VPN & Tunnel Troubleshooting
VPN & Tunnel Troubleshooting
Section titled “VPN & Tunnel Troubleshooting”This guide covers issues with VPN backends, tunnel configurations, and VPN mode.
Quick Diagnostics
Section titled “Quick Diagnostics”# Check backend healthcurl -s http://localhost:7082/api/v1/backends | jq '.[] | {name, type, healthy}'
# Check VPN status (client)curl -s http://localhost:7082/api/v1/vpn/status | jq
# Test connectivity through tunnelcurl -x http://localhost:7080 https://ipinfo.io/ipWireGuard Backend Issues
Section titled “WireGuard Backend Issues”Tunnel Not Establishing
Section titled “Tunnel Not Establishing”Symptoms: WireGuard backend shows unhealthy, no connectivity.
Diagnosis:
# Check WireGuard interface (if using kernel mode)sudo wg show
# Check backend statuscurl -s http://localhost:7082/api/v1/backends | jq '.[] | select(.type=="wireguard")'
# Check server logsjournalctl -u bifrost-server | grep -i wireguardKey Mismatch
Section titled “Key Mismatch”Symptoms: Handshake fails, “invalid MAC” in logs.
Diagnosis:
Verify key configuration matches the peer:
# Your private key generates your public keyecho "YOUR_PRIVATE_KEY" | wg pubkey
# Peer should have this as your public keySolution:
Ensure keys are correctly paired:
backends: - name: wg-vpn type: wireguard config: private_key: "YOUR_PRIVATE_KEY_BASE64" # Your private key peer: public_key: "PEER_PUBLIC_KEY_BASE64" # Peer's public key preshared_key: "OPTIONAL_PSK" # Must match both sidesGenerate new keys if needed:
# Generate private keywg genkey > private.key
# Generate public key from privatewg pubkey < private.key > public.key
# Generate preshared keywg genpsk > preshared.keyEndpoint Unreachable
Section titled “Endpoint Unreachable”Symptoms: “no route to host” or timeout errors.
Diagnosis:
# Test UDP connectivity to endpointnc -u -z -v vpn.example.com 51820
# Check if UDP port is blockedsudo tcpdump -i any udp port 51820Solution:
-
Verify endpoint address and port:
peer:endpoint: "vpn.example.com:51820" # Must be reachable -
Check firewall allows outbound UDP:
Terminal window sudo ufw allow out 51820/udp
No Traffic Through Tunnel
Section titled “No Traffic Through Tunnel”Symptoms: Tunnel established but traffic doesn’t flow.
Diagnosis:
# Check allowed IPscurl -s http://localhost:7082/api/v1/backends | jq '.[] | select(.type=="wireguard") | .config.peer.allowed_ips'
# Check routingip route showSolution:
Verify allowed IPs are configured correctly:
peer: allowed_ips: - "0.0.0.0/0" # Route all traffic (common for VPN) # Or specific ranges: - "10.0.0.0/8" - "192.168.0.0/16"DNS Not Working Through Tunnel
Section titled “DNS Not Working Through Tunnel”Symptoms: Domain resolution fails when using WireGuard backend.
Solution:
Configure DNS servers for the tunnel:
backends: - name: wg-vpn type: wireguard config: dns: - "1.1.1.1" - "8.8.8.8"Permission Denied
Section titled “Permission Denied”Symptoms: Cannot create WireGuard interface.
Solution:
Bifrost uses userspace WireGuard by default. If using kernel mode:
# Grant capabilitiessudo setcap cap_net_admin+ep /usr/local/bin/bifrost-server
# Or run as root (not recommended)sudo bifrost-server -c config.yamlHandshake Timeout
Section titled “Handshake Timeout”Symptoms: “handshake did not complete” after 5+ seconds.
Causes:
- Wrong public key
- Firewall blocking UDP
- Endpoint not reachable
- Clock skew
Solution:
- Verify keys match
- Check firewall rules
- Test endpoint connectivity
- Sync system time:
Terminal window sudo timedatectl set-ntp true
OpenVPN Backend Issues
Section titled “OpenVPN Backend Issues”Connection Failed
Section titled “Connection Failed”Symptoms: OpenVPN backend shows unhealthy.
Diagnosis:
# Check OpenVPN processps aux | grep openvpn
# View OpenVPN logstail -f /var/log/openvpn.log
# Check backend statuscurl -s http://localhost:7082/api/v1/backends | jq '.[] | select(.type=="openvpn")'Config File Not Found
Section titled “Config File Not Found”Symptoms: “config file not found” error.
