CU197 OVPN feedback

First of all, thank you to the team for such a major update going so smoothly! I love the OpenVPN Connection Statistics page. Is that new or have I just never noticed it?

I did notice that when I navigate to the Advanced page, that some of my previous settings are changed. For example, MTU is set to 1440 instead of my custom 1472. And it looks like the Hash is set to SHA2 256bit when I had it set to SHA2 512bit previously. So it looks like I will have to change and re-save those settings. No big deal, but I wanted to provide that feedback in case it is unintended.

Thanks, @ms and gang!

Hello,

That has been around for a while…

Those things should not have changed.

The default value for the MTU is 1400 in the update (and will change to 1420 in the upcoming update). SHA2 512 is the default value.

Can you check in the backup whether these values have actually been changed?

I checked the backup and the settings match up right with current settings. So my memory must have failed me. I have a screenshot of my configuration settings from a year ago and they match up with my memory. But apparently I changed those settings sometime in the past year and forgot about it. I apologize for the false alarm.

I installed the new update today, and now I’m having issues when the OTP option is enabled. When connecting, it still asks for the OpenVPN user’s password, but it no longer prompts for the OTP password afterward.

No problem. Happy that we could rule this out, because it would have really surprised me if I had broken that

Logs would be very helpful… The OTP code itself has not been changed in this update.

Mon Sep 22 17:49:25 2025 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add ‘–data-ciphers-fallback BF-CBC’ to your configuration and/or add BF-CBC to --data-ciphers.
Mon Sep 22 17:49:25 2025 OpenVPN 2.6.14 \[git:v2.6.14/f588592ee6c6323b\] Windows \[SSL (OpenSSL)\] \[LZO\] \[LZ4\] \[PKCS11\] \[AEAD\] \[DCO\] built on Aug  6 2025
Mon Sep 22 17:49:25 2025 Windows version 10.0 (Windows 10 or greater), amd64 executable
Mon Sep 22 17:49:25 2025 library versions: OpenSSL 3.5.1 1 Jul 2025, LZO 2.10
Mon Sep 22 17:49:25 2025 DCO version: 1.3.3
Mon Sep 22 17:49:35 2025 TCP/UDP: Preserving recently used remote address: \[AF_INET\]62.225.XXX.XXX:1194
Mon Sep 22 17:49:35 2025 ovpn-dco device \[OpenVPN Data Channel Offload\] opened
Mon Sep 22 17:49:35 2025 UDP link local: (not bound)
Mon Sep 22 17:49:35 2025 UDP link remote: \[AF_INET\]62.225.XXX.XXX:1194
Mon Sep 22 17:49:35 2025 \[ipfire.localdomain\] Peer Connection Initiated with \[AF_INET\]62.225.XXX.XXX:1194
Mon Sep 22 17:49:35 2025 AUTH: Received control message: AUTH_FAILED,CRV1:R,E:RGFuaWVsIEJ1ZWhyaW5n:VE9UUA==:One Time Token:
Mon Sep 22 17:49:35 2025 SIGUSR1\[soft,auth-failure (auth-token)\] received, process restarting
Mon Sep 22 17:49:40 2025 TCP/UDP: Preserving recently used remote address: \[AF_INET\]62.225.XXX.XXX:1194
Mon Sep 22 17:49:40 2025 ovpn-dco device \[OpenVPN Data Channel Offload\] opened
Mon Sep 22 17:49:40 2025 UDP link local: (not bound)
Mon Sep 22 17:49:40 2025 UDP link remote: \[AF_INET\]62.225.XXX.XXX:1194
Mon Sep 22 17:49:41 2025 \[ipfire.localdomain\] Peer Connection Initiated with \[AF_INET\]62.225.XXX.XXX:1194

EDIT - formatting modified by moderator.

If I remove the OTP option from my user, the connection works immediately.

This morning, with the older version, that wasn’t a problem.

Gentlemen,

performed a new install Core 197 on rpi 4b.

Restored Backup from Core 195. No addon installed.

Everything seemes to be fine, openvpn n2n works.

Unfortunately openvpn roadwarrior server does not start. No possibility to get in run in wui.

On cli I tried openvpnctrl -r or -s.

message from: bash: invalid connection type ‘-r”

tried with path /usr/local/bin/openvpnctrl. and without path. No success.

That is because the openvpnctrl code was changed with CU197.

The two options now are rw for roadwarrior and n2n for net-to-net.

