Skip to main content
Version: v24.12.13

VPN Troubleshooting

These guidelines provide a systematic approach to troubleshooting configuration inconsistencies for vpn issues. A mismatched configuration can result in vpn connection failure, intermittent disconnection, or even access to resources in a remote network. By following the steps outlined in this document, you should be able to identify and address configuration issues with VPN connections.

Issue: Configuration Mismatch

Symptoms

  • VPN connection fails to establish or frequently disconnects.
  • The client device is unable to access resources on the remote network.
  • Logs indicate error messages related to mismatched configurations.

Troubleshooting Steps

1. Access the CE Terminal

  • Log in to the CE terminal with superuser privileges to perform diagnostic checks.
sudo su -

2. Check Configuration Files

Check the OpenVPN configuration files for all correct settings. Start by reviewing the interface configuration of OpenVPN.

  • To review the OpenVPN configuration, execute the following command:
cat /tmp/last_config_response.json | jq .interfacesConfig.openVpn
  • This will display the OpenVPN interface configuration from the file.
cat /etc/config/openvpn

3. Check OpenVPN Service

Check if the OpenVPN service is running on the CE device. Use the following command for its service status.

  • To check if the OpenVPN service is running, execute:
/etc/init.d/openvpn status
  • If the OpenVPN service is not running, start it by executing:
/etc/init.d/openvpn start
  • If you need to stop the OpenVPN service, use the following command:
/etc/init.d/openvpn stop

4. Client PC Troubleshooting

On the client PC, use traceroute to test network connectivity. This helps determine if routing between the client and the remote network is being done correctly.

  • On the client PC, open a terminal or command prompt and run the following command to check connectivity:
traceroute -n 8.8.8.8

5. Review OpenVPN Logs on the CE Device

Check the OpenVPN log for any error messages or warnings that may indicate configuration issues. To check the logs on the CE device, use the following command:

  • To check the OpenVPN logs for any errors or warnings, execute the following command on the CE device:
logread | grep openvpn

6. Verify Route on Client PC

To verify that the VPN route is active, run the following command on the client PC to verify that the route to the remote network is configured correctly:

  • On the client PC, to verify if the VPN route is active, use the following command:
ip route -n 8.8.8.8

Verify Network Connectivity:

Make sure the CE device has a valid IP address, subnet mask, and gateway. Use the following command to check network configuration:

uci show network

(Example Response):

root@Backup_node:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.@globals[0]=globals
network.@globals[0].packet_steering='1'
network.eth0=interface
network.eth0.device='eth0'
network.eth0.default_wan='1'
network.eth0.disabled='0'
network.eth0.proto='static'
network.eth0.ipaddr='172.20.10.8'
network.eth0.netmask='255.255.255.0'
network.eth0.dns='172.20.10.1'
network.eth3=interface
network.eth3.device='eth3'
network.eth3.proto='static'
network.eth3.netmask='255.255.255.0'
network.eth3.disabled='0'
network.eth3.ipaddr='172.30.1.1'
network.@rule[0]=rule
network.@rule[0].priority='901'
network.@rule[0].lookup='main'
network.wlm0=interface
network.wlm0.disabled='1'
network.wlm0.proto='3g'
network.wlm0.pppname='wlm0'
network.wlm0.device='ttyUSB0'
network.wlm0.apn='comgt'
network.wlm0.ipv6='0'
network.wlm0.delegate='0'
network.wlm0.metric='2'
network.wlm0.ip4table='2'
network.f85c71f21c3040bdb4abcd168fa8e900=route
network.f85c71f21c3040bdb4abcd168fa8e900.target='172.30.2.0'
network.f85c71f21c3040bdb4abcd168fa8e900.netmask='255.255.255.0'
network.f85c71f21c3040bdb4abcd168fa8e900.gateway='172.31.0.2'
network.f85c71f21c3040bdb4abcd168fa8e900.table='main'
network.f85c71f21c3040bdb4abcd168fa8e900.proto='static'
network.f85c71f21c3040bdb4abcd168fa8e900.metric='1'
network.f85c71f21c3040bdb4abcd168fa8e900.interface='br25'
network.1777530465de4eafada07376f1239abf=route
network.1777530465de4eafada07376f1239abf.target='172.30.1.0'
network.1777530465de4eafada07376f1239abf.netmask='255.255.255.0'
network.1777530465de4eafada07376f1239abf.gateway='172.31.0.1'
network.1777530465de4eafada07376f1239abf.table='main'
network.1777530465de4eafada07376f1239abf.proto='static'
network.1777530465de4eafada07376f1239abf.metric='1'
network.eth1=interface
network.eth1.proto='static'
network.eth1.device='eth1'
network.eth1.ipaddr='100.100.100.2'
network.eth1.netmask='255.255.255.0'
network.eth1.dns='172.20.10.1'

This output contains information about network settings such as IP address, netmask and DNS server for each interface pay particular attention to the interface used for WAN connectivity ( in this example, probably eth0). It must have a valid IP address and configured DNS server too. In any case, wrong network settings can block the access of the essential for accessing various networks. Ensure that the routes required to access the hiCloud server are properly configured.

