Knowledge Base

Re-connecting to OpenVPN Instance after destroying and re-applying it

Answer

A customer asked:

> Hello, we’re having an issue with our OpenVPN server in our stage environment. Our environment was set up originally with the Gruntwork Reference Architecture. We got a notice from AWS about a detected degradation of the underlying hardware hosting your Amazon EC2 instance. So we used Terraform to destroy the openvpn server module and then recreated it (I’m guessing this wasn’t the right way to do it). We use Viscosity to connect to the openvpn servers. I changed the IP for the existing connection to the new public IP for the new openvpn server but I cannot connect. Below is a snippet from my Viscosity log when trying to connect (certain information has been X’d out for security):
>
> ```
> 2021-10-15 14:29:29: Viscosity Mac 1.9.4 (1578)
> 2021-10-15 14:29:29: Viscosity OpenVPN Engine Started
> 2021-10-15 14:29:29: Running on macOS 11.6.0
> 2021-10-15 14:29:29: ---------
> 2021-10-15 14:29:29: State changed to Connecting
> 2021-10-15 14:29:29: Checking reachability status of connection...
> 2021-10-15 14:29:29: Connection is reachable. Starting connection attempt.
> 2021-10-15 14:29:29: OpenVPN 2.4.11 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Aug 26 2021
> 2021-10-15 14:29:29: library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
> 2021-10-15 14:29:29: Valid endpoint found: XX.X.XXX.205:1194:udp
> 2021-10-15 14:29:29: TCP/UDP: Preserving recently used remote address: [AF_INET]XX.X.XXX.205:1194
> 2021-10-15 14:29:29: UDP link local: (not bound)
> 2021-10-15 14:29:29: UDP link remote: [AF_INET]52.7.152.205:1194
> 2021-10-15 14:29:29: State changed to Authenticating
> 2021-10-15 14:29:29: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=ME, L=Farmington, O=Aptuitiv, OU=IT, CN=Aptuitiv CA, name=server, emailAddress=XXXX@XXXX.com, serial=16374791465934600503
> 2021-10-15 14:29:29: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
> 2021-10-15 14:29:29: TLS_ERROR: BIO read tls_read_plaintext error
> 2021-10-15 14:29:29: TLS Error: TLS object -> incoming plaintext read error
> 2021-10-15 14:29:29: TLS Error: TLS handshake failed
> 2021-10-15 14:29:29: SIGTERM[soft,tls-error] received, process exiting
> 2021-10-15 14:29:29: State changed to Disconnected (Process Terminated)
> ```

The right thing to do in this case is to terminate the current VPN server by performing an instance refresh on the Auto Scaling Group (ASG) the OpenVPN server is attached to, rather than destroying and re-applying the module with Terraform. The `VERIFY ERROR: depth=1, error=self signed certificate in certificate chain` line in the log above is the client rejecting the recreated server's CA, which is not in the trust store embedded in the existing client profiles. A replacement host launched by the instance refresh automatically grabs the same Elastic IP address (EIP) and restores the same certificates, so existing client connections work again without any profile changes.
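A check that makes the failure above concrete, added here as an example and not part of the original answer or of Gruntwork's modules: it compares the CA embedded in a client profile's inline `<ca>` block against the CA file a server actually uses, by SHA-256 fingerprint of the DER bytes, and reports whether that client would trust the server. The profile text, the `vpn.example.com` remote and the PEM-shaped blobs are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# A PEM certificate body, whether in a plain ca.crt or inside a profile's <ca> block.
_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_INLINE_CA = re.compile(r"<ca>(.*?)</ca>", re.S)


def cert_fingerprints(pem_text: str) -> set:
    """SHA-256 fingerprints of every certificate in pem_text, hashed over the DER
    bytes (decoded base64 body), as `openssl x509 -noout -fingerprint -sha256` does."""
    fps = set()
    for body in _PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def profile_ca_fingerprints(ovpn_text: str) -> set:
    """CA fingerprints a client profile trusts via its inline <ca> block. Empty when
    the profile points at an external file (`ca ca.crt`); fingerprint that file instead."""
    m = _INLINE_CA.search(ovpn_text)
    return cert_fingerprints(m.group(1)) if m else set()


def profile_trusts_server_ca(ovpn_text: str, server_ca_pem: str) -> bool:
    """True when the CA that signed the server certificate is one the profile trusts.
    False is the state in the Viscosity log above: the recreated server presents a
    chain rooted in a CA that is not in the client's trust store, so OpenVPN rejects
    it at depth=1 with "self signed certificate in certificate chain"."""
    return bool(cert_fingerprints(server_ca_pem) & profile_ca_fingerprints(ovpn_text))


def _constructed_pem(payload: bytes) -> str:
    # Constructed PEM-shaped placeholder for the demo; a real CA file holds DER X.509.
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


ORIGINAL_CA = _constructed_pem(b"CONSTRUCTED-CA-1")   # CA embedded in the clients' profiles
RECREATED_CA = _constructed_pem(b"CONSTRUCTED-CA-2")  # fresh CA after terraform destroy/apply
CLIENT_PROFILE = "client\nremote vpn.example.com 1194 udp\n<ca>\n" + ORIGINAL_CA + "</ca>\n"

if __name__ == "__main__":
    print("trusts original CA:", profile_trusts_server_ca(CLIENT_PROFILE, ORIGINAL_CA))   # True
    print("trusts recreated CA:", profile_trusts_server_ca(CLIENT_PROFILE, RECREATED_CA))  # False
```

Run it against a real profile and the server's CA file (for a Gruntwork deployment, the CA the OpenVPN server was provisioned with) to confirm the mismatch before deciding between an instance refresh and re-issuing client profiles.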