OpenWRT opens multiple OpenVPN client connections
This is a slightly obscure one, but when I was initially hit by it, I didn't find much when searching the net.
After setting up a new OpenVPN client config (i.e. the OpenWRT box is VPN'ing into somewhere, rather than acting as a VPN server itself) on an OpenWRT box, you might find that OpenWRT eventually crashes.
This documentation details the cause, at least in so far as it affected me.
Symptoms
If you're affected by this:
- connectivity over the VPN may appear to work (though it also may not), but will be prone to connection drops
- Your OpenWRT box may run out of memory and crash/reboot
- Logging will be very active
- There will be many OpenVPN processes on the box
If you look in the OpenWRT logs, you may see it successfully connecting to the VPN, with different PIDs, one after the other:
Fri Sep 24 14:26:15 2021 daemon.notice openvpn(Ikaros)[31438]: OpenVPN 2.4.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Sep 24 14:26:15 2021 daemon.notice openvpn(Ikaros)[31438]: library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
Fri Sep 24 14:26:15 2021 daemon.notice openvpn(Ikaros)[31440]: TCP/UDP: Preserving recently used remote address: [AF_INET]:13194
Fri Sep 24 14:26:15 2021 daemon.notice openvpn(Ikaros)[31440]: UDP link local: (not bound)
Fri Sep 24 14:26:15 2021 daemon.notice openvpn(Ikaros)[31440]: UDP link remote: [AF_INET] :13194
Fri Sep 24 14:26:15 2021 daemon.notice openvpn(Ikaros)[31440]: [server] Peer Connection Initiated with [AF_INET] :13194
Fri Sep 24 14:26:17 2021 daemon.notice openvpn(Ikaros)[31440]: TUN/TAP device tun1 opened
Fri Sep 24 14:26:17 2021 daemon.notice openvpn(Ikaros)[31440]: /sbin/ifconfig tun1 10.19.0.10 pointopoint 10.19.0.9 mtu 1500
Fri Sep 24 14:26:17 2021 daemon.notice netifd: Network device 'tun1' link is up
Fri Sep 24 14:26:17 2021 daemon.notice netifd: Interface 'tun0' has link connectivity
Fri Sep 24 14:26:17 2021 daemon.notice openvpn(Ikaros)[31440]: Initialization Sequence Completed
Fri Sep 24 14:26:20 2021 daemon.notice openvpn(Ikaros)[31633]: OpenVPN 2.4.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Sep 24 14:26:20 2021 daemon.notice openvpn(Ikaros)[31633]: library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
Fri Sep 24 14:26:20 2021 daemon.notice openvpn(Ikaros)[31635]: TCP/UDP: Preserving recently used remote address: [AF_INET] :13194
Fri Sep 24 14:26:20 2021 daemon.notice openvpn(Ikaros)[31635]: UDP link local: (not bound)
Fri Sep 24 14:26:20 2021 daemon.notice openvpn(Ikaros)[31635]: UDP link remote: [AF_INET] :13194
Fri Sep 24 14:26:20 2021 daemon.notice openvpn(Ikaros)[31635]: [server] Peer Connection Initiated with [AF_INET] :13194
Fri Sep 24 14:26:21 2021 daemon.notice openvpn(Ikaros)[31635]: TUN/TAP device tun2 opened
Fri Sep 24 14:26:21 2021 daemon.notice openvpn(Ikaros)[31635]: /sbin/ifconfig tun2 10.19.0.14 pointopoint 10.19.0.13 mtu 1500
Fri Sep 24 14:26:21 2021 daemon.notice openvpn(Ikaros)[31635]: Initialization Sequence Completed
This will probably repeat, with the number of the tun interface changing each time; however, you might also see the same number.
Depending on the VPN's config, you may also see one of the following errors:
MULTI: no free --ifconfig-pool addresses are available
MULTI: new connection by client 'myclient' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect
Cannot ioctl TUNSETIFF tun0: Device or resource busy (errno=16)
This is because OpenWRT is trying to establish multiple simultaneous connections to the OpenVPN server.
If you SSH onto the OpenWRT box, you'll see there are multiple OpenVPN processes:
root@OpenWrt:~# ps | grep vpn
31440 root 3976 S /usr/sbin/openvpn --syslog openvpn(Ikaros) --status /var/run/openvpn.Ikaros.status --cd /etc/openvpn --config /etc/openvpn/Ikaros.
31635 root 3976 S /usr/sbin/openvpn --syslog openvpn(Ikaros) --status /var/run/openvpn.Ikaros.status --cd /etc/openvpn --config /etc/openvpn/Ikaros.
31800 root 3976 S /usr/sbin/openvpn --syslog openvpn(Ikaros) --status /var/run/openvpn.Ikaros.status --cd /etc/openvpn --config /etc/openvpn/Ikaros.
31945 root 3976 S /usr/sbin/openvpn --syslog openvpn(Ikaros) --status /var/run/openvpn.Ikaros.status --cd /etc/openvpn --config /etc/openvpn/Ikaros.
32094 root 3976 S /usr/sbin/openvpn --syslog openvpn(Ikaros) --status /var/run/openvpn.Ikaros.status --cd /etc/openvpn --config /etc/openvpn/Ikaros.
32248 root 3976 S /usr/sbin/openvpn --syslog openvpn(Ikaros) --status /var/run/openvpn.Ikaros.status --cd /etc/openvpn --config /etc/openvpn/Ikaros.
32400 root 3976 S /usr/sbin/openvpn --syslog openvpn(Ikaros) --status /var/run/openvpn.Ikaros.status --cd /etc/openvpn --config /etc/openvpn/Ikaros.
Whether or not you experience system crashes seems to depend on how quickly the remote server can handle setup - if it's fast and responsive then OpenWRT can spin lots and lots of processes up and deprive itself of RAM.
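One way to confirm the symptom from the logs, added here as an example and not part of the original write-up: it reports any OpenVPN instance whose "Initialization Sequence Completed" message was logged by more than one PID. The function name and the sample lines are constructed for illustration; a single process that merely reconnects keeps its PID and is not flagged.

```shell
#!/bin/sh
# Constructed sample in the syslog format shown above (not real log data).
SAMPLE_LOG='Fri Sep 24 14:26:17 2021 daemon.notice openvpn(Ikaros)[31440]: Initialization Sequence Completed
Fri Sep 24 14:26:19 2021 daemon.notice openvpn(Ikaros)[31440]: Initialization Sequence Completed
Fri Sep 24 14:26:21 2021 daemon.notice openvpn(Ikaros)[31635]: Initialization Sequence Completed
Fri Sep 24 14:26:30 2021 daemon.notice openvpn(Other)[2201]: UDP link local: (not bound)
Fri Sep 24 14:26:31 2021 daemon.notice openvpn(Other)[2201]: Initialization Sequence Completed'

# Reads syslog lines (stdin or files) and prints "<instance> <count>" for
# every instance that completed initialization under more than one PID.
vpn_respawn_check() {
    awk '
    /Initialization Sequence Completed/ &&
    match($0, /openvpn\([^)]*\)\[[0-9]+\]/) {
        tag = substr($0, RSTART, RLENGTH)   # e.g. openvpn(Ikaros)[31440]
        if (tag in seen) next               # same process reconnecting
        seen[tag] = 1
        name = tag
        sub(/^openvpn\(/, "", name)         # strip prefix ...
        sub(/\)\[[0-9]+\]$/, "", name)      # ... and PID, leaving the instance
        pids[name]++
    }
    END { for (n in pids) if (pids[n] > 1) print n, pids[n] }
    ' "$@"
}

# Demo on the constructed sample; on the router use: logread | vpn_respawn_check
printf '%s\n' "$SAMPLE_LOG" | vpn_respawn_check
```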
Cause
The cause is annoyingly simple.
In the OpenVPN client config file (traditionally they have a .ovpn file extension) is the line
daemon
This causes the OpenVPN daemon to fork into the background once the connection is established. Unfortunately, OpenWRT interprets this as the process exiting and spins up a new one to replace it.
To resolve the issue, just edit your OpenVPN config in OpenWRT and remove that line so that the OpenVPN process doesn't fork.
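The edit described above can be scripted; this is an added example, not from the original post. It drops any active `daemon` directive (with or without a program-name argument, and tolerating CRLF line endings) while leaving commented-out lines and the contents of inline blocks such as `<ca>` untouched. The function name, the sample config and the file path in the comments are assumptions.

```shell
#!/bin/sh
# Constructed sample client config (hostname is a placeholder).
SAMPLE_OVPN='client
dev tun
proto udp
remote vpn.example.net 13194
# daemon is commented out here
daemon
  daemon openvpn-client
<ca>
daemon
</ca>
verb 3'

# Prints the config (stdin or files) without top-level "daemon" directives.
strip_daemon() {
    awk '
    /^[ \t]*<\/[A-Za-z0-9_-]+>/ { inblock = 0; print; next }  # end of inline block
    /^[ \t]*<[A-Za-z0-9_-]+>/   { inblock = 1; print; next }  # start of inline block
    !inblock && /^[ \t]*daemon([ \t\r]|$)/ { next }           # drop the directive
    { print }
    ' "$@"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_OVPN" | strip_daemon

# On the router, keeping a backup (path is a placeholder):
#   cp /etc/openvpn/EXAMPLE.ovpn /etc/openvpn/EXAMPLE.ovpn.bak
#   strip_daemon /etc/openvpn/EXAMPLE.ovpn.bak > /etc/openvpn/EXAMPLE.ovpn
#   /etc/init.d/openvpn restart
```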