493 questions
Azure Devops Pipeline Agent can not connect to my network using OpenVPN anymore
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 72%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDP%3C/text%3E%3C/svg%3E)
Denny Pradipta
0
Reputation points
I have this simple pipeline to deploy my web app using Dokku, using an OpenVPN in my Azure Pipeline agent. I am not using the self hosted agent, in case you need to know. Here is the part of the azure-pipelines.yml:
- stage: 'DeployToStaging'
displayName: 'Deploy to Staging'
condition: eq(variables['Build.SourceBranch'], 'refs/heads/main')
jobs:
- job: DeployDashboard
steps:
- task: InstallSSHKey@0
inputs:
knownHostsEntry: $(known_host_entry)
sshPublicKey: $(ssh_public_key)
sshKeySecureFile: $(ssh_private_key)
addEntryToConfig: true
configHostAlias: staging
configHostName: $(dokku_staging_ip)
configUser: $(server_user)
env:
PUBLIC_KEY: $(ssh_public_key)
displayName: 'Add SSH Fingerprint'
# Build and push Docker image
# Needs separate step because build arguments are not supported in Docker@2 buildAndPush
- task: Docker@2
displayName: 'Build docker image'
inputs:
containerRegistry: $(containerRegistry)
command: 'build'
Dockerfile: './Dockerfile'
repository: $(repository)
arguments: $(stagingBuildArguments)
tags: |
$(Build.BuildId)-rc
test
- task: Docker@2
displayName: 'Push docker image'
inputs:
containerRegistry: $(containerRegistry)
command: 'push'
repository: $(repository)
tags: |
$(Build.BuildId)-rc
test
# Install OpenVPN
- script: |
sudo apt-get update -y
sudo apt-get install openvpn -y
displayName: 'Install OpenVPN'
- task: DownloadSecureFile@1
name: ovpn_config
displayName: 'Download OpenVPN Config'
inputs:
secureFile: 'dashboard.ovpn'
- task: DownloadSecureFile@1
name: ovpn_auth
displayName: 'Download OpenVPN Password'
inputs:
secureFile: 'openvpn_auth.txt'
# Deploy
- script: |
# Start OpenVPN in the background and capture its PID
nohup sudo openvpn --config "$(ovpn_config.secureFilePath)" --askpass "$(ovpn_auth.secureFilePath)" > /dev/null 2>&1 &
VPN_PID=$!
# Wait for VPN connection to establish (check tunnel interface)
echo "Waiting for VPN connection..."
timeout=10 # Adjust timeout as needed
while [[ $timeout -gt 0 ]]; do
if ip a | grep -q 'tun0'; then # Replace 'tun0' with your actual interface if different
echo "VPN connected."
break
fi
sleep 1
((timeout--))
done
if [[ $timeout -eq 0 ]]; then
echo "Failed to establish VPN connection."
exit 1
fi
# Deploy
ssh staging dokku git:from-image dashboard $(image_name):$(Build.BuildId)-rc
ssh staging docker image prune -f
# Stop OpenVPN
kill $VPN_PID
It was working fine until April 9th.
Afterwards, it doesn't run anything at all.
