Initialization Sequence Completed, but terminal wont give a prompt

Question

I just installed openvpn on a remote CentOS 7 server using the instructions in this tutorial.

The only change I made to the tutorial was to use @GarethTheRed's instructions for configuring firewalld instead of iptables, as described in Step 4 of the tutorial.

The problem is that the tutorial ends with a line of client code that causes the terminal to fail to return a command prompt (see below). How can I successfully connect via OpenVPN to my remote CentOS 7 server from my local CentOS 7 devbox?

Here are the connection steps I have tried so far:

At the end of Step 6 of the tutorial, I successfully used yum install openvpn on my devbox before typing sudo openvpn --config /path/to/client.ovpn.

The problem is that sudo openvpn --config /path/to/client.ovpn results in the terminal locking up after printing Initialization Sequence Completed.

The complete output is:

[root@localhost ~]# openvpn --config /etc/openvpn/client.ovpn
Wed Feb 11 16:46:06 2015 OpenVPN 2.3.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec  2 2014
Wed Feb 11 16:46:06 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Wed Feb 11 16:46:06 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Feb 11 16:46:06 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Wed Feb 11 16:46:06 2015 UDPv4 link local: [undef]
Wed Feb 11 16:46:06 2015 UDPv4 link remote: [AF_INET]192.96.215.22:1194
Wed Feb 11 16:46:06 2015 TLS: Initial packet from [AF_INET]192.96.215.22:1194, sid=1f320288 ab1f20d3
Wed Feb 11 16:46:07 2015 VERIFY OK: depth=1, C=US, ST=CA, L=SomeTown, O=Fort-Funston, OU=MyOrganizationalUnit, CN=serverdomain.com, name=server, emailAddress=me@somedomain.com
Wed Feb 11 16:46:07 2015 VERIFY OK: depth=0, C=US, ST=CA, L=SomeTown, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=server, emailAddress=me@somedomain.com
Wed Feb 11 16:46:08 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 11 16:46:08 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 11 16:46:08 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 11 16:46:08 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 11 16:46:08 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Feb 11 16:46:08 2015 [server] Peer Connection Initiated with [AF_INET]192.96.215.22:1194
Wed Feb 11 16:46:10 2015 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Feb 11 16:46:10 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Feb 11 16:46:10 2015 OPTIONS IMPORT: timers and/or timeouts modified
Wed Feb 11 16:46:10 2015 OPTIONS IMPORT: --ifconfig/up options modified
Wed Feb 11 16:46:10 2015 OPTIONS IMPORT: route options modified
Wed Feb 11 16:46:10 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Feb 11 16:46:10 2015 ROUTE_GATEWAY 10.0.0.1/255.255.255.0 IFACE=p4p1 HWADDR=14:fe:b5:aa:57:60
Wed Feb 11 16:46:10 2015 TUN/TAP device tun0 opened
Wed Feb 11 16:46:10 2015 TUN/TAP TX queue length set to 100
Wed Feb 11 16:46:10 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Feb 11 16:46:10 2015 /usr/sbin/ip link set dev tun0 up mtu 1500
Wed Feb 11 16:46:10 2015 /usr/sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Wed Feb 11 16:46:10 2015 /usr/sbin/ip route add 192.96.215.22/32 via 10.0.0.1
Wed Feb 11 16:46:10 2015 /usr/sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Wed Feb 11 16:46:10 2015 /usr/sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Wed Feb 11 16:46:10 2015 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Wed Feb 11 16:46:10 2015 Initialization Sequence Completed

At the end of this output, there is just a cursor, but no command prompt. Typing in the cursor or hitting return has no effect besides printing what you type on the terminal screen.

I read this other posting which describes a similar error and states that the problem is in the DNS configuration, but I followed the tutorial's DNS config instructions exactly. The server also handles requests for mydomain.com served up by httpd. The domain registrar has been pointing requests for mydomain.com to the ip of the server since long before adding OpenVPN. Would this cause some kind of conflict? How can I get the connection to complete?

garethTheRed · Accepted Answer · 2015-02-12T19:21:09.180

7

Try starting the client with the --daemon option:

openvpn --daemon

From openvpn's man page:

--daemon [progname]
  Become a daemon after all initialization functions are completed

To interact with openvpn once it is a daemon, add the --management option to the command. This allows you to interact with it using telnet as described here.

Alternatively, open another terminal and just use that. This way, you can exit the running openvpn by pressing Ctl C in the original terminal.

