OPNsense
Topics - wessjan

22.7 Legacy Series / openvpn not working after upgrade
« on: August 20, 2022, 01:42:35 am »
Hi there,
I've just upgraded my installation from 22.1.10 to 22.7.2. Everything worked fine so far, but openvpn clients couldn't connect. Every time openvpn is restarted, the logs show the same warnings, which to me look like the process can't read the files (server1.*) in the config folder (/var/etc/openvpn). The process is running as root; the access for the folder is 750 root/wheel and for the files 600 root/wheel. In the web GUI the config can be read, but after saving (which implies a restart of openvpn) the same warnings are shown in the log. Client connects are refused as the CRL file is not readable.

Content of the folder:
root@mfw005:/var/etc/openvpn # ll
total 40
-rw-------  1 root  wheel  1757 Aug 20 00:52 server1.ca
-rw-------  1 root  wheel  1862 Aug 20 00:52 server1.cert
-rw-------  1 root  wheel  1352 Aug 20 00:52 server1.conf
-rw-------  1 root  wheel  1432 Aug 20 00:52 server1.crl-verify
-rw-------  1 root  wheel  1704 Aug 20 00:52 server1.key
srwxrwxrwx  1 root  wheel     0 Aug 20 00:52 server1.sock=
Warnings in the log on service start:
2022-08-20T00:52:17 Warning openvpn Could not determine IPv4/IPv6 protocol. Using AF_INET6
2022-08-20T00:52:16 Warning openvpn CRL: cannot read CRL from file /var/etc/openvpn/server1.crl-verify
2022-08-20T00:52:16 Warning openvpn OpenSSL: error:0909006C:PEM routines:get_name:no start line
2022-08-20T00:52:16 Warning openvpn NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-08-20T00:52:16 Warning openvpn NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
2022-08-20T00:52:15 Warning openvpn DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-08-20T00:52:15 Warning openvpn WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
2022-08-20T00:52:15 Warning openvpn WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Errors in the log on client connect:
2022-08-20T00:47:28 Error openvpn 192.168.***.***:43982 Fatal TLS error (check_tls_errors_co), restarting
2022-08-20T00:47:28 Error openvpn 192.168.***.***:43982 TLS Error: TLS handshake failed
2022-08-20T00:47:28 Error openvpn 192.168.***.***:43982 TLS Error: TLS object -> incoming plaintext read error
2022-08-20T00:47:28 Error openvpn 192.168.***.***:43982 TLS_ERROR: BIO read tls_read_plaintext error
2022-08-20T00:47:28 Error openvpn 192.168.***.***:43982 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
2022-08-20T00:47:28 Error openvpn 192.168.***.***:43982 VERIFY ERROR: CRL not loaded
2022-08-20T00:47:21 Error openvpn fdf0:***:e554 Fatal TLS error (check_tls_errors_co), restarting
2022-08-20T00:47:21 Error openvpn fdf0:***:e554 TLS Error: TLS handshake failed
2022-08-20T00:47:21 Error openvpn fdf0:***:e554 TLS Error: TLS object -> incoming plaintext read error
2022-08-20T00:47:21 Error openvpn fdf0:***:e554 TLS_ERROR: BIO read tls_read_plaintext error
2022-08-20T00:47:21 Error openvpn fdf0:***:e554 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
2022-08-20T00:47:21 Error openvpn fdf0:***:e554 VERIFY ERROR: CRL not loaded

Any idea how to get that fixed?

Best regards, Jan
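Editor's note, with an added example that is not part of the post above and not OPNsense's own code. The two lines that matter in the start-up log are "OpenSSL: error:0909006C:PEM routines:get_name:no start line" followed by "CRL: cannot read CRL from file /var/etc/openvpn/server1.crl-verify": "no start line" is OpenSSL's way of saying it read the file but found no "-----BEGIN X509 CRL-----" PEM header in it (an empty file, a DER blob, or some other PEM object such as a certificate all produce it), and a process running as root is not stopped by 0600 root:wheel. The later "VERIFY ERROR: CRL not loaded" on each client handshake is the consequence: OpenVPN refuses every client certificate when a crl-verify file is configured but could not be loaded. The script below checks a crl-verify file in the order OpenVPN's OpenSSL backend fails on it (readable, PEM header present, parseable, signed by the CA) and builds a constructed fixture so the checks can be run offline. The function names, the temporary directory layout and the example-ca / example-other subjects are my assumptions; the paths /var/etc/openvpn/server1.crl-verify and server1.ca are the ones from the post.

```sh
#!/bin/sh
# Added example; not code from the forum post or from OPNsense. Checks a
# crl-verify file the way OpenVPN's OpenSSL backend reads it, with an
# offline fixture so the checks can be exercised without a firewall.
# Function names, temp-dir layout and the example-* CA subjects are
# illustrative assumptions.

command -v openssl >/dev/null 2>&1 || { echo "openssl(1) is required" >&2; exit 1; }

# check_crl_file FILE [CA_FILE]
# Return codes:
#   0  PEM CRL that OpenSSL parses (and, with CA_FILE, whose signature verifies)
#   1  FILE missing or not readable by the current user
#   2  no "-----BEGIN X509 CRL-----" line; the case OpenSSL reports as
#      "PEM routines:get_name:no start line" (empty file, DER, wrong PEM type)
#   3  header present but OpenSSL cannot parse the body
#   4  CRL parses but does not verify against CA_FILE
check_crl_file() {
    file=$1
    ca=$2
    if [ ! -r "$file" ]; then
        echo "check: $file missing or not readable by uid $(id -u)"
        return 1
    fi
    if ! grep -q -- '-----BEGIN X509 CRL-----' "$file"; then
        echo "check: $file has no PEM CRL header ($(wc -c <"$file" | tr -d ' ') bytes)"
        return 2
    fi
    if ! openssl crl -in "$file" -noout >/dev/null 2>&1; then
        echo "check: openssl cannot parse the CRL in $file"
        return 3
    fi
    if [ -n "$ca" ]; then
        # openssl crl prints "verify OK" (on stderr) only when the issuer is found
        # in CA_FILE and the signature checks out; anything else is a failure
        out=$(openssl crl -in "$file" -CAfile "$ca" -verify -noout 2>&1) || true
        case $out in
            *"verify OK"*) ;;
            *) echo "check: CRL in $file does not verify against $ca"; return 4 ;;
        esac
    fi
    echo "check: $file ok: $(openssl crl -in "$file" -noout -issuer -nextupdate | tr '\n' ' ')"
    return 0
}

# make_fixture DIR: constructed test data, not real OPNsense files. A throwaway
# CA, an empty (no revocations) CRL it signed, an unrelated second CA, and the
# broken variants that trigger OpenVPN's "cannot read CRL from file" warning.
make_fixture() {
    dir=$1
    mkdir -p "$dir"
    : >"$dir/index.txt"
    echo 01 >"$dir/crlnumber"
    cat >"$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = example
[ example ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 30
EOF
    for name in ca other; do
        openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=example-$name" -keyout "$dir/$name.key" -out "$dir/$name.crt" \
            >/dev/null 2>&1
    done
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/good.crl" >/dev/null 2>&1
    : >"$dir/empty.crl"                                  # zero bytes
    cp "$dir/ca.crt" "$dir/cert-not-crl.crl"             # a certificate where a CRL belongs
    printf -- '-----BEGIN X509 CRL-----\n!!! not base64 !!!\n-----END X509 CRL-----\n' \
        >"$dir/bad-body.crl"                             # right header, unparseable body
}

# Demo on the constructed fixture. On an OPNsense box the equivalent call is
#   check_crl_file /var/etc/openvpn/server1.crl-verify /var/etc/openvpn/server1.ca
# run as the user the openvpn process runs as (root in the post above).
demo=${TMPDIR:-/tmp}/crl-check.$$
make_fixture "$demo"
for f in good.crl empty.crl cert-not-crl.crl bad-body.crl missing.crl; do
    check_crl_file "$demo/$f" "$demo/ca.crt" || echo "  -> status $?"
done
check_crl_file "$demo/good.crl" "$demo/other.crt" || echo "  -> status $?"
rm -rf "$demo"
```

The order of the checks mirrors where OpenVPN's log would complain: a status of 2 corresponds to the "no start line" warning in the post, and a file that gets status 0 against the server's own CA (server1.ca) should no longer produce "VERIFY ERROR: CRL not loaded" once the service is restarted, since OpenVPN loads the crl-verify file itself from the path in the generated server1.conf.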

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved