Hello all,
I currently have the problem that various VPN profiles no longer work under Windows with version 2.6. The OPNsense installations mostly run 23.1_6.
It seems to be a problem with the exported VPN profiles with OpenSSL 1.1.1.
Is there a way to accept the profiles (p12 certificates) again?
Best, Andy
What exactly is your problem? Can you describe with more details please? :-)
Absent from OPNsense, I have already heard about problems using this client.
Logs could be useful. Deprecated encryption settings maybe... ?
I have kind of similar problem here on my machine, after updating OpenVPN Windows Client from 2.5.8 to 2.6.0.
I click on "Connect" via the tray icon and enter my username and password, as always.
After clicking "OK", a (for me) new dialog comes up, asking for a Private Key Password. Which password is meant?
I never set a password for private key. The files were exported via OPNsense export function.
Quote
Tue Feb 14 10:41:03 2023 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Tue Feb 14 10:41:03 2023 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations.
Tue Feb 14 10:41:03 2023 OpenVPN 2.6.0 [git:v2.6.0/b999466418dddb89] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jan 25 2023
Tue Feb 14 10:41:03 2023 Windows version 10.0 (Windows 10 or greater), amd64 executable
Tue Feb 14 10:41:03 2023 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
Tue Feb 14 10:41:44 2023 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Feb 14 10:41:44 2023 OpenSSL: error:0308010C:digital envelope routines::unsupported
Tue Feb 14 10:41:44 2023 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
Tue Feb 14 10:41:44 2023 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
Tue Feb 14 10:41:44 2023 SIGUSR1[soft,private-key-password-failure] received, process restarting
I wonder why maintainers strengthen their policies by rejecting their old defaults... We've heard this about OpenSSL 3 and OpenVPN 2.6 now and it feels like foot-shooting especially for integrated solutions where no "human on a keyboard" is running the command on a prompt to add a trivial "--broken-by-maintainer-unfix-for-security" command line option. ;)
Also DO NOT update a client software without updating the server side.
Cheers,
Franco
Thanks for your input franco and tiermutter!
I am not sure, if I understand the problem here :-|
Is the problem caused by changes in OpenVPN Client?
I cannot see a change here, but maybe I don't fully understand: https://github.com/OpenVPN/openvpn/blob/v2.6.0/Changes.rst
I updated my server side (OPNsense) now and exported the VPN configuration - same dialog for password input comes up.
Have a look at the full changelog: https://github.com/OpenVPN/openvpn/blob/master/Changes.rst ;)
Simply use the 2.5.x client until there is an update for OVPN on OPNsense :)
Got it now... Thanks again :-)
The password dialog is gone after uninstalling 2.6.0 and installing 2.5.8.
I noticed the extra sentence in release notes regarding OpenVPN situation. Good work!
Hello everyone
I tried to install OPN version 23.1.7_3, which includes the OpenVPN 2.6.3 server, and tried again to install the 2.6.x client, but after entering the user's credentials I continuously get the password prompt for the private key.
I tried exporting the config file again as an "Archive" and to generate again the User Cert, but nothing.
I probably misrepresented what was stated.
Wasn't it enough to wait until the version of openvpn server was 2.6.x?
Thanks
Is this problem related to issue 6293 (https://github.com/opnsense/core/issues/6293) by any chance?
Hello,
I am dealing with the same issue.
I think the problem is that when using "export as archive" the user certificate is somehow exported "wrong". At least it doesn't work anymore with the Community Client from version 2.6 on. The client log says "Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption".
If you do the export as a file, then it works as it should.
According to the following document, the file variant seems to be the preferred one anyway, because it works with almost all OpenVPN clients.
https://openvpn.net/vpn-server-resources/extracting-separate-certificate-files-for-a-user/
I think I'll switch to this variant, I don't see anything that would speak against it.
I wonder if the export as archive has to be improved anyway, so that it works with OpenVPN 2.6? For which scenario is this used in practice?
@Franco alluded to the problem in his post above.
Essentially, OPNsense uses OpenSSL 1.1.1t but OpenVPN Community Client uses OpenSSL 3. OpenSSL 3 uses new envelope routines and is no longer able to parse or create PKCS#12 archives with the new default ciphers.
More info here: https://github.com/openssl/openssl/issues/11672
Apparently the workaround is to add "providers legacy default" to the ovpn file.
Is it worth mentioning that OpenVPN Connect Client for Windows should not be affected...?
https://openvpn.net/client-connect-vpn-for-windows/
The change log (https://openvpn.net/vpn-server-resources/openvpn-connect-for-windows-change-log/) indicates two things. First, it is likely still running OpenSSL 1.1.1n, and second, it appears to be poorly maintained; releases are infrequently published.
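As an added example (not code from this thread, OPNsense or OpenVPN), the following POSIX shell script shows the mismatch described above from the defender's side: it reads the PBE algorithms of a .p12 export with `openssl pkcs12 -info`, classifies them, and re-wraps an RC2/3DES bundle with PBES2/AES so an OpenSSL 3 based 2.6 client accepts it without `providers legacy default`. It assumes an OpenSSL 3.x `openssl` binary and takes the bundle password from a `P12_PW` environment variable (the variable and function names are my own).

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense/OpenVPN: check how a
# PKCS#12 (.p12) bundle is encrypted and re-wrap it so an OpenSSL 3 based
# OpenVPN 2.6 client accepts it without "providers legacy default".
# Assumes an OpenSSL 3.x `openssl` binary and the bundle password in $P12_PW.

# Classify the text that `openssl pkcs12 -info -noout` prints. The 1.1.1
# defaults (RC2-40 for the cert bags, 3DES for the shrouded key) need the
# legacy provider under OpenSSL 3; PBES2 (PBKDF2 + AES) does not.
classify_pkcs12_info() {
    case "$1" in
        *RC2*|*RC4*|*DES*) echo legacy ;;   # any legacy PBE => legacy provider needed
        *PBES2*)           echo modern ;;
        *)                 echo unknown ;;
    esac
}

# Print the -info output of a real bundle; retry with -legacy when the plain
# call fails, which is what happens for a bundle made with the 1.1.1 defaults.
pkcs12_info() {
    openssl pkcs12 -info -noout -in "$1" -passin env:P12_PW 2>&1 \
      || openssl pkcs12 -info -noout -legacy -in "$1" -passin env:P12_PW 2>&1
}

# Re-wrap: unpack with the legacy provider (the key is only piped, never
# written to disk) and export with PBES2/AES-256-CBC and an HMAC-SHA256 MAC,
# which both OpenSSL 1.1.1 and OpenSSL 3.x clients can read.
reexport_pkcs12() {
    openssl pkcs12 -in "$1" -legacy -nodes -passin env:P12_PW \
      | openssl pkcs12 -export -out "$2" -passout env:P12_PW \
          -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256
}

# Usage: P12_PW=... ./p12check.sh CLIENT_userID.p12 [CLIENT_userID.new.p12]
if [ "$#" -ge 1 ]; then
    info=$(pkcs12_info "$1")
    kind=$(classify_pkcs12_info "$info")
    echo "$1: $kind"
    if [ "$kind" = legacy ] && [ -n "$2" ]; then
        reexport_pkcs12 "$1" "$2" && echo "re-wrapped to $2"
    fi
fi
```

Re-wrapping keeps the same password, so the existing .ovpn keeps working and the client no longer needs the legacy provider for that bundle.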
Ah, now I see more clearly, thanks for the clarification regarding OpenSSL 3.
Let me sort that out then. So users using the community client have the following options until OPNsense moves to OpenSSL 3. Clarifications and additions are welcome.
1. Stay with client version 2.5.x as long as support is guaranteed (July 2023?).
https://community.openvpn.net/openvpn/wiki/SupportedVersions
2. Use client version 2.6.x, with "providers legacy default" in client config.
3. Choose export type "File only", without possibility to protect the user certificate and private key with a password.
4. Use the openvpn3-based OpenVPN Connect Clients:
Windows: https://openvpn.net/client-connect-vpn-for-windows/
Linux: https://openvpn.net/openvpn-client-for-linux/
macOS: https://openvpn.net/client-connect-vpn-for-mac-os/
Option 4 only if you can live without community client. Not for me. At least not on my Windows machine, because (at least):
1. No support for multiple, simultaneous connections (occasionally useful for admins).
2. No support for the Wintun driver (as long as OPNsense/FreeBSD does not support OpenVPN Data Channel Offload (DCO)).
And further, if someone wants to password protect their client certificate, they can't use the Connect Client either.
Quote from: Reiter der OPNsense on May 09, 2023, 08:38:04 PM
Option 4 only if you can live without community client. Not for me. At least not on my Windows machine...
Nor me. :)
What I am seeing is that the Android client connects but my Windows client does not connect. No change to configuration. It seems to be Windows client related?
My Windows client tells me authentication is not right when the Android client connects. I can eliminate password, as I know I am using the same password.
Quote from: spetrillo on May 11, 2023, 10:48:31 PM
What I am seeing is that the Android client connects but my Windows client does not connect.
The Android client is openvpn3-based and uses OpenSSL 1.1.1n.
The v2.6+ Windows Community Client uses OpenSSL 3.0 and is incompatible (OPNsense uses OpenSSL 1.1.1t) without one of the workarounds Reiter mentions here (https://forum.opnsense.org/index.php?topic=32458.msg164154#msg164154). I think #2 is probably the best option for now.
Quote from: Reiter der OPNsense on May 09, 2023, 08:10:07 PM
Ah, now I see more clearly, thanks for the clarification regarding OpenSSL 3.
Let me sort that out then. So users using the community client have the following options until OPNsense moves to OpenSSL 3. Clarifications and additions are welcome.
1. Stay with client version 2.5.x as long as support is guaranteed (July 2023?).
https://community.openvpn.net/openvpn/wiki/SupportedVersions
2. Use client version 2.6.x, with "providers legacy default" in client config.
3. Choose export type "File only", without possibility to protect the user certificate and private key with a password.
How do I use the providers legacy default, within the context of OPNsense? Do I export the client config and then edit it? Is there an option in OPNsense that supports this?
Client config is just a text file, so, yes.
Quote from: benyamin on May 09, 2023, 08:16:58 PM
4. Use the openvpn3-based OpenVPN Connect Clients:
I can also suggest this - still running pfSense but prepared to switch to OPNsense...
We have had no problems for nearly one year running the 3.x clients; they also offer 2FA requests (like the Open Source version) and a nice autostart/autoconnect service, which wasn't available in the 2.x versions as far as we used them.
OpenVPN Connect 3 does not work at all. The log says Frame=512/2112/512 mssfix-ctrl=1250 and the app closes without an error on Windows 11 and with an error on Windows 10.
OpenVPN 2.6.6 GUI Community did work after I added "providers legacy default" as a new line config.
I saw something similar recently.
After creating new certificates and exporting the profiles, Windows clients reported that there was an unknown parameter in the config file.
Upgrading the Windows client to 2.6.5 resolved the issue.
Quote from: Reiter der OPNsense on May 09, 2023, 08:10:07 PM
Ah, now I see more clearly, thanks for the clarification regarding OpenSSL 3.
Let me sort that out then. So users using the community client have the following options until OPNsense moves to OpenSSL 3. Clarifications and additions are welcome.
1. Stay with client version 2.5.x as long as support is guaranteed (July 2023?).
https://community.openvpn.net/openvpn/wiki/SupportedVersions
2. Use client version 2.6.x, with "providers legacy default" in client config.
3. Choose export type "File only", without possibility to protect the user certificate and private key with a password.
Can confirm with win10 OpenVPN GUI (community edition) v2.6.0 that appending
providers legacy default
to the config file named CLIENT_userID.ovpn
stifled the requirement for an encrypted CLIENT_userID.p12 file.
That is, the dialog box "OpenVPN - Private Key Password (CLIENT_..." did not appear, and the connection was made as it has always been. Screenshot of the offending dialog box attached, just to remove all doubt.
Hello, sorry for reviving this old post. On my 25.1 OPNsense test machine, OpenVPN Connect 3.6 works just fine. The community edition refuses to connect:
VERIFY ERROR: could not extract CN from X509 subject string ('C=GR, ST=Attiki, L=Athens, O=OPN Sense') -- note that the username length is limited to 64 characters
OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.5.201:4494
UDP link local (bound): [AF_INET][undef]:0
UDP link remote: [AF_INET]192.168.5.201:4494
I tried also exporting as archive, also tried exporting with providers legacy default and used 2.6.x community version but nothing worked.
Any ideas dear friends?
Hello, I found what is causing the error. When setting up trust and certificates, all fields must be entered (organization, department, etc.).
Then community edition works flawlessly (both 2.5.x and 2.6.x).
BR