Topic: OpenVPN from Linux client -- also server fails to start with tun1 error (Read 4303 times)
whit
OpenVPN from Linux client -- also server fails to start with tun1 error
« on: September 20, 2019, 09:27:09 pm »
I'm getting this in Ubuntu Linux, after starting the openvpn client from a shell:
Password entry required for 'Enter Auth Username:' (PID 12642).
Please enter password with the systemd-tty-ask-password-agent tool!
What seems wrong is that this happens even after I've changed OPNsense's OpenVPN server config to be Remote Access (SSL/TLS) -- without "+ User Auth". So why is it asking for user auth? I've got the certificates installed, and the paths added to the .ovpn file so they're found. I'm starting the client with:
/usr/sbin/openvpn --config /etc/openvpn/openvpn_myid.ovpn
which is quite standard and how I start the client for other OpenVPN servers I run.
I'll grant that systemd is an atrocity, and I've no immediate interest in figuring out how to get the systemd-tty-ask-password-agent tool to work. Why is the OPNsense OpenVPN server asking for user auth though? How do I have it merely accept the certificate? The client log was presenting this as:
Fri Sep 20 15:12:13 2019 ERROR: could not read Auth username from stdin
Fri Sep 20 15:12:13 2019 Exiting due to fatal error
Now, I at first had had "+ User Auth" in the setup. Do I need to take extra action to bounce the OPNsense OpenVPN server process?
Ah I see now, the user config file has a line: auth-user-pass. I was assuming authorization method was controlled solely from the server.
A more serious problem: when I do a "ps aux" or "top" on the server, I don't see any openvpn process. And in /var/log/openvpn.log I see:
Sep 20 15:12:53 OPNsenseFL1 openvpn[44056]: Cannot open TUN/TAP dev /dev/tun1: Device busy (errno=16)
Sep 20 15:12:53 OPNsenseFL1 openvpn[44056]: Exiting due to fatal error
followed by many repeats of ^@^@ etc. Not good. An ifconfig shows no device tun1 (or any tun at all -- usually this would start from tun0). So what's with OPNsense that it can't work tun1 here?
root@OPNsenseFL1:/var/log # ifconfig tun0
ifconfig: interface tun0 does not exist
root@OPNsenseFL1:/var/log # ifconfig tun1
ifconfig: interface tun1 does not exist
This is OPNsense as installed on Deciso appliances. How do I add the tun devices that should be there?
This isn't how:
root@OPNsenseFL1:/var/log # ifconfig tun0 create
ifconfig: SIOCIFCREATE2: File exists
root@OPNsenseFL1:/var/log # ifconfig tun1 create
ifconfig: SIOCIFCREATE2: File exists
root@OPNsenseFL1:/var/log # ifconfig tun0
ifconfig: interface tun0 does not exist
root@OPNsenseFL1:/var/log # ifconfig tun1
ifconfig: interface tun1 does not exist
Thanks,
Whit
« Last Edit: September 20, 2019, 09:56:21 pm by whit »
bartjsmit
Re: OpenVPN from Linux client -- also server fails to start with tun1 error
« Reply #1 on: September 20, 2019, 09:59:59 pm »
Hi Whit,
Add these commands to the client config:
log-append /var/log/ovpn-client.log
verb 4
Then have a good rummage through the log file. BTW you don't need the --config parameter, you can just run "openvpn my.conf.ovpn"
You are root, aren't you?
Bart...
whit
Re: OpenVPN from Linux client -- also server fails to start with tun1 error
« Reply #2 on: September 23, 2019, 04:37:43 pm »
Hi Bart,
The log file previously showed:
Sep 20 15:43:03 OPNsenseFL1 openvpn[93890]: Cannot open TUN/TAP dev /dev/tun1: Device busy (errno=16)
Sep 20 15:43:03 OPNsenseFL1 openvpn[93890]: Exiting due to fatal error
That's why I was looking for the device state, and not finding any /dev/tunN devices at all with ifconfig. However in /dev there are tun0 through tun3 files, and for each but tun3:
root@OPNsenseFL1:/dev # more tun0
tun0: Device busy
Interestingly, on the second Deciso device, same model, where we've not used OpenVPN at all, there's just tun0 and tun1, and neither returns "Device busy." Back on the problem system, tun3 does now show up in ifconfig's listing. But the other three don't. How do I see what has these devices "busy" when, if they were properly busy, they should be showing up in ifconfig's device list, but they don't? As "ps aux" shows, there is no openvpn process running at all. What's the right command to see what's claiming business with these /dev/tunN devices?
whit
Re: OpenVPN -- Server fails to start with tun1 error
« Reply #3 on: September 23, 2019, 08:59:01 pm »
From system.log:
Sep 23 14:36:49 OPNsenseFL1 opnsense: /status_services.php: The command '/sbin/ifconfig 'tun1' create' returned exit code '1', the output was 'ifconfig: SIOCIFCREATE2: File exists'
Sep 23 14:36:49 OPNsenseFL1 opnsense: /status_services.php: The command '/sbin/ifconfig 'tun1' name 'ovpns1'' returned exit code '1', the output was 'ifconfig: interface tun1 does not exist'
Sep 23 14:36:49 OPNsenseFL1 opnsense: /status_services.php: The command '/sbin/ifconfig 'ovpns1' group openvpn' returned exit code '1', the output was 'ifconfig: interface ovpns1 does not exist'
Sep 23 14:37:01 OPNsenseFL1 opnsense: /status_services.php: OpenVPN server 1 instance start timed out.
So the script is trying to create tun1, then after that fails persisting in trying to rename it, rather than roll the number upwards until it finds a tunN which it can succeed in creating (which will work in the present instance with tun3 and above). Yes, there's a nice contradiction in how the interface both exists and does not exist.
Ah ha! I've got it. There are three wgN interfaces on this system for three WireGuard tunnels. WireGuard interfaces are renamed tunN interfaces. So wg0, wg1, and wg2 are taken. And the OpenVPN startup process is not written so as to transparently do the right thing, and establish itself on tun3.
Now, how should this be fixed?
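The pattern in the system.log lines from Reply #3, as an added example that is not part of the thread or of OPNsense: a shell function that flags any tunN unit whose create failed with "File exists" and whose rename failed with "does not exist". The function name held_tun_units is made up for this example; the sample input is the four log lines quoted in that reply.

```shell
#!/bin/sh
# Added example (not from the thread): find tunN units that system.log shows
# as both existing ("File exists" on create) and missing ("does not exist"
# on rename), the contradiction described in Reply #3.

# Sample input: the four system.log lines quoted in Reply #3.
sample_log() {
cat <<'EOF'
Sep 23 14:36:49 OPNsenseFL1 opnsense: /status_services.php: The command '/sbin/ifconfig 'tun1' create' returned exit code '1', the output was 'ifconfig: SIOCIFCREATE2: File exists'
Sep 23 14:36:49 OPNsenseFL1 opnsense: /status_services.php: The command '/sbin/ifconfig 'tun1' name 'ovpns1'' returned exit code '1', the output was 'ifconfig: interface tun1 does not exist'
Sep 23 14:36:49 OPNsenseFL1 opnsense: /status_services.php: The command '/sbin/ifconfig 'ovpns1' group openvpn' returned exit code '1', the output was 'ifconfig: interface ovpns1 does not exist'
Sep 23 14:37:01 OPNsenseFL1 opnsense: /status_services.php: OpenVPN server 1 instance start timed out.
EOF
}

# held_tun_units (hypothetical helper name): reads log lines on stdin and
# prints "tunN <target name>" once per unit whose create and rename both failed.
held_tun_units() {
    awk '
    # Return the interface name that follows prefix plus one quote character.
    function after(prefix,   s) {
        if (!match($0, prefix ".[a-z]+[0-9]+")) return ""
        s = substr($0, RSTART, RLENGTH)
        sub("^" prefix ".", "", s)
        return s
    }
    # Step 1: the create attempt is refused because the unit is already taken.
    /ifconfig .tun[0-9]+. create/ && /File exists/ {
        busy[after("ifconfig ")] = 1
    }
    # Step 2: the rename fails because no interface carries that name any more.
    /ifconfig .tun[0-9]+. name / && /does not exist/ {
        unit = after("ifconfig ")
        if ((unit in busy) && !(unit in seen)) {
            seen[unit] = 1              # report each unit once across retries
            print unit, after(" name ")
        }
    }'
}

sample_log | held_tun_units    # prints: tun1 ovpns1
```

On FreeBSD, `fstat /dev/tun1` lists the process that has the device node open, which is the other half of the question asked in Reply #2.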
bartjsmit
Re: OpenVPN from Linux client -- also server fails to start with tun1 error
« Reply #4 on: September 24, 2019, 08:21:53 am »
Hi Whit, you can add this line to the server conf file:
dev tun3
You could even opt for a tap device. Make sure you change the clients to match.
Also, you may be eligible for Deciso support on this.
Bart...