OpenVPN Connections undefined

stage

We have a PFSence 2.7.2 with more than 500+ connections.
The problem arises after updating from 2.6.0 to 2.7.2 the openVPN is experiencing issues.
Specifically the openVPN server with more than 100 connections reports 90% as undefined and regarding the logging: We're not really figuring it out but it can be added if requested.

anyone know what the problems is??

Thank you very much

Gertjan

@stage said in OpenVPN Connections undefined:

openVPN server with more than 100 connections reports 90% as undefined and regarding the logging

What happens when you change the OpenVPN port from (example) 1194 to (example) 1195 ?
All the "undefined connections" go away, right ?

There are zillions of port scanners on the internet, testing all IP addresses for open port.
That these are hitting an IP and protocol and port you are using for your OpenVPN Server is nothing exceptional. These will reach the OpenVPN server, but will fail to identify. For a short period of time these connection attempts will be marked as "undefined".
This is not a real a problem, as the OpenVPN server is there to stop the scanners, and only let pass the identified connection.

@stage said in OpenVPN Connections undefined:

We have a PFSence 2.7.2 with more than 500+ connections.

What does this mean ?

stage

@Gertjan

The OpenVPN tunnels are allready originated from different ports. We use different OpenVPN servers in PFSense.
So, that should not be an isseu i think?

The VPN's are connecting, using Teltonika RUT routers and work without any problem, using PFsense 2.6; the problems come when we use 2.7 or higher.

Also we changed the following rule in the connections.
connect-freq

And added:
connect-freq-initial

Then it seems to be working beter; but the connections keep comming as Undef; also it seems that after a while there are less Undef's; but if we look after about 30 minutes more then half of them are undef again :-(

Gertjan

@stage said in OpenVPN Connections undefined:

using PFsense 2.6; the problems come when we use 2.7 or higher.

Oh ... that's a big red urgency button problem.
Read this first : Home > pfSense Software > OpenVPN the very first pinned post.

2.6.0 is depreciated, as is any OpenVPN before "2.6" and OpenSSL binaries. See also the recent Netgate blog posts.
I get it : you stick with the old versions as they work fine for you. But you also keep the now know security issues ....
OpenVPN 2.6.8, that comes with pfSense 2.7.2 works just fine. I had to ditch non supported Data Encryption Algorithms, and that ment I had to re export clienst config files. And I had to make sure that my OpenVPN don't use a OpenVPN client from early "2000" but a more recent one, like the one shown here.
I know, that means you have to some maintenance, deployment, but that's ok, as issue isn't about admin's confort, but security.

@stage said in OpenVPN Connections undefined:

Then it seems to be working beter; but the connections keep comming as Undef; also it seems that after a while there are less Undef's; but if we look after about 30 minutes more then half of them are undef again

If you have a lot of users, this can happen :
They have the OpenVPN client activated, and they start to "move". This means their connection drops, and comes back, drops again, etc.
Every time, the OpenVPN tries to reconnect against the server. The connections gets lost, and reconnects etc etc.
So some (or many) of the OpenVPN connections are what I call 'stale', they didn't finish the client server renegotiation. I guess this is what also can produce these Undef connections shown.
Not an issue to worry about.
And there is just one solution : train your OpenVPN client users to disable their connection when they are not using the OpenVPN and/or start to "move" with their device (I know : easily said then done)

stage

@Gertjan
Here is my setup of the certs.
If not wrong, the encryption is still up to date?

stage

After running a few tests this morning (nobody works at this time except me :-) )

AEAD Decrypt error: cipher final failed
Open VPN TLS Error: Unroutable control packet received from
Error: Unroutable control packet
VERIFY WARNING: depth=1, unable to get certificate CRL:
SIGUSR1[soft,tls-error] received, client-instance restarting
Note: OpenSSL hardware crypto engine functionality is not available
(in config Crypto HW: AES-NI and BSD Crypto both enabled (and reboot done)

After a while log shows:
Note: OpenSSL hardware crypto engine functionality is not available
And from one orignating IP:(client)
SIGUSR1[soft,tls-error] received, client-instance restarting
TLS Error: TLS handshake failed
TLS Error: TLS object -> incoming plaintext read error
TLS_ERROR: BIO read tls_read_plaintext error
OpenSSL: error:0A000086:SSL routines::certificate verify failed:
VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak:
If i look at this cert; it has a signature like this: Signature Digest: RSA-SHA1 (Weak Digest)

So we do need to check them right?

Problem there is, that sombody makes the certificate's; whell try to talk to concrete; there is no isseu he says...

Gertjan

@stage

First of all, sorry for the confussion.
I somehow had the impression you were using 2.6.0, and that's not the case.
You are using the most recent pfSense version, that is 2.7.2.

This :

@stage said in OpenVPN Connections undefined:

Note: OpenSSL hardware crypto engine functionality is not available

is a harmless message. It's a 'Note', consider that as a friendly "Hi !".

@stage said in OpenVPN Connections undefined:

VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak:
If i look at this cert; it has a signature like this: Signature Digest: RSA-SHA1 (Weak Digest)

As said above, and I wasn't mistaken here : redo your certificates.
RSA-SHA1 is not concrete.
No need to listen to 'somebody' : you control pfSense, you can make certificates for the OpenVPN server, and then a certificate for every connected user.
500 OpenVPN users ? Well, ok, that will take a day or so.

Search the occurrence of SHA1 on this page : it's not supported anymore.

stage

@Gertjan

Thnx,
With Conrete i ment, one person in our organisation is responable to keep the certificates up to date and also create them.
Working with him for changes is often like working a peace of concret or a big steel door ;-) ( feel free to translate to dutch )

allxi

If you use SHA1 in clients. Temporary add "tls-cert-profile insecure" in "Advanced Configuration -> Custom options" on your Server.