
Author Topic: 17.1.9 kills VPN  (Read 3449 times)

Julien

17.1.9 kills VPN
« on: July 13, 2017, 10:19:09 am »
Hi guys,
Yesterday we updated to 17.1.9 and everything went fine; however, today we've received reports that the users can't log in using the VPN.
I remember this behaviour from before, and it was related to a certificate on pfSense.
Can someone please advise?

VPN Log files
Code: [Select]
Jul 13 10:13:54 openvpn[24476]: 77.88.99.000:52248 TLS: Initial packet from [AF_INET]77.88.99.000:52248, sid=976076f8 d31118b7
Jul 13 10:13:54 openvpn[24476]: 77.88.99.000:50706 TLS: Initial packet from [AF_INET]77.88.99.000:50706, sid=f47bd4f3 845ac041
Jul 13 10:13:54 openvpn[24476]: 77.88.99.000:58941 TLS: Initial packet from [AF_INET]77.88.99.000:58941, sid=3f8a60dc 76aab9ac
Jul 13 10:13:54 openvpn[24476]: 77.88.99.000:56991 TLS: Initial packet from [AF_INET]77.88.99.000:56991, sid=231370d3 f0826ead
Jul 13 10:13:52 openvpn[24476]: 77.88.99.000:56216 TLS: Initial packet from [AF_INET]77.88.99.000:56216, sid=22899881 6bca73f0
Jul 13 10:13:52 openvpn[24476]: 77.88.99.000:49308 TLS: Initial packet from [AF_INET]77.88.99.000:49308, sid=3af582a3 5a12ef17
Jul 13 10:13:52 openvpn[24476]: 77.88.99.000:49264 TLS: Initial packet from [AF_INET]77.88.99.000:49264, sid=3f0092c9 9c220082
Jul 13 10:13:52 openvpn[24476]: 77.88.99.000:52542 TLS: Initial packet from [AF_INET]77.88.99.000:52542, sid=e310c396 34b40c47
Jul 13 10:13:52 openvpn[24476]: 77.88.99.000:59184 TLS: Initial packet from [AF_INET]77.88.99.000:59184, sid=efca0703 b07d1165
Jul 13 10:13:51 openvpn[24476]: 77.88.99.000:52127 TLS: Initial packet from [AF_INET]77.88.99.000:52127, sid=814e8797 6a0b0030
Jul 13 10:13:51 openvpn[24476]: 77.88.99.000:63024 TLS: Initial packet from [AF_INET]77.88.99.000:63024, sid=da4d5997 84036cce
Jul 13 10:13:51 openvpn[24476]: 77.88.99.000:62575 TLS: Initial packet from [AF_INET]77.88.99.000:62575, sid=2635a33e be1db342

Also, the OpenVPN status shows:

UNDEF
3091   77.88.99.000:60056
UNDEF
5206   77.88.99.000:53991

An intelligent man is sometimes forced to be drunk to spend time with his fool.

mimugmail

Re: 17.1.9 kills VPN
« Reply #1 on: July 13, 2017, 12:02:33 pm »
Do you also have a log from the client?
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

maxbw

Re: 17.1.9 kills VPN
« Reply #2 on: July 13, 2017, 04:45:20 pm »
Same behavior on my OPNsense system after the update...
Code: [Select]
Thu Jul 13 16:40:09 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
Thu Jul 13 16:40:09 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Jul 13 16:40:09 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Thu Jul 13 16:40:10 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.4.1:11950
Thu Jul 13 16:40:10 2017 UDP link local (bound): [AF_INET][undef]:0
Thu Jul 13 16:40:10 2017 UDP link remote: [AF_INET]192.168.4.1:11950
Thu Jul 13 16:41:11 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jul 13 16:41:11 2017 TLS Error: TLS handshake failed
Thu Jul 13 16:41:11 2017 SIGUSR1[soft,tls-error] received, process restarting
Thu Jul 13 16:41:16 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.4.1:11950
Thu Jul 13 16:41:16 2017 UDP link local (bound): [AF_INET][undef]:0
Thu Jul 13 16:41:16 2017 UDP link remote: [AF_INET]192.168.4.1:11950
Client log.
Don't worry, I tried to connect from the LAN and it worked before...

In the client connection status, "bytes received" stays at 0 bytes for each client.

Julien

Re: 17.1.9 kills VPN
« Reply #3 on: July 13, 2017, 06:59:13 pm »
Good catch, on the client side it shows that the SSL is expired.


Code: [Select]
2017-07-13 19:03:12: State changed to Authenticating
2017-07-13 19:03:12: VERIFY ERROR: depth=1, error=certificate has expired:
2017-07-13 19:03:12: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017-07-13 19:03:12: TLS_ERROR: BIO read tls_read_plaintext error
2017-07-13 19:03:12: TLS Error: TLS object -> incoming plaintext read error
2017-07-13 19:03:12: TLS Error: TLS handshake failed

Thank you for pointing me there.
Right now we have found the error.
The certificate is expired; does that mean we have to create a new one and push it to all devices? Or can we just renew the existing one and not have to resend it to users?

Thank you
« Last Edit: July 13, 2017, 07:27:11 pm by Julien »
An intelligent man is sometimes forced to be drunk to spend time with his fool.
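
Added example, not part of the original posts: a small Python triage of OpenVPN client logs that separates the two failure signatures seen in this thread, a certificate verification error (with the chain depth OpenSSL reports) and a plain handshake timeout. The function name `triage` and the finding labels are made up for illustration; the sample lines are copied from the client logs posted above.

```python
import re

# OpenSSL numbers the chain from the peer: depth 0 is the server's own
# certificate, depth 1 is the certificate that issued it (the CA), and so on.
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+)")
TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")

def triage(log_text):
    """Return (kind, detail) findings for an OpenVPN client log."""
    findings = []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            depth, reason = int(m.group(1)), m.group(2).strip()
            if depth == 0:
                who = "server certificate"
            else:
                who = f"issuing CA certificate (chain depth {depth})"
            findings.append(("cert", f"{who}: {reason}"))
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            # The client saw no TLS reply at all; no certificate was judged.
            findings.append(("timeout", f"no TLS reply within {m.group(1)}s"))
    return findings

# Lines copied from the client log in Reply #3.
LOG_REPLY_3 = """\
2017-07-13 19:03:12: State changed to Authenticating
2017-07-13 19:03:12: VERIFY ERROR: depth=1, error=certificate has expired:
2017-07-13 19:03:12: TLS Error: TLS handshake failed
"""

# Lines copied from the client log in Reply #2.
LOG_REPLY_2 = """\
Thu Jul 13 16:41:11 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jul 13 16:41:11 2017 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for name, log in (("Reply #3", LOG_REPLY_3), ("Reply #2", LOG_REPLY_2)):
        for kind, detail in triage(log):
            print(f"{name}: [{kind}] {detail}")
```

Both logs end in "TLS handshake failed", but only the Reply #3 log names a certificate, and `depth=1` places the expiry on the issuing certificate rather than on the server's own.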

maxbw

Re: 17.1.9 kills VPN
« Reply #4 on: July 13, 2017, 09:29:09 pm »
Got it working after I changed the installation from OpenSSL to LibreSSL, leaving all the other settings as before.
Only the "connected since" time is not shown correctly; it is still shown as, for example, 5453.