OpenVPN Stopped Working with 2.3.3



  • I've had no problems with OpenVPN until upgrading to 2.3.3. Now I can never get iOS or macOS to connect. I've rebooted the server without any change.

    Anyone else having problems?


  • With this massive amount of information, you should buy people a couple of crystal balls.



  • You SHOULD examine the server OpenVPN logs to determine the problem.



  • Hi,
    Yes, I also have a problem with (all) our OpenVPN configurations after the upgrade to 2.3.3.
    To be concrete about the problem:

    We are using an OpenVPN cert-based auth config with 2 intermediate CAs.
    The generated config is the following (local IP and hostname changed  :D):

    dev ovpns2
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun2
    writepid /var/run/openvpn_server3.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-server
    cipher AES-256-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 127.0.0.1
    tls-server
    server 10.10.1.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server2
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.example.com' 3"
    lport 1195
    management /var/etc/openvpn/server2.sock unix
    ca /var/etc/openvpn/server2.ca
    cert /var/etc/openvpn/server2.cert
    key /var/etc/openvpn/server2.key
    dh /etc/dh-parameters.2048
    crl-verify /var/etc/openvpn/server2.crl-verify
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    topology subnet
    route 10.10.11.0 255.255.255.0
    

    and the problematic log output:

    Feb 23 22:24:02 vpn openvpn[78709]:   auth_user_pass_file = '[UNDEF]'
    Feb 23 22:24:02 vpn openvpn[78709]: OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
    Feb 23 22:24:02 vpn openvpn[78709]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
    Feb 23 22:24:02 vpn openvpn[78982]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server2.sock
    Feb 23 22:24:02 vpn openvpn[78982]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 23 22:24:02 vpn openvpn[78982]: Diffie-Hellman initialized with 2048 bit key
    Feb 23 22:24:02 vpn openvpn[78982]: OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
    Feb 23 22:24:02 vpn openvpn[78982]: Cannot load CA certificate file /var/etc/openvpn/server2.ca (entry 4 did not validate)
    Feb 23 22:24:02 vpn openvpn[78982]: OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
    Feb 23 22:24:02 vpn openvpn[78982]: Cannot load CA certificate file /var/etc/openvpn/server2.ca (entry 5 did not validate)
    Feb 23 22:24:02 vpn openvpn[78982]: Cannot load CA certificate file /var/etc/openvpn/server2.ca (only 3 of 5 entries were valid X509 names)
    Feb 23 22:24:02 vpn openvpn[78982]: Exiting due to fatal error
    

    The CA file is a "bundled" CA file with the full chain.

    In another config it helped to not use the bundled CA file, but not in this example. Edit: my fault, the CA cert was also "bundled".

    Kind regards
    vogelkamm

    P.S.: investigating my specific problem:
    pfSense seems to build the CA chain correctly now!
    My config with the bundled CA seems to be not necessary any more!

    So: read the change log at https://doc.pfsense.org/index.php/2.3.3_New_Features_and_Changes#OpenVPN (Improved handling of chained/intermediate CAs in OpenVPN #2800) and the ticket.
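A quick check for the failure shown in that log (OpenSSL rejecting a certificate that is already in its store, so OpenVPN counts the entry as invalid), as an added example that is not part of the original thread and not pfSense's or OpenVPN's own code: it walks a PEM bundle the way OpenVPN numbers entries and reports which entries repeat an earlier one. The sample bundle is constructed (dummy base64 payloads, not real X.509); point the function at the real CA file's contents instead.

```python
import base64
import hashlib
import re

# Constructed stand-in for a bundled CA file such as /var/etc/openvpn/server2.ca:
# five PEM blocks where entries 4 and 5 repeat entries 2 and 3. The payloads are
# dummy bytes, not real DER; the duplicate check hashes the decoded bytes and
# never needs to parse the certificate itself.
def _pem(label):
    body = base64.b64encode(label.ljust(48, b"\x00")).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

SAMPLE_BUNDLE = "".join(_pem(b) for b in [
    b"root-ca", b"intermediate-1", b"intermediate-2",
    b"intermediate-1", b"intermediate-2",
])

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def find_duplicate_entries(bundle_text):
    """Return (entry_count, duplicates); each duplicate is (entry, first_seen),
    numbered from 1 like OpenVPN's 'entry N did not validate' messages."""
    seen, dups, count = {}, [], 0
    for count, match in enumerate(PEM_BLOCK.finditer(bundle_text), start=1):
        der = base64.b64decode("".join(match.group(1).split()))
        fingerprint = hashlib.sha256(der).hexdigest()
        if fingerprint in seen:
            dups.append((count, seen[fingerprint]))
        else:
            seen[fingerprint] = count
    return count, dups


def report(bundle_text):
    """Human-readable summary in the spirit of the OpenVPN log lines above."""
    count, dups = find_duplicate_entries(bundle_text)
    lines = ["entry %d duplicates entry %d" % (entry, first) for entry, first in dups]
    lines.append("%d of %d entries are distinct" % (count - len(dups), count))
    return "\n".join(lines)


if __name__ == "__main__":
    # With a real file: report(open("/path/to/bundle.ca").read())
    print(report(SAMPLE_BUNDLE))
```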



  • It appears Viscosity isn't compatible with 2.4 yet.



  • I have 8 2.3.2-RELEASE-p1 pfSenses connected with OpenVPN to a 2.3.2-RELEASE-p1 server. The only machine I upgraded to 2.3.3 can no longer connect to my OpenVPN server.

    I will create a new topic when I get access to the machine logs.



  • I'm an idiot. Problem was me accidentally deleting the port forwarding rule on my router when deleting rules for my camera server/recorder. (I use a separate router instead of the pfSense box serving as router).

