Some confusion with 1:1 OpenVPN migration legacy to Instances

Started by vpx, March 31, 2025, 04:19:13 PM

Lately, when I updated from OPNsense 24.4.3 to 24.10.2, I also tried to switch from "VPN: OpenVPN: Servers [legacy]" to the new "VPN: OpenVPN: Instances", but I had to cancel that because of an error in the OpenVPN log:

Options error: --local addresses must be distinct from --ifconfig addresses
So I used the first address of the OpenVPN pool as "Bind address", which was probably wrong and binds to a physical interface and not to a new virtual interface (ovpns2)?

OpenVPN      OPNsense legacy          OPNsense Instances (new)
--ifconfig   "Interface"              "Bind address"
--local      "IPv4 Tunnel Network"    "Server (IPv4)"
--route      "IPv4 Local Network"     "Local Network"
--remote     "IPv4 Remote Network"    "Remote Network"

Is the assignment in the above table correct (Road Warrior setup)? If yes, then why does the new "Instances" not have a multi-select field for existing interfaces like the old one did?

The bind address is the interface address the server is listening on.
If you want to have it listen on all interface addresses leave the field empty.

In case you want to have it listen on certain addresses, however, you can bind it to a specific one and forward the others to this one.

Yeah, I got that now. But isn't it a step backwards? Before, you could provide multiple system aliases like LAN1, WAN2, etc.

Now you can only provide a single IP, which is not dynamically updated like the previous system aliases were.

Edit: Sorry, I just checked again and the old "Interface" field was just a single-select field, not a multi-select field.

OK, here is a new problem. :-)

OpenVPN server (openvpn_server2) starting:

WARNING: --keepalive option is missing from server config
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Could not determine IPv4/IPv6 protocol. Using AF_INET6

Can I ignore the first two warnings? The last warning was a stupid mistake: I selected "UDP" as the protocol instead of "UDP (IPv4)". That is fixed at least.

User connecting (old error just to see that it was IPv6):

tls-crypt unwrap error: packet authentication failed
TLS Error: tls-crypt unwrapping failed from [AF_INET6]::ffff:xx.xxx.xxx.xxx:34016 (via ::ffff:yyy.yyy.yy.yy%ix0)

User connecting (now correct IPv4):

tls-crypt unwrap error: packet authentication failed
TLS Error: tls-crypt unwrapping failed from [AF_INET]xx.xxx.xxx.xxx:53148 (via [AF_INET]yyy.yyy.yy.yy%)

https://forum.opnsense.org/index.php?topic=21602.0

This user says setting the OpenVPN (Connect?) client to UDP4 solved the problem, but the default setting in the Connect client is "adaptive", which should automatically decide between TCP and UDP; also, the server was always UDP4. So we can rule out the client.

The TLS Shared Key is set to "crypt (Encrypt and authenticate all control channel packets)". The same key is selected as "TLS static key" in the instance.

This user got the same problem:

https://forum.opnsense.org/index.php?topic=43784.0
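The three start-up messages quoted in this thread (the "--local addresses must be distinct from --ifconfig addresses" error from the opening post, and the missing-keepalive and "Using AF_INET6" messages above) can all be caught by reading the rendered server config before OpenVPN does. The following linter is an added example and not code from the forum or from OPNsense; the sample configs, the tunnel network 10.0.8.0/24 and the WAN bind address 10.10.8.1 are constructed for illustration.

```python
"""Added example, not code from the forum thread or from OPNsense.

A small linter for a rendered OpenVPN server config that reproduces the
three start-up messages discussed above: "--local addresses must be
distinct from --ifconfig addresses", "WARNING: --keepalive option is
missing" and "Could not determine IPv4/IPv6 protocol. Using AF_INET6".
Sample configs and addresses are constructed.
"""
import ipaddress


def parse_config(text):
    """Minimal OpenVPN config parser: {directive: [args]}, last one wins.

    Lines starting with '#' or ';' are comments; inline <tag>...</tag>
    blocks (keys, certificates) are skipped.
    """
    directives = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives


def lint_server_config(text):
    """Return a list of (level, directive, message) findings."""
    cfg = parse_config(text)
    findings = []

    # 1. Bind address vs tunnel network.  --server NET MASK expands to an
    #    --ifconfig whose local address is the first host of NET, and OpenVPN
    #    refuses a --local equal to an --ifconfig address.  Any address inside
    #    the tunnel network is wrong as a bind address: it exists only on the
    #    tun device, never on a physical interface.
    if "server" in cfg and "local" in cfg and len(cfg["server"]) >= 2:
        tunnel = ipaddress.ip_network(
            f"{cfg['server'][0]}/{cfg['server'][1]}", strict=False)
        bind = ipaddress.ip_address(cfg["local"][0])
        if bind in tunnel:
            findings.append(("error", "local",
                f"bind address {bind} lies inside tunnel network {tunnel}; "
                "use an address of a real interface (e.g. WAN) or leave it empty"))

    # 2. keepalive: OpenVPN warns when a server config has none.  This linter
    #    also accepts an explicit ping/ping-restart pair as equivalent.
    if "keepalive" not in cfg and not ("ping" in cfg and "ping-restart" in cfg):
        findings.append(("warning", "keepalive",
            "no keepalive; dead clients are not detected (e.g. 'keepalive 10 60')"))

    # 3. Address family: 'proto udp' without a 4/6 suffix leaves the family to
    #    OpenVPN, which falls back to AF_INET6 when nothing (such as a --local
    #    address) pins it down.  udp4/udp6 (tcp4/tcp6) make it explicit.
    proto = cfg.get("proto", ["udp"])[0]
    if proto in ("udp", "tcp", "tcp-server", "tcp-client") and "local" not in cfg:
        findings.append(("note", "proto",
            f"'proto {proto}' has no address family and no bind address to infer "
            "it from; OpenVPN may pick AF_INET6, use udp4/udp6 (or tcp4/tcp6)"))

    return findings


# Constructed sample: bind address taken from the tunnel pool, no keepalive.
BAD_BIND = """\
dev tun
proto udp4
local 10.0.8.1
server 10.0.8.0 255.255.255.0
"""

# Constructed sample: no bind address and no address family on the protocol.
NO_FAMILY = """\
dev tun
proto udp
server 10.0.8.0 255.255.255.0
keepalive 10 60
"""

# Constructed sample: bound to a WAN address, explicit IPv4, keepalive set.
GOOD = """\
dev tun
proto udp4
local 10.10.8.1
server 10.0.8.0 255.255.255.0
keepalive 10 60
"""

if __name__ == "__main__":
    for name, text in (("BAD_BIND", BAD_BIND), ("NO_FAMILY", NO_FAMILY), ("GOOD", GOOD)):
        print(name, lint_server_config(text) or "clean")
```

On OPNsense the rendered file lives under /var/etc/openvpn/ (the exact name depends on the instance), so the linter can be pointed at it after saving the instance and before starting it.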

OK, I found the problem, this thread brought it to my attention.

https://www.reddit.com/r/OpenVPN/comments/hi2zgb/openvpn_configuration_not_connecting_to_server/

I didn't actually copy the old key from the legacy settings but created a new one.

The old one is tls-auth, the new one is tls-crypt. So I either have to use the old key with auth only or download and distribute all .ovpn files again.

When I look at the tutorial again I see why I made the mistake with the bind address.

https://docs.opnsense.org/manual/how-tos/sslvpn_instance_roadwarrior.html

The bind address is 10.10.8.1 (WAN), which is very similar to the VPN pool network address 10.1.8.0, so I misread it as 10.1.8.1.

By the way there is a mistake in the schema, the road warrior IP shows 10.2.8.2 when it should read 10.0.8.2.

I think I also understand now why there is no migration assistant: the encryption algorithm (--cipher) has been deprecated since server version 2.4.0. It's probably hidden to discourage its use.

If you want to do a 1:1 migration to save distributing the configs to the clients again you have to activate the "advanced mode" in the new instance and change "Auth" and "Data Ciphers" to match the legacy configuration.

Also, according to the OpenVPN reference manual the default auth digest algorithm is SHA1, which differs from the old legacy tutorial where it is SHA512. Isn't that contradicting the recommendations of the previous tutorial? Or is "OpenVPN default" in OPNsense its own definition?
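The two things that made the old profiles unusable in this thread (a tls-auth key on the client against a freshly generated tls-crypt key on the instance, and "Auth"/"Data Ciphers" that no longer match the legacy server) can be checked against the distributed .ovpn files before anyone reconnects. The following checker is an added example and not code from the forum or from OPNsense; the profile, the instance settings and the static key bodies are constructed, and the "cipher X is appended to the default data-ciphers list" rule for OpenVPN 2.5+ clients is an assumption about client behaviour, not something stated on this page.

```python
"""Added example, not code from the forum thread or from OPNsense.

Compares a client .ovpn profile with the settings of the OpenVPN instance it
is meant for: TLS key mode (tls-auth vs tls-crypt), the static key itself,
the auth digest and the data ciphers.  Every finding is a reason the profile
would have to be redistributed.  Profile, instance settings and key bodies
are constructed for this example.
"""
import hashlib
import re

BLOCK_RE = re.compile(r"<(?P<tag>[\w-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)


def parse_profile(text):
    """Return (directives, inline_blocks): {name: [args]} and {tag: body}."""
    blocks = {m.group("tag"): m.group("body") for m in BLOCK_RE.finditer(text)}
    directives = {}
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            parts = line.split()
            directives[parts[0]] = parts[1:]
    return directives, blocks


def key_fingerprint(key_text):
    """Hash of a static key's hex body (BEGIN/END lines and whitespace ignored)."""
    body = "".join(l.strip() for l in key_text.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(body.encode()).hexdigest()[:16]


def tls_mode(directives, blocks):
    """Control-channel protection the profile uses, or None."""
    for mode in ("tls-crypt-v2", "tls-crypt", "tls-auth"):
        if mode in directives or mode in blocks:
            return mode
    return None


def check_profile(profile_text, instance):
    """instance = {tls_mode, tls_key, auth, data_ciphers}.  Returns the findings
    and the data cipher the server would negotiate (None if there is no overlap)."""
    d, b = parse_profile(profile_text)
    findings = []

    mode = tls_mode(d, b)
    if mode != instance["tls_mode"]:
        # A tls-auth profile against a tls-crypt instance is what shows up as
        # "tls-crypt unwrap error: packet authentication failed" on the server.
        findings.append(f"tls mode: profile uses {mode}, instance uses {instance['tls_mode']}")
    elif mode is not None:
        inline_key = b.get(mode)  # a 'tls-auth ta.key' file reference cannot be compared here
        if inline_key and key_fingerprint(inline_key) != key_fingerprint(instance["tls_key"]):
            findings.append("tls key: profile carries a different static key than the instance")
        if mode == "tls-auth":
            # With tls-auth the server uses key direction 0 and clients use 1;
            # no direction at all means bidirectional mode, which does not match.
            kd = d.get("key-direction") or d.get("tls-auth", [])[1:2] or ["unset"]
            if kd[0] != "1":
                findings.append(f"key-direction: profile has {kd[0]}, a client needs 1")

    # The auth digest protects the tls-auth HMAC and any CBC data cipher.
    client_auth = d.get("auth", ["SHA1"])[0].upper()  # OpenVPN's own default is SHA1
    if client_auth != instance["auth"].upper():
        findings.append(f"auth: profile uses {client_auth}, instance uses {instance['auth']}")

    # Data cipher: the server takes the first entry of its own list the client offers.
    # Assumption (OpenVPN 2.5+ clients): a profile with only 'cipher X' offers the
    # default list plus X, so an old AES-256-CBC profile still negotiates GCM.
    if "data-ciphers" in d:
        offered = d["data-ciphers"][0].upper().split(":")
    else:
        offered = ["AES-256-GCM", "AES-128-GCM"] + [c.upper() for c in d.get("cipher", [])]
    cipher = next((c for c in instance["data_ciphers"] if c.upper() in offered), None)
    if cipher is None:
        findings.append(f"cipher: profile offers {offered}, instance allows {instance['data_ciphers']}")
    return {"findings": findings, "cipher": cipher}


# Constructed fake keys (real OpenVPN static keys have a 512 hex character body).
OLD_KEY = """-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
fedcba9876543210fedcba9876543210
-----END OpenVPN Static key V1-----"""
NEW_KEY = OLD_KEY.replace("0123456789", "deadbeef00")

# Constructed: a profile as the legacy server might have exported it.
LEGACY_PROFILE = f"""client
dev tun
proto udp4
remote vpn.example.net 1194
auth SHA512
cipher AES-256-CBC
key-direction 1
<tls-auth>
{OLD_KEY}
</tls-auth>
"""

# A new instance left at its defaults with a freshly generated tls-crypt key ...
FRESH_INSTANCE = {"tls_mode": "tls-crypt", "tls_key": NEW_KEY, "auth": "SHA1",
                  "data_ciphers": ["AES-256-GCM", "AES-128-GCM"]}
# ... and one set up in advanced mode to match the legacy server 1:1.
MIGRATED_INSTANCE = {"tls_mode": "tls-auth", "tls_key": OLD_KEY, "auth": "SHA512",
                     "data_ciphers": ["AES-256-GCM", "AES-128-GCM", "AES-256-CBC"]}

if __name__ == "__main__":
    for name, inst in (("fresh", FRESH_INSTANCE), ("migrated", MIGRATED_INSTANCE)):
        print(name, check_profile(LEGACY_PROFILE, inst))
```

Run over a directory of exported profiles, the "findings" list tells you which clients need a new .ovpn and which can keep the old one; an empty list for the migrated instance is what a true 1:1 migration looks like.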