Messages - coolmint

1
24.1 Legacy Series / Re: OpenVPN servers > instances
« on: February 20, 2024, 05:55:26 pm »
Under 'General Settings' in the 'Server (IPv4)' I entered the VPN-Subnet (e.g. 192.168.150.0/27) and it's working for me.
In the misc section for the redirect gateway I only checked 'default'. I also had to manually create an outbound NAT rule for the 'OpenVPN net'.

2
German - Deutsch / Re: OPNsense 22.7.5 return of the Peer Certificate Revocation List error
« on: October 06, 2022, 02:55:13 pm »
Quote from: franco on October 06, 2022, 10:45:47 am
For now...

# opnsense-patch 1ba8910df4d6


Regards
Franco

The patch worked (without a dummy certificate); I also had the 'CRL problem' again after the last update.

Many thanks!

Regards
coolmint

3
22.7 Legacy Series / Re: OpenVPN after upgrading 22.7.3 -> 22.7.4
« on: September 16, 2022, 05:57:58 pm »
@MUD:
Sorry for hijacking your post!

@AdSchellevis:
Great - applying the suggested patch fixed the issue!
OpenVPN with enabled CRL option (using Elliptic Curve certificates) is up and running again.

Many many thanks!

4
22.7 Legacy Series / Re: OpenVPN after upgrading 22.7.3 -> 22.7.4
« on: September 14, 2022, 10:11:24 pm »
Same problem here - if I turn on the 'Peer Certificate Revocation List' option the GUI crashes when I hit the save button and shows the following error message:

Code:
Fatal error: Uncaught Error: Call to undefined method phpseclib3\Crypt\EC\PrivateKey::withPadding() in /usr/local/etc/inc/certs.inc:666 Stack trace: #0 /usr/local/etc/inc/plugins.inc.d/openvpn.inc(834): crl_update(Array) #1 /usr/local/etc/inc/plugins.inc.d/openvpn.inc(1115): openvpn_reconfigure('server', Array) #2 /usr/local/www/vpn_openvpn_server.php(450): openvpn_configure_single('1') #3 {main} thrown in /usr/local/etc/inc/certs.inc on line 666
With the CRL option enabled, the OpenVPN service fails to start after a reboot.

Without the CRL, the VPN works fine.

5
22.7 Legacy Series / Re: No VPN connection with CRL enabled after upgrade to 22.7
« on: August 09, 2022, 09:19:28 pm »
Jep, you are right - the 'phpseclib' currently installed doesn't support EC.

After applying the latest patch, the general log shows the following:

Code:
2022-08-09T21:09:06 Error opnsense Cert revocation error: Only RSA key type currently supported for CRL signing.
Great - thank you for your assistance! :)

6
22.7 Legacy Series / Re: No VPN connection with CRL enabled after upgrade to 22.7
« on: August 08, 2022, 10:04:52 pm »
I did some more tests today - I noticed the following:

If I use the ECDSA algorithm when creating the CA, I cannot revoke any certificates afterwards - the familiar error message appears.

However, if the CA is created with the RSA algorithm, everything works as it should - no errors, I can add certificates to the CRL.

It also doesn't matter how the client certificate was created (RSA or ECDSA) - it depends on how the CA was created.

If I now use the new (RSA generated) CA in the VPN server configuration, the '.crl-verify' file is also filled accordingly and no more errors appear in the OpenVPN log.

The system cannot work with the CA certificate which was generated using the Elliptic Curve Digital Signature Algorithm (ECDSA).


7
22.7 Legacy Series / Re: No VPN connection with CRL enabled after upgrade to 22.7
« on: August 07, 2022, 08:41:23 pm »
Quote from: Fright on August 07, 2022, 09:30:08 am
@coolmint
Quote
Using the new setup, the behavior is still the same - the system creates a zero-byte '.crl-verify' file.
any chance that you forgot to change "Peer Certificate Revocation List" in openvpn server config? )

That would have been nice, but no - I changed both, the new Peer Certificate Authority and the Peer Certificate Revocation List in the VPN server configuration before testing.

Quote from: Fright on August 07, 2022, 09:30:08 am
if you are willing to help sort out the reasons, can you try again (create a CRL and add a certificate to it) after:
Code:
opnsense-patch -a kulikov-a 91e13ae ?

any errors adding cert to CRL? is CRL valid if you download via GUI? any errors in General log?

I applied the patch, created a new CA, a new Cert and a CRL (and adjusted the VPN-Server config).

If I now try to revoke the Cert, I get the following message:

Code:
Cannot revoke certificate. See general log for details.

The general log shows:

Code:
2022-08-07T20:18:43 Error opnsense Cert revocation error: CRL validation failed at first step.

The '.crl-verify' file still remains empty.
I can export the CRL file (no errors are shown here) and open it (it's - as expected - empty).

8
22.7 Legacy Series / Re: No VPN connection with CRL enabled after upgrade to 22.7
« on: August 06, 2022, 12:02:06 pm »
The CA is internal with a self-signed certificate and the certificate private key exists in the CA properties.

For testing purposes I created a completely new CA with a corresponding CRL.
Using the new setup, the behavior is still the same - the system creates a zero-byte '.crl-verify' file.

9
22.7 Legacy Series / Re: No VPN connection with CRL enabled after upgrade to 22.7
« on: August 06, 2022, 11:12:16 am »
Weird behavior - if I revoke a certificate via GUI the timestamp of the file changes to the current date and time but the file itself remains empty.

The content of the '/var/etc/openvpn' directory is shown as follows:

Code:
-rw-------  1 root  wheel   956B Aug  6 10:35 server1.ca
-rw-------  1 root  wheel   1.2K Aug  6 10:35 server1.cert
-rw-------  1 root  wheel   1.3K Aug  6 10:35 server1.conf
-rw-------  1 root  wheel     0B Aug  6 10:35 server1.crl-verify
-rw-------  1 root  wheel   227B Aug  6 10:35 server1.key
srwxrwxrwx  1 root  wheel     0B Aug  6 10:35 server1.sock
-rw-------  1 root  wheel   636B Aug  6 10:35 server1.tls-auth

I can do whatever I want, the only thing that changes regarding the 'server1.crl-verify' file is the timestamp.  :o

10
22.7 Legacy Series / Re: No VPN connection with CRL enabled after upgrade to 22.7
« on: August 04, 2022, 02:11:11 pm »
The system generated the 'server1.crl-verify' file as a zero-byte file.
I don't have any revoked certificates at the moment, so I expected an empty file as well.

Should the file contain data, even without revoked certificates?

11
22.7 Legacy Series / Re: No VPN connection with CRL enabled after upgrade to 22.7
« on: August 02, 2022, 09:19:57 pm »
Thank you for your reply, I tried the patch and regenerated the CRL but no luck.

The error is still the same.

Edit:

Additionally, there is a new error shown in the Log:

'OpenSSL: error:0909006C:PEM routines:get_name:no start line'


12
22.7 Legacy Series / No VPN connection with CRL enabled after upgrade to 22.7
« on: July 30, 2022, 11:51:47 am »
Using the OpenVPN Server with the Peer Certificate Revocation List option, the following error is shown in the Log file and no client can authenticate:

'CRL: cannot read CRL from file /var/etc/openvpn/server1.crl-verify'

If I deactivate the CRL-Option in the server settings by setting it to 'none', Clients can connect again without problems.
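
As an added diagnostic (not code from this thread or from OPNsense itself), a stdlib-only Python check that classifies a '.crl-verify' file by the cases the posts in this thread distinguish: a zero-byte file (OpenVPN's "cannot read CRL", OpenSSL's "no start line") versus a signed CRL whose signature algorithm reveals whether it came from an RSA or an ECDSA CA. The two sample CRLs are constructed and structurally minimal, not cryptographically valid; only the PEM/DER walk applies to real files.

```python
import base64
import re
# Signature-algorithm OIDs (RFC 4055 / RFC 5758): enough to tell an RSA-signed CRL
# from an ECDSA-signed one, which is the distinction the 22.7 CRL bug hinges on.
SIG_ALG = {
    "1.2.840.113549.1.1.11": "RSA (sha256WithRSAEncryption)",
    "1.2.840.10045.4.3.2": "ECDSA (ecdsa-with-SHA256)",
}
PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)

def tlv(data, pos=0):  # read one DER TLV -> (tag, value, position after it)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(raw):  # dotted form of a DER OBJECT IDENTIFIER body
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def inspect_crl(pem: bytes) -> dict:
    """Classify the bytes of a .crl-verify file by the symptom they would cause."""
    if not pem.strip():  # the zero-byte file from the thread
        return {"state": "empty", "note": "OpenSSL: no start line; OpenVPN: cannot read CRL"}
    m = PEM_RE.search(pem)
    if not m:
        return {"state": "no-pem", "note": "no BEGIN X509 CRL block found"}
    der_bytes = base64.b64decode(b"".join(m.group(1).split()))
    _, body, _ = tlv(der_bytes)  # CertificateList ::= SEQUENCE { tbsCertList, sigAlg, sig }
    _, _, pos = tlv(body)  # skip tbsCertList
    _, alg_id, _ = tlv(body, pos)  # signatureAlgorithm ::= SEQUENCE { OID, params }
    oid = decode_oid(tlv(alg_id)[1])
    alg = SIG_ALG.get(oid, "unknown")
    return {"state": "signed", "oid": oid, "alg": alg, "rsa_signed": alg.startswith("RSA")}

def der(tag, content):  # minimal DER encoder (short-form lengths) for the constructed sample
    return bytes([tag, len(content)]) + content

def sample_crl(sig_oid_hex):  # constructed, structurally minimal CRL: empty tbsCertList
    alg = der(0x30, der(0x06, bytes.fromhex(sig_oid_hex)))
    body = der(0x30, der(0x30, b"") + alg + der(0x03, b"\x00"))
    return b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(body) + b"-----END X509 CRL-----\n"

ECDSA_CRL = sample_crl("2a8648ce3d040302")  # ecdsa-with-SHA256, as a CRL from an ECDSA CA would carry
RSA_CRL = sample_crl("2a864886f70d01010b")  # sha256WithRSAEncryption, as from an RSA CA
```

On a real box, feed it the bytes of /var/etc/openvpn/server1.crl-verify; an "empty" result matches the listing in this thread, and an ECDSA signature algorithm on a CRL that does get written means the CA key type, not the client certificate, is what the 22.7 phpseclib limitation trips over.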

13
Zenarmor (Sensei) / Re: Zenarmor fails after upgrade to OPNsense 22.1.10
« on: July 07, 2022, 06:01:47 pm »
After updating to Engine Version 1.11.3 everything is working again (after reboot).
