Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Openvpn issue - site 2 site

    Scheduled Pinned Locked Moved 2.3-RC Snapshot Feedback and Issues - ARCHIVED
    59 Posts 3 Posters 15.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      maverick_slo
      last edited by

      Hi!

      Pfsense 2.3 as server and 2.2.6 as client.
      Generated CA, server and client cert.
      Exported CA cert and client cert+key and imported on 2.2.6

      Created openvpn server on pfsense 2.3 with server cert.
      Created openvpn client on 2.2.6 with client cert and selected imported CA for peer ca

      On server side:
      Jan 15 15:43:22 openvpn 78648 CLIENT_IP:37466 TLS Error: TLS handshake failed
      Jan 15 15:43:22 openvpn 78648 CLIENT_IP:37466 TLS Error: TLS object -> incoming plaintext read error
      Jan 15 15:43:22 openvpn 78648 CLIENT_IP:37466 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
      Jan 15 15:43:22 openvpn 78648 CLIENT_IP:37466 WARNING: Failed running command (–tls-verify script): external program exited with error status: 1

      Known thing?

      BR,
      Greg

      1 Reply Last reply Reply Quote 0
      • M
        maverick_slo
        last edited by

        Hmmm OpenVPN SSL/TLS is messed up.
        Same certs 2.2.6 to 2.2.6 just fine.

        Also in SSL/TLS or shared key advanced options are missing and verbosity is missing too.

        In addition on 2.3 there is no way to select do not check certificate, which would probably mitigate above issue.

        Is this related:https://redmine.pfsense.org/issues/4329 ?

        BR,
        G

        1 Reply Last reply Reply Quote 0
        • M
          maverick_slo
          last edited by

          OMG.
          In addition this playing around has borked my roadwarrior too.
          I havent even touched roadwarrior server and now its giving me same error. ???

          1 Reply Last reply Reply Quote 0
          • S
            Steve_B Netgate
            last edited by

            The lack of "Advanced Configuration" panel is intentional. It is being displayed in 2.2.x due to a bug in that code (which is not present in 2.3) We are currently researching whether that panel should, or should not display when Peer-to-peer (TLS/SSL) is selected.

            I am looking at the other issue you have reported.

            Als ik kan

            1 Reply Last reply Reply Quote 0
            • S
              Steve_B Netgate
              last edited by

              The consensus is that the Advances config panel should always be visible, so I will make that so.

              Als ik kan

              1 Reply Last reply Reply Quote 0
              • S
                Steve_B Netgate
                last edited by

                A number of changes have been made to this page to correct the hide/show actions
                The "Do Not Check option has been added to the cert depth control

                Would you please test these changes to see if they help with the issues you have reported?

                Thanks.

                Als ik kan

                1 Reply Last reply Reply Quote 0
                • M
                  maverick_slo
                  last edited by

                  Sure, will do it in coupke of hours when I come home .
                  Still not sure why my roadwarrior doesnt work anymore with same error…

                  1 Reply Last reply Reply Quote 0
                  • M
                    maverick_slo
                    last edited by

                    Wow, it`s more messed up as I thought…

                    When I disable cert check I got this:

                    Jan 15 20:17:16 	openvpn 	22678 	10.10.0.21:52813 [Myusername] Peer Connection Initiated with [AF_INET]10.10.0.21:52813
                    Jan 15 20:17:16 	openvpn 	22678 	10.10.0.21:52813 TLS Auth Error: Auth Username/Password verification failed for peer
                    Jan 15 20:17:16 	openvpn 	22678 	10.10.0.21:52813 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
                    Jan 15 20:17:16 	openvpn 		user 'myusername' authenticated 
                    
                    1 Reply Last reply Reply Quote 0
                    • M
                      maverick_slo
                      last edited by

                      Local auth.

                      Diagnostic-> Auth tested and it works ok.

                      1 Reply Last reply Reply Quote 0
                      • S
                        Steve_B Netgate
                        last edited by

                        Would you please state as concisely as you can what is still broken in OpenVPN please? I am losing track :)

                        Als ik kan

                        1 Reply Last reply Reply Quote 0
                        • M
                          maverick_slo
                          last edited by

                          Sure.

                          Forget about site2site.

                          I have server that is configured as remote access server (roadwarrior).

                          Everything was working just fine until today.

                          Now it can`t check cert:

                          Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 SIGUSR1[soft,tls-error] received, client-instance restarting
                          Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 TLS Error: TLS handshake failed
                          Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 TLS Error: TLS object -> incoming plaintext read error
                          Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
                          Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 VERIFY SCRIPT ERROR: depth=1, C=SI, ST=VL, L=VL, O=IT, emailAddress=email@email.si, CN=Internal CA
                          Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
                          Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 TLS: Initial packet from [AF_INET]10.10.0.21:56042, sid=1fd153e1 fab4ae72
                          Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 Expected Remote Options hash (VER=V4): '0f816d6e'
                          Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 Local Options hash (VER=V4): '2f3e190a'
                          Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
                          Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
                          Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:12 ET:0 EL:3 ]
                          Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 Control Channel MTU parms [ L:1557 D:1184 EF:66 EB:0 ET:0 EL:3 ]
                          Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 Re-using SSL/TLS context
                          Jan 15 21:25:12 	openvpn 	13760 	MULTI: multi_create_instance called
                          Jan 15 21:25:07 	openvpn 	13760 	MANAGEMENT: Client disconnected
                          Jan 15 21:25:07 	openvpn 	13760 	MANAGEMENT: CMD 'quit'
                          Jan 15 21:25:07 	openvpn 	13760 	MANAGEMENT: CMD 'status 2'
                          Jan 15 21:25:07 	openvpn 	13760 	MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock 
                          

