OpenVPN to 2.5.0 works ?
-
@chudak I've been playing with it since upgrading, I can't get it to work even though it was working prior. Also experienced a firewall crash because of it. The OpenVPN service needs work.
-
@chudak My initial experience:
Running a small network of OpenVPN connected boxes, mostly AMD 2GHz quadcore w/Intel quad nics. Sites are set as OpenVPN servers using TLS/SSL certificates, no passwords.
Majority of sites are updated to 2.4.5p1 although a few are running older 32-bit versions.
About 40 sites in total, has been stable for a few years (at least). My home box runs on a Gig fiber connection and services 36 OpenVPN clients as well as 4 OpenVPN server connections. Again this is all fixed TLS/SSL connections.
I decided to bite the bullet and try to upgrade my home box first: made sure the few packages I had were up to date, took a backup and set it to auto-update.
The update took a "good while" perhaps 8 minutes to complete but the box came back as expected and I had internet. Out of 36 client connections, only one didn't come back properly.
I checked the logs and it was giving me some odd messages about negotiating a link, so on a hunch (and remembering something about preferred encryption types) I locked the link at both ends to AES-256-GCM, forced both processes to restart and the link came back as expected.
Everything looked good, so I picked one of the remote sites as a test and again updated packages, took a backup and ran the update. This time the remote site did not come back across OpenVPN, but I was able to remote directly into frontend and verify the site was up and showed an upgrade to 2.5.0.
Unfortunately the OpenVPN server was complaining about failed "TLS Handshake errors" which is somewhat odd as the site had been running fine for a few years at least.
Tried the usual cast of errors, recopied the TLS key from the server to client (I normally let the Server self-create its own TLS key and then copy that back to the client) to no avail. I then went so far as to create a new CA on the Server, create a Server and Client cert from that and install them into the Server and Client processes. Still no go.
And just to confuse things a little further, I have 4 OpenVPN Server processes running on my home box that are working just fine on 2.5.0.
I'm still working through my debug process here, but either I'm missing something basic in a change to 2.5.0 re: Certs/TLS/etc. or something is Not Right.
-
@hypnosis4u2nv said in OpenVPN to 2.5.0 works ?:
I've been playing with it since upgrading, I can't get it to work even though it was working prior.
For me, the config that was working with 2.4.5 didn't with 2.5.0.
-
@jknott Yeah, I'm in the same boat. Had it working and 2.5 killed it somehow.
How this issue wasn't seen during development is beyond me.
-
Wonder if a bug was reported about this ?
-
@chudak Scrolling through the forums I see lots of complaints regarding OpenVPN. I'd like to submit a bug but where do I begin? Is it OpenVPN or pfsense? I don't even know. My pfsense crashed during my attempts to get it working. When it rebooted, it knocked out the VPN client gateway forcing me to phantom edit and save to get it back up.
This release has serious flaws and shouldn't be out until this is fixed. The loss of connectivity is a pretty serious problem to have in deployment.
-
@hypnosis4u2nv said in OpenVPN to 2.5.0 works ?:
@chudak Scrolling through the forums I see lots of complaints regarding OpenVPN. I'd like to submit a bug but where do I begin? Is it OpenVPN or pfsense? I don't even know. My pfsense crashed during my attempts to get it working. When it rebooted, it knocked out the VPN client gateway forcing me to phantom edit and save to get it back up.
This release has serious flaws and shouldn't be out until this is fixed. The loss of connectivity is a pretty serious problem to have in deployment.
Shining side of open source is that everyone can contribute
Pls submit as it will benefit all of us! https://redmine.pfsense.org/
https://github.com/pfsense/pfsense
-
@divsys Was able to get my "problem" OpenVPN site back up.
To recap: TLS/SSL S2S connection that was previously fine under 2.4.5p1 Server/Client.
Converted Client to 2.5.0, Server left at 2.4.5p1 and the connection remained fine.
Once I converted the Server (remote in my case) to 2.5.0, the connection failed w/ various TLS HMAC and other Handshake errors. Chased various issues, finally disabled TLS completely to drop the variables in play and recreated a new CA, Server cert, and Client cert.
Copied the certs onto the client and restarted both ends.
I started seeing
"VERIFY WARNING: depth=1, unable to get certificate ....."
for the CA I just created on the Server and the Client.
As a possible fix I went back and checked the box
"Add this Certificate Authority to the Operating System Trust Store"
on the Server and Client CA cert page.
I had to physically reboot both boxes for this to have any effect.
I was then able to apply the newly created CA and Certs to both ends and the link came back up. Seems a new cert check in 2.5.0 didn't like my previously created certs from 2.4.x.
Was a little ugly to track, but reasonably simple to resolve in the end. If this is a possibility moving forward, it might be nice to "prescan" previously created certs somehow to know if you're going to step into a minefield.
Edit: I was able to re-enable TLS once I had the certs connected properly.
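The "prescan" of existing certs wished for in the post above can be approximated with stock openssl. The script below is an added example and is not code from this thread, from pfSense or from OpenVPN: it builds a constructed throwaway CA, server and client certificate (the file names ca_ok, ca_bad, server, client and the extension profile names are this example's own), then runs the two checks a practitioner would want before upgrading an endpoint: the CA certificate must assert basicConstraints CA:TRUE, and each leaf must verify against that CA with openssl verify. The CA:TRUE check is an assumed, generic requirement of X.509 path validation, not a statement about which specific check OpenVPN 2.5.0 introduced. It needs openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the thread: pre-upgrade sanity check for an OpenVPN
# CA / server / client certificate set. Builds constructed test certs, then
# checks that the CA says CA:TRUE and that every leaf chains to it.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles (constructed; section names are this example's own).
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_true]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ca_false]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
[leaf_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[leaf_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_ca NAME PROFILE: self-signed CA certificate NAME.crt using PROFILE.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -config ext.cnf -extensions "$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# make_leaf NAME CA PROFILE: key + CSR for NAME, signed by CA with PROFILE.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config ext.cnf \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 2 -extfile ext.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}

# check_chain CA LEAF: the actual prescan. Returns 0 only when CA carries
# basicConstraints CA:TRUE and LEAF verifies against it; prints why otherwise.
check_chain() {
  if ! openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo "FAIL $2: $1 lacks basicConstraints CA:TRUE"
    return 1
  fi
  if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "FAIL $2: does not verify against $1"
    return 1
  fi
  echo "OK   $2 verifies against $1"
}

# Healthy set: proper CA, one server cert, one client cert.
make_ca ca_ok ca_true
make_leaf server ca_ok leaf_server
make_leaf client ca_ok leaf_client

# Constructed failure case: a "CA" whose own certificate says CA:FALSE. It can
# still sign a leaf, but a verifier rejects the chain (invalid CA certificate).
make_ca ca_bad ca_false
make_leaf bad_server ca_bad leaf_server

check_chain ca_ok.crt server.crt
check_chain ca_ok.crt client.crt
check_chain ca_bad.crt bad_server.crt || true   # expected to FAIL
```

To prescan a real deployment, export the CA and each server/client certificate from System > Cert. Manager as PEM files and call check_chain on each pair instead of the generated ones; a FAIL on the first check points at the CA itself, a FAIL on the second at the individual leaf.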
-
@divsys Thanks for sharing your troubleshooting. Going to give this a try later and configure my OpenVPN client from scratch again.
There's a known issue with non local gateways not coming back up after boot. Did you do a reboot and confirm that they connect fine? Not sure if this pertains to us who use OpenVPN as a client and have specific traffic utilizing that gateway.
https://redmine.pfsense.org/issues/11433
-
@hypnosis4u2nv That's not an issue for my setups.
I'm typically using this as a means of providing secure Site-Site links over multiple different LANS.
General internet traffic simply passes through the local gateway at each site.
With the exceptions I've noted, the changeover to 2.5.0 has been pretty invisible.
I'll be moving more slowly as I changeover sites.
Some of the remote locations are less than accessible, I don't need to create headaches when not required.
-
@divsys Looks like my guesses about needing the:
"Add this Certificate Authority to the Operating System Trust Store"
option on the CA were incorrect.
The S2S link remains stable after my previous work to rebuild CA&certs, but I found the secondary server for RoadWarrior clients was not allowing any connections.
It was failing with the same Unable to get certificate msgs. Hunted about a few messages and found: OpenVPN 2.5.0 Certificate Verification Fails
Implemented the suggested fix and everything came back to life.
Hopefully we'll see a patch/fix for this.
-
@divsys Appreciate the heads up. Gonna wait for a fix for all this. Right now I'm getting by as a Wireguard client.