OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: Fossi on September 07, 2021, 12:12:35 pm

Title: OPENVPN - Big Problem since Upgrade to 21.7.2 (SOLVED)
Post by: Fossi on September 07, 2021, 12:12:35 pm
Hello Forum.

I really need help. Today I updated to 21.7.2 and the whole OpenVPN config stopped working.

CIDR for the VPN net set to 10.10.10.0/30 - not accepted anymore

CIDR for local and remote 10.x.x.0/25 - not accepted anymore

What can I do? What's wrong there? Is it a bug? Which configs must be changed? I'm totally helpless, because this configuration worked for years and now everything is down and I can't get to any of the remote hosts.

I will set up my firewall anew and go back to 21.7.1. I have no idea how to solve this quickly.

Thanks for helping

Fossi
Title: Re: OPENVPN - Big Problem since Upgrade to 21.7.2
Post by: franco on September 07, 2021, 12:16:05 pm
Maybe you can append your error message...

Quick guess: make sure to remove whitespaces from your input.


Cheers,
Franco
Title: Re: OPENVPN - Big Problem since Upgrade to 21.7.2
Post by: michaelsage on September 07, 2021, 02:39:01 pm
Hi Franco,
I believe he may have stumbled on a bug I am having with 21.7.2.

I have the following in my IPv4 Local Network for my OpenVPN server: 192.168.1.0/24, 192.168.3.0/24,192.168.4.0/24,192.168.8.0/24

When I click save changes I get the following error:
The following input errors were detected:

'192.168.1.0/24, 192.168.3.0/24,192.168.4.0/24,192.168.8.0/24' in 'IPv4 Local Network' may only contain valid ipv4 CIDR range(s) separated by commas.

I also have the same issue on another firewall, this time it is the OpenVPN client:

IPv4 Remote network 192.168.1.0/24,192.168.3.0/24,192.168.8.0/24

And get the error:
The following input errors were detected:

'192.168.1.0/24, 192.168.3.0/24,192.168.8.0/24' in 'IPv4 Remote Network' may only contain valid ipv4 CIDR range(s) separated by commas.
Title: Re: OPENVPN - Big Problem since Upgrade to 21.7.2
Post by: franco on September 07, 2021, 02:40:32 pm
Yes, please remove the stray " " space.


Cheers,
Franco
Title: Re: OPENVPN - Big Problem since Upgrade to 21.7.2
Post by: michaelsage on September 07, 2021, 02:43:59 pm
Weird. I could have sworn I'd removed that! It had worked previously, but you're right there was a space in both lists. That has fixed my issue.

Thank you!
Title: Re: OPENVPN - Big Problem since Upgrade to 21.7.2
Post by: franco on September 07, 2021, 02:52:07 pm
No problem... we did notice that while working on compatibility issues with OpenVPN 2.5, and unfortunately it meant that some input was not properly enforced, leading to garbage in the config.xml, which can always produce worse surprises later on, so this had to find its way into a minor release to avoid potentially breaking major updates.


Cheers,
Franco
Title: Re: OPENVPN - Big Problem since Upgrade to 21.7.2
Post by: Fossi on September 07, 2021, 07:47:26 pm
OK, that's what we discussed in bashclub also. But I haven't arrived there yet.

First of all I reinstalled the system with 21.1.9, then the productive lines are back. That's so as not to lose too much time.

Now I can start a virtualized or a second hardware to test the .xml.
Title: Re: OPENVPN - Big Problem since Upgrade to 21.7.2
Post by: franco on September 07, 2021, 08:33:19 pm
It's fixed in 5 seconds, really no need to revert to 21.1.9.


Cheers,
Franco
Title: Re: OPENVPN - Big Problem since Upgrade to 21.7.2
Post by: Fossi on September 14, 2021, 11:20:45 am
Hello Franco.

Thanks for the reply. Yesterday I found some time for testing. I got a config working but found more changes, which puzzle me a bit.

- peer2peer didn't work in TLS/SSL mode. I have changed it to pre-shared key. I thought SSL/TLS is more secure; 10 years ago I changed all OpenVPN configs to work with certs (IPFire).
- The cipher GCM (256-GCM) didn't work, I changed it to CBC, but I thought until today that GCM is the more secure cipher. But that could be my fault. Wouldn't it be nice if only the possible ciphers were choosable in the drop-down if someone chose peer2peer at the top of the menu?
- for the ovpn-internal net (Transfernetz) I had chosen a /30 net (I migrated some version of 18 or 19 from IPFire to OPNsense), and the well-known /24 didn't work with OPNsense for me, and the /30 for OPNsense I found in a forum thread. So now the /24 is working.

The little remote and local subnets weren't the challenge; the spaces I don't know exactly, but I removed them here.

Quote
Markus
I had exactly that: the local and remote nets as /24 and /25, the transfer net as /30. It doesn't want that anymore.
No, no checkbox set at Topology. In what I could test yesterday it also works with the /24 net without topology; the IPs .1 and .2 are assigned. Before, when it didn't work with the /24, they were .1 and .6 I think.
NilsS
yes, logical, the /24 can of course also run as net30
hmm, the OPNsense parser doesn't like the /30
NilsS
https://github.com/opnsense/core/blob/master/src/www/vpn_openvpn_server.php#L207 is the point. It should be narrowed down to Remote SSL and not peer2peer
https://github.com/opnsense/core/commit/35b373407cdde12c882dc6ef49b2ea5f3cf0eb78#diff-0eba9f068e6802636d7ff3e578931a563210eee384260648bfff7ad739b72339
NilsS
(($pconfig['mode'] == "server_user") || ($pconfig['mode'] == "server_tls_user")) must be included there for the check
actually, with peer2peer everything except /30 makes no sense anyway

The quote is from another conversation. Nils is more familiar with code than I am. I shall comment on the commit on behalf of peer2peer.

I hope this helps a bit.

VG - Markus
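To make the two validation points in this thread concrete (the stray-space rejection in the CIDR list fields from michaelsage's post, and the tunnel-network size check NilsS proposes restricting to the server modes), here is an added Python example; it is not OPNsense's own code. The sample strings are taken from the thread, and the `< 30` threshold in `tunnel_network_ok` is an assumption standing in for whatever the real check does.

```python
import ipaddress

# Constructed sample values from the thread: the first has a stray space
# after the first comma, the second is the cleaned-up form that saves.
WITH_SPACE = "192.168.1.0/24, 192.168.3.0/24,192.168.4.0/24,192.168.8.0/24"
CLEAN = "192.168.1.0/24,192.168.3.0/24,192.168.4.0/24,192.168.8.0/24"


def cidr_list_error(value, trim=False):
    """Return None if value is a valid comma-separated IPv4 CIDR list,
    otherwise an error string. trim=False is the strict behaviour the
    thread reports for 21.7.2: a leading space makes the field invalid.
    trim=True strips each entry first, i.e. what the user does by hand."""
    for item in value.split(","):
        token = item.strip() if trim else item
        try:
            # strict=True also rejects host bits set, e.g. 192.168.1.1/24,
            # and an empty token (trailing comma) raises as well.
            ipaddress.IPv4Network(token, strict=True)
        except ValueError:
            return (f"{value!r} may only contain valid ipv4 CIDR range(s) "
                    f"separated by commas (bad entry {token!r})")
    return None


def normalize_cidr_list(value):
    """Canonical form to persist: trimmed entries joined by a bare comma.
    Raises ValueError instead of writing garbage into the config."""
    err = cidr_list_error(value, trim=True)
    if err:
        raise ValueError(err)
    return ",".join(str(ipaddress.IPv4Network(i.strip()))
                    for i in value.split(","))


def tunnel_network_ok(cidr, mode):
    """Hypothetical tunnel-network size check following the rule NilsS
    proposes: only the multi-client server modes need more than a /30,
    while peer-to-peer is fine with a /30 (two usable addresses)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if mode in ("server_user", "server_tls_user"):
        return net.prefixlen < 30  # assumed threshold, not OPNsense's
    return True  # peer-to-peer modes: /30 or anything larger is accepted


if __name__ == "__main__":
    print(cidr_list_error(WITH_SPACE))   # the 21.7.2 error message
    print(cidr_list_error(CLEAN))        # None
    print(normalize_cidr_list(WITH_SPACE))
    print(tunnel_network_ok("10.10.10.0/30", "server_tls_user"))  # False
```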
Title: Re: OPENVPN - Big Problem since Upgrade to 21.7.2
Post by: Fossi on September 16, 2021, 08:45:53 pm
https://github.com/opnsense/core/commit/0ee3ecde53ff336d3c49ec48e5cb86d5c9d90813

This solved the whole challenge. The spaces I removed, so that could still be a challenge, but that could be fixed within minutes.

After this everything is working fine again. Many thanks to Nils.