Solution:
Use absolute path to config file:
backends: - name: ovpn-vpn type: openvpn config: config_file: "/etc/bifrost/client.ovpn" # Absolute pathAuthentication Failed
Section titled “Authentication Failed”Symptoms: “AUTH_FAILED” in OpenVPN logs.
Solution:
Provide credentials:
backends: - name: ovpn-vpn type: openvpn config: config_file: "/etc/bifrost/client.ovpn" auth_file: "/etc/bifrost/auth.txt" # username on line 1, password on line 2Or inline:
config: username: "myuser" password: "${OPENVPN_PASSWORD}"Auth file format:
usernamepasswordOpenVPN Binary Not Found
Section titled “OpenVPN Binary Not Found”Symptoms: “openvpn: command not found” error.
Solution:
Install OpenVPN or specify path:
# Install on Debian/Ubuntusudo apt install openvpn
# Install on RHEL/CentOSsudo dnf install openvpnconfig: binary: "/usr/sbin/openvpn" # Explicit pathTLS Handshake Failed
Section titled “TLS Handshake Failed”Symptoms: “TLS handshake failed” in logs.
Diagnosis:
# Test manuallysudo openvpn --config /etc/bifrost/client.ovpn --verb 4Solution:
- Verify certificates are valid
- Check CA certificate is included
- Ensure clock is synchronized
Management Interface Issues
Section titled “Management Interface Issues”Symptoms: Cannot connect to OpenVPN management.
Solution:
Configure management interface:
config: management_addr: "127.0.0.1" management_port: 7505VPN Mode Issues (Client)
Section titled “VPN Mode Issues (Client)”TUN Device Not Created
Section titled “TUN Device Not Created”Symptoms: “failed to create TUN device” error.
Linux:
# Check if tun module is loadedlsmod | grep tun
# Load modulesudo modprobe tun
# Check device permissionsls -la /dev/net/tun# Should be: crw-rw-rw- 1 root root 10, 200
# Fix permissions if neededsudo chmod 666 /dev/net/tunmacOS:
# Check for tuntapls /dev/tun*
# Install if missingbrew install --cask tuntapWindows:
# Check for wintun driverGet-Service wintun
# Install wintun from https://www.wintun.net/Insufficient Permissions
Section titled “Insufficient Permissions”Symptoms: “operation not permitted” when creating VPN interface.
Solution:
# Linux: Grant capabilitiessudo setcap cap_net_admin+ep /usr/local/bin/bifrost-client
# Or run as rootsudo bifrost-client -c config.yamlVPN Interface Has No IP
Section titled “VPN Interface Has No IP”Symptoms: Interface exists but no IP address assigned.
Diagnosis:
# Check interfaceip addr show bifrost0
# Check VPN statuscurl -s http://localhost:7082/api/v1/vpn/status | jqSolution:
Verify VPN configuration:
vpn: enabled: true interface_name: bifrost0 # IP should be assigned automaticallyManually assign if needed:
# Linuxsudo ip addr add 10.0.0.2/24 dev bifrost0sudo ip link set bifrost0 upDNS Not Working in VPN Mode
Section titled “DNS Not Working in VPN Mode”Symptoms: Domain resolution fails when VPN is enabled.
Diagnosis:
# Check DNS configurationcat /etc/resolv.conf
# Test DNSnslookup example.comSolution:
Enable DNS interception:
vpn: dns: enabled: true servers: - "1.1.1.1" - "8.8.8.8" cache_ttl: "5m"Flush DNS cache:
# macOSsudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
# Linux (systemd-resolved)sudo systemd-resolve --flush-caches
# Windowsipconfig /flushdnsTraffic Not Routing Through VPN
Section titled “Traffic Not Routing Through VPN”Symptoms: Traffic bypasses VPN.
Diagnosis:
# Check routing tableip route show # Linuxnetstat -rn # macOSroute print # Windows
# Check what IP traffic is usingcurl https://ipinfo.io/ip # Should show VPN IPSolution:
-
Check split tunnel configuration:
vpn:split:mode: exclude # All traffic through VPN except matching# Ormode: include # Only matching traffic through VPN -
Verify routes are set:
Terminal window # Check if default route is through VPNip route | grep default
Split Tunneling Not Working
Section titled “Split Tunneling Not Working”Symptoms: Traffic routes incorrectly based on rules.