It would also be good to see what the CU197 log file

/var/log/pakfire/update-core-upgrade-197.log

shows near the end as the update shuts down the OpenVPNH server, does the required file changes and then starts the service back up with the new initscripts and with the new daemons. If the startup of the new system did not work there should be some message for why not.

root on cli:

#: openvpnctrl rw status"

feedback: /usr/sbin/openvpn is not running

# openvpnctrl rw start

Starting OpenVPN Roadwarrior Server: FAIL

Starting OpenVPN Authenticator: OK

# openvpnctrl rw restart

Starting OpenVPN Authenticator: Not running WARN

Starting OpenVPN Roadwarrior Server: not running WARN

Starting OpenVPN Roadwarrior Server: FAIL

Starting OpenVPN Authenticator: OK

There is no /var/log/pakfire/update-core-upgrade-197.log, because I performed a fresh install as mentioned above.

cat /var/log/messages | grep “openvpn” :

grafik2704×843 339 KB

I found an empty file named ovpnserver.log in /var/run, but no file named “openvpn-rw.-log”

Sorry, missed that.

I think all my testing was with updates and not a fresh install.

The log file name was changed in the update process. Not sure why it would not work correctly in a fresh install. It was also added into the backup restore process and that was something I tested out and it worked at that time.

I also see from your image that you have ended up with ncp-disable in the server.conf.

There were explicit commits to ensure that both from an update and from a restore that ncp-disable was not inserted as that is no longer a valid option in openvpn-2.6.x

That entry in the server.conf will stop the server starting as the option is unrecognised.

I will try and find some time tomorrow to do a fresh install of CU197 and see if I confirm what you found both directly after the install and then after doing a restore from a backup from CU196 with the old system.

Unfortunately we had little feedback on CU197 Testing other than our own testing of multiple different conditions and prior settings. I will try and figure out what is going wrong here and see what needs to be modified to fix it for a fresh install.

I managed to make some time available now so I just did a fresh install of CU197 and after the install there was
/var/run/openvpn-rw.log
and in /var/ipfire/ovpn/collectd.vpn
there was /var/run/openvpn-rw.log

There was no /var/run/ovpnserver.log file.

So different from what you experienced.

I then did a restore of an old pre CU197 backup with the old names and without cipher negotiation. The backup contained ncp-disable in the server.conf file but after restore this was no longer in the server.conf file.

After restore my openvpn RW server was running with no problems. The correct log file names were present as after the fresh install.

So I have not been able to reproduce what you showed.

Can you confirm that the sha256sum hash of your CU197 iso was
c7141cf5a2dbf262d7c6c040c485bdc96f2a9ea556879299876755e5120803cf
which is the value I got on my version and is the same as the sha256sum value on the download website.
EDIT1:
I just saw that your install was a rpi4 so your sha256sum hash will not match mine but it should match the value in the download page for the aarch64 image file.
EDIT2:
I copied the aarch64 image file to a usb stick. Then I mounted that stick and I checked out some of the files.
The collectd.vpn file had openvpn-rw.log in it.
The backup.pl file had the correct section in it for restoring old openvpn settings and updating them to the correct Openvpn-2.6.x versions.

I can’t test out actually running the aarch64 image as I don’t have any arm system available to do that with. Both of the RPi’s I have are used for other applications in my network.

If the sha256sum for the aarch64 image file that you used is
23d143390d1013b1d15e2785dba0e6381b0e397031268a3332bcc825e9fa1e63
then it matches the one on the download page and that matches what I copied to my usb stick.

In that case I would suggest doing a fresh copy of the image to your RPi sdcard and repeat the network install again and backup restore and see how it goes for a second time. Do you end up duplicating the same problem or does it work after the repeat install.

If it duplicates, it would be good to know if the incorrect file names were already present directly after the install was completed and before doing a backup restore, or only after the backup restore.

Checksum of the file which I downloaded on 21.05.25, 16:55 h:

23d143390d1013b1d15e2785dba0e6381b0e397031268a3332bcc825e9fa1e63 ipfire-2.29-core197-aarch64.img.xz

Please keep in mind, I took my backup from core 195 as mentioned.

There was an remark within announcement some weeks ago, which led me to prefer a fresh install: Only a fresh install should make the new kernel available or something like that.

Checksum on download page right now:

23d143390d1013b1d15e2785dba0e6381b0e397031268a3332bcc825e9fa1e63

The backup structure was the same for CU195 and CU196. To confirm I installed CU197 fresh again on a vm system. It had the right logfile name in collectd.vpn again and after restoring from a CU195 backup OpenVPN was running correctly and I could successfully access via my mobile roadwarrior connection.

Your checksum for the image file you used shows it was not corrupted somehow during the download.

The only way for you to end up with ncp-disable still in your server.conf file would be if the restore function restored the files but then missed out the command to run the openvpn.cgi page.

Just to confirm, for the restore of your backup you are using the restore function from the backup WUI page and not manually restoring the files from the .ipf file?

