Connecting after 2.6 upgrade
-
A couple of months ago we had a box that users had difficulty connecting OpenVPN clients to after upgrading to 2.6. I believe it had something to do with the certificate age. I had tried a bunch of stuff but just wound up creating a new tunnel and reinstalling to get them back in.
Last week I upgraded another device to 2.6 expecting to need to redo the OpenVPN on the firewall and reinstall on users' PCs, but nobody had any issues at all after the upgrade. Would anyone know what the difference would have been? I've been doing evening upgrades and have about 30 more to do over the next couple of weeks and would prefer not to get hammered with calls to re-setup OpenVPN. Thanks!
-
Checking Logs is better than believing. :-)
How come you think it's the Certs?
-Rico
-
@rico Here is the thread from before. I'm not certain on what the previous issue was but I think it had to do with the certificate length dropping down to 13 months from 10 years. It's been a few months but there were a lot of people who helped out. I remember modifying files and manually exporting the certificate to no avail. I don't believe I figured out the exact cause and solution.
Since it went smoothly this time there's nothing to check in the logs. I'm wondering if there is something different in the packages now that perhaps allowed it to work. The current OpenVPN Server certificate is:
Valid From: Thu, 30 Apr 2020 11:50:06 -0400
Valid Until: Sun, 28 Apr 2030 11:50:06 -0400
So I would have expected it to break like last time since it would be beyond the 13 months.
-
I have my test SG-1100 (22.05) running with a CA, Server Cert and Client Cert valid until Jan 2120 and OpenVPN runs perfectly fine, never had any problems with upgrades. Using this since Feb 2020.
-Rico
-
@stewart said in Connecting after 2.6 upgrade:
but I think it had to do with the certificate length dropping down to 13 months from 10 years
the CRL had* this issue IIRC, not the CA.
As for the 13-month thing, that's for publicly signed certificates and mostly only used in web surfing.
Self-signed are already flagged in web traffic just like the 10-year ones would be. It should be fine.
-
@rico I'm glad you didn't have any problems with your unit. That hasn't been my experience so far.
-
@rcoleman-netgate I don't know. I did the steps for the CRL from here but it didn't fix the problem. I worked at it for a few days and tried everything suggested to me and everything I could find. I wound up just having to rebuild from scratch.
-
@stewart said in Connecting after 2.6 upgrade:
Last week I upgraded another device to 2.6 expecting to need to redo the OpenVPN on the firewall and reinstall on users PCs but nobody had any issues at all after the upgrade. Would anyone know what the difference would have been? I've been doing evening upgrades and have about 30 more to do over the next couple of weeks and would prefer not to get hammered with calls to re-setup OpenVPN. Thanks!
When your CA expires you have to re-issue everything on the OVPN, so it's recommended to set the age of the CA to 10 or more years.
If you have to replace a CA because it is expiring soon the best practice is to make a new OVPN server and migrate users to it one at a time. The only differences on this new OVPNS is the CA, the port #, and the internal/assigned user network. Everything else can (and should) be the same.
That gives you weeks or months to migrate vs having to do all 10, 50, 100, 200 users in a weekend.
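Added example, not from any poster in this thread: a small openssl-only check of how much validity the CA and server certificate behind an OpenVPN instance have left, so an expiring cert is found before an upgrade window rather than by user calls afterwards. It assumes openssl is on the path (it is on pfSense/FreeBSD and on Linux); the two certificates it inspects are constructed throwaway self-signed test files, not anything from a real firewall.

```shell
#!/bin/sh
# Added example: report whether the CA and server certificate behind an
# OpenVPN instance will still be valid across a planned migration window.
# Assumes only openssl; the certs below are constructed test material.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a 10-year CA (the lifetime recommended above)
# and a server cert with 20 days left, standing in for one close to expiry.
gen_cert() {  # $1 = output basename, $2 = CN, $3 = validity in days
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
gen_cert ca     "Test OpenVPN CA"     3650
gen_cert server "Test OpenVPN Server" 20

# Prints "ok" if the cert stays valid for at least $2 more days, "renew" if it
# expires inside that window, "invalid" if the file is not a parseable cert.
# Exit status: 0 / 1 / 2 respectively. -checkend is portable across
# OpenSSL versions and avoids parsing the notAfter date with GNU/BSD date.
cert_outlasts_days() {  # $1 = PEM certificate, $2 = days required
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo invalid; return 2; }
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo ok; return 0
    fi
    echo renew; return 1
}

# One line per cert: verdict plus the notAfter date pfSense shows as "Valid Until".
cert_expiry_report() {  # $1 = CA PEM, $2 = server cert PEM, $3 = window in days
    for f in "$1" "$2"; do
        printf '%s: %s (notAfter %s)\n' "$f" "$(cert_outlasts_days "$f" "$3" || true)" \
            "$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)"
    done
}

# 90 days: enough to stand up a second OVPN server and move users one at a time.
cert_expiry_report "$WORK/ca.crt" "$WORK/server.crt" 90
```

The CRL has no `-checkend` equivalent; its expiry is the `nextUpdate` field, which `openssl crl -in crl.pem -noout -nextupdate` prints for a separate date comparison.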
-
@rcoleman-netgate That makes sense if I were hitting the 10 year mark, but it'll be a while until that happens. My concern is from upgrading pfSense. My first 2.6.0 upgrade that had OpenVPN fell apart, so I've been holding back until now when I can devote a large amount of time to both the upgrades and supporting the influx of calls. Now that I've upgraded a second unit and it didn't have the issues, I'm trying to determine what to expect on the next 30 or so upgrades. Until now I thought that the upgrade necessitated a change in OpenVPN that would cause issues with remote users until a new cert was put in place, but it appears not.