I though to myself, maybe I need to upgrade the OpenVPN to OpenVPN3. So I did:
- stage: 'DeployToStaging'
displayName: 'Deploy to Staging'
condition: eq(variables['Build.SourceBranch'], 'refs/heads/main')
jobs:
- job: DeployDashboard
steps:
- task: InstallSSHKey@0
inputs:
knownHostsEntry: $(known_host_entry)
sshPublicKey: $(ssh_public_key)
sshKeySecureFile: $(ssh_private_key)
addEntryToConfig: true
configHostAlias: staging
configHostName: $(dokku_staging_ip)
configUser: $(server_user)
env:
PUBLIC_KEY: $(ssh_public_key)
displayName: 'Add SSH Fingerprint'
# Build and push Docker image
# Needs separate step because build arguments are not supported in Docker@2 buildAndPush
- task: Docker@2
displayName: 'Build docker image'
inputs:
containerRegistry: $(containerRegistry)
command: 'build'
Dockerfile: './Dockerfile'
repository: $(repository)
arguments: $(stagingBuildArguments)
tags: |
$(Build.BuildId)-rc
test
- task: Docker@2
displayName: 'Push docker image'
inputs:
containerRegistry: $(containerRegistry)
command: 'push'
repository: $(repository)
tags: |
$(Build.BuildId)-rc
test
# Install OpenVPN
- script: |
sudo mkdir -p /etc/apt/keyrings && curl -fsSL https://packages.openvpn.net/packages-repo.gpg | sudo tee /etc/apt/keyrings/openvpn.asc
DISTRO=$(lsb_release -c -s)
echo "deb [signed-by=/etc/apt/keyrings/openvpn.asc] https://packages.openvpn.net/openvpn3/debian $DISTRO main" | sudo tee /etc/apt/sources.list.d/openvpn-packages.list
sudo apt-get update -y
sudo apt-get install openvpn3 -y
displayName: 'Install OpenVPN'
- task: DownloadSecureFile@1
name: ovpn_config
displayName: 'Download OpenVPN Config'
inputs:
secureFile: 'dashboard.ovpn'
- task: DownloadSecureFile@1
name: ovpn_auth
displayName: 'Download OpenVPN Password'
inputs:
secureFile: 'openvpn_auth.txt'
# Deploy
- script: |
# Start OpenVPN in the background and capture its PID
cat $(ovpn_auth.secureFilePath) | openvpn3 session-start --config "$(ovpn_config.secureFilePath)"
# Deploy
ssh staging git:from-image dashboard $(image_name):$(Build.BuildId)-rc
ssh staging cleanup
ssh staging docker-direct image prune -f
# Stop OpenVPN
openvpn3 session-manage --config $(ovpn_config.secureFilePath) --disconnect
displayName: 'Deploy Dashboard'
All I got was connected, but the connection is closed.
Any ideas why?
Azure DevOps
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 87%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVB%3C/text%3E%3C/svg%3E)
Vinay B 500 Reputation points Microsoft External Staff Moderator2025-04-17T16:43:20.67+00:00 Hi Denny Pradipta,
Issue likely caused by changes to the Microsoft-hosted Azure DevOps agents around April 9th. This affects low-level networking like tun interfaces and privileged operations required by OpenVPN.
Switch to a self-hosted Azure DevOps agent in a VM under your control, where you can manage network interfaces and VPN connections fully.
Why this works:
Microsoft-hosted agents restrict low-level networking, including
tun0creation and background daemon behavior.OpenVPN and OpenVPN3 need
tun/tapdevices and sometimessudoprivileges — these are not supported on hosted agents anymore.
Please let us know if it was helpful, and feel free to reach out if you have any further queries.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 82%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVV%3C/text%3E%3C/svg%3E)
Venkat V 2,545 Reputation points Microsoft External Staff Moderator2025-04-23T08:43:03.4866667+00:00 Hi @Hi Denny Pradipta,
It looks like the issue may be due to recent changes in the pipeline agent environment. Kindly check the steps below:
- Ensure the OpenVPN configuration and authentication files are still valid and have not expired or been revoked.
- Verify whether the VPN interface (e.g.,
tun0) still exists. Useip ato confirm, and update the script if the interface name has changed. - Run OpenVPN in verbose mode to capture logs and identify where the connection is failing.
- If the pipeline is using Microsoft-hosted agents, be aware that there may be restrictions affecting VPN connectivity. In that case, consider switching to a self-hosted agent within your network for more control.
Reference Azure DevOps release notes
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
-
Venkat V 2,545 Reputation points Microsoft External Staff Moderator
2025-04-24T05:36:50.6266667+00:00 Hi Denny Pradipta,
I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.
Sign in to comment
Sign in to answer