OpenWRT opens multiple OpenVPN client connections

This is a slightly obscure one, but when I was initially hit by it, I didn't find much when searching the net.

After setting up a new OpenVPN client config (i.e. the OpenWRT box is VPN'ing into somewhere, rather than acting as a VPN server itself) on an OpenWRT box, you might find that OpenWRT eventually crashes.

This documentation details the cause, at least in so far as it affected me.

Symptoms

If you're affected by this:

  • Connectivity over the VPN may appear to work (though it also may not), but will be prone to connection drops
  • Your OpenWRT box may run out of memory and crash/reboot
  • Logging will be very active
  • There will be many OpenVPN processes on the box

If you look in the OpenWRT logs, you may see it successfully connecting to the VPN with different PIDs, one after the other:

Fri Sep 24 14:26:15 2021 daemon.notice openvpn(Ikaros)[31438]: OpenVPN 2.4.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Sep 24 14:26:15 2021 daemon.notice openvpn(Ikaros)[31438]: library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
Fri Sep 24 14:26:15 2021 daemon.notice openvpn(Ikaros)[31440]: TCP/UDP: Preserving recently used remote address: [AF_INET]:13194
Fri Sep 24 14:26:15 2021 daemon.notice openvpn(Ikaros)[31440]: UDP link local: (not bound)
Fri Sep 24 14:26:15 2021 daemon.notice openvpn(Ikaros)[31440]: UDP link remote: [AF_INET]:13194
Fri Sep 24 14:26:15 2021 daemon.notice openvpn(Ikaros)[31440]: [server] Peer Connection Initiated with [AF_INET]:13194
Fri Sep 24 14:26:17 2021 daemon.notice openvpn(Ikaros)[31440]: TUN/TAP device tun1 opened
Fri Sep 24 14:26:17 2021 daemon.notice openvpn(Ikaros)[31440]: /sbin/ifconfig tun1 10.19.0.10 pointopoint 10.19.0.9 mtu 1500
Fri Sep 24 14:26:17 2021 daemon.notice netifd: Network device 'tun1' link is up
Fri Sep 24 14:26:17 2021 daemon.notice netifd: Interface 'tun0' has link connectivity
Fri Sep 24 14:26:17 2021 daemon.notice openvpn(Ikaros)[31440]: Initialization Sequence Completed
Fri Sep 24 14:26:20 2021 daemon.notice openvpn(Ikaros)[31633]: OpenVPN 2.4.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Sep 24 14:26:20 2021 daemon.notice openvpn(Ikaros)[31633]: library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
Fri Sep 24 14:26:20 2021 daemon.notice openvpn(Ikaros)[31635]: TCP/UDP: Preserving recently used remote address: [AF_INET]:13194
Fri Sep 24 14:26:20 2021 daemon.notice openvpn(Ikaros)[31635]: UDP link local: (not bound)
Fri Sep 24 14:26:20 2021 daemon.notice openvpn(Ikaros)[31635]: UDP link remote: [AF_INET]:13194
Fri Sep 24 14:26:20 2021 daemon.notice openvpn(Ikaros)[31635]: [server] Peer Connection Initiated with [AF_INET]:13194
Fri Sep 24 14:26:21 2021 daemon.notice openvpn(Ikaros)[31635]: TUN/TAP device tun2 opened
Fri Sep 24 14:26:21 2021 daemon.notice openvpn(Ikaros)[31635]: /sbin/ifconfig tun2 10.19.0.14 pointopoint 10.19.0.13 mtu 1500
Fri Sep 24 14:26:21 2021 daemon.notice openvpn(Ikaros)[31635]: Initialization Sequence Completed

This will probably repeat, with the number of the tun interface changing each time, although you might also see the same number.

Depending on the VPN's config, you may also see one of the following errors:

MULTI: no free --ifconfig-pool addresses are available
MULTI: new connection by client 'myclient' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect
Cannot ioctl TUNSETIFF tun0: Device or resource busy (errno=16)

This is because OpenWRT is trying to establish multiple simultaneous connections to the OpenVPN server.

If you SSH onto the OpenWRT box, you will see that there are multiple OpenVPN processes:

root@OpenWrt:~# ps | grep vpn
31440 root      3976 S    /usr/sbin/openvpn --syslog openvpn(Ikaros) --status /var/run/openvpn.Ikaros.status --cd /etc/openvpn --config /etc/openvpn/Ikaros.
31635 root      3976 S    /usr/sbin/openvpn --syslog openvpn(Ikaros) --status /var/run/openvpn.Ikaros.status --cd /etc/openvpn --config /etc/openvpn/Ikaros.
31800 root      3976 S    /usr/sbin/openvpn --syslog openvpn(Ikaros) --status /var/run/openvpn.Ikaros.status --cd /etc/openvpn --config /etc/openvpn/Ikaros.
31945 root      3976 S    /usr/sbin/openvpn --syslog openvpn(Ikaros) --status /var/run/openvpn.Ikaros.status --cd /etc/openvpn --config /etc/openvpn/Ikaros.
32094 root      3976 S    /usr/sbin/openvpn --syslog openvpn(Ikaros) --status /var/run/openvpn.Ikaros.status --cd /etc/openvpn --config /etc/openvpn/Ikaros.
32248 root      3976 S    /usr/sbin/openvpn --syslog openvpn(Ikaros) --status /var/run/openvpn.Ikaros.status --cd /etc/openvpn --config /etc/openvpn/Ikaros.
32400 root      3976 S    /usr/sbin/openvpn --syslog openvpn(Ikaros) --status /var/run/openvpn.Ikaros.status --cd /etc/openvpn --config /etc/openvpn/Ikaros.

Whether or not you experience system crashes seems to depend on how quickly the remote server can handle setup: if it's fast and responsive, then OpenWRT can spin up lots and lots of processes and deprive itself of RAM.
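The log pattern described above can be checked mechanically. The following is an added example, not part of the original post: it counts how many distinct PIDs per OpenVPN instance logged "Initialization Sequence Completed". The function name and the "Office" instance are assumptions made for illustration, and the count covers whatever input it is given, so feed it a recent slice of the log.

```shell
#!/bin/sh
# Added example (not from the original page): spot the respawn loop in syslog.

# Sample input: the Ikaros lines come from the log above (one is repeated on
# purpose); the "Office" line is constructed to show a healthy instance.
SAMPLE_LOG='Fri Sep 24 14:26:17 2021 daemon.notice openvpn(Ikaros)[31440]: Initialization Sequence Completed
Fri Sep 24 14:26:21 2021 daemon.notice openvpn(Ikaros)[31635]: Initialization Sequence Completed
Fri Sep 24 14:26:21 2021 daemon.notice openvpn(Ikaros)[31635]: Initialization Sequence Completed
Fri Sep 24 14:27:02 2021 daemon.notice openvpn(Office)[2210]: Initialization Sequence Completed'

# Reads syslog lines on stdin and prints "<instance> <n>" for every instance
# where n > 1 distinct PIDs completed initialization.
respawn_suspects() {
    awk '
    /openvpn\([^)]*\)\[[0-9]+\]: Initialization Sequence Completed/ {
        tag  = substr($0, index($0, "openvpn(") + 8)   # "Ikaros)[31440]: ..."
        name = substr(tag, 1, index(tag, ")") - 1)
        lb = index(tag, "["); rb = index(tag, "]")
        pid  = substr(tag, lb + 1, rb - lb - 1)
        key  = name SUBSEP pid
        if (!(key in seen)) { seen[key] = 1; count[name]++ }
    }
    END { for (name in count) if (count[name] > 1) print name, count[name] }
    ' | sort
}

# On the router itself: logread | respawn_suspects
printf '%s\n' "$SAMPLE_LOG" | respawn_suspects
```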

 

Cause

The cause is annoyingly simple.

The OpenVPN client config file (traditionally these have a .ovpn file extension) contains the line:

daemon

This causes the OpenVPN daemon to fork into the background once the connection is established. Unfortunately, OpenWRT interprets this as the process exiting and spins up a new one to replace it.

To resolve the issue, just edit your OpenVPN config in OpenWRT and remove that line so that the OpenVPN process doesn't fork.
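One way to find and disable the directive across several configs, as an added example that is not part of the original post. The function names, the sample config, the vpn.example.com placeholder and the extra *.conf glob are assumptions; /etc/openvpn is the --cd directory visible in the ps output above.

```shell
#!/bin/sh
# Added example (not from the original page). Names and sample are assumptions.

# Constructed sample config; the remote host and port are placeholders.
SAMPLE_CONF='client
dev tun
proto udp
remote vpn.example.com 1194
# daemon        (already commented out: must be ignored)
  daemon
verb 3'

# Print line numbers of active "daemon" directives in config file $1.
# Comment lines (# or ;) never match because their first field is not
# exactly "daemon"; indented lines and "daemon <progname>" do match.
active_daemon_lines() {
    awk '$1 == "daemon" { print NR }' "$1"
}

# Comment the directive out in place, keeping a backup in $1.bak.
# Returns 0 if the file was changed, 1 if there was nothing to do.
disable_daemon() {
    [ -n "$(active_daemon_lines "$1")" ] || return 1
    cp -p "$1" "$1.bak" || return 2
    awk '$1 == "daemon" { print "# " $0; next } { print }' "$1.bak" > "$1"
}

# Report every config under directory $1 (default /etc/openvpn) that still
# has an active directive.
audit_dir() {
    dir=${1:-/etc/openvpn}
    for f in "$dir"/*.ovpn "$dir"/*.conf; do
        [ -f "$f" ] || continue
        lines=$(active_daemon_lines "$f")
        if [ -n "$lines" ]; then
            # $lines is left unquoted so the numbers join on one line
            echo "$f: active daemon directive on line(s)" $lines
        fi
    done
    return 0
}

audit_dir "$1"
```

After changing a config, restart the service with /etc/init.d/openvpn restart so the running instance picks up the edit.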