdbe397506054fa66b8d8cec59eed2a5f&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.1.2.tgz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68984 (67K) [application/octet-stream]
Saving to: ‘/root/easy-rsa.tgz’
/root/easy-rsa.tgz 100%[================================================================================================================================================================>] 67.37K --.-KB/s in 0.008s
2025-02-22 12:26:09 (7.88 MB/s) - ‘/root/easy-rsa.tgz’ saved [68984/68984]
Notice
------
'init-pki' complete; you may now create a CA or requests.
Your newly created PKI dir is:
* /etc/openvpn/easy-rsa/pki
* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
* The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>
* Using x509-types directory: /etc/openvpn/easy-rsa/x509-types
* Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
* The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>
Using configuration from /etc/openvpn/easy-rsa/pki/5f0ba68a/temp.9624d85f
-----
Notice
------
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
* Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
* The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>
-----
Notice
------
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server_Pa6rPQRNXhhY3aoU.req
key: /etc/openvpn/easy-rsa/pki/private/server_Pa6rPQRNXhhY3aoU.key
Using configuration from /etc/openvpn/easy-rsa/pki/c5109376/temp.a2ac98d3
401714F0557F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:315:group=<NULL> name=unique_subject
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server_Pa6rPQRNXhhY3aoU'
Certificate is to be certified until Feb 20 12:26:10 2035 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Notice
------
Certificate created at:
* /etc/openvpn/easy-rsa/pki/issued/server_Pa6rPQRNXhhY3aoU.crt
Notice
------
Inline file created:
* /etc/openvpn/easy-rsa/pki/inline/server_Pa6rPQRNXhhY3aoU.inline
* Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
* The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>
Using configuration from /etc/openvpn/easy-rsa/pki/ac287b81/temp.683c8087
Notice
------
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
2025-02-22 12:26:10 WARNING: Using --genkey --secret filename is DEPRECATED. Use --genkey secret filename instead.
* Applying /etc/sysctl.d/10-console-messages.conf ...
kernel.printk = 4 4 1 7
* Applying /etc/sysctl.d/10-ipv6-privacy.conf ...
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
* Applying /etc/sysctl.d/10-kernel-hardening.conf ...
kernel.kptr_restrict = 1
* Applying /etc/sysctl.d/10-magic-sysrq.conf ...
kernel.sysrq = 176
* Applying /etc/sysctl.d/10-network-security.conf ...
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
* Applying /etc/sysctl.d/10-ptrace.conf ...
kernel.yama.ptrace_scope = 1
* Applying /etc/sysctl.d/10-zeropage.conf ...
vm.mmap_min_addr = 65536
* Applying /usr/lib/sysctl.d/50-bubblewrap.conf ...
kernel.unprivileged_userns_clone = 1
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.default.accept_source_route = 0
sysctl: setting key "net.ipv4.conf.all.accept_source_route": Invalid argument
net.ipv4.conf.default.promote_secondaries = 1
sysctl: setting key "net.ipv4.conf.all.promote_secondaries": Invalid argument
net.ipv4.ping_group_range = 0 2147483647
net.core.default_qdisc = fq_codel
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_regular = 1
fs.protected_fifos = 1
* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
kernel.pid_max = 4194304
* Applying /etc/sysctl.d/99-openvpn.conf ...
net.ipv4.ip_forward = 1
* Applying /usr/lib/sysctl.d/99-protect-links.conf ...
fs.protected_fifos = 1
fs.protected_hardlinks = 1
fs.protected_regular = 2
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.conf ...
Created symlink /etc/systemd/system/multi-user.target.wants/[email protected] → /etc/systemd/system/[email protected].
client_loop: send disconnect: Connection reset
[process exited with code 255 (0x000000ff)]
You can now close this terminal with Ctrl+D, or press Enter to restart.
Metadata
Metadata
Assignees
Labels
No labels