Cannot connect with OpenVPN

hellfire · 9 July 2024 19:58

Hi!

Out of a sudden, I cannot connect with OpenVPN client on Android to IPFire anymore.

The last successful connection with same client to IPfire was on July 5th.

Since then, I see those log entries.

21:54:12	openvpnserver[13325]:	80.187.64.207:23678 SIGUSR1[soft,tls-error] received, client-instance restarting
21:54:12	openvpnserver[13325]:	80.187.64.207:23678 TLS Error: TLS handshake failed
21:54:12	openvpnserver[13325]:	80.187.64.207:23678 TLS Error: TLS object -> incoming plaintext read error
21:54:12	openvpnserver[13325]:	80.187.64.207:23678 TLS_ERROR: BIO read tls_read_plaintext error
21:54:12	openvpnserver[13325]:	80.187.64.207:23678 OpenSSL: error:0A000086:SSL routines::certificate verify fai led
21:54:12	openvpnserver[13325]:	80.187.64.207:23678 VERIFY ERROR: depth=0, error=CRL has expired: C=DE, O=Familie, CN=Michael, serial=3
21:54:12	openvpnserver[13325]:	80.187.64.207:23678 TLS: Initial packet from [AF_INET]80.187.64.207:23678, sid=b ddd17e0 0859d4eb
21:54:12	openvpnserver[13325]:	80.187.64.207:23678 Incoming Control Channel Authentication: Using 512 bit messa ge hash 'SHA512' for HMAC authentication
21:54:12	openvpnserver[13325]:	80.187.64.207:23678 Outgoing Control Channel Authentication: Using 512 bit messa ge hash 'SHA512' for HMAC authentication
21:54:06	openvpnserver[13325]:	80.187.64.207:23469 SIGUSR1[soft,tls-error] received, client-instance restarting
21:54:06	openvpnserver[13325]:	80.187.64.207:23469 TLS Error: TLS handshake failed
21:54:06	openvpnserver[13325]:	80.187.64.207:23469 TLS Error: TLS object -> incoming plaintext read error
21:54:06	openvpnserver[13325]:	80.187.64.207:23469 TLS_ERROR: BIO read tls_read_plaintext error
21:54:06	openvpnserver[13325]:	80.187.64.207:23469 OpenSSL: error:0A000086:SSL routines::certificate verify fai led
21:54:06	openvpnserver[13325]:	80.187.64.207:23469 VERIFY ERROR: depth=0, error=CRL has expired: C=DE, O=Familie, CN=Michael, serial=3
21:54:05	openvpnserver[13325]:	80.187.64.207:23469 TLS: Initial packet from [AF_INET]80.187.64.207:23469, sid=5 bec638c 110a03e7
21:54:05	openvpnserver[13325]:	80.187.64.207:23469 Incoming Control Channel Authentication: Using 512 bit messa ge hash 'SHA512' for HMAC authentication
21:54:05	openvpnserver[13325]:	80.187.64.207:23469 Outgoing Control Channel Authentication: Using 512 bit messa ge hash 'SHA512' for HMAC authentication

Furthermore, what is the source of thlse messages in OpenVPN log?

23:58:37	openvpnserver[5487]:	TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.116.67:49 864
20:37:43	openvpnserver[5487]:	TLS Error: cannot locate HMAC in incoming packet from [AF_INET]205.210.31.46:565 56
15:29:13	openvpnserver[5487]:	TLS Error: cannot locate HMAC in incoming packet from [AF_INET]161.35.236.158:49 294
12:32:57	openvpnserver[5487]:	TLS Error: cannot locate HMAC in incoming packet from [AF_INET]146.88.241.21:453 28
11:47:30	openvpnserver[5487]:	TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.116.36:57 755
07:46:32	openvpnserver[5487]:	TLS Error: cannot locate HMAC in incoming packet from [AF_INET]205.210.31.212:56 153
07:05:26	openvpnserver[5487]:	TLS Error: cannot locate HMAC in incoming packet from [AF_INET]48.217.212.6:5375 2
04:52:33	openvpnserver[5487]:	TLS Error: cannot locate HMAC in incoming packet from [AF_INET]13.83.43.53:49045
01:47:18	openvpnserver[5487]:	TLS Error: cannot locate HMAC in incoming packet from [AF_INET]167.94.138.135:20 917

Any hint what’s going on for not connecting to VPN and what’s the meaning of the last logs above.

