OPNsense Forum

English Forums => General Discussion => Topic started by: seamus on March 03, 2019, 11:53:54 pm

Title: [SOLVED] OpenVPN breaks after upgrade from 18 to 19
Post by: seamus on March 03, 2019, 11:53:54 pm
So I've been using v 18.X for some time. My OpenVPN server on OPNsense had always worked just fine with my `Viscosity` client. Recently, I upgraded OPNsense from v 18.X to v 19.X. Everything seems to work except my OpenVPN client refuses to connect.

And it's a "quick disconnect": as soon as the authentication is entered (userid + 2FA password), the client reports the connection as "down". I've double-checked my password, and my IP address (dynamic IP), and they're correct. The timing makes me wonder if the client config that I exported over a year ago is now deprecated in some way.

Any ideas? Did something change between v 18 and v 19 that would have broken an existing OpenVPN configuration?
Title: Re: OpenVPN breaks after upgrade from 18 to 19
Post by: newsense on March 04, 2019, 05:05:19 am
If you do 12 in the console, do you find any updates? You might be on 19.1.1
Title: Re: OpenVPN breaks after upgrade from 18 to 19
Post by: seamus on March 04, 2019, 06:52:23 am
> If you do 12 in the console do you find any updates? You might be on 19.1.1


From the Dashboard, I see this:

Versions    
OPNsense 19.1.2-amd64
FreeBSD 11.2-RELEASE-p9-HBSD
OpenSSL 1.0.2q 20 Nov 2018


A "check for updates" from Dashboard reports "There are no updates available on the selected mirror."

It's as if something was blocking the VPN connection. But my fw rules haven't changed.
Title: Re: OpenVPN breaks after upgrade from 18 to 19
Post by: newsense on March 05, 2019, 04:19:13 am
Try re-exporting the configuration and try both Viscosity and Tunnelblick. At the very least you should get some error messages that could narrow it down.
Title: Re: OpenVPN breaks after upgrade from 18 to 19
Post by: seamus on March 06, 2019, 05:53:03 pm
The System:Access:Tester has confirmed that my OTP generator, userid & Password are working as they should.

However... Looking at my self-signed CA and the certificates I generated last year, I see they are all expired. I am really fuzzy on the roles (and even the necessity for) Certs given that my OTP/2FA is in place, but it seems clear that they (Certs) must be required as they're included in the "How-To" guide.

Unless someone has a suggestion for eliminating the need for these Certs, I'll close this question. Once I've worked through the cert renewals, I'll post another question if I have difficulties.
Title: Re: OpenVPN breaks after upgrade from 18 to 19
Post by: seamus on March 07, 2019, 03:14:42 am
Just to close this out, expired certs were the source of my breakage; the version upgrade was coincidental. Once I installed a new CA and generated new certs for the user and the server, things fell into place. I had to edit my user config and VPN server config to add the new certs, then export a new Viscosity client package. After installing the new Viscosity profile, I was able to make a connection.

And FWIW, I'd like to suggest that OPNsense incorporate a feature to flag expired certs for the admin. (Am I spoiled?  :)
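
The root cause in this thread (an expired CA and certificates, not the upgrade) can be caught ahead of time with a small expiry check. The following is an added example, not part of the thread and not OPNsense code: it reads `notAfter` from every PEM certificate block in a piece of text, such as an exported client config or CA bundle, and flags expired or soon-to-expire entries. The 30-day warning window, the function names and the sample certificate skeleton are assumptions made for illustration.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)           # [0] version (absent in v1) or serialNumber
    if tag == 0xA0:
        _, _, end = _tlv(der, end)         # serialNumber
    _, _, end = _tlv(der, end)             # signature algorithm
    _, _, end = _tlv(der, end)             # issuer
    _, pos, _ = _tlv(der, end)             # validity SEQUENCE
    _, _, end = _tlv(der, pos)             # notBefore
    tag, start, end = _tlv(der, end)       # notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def expiry_report(text, now, warn_days=30):
    """Return (notAfter, status) for every PEM certificate block found in text."""
    report = []
    for match in PEM_RE.finditer(text):
        expires = not_after(base64.b64decode(match.group(1)))
        left = expires - now
        status = ("EXPIRED" if left <= timedelta(0)
                  else "EXPIRING" if left <= timedelta(days=warn_days) else "OK")
        report.append((expires, status))
    return report

# Constructed sample: a skeleton holding only the fields the walker reads
# (no subject, key or signature), valid 2018-03-01 to 2019-03-01.
SAMPLE_DER = (bytes.fromhex("302e302c" "a003020102" "020101" "3000" "3000" "301e")
              + b"\x17\x0d180301000000Z" + b"\x17\x0d190301000000Z")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for expires, status in expiry_report(SAMPLE_PEM, datetime.now(timezone.utc)):
        print(expires.isoformat(), status)
```

Run against the real exported config or certificate files on a schedule, the `EXPIRING` status gives the advance warning the thread asks for.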