Re: Re (3): error message from openvpn & postmortem.
peasth...@shaw.ca wrote:
> Bob Proulx wrote:
> > That does look suspicious. But to me it looks suspiciously like
> > packets are getting dropped by a firewall and you already checked
> > that they weren't.
>
> * November 15, about 13:30 hrs my ISP inadvertently disconnected the cable.

I had not suspected that your network was disconnected! :-)

> Thanks for the help. Your advice wasn't wasted.

Glad to have been able to help.

Bob

Re (3): error message from openvpn & postmortem.
From my original message.
> Nothing obvious, but shouldn't traceroute get a route?

From: Bob Proulx
Date: Sun, 28 Nov 2010 15:39:20 -0700
> That does look suspicious. But to me it looks suspiciously like
> packets are getting dropped by a firewall and you already checked
> that they weren't.

The problem with OpenVPN was self-inflicted. I might blame it on the ISP but really I should have remembered the setting in /etc/default/openvpn. This is a summary.

* November 14 and 15, updated the system. Also made some configuration adjustments aiming to make local name resolution work again.
* November 15, about 13:30 hrs my ISP inadvertently disconnected the cable.
* That afternoon and the next day I spent several hours in discussion with the ISP and hunting for a problem in my system.
* November 18, returned to work. To prevent Dalton from hammering at the tunnel I shut it off in /etc/default/openvpn ... and quickly forgot it.
* November 20, returned home and found the Internet connection still not working.
* November 23, local staff reconnected the cable.
* November 28, at home again, read your troubleshooting suggestions and did the tests.
* November 30, returned to work, found OpenVPN disabled, turned it on and had the tunnel working again. Whew!

Still wondering how traceroute fails but the tunnel works.

r...@dalton:~# traceroute -p 1194 -P udp joule.yi.org
traceroute to joule.yi.org (24.108.33.159), 30 hops max, 60 byte packets
 1 * * *
 2 * * *
...
r...@dalton:~# ping 10.4.0.1
PING 10.4.0.1 (10.4.0.1) 56(84) bytes of data.
64 bytes from 10.4.0.1: icmp_req=1 ttl=64 time=18.1 ms
64 bytes from 10.4.0.1: icmp_req=2 ttl=64 time=12.4 ms
64 bytes from 10.4.0.1: icmp_req=3 ttl=64 time=17.3 ms
^C
--- 10.4.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 12.453/15.973/18.108/2.512 ms

Thanks for the help. Your advice wasn't wasted.
... Peter E.

--
Telephone 1 360 450 2132. 7785886232 is gone.
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/171056710.63856.33...@heaviside.invalid

State of interfaces ; was Re (3): error message from openvpn.
Progress.

From: Bob Proulx
Date: Sun, 28 Nov 2010 15:39:20 -0700
> You might crank up the verbosity of the openvpn
> logging and see if it logs something interesting.

r...@dalton:~# grep verb /etc/openvpn/my*
verb 9
r...@dalton:~# grep tun0 /var/log/syslog
r...@dalton:~# grep tun0 /var/log/kern.log
r...@dalton:~# ip link show tun0
Device "tun0" does not exist.

Whereas Joule has tun0 in "state UNKNOWN".

pe...@joule:~$ ip link show tun0
6: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none

Even lo is "state UNKNOWN".

pe...@joule:~$ ip link show lo
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

An ne2k-pci NIC as the primary Internet connection also gave "state UNKNOWN". Whereas an e100 is UP.

pe...@joule:~# ip link show MainBoard
4: MainBoard: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:03:47:c2:94:65 brd ff:ff:ff:ff:ff:ff

So I've narrowed the problem. Why no tun0 on Dalton? Why are some interfaces in "state UNKNOWN"? Google finds a variety of references to interface "state UNKNOWN" but I'm running out of weekend.

Thanks for the help,
... Peter E.

Re (3): error message from openvpn.
From: Bob Proulx
Date: Sun, 28 Nov 2010 15:39:20 -0700
> ... if it were configured to log rejects to the syslog then you should see
> logging of anything shorewall is rejecting to ... /var/log/kern.log

syslog vs. kern.log? In any case, yes, kern.log records that Shorewall is dropping UDP packets ... but this is more elementary.

PCI1 is the external interface on Joule.

joule:/home/peter# ip link show PCI1
2: PCI1: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:50:ba:52:79:1c brd ff:ff:ff:ff:ff:ff

HTTP and SSH to the Internet work with the interface in state UNKNOWN?

This is the external interface on Dalton for comparison.

r...@dalton:~# ip link show eth0
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:02:55:d9:a7:ef brd ff:ff:ff:ff:ff:ff

Appears that the external interface on Joule isn't working properly.

Regards,
... Peter E.

Re: Re (2): error message from openvpn.
peasth...@shaw.ca wrote:
> Bob Proulx wrote:
> > I would look to see that the ports match up on both sides of the
> > OpenVPN connection.
>
> Just checked /etc/openvpn/myvpn.conf again. Yes, both ends aim for
> dev tun, udp 1194.

Good.

> > I would look that it is allowed through the firewall.
>
> I reviewed the Shorewall configuration before learning that Shaw
> Cable accidentally disconnected service and again after
> reconnection.

I like Shorewall. Not sure that all of these are required but this is what I have on my machine.

rules:
ACCEPT all fw udp openvpn

policy:
fw tun ACCEPT
tun fw ACCEPT

If you are using shorewall and if it were rejecting and if it were configured to log rejects to the syslog then you should see logging of anything shorewall is rejecting to /var/log/kern.log

If not then I don't know. I use both OpenVPN and Shorewall and it works well for me.

You might crank up the verbosity of the openvpn logging and see if it logs something interesting.

# 0 is silent, except for fatal errors
# 1 is default
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
; verb 1
;log openvpn.log
;log-append openvpn.log

Pick something more verbose than the default and see if it gives a clue as to the problem.

I would also fire up tcpdump at the same time and monitor traffic on that port. You should see it both leave and arrive on the different end points. I would run multiple copies on each host that had any involvement in the connection.

tcpdump -lni any port 1194

> Nothing obvious, but shouldn't traceroute get a route?

That does look suspicious. But to me it looks suspiciously like packets are getting dropped by a firewall and you already checked that they weren't.

Bob

Re (2): error message from openvpn.
From: Bob Proulx
Date: Sat, 27 Nov 2010 19:24:33 -0700
> I would look to see that the ports match up on both sides of the OpenVPN
> connection.

Just checked /etc/openvpn/myvpn.conf again. Yes, both ends aim for dev tun, udp 1194.

> I would look that it is allowed through the firewall.

I reviewed the Shorewall configuration before learning that Shaw Cable accidentally disconnected service and again after reconnection.

Nothing obvious, but shouldn't traceroute get a route?

r...@dalton:~# traceroute -p 1194 -P udp joule.yi.org
traceroute to joule.yi.org (24.108.33.159), 30 hops max, 60 byte packets
 1 * * *
 2 * * *
 3 * * *
 4 * * *
...
r...@joule:/etc/openvpn# traceroute -p 1194 -P udp 142.103.107.137 [dalton]
traceroute to 142.103.107.137 (142.103.107.137), 30 hops max, 60 byte packets
 1 * * *
 2 * * *
 3 * * *
 4 * * *
...
r...@joule:/home/peter# traceroute -p 1194 -P udp localhost
traceroute to localhost (127.0.0.1), 30 hops max, 60 byte packets
 1 * * *
 2 * * *
 3 * * *
 4 * * *
...

Regards,
... Peter E.

Re: error message from openvpn.
peasth...@shaw.ca wrote:
> An OpenVPN tunnel is failing and this message is in /var/log/syslog.
> Nov 27 16:17:07 joule ovpn-myvpn[1827]: read UDPv4 [ECONNREFUSED]:
> Connection refused (code=111)
>
> Google finds references to some of the words but nothing explains
> the meaning of ECONNREFUSED or of (code=111).
>
> Any clues? Thanks, ... Peter E.

For documentation on ECONNREFUSED see the connect(2) man page.

$ man 2 connect
...
ECONNREFUSED
    No-one listening on the remote address.

If no one is listening then the packet is rejected. I would look to see that the ports match up on both sides of the OpenVPN connection. I would look that it is allowed through the firewall.

The default OpenVPN port is 1194. You would want to make sure that the same port is configured on both sides and that it is allowed through any firewall between and on each machine.

Bob

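Added example, not part of the original thread or of OpenVPN: a loopback reproduction of how a UDP read comes back as ECONNREFUSED (errno 111 on Linux, the "code=111" in the log line) when nothing listens on the peer port, next to a bound but silent listener, which only times out. The function names and the loopback target are assumptions made for the illustration.

```python
import errno
import socket

LOOPBACK = "127.0.0.1"  # constructed test target; the thread's hosts are not contacted


def closed_udp_port() -> int:
    """Pick a loopback UDP port, then release it so that nothing is listening there."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as probe:
        probe.bind((LOOPBACK, 0))
        return probe.getsockname()[1]


def probe_udp(port: int, timeout: float = 0.5) -> str:
    """Send one datagram from a connected UDP socket and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((LOOPBACK, port))  # for UDP this only fixes the peer; no packet is sent
        try:
            s.send(b"hello")
            s.recv(64)  # a queued ICMP port-unreachable surfaces here as an error
            return "reply"
        except ConnectionRefusedError as exc:
            # The peer host answered with ICMP port unreachable: it is reachable, but
            # no process is bound to that port (a firewall rule that rejects rather
            # than drops can produce the same answer).
            return errno.errorcode[exc.errno]
        except socket.timeout:
            # Silence: the datagram reached a quiet listener or was dropped on the way.
            return "timeout"


def compare() -> dict:
    """Probe a closed port and a bound-but-silent listener on loopback."""
    results = {"closed_port": probe_udp(closed_udp_port())}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind((LOOPBACK, 0))
        results["silent_listener"] = probe_udp(listener.getsockname()[1])
    return results


if __name__ == "__main__":
    print(compare())
```

Read this way, the syslog line means the remote host was reachable and answered, which points at the listener or a rejecting rule on that host rather than at a dead path.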
error message from openvpn.
Folk,

An OpenVPN tunnel is failing and this message is in /var/log/syslog.

Nov 27 16:17:07 joule ovpn-myvpn[1827]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

Google finds references to some of the words but nothing explains the meaning of ECONNREFUSED or of (code=111).

Any clues? Thanks,
... Peter E.