If the client is a desktop system that uses Network Manager, then use the OpenVPN plugin to control it from there - no terminal needed.

edited Feb 12 '15 at 19:21

answered Feb 12 '15 at 12:57

garethTheRed

33,957

@CodeMed - I've edited my answer... – garethTheRed Feb 12 '15 at 17:45
I am planning to use OpenVPN to 1.) allow the administrator to perform all admin functions that I currently perform with ssh and 2.) to allow users to interact with a private web application using their web browsers. I can put much of those requirements in other questions. Right now, I just want to get started so that I can research the possibilities with a working prototype. I'm telling you these details so you can help me define a working starting point. Just being able to access a terminal via OpenVPN would be great for now. Then I could shut down ssh altogether and do admin over OpenVPN – CodeMed Feb 12 '15 at 18:52
Access a terminal via OpenVPN? That's the job of ssh. Unless you're trying to avoid opening the firewall for ssh of course. Once openvpn is running correctly, your remote user will effectively be on the LAN, at which point the user can ssh to the servers or access the private web application. Is that what you are trying to achieve? Run openvpn --daemon and check if you have a LAN IP address. – garethTheRed Feb 12 '15 at 19:31
1

I ran openvpn --daemon and openvpn --daemon --management, but all I get is another command prompt after each of those commands. No error message. No success message. Nothing but another command prompt. Yes, I am trying to avoid opening the firewall for ssh. I want all ssh and http/s traffic to run inside the VPN tunnel, so that only two ports are open in the firewall, one for OpenVPN and the other for smtp. How can I check if I have a LAN IP address? This is all new to me. Thank you – CodeMed Feb 17 '15 at 01:11
Note that I created passwords for both the server and the client. I have not entered these passwords because I have not been prompted for them, and I have not read where to submit them. I do not know if they are required for authentication. I believe the passwords were created as part of the certificate generation process. The tutorial in my OP was silent on the topic of passwords, though the certificate generating scripts asked me to create passwords. – CodeMed Feb 17 '15 at 01:23
Yes, that's correct - you'll get a command prompt as openvpn is running in the background. If you run ip addr you should see a tun device with an IP address. If you run ip route you should see a new route added with IP addresses in the same network as your tun device has. This is the route through the VPN to your remote server. Ping the remote server's VPN address (not it's public IP address) and you should get a response. – garethTheRed Feb 17 '15 at 17:05
Thank you. But I think I am missing something. Are you willing to look at the output and help me see what I might be doing wrong? I posted it to a file sharing site. Here is the link: https://jumpshare.com/v/lTULOxSkEeiaOm6Yd5FU?b=mLIuVaLC7U1s9hBx1tYY – CodeMed Feb 17 '15 at 18:26
You are missing the tun device, without which, nothing will work. Are you sure you've followed the DigitalOcean article correctly? To be honest, I can't confirm it works as I set up my server from another source, the client setup does work though. Run openvpn without --daemon or --management and see if there is anything useful in the output. You did run it as root didn't you? – garethTheRed Feb 17 '15 at 19:14
Yes I ran it as root. Typing openvpn as root gives a long printout of options, much like a man page. Yes, I followed the digital ocean article explicitly, with the only exception that I used your firewalld instructions linked in my OP instead of the iptables instruction in the article. – CodeMed Feb 17 '15 at 19:17
Sorry - openvpn --config /path/to/config/file. – garethTheRed Feb 17 '15 at 19:20
openvpn --config /path/to/config/file gives the same results described in my OP. i.e. The terminal prints a lot of stuff like it is establishing a connection. Then it prints Tue Feb 17 11:21:47 2015 Initialization Sequence Completed. But it does not give a command prompt. It just gives a cursor with no command prompt, so you can type things and hit return, but all you get is a carriage return and no interactive response. – CodeMed Feb 17 '15 at 19:24
Let us continue this discussion in chat. – garethTheRed Feb 17 '15 at 19:30
I am not able to log into unix.stackexchange chat, though of course I am logged in as a user. I have posted a ticket about this, see meta post: http://meta.unix.stackexchange.com/questions/3405/cannot-log-into-chat – CodeMed Feb 17 '15 at 19:36
I did open a stack overflow chat room. Are you willing to discuss this with me there? here is the link: http://chat.stackoverflow.com/rooms/71108/anotherroom – CodeMed Feb 17 '15 at 19:37
I would like to define separate permissions for users who only get https access, and for administrator who can https and ssh. My research indicates that I should set up a separate instance of OpenVPN to accomplish this. I took a first stab at a plan. Are you willing to assess the plan and show how to accomplish it if you think my approach is best? Here is the link to the new posting: http://unix.stackexchange.com/questions/185599/multiple-instances-of-openvpn-on-centos-7 – CodeMed Feb 18 '15 at 22:20
1

I wish you guys did not use chat to solve the problem... I am stuck with this problem as of now. – lobi Sep 28 '15 at 22:05
1

@lobi. If we do not use chat, we get severely told off by the moderators :-) This is a question and answer site, not a question and discuss site and in order to keep it tidy, we are forced into chat every time the comments start to get a little long. In the perfect world, after discussing via chat, a relevant and concise answer should be posted; but as you can imagine, that doesn't always happen. – garethTheRed Sep 29 '15 at 06:26
Understood. Thanks for the response; I'm relatively new to stackexchange. It is unfortunate that a chat session is not stored and linked to the question. – lobi Sep 30 '15 at 18:35

score -1 · Answer 2 · edited Aug 18 '16 at 14:52

-1

I encountered the same issue here and this is what worked for me:

# setenforce 0

edited Aug 18 '16 at 14:52

Kevdog777

3,224

answered Aug 18 '16 at 14:39

Alex Iorga

1

Initialization Sequence Completed, but terminal wont give a prompt

2 Answers2