After upgrade to 16.7.11 OpenVPN clients cannot connect anymore

Started by Rayman, December 17, 2016, 02:13:10 PM

Hi,

I just upgraded to 16.7.11, and my OpenVPN client cannot connect anymore. Before the upgrade it was fine, now it stays on connecting.

Server log:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed

The firewall rules on wan and openvpn are there, and again, was working fine.

Any ideas?

Downgrade to previous version?

Kind regards,
Ray

Hi Rayman,

We should try to see if the older OpenVPN version still works for you.

For this I need your architecture/crypto combo (e.g. amd64/OpenSSL).


Cheers,
Franco

Hi Franco,

The appliance is an A10 Quad Core with SSD with OpenSSL.

Actually, I have the same problem with 2 different clients, both A10/OpenSSL.

When I reboot the appliance, I can connect with OpenVPN, but just for 15-30 seconds, then it stops working...

Also, I tried to update to v17, but all shell commands seem to fail, even a pkg update fails...

I now go to my client, to downgrade to 16.7 with memstick, and then I don't upgrade the appliance, which I know should work.


Edit: I tried switching 1 of the appliances to LibreSSL, but same problem.

Edit2: I downgraded 1 of the clients with memstick to 16.7. Restored configuration, OpenVPN worked instantly.

If you stay on 16.7 it's going to be difficult to diagnose.

In any case, upgrading to 16.7.11 will leave you with OpenVPN 2.3.14, but you can install 2.3.13 using:

# pkg add -f https://pkg.opnsense.org/FreeBSD:10:amd64/16.7/MINT/16.7.10/OpenSSL/All/openvpn-2.3.13_1.txz

OpenVPN 2.4 is around the corner. I'm expecting more troubles due to latent changes in the near future.

You also really need to state which version you used prior to updating, otherwise 16.7 to 16.7.11 is a really wide window. ;)


Cheers,
Franco

Hi Franco,

I tried to install OpenVPN 2.3.13 with the command you wrote, did not work. I don't recall the exact error, but when I entered the line, it took about 10 minutes and then it said something like: No package created, or no package available... (also pkg update takes long time and does nothing).

For the old version, I installed and updated this appliance on November 7th. According to the releases it should have been 16.7.7.

I now have downgraded with usb stick to 16.7 (.1?). Everything seems to work ok now.

Is it possible to upgrade to 16.7.7, which I know works? I can't do it from the webinterface, which would bring me back to 16.7.11 and (maybe) broken OpenVPN...

Edit: I seem to have a solution now. As you can read above this, I downgraded to 16.7 release. I then locked the OpenVPN package and upgraded to 16.7.11. After reboot OpenVPN (2.3.11) would not start, so I updated OpenVPN to 2.3.13. After this, also OpenVPN would start AND I can connect now! Finally I locked the OpenVPN package again.


Thanks,
Ray



We have a new test package.... fraenki confirmed it works:

# pkg add -f https://pkg.opnsense.org/snapshots/openvpn-2.3.14_1.txz

A quick heads-up on this is appreciated. This would affect a lot of users outside of OPNsense, too.


Cheers,
Franco

@Rayman: It would be interesting to know if your OpenVPN configuration uses either "topology net30" or "topology subnet"? (it's the "Topology" setting in the GUI: unchecked means "net30", checked means "subnet")

@fraenki: It's unchecked. I followed this guide: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html.
If I read correctly (here: https://community.openvpn.net/openvpn/wiki/Topology), I should enable this, right?

@franco: If I try this, I get the following messages:
root@OPNsense:~ # pkg install -f https://pkg.opnsense.org/snapshots/openvpn-2.3.14_1.txz
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
pkg: No packages available to install matching 'https://pkg.opnsense.org/snapshots/openvpn-2.3.14_1.txz'; have been found in the repositories.

I did unlock OpenVPN before I tried this. Also rechecked the current package version, which is 2.3.13_1.

In System/firmware/settings I have both on Default.


Kind regards,
Ray
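The pin-upgrade-repin sequence Ray describes a few posts up, and the `pkg install` versus `pkg add` mismatch visible in the terminal output just above (pkg install looks a name up in the configured repositories, so handing it a URL yields "No packages available to install"; a URL or a local .txz goes through pkg add), as one added shell example. This is not code from the thread or from OPNsense. It assumes FreeBSD pkg(8), uses the 2.3.13_1 URL Franco quoted, and uses plain `pkg upgrade` for the upgrade step purely as an illustration; whichever updater you normally run would sit in that slot. With DRY_RUN=1 it prints the pkg commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense: hold the openvpn package
# across an upgrade, force in a specific build, then hold it again.
# Assumes FreeBSD pkg(8). Set DRY_RUN=1 to print the pkg commands instead of
# running them.

# The 2.3.13_1 build quoted in the thread (16.7 / amd64 / OpenSSL).
OPENVPN_URL="https://pkg.opnsense.org/FreeBSD:10:amd64/16.7/MINT/16.7.10/OpenSSL/All/openvpn-2.3.13_1.txz"

# pkg install resolves a package *name* against the repositories; a URL or a
# local .txz archive must be installed with pkg add. Echo the right subcommand.
pkg_subcommand() {
    case "$1" in
        http://*|https://*|file://*|/*|*.txz) echo add ;;
        *) echo install ;;
    esac
}

# Run a pkg invocation, or just print it when DRY_RUN=1.
run_pkg() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "pkg $*"
    else
        pkg "$@"
    fi
}

# 1. lock openvpn so the upgrade leaves it alone
# 2. upgrade the rest of the system (assumption: plain pkg upgrade)
# 3. unlock, force-install the chosen openvpn build (URL, file or name)
# 4. lock it again so the next upgrade does not replace it
pin_upgrade_repin() {
    pkg_arg="$1"
    run_pkg lock -y openvpn
    run_pkg upgrade -y
    run_pkg unlock -y openvpn
    run_pkg "$(pkg_subcommand "$pkg_arg")" -f "$pkg_arg"
    run_pkg lock -y openvpn
}

# Show the sequence for the quoted URL without touching the system.
DRY_RUN=1 pin_upgrade_repin "$OPENVPN_URL"
```

Drop `DRY_RUN=1` from the last line to actually run the sequence; `pkg lock -l` afterwards lists the held packages, so you can confirm openvpn is still pinned after the next upgrade.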




Hi Franco,

This works fine now. I have tried with Topology on and off.

Thanks, great!!

Hi Rayman,

Glad to hear. We're already talking to OpenVPN about this in the bug report that fraenki posted.


Cheers,
Franco