VPN Troubleshooting
These guidelines provide a systematic approach to troubleshooting configuration inconsistencies that cause VPN issues. A mismatched configuration can result in VPN connection failure, intermittent disconnection, or even loss of access to resources in a remote network. By following the steps outlined in this document, you should be able to identify and address configuration issues with VPN connections.
Troubleshooting Steps
Issue: Configuration Mismatch
Symptoms
- VPN connection fails to establish or frequently disconnects.
- The client device is unable to access resources on the remote network.
- Logs indicate error messages related to mismatched configurations.
Cloud Configuration Verification
Access the CE Terminal
- Log in to the CE terminal with superuser privileges to perform diagnostic checks.
sudo su -
Check Configuration Files
Check that the OpenVPN configuration files contain the correct settings. Start by reviewing the OpenVPN interface configuration.
- To review the OpenVPN configuration, execute the following command:
cat /tmp/last_config_response.json | jq '.interfacesConfig.openVpn'
This command will display the OpenVPN configuration, which can include various authentication methods.
Example OpenVPN Configuration (with Different Authentication Methods)
The following examples show what the OpenVPN configuration might look like for each authentication method. They are sample outputs only; the actual output of the command will be similar.
1. Office365 Authentication
The following is an example of the output displayed when Office365 authentication is selected.
{
"vtun25": {
"trafficPolicy": null,
"trafficPolicyIn": false,
"trafficPolicyOut": false,
"caCertFile": "<base64-encoded PEM certificate>",
"certFile": "<base64-encoded PEM certificate>",
"keyFile": "<base64-encoded PEM private key>",
"crlFiles": [],
"dhFile": null,
"pushRoutes": [],
"subnet": "172.29.2.0/24",
"replaceDefaultRoutes": true,
"maxConnections": 20,
"useLzoCompression": true,
"nameServer": "172.29.2.1",
"cipher": "default",
"authentication": {
"authenticationMethod": "OFFICE365",
"office365": {
"tenantId": "1010101-56e9-4621-9b8d-912f769c66f3",
"clientId": "2020202-c805-4af9-ba35-12d3a4dea237",
"clientSecret": "00000~c9jwdyhn3jzWccg-G5lKzj9b.Z2TNgHcCr",
"scope": null
},
"ldap": null
},
"interfaceName": "vtun25",
"bridgeGroup": null,
"tunnelType": null,
"localPort": 11940,
"remotePort": null,
"localHost": "172.20.10.3",
"remoteHost": null,
"remoteHosts": [],
"openVpnOption": null,
"persistentTunnel": true,
"vpnSharedSecret": null,
"splitTunnel": false,
"socksProxy": false,
"socksProxyType": null,
"socksProxyPrivateKey": null,
"socksProxyPublicKey": null,
"description": "Vpn Server",
"wanInterfaces": null,
"mode": "server",
"protocol": "udp",
"ceDeviceId": null,
"ceDeviceLabel": null,
"customerEmail": null,
"status": null,
"peDeviceIds": [],
"hubCEDeviceIds": [],
"ceSpokeId": null,
"remoteDeviceLabel": null,
"ethInterface": "eth0"
}
}
2. LDAP Authentication
The following is an example of the output displayed when LDAP authentication is selected.
{
"vtun25": {
"trafficPolicy": null,
"trafficPolicyIn": false,
"trafficPolicyOut": false,
"caCertFile": "<base64-encoded PEM certificate>",
"certFile": "<base64-encoded PEM certificate>",
"keyFile": "<base64-encoded PEM private key>",
"crlFiles": [],
"dhFile": null,
"pushRoutes": [],
"subnet": "172.29.2.0/24",
"replaceDefaultRoutes": true,
"maxConnections": 20,
"useLzoCompression": true,
"nameServer": "172.29.2.1",
"cipher": "default",
"authentication": {
"authenticationMethod": "LDAP",
"office365": null,
"ldap": {
"ldapServer": "ldap://100.100.01.1:40404",
"ldapBaseDN": "cn=accounts,dc=google,dc=com",
"ldapBindDN": "uid=binduser,cn=users,cn=accounts,dc=google,dc=com",
"ldapBindPassword": "the.set-go-yard-percolate",
"ldapFilter": "(memberof=CN=vpn_users,CN=groups,CN=accounts,dc=google,dc=com)"
}
},
"interfaceName": "vtun25",
"bridgeGroup": null,
"tunnelType": null,
"localPort": 11940,
"remotePort": null,
"localHost": "172.20.10.3",
"remoteHost": null,
"remoteHosts": [],
"openVpnOption": null,
"persistentTunnel": true,
"vpnSharedSecret": null,
"splitTunnel": false,
"socksProxy": false,
"socksProxyType": null,
"socksProxyPrivateKey": null,
"socksProxyPublicKey": null,
"description": "Vpn Server",
"wanInterfaces": null,
"mode": "server",
"protocol": "udp",
"ceDeviceId": null,
"ceDeviceLabel": null,
"customerEmail": null,
"status": null,
"peDeviceIds": [],
"hubCEDeviceIds": [],
"ceSpokeId": null,
"remoteDeviceLabel": null,
"ethInterface": "eth0"
}
}
3. Default Authentication
The following is an example of the output displayed when Default authentication is selected.
{
"vtun25": {
"trafficPolicy": null,
"trafficPolicyIn": false,
"trafficPolicyOut": false,
"caCertFile": "<base64-encoded PEM certificate>",
"certFile": "<base64-encoded PEM certificate>",
"keyFile": "<base64-encoded PEM private key>",
"crlFiles": [],
"dhFile": null,
"pushRoutes": [],
"subnet": "172.29.2.0/24",
"replaceDefaultRoutes": true,
"maxConnections": 20,
"useLzoCompression": true,
"nameServer": "172.29.2.1",
"cipher": "default",
"authentication": {
"authenticationMethod": "PLATFORM",
"office365": null,
"ldap": null
},
"interfaceName": "vtun25",
"bridgeGroup": null,
"tunnelType": null,
"localPort": 11940,
"remotePort": null,
"localHost": "172.20.10.3",
"remoteHost": null,
"remoteHosts": [],
"openVpnOption": null,
"persistentTunnel": true,
"vpnSharedSecret": null,
"splitTunnel": false,
"socksProxy": false,
"socksProxyType": null,
"socksProxyPrivateKey": null,
"socksProxyPublicKey": null,
"description": "Vpn Server",
"wanInterfaces": null,
"mode": "server",
"protocol": "udp",
"ceDeviceId": null,
"ceDeviceLabel": null,
"customerEmail": null,
"status": null,
"peDeviceIds": [],
"hubCEDeviceIds": [],
"ceSpokeId": null,
"remoteDeviceLabel": null,
"ethInterface": "eth0"
}
}
Check OpenVPN Interface Configuration File
- To check the OpenVPN interface configuration for each authentication type, run the following command. It displays the contents of the OpenVPN interface configuration file.
cat /etc/config/openvpn
The following is example output only; the actual output of the command will be similar.
Example Response
config openvpn 'vtun25'
option enabled '1'
option verb '3'
option nobind '0'
option dev_type 'tun'
option script_security '2'
option persist_tun '1'
option ping '10'
option ping_restart '0'
option dev 'vtun25'
option topology 'subnet'
option status '/var/run/vtun25.status 30'
option status_version '2'
option local '172.20.10.3'
option server '172.29.2.0 255.255.255.0'
list push 'dhcp-option DNS 172.29.2.1'
list push 'comp-lzo yes'
list push 'redirect-gateway def1'
option lport '11940'
option split_tunnel '0'
option comp_lzo 'yes'
option cipher 'AES-256-CBC'
option ca '/etc/openvpn/vtun25.ca'
option dh '/etc/openvpn/vtun25.dh'
option cert '/etc/openvpn/vtun25.crt'
option key '/etc/openvpn/vtun25.key'
option auth_method 'ldap'
option client_connect '/usr/bin/openvpn_connect.sh'
option client_disconnect '/usr/bin/openvpn_disconnect.sh'
option auth_user_pass_verify '/usr/bin/openvpn_login.sh via-file'
option ldap_filter '(memberof=CN=vpn_users,CN=groups,CN=accounts,dc=google,dc=com)'
option ldap_server 'ldap://100.100.01.1:40404'
option ldap_base_dn 'cn=accounts,dc=google,dc=com'
option ldap_bind_dn 'uid=binduser,cn=users,cn=accounts,dc=google,dc=com'
option ldap_bind_password 'the.set-go-yard-percolate'
UCI Configuration Verification
The uci show openvpn command displays the configuration of OpenVPN. This allows you to see whether the VPN server is running, what port and protocol it is on, and what config file it is using.
uci show openvpn
The following is example output only; the actual output of the command will be similar.
Example Response
openvpn.vtun38_2=openvpn
openvpn.vtun38_2.enabled='1'
openvpn.vtun38_2.verb='3'
openvpn.vtun38_2.nobind='0'
openvpn.vtun38_2.dev_type='tap'
openvpn.vtun38_2.script_security='2'
openvpn.vtun38_2.persist_tun='1'
openvpn.vtun38_2.ping='10'
openvpn.vtun38_2.ping_restart='60'
openvpn.vtun38_2.dev='vtun38_2'
openvpn.vtun38_2.sndbuf='6291456'
openvpn.vtun38_2.rcvbuf='6291456'
openvpn.vtun38_2.status='/var/run/vtun38_2.status 30'
openvpn.vtun38_2.remote='117.186.234.99'
openvpn.vtun38_2.rport='50024'
openvpn.vtun38_2.secret='/etc/openvpn/vtun38_2.key'
openvpn.vtun38_2.lport='50024'
openvpn.vtun38_2.cipher='AES-256-CBC'
openvpn.vtun38=openvpn
openvpn.vtun38.enabled='1'
openvpn.vtun38.verb='3'
openvpn.vtun38.nobind='0'
openvpn.vtun38.dev_type='tun'
openvpn.vtun38.script_security='2'
openvpn.vtun38.persist_tun='1'
openvpn.vtun38.ping='10'
openvpn.vtun38.ping_restart='0'
openvpn.vtun38.dev='vtun38'
openvpn.vtun38.topology='subnet'
openvpn.vtun38.status='/var/run/vtun38.status 30'
openvpn.vtun38.status_version='2'
openvpn.vtun38.local='192.168.31.225'
openvpn.vtun38.server='172.29.2.0 255.255.255.0'
openvpn.vtun38.push='dhcp-option DNS 172.29.2.1' 'comp-lzo yes' 'redirect-gateway def1'
openvpn.vtun38.lport='11940'
openvpn.vtun38.split_tunnel='0'
openvpn.vtun38.comp_lzo='yes'
openvpn.vtun38.cipher='AES-256-CBC'
openvpn.vtun38.ca='/etc/openvpn/vtun38.ca'
openvpn.vtun38.dh='/etc/openvpn/vtun38.dh'
openvpn.vtun38.cert='/etc/openvpn/vtun38.crt'
openvpn.vtun38.key='/etc/openvpn/vtun38.key'
openvpn.vtun38.auth_method='platform'
openvpn.vtun38.client_connect='/usr/bin/openvpn_connect.sh'
openvpn.vtun38.client_disconnect='/usr/bin/openvpn_disconnect.sh'
openvpn.vtun38.auth_user_pass_verify='/usr/bin/openvpn_login.sh via-file'
Q:1 What do ping and ping_restart show in UCI output?
- ping – Defines the interval (in seconds) at which the VPN client sends keepalive pings to the server. Example: ping='10' means the client sends a ping every 10 seconds to check connectivity.
- ping_restart – Defines the timeout (in seconds) after which the VPN connection will be restarted if no ping response is received. Example: ping_restart='60' means if the server does not respond within 60 seconds, the client restarts the connection.
Together, these parameters ensure the VPN tunnel remains stable by detecting connectivity loss and automatically re-establishing the connection when needed.
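The cloud-side JSON from the Cloud step and the `uci show openvpn` output above can be compared field by field to locate a mismatch. The following Python example is added here and is not code from the product; the JSON-to-UCI field mapping is an assumption inferred from the sample outputs on this page, and the sample input is constructed.

```python
import ipaddress
import json
import shlex

# Cloud JSON key -> UCI option. Assumption: inferred from this page's sample outputs.
LDAP_MAP = {"ldapServer": "ldap_server", "ldapBaseDN": "ldap_base_dn",
            "ldapBindDN": "ldap_bind_dn", "ldapFilter": "ldap_filter",
            "ldapBindPassword": "ldap_bind_password"}
SECRET_OPTIONS = {"ldap_bind_password"}  # compared, but never echoed


def parse_uci_show(text, package="openvpn"):
    """Parse `uci show openvpn` output into {section: {option: [values]}}."""
    sections = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(package + ".") or "=" not in line:
            continue  # shell prompts, blank lines, other packages
        key, _, raw = line.partition("=")
        parts = key.split(".")
        if len(parts) == 2:      # openvpn.vtun25=openvpn (section header)
            sections.setdefault(parts[1], {})
        elif len(parts) == 3:    # openvpn.vtun25.lport='11940'
            sections.setdefault(parts[1], {})[parts[2]] = shlex.split(raw)
    return sections


def expected_options(cloud):
    """UCI option values implied by one cloud-side interface object."""
    net = ipaddress.ip_network(cloud["subnet"], strict=False)
    auth = cloud.get("authentication") or {}
    expected = {
        "lport": str(cloud["localPort"]),
        "local": cloud["localHost"],
        "server": f"{net.network_address} {net.netmask}",
        "split_tunnel": "1" if cloud.get("splitTunnel") else "0",
        "auth_method": (auth.get("authenticationMethod") or "").lower(),
    }
    ldap = auth.get("ldap") or {}
    expected.update({opt: ldap[k] for k, opt in LDAP_MAP.items() if ldap.get(k) is not None})
    return expected


def expected_push(cloud):
    """Entries that should appear in the UCI `push` list."""
    push = []
    if cloud.get("nameServer"):
        push.append(f"dhcp-option DNS {cloud['nameServer']}")
    if cloud.get("replaceDefaultRoutes"):
        push.append("redirect-gateway def1")
    return push


def find_mismatches(cloud_cfg, uci_text):
    """Return (interface, option, expected, actual) for every difference."""
    uci = parse_uci_show(uci_text)
    found = []
    for name, cloud in cloud_cfg.items():
        section = uci.get(name)
        if section is None:
            found.append((name, "<section>", "present", "missing"))
            continue
        for option, want in expected_options(cloud).items():
            got = (section.get(option) or [None])[0]
            if got != want:
                if option in SECRET_OPTIONS:
                    want, got = "<redacted>", "<differs or missing>"
                found.append((name, option, want, got))
        for entry in expected_push(cloud):
            if entry not in section.get("push", []):
                found.append((name, "push", entry, None))
    return found


# Constructed sample input, shaped like the outputs shown on this page.
SAMPLE_CLOUD = json.loads("""
{"vtun25": {"subnet": "172.29.2.0/24", "localPort": 11940, "splitTunnel": false,
  "localHost": "172.20.10.3", "nameServer": "172.29.2.1", "replaceDefaultRoutes": true,
  "authentication": {"authenticationMethod": "LDAP", "office365": null,
    "ldap": {"ldapServer": "ldap://ldap.example.test:389",
             "ldapBindPassword": "constructed-secret"}}}}
""")
SAMPLE_UCI = """\
openvpn.vtun25=openvpn
openvpn.vtun25.local='172.20.10.3'
openvpn.vtun25.server='172.29.2.0 255.255.255.0'
openvpn.vtun25.push='dhcp-option DNS 172.29.2.1' 'comp-lzo yes'
openvpn.vtun25.lport='11941'
openvpn.vtun25.split_tunnel='0'
openvpn.vtun25.auth_method='platform'
openvpn.vtun25.ldap_server='ldap://ldap.example.test:389'
openvpn.vtun25.ldap_bind_password='stale-secret'
"""

if __name__ == "__main__":
    for iface, option, want, got in find_mismatches(SAMPLE_CLOUD, SAMPLE_UCI):
        print(f"{iface}: {option}: expected {want!r}, device has {got!r}")
```

On a device, the first argument would be the `.interfacesConfig.openVpn` object from /tmp/last_config_response.json and the second the captured output of `uci show openvpn`.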
Run time Configuration Verification
Check OpenVPN Service
Check if the OpenVPN service is running on the CE device. Use the following command for its service status.
- To check if the OpenVPN service is running, execute:
/etc/init.d/openvpn status
- If the OpenVPN service is not running, start it by executing:
/etc/init.d/openvpn start
- If you need to stop the OpenVPN service, use the following command:
/etc/init.d/openvpn stop
Q:1 How to check the status of the OpenVPN service?
To check the current status of the OpenVPN service, run: /etc/init.d/openvpn status. If the service is active, the output will show running. If it is inactive, no output or an error message will appear. This command provides a quick way to confirm whether the VPN process is operational.
Q:2 What command should I use to stop the OpenVPN service?
To stop the OpenVPN service on the CE device, use: /etc/init.d/openvpn stop. This command terminates the VPN process, closing the secure tunnel and halting encrypted traffic flow. It is useful when troubleshooting, reconfiguring, or restarting the service after changes.
Testing Verification
Before starting connectivity tests, make sure the VPN client is set up correctly.
VPN Client Creation and File Upload
To initiate the VPN connection from the client side, the VPN client configuration must be created first, and the generated configuration file should then be uploaded to the client system.
- Refer to the Create a VPN Client documentation for detailed instructions on how to generate the required client configuration files (e.g., .ovpn file).
- Follow the instructions in the Hiclouds App Doc to install the Hiclouds app on the client device and upload the .ovpn file to establish a VPN connection.
Client PC Troubleshooting
On the client PC, open a terminal or command prompt and run the following command to check connectivity to a known internet address (e.g., Google's DNS server). This helps determine if routing between the client and the remote network is being done correctly and if traffic is going through the VPN tunnel.
traceroute -n 8.8.8.8
Test Basic Connectivity with Ping
The ping command can be used on the CE device to check internet connectivity.
ping 8.8.8.8
The following is example output only; the actual output of the command will be similar.
Example Response
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=113 time=63.279 ms
64 bytes from 8.8.8.8: seq=1 ttl=113 time=49.643 ms
64 bytes from 8.8.8.8: seq=2 ttl=113 time=82.592 ms
Verify Route on Client PC
Verify that the route to the remote network is configured correctly.
- On the client PC, to verify that the VPN route is active, use the following command:
ip route get 8.8.8.8
Q:1 What command should I use to check if my VPN traffic is routing through the tunnel?
To verify if VPN traffic is routing through the tunnel, use the traceroute command: traceroute -n 8.8.8.8. If the hops shown in the traceroute pass through the VPN gateway, it confirms traffic is routed through the tunnel. You can also check the route table with: ip route get 8.8.8.8. This confirms whether the destination traffic is directed via the VPN interface rather than the local internet connection.
Q:2 What does it mean if traceroute or ping fails?
If traceroute or ping fails, it indicates a connectivity issue. Possible causes include:
- VPN tunnel not established – The OpenVPN service may not be running or the client configuration is incorrect.
- Routing misconfiguration – The route to the destination is missing or incorrectly set.
- Firewall restrictions – Firewall rules may be blocking ICMP or VPN traffic.
- Remote server unreachable – The target IP (e.g., 8.8.8.8) may be temporarily down or inaccessible.
Failure means the VPN is not properly forwarding traffic, and further troubleshooting of configuration, logs, and firewall rules is required.
Log Verification
Review OpenVPN Logs on the CE Device
Check the OpenVPN log for any error messages or warnings that may indicate configuration issues.
- To check the OpenVPN logs for errors or warnings, execute the following command on the CE device:
logread | grep openvpn
The following is example output only; the actual output of the command will be similar.
Example Response
Jul 2 12:56:55 Apex-CE-London-1 openvpn(vtun25_2)[4738]: DEPRECATED OPTION: The option --secret is deprecated.
Jul 2 12:56:55 Apex-CE-London-1 openvpn(vtun25_2)[4738]: DEPRECATION: No tls-client or tls-server option in configuration detected. OpenVPN 2.7 will remove the functionality to run a VPN without TLS. See the examples section in the manual page for examples of a similar quick setup with peer-fingerprint.
Jul 2 12:56:55 Apex-CE-London-1 openvpn(vtun25_2)[4738]: OpenVPN 2.6.13 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Jul 2 12:56:55 Apex-CE-London-1 openvpn(vtun25_2)[4738]: library versions: OpenSSL 3.0.16 11 Feb 2025, LZO 2.10
Jul 2 12:56:55 Apex-CE-London-1 openvpn(vtun25_2)[4738]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 2 12:56:55 Apex-CE-London-1 openvpn(vtun25_2)[4738]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
Jul 2 12:56:55 Apex-CE-London-1 openvpn(vtun25_2)[4738]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
Jul 2 12:56:55 Apex-CE-London-1 openvpn(vtun25_2)[4738]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
Jul 2 12:56:55 Apex-CE-London-1 openvpn(vtun25_2)[4738]: TUN/TAP device vtun25_2 opened
Jul 2 12:56:55 Apex-CE-London-1 openvpn(vtun25_2)[4738]: /usr/libexec/openvpn-hotplug up vtun25_2 vtun25_2 1500 0 init
Jul 2 12:56:57 Apex-CE-London-1 openvpn(vtun25_2)[4738]: TCP/UDP: Preserving recently used remote address: [AF_INET]116.63.224.149:45017
Jul 2 12:56:57 Apex-CE-London-1 openvpn(vtun25_2)[4738]: Socket Buffers: R=[212992->425984] S=[212992->425984]
Jul 2 12:56:57 Apex-CE-London-1 openvpn(vtun25_2)[4738]: UDPv4 link local (bound): [AF_INET][undef]:45017
Jul 2 12:56:57 Apex-CE-London-1 openvpn(vtun25_2)[4738]: UDPv4 link remote: [AF_INET]116.63.224.149:45017
Jul 2 12:57:07 Apex-CE-London-1 openvpn(vtun25_2)[4738]: Peer Connection Initiated with [AF_INET]116.63.224.149:45017
Jul 2 12:57:08 Apex-CE-London-1 openvpn(vtun25_2)[4738]: Initialization Sequence Completed
Jul 2 12:57:08 Apex-CE-London-1 openvpn(vtun25_2)[4738]: Data Channel: cipher 'BF-CBC', auth 'SHA1'
Jul 2 12:57:08 Apex-CE-London-1 openvpn(vtun25_2)[4738]: Timers: ping 10, ping-restart 60
Jul 2 12:58:14 Apex-CE-London-1 hiclouds_config.sh[11397]: execute post config command "/etc/init.d/openvpn restart vtun25"
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: OpenVPN 2.6.13 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: library versions: OpenSSL 3.0.16 11 Feb 2025, LZO 2.10
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: WARNING: --keepalive option is missing from server config
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: net_route_v4_best_gw query: dst 0.0.0.0
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: net_route_v4_best_gw result: via 0.0.0.0 dev
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: Diffie-Hellman initialized with 1024 bit key
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: TUN/TAP device vtun25 opened
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: net_iface_mtu_set: mtu 1500 for vtun25
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: net_iface_up: set vtun25 up
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: net_addr_v4_add: 172.29.2.1/24 dev vtun25
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: /usr/libexec/openvpn-hotplug up vtun25 vtun25 1500 0 172.29.2.1 255.255.255.0 init
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: UDPv4 link local (bound): [AF_INET]172.20.10.3:11940
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: UDPv4 link remote: [AF_UNSPEC]
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: MULTI: multi_init called, r=256 v=256
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: IFCONFIG POOL IPv4: base=172.29.2.2 size=253
Jul 2 12:58:15 Apex-CE-London-1 openvpn(vtun25)[14727]: Initialization Sequence Completed
Jul 2 13:02:01 Apex-CE-London-1 openvpn(vtun25_2)[4738]: read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=111)
Jul 2 13:02:01 Apex-CE-London-1 openvpn(vtun25_2)[4738]: read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=111)
Jul 2 13:02:02 Apex-CE-London-1 openvpn(vtun25_2)[4738]: read UDPv4 [ECONNREFUSED|ECONNREFUSED]: Connection refused (fd=6,code=111)
Jul 2 13:02:06 Apex-CE-London-1 hiclouds_config.sh[27176]: execute post config command "/etc/init.d/openvpn stop vtun25_2"
Jul 2 13:02:06 Apex-CE-London-1 openvpn(vtun25_2)[4738]: event_wait : Interrupted system call (fd=-1,code=4)
Jul 2 13:02:06 Apex-CE-London-1 openvpn(vtun25_2)[4738]: /usr/libexec/openvpn-hotplug route-pre-down vtun25_2 vtun25_2 1500 0 init
Jul 2 13:02:06 Apex-CE-London-1 openvpn(vtun25_2)[4738]: Closing TUN/TAP interface
Jul 2 13:02:06 Apex-CE-London-1 openvpn(vtun25_2)[4738]: /usr/libexec/openvpn-hotplug down vtun25_2 vtun25_2 1500 0 init
Jul 2 13:02:06 Apex-CE-London-1 openvpn(vtun25_2)[4738]: SIGTERM[hard,] received, process exiting
Jul 2 13:26:28 Apex-CE-London-1 hiclouds_config.sh[1346]: execute post config command "/etc/init.d/openvpn restart vtun25"
Jul 2 13:26:28 Apex-CE-London-1 openvpn(vtun25)[14727]: event_wait : Interrupted system call (fd=-1,code=4)
Jul 2 13:26:28 Apex-CE-London-1 openvpn(vtun25)[14727]: /usr/libexec/openvpn-hotplug route-pre-down vtun25 vtun25 1500 0 172.29.2.1 255.255.255.0 init
Jul 2 13:26:28 Apex-CE-London-1 openvpn(vtun25)[14727]: Closing TUN/TAP interface
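Several warnings in the log above bear on tunnel security or point to a configuration mismatch (static-key mode, a 64-bit block cipher, compression, a 1024-bit DH key, a --cipher value that is ignored, refused peer connections), and they are easier to act on when grouped per OpenVPN instance. The following Python example is added here and is not part of the product; the finding names and the 2048-bit DH threshold are assumptions, and the sample lines are constructed from the message formats shown above.

```python
import re
from collections import Counter, defaultdict

# logread line: "<Mon> <day> <time> <host> openvpn(<instance>)[<pid>]: <message>"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+openvpn\((?P<inst>[^)]+)\)\[\d+\]:\s+(?P<msg>.*)$")

MIN_DH_BITS = 2048  # threshold chosen for this example (assumption)

# (finding id, message pattern, optional filter applied to the match)
RULES = [
    ("static-key-mode", re.compile(r"option --secret is deprecated"), None),
    ("no-tls", re.compile(r"No tls-client or tls-server option"), None),
    ("weak-cipher", re.compile(r"INSECURE cipher \((?P<v>[^)]+)\)"), None),
    ("compression-enabled", re.compile(r"Compression for receiving enabled"), None),
    ("cipher-ignored",
     re.compile(r"--cipher set to '(?P<v>[^']+)' but missing in --data-ciphers"), None),
    ("small-dh", re.compile(r"Diffie-Hellman initialized with (?P<v>\d+) bit key"),
     lambda m: int(m["v"]) < MIN_DH_BITS),
    ("ping-without-restart",
     re.compile(r"--ping should normally be used with --ping-restart"), None),
    ("peer-refused", re.compile(r"\[ECONNREFUSED"), None),
]


def triage(log_text):
    """Return sorted (instance, finding, count, detail) tuples for OpenVPN lines."""
    counts = defaultdict(Counter)
    details = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines from other processes, e.g. hiclouds_config.sh
        for finding, pattern, keep in RULES:
            hit = pattern.search(m["msg"])
            if hit and (keep is None or keep(hit)):
                counts[m["inst"]][finding] += 1
                if "v" in hit.groupdict():
                    details[(m["inst"], finding)] = hit["v"]
    return [(inst, finding, n, details.get((inst, finding)))
            for inst in sorted(counts)
            for finding, n in sorted(counts[inst].items())]


# Constructed sample lines (host name is made up; message texts follow the log above).
SAMPLE_LOG = """\
Jul  2 12:56:55 ce-example openvpn(vtun25_2)[4738]: DEPRECATED OPTION: The option --secret is deprecated.
Jul  2 12:56:55 ce-example openvpn(vtun25_2)[4738]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).
Jul  2 12:56:55 ce-example openvpn(vtun25_2)[4738]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).
Jul  2 12:58:14 ce-example hiclouds_config.sh[11397]: execute post config command "/etc/init.d/openvpn restart vtun25"
Jul  2 12:58:15 ce-example openvpn(vtun25)[14727]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305).
Jul  2 12:58:15 ce-example openvpn(vtun25)[14727]: Diffie-Hellman initialized with 1024 bit key
Jul  2 12:58:15 ce-example openvpn(vtun25)[14727]: Initialization Sequence Completed
Jul  2 13:02:01 ce-example openvpn(vtun25_2)[4738]: read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=111)
"""

if __name__ == "__main__":
    for inst, finding, count, detail in triage(SAMPLE_LOG):
        suffix = f" ({detail})" if detail else ""
        print(f"{inst}: {finding} x{count}{suffix}")
```

To use it on a device capture, pass the saved output of `logread | grep openvpn` to triage().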