Openvpn issue - site 2 site



  • Hi!

    pfSense 2.3 as server and 2.2.6 as client.
    Generated CA, server and client cert.
    Exported CA cert and client cert+key and imported on 2.2.6

    Created openvpn server on pfsense 2.3 with server cert.
    Created openvpn client on 2.2.6 with client cert and selected imported CA for peer ca

    On server side:
    Jan 15 15:43:22 openvpn 78648 CLIENT_IP:37466 TLS Error: TLS handshake failed
    Jan 15 15:43:22 openvpn 78648 CLIENT_IP:37466 TLS Error: TLS object -> incoming plaintext read error
    Jan 15 15:43:22 openvpn 78648 CLIENT_IP:37466 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Jan 15 15:43:22 openvpn 78648 CLIENT_IP:37466 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1

    Known thing?

    BR,
    Greg



  • Hmmm OpenVPN SSL/TLS is messed up.
    Same certs 2.2.6 to 2.2.6 just fine.

    Also in SSL/TLS or shared key advanced options are missing and verbosity is missing too.

    In addition on 2.3 there is no way to select do not check certificate, which would probably mitigate above issue.

    Is this related: https://redmine.pfsense.org/issues/4329 ?

    BR,
    G



  • OMG.
    In addition this playing around has borked my roadwarrior too.
    I haven't even touched the roadwarrior server and now it's giving me the same error. ???


  • Developer Netgate

    The lack of "Advanced Configuration" panel is intentional. It is being displayed in 2.2.x due to a bug in that code (which is not present in 2.3). We are currently researching whether that panel should, or should not, display when Peer-to-peer (TLS/SSL) is selected.

    I am looking at the other issue you have reported.


  • Developer Netgate

    The consensus is that the Advanced config panel should always be visible, so I will make that so.


  • Developer Netgate

    A number of changes have been made to this page to correct the hide/show actions.
    The "Do Not Check" option has been added to the cert depth control.

    Would you please test these changes to see if they help with the issues you have reported?

    Thanks.



    Sure, will do it in a couple of hours when I come home.
    Still not sure why my roadwarrior doesn't work anymore with the same error…



    Wow, it's more messed up than I thought…

    When I disable cert check I got this:

    Jan 15 20:17:16 	openvpn 	22678 	10.10.0.21:52813 [Myusername] Peer Connection Initiated with [AF_INET]10.10.0.21:52813
    Jan 15 20:17:16 	openvpn 	22678 	10.10.0.21:52813 TLS Auth Error: Auth Username/Password verification failed for peer
    Jan 15 20:17:16 	openvpn 	22678 	10.10.0.21:52813 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
    Jan 15 20:17:16 	openvpn 		user 'myusername' authenticated 
    


  • Local auth.

    Diagnostic-> Auth tested and it works ok.


  • Developer Netgate

    Would you please state as concisely as you can what is still broken in OpenVPN please? I am losing track :)



  • Sure.

    Forget about site2site.

    I have server that is configured as remote access server (roadwarrior).

    Everything was working just fine until today.

    Now it can't check the cert:

    Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 SIGUSR1[soft,tls-error] received, client-instance restarting
    Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 TLS Error: TLS handshake failed
    Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 TLS Error: TLS object -> incoming plaintext read error
    Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 VERIFY SCRIPT ERROR: depth=1, C=SI, ST=VL, L=VL, O=IT, emailAddress=email@email.si, CN=Internal CA
    Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
    Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 TLS: Initial packet from [AF_INET]10.10.0.21:56042, sid=1fd153e1 fab4ae72
    Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 Expected Remote Options hash (VER=V4): '0f816d6e'
    Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 Local Options hash (VER=V4): '2f3e190a'
    Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:12 ET:0 EL:3 ]
    Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 Control Channel MTU parms [ L:1557 D:1184 EF:66 EB:0 ET:0 EL:3 ]
    Jan 15 21:25:12 	openvpn 	13760 	10.10.0.21:56042 Re-using SSL/TLS context
    Jan 15 21:25:12 	openvpn 	13760 	MULTI: multi_create_instance called
    Jan 15 21:25:07 	openvpn 	13760 	MANAGEMENT: Client disconnected
    Jan 15 21:25:07 	openvpn 	13760 	MANAGEMENT: CMD 'quit'
    Jan 15 21:25:07 	openvpn 	13760 	MANAGEMENT: CMD 'status 2'
    Jan 15 21:25:07 	openvpn 	13760 	MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock 
    

    If I configure to not check the certs, I get auth error (I DO USE CORRECT CREDENTIALS AS THEY WORK IN DIAG->AUTH)

    Jan 15 21:27:53 	openvpn 	30490 	10.10.0.21:49724 SIGTERM[soft,delayed-exit] received, client-instance exiting
    Jan 15 21:27:50 	openvpn 	30490 	10.10.0.21:49725 TLS: Initial packet from [AF_INET]10.10.0.21:49725, sid=2c89bc8c 95d86f32
    Jan 15 21:27:50 	openvpn 	30490 	10.10.0.21:49725 Expected Remote Options hash (VER=V4): '0f816d6e'
    Jan 15 21:27:50 	openvpn 	30490 	10.10.0.21:49725 Local Options hash (VER=V4): '2f3e190a'
    Jan 15 21:27:50 	openvpn 	30490 	10.10.0.21:49725 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    Jan 15 21:27:50 	openvpn 	30490 	10.10.0.21:49725 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    Jan 15 21:27:50 	openvpn 	30490 	10.10.0.21:49725 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:12 ET:0 EL:3 ]
    Jan 15 21:27:50 	openvpn 	30490 	10.10.0.21:49725 Control Channel MTU parms [ L:1557 D:1184 EF:66 EB:0 ET:0 EL:3 ]
    Jan 15 21:27:50 	openvpn 	30490 	10.10.0.21:49725 Re-using SSL/TLS context
    Jan 15 21:27:50 	openvpn 	30490 	MULTI: multi_create_instance called
    Jan 15 21:27:48 	openvpn 	30490 	10.10.0.21:49724 SENT CONTROL [username]: 'AUTH_FAILED' (status=1)
    Jan 15 21:27:48 	openvpn 	30490 	10.10.0.21:49724 Delayed exit in 5 seconds
    Jan 15 21:27:48 	openvpn 	30490 	10.10.0.21:49724 PUSH: Received control message: 'PUSH_REQUEST'
    Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 [username] Peer Connection Initiated with [AF_INET]10.10.0.21:49724
    Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 TLS Auth Error: Auth Username/Password verification failed for peer
    Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
    Jan 15 21:27:45 	openvpn 		user 'username' authenticated
    Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 VERIFY OK: depth=0, C=SI, ST=VL, L=VL, O=IT, emailAddress=email@email.si, CN=username
    Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 CRL CHECK OK: C=SI, ST=VL, L=VL, O=IT, emailAddress=email@email.si, CN=username
    Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 VERIFY OK: depth=1, C=SI, ST=VL, L=VL, O=IT, emailAddress=email@email.si, CN=Internal CA
    Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 CRL CHECK OK: C=SI, ST=VL, L=VL, O=IT, emailAddress=email@email.si, CN=Internal CA
    Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 TLS: Initial packet from [AF_INET]10.10.0.21:49724, sid=895948a2 44e52937
    Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 Expected Remote Options hash (VER=V4): '0f816d6e'
    Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 Local Options hash (VER=V4): '2f3e190a'
    Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:12 ET:0 EL:3 ]
    Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 Control Channel MTU parms [ L:1557 D:1184 EF:66 EB:0 ET:0 EL:3 ]
    Jan 15 21:27:45 	openvpn 	30490 	10.10.0.21:49724 Re-using SSL/TLS context
    Jan 15 21:27:45 	openvpn 	30490 	MULTI: multi_create_instance called 
    

    So I'm screwed pretty much :)


  • Developer Netgate

    Would you recheck with the depth set to "one" and see if that error goes away please?



    I did it and the check cert error occurred…


  • Developer Netgate

    Redmine ticket has been opened.

    https://redmine.pfsense.org/issues/5773



  • So you can repro?



  • @maverick_slo:

    So you can repro?

    No. Steve just figured there must be something to it. This all works fine with TLS and user auth on latest version, and nothing there has changed in some time. I upgraded a variety of test and production setups to latest and they all still work fine, and did a couple new configs from scratch which also worked fine.

    Could you get me into your system to review? Can PM me to arrange specifics if so.



  • There was snapshot issue or bad upgrade.
    Now I'm on 2.3.b.20160115.1858 and roadwarrior works.

    Now I have to test SSL/TLS peer to peer to confirm that working too.



  • peer2peer still not working between 2.3 and 2.2.6

    Client error: openvpn[56391]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Server no error.



  • hmmmm could it be topology issue on 2.2.6?
    mismatch between 2.3 server (subnet) and 2.2.6 client (net30) ?



  • UPDATE:
    If I leave all settings like they were and change only from SSL/TLS TO shared key VPN works.
    With TLS I get that add route error.

    wth??? :)



  • There is no way at all for me to connect 2.3 box to 2.2.6 with Openvpn SSL/TLS.
    With shared key it works just fine.



  • Guys I found the error.
    Look at screenshot.
    Shared key and ssl/tls don't have the same settings under tunnel options.






  • Shared key works for me, SSL/TLS not.



  • In addition, when changing modes (shared key to ssl/tls) firefox needs like 15 seconds to display other options while IE changes options instantly.

    EDIT:
    This only happens on the Firefox NIGHTLY build, so never mind that.



  • Configs:

    Working shared key server config:

    dev ovpns2
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local MY WAN IP
    ifconfig 172.16.91.1 172.16.91.2
    lport 1199
    management /var/etc/openvpn/server2.sock unix
    push "route 10.10.0.0 255.255.255.0"
    route 192.168.1.0 255.255.255.0
    secret /var/etc/openvpn/server2.secret 
    comp-lzo adaptive
    

    Not working SSL/TLS config:

    dev ovpns2
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local MY WAN IP
    tls-server
    ifconfig 172.16.91.1 172.16.91.2
    lport 1199
    management /var/etc/openvpn/server2.sock unix
    push "route 10.10.0.0 255.255.255.0"
    route 192.168.1.0 255.255.255.0
    ca /var/etc/openvpn/server2.ca 
    cert /var/etc/openvpn/server2.cert 
    key /var/etc/openvpn/server2.key 
    dh /etc/dh-parameters.1024
    crl-verify /var/etc/openvpn/server2.crl-verify 
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    comp-lzo adaptive
    topology subnet
    


  • @maverick_slo:

    Guys I found the error.
    Look at screenshot.
    Shared key and ssl/tls don't have the same settings under tunnel options.

    They're not supposed to have all the same settings. Which specific setting are you referring to?



  • Local subnet for example



    Tunnel settings MUST be the same; only encryption should vary. 2.2.6 has the same tunnel settings for both methods and different encryption, which is ok.
    Clearly there is something wrong with openvpn gui and how it generates config.
    Between 2.2.6 no problem at all.


  • Developer Netgate

    There is a difference between the Tunnel settings display (Peer to peer (Shared Key) ) 2.2.x vs 2.3

    I will correct that. I'm sure it will make a difference to the shared configuration though. I will make a note here once a correction has been pushed and perhaps you would let me know if you see any improvement.

    Thanks for continuing to work on this!



  • Thanks Steve!

    I sure will test it because I need it :)


  • Developer Netgate

    Researching this further I find that although the IPv4 Local network(s) and IPv6 Local network(s) controls are hidden when "Peer to peer (shared Key)" is selected, that is the desired behavior since they make no sense in a peer to peer environment. Whether they are hidden or not, the values are ignored so it really makes no difference.

    There was a display bug in 2.2.x that caused the controls to be displayed.

    So if we are to track down a potential GUI problem, the best approach would be to set up identical server configurations in 2.2.6 and in 2.3 and to then compare the /cf/conf/config.xml files looking at the <openvpn-server> section.

    Is that something you could do?



  • On it.



  • @Steve_B:

    Researching this further I find that although the IPv4 Local network(s) and IPv6 Local network(s) controls are hidden when "Peer to peer (shared Key)" is selected, that is the desired behavior since they make no sense in a peer to peer environment. Whether they are hidden or not, the values are ignored so it really makes no difference.

    What about force all traffic through gateway? This is also hidden in shared key peer2peer.
    Are you sure local networks on the SERVER page should be hidden?



  • Here we go, configs attached.

    SHARED226.txt
    SHARED230.txt
    TLS226.txt
    TLS230.txt


  • Developer Netgate

    perfect. Thanks.


  • Developer Netgate

    The only differences I see between the two TLS files are these:

    2.2.6: <topology_subnet>
    2.3:   <topology>subnet</topology>

    But that is deliberate and is accommodated in the system.

    So I don't think we have a GUI issue.

    I'll check elsewhere.

    Here: https://forum.pfsense.org/index.php?topic=105341.msg588703#msg588703 you posted your OpenVPN config files. Could you do the same again but from 2.2.6 SSL/TLS (working) and from 2.3 SSL/TLS (NOT working) ?

    That way we can check the XML -> OpenVPN translation.





    I don't get it any more.

    Why the hell shared works and SSL gives me this in logs:

    Jan 21 17:25:24 	openvpn[75325]: Initialization Sequence Completed
    Jan 21 17:25:24 	openvpn[75325]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1557 172.16.26.2 255.255.255.0 init
    Jan 21 17:25:24 	openvpn[75325]: /sbin/ifconfig ovpnc2 172.16.26.2 172.16.26.1 mtu 1500 netmask 255.255.255.0 up
    Jan 21 17:25:24 	openvpn[75325]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Jan 21 17:25:24 	openvpn[75325]: TUN/TAP device /dev/tun2 opened
    Jan 21 17:25:24 	openvpn[75325]: TUN/TAP device ovpnc2 exists previously, keep at program end
    Jan 21 17:25:22 	openvpn[75325]: [nabiralnik.eu] Peer Connection Initiated with [AF_INET]212.18.40.185:1199
    Jan 21 17:25:21 	openvpn[75325]: UDPv4 link remote: [AF_INET]SERVERIP:1199
    Jan 21 17:25:21 	openvpn[75325]: UDPv4 link local (bound): [AF_INET]CLIENTIP
    Jan 21 17:25:21 	openvpn[75325]: Control Channel Authentication: using '/var/etc/openvpn/client2.tls-auth' as a OpenVPN static key file
    Jan 21 17:25:21 	openvpn[75325]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 21 17:25:21 	openvpn[75325]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jan 21 17:25:21 	openvpn[75325]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Jan 21 17:25:21 	openvpn[75109]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
    Jan 21 17:25:21 	openvpn[75109]: OpenVPN 2.3.8 i386-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
    Jan 21 17:25:21 	openvpn[73428]: SIGTERM[hard,] received, process exiting
    Jan 21 17:25:21 	openvpn[73428]: /usr/local/sbin/ovpn-linkdown ovpnc2 1500 1557 172.16.26.2 255.255.255.0 init
    

    And tunnel shows as up in status -> openvpn.

    I really don't get it anymore.


  • Developer Netgate

    Looks like there is a problem in that "topology subnet" is being added to the config when it should not. There is a dependency on the tunnel network size that may be broken. We are testing now.
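    The diagnosis above lines up with the two server configs posted earlier in the thread: the SSL/TLS config adds `topology subnet` but keeps the point-to-point `ifconfig 172.16.91.1 172.16.91.2`, and under subnet topology OpenVPN reads ifconfig's second argument as a netmask, not a peer address. The following is an added example, not pfSense or OpenVPN code: a small Python checker that parses both configs, lists the differing directives, and flags that topology/ifconfig mismatch; the config strings are constructed from the posted configs, trimmed to the relevant directives.

```python
import re

# Constructed from the two server configs posted in the thread, trimmed to the
# directives that matter for the check (paths and addresses as posted).
SHARED_KEY_CONF = """\
dev ovpns2
ifconfig 172.16.91.1 172.16.91.2
lport 1199
secret /var/etc/openvpn/server2.secret
comp-lzo adaptive
"""

TLS_CONF = """\
dev ovpns2
tls-server
ifconfig 172.16.91.1 172.16.91.2
lport 1199
ca /var/etc/openvpn/server2.ca
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo adaptive
topology subnet
"""

# Crude IPv4 netmask test: enough to tell 255.255.255.0 from a peer address.
NETMASK_RE = re.compile(r"^255\.\d+\.\d+\.\d+$")


def parse_conf(text):
    """Map each OpenVPN directive to its argument list, ignoring # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf


def diff_directives(a, b):
    """Directives present in only one config or carrying different arguments."""
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


def tunnel_problems(conf):
    """Inconsistencies between tunnel topology and the ifconfig addressing."""
    problems = []
    topo = conf.get("topology", ["net30"])[0]  # OpenVPN 2.3 default is net30
    ifc = conf.get("ifconfig", [])
    if topo == "subnet" and len(ifc) == 2 and not NETMASK_RE.match(ifc[1]):
        # Under topology subnet the second ifconfig argument is a netmask;
        # a peer address there is the point-to-point form that net30 expects.
        problems.append(f"topology subnet with point-to-point ifconfig {ifc}")
    if "secret" in conf and "tls-server" in conf:
        problems.append("static key and TLS mode configured together")
    return problems
```

Running `tunnel_problems` over the two parsed configs flags only the TLS one, while `diff_directives` shows `ifconfig` and `lport` identical and `topology` among the differences, which is the mismatch the developer describes.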



    Please confirm my problems; if you don't, I'm probably crazy :)
    Ah at least friday is here :)

