OpenVPN error after updating to Core Update 120

General questions.
jinnicky
Posts: 11
Joined: July 16th, 2013, 7:16 pm

Re: OpenVPN error after updating to Core Update 120

Post by jinnicky » May 9th, 2018, 1:39 am

I did try 1195 which it took. I downloaded the client package and put it on the remote system. On the home page of both firewalls OpenVPN is 'online' but they aren't talking to each other.

From the message log:
May 8 21:05:34 bobs-ipfire openvpnserver[21713]: OpenVPN 2.4.5 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 27 2018
May 8 21:05:34 bobs-ipfire openvpnserver[21713]: library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.09
May 8 21:05:34 bobs-ipfire openvpnserver[21714]: WARNING: --keepalive option is missing from server config
May 8 21:05:34 bobs-ipfire openvpnserver[21714]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 8 21:05:34 bobs-ipfire openvpnserver[21714]: Diffie-Hellman initialized with 2048 bit key
May 8 21:05:34 bobs-ipfire openvpnserver[21714]: OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
May 8 21:05:34 bobs-ipfire openvpnserver[21714]: Cannot load certificate file /var/ipfire/ovpn/certs/servercert.pem
May 8 21:05:34 bobs-ipfire openvpnserver[21714]: Exiting due to fatal error

So openvpn is not running and ports 1194 and 1195 are not in use.

This from /var/ipfire/ovpn/certs
[root@bobs-ipfire certs]# openssl x509 -noout -text -in servercert.pem | grep Signature
Signature Algorithm: md5WithRSAEncryption
Signature Algorithm: md5WithRSAEncryption

Bob

sky7176
Posts: 15
Joined: August 13th, 2014, 9:21 am

Re: OpenVPN error after updating to Core Update 120

Post by sky7176 » May 9th, 2018, 6:59 am

This is my output from this command:
openssl x509 -noout -text -in servercert.pem | grep Signature

[root@ipfire certs]# openssl x509 -noout -text -in servercert.pem | grep Signature
Signature Algorithm: md5WithRSAEncryption
Signature Algorithm: md5WithRSAEncryption

ummeegge
Community Developer
Posts: 4476
Joined: October 9th, 2010, 10:00 am

Re: OpenVPN error after updating to Core Update 120

Post by ummeegge » May 9th, 2018, 7:57 am

Hi,
you both have the old signature algorithm, which the new OpenVPN version does not accept anymore. The output should be

-> openssl x509 -noout -text -in /var/ipfire/ovpn/certs/servercert.pem | grep Signature
    Signature Algorithm: sha256WithRSAEncryption
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
This command

grep 'default_md' /var/ipfire/ovpn/openssl/ovpn.cnf

should look like this:

default_md			= sha256
The ovpn.cnf can be found here --> https://git.ipfire.org/?p=ipfire-2.x.gi ... ds/core120 . If your ovpn.cnf is the same, the SHA256 algorithm will be used if you regenerate the whole x509; after that, all previously existing certificates (clients) need to be newly generated.
Do not use backups of old systems because they will not work.

UE

troll-op
Posts: 12
Joined: September 23rd, 2010, 8:35 am
Location: South Africa

Re: OpenVPN error after updating to Core Update 120

Post by troll-op » May 9th, 2018, 11:37 am

Hi ummeegge

Thanks for the feedback.
My default_md claims to be md5, which is clearly the problem.
Can I just vi the ovpn.cnf and make the sha256 change there? As the webGUI says it is set to SHA2 (384bit) and the second machine is set to Whirlpool (512bit). ???
Is there anything else that needs to be modified?

All help is most appreciated. ^-^

troll-op
Posts: 12
Joined: September 23rd, 2010, 8:35 am
Location: South Africa

Re: OpenVPN error after updating to Core Update 120

Post by troll-op » May 9th, 2018, 12:27 pm

OK, turns out that did the trick.
vi /var/ipfire/ovpn/openssl/ovpn.cnf
changed the md5 to sha256.
removed x509
created the new server root and host certificate
started the OpenVPN server, and checked that it is running under services.
Now just need to create new user certificates, and all should be done. However unlike the past, the user certificate needs an expiry date, so I needed to add in for how many days the certificate will remain valid.

Thanks for the help all around. Most appreciated. :)
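As an added example (not code from the IPFire project or from any poster in this thread), the following POSIX shell script automates the two checks ummeegge describes above and gives troll-op's regeneration procedure a verification step before OpenVPN is restarted: it classifies the certificate's signature algorithm from "openssl x509 -noout -text" output and reads default_md from ovpn.cnf, tolerating the differing whitespace around "=" seen in the outputs posted in this thread. The file paths are the ones named in the thread; the function names, the OVPN_CERT/OVPN_CNF environment overrides and the entries in WEAK_DIGESTS other than md5 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the IPFire project or from this thread.
# Checks the two conditions that break OpenVPN after Core Update 120:
# an MD5-signed server certificate and default_md = md5 in ovpn.cnf.

# Paths as named in the thread; overridable for testing (assumption).
OVPN_CERT="${OVPN_CERT:-/var/ipfire/ovpn/certs/servercert.pem}"
OVPN_CNF="${OVPN_CNF:-/var/ipfire/ovpn/openssl/ovpn.cnf}"

# Digests treated as too weak for a certificate signature. MD5 is the one
# from the thread ("ca md too weak"); the others are listed as an
# assumption, on the conservative side.
WEAK_DIGESTS="md5 md4 md2 sha1"

# classify_sigalg: read `openssl x509 -noout -text` output on stdin and
# print "weak <alg>", "ok <alg>" or "unknown" for the certificate's
# signature algorithm (the first "Signature Algorithm:" line).
classify_sigalg() {
    alg=$(sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
    if [ -z "$alg" ]; then
        echo "unknown"
        return 0
    fi
    lower=$(printf '%s' "$alg" | tr 'A-Z' 'a-z')
    for d in $WEAK_DIGESTS; do
        case "$lower" in
            *"$d"*) echo "weak $alg"; return 0 ;;
        esac
    done
    echo "ok $alg"
}

# get_default_md: print the default_md value from an OpenSSL config file,
# accepting tabs or spaces around '=' and ignoring trailing comments.
get_default_md() {
    sed -n 's/^[[:space:]]*default_md[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# check_pki: run both checks against real files. Returns 0 only when the
# server certificate is not weakly signed and default_md is SHA-2.
check_pki() {
    cert="${1:-$OVPN_CERT}"
    cnf="${2:-$OVPN_CNF}"
    status=0
    if [ -r "$cert" ]; then
        verdict=$(openssl x509 -noout -text -in "$cert" 2>/dev/null | classify_sigalg)
        echo "certificate: $verdict"
        case "$verdict" in ok*) ;; *) status=1 ;; esac
    else
        echo "certificate: $cert not readable"
        status=1
    fi
    if [ -r "$cnf" ]; then
        md=$(get_default_md "$cnf")
        echo "default_md: ${md:-missing}"
        case "$md" in sha256|sha384|sha512) ;; *) status=1 ;; esac
    else
        echo "default_md: $cnf not readable"
        status=1
    fi
    return $status
}

# Demo on constructed input (the line jinnicky posted), so it runs without
# openssl present. On a firewall, run: check_pki   (or with explicit paths).
printf '%s\n' '    Signature Algorithm: md5WithRSAEncryption' | classify_sigalg
```

Run check_pki after regenerating the root and host certificates: a "weak md5WithRSAEncryption" verdict means the new certificate was still signed with the old ovpn.cnf, which is exactly the state neopegasus's output later in this thread shows (default_md already sha256 but the certificate still MD5-signed until the x509 was regenerated).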

jinnicky
Posts: 11
Joined: July 16th, 2013, 7:16 pm

Re: OpenVPN error after updating to Core Update 120

Post by jinnicky » May 9th, 2018, 7:20 pm

I copied the ovpn.cnf file to both firewalls, deleted everything, rebooted both machines and re-created the server and client.

Both machines say that OpenVPN is online, but they are not talking to each other.

The server firewall has this for the initialization:
May 9 14:51:42 bobs-ipfire openvpnserver[2482]: OpenVPN 2.4.5 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 27 2018
May 9 14:51:42 bobs-ipfire openvpnserver[2482]: library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.09
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: WARNING: --keepalive option is missing from server config
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: Diffie-Hellman initialized with 2048 bit key
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: ROUTE_GATEWAY 66.176.184.1/255.255.254.0 IFACE=red0 HWADDR=00:11:d8:3b:14:ed
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: TUN/TAP device tun0 opened
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: TUN/TAP TX queue length set to 100
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: /sbin/ip link set dev tun0 up mtu 1400
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: /sbin/ip addr add dev tun0 local 10.10.10.1 peer 10.10.10.2
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: /sbin/ip route add 10.2.3.0/30 via 10.10.10.2
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: /sbin/ip route add 10.10.10.0/24 via 10.10.10.2
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: Could not determine IPv4/IPv6 protocol. Using AF_INET
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: Socket Buffers: R=[180224->180224] S=[180224->180224]
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: UDPv4 link local (bound): [AF_INET][undef]:1195
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: UDPv4 link remote: [AF_UNSPEC]
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: GID set to nobody
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: UID set to nobody
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: MULTI: multi_init called, r=256 v=256
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: IFCONFIG POOL: base=10.10.10.4 size=62, ipv6=0
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: IFCONFIG POOL LIST
May 9 14:51:42 bobs-ipfire openvpnserver[2483]: Initialization Sequence Completed

However when the client attempts to connect we get:
May 9 14:51:55 bobs-ipfire collectd[2765]: openvpn plugin: Unable to read "/var/run/openvpn/xxxx-n2n": No such file or directory
May 9 14:51:55 bobs-ipfire collectd[2766]: Initialization complete, entering read-loop.

Which is not surprising, since there is nothing in /var/run/openvpn.

ovpn.cnf and servercert.pem checked out as you said.

Bob

jinnicky
Posts: 11
Joined: July 16th, 2013, 7:16 pm

Re: OpenVPN error after updating to Core Update 120

Post by jinnicky » May 9th, 2018, 7:26 pm

Question.

If I shut down openvpn and delete the connections and certificates, then do a backup and install a fresh copy of Core 120, will I run into problems with restoring the backup?

Bob

ummeegge
Community Developer
Posts: 4476
Joined: October 9th, 2010, 10:00 am

Re: OpenVPN error after updating to Core Update 120

Post by ummeegge » May 10th, 2018, 7:08 am

Hi,
troll-op wrote:
May 9th, 2018, 12:27 pm
Ok turns out that did the trick.
vi /var/ipfire/ovpn/openssl/ovpn.cnf
changed the md5 to sha256.
Please then use the complete ovpn.cnf from here --> https://git.ipfire.org/?p=ipfire-2.x.gi ... ds/core120 (copy and paste), because there are also changes in 'extendedKeyUsage' usage which are important for the coming OpenVPN versions.
Don't know why the ovpn.cnf wasn't delivered correctly during the update; will take a look in there if I have more time...
jinnicky wrote:
May 9th, 2018, 7:20 pm
However when the client attempts to connect we get:
May 9 14:51:55 bobs-ipfire collectd[2765]: openvpn plugin: Unable to read "/var/run/openvpn/xxxx-n2n": No such file or directory
May 9 14:51:55 bobs-ipfire collectd[2766]: Initialization complete, entering read-loop.

Which is not surprising since there is nothing in /var/run/openvpn
The plugin message should not prevent the daemon from working, you can manually create the directory to fix this message but also to initialize the statistics. Nevertheless the 'Initialization complete' message indicates that your OpenVPN server is up and waiting for connections.
jinnicky wrote:
May 9th, 2018, 7:26 pm
Question.

If I shutdown openvpn and delete the connections and certificates, then do a backup and install a fresh copy of Core 120, will I run into problem with restoring the backup?
Don't use backups, because the chance is great that you will again include deprecated directives. Also, if you remove the whole PKI, nearly all of it will be deleted then.

UE

stinga
Posts: 6
Joined: May 10th, 2018, 10:50 am

Re: OpenVPN error after updating to Core Update 120

Post by stinga » May 10th, 2018, 10:56 am

There seems to be more than one error in all of this thread, which makes it hard to follow.
I have just installed a new ipfire system and had the 256 error and found it was caused by the number of days being blank. Put some days in and it then worked for me. I raised a bug for it.
IPCop user.. still, but generally moving towards ipfire

neopegasus
Posts: 31
Joined: July 12th, 2016, 11:15 pm

Re: OpenVPN error after updating to Core Update 120

Post by neopegasus » May 10th, 2018, 11:29 am

ummeegge wrote:
May 9th, 2018, 7:57 am
Hi,
you both have the old signature algorithm, which the new OpenVPN version does not accept anymore. The output should be

-> openssl x509 -noout -text -in /var/ipfire/ovpn/certs/servercert.pem | grep Signature
    Signature Algorithm: sha256WithRSAEncryption
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
This command

grep 'default_md' /var/ipfire/ovpn/openssl/ovpn.cnf

should look like this:

default_md			= sha256
The ovpn.cnf can be found here --> https://git.ipfire.org/?p=ipfire-2.x.gi ... ds/core120 . If your ovpn.cnf is the same, the SHA256 algorithm will be used if you regenerate the whole x509; after that, all previously existing certificates (clients) need to be newly generated.
Do not use backups of old systems because they will not work.

UE
Hi, I used these commands and my output is correct, but I still cannot connect.

# openssl x509 -noout -text -in /var/ipfire/ovpn/certs/servercert.pem | grep Signature
Signature Algorithm: md5WithRSAEncryption
Signature Algorithm: md5WithRSAEncryption

# grep 'default_md' /var/ipfire/ovpn/openssl/ovpn.cnf
default_md = sha256

What am I missing?

neopegasus
Posts: 31
Joined: July 12th, 2016, 11:15 pm

Re: OpenVPN error after updating to Core Update 120

Post by neopegasus » May 10th, 2018, 1:38 pm

OK,
now it is working for me.
I did it like this:

Stop openvpn ->
delete x509 ->
generate root and host cert ->
generate the Diffie-Hellman ->
add road warriors again ( I do not have a lot)

By carefully checking the difference between my output and the one from ummeegge I finally noticed it: I was still using md5, which does not work any more in the newly updated openvpn :-[

Thanks for helping me pin point it

Best regards Neopegasus

jinnicky
Posts: 11
Joined: July 16th, 2013, 7:16 pm

Re: OpenVPN error after updating to Core Update 120

Post by jinnicky » May 10th, 2018, 10:47 pm

Thanks for your help ;D

I'm now up and connected.

Bob

palmeros
Posts: 1
Joined: June 12th, 2018, 4:49 pm

Re: OpenVPN error after updating to Core Update 120

Post by palmeros » June 12th, 2018, 6:06 pm

Main problem here (in my opinion), which took me many hours to discover, was that my server clearly stated that OpenVPN was up and running, which it wasn't. So when I ran tail -f /var/log/messages | grep openvpnserver I saw that openvpn gave an error about a weak key on start.

This wouldn't be an issue if GUI would correctly show that OpenVPN service is not running.

Maybe you could get a notice when you have updated to 120 that the CA KEY is weak so you need to regen.

Just a little bonus would be that the updater could check before updating if the system is running on weak keys and give a warning that all roadwarriors and tunnels will stop working (which was really bad for me).

jinnicky
Posts: 11
Joined: July 16th, 2013, 7:16 pm

Re: OpenVPN error after updating to Core Update 120

Post by jinnicky » June 12th, 2018, 8:01 pm

I have to agree with palmeros.

If you make a change that will require reconfiguration, tell us about it. Don't bury it in the update output. Put it in BIG letters at the end of the update. Or, preferably, put a pop-up after the update to notify us what needs to be done.

The gui needs to be fixed. The openVPN page said that it was running, but the status was a red bar with no information about why it wasn't connected.

After I got it working, it stopped again. I went through the whole procedure yet again and it's been running ever since (fingers crossed)

ummeegge
Community Developer
Posts: 4476
Joined: October 9th, 2010, 10:00 am

Re: OpenVPN error after updating to Core Update 120

Post by ummeegge » June 15th, 2018, 7:52 am

Hi,
palmeros wrote:
June 12th, 2018, 6:06 pm
This wouldn't be an issue if GUI would correctly show that OpenVPN service is not running.
The OpenVPN server does start and run even with the very old MD5 as default_md; only when the clients try to connect to the new OpenVPN does the connection fail to establish. This wasn't recognized during the testing period because IPFire has worked for 3 1/2 years with SHA256 for the host certificate --> https://git.ipfire.org/?p=ipfire-2.x.gi ... fa1b339e3a and most systems include these changes by now. Furthermore, OpenVPN did not point out clearly in their changelog --> https://community.openvpn.net/openvpn/w ... nOpenvpn24 that the connection won't establish anymore if MD5 is in use (same with the 1024 bit DH parameter).
palmeros wrote:
June 12th, 2018, 6:06 pm
Just a little bonus would be that the updater could check before updating if the system is running on weak keys and give a warning that all roadwarriors and tunnels will stop working (which was really bad for me).
It would have been announced if we had known that before the release.

So sorry for that :( but that's how it is sometimes ;) ,

Greetings,

UE
