OpenVPN Windows Client 2.6

Started by Andi.K, February 13, 2023, 06:26:27 PM

Hello all,

I currently have the problem that various VPN profiles no longer work under Windows with version 2.6. The OPNsense systems mostly have 23.1_6.

It seems to be a problem with the exported VPN profiles with OpenSSL 1.1.1

Is there a way to accept the profiles (p12 certificates) again?

Best, Andy

What exactly is your problem? Can you describe with more details please? :-)

Absent from OPNsense I already heard about problems using this client.
Logs could be useful. Deprecated encryption settings maybe... ?
i am not an expert... just trying to help...

I have a kind of similar problem here on my machine, after updating the OpenVPN Windows Client from 2.5.8 to 2.6.0.

I click on "Connect" via the tray icon and enter my username and password, as always.
After clicking "OK", a (for me) new dialog comes up, asking for a Private Key Password. Which password is meant?

I never set a password for private key. The files were exported via OPNsense export function.

Quote
Tue Feb 14 10:41:03 2023 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Tue Feb 14 10:41:03 2023 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations.
Tue Feb 14 10:41:03 2023 OpenVPN 2.6.0 [git:v2.6.0/b999466418dddb89] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jan 25 2023
Tue Feb 14 10:41:03 2023 Windows version 10.0 (Windows 10 or greater), amd64 executable
Tue Feb 14 10:41:03 2023 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
Tue Feb 14 10:41:44 2023 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Feb 14 10:41:44 2023 OpenSSL: error:0308010C:digital envelope routines::unsupported
Tue Feb 14 10:41:44 2023 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
Tue Feb 14 10:41:44 2023 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
Tue Feb 14 10:41:44 2023 SIGUSR1[soft,private-key-password-failure] received, process restarting



February 14, 2023, 11:11:48 AM #4 Last Edit: February 14, 2023, 11:13:49 AM by franco
I wonder why maintainers strengthen their policies by rejecting their old defaults... We've heard this about OpenSSL 3 and OpenVPN 2.6 now and it feels like foot-shooting especially for integrated solutions where no "human on a keyboard" is running the command on a prompt to add a trivial "--broken-by-maintainer-unfix-for-security" command line option. ;)

Also DO NOT update a client software without updating the server side.


Cheers,
Franco

Thanks for your input franco and tiermutter!
I am not sure if I understand the problem here :-|

Is the problem caused by changes in OpenVPN Client?
I cannot see a change here, but maybe I don't fully understand: https://github.com/OpenVPN/openvpn/blob/v2.6.0/Changes.rst

I updated my server side (OPNsense) now and exported the VPN configuration - same dialog for password input comes up.

Have a look at the full changelog: https://github.com/OpenVPN/openvpn/blob/master/Changes.rst ;)

Simply use the 2.5.x client until there is an update for OVPN on OPNsense :)
i am not an expert... just trying to help...

Got it now... Thanks again :-)

The password dialog is gone after uninstalling 2.6.0 and installing 2.5.8.

I noticed the extra sentence in release notes regarding OpenVPN situation. Good work!

May 05, 2023, 08:01:52 PM #8 Last Edit: May 08, 2023, 06:19:48 PM by smema79
Hello everyone
I tried to install OPN version 23.1.7_3, which includes the OpenVPN 2.6.3 server, and tried again to install the 2.6.x client, but after entering the user's credentials I continuously get the password prompt for the private key.

I tried exporting the config file again as an "Archive" and to generate again the User Cert, but nothing.

I probably misrepresented what was stated.
Wasn't it enough to wait until the version of openvpn server was 2.6.x?

Thanks

May 08, 2023, 12:28:07 PM #9 Last Edit: May 09, 2023, 03:42:01 PM by benyamin
Is this problem related to issue 6293 by any chance?

Hello,
I am dealing with the same issue.

I think the problem is that when using "export as archive" the user certificate is somehow exported "wrong". At least it doesn't work anymore with the Community Client from version 2.6 on. The client log says "Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption".

If you do the export as a file, then it works as it should.

According to the following document, the file variant seems to be the preferred one anyway, because it works with almost all OpenVPN clients.
https://openvpn.net/vpn-server-resources/extracting-separate-certificate-files-for-a-user/
I think I'll switch to this variant, I don't see anything that would speak against it.

I wonder if the export as archive has to be improved anyway, so that it works with OpenVPN 2.6? For which scenario is this used in practice?

May 09, 2023, 03:59:01 PM #11 Last Edit: May 09, 2023, 05:23:01 PM by benyamin
@Franco alluded to the problem in his post above.

Essentially, OPNsense uses OpenSSL 1.1.1t but OpenVPN Community Client uses OpenSSL 3. OpenSSL 3 uses new envelope routines and is no longer able to parse or create PKCS#12 archives with the new default ciphers.

More info here: https://github.com/openssl/openssl/issues/11672

Apparently the workaround is to add "providers legacy default" to the ovpn file.


May 09, 2023, 05:35:41 PM #12 Last Edit: May 09, 2023, 05:51:17 PM by benyamin
Is it worth mentioning that OpenVPN Connect Client for Windows should not be affected...?

https://openvpn.net/client-connect-vpn-for-windows/

The change log indicates two things. First, it is likely still running OpenSSL 1.1.1n, and second, it appears to be poorly maintained: releases are infrequently published.

Ah, now I see more clearly, thanks for the clarification regarding OpenSSL 3.

Let me sort that out then. So users using the community client have the following options until OPNsense moves to OpenSSL 3. Clarifications and additions are welcome.

1. Stay with client version 2.5.x as long as support is guaranteed (July 2023?).
https://community.openvpn.net/openvpn/wiki/SupportedVersions

2. Use client version 2.6.x, with "providers legacy default" in client config.

3. Choose export type "File only", without possibility to protect the user certificate and private key with a password.
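The OpenSSL 3 explanation in post #11 and the three options listed above suggest a fourth approach: keep the password-protected .p12, but re-wrap it with PBES2/AES-256-CBC and a SHA-256 MAC so that an OpenSSL 3 based 2.6 client opens it without "providers legacy default". The script below is an added example, not code from the thread or from OPNsense; file names and the password are placeholders, and it only uses openssl CLI options that exist in 1.1.1 and 3.x (the -legacy fallback is 3.x only).

```shell
#!/bin/sh
# Added example: re-wrap a PKCS#12 archive produced with OpenSSL 1.1.1 defaults
# (RC2-40 / 3DES, SHA-1 MAC) into PBES2 AES-256-CBC with a SHA-256 MAC, which the
# OpenSSL 3 default provider accepts. Paths and passwords below are placeholders.
set -eu

# extract_p12 <in.p12> <password>: writes key + certs as unencrypted PEM to stdout.
# The default providers are tried first; -legacy (OpenSSL 3 only) is used only
# when the archive needs an algorithm that OpenSSL 3 moved to the legacy provider.
extract_p12() {
    in=$1; pw=$2
    if ! openssl pkcs12 -in "$in" -nodes -passin "pass:$pw" 2>/dev/null; then
        openssl pkcs12 -legacy -in "$in" -nodes -passin "pass:$pw"
    fi
}

# rewrap_p12 <in.p12> <out.p12> <password>: re-exports the same key and certs
# with PBES2 (PBKDF2 + AES-256-CBC) for both bags and an HMAC-SHA256 integrity MAC.
rewrap_p12() {
    in=$1; out=$2; pw=$3
    tmp=$(mktemp)
    extract_p12 "$in" "$pw" > "$tmp"
    openssl pkcs12 -export -in "$tmp" -out "$out" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout "pass:$pw"
    rm -f "$tmp"
}

# p12_uses_legacy_pbe <p12> <password>: returns 0 when the archive advertises an
# RC2 or 3DES password-based encryption scheme (the OpenSSL 1.1.1 defaults that
# trigger "Decoding PKCS12 failed" on 2.6 clients), 1 otherwise.
p12_uses_legacy_pbe() {
    openssl pkcs12 -info -in "$1" -passin "pass:$2" -nokeys -noout 2>&1 \
        | grep -Eq 'RC2|TripleDES|3DES'
}
```

Run `rewrap_p12 client.p12 client-aes.p12 'your-password'` and replace the .p12 referenced by the exported profile; the client then no longer needs the legacy provider.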

May 09, 2023, 08:16:58 PM #14 Last Edit: May 09, 2023, 08:21:33 PM by benyamin