Check hiCLOUDS Configuration:

The configuration on the CE device can be verified using the following command.

uci show hiclouds

(Example Response):

root@Backup_node:~# uci show hiclouds
hiclouds.globals=hiclouds
hiclouds.globals.hub='hub.hi-clouds.com'
hiclouds.globals.uri='deviceApi/getEndpointUrl'
hiclouds.globals.request_timeout='30'
hiclouds.globals.machine_id='33b01673-94a7-343e-b403-8c47cabac692'
hiclouds.globals.router_id='08:00:27:82:fc:73'
hiclouds.globals.endpoint='dev.hi-clouds.com'
hiclouds.globals.device_id='677e6da4ab30043a8492148a'
hiclouds.globals.auth_token='eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiI2NzdlNmRhNGFiMzAwNDNhODQ5MjE0OGE6OmNlOjozM2IwMTY3My05NGE3LTM0M2UtYjQwMy04YzQ3Y2FiYWM2OTI6OjA4OjAwOjI3OjgyOmZjOjczIiwiaWF0IjoxNzM4NjcxOTg5LCJleHAiOjE3Mzg2NzU1ODl9.JU0WBSCzpCbS8PTPypXoCvjka01IKcuKVm54YJnPjtt9jUZdF_5fTyraDc3oirSh67ZzKU7MbYo7Osy84AmoeA'
hiclouds.register=hiclouds
hiclouds.register.interval='30'
hiclouds.register.uri='api/deviceApi/v1/devices/register'
hiclouds.status=hiclouds
hiclouds.status.keepalive_interval='10'
hiclouds.status.status_interval='30'
hiclouds.status.uri='api/deviceApi/v1/devices'
hiclouds.config=hiclouds
hiclouds.config.uri='api/deviceApi/v1/devices'
hiclouds.config.revision='64bd463d-f6ae-4cfc-b89d-c4d74b63a382'
hiclouds.edge=hiclouds_edge
hiclouds.edge.type='CE'
hiclouds.hiclouds=hiclouds
hiclouds.hiclouds.version='22.03.5'
hiclouds.hiclouds.build='b75'
root@Backup_node:~# uci show hiclouds
hiclouds.globals=hiclouds
hiclouds.globals.hub='hub.hi-clouds.com'
hiclouds.globals.uri='deviceApi/getEndpointUrl'
hiclouds.globals.request_timeout='30'
hiclouds.globals.machine_id='33b01673-94a7-343e-b403-8c47cabac692'
hiclouds.globals.router_id='08:00:27:82:fc:73'
hiclouds.globals.endpoint='dev.hi-clouds.com'
hiclouds.globals.device_id='677e6da4ab30043a8492148a'
hiclouds.globals.auth_token='eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiI2NzdlNmRhNGFiMzAwNDNhODQ5MjE0OGE6OmNlOjozM2IwMTY3My05NGE3LTM0M2UtYjQwMy04YzQ3Y2FiYWM2OTI6OjA4OjAwOjI3OjgyOmZjOjczIiwiaWF0IjoxNzM4NjcxOTg5LCJleHAiOjE3Mzg2NzU1ODl9.JU0WBSCzpCbS8PTPypXoCvjka01IKcuKVm54YJnPjtt9jUZdF_5fTyraDc3oirSh67ZzKU7MbYo7Osy84AmoeA'
hiclouds.register=hiclouds
hiclouds.register.interval='30'
hiclouds.register.uri='api/deviceApi/v1/devices/register'
hiclouds.status=hiclouds
hiclouds.status.keepalive_interval='10'
hiclouds.status.status_interval='30'
hiclouds.status.uri='api/deviceApi/v1/devices'
hiclouds.config=hiclouds
hiclouds.config.uri='api/deviceApi/v1/devices'
hiclouds.config.revision='64bd463d-f6ae-4cfc-b89d-c4d74b63a382'
hiclouds.edge=hiclouds_edge
hiclouds.edge.type='CE'
hiclouds.hiclouds=hiclouds
hiclouds.hiclouds.version='22.03.5'
hiclouds.hiclouds.build='b75'

This output displays the hiCLOUDS-related configurations, such as the hub address, endpoint, deviceId, authToken, and the keepalive_interval. Check whether the hub and endpoint are correct and if the authToken is valid and non-expired. The keepalive_interval specifies how often the device is set to send Keepalive requests. A very short interval may cause unnecessary overloading of the network, while a too big interval may cause the device to be determined as offline in case connectivity is temporarily lost