Question #4751


Distant VPN server can't receive his promises

Added by Nicolas KAROLAK about 9 years ago. Updated about 9 years ago.

Target version:


I have two networks linked by a VPN (OpenPVN) and the distant VPN server (in the "network A") can't receive his promises from the Rudder server (in the "net B"). All other clients, even in the distant network (A), work properly.

Network A :
Network B :

As I understand, the problem seems to be that when my distant VPN server was accepted on the Rudder server, it was registred with its "eth0" interface address IP. But now, when asking to receive his promises, it ask with its "tun0" interface address IP which is So it is rejected by the Rudder server because of the UUID doesn't match with the IP previously registred. Here are the debug informations from cf-serverd :

rudder>  -> Accepting a connection
rudder> Obtained IP address of on socket 7 from accept
rudder> Accepting connection from "" 
rudder> New connection...(from 7)
rudder> Spawning new thread...
rudder> Allowing to connect without (re)checking ID
rudder> Non-verified Host ID is (Using skipverify)
rudder> Non-verified User ID seems to be root (Using skipverify)
rudder>  -> Public key identity of host "" is "MD5=cb8201b1bca81bc884557edc12dcb9d3" 
rudder> A public key was already known from - no trust required
rudder> Adding IP to SkipVerify - no need to check this if we have a key
rudder> The public key identity was confirmed as root@
rudder>  -> Strong authentication of client achieved
rudder>  -> Receiving session key from client (size=256)...
rudder> Filename /var/rudder/share/dd3c2ec5-69cb-47ea-b2b4-bb8fb129e997/rules/cfengine-community/rudder_promises_generated is resolved to /var/rudder/share/dd3c2ec5-69cb-47ea-b2b4-bb8fb129e997/rules/cfengine-community/rudder_promises_generated
rudder> Found a matching rule in access list (/var/rudder/share/dd3c2ec5-69cb-47ea-b2b4-bb8fb129e997/rules/cfengine-community/rudder_promises_generated in /var/rudder/share/dd3c2ec5-69cb-47ea-b2b4-bb8fb129e997)
rudder> Host denied access to /var/rudder/share/dd3c2ec5-69cb-47ea-b2b4-bb8fb129e997/rules/cfengine-community/rudder_promises_generated
rudder> Access control in sync
rudder> From (host=,user=root,ip=
rudder> REFUSAL of request from connecting host: (SYNCH 1397134555 STAT /var/rudder/share/dd3c2ec5-69cb-47ea-b2b4-bb8fb129e997/rules/cfengine-community/rudder_promises_generated)
rudder> Terminating thread...

I added the tunnel network in the authorized network in the administration panel, but still doesn't work. Routing is OK, everything ping correctly.

Actions #1

Updated by Vincent MEMBRÉ about 9 years ago

Hello Nicolas,

Thanks for opening your issue!

Does Rudder server resolve ip as your node hostname? It uses file /etc/hosts to resolve ip and only authorize the node to access its directory if it can resolve.

by the way, which version of Rudder are you using ?

Actions #2

Updated by Nicolas KAROLAK about 9 years ago


Actually it didn't resolve as my node hostname, I added this line in `/etc/hosts` :       srv92-vpn01

And after a reboot of the server it works ! Thanks.

I'm on the version 2.6.

Actions #3

Updated by Vincent MEMBRÉ about 9 years ago

  • Tracker changed from Bug to Question
  • Status changed from New to Resolved
  • Target version set to 2.6.13

If you have other problems, you might look at this page for more advices:

But don't hesitate to open an issue if you have a doubt :)

If this is a quite small install, I suggest you to try our latest version (2.10) to enjoy a faster Rudder with lots of new features :)


Also available in: Atom PDF