Check in you messages log for when the restore has completed. There should be the line

Sep 23 11:58:32 ipfire sudo:     root : PWD=/srv/web/ipfire/cgi-bin ; USER=nobody ; COMMAND=/srv/web/ipfire/cgi-bin/ovpnmain.cgi

This is the line from the backup.pl process that is run after the restore has been completed.

If that line did not get executed properly for some reason then the server.conf file from the backup would not be updated to use negotiation and to have the ncp-disable line and others removed.

Do you see any error messages in the lines after the above entry in your logs?

Hi Adolf,

on this production system ipfire runs from stick on my rpi 4.

I do not use iso but flash image.

Thats why I have got core 195 running and another stick with failed core 197 on it.

If you tell me what you need, you’ll get it.

I restored in WUI and rebooted.. No addons.

No DHCP in use.

Be careful reading the logs. I’m not sure, which part of the logs has been changed by restoring.

Here is /var/log/messages out of my failed 197 installation for you. I wonder to see n2nNIBE described as “failed”. This connection worked with core 197. Maybe it took some time to come up.

Sep 22 18:46:27 ipfire syslogd 1.5.1: restart (remote reception).
Sep 22 18:46:27 ipfire useradd\[3320\]: failed adding user ‘dhcpcd’, exit code: 9
Sep 22 18:47:00 ipfire root: “RED watchdog: no internet, restarting UNBOUND”
Sep 22 18:47:00 ipfire vnstatd\[1969\]: Error: Exec step failed (8: attempt to write a readonly database): “update interface set updated=datetime(1758559620, ‘unixepoch’, ‘localtime’) where id=4”
Sep 22 18:47:00 ipfire vnstatd\[1969\]: Error: Fatal database error detected, exiting.
Sep 22 18:47:16 ipfire collectd\[5837\]: plugin_load: plugin “syslog” successfully loaded.
Sep 22 18:47:16 ipfire collectd\[5837\]: plugin_load: plugin “conntrack” successfully loaded.
Sep 22 18:47:16 ipfire collectd\[5837\]: plugin_load: plugin “cpu” successfully loaded.
Sep 22 18:47:16 ipfire collectd\[5837\]: plugin_load: plugin “cpufreq” successfully loaded.
Sep 22 18:47:16 ipfire collectd\[5837\]: plugin_load: plugin “disk” successfully loaded.
Sep 22 18:47:16 ipfire collectd\[5837\]: plugin_load: plugin “interface” successfully loaded.
Sep 22 18:47:16 ipfire collectd\[5837\]: plugin_load: plugin “iptables” successfully loaded.
Sep 22 18:47:16 ipfire collectd\[5837\]: plugin_load: plugin “load” successfully loaded.
Sep 22 18:47:16 ipfire collectd\[5837\]: plugin_load: plugin “memory” successfully loaded.
Sep 22 18:47:16 ipfire collectd\[5837\]: plugin_load: plugin “ping” successfully loaded.
Sep 22 18:47:16 ipfire collectd\[5837\]: plugin_load: plugin “rrdtool” successfully loaded.
Sep 22 18:47:16 ipfire collectd\[5837\]: plugin_load: plugin “sensors” successfully loaded.
Sep 22 18:47:16 ipfire collectd\[5837\]: plugin_load: plugin “match_regex” successfully loaded.
Sep 22 18:47:16 ipfire collectd\[5837\]: plugin_load: plugin “thermal” successfully loaded.
Sep 22 18:47:16 ipfire collectd\[5837\]: plugin_load: plugin “openvpn” successfully loaded.
Sep 22 18:47:16 ipfire collectd\[5838\]: cpufreq plugin: Found 4 CPUs
Sep 22 18:47:16 ipfire collectd\[5838\]: Initialization complete, entering read-loop.
Sep 22 18:47:16 ipfire collectd\[5838\]: openvpn plugin: fopen(/var/run/ovpnserver.log) failed: No such file or directory
Sep 22 18:47:16 ipfire collectd\[5838\]: read-function of plugin `openvpn/ovpnserver.log' failed. Will suspend it for 60.000 seconds. Sep 22 18:47:16 ipfire collectd[5838]: openvpn plugin: fopen(/var/run/openvpn/n2nNIBE-n2n) failed: No such file or directory Sep 22 18:47:16 ipfire collectd[5838]: read-function of plugin `openvpn/n2nNIBE-n2n’ failed. Will suspend it for 60.000 seconds.
Sep 22 18:47:16 ipfire sudo:     root : PWD=/srv/web/ipfire/cgi-bin ; USER=nobody ; COMMAND=/srv/web/ipfire/cgi-bin/vpnmain.cgi
Sep 22 18:47:16 ipfire sudo:     root : PWD=/srv/web/ipfire/cgi-bin ; USER=nobody ; COMMAND=/srv/web/ipfire/cgi-bin/ovpnmain.cgi
Sep 22 18:47:20 ipfire kernel: tun: Universal TUN/TAP device driver, 1.6

Modeator edit to format log info.

