OpenVPN Stopped Working with 2.3.3

ericnix

I've had no problems with OpenVPN until upgrading to 2.3.3. Now I can never get iOS or macOS to connect. I've rebooted the server without any change.

Anyone else having problems?

doktornotor

With this massive amount of information, you should buy people a couple of crystal balls.

Soyokaze

You SHOULD examine server OpenVPN logs to determine problem.

vogelkamm

Hi,
Yes, I also have a problem with (all) our openVPN configurations after the upgrade to 2.3.3.
To concrete the problem:

We are using a OpenVPN cert based auth config with 2 intermediate CAs
The generated Config is the following (local IP and hostname changed  :D):

dev ovpns2
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 127.0.0.1
tls-server
server 10.10.1.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.example.com' 3"
lport 1195
management /var/etc/openvpn/server2.sock unix
ca /var/etc/openvpn/server2.ca 
cert /var/etc/openvpn/server2.cert 
key /var/etc/openvpn/server2.key 
dh /etc/dh-parameters.2048
crl-verify /var/etc/openvpn/server2.crl-verify 
tls-auth /var/etc/openvpn/server2.tls-auth 0
topology subnet
route 10.10.11.0 255.255.255.0

and the problematic log output:

Feb 23 22:24:02 vpn openvpn[78709]:   auth_user_pass_file = '[UNDEF]'
Feb 23 22:24:02 vpn openvpn[78709]: OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
Feb 23 22:24:02 vpn openvpn[78709]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
Feb 23 22:24:02 vpn openvpn[78982]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server2.sock
Feb 23 22:24:02 vpn openvpn[78982]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 23 22:24:02 vpn openvpn[78982]: Diffie-Hellman initialized with 2048 bit key
Feb 23 22:24:02 vpn openvpn[78982]: OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
Feb 23 22:24:02 vpn openvpn[78982]: Cannot load CA certificate file /var/etc/openvpn/server2.ca (entry 4 did not validate)
Feb 23 22:24:02 vpn openvpn[78982]: OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
Feb 23 22:24:02 vpn openvpn[78982]: Cannot load CA certificate file /var/etc/openvpn/server2.ca (entry 5 did not validate)
Feb 23 22:24:02 vpn openvpn[78982]: Cannot load CA certificate file /var/etc/openvpn/server2.ca (only 3 of 5 entries were valid X509 names)
Feb 23 22:24:02 vpn openvpn[78982]: Exiting due to fatal error

The CA file is a "bundled" CA file with the full chain

In a other config it helped using not the bundled CA file, but not in this example edit: my fault, CA Cert was also "bundled"

Kind regards
vogelkamm

P.S.: investigating the (my) specific problem:
pfsense seems to build the CA chain correctly, now!
my config with the bundles CA seems to be is not necessary any more!

so: read the change log at https://doc.pfsense.org/index.php/2.3.3_New_Features_and_Changes#OpenVPN (Improved handling of chained/intermediate CAs in OpenVPN #2800) and the ticket

ericnix

It appears Viscosity isn't compatible with 2.4 yet.

spyshagg

I have 8  2.3.2-RELEASE-p1  pfsenses connected with OPENVPN to a 2.3.2-RELEASE-p1 server.  The only  machine I upgraded to 2.3.3 can no longer connect to my openvpn server.

I will create a new topic when I get access to the machine logs.

ericnix

I'm an idiot. Problem was me accidentally deleting the port forwarding rule on my router when deleting rules for my camera server/recorder. (I use a separate router instead of the pfSense box serving as router).