Changed my home OS & need to make OpenVPN work again

I’ll try to make this as plain & short as possible…
Been using IPFire as the OpenVPN server to access a distant network for most of a decade.
At home, the client box was always XP & kept around for that use with VNC Viewer & that old, tired box still works perfectly for that access.

I have replaced my main PC at home with a box running Ubuntu 18.04, and tried everything I could find to get it to connect via OpenVPN, but it only fails.
Trying to get help at their support forum brought only flaming replies and offers to hire nameless, faceless strangers to tell me what I have to do.

I have the IP address of the server, and it has used DDNS as well - I also have all the files & info from the XP installation of OpenVPN.

It seems that this breaks down to 2 sections:
1 - Making sure that Ubuntu has the right settings for this connection;
2 - Using the correct info from the files in the right places.

In the Ubuntu network control it uses the ca.cert, user cert, user private key, and user key password.
The only file & data that I am certain of is the very obvious ca.cert - and I am uncertain what to do with which ones of the others.
Of course I have the .OVPN file as well, but it does not function without the correct settings being made as well, it seems.

I have opened the files & see that they contain key blocks, but I’ve no ideas as to which data to place in which spot.

I cannot visit my friend’s place during the present virus/pandemic emergency & he is working alone there, having sent his assistant & subordinate away until it is said to be safe again.

Please help me out with this if possible ??
Thanks.

Hi smallhagrid,
and welcome here. You can use a regular IPFire package with a PKCS#12 file; this is the *.p12 file (password protected) in the ZIP package, so there is no need for ca and cert files. As far as I know you need to install 'network-manager-openvpn-gnome' to also import the *.p12 file, which you can install with a

sudo apt install network-manager-openvpn-gnome

If you haven't installed OpenVPN on your Ubuntu machine you can execute

sudo apt install openvpn network-manager-openvpn network-manager-openvpn-gnome

this also delivers the nmcli package. If you have downloaded the OpenVPN package from IPFire, you can unzip it and import it via nmcli with the following command

nmcli connection import type openvpn file '/path/to/your/connectionname-TO-IPFire.ovpn'

after that you should see the connection in your network manager,

and all settings should also be included, which you can see if you click the icon in the bottom right corner.

You can enter the PKCS#12 password in the mask or leave it empty and enter it when you start the connection.

You can check the logs before you start the connection; on Ubuntu enter a

sudo -s
tail -f /var/log/syslog | grep vpn

when finished, enter 'exit'.
On IPFire you can do the same with a

tailf /var/log/messages | grep openvpn

Potential problems I know of on Ubuntu: Do not use Whirlpool as 'Hash algorithm' since Ubuntu does not accept it --> https://forum.ipfire.org/viewtopic.php?t=23519 . Good settings might be AES-GCM (256 bit) as 'Encryption' and SHA2 (512 bit) as 'Hash algorithm'.

May this help; if not, try to post the logs and anonymize your private data such as IPs.

Another, maybe simpler, way is to execute OpenVPN via the terminal. If you unzip the IPFire package, cd into it and simply execute

sudo openvpn --config connectionname-TO-IPFire.ovpn

there; you should also see the log in the terminal on your Ubuntu machine.

As another idea.

Best,

Erik

2 Likes

Thank You Very Much Erik for your kind words of welcome and for this amazingly complete reply.

I hope I can ask a bit more of you, please ??

The PKCS#12 file you mentioned - is this specific to any version of IPFire and already present inside the installed server with whatever version it appeared with ??

I ask because ATM I have no direct access to the server via remote & I have not traveled there to update it in a while - so is this a file I can just get here somehow & it will just work no matter which version is there, or otherwise ??

I use Ubuntu Mate & do have OpenVPN installed, but not yet the Gnome portion of it that you’ve mentioned here.

Back when I made the original connection (a VERY long time ago !!) I did it for XP to IPFire and all was done step by step manually from the info provided by IPFire back then.

If this can be accomplished from here and has me regaining remote access I will be delighted !!

Thanks Again.

You're welcome,

you need to add an OpenVPN client in IPFire's web user interface → wiki.ipfire.org - Client configuration . If you have already created your own, you can download it via 'Download client .zip package'. If you had it running on your XP machine, you needed to do the exact same procedure.

If you have your old package (from XP) you can try this one. Old machines will mostly accept old packages; the only exception is that if your certificate is expired you will be unable to connect. In that case you need remote access to your machine (maybe SSH or IPSec) or a helping hand in the remote location.

I think you will need it if you want to include a PKCS#12 encrypted file via network-manager. If you only use the command
sudo openvpn --config {connectionname-To-IPFire.ovpn}
you should also be fine without.

This info is still there but has also been extended. Not in the Ubuntu way as I explained it above, but you will nevertheless find several new pieces of info.

I don't know if you have an old package (e.g. from your XP machine); if so, you can give it a try, but I would recommend updating your IPFire as soon as possible since OpenVPN but also OpenSSL (and the whole system) have received very important updates in the last months.

May this help you a step further.

Best,

Erik

Thanks Again Erik !!
Running the apt install command verified that all the needed things are in place, then I used the nmcli connection import & it declared success using my .OVPN file from before.

I do have the P12 file here, and the cert. is not expired, so that is not any concern right now.

After following all the steps the connection does appear in network manager, but when it is used either with or without the PW, it fails instantly.

The remote location is 120 miles from home - I cannot visit there during the present craziness - and there are no helping hands to be had there either, so my options are very limited.
Any updating will be done on-site, manually by me so that I am able to make 100% sure that all is working before traveling back home - and that will be only after things settle down such that it is OK to travel again around here.

Using the openvpn --config command you provided got only this response:
Options error: Unrecognized option or missing or extra parameter(s) in home-TO-IPFire.ovpn:13: tls-remote (2.4.4)

Viewing the log entries shows these errors:
VPN plugin: failed: connect-failed (1)
VPN plugin: state changed: stopping (5)
VPN plugin: state changed: stopped (6)
VPN service disappeared

In the settings under security it is set to use DES-CBC & the options there don’t match what was suggested otherwise.

I hope this has not reached a dead-end now, and I do thank you most sincerely for all your time & attention to my query.

Hi smallhagrid,
can you post the *.ovpn configuration file ?

Best,

Erik

Hi Again Erik & Thanks for replying.
As it happens, I very carefully examined the OVPN file, found 1 spurious character (which I removed) and also the last line from it to see if that was causing the error as that line mentioned tls-remote.

Much to my surprise it connected somewhat, but stopped with this appearing in the terminal:
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
Cannot use certificate
Exiting due to fatal error

I may be partly responsible for this as I guessed that the PW may be the data (OpenVPN Static key) from key.txt - and if that is the wrong data, might you tell me how to find it & also possibly how to cure the above complaints under Ubuntu ??
I have looked at all the settings and found no exact match for the complaint text.

Thanks Again !!

And here is the text from the OVPN file, lightly sanitized to remove domain info:

#OpenVPN Server conf
tls-client
client
dev tun
proto udp
tun-mtu 1400
remote subdomain.domain.com 1194
pkcs12 home.p12
cipher DES-CBC
comp-lzo
verb 3
ns-cert-type server

OK, I think we are coming a little closer to the possible problem. I would guess that your IPFire installation is really an older one. Three points in there:

  1. Your OpenVPN server on IPFire is still running OpenVPN version 2.3.x
  2. You still have the old and dropped 'ns-cert-type server' directive in your configuration, which should meanwhile be 'remote-cert-tls'.
  3. The server and host certificate on IPFire still use an MD5 HMAC algorithm.

Since your Ubuntu 18.04 now uses OpenVPN 2.4, points 2) and 3) won't be accepted by OpenVPN 2.4, since these are critical, weak and attackable vectors.

The only thing I can currently imagine to bring your old configuration back to life might be to downgrade OpenVPN on your Ubuntu to OpenVPN 2.3.x. You can give it a try as explained e.g. here → How to downgrade a package via apt-get? - Ask Ubuntu .

You may also find other sources on this topic.

Best,

Erik

1 Like
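As an added example (not from this thread, IPFire or OpenVPN), a small Python check for the directives Erik's three points and the terminal errors above refer to: it flags tls-remote (the "Unrecognized option" error), ns-cert-type, DES-CBC and Whirlpool in an .ovpn file and rewrites the first two. The sample config is constructed from the one posted above, with a placeholder tls-remote value; the MD5-signed CA ("ca md too weak") lives in the certificate, not the .ovpn, and no client-side rewrite can fix it.

```python
# Directives OpenVPN 2.4 rejects or warns about, as they appeared in this thread.
ISSUES = {
    "tls-remote": "removed in OpenVPN 2.4 (the 'Unrecognized option' error); use verify-x509-name",
    "ns-cert-type": "deprecated; use 'remote-cert-tls server'",
}
WEAK_CIPHERS = {"DES-CBC", "DES-EDE3-CBC", "BF-CBC", "RC2-CBC", "CAST5-CBC"}  # 64-bit block ciphers
REJECTED_AUTH = {"WHIRLPOOL"}  # not accepted by Ubuntu's OpenVPN build, per the thread

# Constructed sample based on the config posted above; the tls-remote value is a placeholder.
SAMPLE = """#OpenVPN Server conf
tls-client
client
dev tun
proto udp
tun-mtu 1400
remote subdomain.domain.com 1194
pkcs12 home.p12
cipher DES-CBC
comp-lzo
verb 3
ns-cert-type server
tls-remote placeholder-server-name
"""

def lint_ovpn(text):
    """Return [(line_no, directive, message)] for settings OpenVPN 2.4 rejects or warns about."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()  # strip comments, tokenize
        directive, args = (parts[0], parts[1:]) if parts else ("", [])
        if directive in ISSUES:
            findings.append((no, directive, ISSUES[directive]))
        elif directive == "cipher" and args and args[0].upper() in WEAK_CIPHERS:
            findings.append((no, directive, f"{args[0]} is a 64-bit block cipher; prefer AES-256-GCM"))
        elif directive == "auth" and args and args[0].upper() in REJECTED_AUTH:
            findings.append((no, directive, f"{args[0]} is rejected on Ubuntu; use SHA512"))
    return findings

def modernise(text):
    """Drop tls-remote and replace ns-cert-type with remote-cert-tls, keeping every other line.
    remote-cert-tls needs the server cert to carry the TLS server EKU; MD5 CAs must be re-issued."""
    out = []
    for raw in text.splitlines():
        parts = raw.split()
        if parts and parts[0] == "tls-remote":
            continue
        if parts and parts[0] == "ns-cert-type":
            raw = "remote-cert-tls " + " ".join(parts[1:])
        out.append(raw)
    return "\n".join(out) + "\n"
```

Run `lint_ovpn` on the rewritten output to confirm only the cipher finding remains; that one can only be changed on the IPFire side together with the server settings.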

Thank You, Thank You, Thank You Erik !!

Had to remove the installed version 1st, and then=>
“Error Dependency is not satisfiable: initscripts (>=2.88dsf-13.3)”

Most likely this is now a dead end until I can get there, I’m guessing.
(I will work on this more after I get some sleep as it is near to 5AM here…)

You're welcome :slightly_smiling_face: ,
hope you find a good sleep. Maybe it is also possible to over-install an older package via DPKG --> https://packages.debian.org/de/jessie/openvpn (2.3.5 should work) or maybe from the Ubuntu package archive --> https://packages.ubuntu.com/xenial/openvpn (maybe 2.3.10 works too, but I am not 100% sure). If the over-install does not work, your error can also be found here -> https://askubuntu.com/questions/863264/cant-solve-unmet-dependencies-initscripts .

Best,

Erik

Thanks Erik.
More pressing matters have demanded my attentions since you posted your helpful reply.
I did give it a try & had no more free time to wrestle with it when it wouldn’t work.

Since the my friend’s place is closed & I cannot go there yet, this can easily wait until things may liven up once again - then I’ll do what is needed to get it up to date over there.

I do think that despite their youth such alternatives as ZeroTier, Wireguard & Tailscale (which are clearly loads simpler to deploy than OpenVPN…) should be considered for use within IPFire without delay.

There has been mention of Wireguard here that I saw & IMO it has been dismissed too quickly in light of the current world conditions.

Thanks Again.

I’ve been checking into info relating with gaining remote access for all the time since before I started using IPFire - which is actually quite a few years already.

Lately lots of other tech folks have come forward admitting that they too had to struggle and spent far too much time & efforts getting either OpenVPN or other older technologies to work at all - and have also compared their previous frustrations with the ease promoted by using the newer tools as previously mentioned.

For me, whose hands-on access is very limited lately, and with my best way of getting connected either being by Anydesk (very slow) or by firing up the old PC that still works over OpenVPN (also very slow) - the opportunity to use another PC there as the means of network access is highly appealing.

This would allow the existing IPFire installation to make the needed wait until I have time to work on it in person - and I can also easily install the newer stuff to either of the newer PCs there remotely.

That is a win-win solution IMO.

The only question remaining for me to answer right now will be whether to use Tailscale or ZeroTier (as Wireguard itself can be more easily used via Tailscale).

Hi,
we are getting a little OT here; this discussion has been partly held in the Wireguard topic, so from this point of view I won't help here.
Speaking of spending too much time & effort on OpenVPN: your installation is very, very outdated. MD5 appears in your log, which has been deprecated in IPFire since 2017 --> https://blog.ipfire.org/post/ipfire-2-19-core-update-111-is-available-for-testing . I am not sure if you have used the installation since then or maybe a longer time before, but even two years are a long period, also in the crypto world; there have been so many, also very critical, bugs but also fixes since then, and this is not only related to OpenVPN but to the crypto libraries in general. The "set it and forget it" :wink: might work for such a long time, but you will need to keep an eye on newer technologies too, since especially in the IT scope we are in a world which is rapidly changing.

Some thoughts, even with no specific help from my side.

Best,

Erik

3 Likes

Hi @smallhagrid, I've been using the same firewall distro on a firewall since 2008.
Once installed on a Compaq DeskPro 500, now on a somewhat fresher Socket 775 Pentium 4 by Acer.
My distro killed two hard drives; I had to restore some older backups for disaster recovery.
I started using the OpenVPN configuration in 2008, with Windows XP. I also used it on Vista, Windows 7, Windows 10, Xubuntu Linux 14.04, 16.04, 18.04, Kubuntu Linux 20.04.
4 years ago, for the sake of safety, I generated another server certificate.
My OpenVPN client keeps telling me that I should improve my OpenVPN client configuration, but it keeps working, even during the Italian lockdown: it currently serves 5 users, 3 more than before (me and the boss of this office).

So I do not have the same experience as you. I don't know why, but believe me, most of the time it is far easier to deal with an OS upgrade than your experience.

Be kind to your systems and your boss :stuck_out_tongue_winking_eye: OpenVPN 2.5 will bring some more features but also some hassle if you have some old, inconsistent X509 stuff on board. The warnings from the WUI are well-intentioned ones.

:innocent:

Keep the good work operating.

Best,

Erik

Considered my options - the distance - and time available, and so…

Given how slow both OpenVPN & Anydesk connections have become with the heavily loaded internet in that town - I did a test install of ZeroTier.

Wow.
To say that I am very favourably impressed is a huge understatement.
So simple - so easily installed & set up - and FAST !!!

It creates a whole new & additional network for remote access and has shown me that OpenVPN needs to become extinct now because it is (thus far…) so vastly better.

I have no need to waste my time & efforts trying to ‘please’ the demands of OpenVPN anymore - and the IPFire remains in use just as it has been, and is fine for that, so=>
IMO this means problem solved.

Also:
My friend now has both his home PC and his notebook PC on that same new network and I have already used it to help him from ~120 miles away.

Is this perfect enough for the purists ??
Most likely not, BUT;
It serves well to provide for our needs at least during this crazy time.