OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: Rayman on December 17, 2016, 02:13:10 pm

Title: After upgrade to 16.7.11 OpenVPN clients cannot connect anymore
Post by: Rayman on December 17, 2016, 02:13:10 pm
Hi,

I just upgraded to 16.7.11, and my OpenVPN client cannot connect anymore. Before the upgrade it was fine; now it stays on "connecting".

Server log:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed

The firewall rules on WAN and OpenVPN are there, and again, it was working fine.

Any ideas?

Downgrade to previous version?

Kind regards,
Ray
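An added example for triaging the server log quoted in this post (editor's code, not from the original post, OPNsense or OpenVPN): it groups server log lines by peer and separates "the client's packets never reach the server" from "packets arrive but the TLS handshake never completes", which is the distinction to make before blaming firewall rules or NAT. The sample log below is constructed to mimic the OpenVPN 2.3 server log format; the peer addresses and client CN are placeholders.

```python
"""Group OpenVPN server log lines by peer and classify why a client never comes up."""
import re
from collections import defaultdict
from dataclasses import dataclass

# OpenVPN 2.3 server log lines look like
#   <timestamp> <peer-ip>:<port> <message>        (per-peer messages)
#   <timestamp> TLS: Initial packet from [AF_INET]<ip>:<port>, sid=...   (no peer prefix)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?:(?P<peer>\d+(?:\.\d+){3}):\d+ )?"
    r"(?P<msg>.*)$"
)
AF_RE = re.compile(r"\[AF_INET\](?P<ip>\d+(?:\.\d+){3}):\d+")

# Constructed sample log: one client that works, one that keeps timing out in TLS.
SAMPLE_LOG = """\
Sat Dec 17 14:10:02 2016 TLS: Initial packet from [AF_INET]203.0.113.5:51234, sid=0a1b2c3d 4e5f6071
Sat Dec 17 14:10:02 2016 203.0.113.5:51234 VERIFY OK: depth=1, CN=OPNsense-CA
Sat Dec 17 14:10:03 2016 203.0.113.5:51234 [laptop] Peer Connection Initiated with [AF_INET]203.0.113.5:51234
Sat Dec 17 14:12:31 2016 TLS: Initial packet from [AF_INET]198.51.100.7:40001, sid=11223344 55667788
Sat Dec 17 14:13:31 2016 198.51.100.7:40001 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Dec 17 14:13:31 2016 198.51.100.7:40001 TLS Error: TLS handshake failed
Sat Dec 17 14:13:40 2016 TLS: Initial packet from [AF_INET]198.51.100.7:40002, sid=99aabbcc ddeeff00
Sat Dec 17 14:14:40 2016 198.51.100.7:40002 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Dec 17 14:14:40 2016 198.51.100.7:40002 TLS Error: TLS handshake failed
Sat Dec 17 14:15:00 2016 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
"""


@dataclass
class PeerStats:
    initial_packets: int = 0  # server saw the client's first packet: path and firewall are fine
    tls_timeouts: int = 0     # "TLS key negotiation failed to occur within N seconds"
    tls_failures: int = 0     # "TLS handshake failed"
    sessions: int = 0         # "Peer Connection Initiated": handshake completed


def parse_line(line):
    """Return (timestamp, peer_ip or None, message), or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    peer, msg = m.group("peer"), m.group("msg")
    if peer is None:                       # peer-less lines may still name the peer in the body
        af = AF_RE.search(msg)
        peer = af.group("ip") if af else None
    return m.group("ts"), peer, msg


def triage(lines):
    """Aggregate handshake-related events per client IP (port varies per retry, so key on IP)."""
    stats = defaultdict(PeerStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] is None:
            continue
        _, peer, msg = parsed
        s = stats[peer]
        if "TLS: Initial packet from" in msg:
            s.initial_packets += 1
        elif "TLS key negotiation failed to occur within" in msg:
            s.tls_timeouts += 1
        elif "TLS handshake failed" in msg:
            s.tls_failures += 1
        elif "Peer Connection Initiated" in msg:
            s.sessions += 1
    return dict(stats)


def diagnose(s):
    """Turn counters into the verdict a practitioner wants before touching firewall rules."""
    if s.sessions and not s.tls_failures:
        return "ok"
    if s.sessions and s.tls_failures:
        return "intermittent"                # connects, then later handshakes fail
    if s.initial_packets and s.tls_timeouts:
        return "reachable-but-tls-failing"   # traffic arrives; suspect the TLS/OpenVPN side, not the network
    if not s.initial_packets:
        return "no-traffic"                  # nothing from this client reached the daemon
    return "unknown"


def report(log_text):
    return {peer: diagnose(s) for peer, s in triage(log_text.splitlines()).items()}


if __name__ == "__main__":
    for peer, verdict in report(SAMPLE_LOG).items():
        print(f"{peer:16} {verdict}")
```

Run it against `/var/log/openvpn.log` (or the OpenVPN section of the OPNsense system log) to see at a glance whether the server is seeing the client's initial packets at all. A "reachable-but-tls-failing" verdict, as in this thread, points at the daemon or its TLS negotiation rather than at WAN rules, which is where the firewall rules "being there" stops being informative.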
Title: Re: After upgrade to 16.7.11 OpenVPN clients cannot connect anymore
Post by: franco on December 18, 2016, 10:14:25 am
Hi Rayman,

We should try to see if the older OpenVPN version still works for you.

For this I need your architecture/crypto combo (e.g. amd64/OpenSSL).


Cheers,
Franco
Title: Re: After upgrade to 16.7.11 OpenVPN clients cannot connect anymore
Post by: Rayman on December 18, 2016, 12:08:50 pm
Hi Franco,

The appliance is an A10 quad core with SSD, with OpenSSL.

Actually, I have the same problem with 2 different clients, both A10/OpenSSL.

When I reboot the appliance, I can connect with OpenVPN, but just for 15-30 seconds, then it stops working...

Also, I tried to update to v17, but all shell commands seem to fail, even a pkg update fails...

I'm now going to my client to downgrade to 16.7 with a memstick, and then I won't upgrade the appliance, which I know should work.


Edit: I tried switching 1 of the appliances to LibreSSL, but same problem.

Edit2: I downgraded 1 of the clients with memstick to 16.7. Restored configuration, OpenVPN worked instantly.
Title: Re: After upgrade to 16.7.11 OpenVPN clients cannot connect anymore
Post by: franco on December 19, 2016, 12:58:14 am
If you stay on 16.7 it's going to be difficult to diagnose.

In any case, upgrading to 16.7.11 will leave you with OpenVPN 2.3.14, but you can install 2.3.13 using:

# pkg add -f https://pkg.opnsense.org/FreeBSD:10:amd64/16.7/MINT/16.7.10/OpenSSL/All/openvpn-2.3.13_1.txz

OpenVPN 2.4 is around the corner. I'm expecting more troubles due to latent changes in the near future.

You also really need to state which version you used prior to updating, otherwise 16.7 to 16.7.11 is a really wide window. ;)


Cheers,
Franco
Title: Re: After upgrade to 16.7.11 OpenVPN clients cannot connect anymore
Post by: Rayman on December 20, 2016, 03:00:29 pm
Hi Franco,

I tried to install OpenVPN 2.3.13 with the command you wrote, but it did not work. I don't recall the exact error, but when I entered the line, it took about 10 minutes and then said something like: "No package created" or "no package available"... (also, pkg update takes a long time and does nothing).

For the old version, I installed and updated this appliance on November 7th. According to the releases it should have been 16.7.7.

I now have downgraded with usb stick to 16.7 (.1?). Everything seems to work ok now.

Is it possible to upgrade to 16.7.7, which I know works? I can't do it from the web interface, which would bring me back to 16.7.11 and (maybe) broken OpenVPN...

Edit: I seem to have a solution now. As you can read above, I downgraded to the 16.7 release. I then locked the OpenVPN package and upgraded to 16.7.11. After reboot, OpenVPN (2.3.11) would not start, so I updated OpenVPN to 2.3.13. After this, OpenVPN would start AND I can connect now! Finally, I locked the OpenVPN package again.


Thanks,
Ray
Title: Re: After upgrade to 16.7.11 OpenVPN clients cannot connect anymore
Post by: fraenki on December 21, 2016, 11:28:38 am
I've found the root cause and created a bug report:
https://github.com/opnsense/core/issues/1314
Title: Re: After upgrade to 16.7.11 OpenVPN clients cannot connect anymore
Post by: Rayman on December 21, 2016, 11:38:52 am
Thank you, great!
Title: Re: After upgrade to 16.7.11 OpenVPN clients cannot connect anymore
Post by: franco on December 21, 2016, 04:01:44 pm
We have a new test package.... fraenki confirmed it works:

# pkg add -f https://pkg.opnsense.org/snapshots/openvpn-2.3.14_1.txz

A quick heads-up on this is appreciated. This would affect a lot of users outside of OPNsense, too.


Cheers,
Franco
Title: Re: After upgrade to 16.7.11 OpenVPN clients cannot connect anymore
Post by: fraenki on December 21, 2016, 04:48:30 pm
@Rayman: It would be interesting to know if your OpenVPN configuration uses either "topology net30" or "topology subnet"? (it's the "Topology" setting in the GUI: unchecked means "net30", checked means "subnet")
Title: Re: After upgrade to 16.7.11 OpenVPN clients cannot connect anymore
Post by: Rayman on December 21, 2016, 09:48:36 pm
@fraenki: It's unchecked. I followed this guide: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html.
If I read correctly (here: https://community.openvpn.net/openvpn/wiki/Topology), I should enable this, right?

@franco: If I try this, I get the following messages:
root@OPNsense:~ # pkg install -f https://pkg.opnsense.org/snapshots/openvpn-2.3.14_1.txz
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
pkg: No packages available to install matching 'https://pkg.opnsense.org/snapshots/openvpn-2.3.14_1.txz' have been found in the repositories.

I did unlock OpenVPN before I tried this. I also rechecked the current package version, which is 2.3.13_1.

In System/firmware/settings I have both on Default.


Kind regards,
Ray
Title: Re: After upgrade to 16.7.11 OpenVPN clients cannot connect anymore
Post by: franco on December 21, 2016, 10:40:08 pm
Sorry, typo:

# pkg add -f https://pkg.opnsense.org/snapshots/openvpn-2.3.14_1.txz
Title: Re: After upgrade to 16.7.11 OpenVPN clients cannot connect anymore
Post by: Rayman on December 21, 2016, 10:47:41 pm
Hi Franco,

This works fine now. I have tried with Topology on and off.

Thanks, great!!
Title: Re: After upgrade to 16.7.11 OpenVPN clients cannot connect anymore
Post by: franco on December 21, 2016, 10:57:25 pm
Hi Rayman,

Glad to hear. We're already talking to OpenVPN about this in the bug report that fraenki posted.


Cheers,
Franco