OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: scrensen on September 23, 2021, 12:23:11 pm

Title: 21.7.3 OpenVPN - tls-crypt not working?
Post by: scrensen on September 23, 2021, 12:23:11 pm
Hi all,

I just upgraded to 21.7.3 and I see it has tls-crypt support for OpenVPN.

So I headed over to my server config looking to enable tls-crypt and found an option under 'TLS Authentication' called 'enabled - authentication & encryption', which seemed the right option (although not sure if this was there in a previous version or not).

So I select this option and press 'Save' and go back into the settings. And there I see that the option jumped back to 'Enabled - authentication only', which was the initial value.

Can't find anything in the logs that points in the right direction. Anyone any idea?
Title: Re: 21.7.3 OpenVPN - tls-crypt not working?
Post by: athurdent on September 23, 2021, 07:14:42 pm
Exactly the same here for both of my existing servers, that option does not stick.
Title: Re: 21.7.3 OpenVPN - tls-crypt not working?
Post by: athurdent on September 23, 2021, 07:25:31 pm
Not only existing servers, just tried a new one. Also does not stick.
Title: Re: 21.7.3 OpenVPN - tls-crypt not working?
Post by: sorano on September 23, 2021, 08:05:55 pm
If I remember correctly, the configured options get written to the OpenVPN config file on the filesystem, but the next time you make changes the web UI loads the default value, and if you forget to reconfigure it again and apply, then the incorrect value will get saved.

I've encountered it for another openvpn option prior to 21.7.3
Title: Re: 21.7.3 OpenVPN - tls-crypt not working?
Post by: athurdent on September 24, 2021, 07:30:11 am
> If I remember correctly, the configured options get written to the OpenVPN config file on the filesystem, but the next time you make changes the web UI loads the default value, and if you forget to reconfigure it again and apply, then the incorrect value will get saved.
>
> I've encountered it for another openvpn option prior to 21.7.3

Not here, freshly applied

Code:
root@OPNsense:~ # cat /var/etc/openvpn/server*.conf | grep tls
tls-server
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'OpenVPN' 1"
tls-auth /var/etc/openvpn/server1.tls-auth 0
tls-server
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'OpenVPN' 1"
tls-auth /var/etc/openvpn/server2.tls-auth 0
Title: Re: 21.7.3 OpenVPN - tls-crypt not working?
Post by: franco on September 24, 2021, 07:53:39 am
Sorry, that's https://github.com/opnsense/core/commit/98e6d76d

# opnsense-patch 98e6d76d

Something wrong with the initial merge to master after testing.


Cheers,
Franco
Title: Re: 21.7.3 OpenVPN - tls-crypt not working?
Post by: scrensen on September 24, 2021, 08:59:38 am
Thanks!

Never had to patch before, so nice to finally do this :)

And it works!
Title: Re: 21.7.3 OpenVPN - tls-crypt not working?
Post by: franco on September 24, 2021, 08:01:58 pm
Thanks for confirming. It's been hotfixed now and available as update to 21.7.3_1.


Cheers,
Franco
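
The grep check from athurdent's post, extended into a per-file audit that can be rerun after applying the patch or the update to confirm the GUI setting reached the generated config. This is an added example, not part of the thread or of OPNsense's own tooling; the function names are hypothetical, the sample configs are constructed, and it goes slightly beyond the thread by also recognising tls-crypt-v2 and inline key blocks.

```shell
#!/bin/sh
# Added example (not from the thread): report which control-channel
# protection each generated OpenVPN server config really contains.

# classify_conf FILE -> prints tls-crypt-v2 | tls-crypt | tls-auth | none
classify_conf() {
    awk '
        { sub(/^[ \t]+/, "") }                 # drop indentation
        /^[#;]/ || /^$/ { next }               # comments and blank lines
        # directive form "tls-crypt <file>" or inline form "<tls-crypt>"
        $1 == "tls-crypt-v2" || $1 == "<tls-crypt-v2>" { v2 = 1 }
        $1 == "tls-crypt"    || $1 == "<tls-crypt>"    { crypt = 1 }
        $1 == "tls-auth"     || $1 == "<tls-auth>"     { auth = 1 }
        END {
            if (v2) print "tls-crypt-v2"
            else if (crypt) print "tls-crypt"
            else if (auth) print "tls-auth"
            else print "none"
        }' "$1"
}

# audit_confs WANTED FILE... -> one line per file; returns 1 on any mismatch
audit_confs() {
    wanted=$1; shift; rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        got=$(classify_conf "$f")
        if [ "$got" = "$wanted" ]; then
            echo "OK       $f: $got"
        else
            echo "MISMATCH $f: $got (wanted $wanted)"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample configs standing in for /var/etc/openvpn/server*.conf
make_samples() {
    printf 'tls-server\ntls-auth %s/server1.tls-auth 0\n' "$1" > "$1/server1.conf"
    printf 'tls-server\n# tls-auth old.key 0\ntls-crypt %s/server2.tls-crypt\n' "$1" > "$1/server2.conf"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_confs tls-crypt "$demo_dir"/server*.conf || echo "at least one server is not using tls-crypt"
rm -rf "$demo_dir"
```

On the firewall itself the equivalent call is `audit_confs tls-crypt /var/etc/openvpn/server*.conf`, using the path shown in the thread.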