OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: jorgevisentini on February 08, 2017, 01:55:23 pm

Title: [SOLVED] OpenVPN
Post by: jorgevisentini on February 08, 2017, 01:55:23 pm
Hello everyone
I am installing and configuring 17.1 here in the company, but I have not been able to upload VPN using OpenVPN yet.

I configured it exactly like the current one, in version 16.7, but I cannot make this new one work.

The message that appears is "TLS Error: TLS handshake failed".

I have already reviewed and reconfigured the settings and have re-created the certificates, and it always gives the same message.

Does anyone have the same problem?

Thank you!
Title: Re: OpenVPN
Post by: ejprice on February 08, 2017, 03:17:49 pm
Unfortunately, no. It's working fine for me.

Sounds like you might have a mismatch where one of the certificates was created by a different CA. Is that possible? Can you look at the entire certificate chain and verify that the same CA was used? And the same CA is selected in your server config. The devil is in the details with certificates.

Under System/Trust/Certificates click the "i" icon and take a look at the issuer right up at the top. Make sure the common name (cn) matches that of your CA in System/Trust/Authorities.

Hope that helps!
Title: Re: OpenVPN
Post by: elseym on February 08, 2017, 09:12:22 pm
There seem to be several problems with openvpn in this release:

First: I have exactly the same problem as jorge: Identical config parameters as in 16.7 but before establishing a tunnel, the connection is reset. I regenerated the client cert, the client configs, TLS-Key, etc... nothing worked. With Verbosity >5, the log shows (read bottom to top):

Code:
openvpn[12345]: TCP/UDP: Closing socket
openvpn[12345]: 12.34.56.78:12345 SIGUSR1[soft,tls-error] received, client-instance restarting
openvpn[12345]: 12.34.56.78:12345 Fatal TLS error (check_tls_errors_co), restarting
openvpn[12345]: 12.34.56.78:12345 TLS Error: TLS handshake failed
openvpn[12345]: 12.34.56.78:12345 TLS Error: TLS object -> incoming plaintext read error
openvpn[12345]: 12.34.56.78:12345 TLS_ERROR: BIO read tls_read_plaintext error
openvpn[12345]: 12.34.56.78:12345 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
openvpn[12345]: 12.34.56.78:12345 CRL: cannot read CRL from file /var/etc/openvpn/server1.crl-verify

So TLS is failing because no revocation list could be loaded... maybe it's a bug which does not install the crl when applying the config. Or maybe the config is being generated with errors, which brings me to:


Second: When configuring an openvpn server listening on TCP6/1194, the server won't start. The log shows something about not being able to resolve an IPv4 address. Turns out, this is the interface's IPv4 address, not the IPv6 address. Manually changing this value ("local 12.34.56.78" to "local 2000:11:22:33::1") in the config file (/var/etc/openvpn/serverX.conf) resolves the issue temporarily.
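
Added example (not part of the original post, and not OPNsense or OpenVPN code): a small log triage that separates the CRL read failure described above from other handshake failures. The `triage` function, the second peer in the sample and the IPv4 `ip:port` peer format are assumptions made for illustration.

```python
import re

# Constructed sample, newest line first as in the post; the 98.76.54.32 peer is invented.
SAMPLE = """\
openvpn[12345]: TCP/UDP: Closing socket
openvpn[12345]: 12.34.56.78:12345 SIGUSR1[soft,tls-error] received, client-instance restarting
openvpn[12345]: 12.34.56.78:12345 TLS Error: TLS handshake failed
openvpn[12345]: 12.34.56.78:12345 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
openvpn[12345]: 12.34.56.78:12345 CRL: cannot read CRL from file /var/etc/openvpn/server1.crl-verify
openvpn[12345]: 98.76.54.32:40000 TLS Error: TLS handshake failed
openvpn[12345]: 98.76.54.32:40000 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
"""

# Optional "ip:port" peer prefix, then the message (IPv4 peers only, an assumption).
LINE = re.compile(r"^openvpn\[\d+\]: (?:(\d{1,3}(?:\.\d{1,3}){3}:\d+) )?(.*)$")
CRL = re.compile(r"CRL: cannot read CRL from file (\S+)")


def triage(log_text, newest_first=True):
    """Return [(peer, probable cause)] for every failed TLS handshake."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    if newest_first:
        lines.reverse()              # process in chronological order
    evidence = {}                    # peer -> clues seen since its last failure
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m or not m.group(1):
            continue                 # lines without a peer prefix carry no clue
        peer, msg = m.groups()
        clues = evidence.setdefault(peer, {})
        crl = CRL.search(msg)
        if crl:
            clues["crl_file"] = crl.group(1)
        elif "no certificate returned" in msg:
            clues["no_cert"] = True
        elif "TLS handshake failed" in msg:
            if "crl_file" in clues:
                cause = "server could not read CRL " + clues["crl_file"]
            elif clues.get("no_cert"):
                cause = "peer certificate not accepted, no CRL error logged"
            else:
                cause = "unknown, raise verbosity"
            findings.append((peer, cause))
            evidence.pop(peer)       # next attempt from this peer starts clean
    return findings


if __name__ == "__main__":
    for peer, cause in triage(SAMPLE):
        print(peer, "->", cause)
```

A failure attributed to the CRL file points at the server-side configuration rather than at the client certificate, so regenerating client certificates will not clear it.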
Title: Re: OpenVPN
Post by: thegundalf on February 09, 2017, 09:18:48 am
I can totally second the problem with the CRL. As soon as it is defined in the server configuration, it is not possible to connect anymore due to the failing TLS handshake.

Greetings

Max
Title: Re: OpenVPN
Post by: franco on February 09, 2017, 08:12:02 pm
Was fixed in 17.1.1. Can someone confirm?
Title: Re: OpenVPN
Post by: thegundalf on February 10, 2017, 08:37:26 am
Works like a charm, thank you very much!
Title: Re: [SOLVED] OpenVPN
Post by: franco on February 10, 2017, 08:42:52 am
Purrfect! :)
Title: Re: [SOLVED] OpenVPN
Post by: jorgevisentini on February 10, 2017, 03:27:21 pm
Good morning everyone!

Really, it's working now.

I will continue with the other tests haha

Thank you all!!