OpenVPN config disappear after reboot 1.2.0 rc3


#1

Hello,

I have a freshly installed VyOS 1.2.0 rc3 with this config:

set cluster dead-interval '10000'
set cluster group cluster-v auto-failback 'true'
set cluster group cluster-v primary 'astor-v'
set cluster group cluster-v secondary 'phoenix-v'
set cluster group cluster-v service '192.168.247.94/28/eth1.4064'
set cluster group cluster-v service '10.202.11.254/24/eth1.3079'
set cluster group cluster-v service '99.99.99.251/28/eth3'
set cluster group cluster-v service '192.168.88.50/24/eth0'
set cluster interface 'eth3'
set cluster interface 'eth0'
set cluster keepalive-interval '2000'
set cluster monitor-dead-interval '20000'
set cluster pre-shared-secret 'Vgzui78K1234567890'
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ip-src-route 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall log-martians 'enable'
set firewall name WAN-IN default-action 'drop'
set firewall name WAN-IN enable-default-log
set firewall name WAN-IN rule 100 action 'accept'
set firewall name WAN-IN rule 100 source address '10.214.0.0/16'
set firewall name WAN-local default-action 'drop'
set firewall name WAN-local enable-default-log
set firewall name WAN-local rule 100 action 'accept'
set firewall name WAN-local rule 100 destination port '500,4500,1195'
set firewall name WAN-local rule 100 log 'enable'
set firewall name WAN-local rule 100 protocol 'udp'
set firewall name WAN-local rule 101 action 'accept'
set firewall name WAN-local rule 101 log 'enable'
set firewall name WAN-local rule 101 protocol 'esp'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall state-policy established action 'accept'
set firewall state-policy invalid action 'drop'
set firewall state-policy related action 'accept'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address '192.168.88.51/24'
set interfaces ethernet eth0 description 'uplink'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 description 'Switch'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth1 vif 3079 address '10.202.11.251/24'
set interfaces ethernet eth1 vif 3079 description 'GLT_GYM_Tolkewitz'
set interfaces ethernet eth1 vif 3079 policy route 'central-routing'
set interfaces ethernet eth1 vif 4064 address '192.168.247.93/28'
set interfaces ethernet eth1 vif 4064 description 'MGMT-Switche'
set interfaces ethernet eth1 vif 4064 policy route 'central-routing'
set interfaces ethernet eth2 address '192.168.146.51/24'
set interfaces ethernet eth2 description 'MGMT'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 smp-affinity 'auto'
set interfaces ethernet eth2 speed 'auto'
set interfaces ethernet eth3 address '99.99.99.246/28'
set interfaces ethernet eth3 description 'WAN'
set interfaces ethernet eth3 duplex 'auto'
set interfaces ethernet eth3 firewall in name 'WAN-IN'
set interfaces ethernet eth3 firewall local name 'WAN-local'
set interfaces ethernet eth3 smp-affinity 'auto'
set interfaces ethernet eth3 speed 'auto'
set interfaces loopback lo
set interfaces openvpn vtun0 encryption 'aes256'
set interfaces openvpn vtun0 local-host '99.99.99.251'
set interfaces openvpn vtun0 local-port '1195'
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 policy route 'central-routing'
set interfaces openvpn vtun0 replace-default-route
set interfaces openvpn vtun0 server client cs-o202001 ip '10.250.202.1'
set interfaces openvpn vtun0 server client cs-o202001 subnet '10.202.1.0/24'
set interfaces openvpn vtun0 server reject-unconfigured-clients
set interfaces openvpn vtun0 server subnet '10.250.0.0/16'
set interfaces openvpn vtun0 server topology 'point-to-point'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/ovpn/server.crt'
set interfaces openvpn vtun0 tls crl-file '/config/auth/ovpn/crl.pem'
set interfaces openvpn vtun0 tls dh-file '/config/auth/ovpn/dh4096.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/ovpn/server.key'
set nat source rule 10 outbound-interface 'eth3'
set nat source rule 10 translation address '99.99.99.246'
set policy route central-routing description 'Route all to central Router'
set policy route central-routing rule 100 set table '100'
set protocols static route 0.0.0.0/0 next-hop 99.99.99.254
set protocols static route 10.202.0.0/16 next-hop 10.250.0.1
set protocols static route 10.214.0.0/16 next-hop 10.250.0.1
set protocols static table 100 route 0.0.0.0/0 next-hop 192.168.88.253
set service dhcp-server shared-network-name eth1.3079 authoritative
set service dhcp-server shared-network-name eth1.3079 subnet 10.202.11.0/24 dns-server '10.166.252.117'
set service dhcp-server shared-network-name eth1.3079 subnet 10.202.11.0/24 dns-server '10.166.253.11'
set service dhcp-server shared-network-name eth1.3079 subnet 10.202.11.0/24 range 0 start '10.202.11.10'
set service dhcp-server shared-network-name eth1.3079 subnet 10.202.11.0/24 range 0 stop '10.202.11.249'
set service snmp community lhd2
set service snmp listen-address 192.168.146.5
set service ssh listen-address '192.168.146.51'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '9600'
set system host-name 'phoenix-v'
set system login user vyos authentication encrypted-password ******
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system name-server '1.1.1.1'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'Europe/Berlin'

The secondary cluster node is offline; I have not installed it yet.

After a reboot, all configuration starting with `set interfaces openvpn` is gone, but it is still present in the config.boot file.

I also tried running the config without the routing policy, but even without it the OpenVPN config still disappears.


#2

It could be related to this 1.2.0-rc3 bug: https://phabricator.vyos.net/T890


#3

Maybe.

In the meantime I installed the 2nd node and applied the same config, except for the local interface IPs.

When I commit the config, this error appears:

OpenVPN configuration error: No interface on system with specified local-host IP address 99.99.99.251.

That's correct, because the IP is on the active node.
So I thought that maybe the cluster IP on the WAN interface is not yet present when the server is booting.

So I deleted the virtual IP from the OpenVPN config on both nodes:

delete interface openvpn vtun0 local-host

Now the OpenVPN config no longer disappears. It works with the node's local interface IP, but not with the cluster IP, because VyOS answers with the local interface IP.

How do I build a cluster with OpenVPN?