OpenVPN Stopped Working with 2.3.3
-
I've had no problems with OpenVPN until upgrading to 2.3.3. Now I can never get iOS or macOS to connect. I've rebooted the server without any change.
Anyone else having problems?
-
With this massive amount of information, you should buy people a couple of crystal balls.
-
You SHOULD examine server OpenVPN logs to determine problem.
-
Hi,
Yes, I also have a problem with (all) our openVPN configurations after the upgrade to 2.3.3.
To make the problem concrete: we are using an OpenVPN cert-based auth config with 2 intermediate CAs.
The generated config is the following (local IP and hostname changed :D):

dev ovpns2
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 127.0.0.1
tls-server
server 10.10.1.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.example.com' 3"
lport 1195
management /var/etc/openvpn/server2.sock unix
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.2048
crl-verify /var/etc/openvpn/server2.crl-verify
tls-auth /var/etc/openvpn/server2.tls-auth 0
topology subnet
route 10.10.11.0 255.255.255.0
and the problematic log output:
Feb 23 22:24:02 vpn openvpn[78709]: auth_user_pass_file = '[UNDEF]'
Feb 23 22:24:02 vpn openvpn[78709]: OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
Feb 23 22:24:02 vpn openvpn[78709]: library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Feb 23 22:24:02 vpn openvpn[78982]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server2.sock
Feb 23 22:24:02 vpn openvpn[78982]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 23 22:24:02 vpn openvpn[78982]: Diffie-Hellman initialized with 2048 bit key
Feb 23 22:24:02 vpn openvpn[78982]: OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
Feb 23 22:24:02 vpn openvpn[78982]: Cannot load CA certificate file /var/etc/openvpn/server2.ca (entry 4 did not validate)
Feb 23 22:24:02 vpn openvpn[78982]: OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
Feb 23 22:24:02 vpn openvpn[78982]: Cannot load CA certificate file /var/etc/openvpn/server2.ca (entry 5 did not validate)
Feb 23 22:24:02 vpn openvpn[78982]: Cannot load CA certificate file /var/etc/openvpn/server2.ca (only 3 of 5 entries were valid X509 names)
Feb 23 22:24:02 vpn openvpn[78982]: Exiting due to fatal error
The CA file is a "bundled" CA file with the full chain.
In another config it helped to use not the bundled CA file, but not in this example.
edit: my fault, the CA cert was also "bundled".
Kind regards
vogelkamm

P.S.: investigating the (my) specific problem:
pfSense seems to build the CA chain correctly now!
My config with the bundled CA seems not to be necessary any more!
So: read the change log at https://doc.pfsense.org/index.php/2.3.3_New_Features_and_Changes#OpenVPN (Improved handling of chained/intermediate CAs in OpenVPN #2800) and the ticket.
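The "cert already in hash table" errors in the log above are what OpenSSL reports when the same certificate appears more than once in the file passed to --ca; OpenVPN then counts that entry as invalid, using the same 1-based entry numbers as the file. The following check is added here as an example, not code from the thread or from pfSense: it fingerprints each PEM block and reports which entries repeat an earlier one, and rebuilds the bundle with the repeats dropped. The sample bundle is constructed; its bodies are base64 placeholders, not real certificates.

```python
import base64
import hashlib
import re

# Each PEM certificate block; group 1 is the base64 body (may span several lines).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)


def bundle_fingerprints(pem_text):
    """Return [(entry_number, sha256_of_der), ...] in file order, 1-based like OpenVPN's log."""
    out = []
    for idx, m in enumerate(PEM_CERT_RE.finditer(pem_text), start=1):
        der = base64.b64decode("".join(m.group(1).split()))
        out.append((idx, hashlib.sha256(der).hexdigest()))
    return out


def find_duplicates(pem_text):
    """Return [(duplicate_entry, first_entry), ...]: entries OpenSSL would reject as already loaded."""
    first_seen, dupes = {}, []
    for idx, fp in bundle_fingerprints(pem_text):
        if fp in first_seen:
            dupes.append((idx, first_seen[fp]))
        else:
            first_seen[fp] = idx
    return dupes


def dedupe_bundle(pem_text):
    """Rebuild the bundle keeping only the first occurrence of each certificate."""
    kept, seen = [], set()
    for m in PEM_CERT_RE.finditer(pem_text):
        fp = hashlib.sha256(base64.b64decode("".join(m.group(1).split()))).hexdigest()
        if fp not in seen:
            seen.add(fp)
            kept.append(m.group(0))
    return "\n".join(kept) + "\n"


def _placeholder_cert(label):
    """Constructed stand-in: a PEM block whose body is just base64 of the label, not a real cert."""
    body = base64.b64encode(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Constructed bundle shaped like the failing one: root + 2 intermediates, then both intermediates again.
SAMPLE_BUNDLE = "".join(_placeholder_cert(n) for n in
                        ["root-ca", "intermediate-a", "intermediate-b",
                         "intermediate-a", "intermediate-b"])

if __name__ == "__main__":
    for dup, first in find_duplicates(SAMPLE_BUNDLE):
        print("entry %d duplicates entry %d" % (dup, first))
```

Run against a real bundle the same way (read the file, pass its text); the reported entry numbers line up with the "entry N did not validate" lines OpenVPN logs.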
-
It appears Viscosity isn't compatible with 2.4 yet.
-
I have eight 2.3.2-RELEASE-p1 pfSenses connected with OpenVPN to a 2.3.2-RELEASE-p1 server. The only machine I upgraded to 2.3.3 can no longer connect to my OpenVPN server.
I will create a new topic when I get access to the machine logs.
-
I'm an idiot. Problem was me accidentally deleting the port forwarding rule on my router when deleting rules for my camera server/recorder. (I use a separate router instead of the pfSense box serving as router).