Cannot connect from OpenVPN Client >= 2.6

Started by badstorm, July 24, 2023, 08:30:58 PM

Hi, I'm using the latest stable release of OPNsense (23.1) as a VPN server. From the latest Linux distros (Ubuntu 23.04, Debian 12, etc.) with OpenVPN >= 2.6 I cannot connect with the exported configuration. It seems that there is a problem with PKCS12.

This is the error I get:

...
2023-07-24 20:20:06 OpenSSL: error:0308010C:digital envelope routines::unsupported
2023-07-24 20:20:06 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
2023-07-24 20:20:06 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2023-07-24 20:20:06 Error: private key password verification failed
2023-07-24 20:20:06 Exiting due to fatal error


The password is correct and on Ubuntu 22.04 (OpenVPN 2.5.x) it works.

Is there any workaround?

Thanks

Use openssl to convert the PKCS12 file into a private key and a certificate:

To get the key:
openssl pkcs12 -in file.p12 -out private.key -nocerts -nodes

And the cert:
openssl pkcs12 -in file.p12 -out user.crt -clcerts -nokeys

Note that you can add the cert, CA chain and key to the OpenVPN conf file in <cert></cert>, <ca></ca> and <key></key> stanzas for portability https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV

Bart...

Thanks Bart, I tried what you suggested but each command gives this error:


Error outputting keys and certificates
40B7EC78967F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()


I'm using Ubuntu 23.04 with OpenVPN 2.6.1 and OpenSSL 3.0.8 7
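The error above names the algorithm OpenSSL 3 refuses: RC2-40-CBC, which older OpenSSL exports used by default to encrypt the certificate bag of a .p12 and which OpenSSL 3 only ships in its legacy provider. The following is an added example (Python, standard library only), not code from this thread, OPNsense, OpenVPN or OpenSSL: it walks the DER structure of a PKCS#12 file, collects the password-based-encryption OIDs, and says whether the bundle needs the legacy provider before you reach for Bart's conversion commands. The `build_sample_pfx` input is a constructed skeleton with the right nesting but no real keys; the OID table is real.

```python
"""Report which password-based encryption (PBE) schemes a PKCS#12 bundle uses.

Added example for this thread (standard library only); not OpenVPN, OpenSSL or
OPNsense code. A minimal DER walker collects every OBJECT IDENTIFIER and flags
the schemes OpenSSL 3 serves only from its legacy provider (RC2 based PBE), the
cause of OpenVPN 2.6's "digital envelope routines::unsupported" error.
"""
import sys

PBE_OIDS = {  # PKCS#12 PBE (1.2.840.113549.1.12.1.x) and PKCS#5 PBES2, with OpenSSL 3 status
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", "deprecated"),
    "1.2.840.113549.1.12.1.5": ("pbeWithSHA1And128BitRC2-CBC", "legacy"),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", "legacy"),
    "1.2.840.113549.1.5.13": ("PBES2 (PBKDF2 + modern cipher)", "modern"),
}

def _read_tlv(data, pos, end):
    # One DER tag/length at pos -> (tag, constructed, value_start, value_end)
    if pos + 2 > end or data[pos] & 0x1F == 0x1F:
        raise ValueError("truncated or unsupported TLV at offset %d" % pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > end:
            raise ValueError("bad DER length at offset %d" % pos)
        length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > end:
        raise ValueError("DER length runs past the enclosing element")
    return tag, bool(tag & 0x20), pos, pos + length

def _decode_oid(raw):
    # OBJECT IDENTIFIER content bytes -> dotted notation
    if not raw or raw[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    head = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(str(a) for a in head + arcs[1:])

def collect_oids(data, start=0, end=None, found=None):
    """Collect every OID, descending into OCTET STRINGs that parse as DER (PKCS#12
    nests its AuthenticatedSafe and shrouded keys that way); ciphertext is skipped."""
    end, found, pos = (len(data) if end is None else end), ([] if found is None else found), start
    while pos < end:
        tag, constructed, vstart, vend = _read_tlv(data, pos, end)
        if constructed:
            collect_oids(data, vstart, vend, found)
        elif tag == 0x06:
            found.append(_decode_oid(data[vstart:vend]))
        elif tag == 0x04:
            nested = []
            try:
                collect_oids(data, vstart, vend, nested)
                found.extend(nested)
            except ValueError:
                pass  # opaque bytes (ciphertext, salt, key material), not DER
        pos = vend
    return found

def classify(oids):
    # Map each PBE scheme present to (name, OpenSSL 3 status)
    return {o: PBE_OIDS[o] for o in sorted(set(oids)) if o in PBE_OIDS}

def needs_legacy_provider(oids):
    # True if OpenSSL 3 can only open the bundle with 'openssl pkcs12 -legacy'
    return any(status == "legacy" for _, status in classify(oids).values())

# Constructed sample input: a PKCS#12-shaped DER skeleton, not a usable bundle.
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += chunk
    return _der(0x06, bytes(body))

def build_sample_pfx(cert_pbe_oid):
    """encryptedData ContentInfo (cert bag) under cert_pbe_oid + a data ContentInfo
    holding a pkcs8ShroudedKeyBag protected with PBES2."""
    data_oid, enc_oid = _der_oid("1.2.840.113549.1.7.1"), _der_oid("1.2.840.113549.1.7.6")
    alg = _der(0x30, _der_oid(cert_pbe_oid) + _der(0x30, _der(0x04, b"\x00" * 8) + _der(0x02, b"\x08\x00")))
    eci = _der(0x30, data_oid + alg + _der(0x80, b"\xde\xad\xbe\xef"))  # [0] IMPLICIT ciphertext stand-in
    ci_enc = _der(0x30, enc_oid + _der(0xA0, _der(0x30, _der(0x02, b"\x00") + eci)))
    epki = _der(0x30, _der(0x30, _der_oid("1.2.840.113549.1.5.13") + _der(0x30, b"")) + _der(0x04, b"\x00" * 16))
    bag = _der(0x30, _der_oid("1.2.840.113549.1.12.10.1.2") + _der(0xA0, epki))
    ci_data = _der(0x30, data_oid + _der(0xA0, _der(0x04, _der(0x30, bag))))
    outer = _der(0x30, data_oid + _der(0xA0, _der(0x04, _der(0x30, ci_enc + ci_data))))
    return _der(0x30, _der(0x02, b"\x03") + outer)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pfx("1.2.840.113549.1.12.1.6")
    for oid, (name, status) in classify(collect_oids(blob)).items():
        print("%-25s %-34s %s" % (oid, name, status))
    print("needs OpenSSL legacy provider:", needs_legacy_provider(collect_oids(blob)))
```

Run it as `python3 p12scan.py client.p12`; with no argument it scans the constructed sample. On an OpenSSL 3 host you can cross-check with `openssl pkcs12 -info -noout -legacy -in client.p12`, and once a bundle is flagged the durable fix is to re-encode it rather than to keep enabling the legacy provider: `openssl pkcs12 -legacy -in client.p12 -nodes | openssl pkcs12 -export -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 -out client-new.p12` (the unencrypted PEM only passes through the pipe, never to disk). The scanner only reads algorithm identifiers, so it never needs the bundle password.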

I think the problem is with your PKCS12 file

Are there any config download options for clients under VPN: OpenVPN: Client Export at all?

I get a small cloud with down arrow for each client which yields a fully formed ovpn file with all the PKI bits.

Here are the options available in the Client-Export page. I use the Archive option. I also tried to use the Viscosity option and extract the files from the viz file, but same result.


Can you try:

Instead of Archive, select File Only
Fill in a hostname that your clients need to connect to (FQDN or IP). You can comma-separate a list (e.g. address, IP)

That should give you a list of client certificates and associated users, each with a cloud download symbol. Click one and try the resulting file.

Bart...

I tried what cookiemonster suggested. Adding the legacy options I can connect to the VPN but I cannot access resources over the VPN.
Later I'll try what Bart proposed.

But why can't OPNsense update support for newer OpenVPN/OpenSSL versions?

Now it can at least connect, good.
OPNsense 23.1 seems to be packing OpenVPN 2.6.5, so I don't expect your clients on OpenVPN 2.6.1 to have a problem to do with these versions. Major and minor are the same; there _shouldn't_ be any breaking changes between patch versions.
So either you discovered a defect or rare case in OpenVPN or there's something in the configuration that trips it up.
p.s. what the legacy element is doing has nothing to do with how the certs/bundles are created or used, but is asking the initial TLS dialogue to use a deprecated algorithm.

I also tried Bart's suggestion and with "File Only" the VPN connects correctly (also removing the legacy options).

But I cannot connect to resources over the VPN. For example I have an HTTP server that I can ping, but I get a timeout if I try to connect with the browser.

With Ubuntu 22.04 I have no problem (with the same VPN config files) but on Ubuntu 23.04 (and Debian 12) it does not work.
I'll try with a non-Debian-based distro like Fedora to see if there is the same problem.

Thanks for your help.

Quote from: badstorm on July 26, 2023, 01:18:00 PM
But I cannot connect to resources over the VPN. For example I have an HTTP server that I can ping, but I get a timeout if I try to connect with the browser.
That sounds a bit like an MTU problem. Check that you have the same value along the path and lower it if required.

Bart...

I also tried with the latest Fedora (38) but same result. I can connect to the VPN, I can ping the servers over the VPN, but I cannot connect to them (tried HTTP and SSH). On old Linux distro releases it works.

I never changed MTU parameters. Could it be a new default OpenVPN setting? I don't have much experience with MTU; what exactly do I need to check?

If you have a mismatch and a packet arrives that is too big, it will get fragmented. Firewalls drop packet fragments because they can't inspect the whole packet for hidden nasties.

The official maximum is 1500 bytes but jumbo frames take it up to about 9K. DSL is capped at 1452, so 1400 is a reasonable safe setting that is not too inefficient.

Bart...
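The arithmetic behind "DSL is capped at 1452, so 1400 is safe" is worth seeing once, because the same budget tells you what to set on other links (IPv6 transport, PPPoE, jumbo frames). The following is an added example (Python), not code from this thread, OpenVPN or OPNsense: the inner tun packet plus the outer IP/UDP headers plus OpenVPN's data-channel framing must fit in the path MTU, otherwise the carrier fragments it and stateful firewalls drop the fragments. The framing constants are assumptions for the OpenVPN 2.x data channel with an AEAD cipher (AES-GCM) and peer-id; compare them with the "Data Channel MTU parms" line in your own client log before trusting the exact figure.

```python
"""MTU budget for an OpenVPN tunnel over a path with a known MTU.

Added example for this thread, not OpenVPN or OPNsense code. The framing
constants are ASSUMPTIONS for the OpenVPN 2.x data channel (P_DATA_V2 header
with peer-id, AEAD cipher such as AES-GCM); check them against the
"Data Channel MTU parms" line of your own client log.
"""

OUTER_HEADERS = {"udp4": 20 + 8, "udp6": 40 + 8}  # outer IP header + UDP header
OPENVPN_AEAD_FRAMING = 4 + 4 + 16  # opcode/peer-id, packet-id, 16-byte AEAD tag (assumed)

def max_tun_mtu(path_mtu, transport="udp4", framing=OPENVPN_AEAD_FRAMING):
    """Largest inner packet that leaves the tunnel without being fragmented."""
    return path_mtu - OUTER_HEADERS[transport] - framing

def max_inner_mss(tun_mtu, inner_ip="ipv4"):
    """TCP MSS that fits in one inner packet (the value 'mssfix' clamps SYNs to)."""
    return tun_mtu - (20 if inner_ip == "ipv4" else 40) - 20

def fragmentation_risk(tun_mtu, path_mtu, transport="udp4"):
    """True if a full-size inner packet exceeds the path MTU once encapsulated."""
    return tun_mtu > max_tun_mtu(path_mtu, transport)

def report(path_mtu, tun_mtu=1500, transport="udp4"):
    """Summarise the budget for one path/tun combination."""
    safe = max_tun_mtu(path_mtu, transport)
    return {
        "path_mtu": path_mtu,
        "configured_tun_mtu": tun_mtu,
        "max_safe_tun_mtu": safe,
        "fragments": fragmentation_risk(tun_mtu, path_mtu, transport),
        "inner_mss": max_inner_mss(min(tun_mtu, safe)),
    }

if __name__ == "__main__":
    # Ethernet, PPPoE, and the DSL figure quoted in the thread
    for path in (1500, 1492, 1452):
        print(report(path))
```

With the assumed framing, a 1452-byte path leaves exactly 1400 bytes for the inner packet, which is the value that fixed the connection here; `tun-mtu 1400` (or an equivalent `mssfix`) in the client config is the corresponding OpenVPN setting, assumed to be what was changed. Symptoms that match a budget overrun are exactly the ones reported: small packets such as pings pass, while HTTP or SSH, which fill the packet, stall.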

Thanks Bart, setting it to 1400 works perfectly.

But I don't understand why with old Linux distros this setting is not necessary while with the new ones it is.

Too many moving parts to say for sure, I'm afraid. There are default values all over the shop.

Glad you got it working  :)

Bart...