OPNsense 24.1 - OpenVPN TLS handshake failed

[GreenMatter]

I upgraded (remotely) to 24.1. And I'd lost OpenVPN connectivity with client throwing:

TLS handshake failed

OPNsense instance runs in VM and since I couldn't afford loosing a time for troubleshooting, I asked person with local access to rollback VM snapshot, back to 23.7.12.
So, my UDP server config is as follows:

Code: [Select]

dev ovpns9
verb 3
dev-type tun
dev-node /dev/tun9
writepid /var/run/openvpn_server9.pid
script-security 3
daemon openvpn_server9
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-GCM
auth SHA256
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
client-connect "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '9'"
tls-server
server 172.16.6.0 255.255.255.240
client-config-dir /var/etc/openvpn-csc/9
server-ipv6 2001:X:X:X::/112
client-config-dir /var/etc/openvpn-csc/9
tls-verify "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '9'"
lport XXXX
management /var/etc/openvpn/server9.sock unix
max-clients 20
push "dhcp-option DOMAIN XYZ.net"
push "dhcp-option DNS 172.16.1.47"
push "dhcp-option DNS 172.16.6.1"
push "dhcp-option DNS 2001:X:X:X::1"
push "dhcp-option DNS 2001:X:X:X::47"
push "dhcp-option NTP 172.16.6.1"
push "dhcp-option NTP 2001:X:X:X::1"
push "redirect-gateway def1"
client-to-client
ca /var/etc/openvpn/server9.ca
cert /var/etc/openvpn/server9.cert
key /var/etc/openvpn/server9.key
dh /usr/local/etc/inc/plugins.inc.d/openvpn/dh.rfc7919
tls-crypt /var/etc/openvpn/server9.tls-crypt
passtos
persist-remote-ip
float
topology subnet
push "redirect-gateway ipv6 def1 block-local"
persist-local-ip
persist-remote-ip
fast-io
ifconfig-pool-persist ipp.txt
script-security 2
allow-pull-fqdn
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
local X.X.X.X
user openvpn
group openvpn
tls-version-min 1.3
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
What could have been a reason for this error in 24.1, openssl 3 and tis cipher suites?

[franco]

TLS_CHACHA20_POLY1305_SHA256 is definitely not TLS 1.3 ?

Ok, I double checked with https://wiki.openssl.org/index.php/TLS1.3 and I was wrong.

Your ciphers look ok. No idea at the moment.


Cheers,
Franco

[GreenMatter]

I’m guessing now, could have this been related to tls crypt or CA cert coming from OpenSSL 1?
I’ve seen (briefly) through shared desktop settings page of server while it was running under 24.1 and looked ok, all certificates were in place…

[sven0r]

I don't know if you already solved your problem. We had the exact same issue. OpenVPN didn't connect with an TLS handshake error, even IPsec tunnels were down.

The only issue was, that our main gateway was dropped while updating. The issue occured on both our firewalls.
Perhaps this happened to you, too.

[GreenMatter]

....
The only issue was, that our main gateway was dropped while updating. The issue occured on both our firewalls.
Perhaps this happened to you, too.

I don't think so as LAN had no connectivity issues and other services with forwarded ports were reachable.
At the moment I can't verify that as I prefer to wait with next update try until I'm physically there.
Maybe, in the meantime - 24 series will become more mature 

[GreenMatter]

OK, so I have physical access to server and after updating to 24.1 or 24.2 OpenVPN server produces following error:

172.16.4.2:55011 TLS Error: Unroutable control packet received from [AF_INET]172.16.4.2:55011 (si=3 op=P_CONTROL_V1)

What does it mean, is it TLS or firewall error?


EDIT:
After increasing verbosity...:

2024-02-23T20:13:23 Error openvpn_server9 172.16.4.2:50060 TLS Error: Unroutable control packet received from [AF_INET]172.16.4.2:50060 (si=3 op=P_CONTROL_V1)
2024-02-23T20:13:23 Error openvpn_server9 172.16.4.2:50060 TLS Error: TLS handshake failed
2024-02-23T20:13:23 Error openvpn_server9 172.16.4.2:50060 TLS Error: TLS object -> incoming plaintext read error
2024-02-23T20:13:23 Error openvpn_server9 172.16.4.2:50060 TLS_ERROR: BIO read tls_read_plaintext error  2024-02-23T20:13:23 Error openvpn_server9 172.16.4.2:50060 OpenSSL: error:0A000086:SSL routines::certificate verify failed::ssl/statem/statem_srvr.c:3524:tls_process_client_certificate
2024-02-23T20:13:23 Warning openvpn_server9 172.16.4.2:50060 WARNING: Failed running command (--tls-verify script): external program exited with error status: 255
2024-02-23T20:13:10 Warning openvpn_server9 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Is it certificate or tls-crypt?

[GreenMatter]

Anybody, anything?
Otherwise, I will need once again to downgrade opnsense... 

[GreenMatter]

So, using the same certificates and crypt, and all available settings in Openvpn server instance let me to connect to server. 
But despite I have set redirect gateway (default, block local and ipv6 default) I can connect only to LAN hosts and nothing in WAN.
What's wrong in OpenVPN in 24 series?
Everything worked great in Opnsense 23...

[GreenMatter]

So, reason for issue in 24.1 were these options:

Code: [Select]

user openvpn
group openvpnMore likely this particular user/group

# id openvpn
uid=301(openvpn) gid=301(openvpn) groups=301(openvpn)

can't run:

tls-verify "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '9'"

despite script is allowed to be executed by everybody:

-rwxr-xr-x  1 root  wheel  4522 Feb 21 12:49 ovpn_event.py