I already did restart OpenVPN, to no avail. Core 186, btw.

nickh · 9 July 2024 20:04

hellfire · 9 July 2024 20:14

Ok, so according to the Wiki https://www.ipfire.org/docs/configuration/services/openvpn/troubles

I guess I get the same error as described in paragraph: A small collection of possible error reports

8. If the [Certificate Revocation List](https://tools.ietf.org/html/rfc2459#section-3.3) has been expired the following appears in server log

ipfire openvpnserver[16368]: a.b.c.d:46227 VERIFY ERROR: depth=0, error=CRL has expired: C=US, O=Tatoine, CN=LGG3
ipfire openvpnserver[16368]: a.b.c.d:46227 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
ipfire openvpnserver[16368]: a.b.c.d:46227 TLS_ERROR: BIO read tls_read_plaintext error
ipfire openvpnserver[16368]: a.b.c.d:46227 TLS Error: TLS object -> incoming plaintext read error
ipfire openvpnserver[16368]: a.b.c.d:46227 TLS Error: TLS handshake failed
ipfire openvpnserver[16368]: a.b.c.d:46227 Fatal TLS error (check_tls_errors_co), restarting

a solution is to [renew the CRL](https://www.ipfire.org/docs/configuration/services/openvpn/config/upload_gen) . With Core 120, this should be done by IPFire itself.

hellfire · 9 July 2024 20:17

Ok Nick, so I will give the linked solution a try, later on

hellfire · 10 July 2024 19:11

Success by editing the file and inserted correct path.

pscar13 · 11 July 2024 10:50

Hi,

Solved with the command:

openssl ca -config /usr/share/openvpn/ovpn.cnf -gencrl -out /var/ipfire/ovpn/crls/cacrl.pem

And restart ipfire

Thanks

raffe · 13 July 2024 00:46

openssl ca -config /usr/share/openvpn/ovpn.cnf -gencrl -out /var/ipfire/ovpn/crls/cacrl.pem

And restart ipfire

Thank you! Saved my day

Now it says:

OpenVPN

Certificate Revocation List:

Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer:
Last Update: Jul 13 00:36:28 2024 GMT
Next Update: Aug 12 00:36:28 2024 GMT
Revoked Certificates:
Serial Number: 02
Revocation Date: Jul 11 12:50:40 2023 GMT
Serial Number: 03
Revocation Date: Jul 11 12:50:34 2023 GMT

How often will I need to do a openssl ca -config /usr/share/openvpn/ovpn.cnf -gencrl -out /var/ipfire/ovpn/crls/cacrl.pem to keep OpenVPN working? I think this is the first time I have ever done it

adrb04 · 13 July 2024 12:58

I have the same issue on two ipfire devices. They were installed almost two years apart but the issue appeared now in July 2024.for both.
How often do we need to run this command and restart OpenVPN ?
openssl ca -config /usr/share/openvpn/ovpn.cnf -gencrl -out /var/ipfire/ovpn/crls/cacrl.pem

bonnietwin · 13 July 2024 13:49

Reply to both @raffe and @adrb04

The original thread on this topic has a post that explains the background of this bug a bit.

https://community.ipfire.org/t/log-summary-openvpn-no-crl-update/11816/7

So after updating with Core Update 187 when is has its full release (It went to Testing phase a couple of days ago) then everyone will have the fix applied to their systems.

Anyone updating to Core Update 186 since about 3 days ago will also get the fix as it was applied to the Core 186 updater.

https://community.ipfire.org/t/log-summary-openvpn-no-crl-update/11816/11

Core Update 187 is likely to get its full release by end of July or a bit earlier (dependent on if any issues fed back during the testing phase) so as you have updated your CRL you will have a period of a month before the next update is required by which time Core Update 187 will have been released and after update you will have the updated openvpn-crl-updater script installed so the updates will be getting done automatically again.

raffe · 14 July 2024 00:40

Thanks @bonnietwin for the background info!!!

According to the post Log Summary - OpenVPN - No CRL Update - #4 by ummeegge by @ummeegge a workaround, until the Core Update, could be to change OPENSSLCONF in the updater script.

So as I am at the moment abroad on vacation and do not want to be worried, I edited /etc/fcron.daily/openvpn-crl-updater to

#OPENSSLCONF=“${OVPN}/openssl/ovpn.cnf”
OPENSSLCONF=“/usr/share/openvpn/ovpn.cnf”

bonnietwin · 14 July 2024 07:41

That will ensure that if another crl update is required before you are able to update to Core Update 187 it will automatically occur.

When the update to Core Update 187 is run it will update the script to the correct one.

raffe · 10 August 2024 09:22

Hi! I have updated to Core-Update 187

So now I am about to delete this fcron file I wrote about above:

But before I may do something stupid because I just think I know what I am doing, maybe it is better I ask first

Am I correct in that this is now resolved in the new version, so I don’t need the fcron file anymore and it’s OK to delete it?

bonnietwin · 10 August 2024 09:43

Do not delete the openvpn-crl-updater file. That file was updated in the Core Update 187 release. The version you edited has been replaced by the released version.

So it is resolved in CU187 but you do not need to do anything.

If you want to confirm that everything is correct then compare the contents of the file in your /etc/fcron.daily/ directory with the contents of the CU187 released version from the git repo.

https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/ovpn/openvpn-crl-updater;h=5008d67254e031636a013f2b02be125fb285b352;hb=refs/heads/core187