Question #4751


Distant VPN server can't receive its promises

Added by Nicolas KAROLAK about 10 years ago. Updated about 10 years ago.



I have two networks linked by a VPN (OpenVPN) and the distant VPN server (in "network A") can't receive its promises from the Rudder server (in "net B"). All other clients, even in the distant network (A), work properly.

Network A :
Network B :

As I understand it, the problem seems to be that when my distant VPN server was accepted on the Rudder server, it was registered with its "eth0" interface IP address. But now, when asking to receive its promises, it asks with its "tun0" interface IP address which is So it is rejected by the Rudder server because the UUID doesn't match the IP previously registered. Here is the debug information from cf-serverd:

rudder>  -> Accepting a connection
rudder> Obtained IP address of on socket 7 from accept
rudder> Accepting connection from "" 
rudder> New connection...(from 7)
rudder> Spawning new thread...
rudder> Allowing to connect without (re)checking ID
rudder> Non-verified Host ID is (Using skipverify)
rudder> Non-verified User ID seems to be root (Using skipverify)
rudder>  -> Public key identity of host "" is "MD5=cb8201b1bca81bc884557edc12dcb9d3" 
rudder> A public key was already known from - no trust required
rudder> Adding IP to SkipVerify - no need to check this if we have a key
rudder> The public key identity was confirmed as root@
rudder>  -> Strong authentication of client achieved
rudder>  -> Receiving session key from client (size=256)...
rudder> Filename /var/rudder/share/dd3c2ec5-69cb-47ea-b2b4-bb8fb129e997/rules/cfengine-community/rudder_promises_generated is resolved to /var/rudder/share/dd3c2ec5-69cb-47ea-b2b4-bb8fb129e997/rules/cfengine-community/rudder_promises_generated
rudder> Found a matching rule in access list (/var/rudder/share/dd3c2ec5-69cb-47ea-b2b4-bb8fb129e997/rules/cfengine-community/rudder_promises_generated in /var/rudder/share/dd3c2ec5-69cb-47ea-b2b4-bb8fb129e997)
rudder> Host denied access to /var/rudder/share/dd3c2ec5-69cb-47ea-b2b4-bb8fb129e997/rules/cfengine-community/rudder_promises_generated
rudder> Access control in sync
rudder> From (host=,user=root,ip=
rudder> REFUSAL of request from connecting host: (SYNCH 1397134555 STAT /var/rudder/share/dd3c2ec5-69cb-47ea-b2b4-bb8fb129e997/rules/cfengine-community/rudder_promises_generated)
rudder> Terminating thread...

I added the tunnel network to the authorized networks in the administration panel, but it still doesn't work. Routing is OK, everything pings correctly.

