17.1 Legacy Series / Re: OpenVPN
« on: February 08, 2017, 09:12:22 pm »
There seem to be several problems with openvpn in this release:
First: I have exactly the same problem as jorge: Identical config parameters as in 16.7 but before establishing a tunnel, the connection is reset. I regenerated the client cert, the client configs, TLS-Key, etc... nothing worked. With Verbosity >5, the log shows (read bottom to top):
Code:
openvpn[12345]: TCP/UDP: Closing socket
openvpn[12345]: 12.34.56.78:12345 SIGUSR1[soft,tls-error] received, client-instance restarting
openvpn[12345]: 12.34.56.78:12345 Fatal TLS error (check_tls_errors_co), restarting
openvpn[12345]: 12.34.56.78:12345 TLS Error: TLS handshake failed
openvpn[12345]: 12.34.56.78:12345 TLS Error: TLS object -> incoming plaintext read error
openvpn[12345]: 12.34.56.78:12345 TLS_ERROR: BIO read tls_read_plaintext error
openvpn[12345]: 12.34.56.78:12345 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
openvpn[12345]: 12.34.56.78:12345 CRL: cannot read CRL from file /var/etc/openvpn/server1.crl-verify
So TLS is failing because no revocation list could be loaded... maybe it's a bug which does not install the crl when applying the config. Or maybe the config is being generated with errors, which brings me to:
Second: When configuring an openvpn server listening on TCP6/1194, the server won't start. The log shows something about not being able to resolve an IPv4 address. Turns out, this is the interface's IPv4 address, not the IPv6 address. Manually changing this value ("local 12.34.56.78" to "local 2000:11:22:33::1") in the config file (/var/etc/openvpn/serverX.conf) resolves the issue temporarily.
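The two failures described in the post (a crl-verify file the daemon cannot read, and a "local" directive holding an IPv4 address while proto is tcp6) can both be caught before openvpn is started. The script below is an added example, not code from the post or from OPNsense: it parses a server config, reports those two inconsistencies, and returns nonzero if either is present. The config contents, file names and the temporary directory are constructed for the demonstration; the real file path from the post is /var/etc/openvpn/serverX.conf.

```shell
#!/bin/sh
# Added example (not from the forum post or OPNsense): pre-flight checks on a
# generated OpenVPN server config for the two problems described above.

# conf_get DIRECTIVE FILE: print the first value of DIRECTIVE, or nothing.
conf_get() {
    awk -v key="$1" '$1 == key { print $2; exit }' "$2"
}

# check_ovpn_conf FILE: print one line per finding; return 0 only if clean.
check_ovpn_conf() {
    conf="$1"
    problems=0

    # Finding 1: "crl-verify <file>" names a CRL that openvpn will not be able
    # to read, which surfaces later as "CRL: cannot read CRL from file ...".
    crl=$(conf_get crl-verify "$conf")
    if [ -n "$crl" ] && [ ! -r "$crl" ]; then
        echo "crl-verify points at an unreadable file: $crl"
        problems=$((problems + 1))
    fi

    # Finding 2: address family of "local" must match "proto" (tcp6/udp6 need
    # an IPv6 literal; plain tcp/udp/tcp4/udp4 need IPv4).
    proto=$(conf_get proto "$conf")
    local_addr=$(conf_get local "$conf")
    if [ -n "$local_addr" ]; then
        case "$proto" in
            *6|*6-server|*6-client)
                case "$local_addr" in
                    *:*) ;;   # contains a colon: IPv6 literal, consistent
                    *) echo "proto $proto but local address is not IPv6: $local_addr"
                       problems=$((problems + 1)) ;;
                esac ;;
            tcp|udp|tcp-server|tcp-client|tcp4|udp4|tcp4-server|tcp4-client)
                case "$local_addr" in
                    *:*) echo "proto $proto but local address is IPv6: $local_addr"
                         problems=$((problems + 1)) ;;
                esac ;;
        esac
    fi

    [ "$problems" -eq 0 ]
}

# Constructed sample configs (addresses and names are illustrative).
WORK=$(mktemp -d)
touch "$WORK/server1.crl-verify"   # a readable stand-in for the real CRL

cat > "$WORK/bad.conf" <<EOF
proto tcp6-server
port 1194
local 12.34.56.78
crl-verify $WORK/missing.crl-verify
EOF

cat > "$WORK/good.conf" <<EOF
proto tcp6-server
port 1194
local 2000:11:22:33::1
crl-verify $WORK/server1.crl-verify
EOF

BAD_CONF="$WORK/bad.conf"
GOOD_CONF="$WORK/good.conf"

# Usage: run the checks over both configs and report the verdict.
for f in "$BAD_CONF" "$GOOD_CONF"; do
    if check_ovpn_conf "$f"; then echo "$f: OK"; else echo "$f: REJECTED"; fi
done
```

Run against a live system, point check_ovpn_conf at the generated /var/etc/openvpn/serverX.conf after applying the GUI settings; a non-zero exit explains the "Fatal TLS error" and the failed IPv6 listener without having to read the daemon log bottom to top.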