Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - xjan

Pages1
#1
25.7 Series / Re: [25.7] Legacy OpenVPN clent to new OpenVPN transition
September 02, 2025, 01:34:43 PM
Quote from: dracocephalum on July 26, 2025, 06:33:28 AM3. The "Compression" dropdown box is gone, and this is where I got stuck - I need to set it to "Partial" (e.g. --compress) for the connection to my VPN provider to work
The general recommendation is to move away from using compression because it introduces unnecessary vulnerabilities. However, if you need to support OpenVPN clients that are requesting compression, then you can configure the OpenVPN server option "compress migrate". This option is also exposed in the new OPNsense OpenVPN instance configuration page if you select "advanced mode".

## Ha, on second read I realised you're looking to configure the OpenVPN client, not the server. Feel free to ignore this. : o)
#2
25.1, 25.4 Series / OpenVPN log warning "CRL: cannot read CRL from file"
July 07, 2025, 07:50:58 PM
When configuring an OpenVPN server where the "Certificate Revocation List" is in OPNsense's Trust store and where "Verify Client Certificate" is set to "required", the OpenVPN server logs the following warnings:
Code Select
2025-07-07T20:10:22 Warning openvpn_server1  {IP_REDACTED}:57866 CRL: cannot read CRL from file /var/etc/openvpn/server-2eb6ff80-fa3f-4c59-a785-acca7c44f471.crl-verify
2025-07-07T20:10:22 Warning openvpn_server1  {IP_REDACTED}:57866 OpenSSL: error:0480006C:PEM routines::no start line:
2025-07-07T20:10:22 Warning openvpn_server1  {IP_REDACTED}:57866 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (none : 0), Properties (<null>)
My first thought was that perhaps the CRL is malformed, but when verifying the contents of the CRL file with openssl, the CRL seems to be valid:
Code Select
root@mono:~ # openssl crl -in /var/etc/openvpn/server-2eb6ff80-fa3f-4c59-a785-acca7c44f471.crl-verify -inform PEM -CAfile ca.crt -noout
verify OK
There also shouldn't be a problem with file permissions – the CRL file has 644 permissions and its parent directories are world accessible. Besides, the OpenVPN server process runs as root.

The structure of the CRL file is:
Code Select
-----BEGIN X509 CRL-----
BASE64 CRL
-----END X509 CRL-----
When revoking certificates, it appears that the OpenVPN server can actually read the CRL, as the revoked certs can no longer be used to connect to the OpenVPN server. However, seeing those warnings still makes me feel uneasy. Any thoughts on what's causing these warnings? Am I in for further problems down the line?

All of this is happening on OPNsense 25.1.10-amd64.
Pages1