Netgate Discussion Forum
    OpenVPN to 2.5.0 works ?

    17 Posts 4 Posters 1.5k Views
    JKnott @hypnosis4u2nv

      @hypnosis4u2nv said in OpenVPN to 2.5.0 works ?:

      I've been playing with it since upgrading, I can't get it to work even though it was working prior.

      For me, the config that was working with 2.4.5 didn't with 2.5.0.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      hypnosis4u2nv @JKnott

        @jknott Yeah, I'm in the same boat. Had it working and 2.5 killed it somehow.

        How this issue wasn't seen during development is beyond me.

        chudak @hypnosis4u2nv

          @hypnosis4u2nv

          Wonder if a bug was reported about this ?

          hypnosis4u2nv @chudak

            @chudak Scrolling through the forums I see lots of complaints regarding OpenVPN. I'd like to submit a bug but where do I begin? Is it OpenVPN or pfSense? I don't even know. My pfSense crashed during my attempts to get it working. When it rebooted, it knocked out the VPN client gateway forcing me to phantom edit and save to get it back up.

            This release has serious flaws and shouldn't be out until this is fixed. The loss of connectivity is a pretty serious problem to have in deployment.

            chudak @hypnosis4u2nv

              @hypnosis4u2nv said in OpenVPN to 2.5.0 works ?:

              @chudak Scrolling through the forums I see lots of complaints regarding OpenVPN. I'd like to submit a bug but where do I begin? Is it OpenVPN or pfSense? I don't even know. My pfSense crashed during my attempts to get it working. When it rebooted, it knocked out the VPN client gateway forcing me to phantom edit and save to get it back up.

              This release has serious flaws and shouldn't be out until this is fixed. The loss of connectivity is a pretty serious problem to have in deployment.

              The shining side of open source is that everyone can contribute.
              Pls submit as it will benefit all of us!

              https://redmine.pfsense.org/
              https://github.com/pfsense/pfsense

              divsys

                @divsys Was able to get my "problem" OpenVPN site back up.

                To recap: TLS/SSL S2S connection that was previously fine under 2.4.5p1 Server/Client.
                Converted Client to 2.5.0, Server left at 2.4.5p1 and the connection remained fine.
                Once I converted the Server (remote in my case) to 2.5.0, the connection failed w/ various TLS HMAC and other Handshake errors.

                Chased various issues, finally disabled TLS completely to drop the variables in play and recreated a new CA, Server cert, and Client cert.
                Copied the certs onto the client and restarted both ends.
                I started seeing
                "VERIFY WARNING: depth=1, unable to get certificate ....."
                for the CA I just created on the Server and the Client.
                As a possible fix I went back and checked the box
                "Add this Certificate Authority to the Operating System Trust Store"
                on the Server and Client CA cert page.
                I had to physically reboot both boxes for this to have any effect.
                I was then able to apply the newly created CA and Certs to both ends and the link came back up.

                Seems a new cert check in 2.5.0 didn't like my previously created certs from 2.4.x.
                Was a little ugly to track, but reasonably simple to resolve in the end.

                If this is a possibility moving forward, it might be nice to "prescan" previously created certs somehow to know if you're going to step into a minefield.

                Edit: I was able to re-enable TLS once I had the certs connected properly.

                -jfp

                  hypnosis4u2nv @divsys

                  @divsys Thanks for sharing your troubleshooting. Going to give this a try later and configure my OpenVPN client from scratch again.

                  There's a known issue with non-local gateways not coming back up after boot. Did you do a reboot and confirm that they connect fine? Not sure if this pertains to us who use OpenVPN as a client and have specific traffic utilizing that gateway.

                  https://redmine.pfsense.org/issues/11433

                    divsys @hypnosis4u2nv

                    @hypnosis4u2nv That's not an issue for my setups.
                    I'm typically using this as a means of providing secure Site-Site links over multiple different LANs.
                    General internet traffic simply passes through the local gateway at each site.
                    With the exceptions I've noted, the changeover to 2.5.0 has been pretty invisible.
                    I'll be moving more slowly as I changeover sites.
                    Some of the remote locations are less than accessible; I don't need to create headaches when not required.

                    -jfp

                      divsys @divsys

                      @divsys Looks like my guesses about needing the:
                      "Add this Certificate Authority to the Operating System Trust Store"
                      option on the CA were incorrect.
                      The S2S link remains stable after my previous work to rebuild CA & certs, but I found the secondary server for RoadWarrior clients was not allowing any connections.
                      It was failing with the same Unable to get certificate msgs.

                      Hunted about a few messages and found: "OpenVPN 2.5.0 Certificate Verification Fails"
                      Implemented the suggested fix and everything came back to life.
                      Hopefully we'll see a patch/fix for this.

                      -jfp

                        hypnosis4u2nv @divsys

                        @divsys Appreciate the heads up. Gonna wait for a fix for all this. Right now I'm getting by as a WireGuard client.