Diagnosis:
# Check split tunnel rulescurl -s http://localhost:7082/api/v1/vpn/split/rules | jqSolution:
Verify rule configuration:
vpn: split: mode: exclude # Traffic to these destinations bypasses VPN
# Domain-based domains: - "*.local" - "localhost"
# IP-based ips: - "192.168.0.0/16" - "10.0.0.0/8"
# App-based apps: - name: "Slack" - name: "Zoom"Upstream Proxy Issues
Section titled “Upstream Proxy Issues”HTTP Proxy Backend Failing
Section titled “HTTP Proxy Backend Failing”Symptoms: Upstream HTTP proxy connection fails.
Diagnosis:
# Test upstream proxy directlycurl -x http://upstream-proxy:3128 https://example.com
# Check connectivitync -zv upstream-proxy 3128Solution:
backends: - name: upstream-http type: http_proxy config: address: "upstream-proxy:3128" username: "user" # If auth required password: "password" connect_timeout: "30s"SOCKS5 Proxy Backend Failing
Section titled “SOCKS5 Proxy Backend Failing”Symptoms: Upstream SOCKS5 proxy connection fails.
Diagnosis:
# Test upstream SOCKS5 directlycurl --socks5 upstream-proxy:1080 https://example.com
# Check connectivitync -zv upstream-proxy 1080Solution:
backends: - name: upstream-socks type: socks5_proxy config: address: "upstream-proxy:1080" username: "user" password: "password"Health Check Issues
Section titled “Health Check Issues”Backend Marked Unhealthy
Section titled “Backend Marked Unhealthy”Symptoms: Backend constantly shows as unhealthy.
Diagnosis:
# Check health statuscurl -s http://localhost:7082/api/v1/backends | jq '.[] | {name, healthy, last_check}'
# Check logs for health check failuresjournalctl -u bifrost-server | grep -i "health check"Solution:
Adjust health check configuration:
backends: - name: my-backend type: wireguard health_check: type: tcp # tcp, http, or ping interval: "30s" # Check frequency timeout: "10s" # Timeout per check target: "example.com:443" # What to check healthy_threshold: 2 # Checks to mark healthy unhealthy_threshold: 3 # Checks to mark unhealthyHealth Check Target Unreachable
Section titled “Health Check Target Unreachable”Symptoms: Health checks fail even though backend works.
Solution:
Use a reliable health check target:
health_check: type: http target: "https://www.google.com/generate_204" # Google's connectivity check # Or type: tcp target: "1.1.1.1:443" # CloudflareMesh Networking Issues
Section titled “Mesh Networking Issues”Peers Not Connecting
Section titled “Peers Not Connecting”Symptoms: Peers discovered but connections fail.
Diagnosis:
# Check NAT typecurl -s http://localhost:7082/api/v1/p2p/nat | jq
# Check discovered peerscurl -s http://localhost:7082/api/v1/mesh/networks/my-network/peers | jq
# Check connection statuscurl -s http://localhost:7082/api/v1/p2p/connections | jqSolution:
-
Symmetric NAT detected: Enable TURN relay
turn:enabled: trueservers:- url: "turn:turn.example.com:3478"username: "${TURN_USER}"password: "${TURN_PASS}" -
Firewall blocking: Allow UDP traffic
Terminal window sudo ufw allow 32768:65535/udp # Ephemeral ports
STUN Connectivity Issues
Section titled “STUN Connectivity Issues”Symptoms: Cannot determine public IP address.
Diagnosis:
# Test STUN serversnc -u -z -v stun.l.google.com 19302Solution:
Add multiple STUN servers:
stun: servers: - "stun:stun.l.google.com:19302" - "stun:stun1.l.google.com:19302" - "stun:stun.cloudflare.com:3478" timeout: 5sTURN Relay Not Working
Section titled “TURN Relay Not Working”Symptoms: Relay connections fail.
Diagnosis:
# Test TURN serverturnutils_stunclient -p 3478 turn.example.comSolution:
Verify TURN configuration:
turn: enabled: true servers: - url: "turn:turn.example.com:3478" username: "user" password: "password"Diagnostic Commands Summary
Section titled “Diagnostic Commands Summary”# Backend healthcurl -s http://localhost:7082/api/v1/backends | jq
# VPN statuscurl -s http://localhost:7082/api/v1/vpn/status | jq
# WireGuard interfacesudo wg show
# OpenVPN statusps aux | grep openvpn
# Network interfacesip addr show
# Routing tableip route show
# Test through proxycurl -x http://localhost:7080 https://ipinfo.io/ip
# DNS testnslookup example.com
# NAT type (mesh)curl -s http://localhost:7082/api/v1/p2p/nat | jq
# Mesh peerscurl -s http://localhost:7082/api/v1/mesh/status | jq