21.7.3 OpenVPN - tls-crypt not working?

Started by scrensen, September 23, 2021, 12:23:11 PM

Hi all,

I just upgraded to 21.7.3 and I see it has tls-crypt support for OpenVPN.

So I headed over to my server config looking to enable tls-crypt and found an option under 'TLS Authentication' called 'enabled - authentication & encryption', which seemed the right option (although I'm not sure whether this was there in a previous version or not).

So I select this option and press 'Save' and go back into the settings. And there I see that the option jumped back to 'Enabled - authentication only', which was the initial value.

Can't find anything in the logs that points in the right direction. Anyone have any idea?

Exactly the same here for both of my existing servers, that option does not stick.

Not only existing servers, just tried a new one. Also does not stick.

If I remember correctly the configured options get written to the OpenVPN config file on the filesystem, but next time you make changes the webui loads the default value, and if you forget to reconfigure it again and apply, the incorrect value will get saved.

I've encountered it for another OpenVPN option prior to 21.7.3.
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover


Quote from: sorano on September 23, 2021, 08:05:55 PM
If I remember correctly the configured options get written to the OpenVPN config file on the filesystem, but next time you make changes the webui loads the default value, and if you forget to reconfigure it again and apply, the incorrect value will get saved.

I've encountered it for another OpenVPN option prior to 21.7.3.

Not here, freshly applied

root@OPNsense:~ # cat /var/etc/openvpn/server*.conf | grep tls
tls-server
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'OpenVPN' 1"
tls-auth /var/etc/openvpn/server1.tls-auth 0
tls-server
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'OpenVPN' 1"
tls-auth /var/etc/openvpn/server2.tls-auth 0

Sorry, that's https://github.com/opnsense/core/commit/98e6d76d

# opnsense-patch 98e6d76d

Something wrong with the initial merge to master after testing.


Cheers,
Franco
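The grep above is the right check: the setting that matters is what ended up in the generated server config, not what the web UI shows. The script below is an added example, not part of this thread and not OPNsense's own tooling. It reports for each generated config whether the control channel is protected with tls-crypt, tls-auth or nothing at all, so the check can be repeated after an upgrade or hotfix. The /var/etc/openvpn/server*.conf path is taken from the thread; the three sample configs are constructed here for offline use and are not real OPNsense output.

```shell
# Added example, not from the thread or from OPNsense. Report which
# control-channel protection an OpenVPN server config actually uses.

# Print "tls-crypt" (also covers tls-crypt-v2), "tls-auth" or "none"
# for the config file given as $1. Only uncommented directives count.
ovpn_tls_mode() {
    cfg="$1"
    if grep -Eq '^[[:space:]]*tls-crypt(-v2)?[[:space:]]' "$cfg"; then
        echo tls-crypt
    elif grep -Eq '^[[:space:]]*tls-auth[[:space:]]' "$cfg"; then
        echo tls-auth
    else
        echo none
    fi
}

# Return 0 only if every config given matches the expected mode. On a
# firewall this would be run as, for example:
#   ovpn_tls_expect tls-crypt /var/etc/openvpn/server*.conf
ovpn_tls_expect() {
    want="$1"; shift
    rc=0
    for f in "$@"; do
        got=$(ovpn_tls_mode "$f")
        if [ "$got" = "$want" ]; then
            echo "OK   $f: $got"
        else
            echo "FAIL $f: $got (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not real OPNsense output), one per case.
tmp=$(mktemp -d)
cat > "$tmp/server1.conf" <<'EOF'
tls-server
tls-auth /var/etc/openvpn/server1.tls-auth 0
EOF
cat > "$tmp/server2.conf" <<'EOF'
tls-server
tls-crypt /var/etc/openvpn/server2.tls-crypt
EOF
cat > "$tmp/server3.conf" <<'EOF'
tls-server
# tls-crypt commented out: the control channel is unprotected
EOF

# Expect tls-crypt everywhere; server1 and server3 are reported as FAIL.
ovpn_tls_expect tls-crypt "$tmp"/server*.conf || echo "some servers are not using tls-crypt"
```

A "none" result deserves attention even when the UI looks right: a server with neither directive accepts TLS handshakes from anyone who can reach the port, which is exactly the exposure tls-auth and tls-crypt exist to remove.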

Thanks!

Never had to patch before, so nice to finally do this :)

And it works!

Thanks for confirming. It's been hotfixed now and available as update to 21.7.3_1.


Cheers,
Franco