08/28/2024 08:57 AM
Hello,
I am working on creating a new SC2.0, and this is what I am seeing when I start the openvpn service; tun0 never comes up.
Thu Aug 29 00:39:57 2024 TCP_CLIENT link remote: [AF_INET]15.165.216.61:443
Thu Aug 29 00:39:57 2024 Connection reset, restarting [0]
Thu Aug 29 00:39:57 2024 SIGUSR1[soft,connection-reset] received, process restarting
Thu Aug 29 00:39:57 2024 Restart pause, 300 second(s)
Thu Aug 29 00:44:57 2024 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Aug 29 00:44:57 2024 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Aug 29 00:44:57 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]15.165.216.61:443
Thu Aug 29 00:44:57 2024 Socket Buffers: R=[87380->87380] S=[20480->20480]
Thu Aug 29 00:44:57 2024 Attempting to establish TCP connection with [AF_INET]15.165.216.61:443 [nonblock]
Thu Aug 29 00:44:58 2024 TCP connection established with [AF_INET]15.165.216.61:443
Thu Aug 29 00:44:58 2024 TCP_CLIENT link local: (not bound)
Thu Aug 29 00:44:58 2024 TCP_CLIENT link remote: [AF_INET]15.165.216.61:443
Thu Aug 29 00:44:58 2024 Connection reset, restarting [0]
Thu Aug 29 00:44:58 2024 SIGUSR1[soft,connection-reset] received, process restarting
Thu Aug 29 00:44:58 2024 Restart pause, 300 second(s)
Here are some configs I made:
"/etc/openvpn/client.conf"
daemon
client
dev tun
proto tcp
#multihome
remote ----remote IP---- 443 tcp-client
verify-x509-name "C=US, ST=CA, L=LosAngeles, O=saviyntcloud, OU=IT, CN=saviyntcloudovpnserver, name=server, emailAddress=devsecops@saviynt.com"
resolv-retry infinite
#mark 4458
nobind
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/saviyntcloudovpnclient.crt
key /etc/openvpn/keys/saviyntcloudovpnclient.key
remote-cert-tls server
auth-retry nointeract
cipher AES-256-GCM
auth SHA256
verb 3
reneg-sec 0
keepalive 10 60
log /etc/openvpn/logs/openvpn.log
status /etc/openvpn/logs/openvpn-status.log
tls-auth /etc/openvpn/keys/ta.key 1
/etc/sysconfig/iptables
*filter
:INPUT ACCEPT [157:10859]
:FORWARD ACCEPT [8:7088]
:OUTPUT ACCEPT [83:7284]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
COMMIT
# Completed on Thu Aug 29 00:27:13 2024
# Generated by iptables-save v1.8.4 on Thu Aug 29 00:27:13 2024
*nat
:PREROUTING ACCEPT [166:10707]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [540:38120]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -s $saviynt_cid 4 -m policy --dir out --pol none -j SNAT --to-source $private_ipv4
COMMIT
# Completed on Thu Aug 29 00:27:13 2024
# Generated by iptables-save v1.8.4 on Thu Aug 29 00:27:13 2024
*raw
:PREROUTING ACCEPT [12352:2577942]
:OUTPUT ACCEPT [7310:1118958]
COMMIT
# Completed on Thu Aug 29 00:27:13 2024
# Generated by iptables-save v1.8.4 on Thu Aug 29 00:27:13 2024
*mangle
:PREROUTING ACCEPT [12352:2577942]
:INPUT ACCEPT [10406:1535453]
:FORWARD ACCEPT [1946:1042489]
:OUTPUT ACCEPT [7310:1118958]
:POSTROUTING ACCEPT [9256:2161447]
COMMIT
# Completed on Thu Aug 29 00:27:13 2024
"journalctl -xe"
Aug 29 00:55:24 ip-1.ap-northeast-2.compute.internal bash[8473]: root : pts/1 2024-08-29 00:46 (10.210.192.22) : /root : systemctl restart openvpn@client
Aug 29 00:55:24 ip-1.ap-northeast-2.compute.internal systemd[1]: Stopping OpenVPN Robust And Highly Flexible Tunneling Application On client...
-- Subject: Unit openvpn@client.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit openvpn@client.service has begun shutting down.
Aug 29 00:55:24 ip-1.ap-northeast-2.compute.internal systemd[1]: Stopped OpenVPN Robust And Highly Flexible Tunneling Application On client.
-- Subject: Unit openvpn@client.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit openvpn@client.service has finished shutting down.
Aug 29 00:55:24 ip-1.ap-northeast-2.compute.internal systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On client...
-- Subject: Unit openvpn@client.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit openvpn@client.service has begun starting up.
Aug 29 00:55:24 ip-1.ap-northeast-2.compute.internal systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On client.
-- Subject: Unit openvpn@client.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit openvpn@client.service has finished starting up.
08/28/2024 09:14 AM
Here are a few things you can check and try to resolve this issue:
Ensure that the OpenVPN server is correctly configured and running. Verify that the server is listening on the correct port (443 in your case) and that there are no firewall rules blocking the connection.
Make sure that your firewall rules are not blocking the connection. You have rules for port 1194, but your client configuration is using port 443. Update your firewall rules to allow traffic on port 443:
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Ensure that the certificates and keys specified in your client configuration are correct and match those on the server. Double-check the paths and file permissions.
Increase the verbosity of the OpenVPN logs to get more detailed information about the connection issue. You can set verb 5 or higher in your client configuration to get more detailed logs:
verb 5
Check the network stability between the client and the server. Network issues such as high latency or packet loss can cause connection resets.
Ensure that the tls-auth key is correctly configured on both the client and the server. The tls-auth directive should match on both sides.
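A small triage script for the log and config shapes in this thread, added here as an example and not posted by anyone in the thread. It assumes OpenVPN 2.x client log wording like the lines above and an iptables-save style rules file; the sample inputs are constructed from the post with a test IP.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Assumes OpenVPN 2.x client log
# wording as pasted above and an iptables-save style rules file.
set -u

# classify_openvpn_log LOGFILE: print why tun0 is not coming up.
classify_openvpn_log() {
    if grep -q 'TUN/TAP device .* opened' "$1"; then
        echo up                    # tun device came up
    elif grep -qE 'TLS Error|VERIFY ERROR' "$1"; then
        echo tls-error             # handshake ran, cert/CA/verify-x509-name failed
    elif grep -q 'TCP connection established' "$1" \
         && grep -q 'Connection reset, restarting' "$1"; then
        echo reset-after-connect   # peer accepted TCP then reset before TLS completed
    elif grep -qE 'Connection refused|Connection timed out' "$1"; then
        echo connect-failed        # port filtered or nothing listening
    else
        echo unknown
    fi
}

# count_restart_loops LOGFILE: how many connection-reset restarts were logged.
count_restart_loops() {
    grep -c 'SIGUSR1\[soft,connection-reset\] received' "$1"
}

# remote_port_allowed CLIENT_CONF RULES: port from the 'remote' line vs INPUT rules.
# For an outbound client with INPUT policy ACCEPT a missing rule is not itself
# blocking; this only flags the 1194-vs-443 mismatch the reply points at.
remote_port_allowed() {
    port=$(awk '$1 == "remote" { print $3; exit }' "$1")
    if grep -qE -- "^-A INPUT .*--dport ${port}( |$)" "$2"; then
        echo "yes:$port"
    else
        echo "no:$port"
    fi
}

# Constructed sample inputs, condensed from the post (IP replaced with a test address).
SAMPLE_LOG=$(mktemp); SAMPLE_CONF=$(mktemp); SAMPLE_FW=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Thu Aug 29 00:44:58 2024 TCP connection established with [AF_INET]203.0.113.10:443
Thu Aug 29 00:44:58 2024 Connection reset, restarting [0]
Thu Aug 29 00:44:58 2024 SIGUSR1[soft,connection-reset] received, process restarting
EOF
printf 'client\ndev tun\nproto tcp\nremote 203.0.113.10 443 tcp-client\n' >"$SAMPLE_CONF"
printf -- '-A INPUT -p udp -m udp --dport 1194 -j ACCEPT\n-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT\n' >"$SAMPLE_FW"

echo "verdict:   $(classify_openvpn_log "$SAMPLE_LOG")"
echo "restarts:  $(count_restart_loops "$SAMPLE_LOG")"
echo "fw allows: $(remote_port_allowed "$SAMPLE_CONF" "$SAMPLE_FW")"
```

A reset immediately after "TCP connection established" means the peer accepted the TCP connection and then dropped it before the TLS handshake completed, which points at the server side (no OpenVPN listening on 443, a proto mismatch, or a tls-auth key or direction mismatch) rather than at the client's INPUT rules. With `tls-auth ta.key 1` on the client, the server must use the same ta.key with direction 0.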
08/28/2024 07:29 PM
@Joon
As Rushikesh mentioned, check the below config and create a support ticket with Saviynt to validate the auth key and the IPs used on the SC2.0 Server and Client.