OpenVPN after upgrading 22.7.3 -> 22.7.4

Started by MUD, September 12, 2022, 01:21:45 AM

September 12, 2022, 01:21:45 AM Last Edit: September 12, 2022, 04:04:04 AM by MUD
Hey all,

Like most I was affected by the 22.7.3 issue with OpenVPN...

Most issues were resolved and I can connect with VPN, but not for a long period of time; then no data is transmitted via OpenVPN.

This happens with all clients.

Seeing:
99.XXX.XXX.XXX:51444 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:99.XXX.XXX.XXX:51444 (via ::ffff:72.XXX.XXX.XXX%em0)

Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1662934470) 2022-09-11 18:14:30 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

If not, how can I revert to 22.7.2, before these issues began, using opnsense-revert?


Thanks for the quick reply... This did not resolve the issue.

No changes were made and it was working fine (approx. 1 year) from >22.7.0 until 22.7.2; it seemed to break after the 22.7.3 update, and the OpenVPN disconnects continued after the 22.7.4 update.

Still not resolved. Any solution will be much appreciated =)

I'd guess this message comes from time to time for everyone, and now, since you only see warnings per default, you see only these messages. Same for me... but OpenVPN runs fine for all users.

I also had such an issue with 22.7.4.
Please check if the OpenVPN daemon is running; at my setup it crashed at startup!
Removing the CRL from the OpenVPN config seems to fix the issue.

September 12, 2022, 07:49:00 PM #5 Last Edit: September 12, 2022, 09:32:26 PM by MUD
Quote from: mschaeffler on September 12, 2022, 06:00:58 PM
I also had such an issue with 22.7.4.
Please check if the OpenVPN daemon is running; at my setup it crashed at startup!
Removing the CRL from the OpenVPN config seems to fix the issue.
Once again thank you for the quick replies.

* OpenVPN daemon is running
- Yes

* Removing the CRL from the OpenVPN config
- I'm assuming you mean "Peer Certificate Revocation List" in the server config? It is set to none

These have been set and running and the issue still remains.

Same problem here: if I turn on the 'Peer Certificate Revocation List' option, the GUI crashes when I hit the save button and shows the following error message:

Fatal error: Uncaught Error: Call to undefined method phpseclib3\Crypt\EC\PrivateKey::withPadding() in /usr/local/etc/inc/certs.inc:666 Stack trace: #0 /usr/local/etc/inc /plugins.inc.d/openvpn.inc(834): crl_update(Array) #1 /usr/local/etc/inc/plugins.inc.d/openvpn.inc(1115): openvpn_reconfigure('server', Array) #2 /usr/local/www/vpn_openvpn_server.php(450): openvpn_configure_single('1') #3 {main} thrown in /usr/local/etc/inc/certs.inc on line 666

With the CRL option enabled, the OpenVPN service fails to start after a reboot.

Without the CRL, the VPN works fine.

@coolmint can you try if https://github.com/opnsense/core/commit/67e4a1dd99a39b09c2c1424b34d280901ca0483f fixes your issue?

The withPadding error indicates that you're using Elliptic Curve certificates, which don't support/require padding. Given past issues with phpseclib so far, I'm not 100% sure this will be a complete fix, but it's easy to try. From a console you can install the patch using the following command:

opnsense-patch 67e4a1d

Best regards,

Ad
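To illustrate the key-type mismatch behind the fatal error quoted above, here is an added example (not code from this thread, OPNsense or the linked commit) that prepares a CRL signing key with phpseclib3 and only applies RSA padding when the key actually is RSA; the vendor autoload path is assumed.

```php
<?php
// Added example, not OPNsense's code: choose signing options by key type so that
// an EC private key is never asked for withPadding(), which only RSA keys define.
require __DIR__ . '/vendor/autoload.php'; // assumed composer autoload location

use phpseclib3\Crypt\PublicKeyLoader;
use phpseclib3\Crypt\RSA;
use phpseclib3\Crypt\EC;

/**
 * Load a PEM private key and return it ready for X.509/CRL signing.
 * RSA keys get PKCS#1 v1.5 signature padding; EC keys are returned unchanged.
 */
function prepareSigningKey(string $pem, $password = false)
{
    $key = PublicKeyLoader::load($pem, $password);

    if ($key instanceof RSA\PrivateKey) {
        // RSA signatures need a padding scheme; withPadding() exists on RSA keys.
        return $key->withPadding(RSA::SIGNATURE_PKCS1);
    }

    if ($key instanceof EC\PrivateKey) {
        // ECDSA has no padding concept. Calling $key->withPadding() here would
        // raise exactly the "Call to undefined method ...EC\PrivateKey::withPadding()"
        // fatal error reported in the thread, so the key is used as loaded.
        return $key;
    }

    throw new InvalidArgumentException('unsupported private key type: ' . get_class($key));
}

// Constructed demo keys (generated at runtime, not taken from any real setup).
$rsaPem = RSA::createKey(2048)->toString('PKCS8');
$ecPem  = EC::createKey('secp256r1')->toString('PKCS8');

foreach (['RSA' => $rsaPem, 'EC' => $ecPem] as $label => $pem) {
    $signer = prepareSigningKey($pem);
    printf("%s key -> %s\n", $label, get_class($signer));
}
```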

@MUD:
Sorry for hijacking your post!

@AdSchellevis:
Great - applying the suggested patch fixed the issue!
OpenVPN with enabled CRL option (using Elliptic Curve certificates) is up and running again.

Many many thanks!

@coolmint Thanks for confirming, we'll try to ship the fix in the next release. The phpseclib migration needed for php8 has been a bit more bumpy than expected, but eventually we'll get there.

Best regards,

Ad