Hello,
Some years ago I've used the Server wizard to create an OpenVPN Server for the factory I work for.
I've configured every single certificate for each user added in the OPNsense local database. I've used TLS Authentication Only SHA1, AES-256-GCM (now says deprecated), LZ4 tunnel compression.
I'd like to migrate this configuration to the new "Instances" section without changing all the Client Export ovpn files (over 50 clients).
How can I do it?
Thank You
Lorenzo Bardi (Delphi Developer @Esse Srl)
3x Dell PowerEdge R730
Proxmox VE w/ Ceph
OPNsense 23.7
I found no migration tool and the release notes indicate this as well.
I just copy pasted my single server configuration into the new form and it was working with my existing client configuration.
Now it does not anymore and I don't know why yet.
The static key has to be inserted into the new tab "Static Keys" in Instances.
The certificates are available as before, they just need to be selected.
Most options are available and some differ slightly in their new name.
I think "IPv4 Tunnel Network" is called "Server (IPv4)" now.
The "Topology" setting became a dropdown, where previously "net30" was default I think, now "subnet" is the default.
Some options like "Duplicate Connections" got merged into the Options multi-select field close to the end and correspond to the parameter name.
Curiously the "Certificate Depth" setting does not keep its value for me and always reverts to "Do Not Check", as well as "Enforce local group".
Ok, I think I found the reason why it was not connecting anymore.
I exported the client configuration file and it was missing the "auth SHA512" parameter in my case.
I added it again manually and the connection is up and running again.
I got errors in my logfiles like this:
Quote: TLS Error: cannot locate HMAC in incoming packet from ...
But the "tls-auth" static key was appended to the configuration file, so I started comparing again and the "cipher" and "auth" parameters were missing.
I tried it yesterday evening; the connection was OK, but when I tried to browse the OPNsense web GUI (or any other local IP) I got no response.
After that I replaced the new ovpn profile generated and it started to work.
These 3 lines in the new profile are missing:
cipher AES-256-GCM
auth SHA1
compress lz4
So:
- Cipher was deprecated
- I haven't found any compression option in the new setup
- auth SHA1 was set up, so I don't know why it was not shown in the profile
Any suggestions?
Ok, I didn't know about "cipher" being deprecated.
The option "compress" is also deprecated (https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Option:--compressStatus:Pendingremoval).
I created a GitHub issue https://github.com/opnsense/core/issues/6708.
As always, Franco is blazingly fast in responding :)
There is a patch for "auth" available now:
Quote: opnsense-patch 01ba189
The value in the configuration file was not mapped.
Ok, after patching the client export shows "auth SHA1" row.
If "cipher AES-256-GCM" is written on the ovpn file it works anyway (probably ignored).
The problem is the "compress lz4" row. This row is not ignored so I can connect (green light) but my internal devices are not reachable.
I will have to delete this row on every ovpn profile :(
Hmm, ok, I upgraded to
OPNsense 23.7-amd64
Now I cannot connect my Android tablet to the OpenVPN server.
Any hints?
Server log:
</gra_replace_placeholder_never_emitted>
<gr_replace lines="68" cat="reformat" orig="Client-Config:">
Client config:
2023-08-06T20:04:59 Error openvpn_server2 192.168.0.21:47648 TLS Error: Unroutable control packet received from [AF_INET]192.168.0.21:47648 (si=3 op=P_CONTROL_V1)
2023-08-06T20:04:59 Notice openvpn_server2 192.168.0.21:47648 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2023-08-06T20:04:59 Notice openvpn_server2 192.168.0.21:47648 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2023-08-06T20:04:59 Notice openvpn_server2 192.168.0.21:47648 LZ4v2 compression initializing
2023-08-06T20:04:59 Notice openvpn_server2 192.168.0.21:47648 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-08-06T20:04:59 Notice openvpn_server2 192.168.0.21:47648 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-08-06T20:04:59 Notice openvpn_server2 192.168.0.21:47648 Re-using SSL/TLS context
2023-08-06T20:04:59 Notice openvpn_server2 MULTI: multi_create_instance called
2023-08-06T20:04:58 Notice openvpn_server2 192.168.0.21:47648 SIGUSR1[soft,tls-error] received, client-instance restarting
2023-08-06T20:04:58 Error openvpn_server2 192.168.0.21:47648 TLS Error: TLS handshake failed
2023-08-06T20:04:58 Error openvpn_server2 192.168.0.21:47648 TLS Error: Auth Username/Password was not provided by peer
2023-08-06T20:04:58 Notice openvpn_server2 192.168.0.21:47648 peer info: IV_BS64DL=1
2023-08-06T20:04:58 Notice openvpn_server2 192.168.0.21:47648 peer info: IV_SSO=webauth,openurl,crtext
2023-08-06T20:04:58 Notice openvpn_server2 192.168.0.21:47648 peer info: IV_GUI_VER=net.openvpn.connect.android_3.3.4-9290
Client-Config:
dev tun
persist-tun
persist-key
auth SHA512
client
resolv-retry infinite
remote mydomain.org 1194 udp
lport 0
verify-x509-name "deleted" subject
remote-cert-tls server
compress lz4-v2
<ca>
...
Looks like you're missing the auth-user-pass directive
https://forum.opnsense.org/index.php?topic=35229.0
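Both failure modes in this thread show up in the exported .ovpn profile before any client connects: a leftover "compress lz4" line (tunnel comes up, no traffic) or a missing "auth" digest (server logs "cannot locate HMAC in incoming packet"), and for the Android tablet a missing "auth-user-pass" line (server logs "Auth Username/Password was not provided by peer"). The Python below is an added example for this thread, not code from OPNsense or the OpenVPN project. It audits one profile against an assumed server policy and returns a corrected copy; the server digest, the "requires user/pass" flag, the rewrite rules (drop compression lines, only report "cipher", force the "auth" digest) and the sample profile are all assumptions, not something the thread states.

```python
"""Audit OpenVPN client profiles (.ovpn) exported by OPNsense after the move to
"Instances".  Added example for this thread, not OPNsense or OpenVPN code.
Assumed policy (not from the thread): 'compress'/'comp-lzo' lines are removed,
'cipher' is only reported, the 'auth' digest is forced to the server's, and
'auth-user-pass' is added when the server authenticates users."""
import re

# Client-side directives OpenVPN 2.5+ marks deprecated.  "error" lines change
# behaviour (the thread's 'compress lz4': tunnel up, no traffic) and are dropped;
# "warn" lines are reported and left alone.
DEPRECATED = {
    "cipher":   ("warn",  "data-channel cipher is negotiated; 2.5+ clients ignore the line"),
    "compress": ("error", "compression must match the server; removed"),
    "comp-lzo": ("error", "compression must match the server; removed"),
}
INLINE_OPEN = re.compile(r"^<([a-z-]+)>\s*$")
INLINE_CLOSE = re.compile(r"^</([a-z-]+)>\s*$")


def _directive(line):
    """Return (name, args) for a directive line, or None for blank/comment lines.
    Simplification: '#' or ';' inside quoted arguments is treated as a comment."""
    body = line.split("#", 1)[0].split(";", 1)[0].strip()
    return (body.split()[0], body.split()[1:]) if body else None


def audit_profile(text, server_auth="SHA1", requires_user_pass=False):
    """Return (findings, fixed_text) for one profile.

    findings: list of (line_no, severity, message); line_no 0 = whole profile.
    Inline <ca>/<cert>/<key>/<tls-auth> blocks are copied through untouched.
    """
    findings, kept, seen = [], [], set()
    inline = None            # inline block we are inside, if any
    first_inline = None      # index in `kept` where inline blocks start

    for no, line in enumerate(text.splitlines(), 1):
        if inline:
            kept.append(line)
            close = INLINE_CLOSE.match(line)
            if close and close.group(1) == inline:
                inline = None
            continue
        opened = INLINE_OPEN.match(line)
        if opened:
            inline = opened.group(1)
            first_inline = len(kept) if first_inline is None else first_inline
            kept.append(line)
            continue
        d = _directive(line)
        if d:
            name, args = d
            seen.add(name)
            if name in DEPRECATED:
                sev, why = DEPRECATED[name]
                findings.append((no, sev, f"'{line.strip()}': {why}"))
                if sev == "error":
                    continue                       # drop the line
            elif name == "auth" and (not args or args[0].upper() != server_auth.upper()):
                findings.append((no, "error",
                                 f"'{line.strip()}' does not match server digest {server_auth}; rewritten"))
                line = f"auth {server_auth}"
        kept.append(line)

    added = []
    if "auth" not in seen:
        findings.append((0, "error", f"no 'auth' line; server uses {server_auth} "
                                     "(client logs 'cannot locate HMAC in incoming packet')"))
        added.append(f"auth {server_auth}")
    if requires_user_pass and "auth-user-pass" not in seen:
        findings.append((0, "error", "no 'auth-user-pass'; server logs "
                                     "'Auth Username/Password was not provided by peer'"))
        added.append("auth-user-pass")
    # Added directives go before the first inline block so the file stays readable.
    at = len(kept) if first_inline is None else first_inline
    kept[at:at] = added
    return findings, "\n".join(kept) + "\n"


# Constructed profile modelled on the export in the thread (cert body is a dummy).
SAMPLE_PROFILE = """\
dev tun
persist-tun
persist-key
client
remote vpn.example.org 1194 udp
remote-cert-tls server
cipher AES-256-GCM
compress lz4
<ca>
-----BEGIN CERTIFICATE-----
DUMMYCA
-----END CERTIFICATE-----
</ca>
"""


def demo(requires_user_pass=False):
    """Run the audit on the sample profile and return (findings, fixed_text)."""
    return audit_profile(SAMPLE_PROFILE, "SHA1", requires_user_pass)


if __name__ == "__main__":
    found, fixed = demo()
    for no, sev, msg in found:
        print(f"line {no}: {sev}: {msg}")
    print(fixed)
```

Run it over a directory of exports (one `audit_profile` call per file, writing `fixed_text` back only when `findings` is non-empty) to clean up all fifty profiles in one pass instead of editing each by hand; the inline certificate and key blocks are never touched, so a diff of each file shows only the directive lines that changed.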