OpenVPN Troubleshooting Tips on DAL Routers

OpenVPN issues on DAL routers can be troubleshot by checking the logs (System > Logs section in the Web UI). In some cases, if the OpenVPN tunnel doesn't come up, it can be useful to increase the verbosity level to get debug information for investigating the failure.

Below are the verbosity definition and levels from the official OpenVPN reference guide (https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/):

--verb n
Set output verbosity to n (default=1). Each level shows all info from the previous levels. Level 3 is recommended if you want a good summary of what's happening without being swamped by output.
0 — No output except fatal errors.
1 to 4 — Normal usage range.
5 — Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
6 to 11 — Debug info range
 

By default the verbosity level is set to 1. To increase the verb level for troubleshooting, there are the following options:

- DAL as OpenVPN server, or DAL as OpenVPN client without an OVPN config file ("Use .ovpn file" option disabled): the Advanced Options section must be enabled and configured for this, as in the example below:


verb.PNG

- DAL as OpenVPN client with an OVPN config file ("Use .ovpn file" option enabled, which is the default): the verbosity level can be set directly in the .ovpn file.

Note: Once the verbosity level is increased, the system logs will include more debugging information about the possible cause of the failure, but the log files will also grow in size, so it is recommended to set the level back to the default once the issue is resolved.


A typical good output looks as follows:

OpenVPN Server Initialization:

 

[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 OpenVPN 2.4.4 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 28 2020 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.02 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 Diffie-Hellman initialized with 2048 bit key 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 TUN/TAP device os_NewTunnel opened 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 TUN/TAP TX queue length set to 100 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 /sbin/ifconfig os_NewTunnel 10.10.10.1 pointopoint 10.10.10.80 mtu 1500 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 Could not determine IPv4/IPv6 protocol. Using AF_INET 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 Socket Buffers: R=[180224->180224] S=[180224->180224] 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 UDPv4 link local (bound): [AF_INET][undef]:1194 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 UDPv4 link remote: [AF_UNSPEC] 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 MULTI: multi_init called, r=256 v=256 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 IFCONFIG POOL: base=10.10.10.80 size=5, ipv6=0 
[F03:P05] Sep 11 12:55:18 EX15W netifd: os_NewTunnel (11791): Fri Sep 11 12:55:18 2020 Initialization Sequence Completed 

 

Client Connection:

[F01:P05] Sep 11 12:59:27 EX15W root: openvpn: 95.91.252.234 successfully connected. 
 

The OpenVPN tunnel establishment can fail due to errors in the OpenVPN server/client configuration (invalid commands, for example) or due to negotiation problems (authentication failure, parameter incompatibility between peers, etc.).

The following are some examples of "bad" logs that can be seen in common error cases:

OpenVPN Server failing to initialize due to invalid options:

[F03:P05] Sep 11 13:30:35 EX15W netifd: Interface 'os_NewTunnel' is setting up now 
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 OpenVPN 2.4.4 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 28 2020 
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.02 
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 Diffie-Hellman initialized with 2048 bit key 
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 Cipher AES-128 not supported 
[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 Exiting due to fatal error 
[F03:P05] Sep 11 13:30:35 EX15W netifd: Interface 'os_NewTunnel' is now down 


What to check >> When there is an error about an option not being supported, most probably "Advanced options" has been configured to add parameters to the defaults used by DAL. That field must be checked to correct possible errors in the format or name of the options specified.

OpenVPN Server fails to negotiate due to authentication failure (username invalid):

Sep 11 13:50:30 EX15W Sep 11 13:50:30 00270439a34b us: pam_acc: username username invalid
Sep 11 13:50:30 EX15W root: openvpn: PAM failed to authenticate user username(95.91.252.234)
Sep 11 13:50:30 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 13:50:30 2020 us=145846 95.91.252.234:63047 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Sep 11 13:50:30 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 13:50:30 2020 us=146165 95.91.252.234:63047 TLS Auth Error: Auth Username/Password verification failed for peer


What to check >> When a username is detected as "invalid", most probably the user configuration is missing on DAL. To add or correct it, go to Authentication > Users and add a user with the same name configured in the client, associated with the proper OpenVPN user groups for that tunnel (see below as well).

OpenVPN Server fails to negotiate due to authentication failure (user not authorized):

Sep 11 14:06:07 EX15W root: openvpn: user username(95.91.252.234) is not authorised to use server NewTunnel
Sep 11 14:06:07 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 14:06:07 2020 us=524199 95.91.252.234:63033 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Sep 11 14:06:07 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 14:06:07 2020 us=524564 95.91.252.234:63033 TLS Auth Error: Auth Username/Password verification failed for peer


What to check >> The username is authenticated but is not authorized to use the OpenVPN tunnel. In this case, check the group associated with the user, which needs to have the OpenVPN tunnel linked to it:

OVPN_1.PNG

OVPN_2.PNG


OpenVPN Server fails to negotiate due to authentication failure (password mismatch):

Sep 11 14:02:42 EX15W : pam_acc(openvpn:auth): pam_acc: password mismatch for user username
Sep 11 14:02:42 EX15W Sep 11 14:02:42 00270439a34b us: pam_acc: password mismatch for user username
Sep 11 14:02:42 EX15W root: openvpn: PAM failed to authenticate user username(95.91.252.234)
Sep 11 14:02:42 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 14:02:42 2020 us=642687 95.91.252.234:63069 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Sep 11 14:02:42 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 14:02:42 2020 us=642975 95.91.252.234:63069 TLS Auth Error: Auth Username/Password verification failed for peer


What to check >> The user is configured, but the password does not match the one received from the client, so the password must be fixed.
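
The four failure cases above can be told apart mechanically from an exported log. The script below is an added example, not part of the original article or of DAL: it matches only the message texts shown in the logs above and maps each to the article's "What to check" advice. The names RULES, STAMP, triage and SAMPLE are assumptions of this example.

```python
import re
from collections import Counter

# (pattern, cause, what to check) for the four failure cases in the article.
RULES = [
    (re.compile(r"Cipher (?P<detail>\S+) not supported"),
     "invalid option", "Advanced options: option name/format"),
    (re.compile(r"pam_acc: username (?P<detail>\S+) invalid"),
     "unknown user", "Authentication > Users: add the user"),
    (re.compile(r"user (?P<detail>\S+?)\(\S+\) is not authorised to use server"),
     "user not authorised", "user's group must have the tunnel linked"),
    (re.compile(r"pam_acc: password mismatch for user (?P<detail>\S+)"),
     "password mismatch", "fix the password"),
]
# Syslog timestamp as it appears in the log lines, e.g. "Sep 11 13:50:30".
STAMP = re.compile(r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d")

def triage(lines):
    """Count each failure event once, keyed by (cause, detail, what to check)."""
    seen, findings = set(), Counter()
    for line in lines:
        stamp = STAMP.search(line)
        for pattern, cause, hint in RULES:
            m = pattern.search(line)
            if m is None:
                continue
            # pam_acc reports the same event on two lines; dedupe on timestamp.
            key = (stamp.group(0) if stamp else line, cause, m.group("detail"))
            if key not in seen:
                seen.add(key)
                findings[(cause, m.group("detail"), hint)] += 1
            break
    return findings

# Log lines copied from the article's examples above.
SAMPLE = [
    "[F03:P05] Sep 11 13:30:35 EX15W netifd: os_NewTunnel (16773): Fri Sep 11 13:30:35 2020 Cipher AES-128 not supported",
    "Sep 11 13:50:30 EX15W Sep 11 13:50:30 00270439a34b us: pam_acc: username username invalid",
    "Sep 11 14:06:07 EX15W root: openvpn: user username(95.91.252.234) is not authorised to use server NewTunnel",
    "Sep 11 14:02:42 EX15W : pam_acc(openvpn:auth): pam_acc: password mismatch for user username",
    "Sep 11 14:02:42 EX15W Sep 11 14:02:42 00270439a34b us: pam_acc: password mismatch for user username",
    "Sep 11 14:02:42 EX15W netifd: os_NewTunnel (8715): Fri Sep 11 14:02:42 2020 us=642975 95.91.252.234:63069 TLS Auth Error: Auth Username/Password verification failed for peer",
]

if __name__ == "__main__":
    for (cause, detail, hint), count in triage(SAMPLE).items():
        print(f"{count}x {cause} ({detail}) -> check: {hint}")
```

The generic "TLS Auth Error" line is the same for all three authentication cases, so it is deliberately left unclassified; the pam_acc and "not authorised" lines are what identify the cause.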

 
Last updated: Sep 20, 2020
