OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Julien on July 13, 2017, 10:19:09 am

Title: 17.1.9 kills VPN
Post by: Julien on July 13, 2017, 10:19:09 am
Hi guys,
Yesterday we updated to 17.1.9 and everything went fine; however, today we've received reports that the users can't log in using the VPN.
I remember this behaviour from before, and it was related to a certificate on pfSense.
Can someone please advise ?

VPN Log files
Code:
Jul 13 10:13:54 openvpn[24476]: 77.88.99.000:52248 TLS: Initial packet from [AF_INET]77.88.99.000:52248, sid=976076f8 d31118b7
Jul 13 10:13:54 openvpn[24476]: 77.88.99.000:50706 TLS: Initial packet from [AF_INET]77.88.99.000:50706, sid=f47bd4f3 845ac041
Jul 13 10:13:54 openvpn[24476]: 77.88.99.000:58941 TLS: Initial packet from [AF_INET]77.88.99.000:58941, sid=3f8a60dc 76aab9ac
Jul 13 10:13:54 openvpn[24476]: 77.88.99.000:56991 TLS: Initial packet from [AF_INET]77.88.99.000:56991, sid=231370d3 f0826ead
Jul 13 10:13:52 openvpn[24476]: 77.88.99.000:56216 TLS: Initial packet from [AF_INET]77.88.99.000:56216, sid=22899881 6bca73f0
Jul 13 10:13:52 openvpn[24476]: 77.88.99.000:49308 TLS: Initial packet from [AF_INET]77.88.99.000:49308, sid=3af582a3 5a12ef17
Jul 13 10:13:52 openvpn[24476]: 77.88.99.000:49264 TLS: Initial packet from [AF_INET]77.88.99.000:49264, sid=3f0092c9 9c220082
Jul 13 10:13:52 openvpn[24476]: 77.88.99.000:52542 TLS: Initial packet from [AF_INET]77.88.99.000:52542, sid=e310c396 34b40c47
Jul 13 10:13:52 openvpn[24476]: 77.88.99.000:59184 TLS: Initial packet from [AF_INET]77.88.99.000:59184, sid=efca0703 b07d1165
Jul 13 10:13:51 openvpn[24476]: 77.88.99.000:52127 TLS: Initial packet from [AF_INET]77.88.99.000:52127, sid=814e8797 6a0b0030
Jul 13 10:13:51 openvpn[24476]: 77.88.99.000:63024 TLS: Initial packet from [AF_INET]77.88.99.000:63024, sid=da4d5997 84036cce
Jul 13 10:13:51 openvpn[24476]: 77.88.99.000:62575 TLS: Initial packet from [AF_INET]77.88.99.000:62575, sid=2635a33e be1db342

Also, the OpenVPN status shows

UNDEF
3091   77.88.99.000:60056
UNDEF
5206   77.88.99.000:53991

Title: Re: 17.1.9 kills VPN
Post by: mimugmail on July 13, 2017, 12:02:33 pm
Do you also have a log from the client?
Title: Re: 17.1.9 kills VPN
Post by: maxbw on July 13, 2017, 04:45:20 pm
Same behavior on my OPNsense system after the update...
Code:
Thu Jul 13 16:40:09 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
Thu Jul 13 16:40:09 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Jul 13 16:40:09 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Thu Jul 13 16:40:10 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.4.1:11950
Thu Jul 13 16:40:10 2017 UDP link local (bound): [AF_INET][undef]:0
Thu Jul 13 16:40:10 2017 UDP link remote: [AF_INET]192.168.4.1:11950
Thu Jul 13 16:41:11 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jul 13 16:41:11 2017 TLS Error: TLS handshake failed
Thu Jul 13 16:41:11 2017 SIGUSR1[soft,tls-error] received, process restarting
Thu Jul 13 16:41:16 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.4.1:11950
Thu Jul 13 16:41:16 2017 UDP link local (bound): [AF_INET][undef]:0
Thu Jul 13 16:41:16 2017 UDP link remote: [AF_INET]192.168.4.1:11950
Client log.
Don't worry, I tried to connect from the LAN and it worked before...

In the client connection status, "bytes received" stays at 0 bytes for each client.
Title: Re: 17.1.9 kills VPN
Post by: Julien on July 13, 2017, 06:59:13 pm
Good catch; on the client side it shows that the SSL certificate is expired.


Code:
2017-07-13 19:03:12: State changed to Authenticating
2017-07-13 19:03:12: VERIFY ERROR: depth=1, error=certificate has expired:
2017-07-13 19:03:12: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017-07-13 19:03:12: TLS_ERROR: BIO read tls_read_plaintext error
2017-07-13 19:03:12: TLS Error: TLS object -> incoming plaintext read error
2017-07-13 19:03:12: TLS Error: TLS handshake failed

Thank you for pointing me there.
Right now we have found the error.
The certificate is expired; does that mean we have to create a new one and push it to all devices? Or can we just renew the existing one and not have to resend it to users?

Thank you
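The two logs in this thread tell the story from opposite ends: the server only ever logs "TLS: Initial packet" for the client and the status page lists the sessions as UNDEF (no common name yet, because authentication never completed), while the client logs "VERIFY ERROR: depth=1, error=certificate has expired". In OpenSSL verify output depth 0 is the peer's own certificate and depth 1 is its issuer, so here it is the CA certificate in the chain the client checks, not the server's leaf, that has run out. The following script is an added example, not code from the OPNsense project or from any poster: it runs simple triage over constructed sample lines modelled on the ones above (the anonymised IP and session ids are reused; the regexes, function names and the "completed" heuristic are my assumptions, not OpenVPN API) so that the same check can be run over a real server log and client log side by side.

```python
import re
from collections import defaultdict

# Constructed sample log lines, modelled on the server and client logs posted
# in this thread (anonymised IP and session ids reused; otherwise made up).
SERVER_LOG = """\
Jul 13 10:13:54 openvpn[24476]: 77.88.99.000:52248 TLS: Initial packet from [AF_INET]77.88.99.000:52248, sid=976076f8 d31118b7
Jul 13 10:13:54 openvpn[24476]: 77.88.99.000:50706 TLS: Initial packet from [AF_INET]77.88.99.000:50706, sid=f47bd4f3 845ac041
Jul 13 10:13:52 openvpn[24476]: 77.88.99.000:56216 TLS: Initial packet from [AF_INET]77.88.99.000:56216, sid=22899881 6bca73f0
"""

CLIENT_LOG = """\
2017-07-13 19:03:12: VERIFY ERROR: depth=1, error=certificate has expired:
2017-07-13 19:03:12: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017-07-13 19:03:12: TLS Error: TLS handshake failed
Thu Jul 13 16:41:11 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Server side: a handshake that starts ("Initial packet") but never completes.
INITIAL_RE = re.compile(IPV4 + r":\d+ TLS: Initial packet from")
# Messages OpenVPN logs once the peer has been verified / the tunnel is up
# (assumed markers; extend for your own server's log level).
COMPLETE_RE = re.compile(IPV4 + r":\d+ .*(?:Peer Connection Initiated|VERIFY OK)")
# Client side: certificate verification failures and handshake timeouts.
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<reason>[^:]+)")
TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within (?P<secs>\d+) seconds")


def server_handshakes(log):
    """Per peer IP, count handshakes started versus completed."""
    stats = defaultdict(lambda: {"initial": 0, "completed": 0})
    for line in log.splitlines():
        m = INITIAL_RE.search(line)
        if m:
            stats[m.group("ip")]["initial"] += 1
            continue
        m = COMPLETE_RE.search(line)
        if m:
            stats[m.group("ip")]["completed"] += 1
    return dict(stats)


def client_verify_errors(log):
    """Return (depth, reason) for every VERIFY ERROR line.
    depth 0 is the peer's own certificate, depth 1 is its issuer (the CA)."""
    return [(int(m.group("depth")), m.group("reason").strip())
            for m in map(VERIFY_RE.search, log.splitlines()) if m]


def client_timeouts(log):
    """Return the timeout in seconds from each 'key negotiation failed' line."""
    return [int(m.group("secs")) for m in map(TIMEOUT_RE.search, log.splitlines()) if m]


def triage(server_log, client_log):
    """Combine both sides into human-readable findings."""
    findings = []
    for ip, s in server_handshakes(server_log).items():
        if s["initial"] and not s["completed"]:
            findings.append(f"{ip}: {s['initial']} handshake(s) started, none completed; "
                            "nothing logged after the initial packet, so read the client log")
    for depth, reason in client_verify_errors(client_log):
        who = "CA certificate (issuer)" if depth >= 1 else "server certificate (leaf)"
        findings.append(f"client rejected the {who}: {reason} (depth={depth})")
    for secs in client_timeouts(client_log):
        findings.append(f"client saw no usable TLS reply within {secs}s: "
                        "expect this whenever the client aborts the handshake itself")
    return findings


if __name__ == "__main__":
    for finding in triage(SERVER_LOG, CLIENT_LOG):
        print(finding)
```

Run it against the real files by reading them into SERVER_LOG and CLIENT_LOG; the useful signal is the combination: a server that only sees initial packets plus a client that names depth=1 means the CA certificate on the client side is what expired, which also answers the question above, since a new or renewed CA has to reach every client before they can trust the server again.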
Title: Re: 17.1.9 kills VPN
Post by: maxbw on July 13, 2017, 09:29:09 pm
Got it working after I changed the installation from OpenSSL to LibreSSL, leaving all the other settings as before.
Only the "connected since" time is not shown correctly; it is still shown, for example, as 5453.