Netgate Discussion Forum

    Update to 23.09 broke OpenVPN server

    OpenVPN
    DominikHoffmann

      I know it is the 23.09 update that broke my OpenVPN server.

      After countless tweaks to both the server and the client configuration (the client is Spark Labs’ Viscosity), last night I drove to the location where the Netgate 1100 is, so I could figure out what’s going on.

      I obtained a 23.05 image from Netgate TAC and restored that to the 1100, along with a recent configuration file from a time when I know the VPN was working. Once that was all done, I had VPN connectivity.

      Now, with the update (through the GUI) to 23.09, the client fails to connect to the OpenVPN server running on the 1100. I will have to investigate more systematically and will report my findings along the way here later.

      SteveITS Galactic Empire @DominikHoffmann

        @DominikHoffmann was your setup using one of the removed algorithms?

        https://docs.netgate.com/pfsense/en/latest/releases/23-09.html#numerous-deprecated-encryption-and-digest-algorithms-removed

          DominikHoffmann @SteveITS

          @SteveITS: Thanks for the tip! I will look into that and post my findings here.

          Interestingly, on four of the other pfSense appliances I manage for clients this wasn’t a problem. I thought I had set up OpenVPN on them in a largely identical manner (following the SparkLabs tutorial).

            DominikHoffmann

            Looking at the Viscosity log I am finding:

            2023-11-08 23:13:33: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
            2023-11-08 23:13:33: TLS Error: TLS handshake failed
            

            On my Netgate 1100 running pfSense+ 23.09 I have this:

            Nov 8 23:13:34	openvpn	46477	208.88.254.27:30797 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=US, ST=****, L=****, O=****, CN=dominik, serial=5
            Nov 8 23:13:34	openvpn	46477	208.88.254.27:30797 SSL alert (write): fatal: bad certificate
            Nov 8 23:13:34	openvpn	46477	208.88.254.27:30797 OpenSSL: error:0A000086:SSL routines::certificate verify failed
            Nov 8 23:13:34	openvpn	46477	208.88.254.27:30797 TLS_ERROR: BIO read tls_read_plaintext error
            

            I don’t think it is a problem that this is off by 1 s from the corresponding occurrence in the Viscosity log.

              DominikHoffmann

              @SteveITS said in Update to 23.09 broke OpenVPN server:

              https://docs.netgate.com/pfsense/en/latest/releases/23-09.html#numerous-deprecated-encryption-and-digest-algorithms-removed

              Based on this reference I ended up completely reconfiguring the internal certificate authority, which is used to create the OpenVPN server and user certificates, which I redid, as well. With the OpenVPN server made to use these new entities, everything started working again.

                jimp Rebel Alliance Developer Netgate @DominikHoffmann

                @DominikHoffmann said in Update to 23.09 broke OpenVPN server:

                error=CA signature digest algorithm too weak

                That's the problem right there -- the signature digest on the certificates was too weak, meaning probably it was using SHA1.

                Redoing the CA/Certs was the right move there.

                  Gertjan @DominikHoffmann
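                A way to confirm that diagnosis before (or after) such an upgrade, as an added example that is not from this thread or from pfSense/Netgate: a stdlib-only Python snippet that reads the outer signatureAlgorithm of a certificate (DER, or a PEM export from the certificate manager) and flags CAs and user certs signed with MD5 or SHA-1. The OID table is a short assumption to be extended as needed, and the two sample certificates are constructed stand-ins with placeholder bodies, not real certificates.

```python
import base64, re

# Signature-algorithm OID -> (name, digest).  Short table (an assumption); extend as needed.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}
WEAK_DIGESTS = {"md5", "sha1"}   # what OpenSSL 3 rejects as "too weak" at its default security level

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OBJECT IDENTIFIER content bytes -> dotted string (first byte packs two arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:            # remaining arcs are base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def check_cert(der):
    """Classify a DER certificate by its outer signatureAlgorithm (RFC 5280 layout)."""
    tag, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE {
    _, _tbs, pos = _read_tlv(cert, 0)         #   tbsCertificate   (skipped, not decoded)
    _, alg_id, _ = _read_tlv(cert, pos)       #   signatureAlgorithm AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg_id, 0)    #     algorithm OBJECT IDENTIFIER
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER Certificate")
    dotted = _decode_oid(oid)
    name, digest = SIG_ALGS.get(dotted, ("unknown", "unknown"))
    return {"oid": dotted, "name": name, "digest": digest, "weak": digest in WEAK_DIGESTS}

def check_pem(pem):
    """Same check on a PEM export, e.g. from the pfSense certificate manager."""
    body = re.sub(r"-----[^-]+-----", "", pem)
    return check_cert(base64.b64decode("".join(body.split())))

# Constructed stand-in certificates (NOT real): SEQUENCE { tbs placeholder SEQUENCE{INTEGER 1},
# AlgorithmIdentifier { OID, NULL }, BIT STRING placeholder }; only the OID byte differs.
SAMPLE_SHA1_DER = bytes.fromhex("301b3003020101300d06092a864886f70d0101050500030500aaaaaaaa")
SAMPLE_SHA256_DER = bytes.fromhex("301b3003020101300d06092a864886f70d01010b0500030500aaaaaaaa")
```

Run `check_pem(open("ca.crt").read())` against the exported CA and each user certificate; any result with `"weak": True` is a certificate that 23.09 will refuse, which is exactly the case where regenerating the CA and reissuing the certs is the fix.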

                  @DominikHoffmann said in Update to 23.09 broke OpenVPN server:

                  I know it is the 23.09 update that broke my OpenVPN server.

                  Tip of the day: put back the RSS dashboard widget:

                  [screenshot: the RSS dashboard widget]

                  It's full of info that you need to know, even if you don't know it yet 😊

                  Edit: and where are the logs??
