OpenVPN4UCS 4.3.x not listening on 1194

  1. Fresh install of DC Master and DC Backup and installed OpenVPN on the DC Backup.

  2. On activating OpenVPN, the config files couldn’t be downloaded from the web GUI on the DCB. Checked for the files on the DC Master and the config files were available.

  3. Upon testing, the OpenVPN server was not responding to requests. I ran netstat -tulpn | grep 1194 with zero response.

  4. Ran the installer a second time and added to the DC Master.

  5. Running systemctl showed openvpn.server loaded | active | stopped. Restarting yielded the same results.

  6. Uninstalled from both DC Master/Backup, rebooted both, and installed again on just the DC Backup.

  7. New issue: The OpenVPN configuration via the Computer module is no longer available via the GUI. The UCR does show OpenVPN installed.

Looking for steps to troubleshoot and correct the issues.

Did the openvpn server run in 3.? What does systemctl status openvpn say - any errors logged?

What is the output of univention-ldapsearch cn=<your servername> univentionOpenvpnPort univentionOpenvpnActive univentionOpenvpnNet univentionOpenvpnAddress?

Try running univention-run-join-scripts --force --run-scripts 94univention-openvpn-master, check the join Log for errors.

  1. I have two 4.2 installations with OpenVPN running that were successfully upgraded to 4.3.x.

  2. root@ucs-bdc-1:~# systemctl status openvpn -l

● openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
   Active: active (exited) since Tue 2018-05-22 11:44:50 CDT; 3s ago
  Process: 7899 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 7899 (code=exited, status=0/SUCCESS)
      CPU: 3ms

May 22 11:44:50 ucs-bdc-1 systemd[1]: Starting OpenVPN service...
May 22 11:44:50 ucs-bdc-1 systemd[1]: Started OpenVPN service.
root@ucs-bdc-1:~# netstat -tulpn | grep 1194
root@ucs-bdc-1:~# 
  3. univention-ldapsearch cn=ucs-bdc-1 univentionOpenvpnPort univentionOpenvpnActive univentionOpenvpnNet univentionOpenvpnAddress
# extended LDIF
#
# LDAPv3
# base <dc=kblacklaw,dc=intranet> (default) with scope subtree
# filter: cn=ucs-bdc-1
# requesting: univentionOpenvpnPort univentionOpenvpnActive univentionOpenvpnNet univentionOpenvpnAddress 
#

# ucs-bdc-1, dc, computers, kblacklaw.intranet
dn: cn=ucs-bdc-1,cn=dc,cn=computers,dc=kblacklaw,dc=intranet
univentionOpenvpnActive: 1
univentionOpenvpnNet: 100.9.0/24
univentionOpenvpnAddress: 192.168.20.231
univentionOpenvpnPort: 1194

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

** IP address for the OpenVPN net is missing a dot notation. Should be 10.0.9.0/24 per your instructions.

  4. Results of join (errors only):
Waiting for activation of the extension object 63openvpn-sitetosite:..................................................ERROR: Master did not mark the extension object active within 180 seconds.
ERROR
ucs_registerLDAPExtension: registraton of /usr/lib/openvpn-int/misc/63openvpn-sitetosite.acl failed.
2018-05-22 12:19:23.415950850-05:00 (in joinscript_save_current_version)
EXITCODE=0

After completing the step to --force -join, the GUI is now available and I’ve modified the OpenVPNnet setting. This forced the restart of the service and now the service is listening on 1194. I suspect my typo of 100.0.9/0 setting created the problem.

Issue solved!

I don’t know that I need to be concerned about the sitetosite since that’s likely due to a licensing requirement (and it’s not being used here.)

Thank you very much!
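The root cause in this thread was a malformed univentionOpenvpnNet value in LDAP (100.9.0/24 instead of 10.0.9.0/24), which left the service "active (exited)" with nothing listening on 1194. The following added example, which is not part of the original thread or of OpenVPN4UCS, parses LDIF in the shape of the univention-ldapsearch output above and flags attribute values the server cannot use; the sample LDIF is constructed and the function names are my own.

```python
import ipaddress

# Constructed sample in the shape of the univention-ldapsearch output quoted
# in the thread, carrying the malformed univentionOpenvpnNet value.
SAMPLE_LDIF = """\
# ucs-bdc-1, dc, computers, kblacklaw.intranet
dn: cn=ucs-bdc-1,cn=dc,cn=computers,dc=kblacklaw,dc=intranet
univentionOpenvpnActive: 1
univentionOpenvpnNet: 100.9.0/24
univentionOpenvpnAddress: 192.168.20.231
univentionOpenvpnPort: 1194
# search result
result: 0 Success
"""


def parse_ldif(text):
    """Map attribute -> list of values; skips '#' comments, joins folded lines."""
    attrs, current = {}, None
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        if line.startswith(" ") and current:          # LDIF line folding
            attrs[current][-1] += line[1:]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        current = key.strip()
        attrs.setdefault(current, []).append(value.strip())
    return attrs


def check_openvpn_attrs(attrs):
    """Return a list of findings for the OpenVPN4UCS attributes (empty = OK)."""
    def first(name):
        return attrs.get(name, [""])[0]
    findings = []
    if first("univentionOpenvpnActive") != "1":
        findings.append("univentionOpenvpnActive is not 1")
    try:
        # strict=True also rejects a network written with host bits set
        ipaddress.ip_network(first("univentionOpenvpnNet"), strict=True)
    except ValueError:
        findings.append("univentionOpenvpnNet is not a valid CIDR network")
    port = first("univentionOpenvpnPort")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("univentionOpenvpnPort is not a valid port")
    return findings
```

Pipe the real output of univention-ldapsearch into parse_ldif and run the check before restarting the service; an empty list means the LDAP side is consistent and the problem lies elsewhere.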