                          If I configure to not check the certs, I get auth error (I DO USE CORRECT CREDENTIALS AS THEY WORK IN DIAG->AUTH)

                          Jan 15 21:27:53 	openvpn 	30490 	10.10.0.21:49724 SIGTERM[soft,delayed-exit] received, client-instance exiting
                          Jan 15 21:27:50 	openvpn 	30490 	10.10.0.21:49725 TLS: Initial packet from [AF_INET]10.10.0.21:49725, sid=2c89bc8c 95d86f32
                          Jan 15 21:27:50 	openvpn 	30490 	10.10.0.21:49725 Expected Remote Options hash (VER=V4): '0f816d6e'
                          Jan 15 21:27:50 	openvpn 	30490 	10.10.0.21:49725 Local Options hash (VER=V4): '2f3e190a'
                          Jan 15 21:27:50 	openvpn 	30490 	10.10.0.21:49725 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
                          Jan 15 21:27:50 	openvpn 	30490 	10.10.0.21:49725 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
                          Jan 15 21:27:50 	openvpn 	30490 	10.10.0.21:49725 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:12 ET:0 EL:3 ]
                          Jan 15 21:27:50 	openvpn 	30490 	10.10.0.21:49725 Control Channel MTU parms [ L:1557 D:1184 EF:66 EB:0 ET:0 EL:3 ]
                          Jan 15 21:27:50 	openvpn 	30490 	10.10.0.21:49725 Re-using SSL/TLS context
                          Jan 15 21:27:50 	openvpn 	30490 	MULTI: multi_create_instance called
                          Jan 15 21:27:48 	openvpn 	30490 	10.10.0.21:49724 SENT CONTROL [username]: 'AUTH_FAILED' (status=1)
                          Jan 15 21:27:48 	openvpn 	30490 	10.10.0.21:49724 Delayed exit in 5 seconds
                          Jan 15 21:27:48 	openvpn 	30490 	10.10.0.21:49724 PUSH: Received control message: 'PUSH_REQUEST'
                          Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 [username] Peer Connection Initiated with [AF_INET]10.10.0.21:49724
                          Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
                          Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 TLS Auth Error: Auth Username/Password verification failed for peer
                          Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
                          Jan 15 21:27:45 	openvpn 		user 'username' authenticated
                          Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 VERIFY OK: depth=0, C=SI, ST=VL, L=VL, O=IT, emailAddress=email@email.si, CN=username
                          Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 CRL CHECK OK: C=SI, ST=VL, L=VL, O=IT, emailAddress=email@email.si, CN=username
                          Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 VERIFY OK: depth=1, C=SI, ST=VL, L=VL, O=IT, emailAddress=email@email.si, CN=Internal CA
                          Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 CRL CHECK OK: C=SI, ST=VL, L=VL, O=IT, emailAddress=email@email.si, CN=Internal CA
                          Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 TLS: Initial packet from [AF_INET]10.10.0.21:49724, sid=895948a2 44e52937
                          Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 Expected Remote Options hash (VER=V4): '0f816d6e'
                          Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 Local Options hash (VER=V4): '2f3e190a'
                          Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
                          Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
                          Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:12 ET:0 EL:3 ]
                          Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 Control Channel MTU parms [ L:1557 D:1184 EF:66 EB:0 ET:0 EL:3 ]
                          Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 Re-using SSL/TLS context
                          Jan 15 21:27:45 	openvpn 	30490 	MULTI: multi_create_instance called 
                          

                          So I`m screwed pretty much :)

                          1 Reply Last reply Reply Quote 0
                          • S
                            Steve_B Netgate
                            last edited by

                            Would you recheck with the depth set to "one" and see if that error goes away please?

                            Als ik kan

                            1 Reply Last reply Reply Quote 0
                            • M
                              maverick_slo
                              last edited by

                              I did it and the check cert error occured…

                              1 Reply Last reply Reply Quote 0
                              • S
                                Steve_B Netgate
                                last edited by

                                Redmine ticket has been opened.

                                https://redmine.pfsense.org/issues/5773

                                Als ik kan

                                1 Reply Last reply Reply Quote 0
                                • M
                                  maverick_slo
                                  last edited by

                                  So you can repro?

                                  1 Reply Last reply Reply Quote 0
                                  • C
                                    cmb
                                    last edited by

                                    @maverick_slo:

                                    So you can repro?

                                    No. Steve just figured there must be something to it. This all works fine with TLS and user auth on latest version, and nothing there has changed in some time. I upgraded a variety of test and production setups to latest and they all still work fine, and did a couple new configs from scratch which also worked fine.

                                    Could you get me into your system to review? Can PM me to arrange specifics if so.

                                    1 Reply Last reply Reply Quote 0
                                    • M
                                      maverick_slo
                                      last edited by

                                      There was snapshot issue or bad upgrade.
                                      Now I`m on 2.3.b.20160115.1858 and roadwarrior works.

                                      Now I have to test SSL/TLS peer to peer to confirm that working too.

                                      1 Reply Last reply Reply Quote 0
                                      • M
                                        maverick_slo
                                        last edited by

                                        peer2peer still not working between 2.3 and 2.2.6

                                        Client error: openvpn[56391]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
                                        Server no error.

                                        1 Reply Last reply Reply Quote 0
                                        • M
                                          maverick_slo
                                          last edited by

                                          hmmmm could it be topology issue on 2.2.6?
                                          mismatch between 2.3 server (subnet) and 2.2.6 client (net30) ?

                                          1 Reply Last reply Reply Quote 0
                                          • M
                                            maverick_slo
                                            last edited by

                                            UPDATE:
                                            If I leave all settings like they were and change only from SSL/TLS TO shared key VPN works.
                                            With TLS I get that add route error.

                                            wth??? :)

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.