Openvpn issue - site 2 site
-
Sure.
Forget about site2site.
I have server that is configured as remote access server (roadwarrior).
Everything was working just fine until today.
Now it can't check the cert:
Jan 15 21:25:12 openvpn 13760 10.10.0.21:56042 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 15 21:25:12 openvpn 13760 10.10.0.21:56042 TLS Error: TLS handshake failed
Jan 15 21:25:12 openvpn 13760 10.10.0.21:56042 TLS Error: TLS object -> incoming plaintext read error
Jan 15 21:25:12 openvpn 13760 10.10.0.21:56042 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Jan 15 21:25:12 openvpn 13760 10.10.0.21:56042 VERIFY SCRIPT ERROR: depth=1, C=SI, ST=VL, L=VL, O=IT, emailAddress=email@email.si, CN=Internal CA
Jan 15 21:25:12 openvpn 13760 10.10.0.21:56042 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
Jan 15 21:25:12 openvpn 13760 10.10.0.21:56042 TLS: Initial packet from [AF_INET]10.10.0.21:56042, sid=1fd153e1 fab4ae72
Jan 15 21:25:12 openvpn 13760 10.10.0.21:56042 Expected Remote Options hash (VER=V4): '0f816d6e'
Jan 15 21:25:12 openvpn 13760 10.10.0.21:56042 Local Options hash (VER=V4): '2f3e190a'
Jan 15 21:25:12 openvpn 13760 10.10.0.21:56042 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Jan 15 21:25:12 openvpn 13760 10.10.0.21:56042 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Jan 15 21:25:12 openvpn 13760 10.10.0.21:56042 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:12 ET:0 EL:3 ]
Jan 15 21:25:12 openvpn 13760 10.10.0.21:56042 Control Channel MTU parms [ L:1557 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Jan 15 21:25:12 openvpn 13760 10.10.0.21:56042 Re-using SSL/TLS context
Jan 15 21:25:12 openvpn 13760 MULTI: multi_create_instance called
Jan 15 21:25:07 openvpn 13760 MANAGEMENT: Client disconnected
Jan 15 21:25:07 openvpn 13760 MANAGEMENT: CMD 'quit'
Jan 15 21:25:07 openvpn 13760 MANAGEMENT: CMD 'status 2'
Jan 15 21:25:07 openvpn 13760 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
If I configure it not to check the certs, I get an auth error (I DO USE CORRECT CREDENTIALS AS THEY WORK IN DIAG->AUTH):
Jan 15 21:27:53 openvpn 30490 10.10.0.21:49724 SIGTERM[soft,delayed-exit] received, client-instance exiting
Jan 15 21:27:50 openvpn 30490 10.10.0.21:49725 TLS: Initial packet from [AF_INET]10.10.0.21:49725, sid=2c89bc8c 95d86f32
Jan 15 21:27:50 openvpn 30490 10.10.0.21:49725 Expected Remote Options hash (VER=V4): '0f816d6e'
Jan 15 21:27:50 openvpn 30490 10.10.0.21:49725 Local Options hash (VER=V4): '2f3e190a'
Jan 15 21:27:50 openvpn 30490 10.10.0.21:49725 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Jan 15 21:27:50 openvpn 30490 10.10.0.21:49725 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Jan 15 21:27:50 openvpn 30490 10.10.0.21:49725 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:12 ET:0 EL:3 ]
Jan 15 21:27:50 openvpn 30490 10.10.0.21:49725 Control Channel MTU parms [ L:1557 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Jan 15 21:27:50 openvpn 30490 10.10.0.21:49725 Re-using SSL/TLS context
Jan 15 21:27:50 openvpn 30490 MULTI: multi_create_instance called
Jan 15 21:27:48 openvpn 30490 10.10.0.21:49724 SENT CONTROL [username]: 'AUTH_FAILED' (status=1)
Jan 15 21:27:48 openvpn 30490 10.10.0.21:49724 Delayed exit in 5 seconds
Jan 15 21:27:48 openvpn 30490 10.10.0.21:49724 PUSH: Received control message: 'PUSH_REQUEST'
Jan 15 21:27:45 openvpn 30490 10.10.0.21:49724 [username] Peer Connection Initiated with [AF_INET]10.10.0.21:49724
Jan 15 21:27:45 openvpn 30490 10.10.0.21:49724 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 15 21:27:45 openvpn 30490 10.10.0.21:49724 TLS Auth Error: Auth Username/Password verification failed for peer
Jan 15 21:27:45 openvpn 30490 10.10.0.21:49724 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Jan 15 21:27:45 openvpn user 'username' authenticated
Jan 15 21:27:45 openvpn 30490 10.10.0.21:49724 VERIFY OK: depth=0, C=SI, ST=VL, L=VL, O=IT, emailAddress=email@email.si, CN=username
Jan 15 21:27:45 openvpn 30490 10.10.0.21:49724 CRL CHECK OK: C=SI, ST=VL, L=VL, O=IT, emailAddress=email@email.si, CN=username
Jan 15 21:27:45 openvpn 30490 10.10.0.21:49724 VERIFY OK: depth=1, C=SI, ST=VL, L=VL, O=IT, emailAddress=email@email.si, CN=Internal CA
Jan 15 21:27:45 openvpn 30490 10.10.0.21:49724 CRL CHECK OK: C=SI, ST=VL, L=VL, O=IT, emailAddress=email@email.si, CN=Internal CA
Jan 15 21:27:45 openvpn 30490 10.10.0.21:49724 TLS: Initial packet from [AF_INET]10.10.0.21:49724, sid=895948a2 44e52937
Jan 15 21:27:45 openvpn 30490 10.10.0.21:49724 Expected Remote Options hash (VER=V4): '0f816d6e'
Jan 15 21:27:45 openvpn 30490 10.10.0.21:49724 Local Options hash (VER=V4): '2f3e190a'
Jan 15 21:27:45 openvpn 30490 10.10.0.21:49724 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Jan 15 21:27:45 openvpn 30490 10.10.0.21:49724 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Jan 15 21:27:45 openvpn 30490 10.10.0.21:49724 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:12 ET:0 EL:3 ]
Jan 15 21:27:45 openvpn 30490 10.10.0.21:49724 Control Channel MTU parms [ L:1557 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Jan 15 21:27:45 openvpn 30490 10.10.0.21:49724 Re-using SSL/TLS context
Jan 15 21:27:45 openvpn 30490 MULTI: multi_create_instance called
So I'm screwed, pretty much :)
-
Would you recheck with the depth set to "one" and see if that error goes away please?
-
I did it and the check cert error occurred…
-
Redmine ticket has been opened.
https://redmine.pfsense.org/issues/5773
-
So you can repro?
-
So you can repro?
No. Steve just figured there must be something to it. This all works fine with TLS and user auth on latest version, and nothing there has changed in some time. I upgraded a variety of test and production setups to latest and they all still work fine, and did a couple new configs from scratch which also worked fine.
Could you get me into your system to review? Can PM me to arrange specifics if so.
-
There was a snapshot issue or a bad upgrade.
Now I'm on 2.3.b.20160115.1858 and roadwarrior works. Now I have to test SSL/TLS peer to peer to confirm that is working too.
-
peer2peer still not working between 2.3 and 2.2.6.
Client error: openvpn[56391]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Server: no error.
-
hmmmm could it be a topology issue on 2.2.6?
mismatch between 2.3 server (subnet) and 2.2.6 client (net30)?
-
UPDATE:
If I leave all settings like they were and change only from SSL/TLS to shared key, the VPN works.
With TLS I get that route add error. wth??? :)
-
There is no way at all for me to connect a 2.3 box to 2.2.6 with OpenVPN SSL/TLS.
With shared key it works just fine.
-
Guys I found the error.
Look at the screenshot.
Shared key and SSL/TLS don't have the same settings under tunnel options.
-
Shared key works for me, SSL/TLS not.
-
In addition, when changing modes (shared key to SSL/TLS) Firefox needs like 15 seconds to display the other options while IE changes the options instantly.
EDIT:
This only happens on the Firefox NIGHTLY build, so never mind that.
-
Configs:
Working shared key server config:
dev ovpns2
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local MY WAN IP
ifconfig 172.16.91.1 172.16.91.2
lport 1199
management /var/etc/openvpn/server2.sock unix
push "route 10.10.0.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
secret /var/etc/openvpn/server2.secret
comp-lzo adaptive
Not working SSL/TLS config:
dev ovpns2
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local MY WAN IP
tls-server
ifconfig 172.16.91.1 172.16.91.2
lport 1199
management /var/etc/openvpn/server2.sock unix
push "route 10.10.0.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
crl-verify /var/etc/openvpn/server2.crl-verify
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo adaptive
topology subnet
-
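An added example for the two checks this thread keeps coming back to (written for this page; it is not code from the thread, from pfSense or from the OpenVPN project). The first function diffs two pfSense-generated server configs option by option, so "which specific setting differs?" gets a mechanical answer; run on excerpts of the two configs posted above, it reports `secret` only on the shared-key side and `tls-server`, `ca`, `cert`, `key`, `dh`, `crl-verify`, `tls-auth` and `topology` only on the SSL/TLS side, with every shared option (including `ifconfig`) identical. The second function pulls the "Expected Remote Options String" and "Local Options String" out of raw log text and compares them after folding the fields OpenVPN mirrors by design (`keydir 0`/`1`, `tls-server`/`tls-client`); for the log excerpts above that comparison comes back empty, which is also why the two options hashes in every excerpt differ without that being a problem. The config excerpts keep only a subset of the posted options, the two log lines are copied from the first excerpt, and the cipher-mismatch case in the usage note is constructed.

```python
"""Added example for this thread (not pfSense or OpenVPN project code): diff two
OpenVPN server configs option by option, and check that a client's expected
options string mirrors the server's local one."""
import re

# Excerpts of the two server configs posted above; most options that are
# identical in both were trimmed, a few are kept as controls.
SHARED_KEY_CFG = """\
proto udp
cipher AES-128-CBC
local MY WAN IP
ifconfig 172.16.91.1 172.16.91.2
push "route 10.10.0.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
secret /var/etc/openvpn/server2.secret
comp-lzo adaptive
"""

TLS_CFG = """\
proto udp
cipher AES-128-CBC
local MY WAN IP
tls-server
ifconfig 172.16.91.1 172.16.91.2
push "route 10.10.0.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
crl-verify /var/etc/openvpn/server2.crl-verify
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo adaptive
topology subnet
"""

# Two lines copied from the first log excerpt in the thread.
LOG_EXCERPT = """\
Jan 15 21:25:12 openvpn 13760 10.10.0.21:56042 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Jan 15 21:25:12 openvpn 13760 10.10.0.21:56042 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
"""


def parse_config(text):
    """Map each option name to the list of argument strings it was given.
    Comment and blank lines are skipped; repeatable options (push, route) accumulate."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, _, args = line.partition(" ")
        opts.setdefault(name, []).append(args.strip())
    return opts


def diff_configs(a, b):
    """Return (only_in_a, only_in_b, changed); changed maps option -> (args_in_a, args_in_b)."""
    pa, pb = parse_config(a), parse_config(b)
    only_a = {k: v for k, v in pa.items() if k not in pb}
    only_b = {k: v for k, v in pb.items() if k not in pa}
    changed = {k: (pa[k], pb[k]) for k in pa if k in pb and pa[k] != pb[k]}
    return only_a, only_b, changed


OPTS_RE = re.compile(r"(Expected Remote|Local) Options String: '([^']*)'")


def options_strings(log_text):
    """Return (local, expected_remote) options strings found in raw OpenVPN log text."""
    found = {m.group(1): m.group(2) for m in OPTS_RE.finditer(log_text)}
    return found.get("Local"), found.get("Expected Remote")


def parse_options_string(s):
    """'V4,dev-type tun,keydir 1,tls-auth,...' -> {'version': 'V4', 'dev-type': 'tun', 'keydir': '1', 'tls-auth': '', ...}"""
    parts = s.split(",")
    opts = {"version": parts[0]}
    for item in parts[1:]:
        name, _, arg = item.strip().partition(" ")
        opts[name] = arg
    return opts


def _fold_mirrored(opts):
    """keydir 0/1 and tls-server/tls-client are mirrored between the two ends by
    design; fold them so a correctly paired client and server compare equal."""
    n = dict(opts)
    if n.get("keydir") == "1":
        n["keydir"] = "0"
    if "tls-client" in n:
        n["tls-server"] = n.pop("tls-client")
    return n


def options_mismatch(local_s, remote_s):
    """Return {option: (local, remote)} for every field that still differs after folding.
    An empty dict means both ends agree on cipher, auth, MTU, tls-auth, key-method, etc."""
    loc = _fold_mirrored(parse_options_string(local_s))
    rem = _fold_mirrored(parse_options_string(remote_s))
    return {k: (loc.get(k), rem.get(k)) for k in sorted(set(loc) | set(rem))
            if loc.get(k) != rem.get(k)}


if __name__ == "__main__":
    only_sk, only_tls, changed = diff_configs(SHARED_KEY_CFG, TLS_CFG)
    print("only in shared-key:", sorted(only_sk), "| only in SSL/TLS:", sorted(only_tls))
    print("same option, different args:", changed)
    print("options mismatch:", options_mismatch(*options_strings(LOG_EXCERPT)))
```

Point `diff_configs` at the full files under /var/etc/openvpn/ on both boxes (the client's config against the server's) to see a real peer mismatch rather than the server-vs-server view shown here; a `topology subnet` on one end with none on the other, for instance, shows up as an `only_in` entry. For `options_mismatch`, a constructed client that announced `cipher AES-256-CBC` against the server above would return `{'cipher': ('AES-128-CBC', 'AES-256-CBC')}`, whereas the paired lines from the thread return an empty dict.
-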
Guys I found the error.
Look at the screenshot.
Shared key and SSL/TLS don't have the same settings under tunnel options.

They're not supposed to have all the same settings. Which specific setting are you referring to?
-
Local subnet for example
-
Tunnel settings MUST be the same; only encryption should vary. 2.2.6 has the same tunnel settings for both methods and different encryption, which is OK.
Clearly there is something wrong with the OpenVPN GUI and how it generates the config.
Between 2.2.6 no problem at all.
-
There is a difference between the Tunnel settings display (Peer to peer (Shared Key) ) 2.2.x vs 2.3
I will correct that. I'm sure it will make a difference to the shared configuration though. I will make a note here once a correction has been pushed and perhaps you would let me know if you see any improvement.
Thanks for continuing to work on this!
-
Thanks Steve!
I sure will test it because I need it :)