Okay so the restore script called the ovpnmain.cgi code to run as it should.

This should have updated the openvpn server.conf file contents to remove ncp-disable etc

The next command in the restore code carries out a sed command on the file
/var/ipfire/ovpn/collectd.vpn
to replace
/var/run/ovpnserver.log in that file to
/var/run/openserver-rw.log

Can you check the contents of /var/ipfire/ovpn/collectd.vpn
to see which of the lines above it has. There should also be a line for any n2n connections that you had in your backup.

Could you also show the contents of the /var/run/ovpn/server.conf file, redacting any sensitive info like your public IP.

Hi Adolf,

here is the contents of

I.

/var/ipfire/ovpn/collectd.vpn

“Loadplugin openvpn

“

It’s the first hint of trouble, because there is another n2n connection called “n2nBeNi” in /var/ipfire/ovpn/n2nconf.

This n2n connection was not active / not in use. Only the above mentioned n2nNIBE is in use and was working with core 195 and 197.

II.

/var/run/ovpn/server.conf does not exist.

A file named server.conf is located in /var/ipfire/ovpn and contains:

“#OpenVPN Server conf

daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange

\# hint by author: I do not use orange, but red, green and blue. Routes are set correctly. roadwarrior worked with Core 195

;local (deleted by author)

dev tun
proto udp
port 1024
script-security 3
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
client-config-dir /var/ipfire/ovpn/ccd
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /etc/ssl/ffdhe4096.pem
server (deleted by author)
tun-mtu 1360
push “(deleted by author)”
push “(deleted by author)”
route (deleted by author)
client-to-client
mssfix 0
keepalive 10 60
status-version 1
status /var/run/ovpnserver.log 30
ncp-disable
cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
tls-auth /var/ipfire/ovpn/certs/ta.key
push “dhcp-option DOMAIN …”
push “dhcp-option DNS 192.168.10.1”
max-clients 100
tls-verify /usr/lib/openvpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
auth-user-pass-optional
reneg-sec 86400
user nobody
group nobody
persist-key
persist-tun
verb 3

# Log clients connecting/disconnecting

client-connect “/usr/sbin/openvpn-metrics client-connect”
client-disconnect “/usr/sbin/openvpn-metrics client-disconnect”

# Enable Management Socket

management /var/run/openvpn.sock unix
management-client-auth”

Moderator edited formatting.

That is not a problem. Only enabled n2n client connections are listed in collectd.vpn.

If that other n2n connection was enabled then it would be automatically added to collectd.vpn

Also it has openvpn-rw.log in it.

This means that the sed command after the running of ovpnmain.cgi waqs carried out successfully. That also mean that the ovpnmain.cgi will have run but from your server.conf it is clear that nothing got changed in it.

Sorry, typo from me.

The server.conf file has not been updated but it is not clear why not.

It still has the lines

The status line should have been updated, the ncp-disable removed and the cipher AES-256-GCM line changed to data-ciphers-fallback AES-256-GCM

There should also have been added the line
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
plus a line topology subnet

None of that happened.

The .ipf backup file is basically just a tar archive. Can you view inside it and look at the
/var/ipfire/ovpn/settings file and see if it has a line
ENABLED=
or
ENABLED=on

All of my restore testing was with a backup of an enabled openvpn setup. Maybe that is a difference.

Hi Adolf,

you wrote:

“The status line should have been updated, the ncp-disable removed and the cipher AES-256-GCM line changed to data-ciphers-fallback AES-256-GCM

There should also have been added the line
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
plus a line topology subnet"

Can I change these lines within my stick and boot after that or should I boot Core 197 and change these lines via cli?

Is your line “topology subnet” complete? Or do I need something like “green0” ?

Here is /var/ipfire/ovpn/settings out of my backup Core 195:

VPN_IP=(deleted by author)
ADDITIONAL_CONFIGS=
DDEST_PORT=1024
DCIPHER=AES-256-GCM
DMTU=1360
ROOTCERT_ORGANIZATION=(deleted by author)
DOVPN_SUBNET=(deleted by author)
TLSAUTH=on
ROOTCERT_HOSTNAME=(deleted by author)

DAUTH=SHA512
KEEPALIVE_2=60
MAX_CLIENTS=100
ROOTCERT_OU=(deleted by author)
DHCP_DOMAIN=(deleted by author)
LOG_VERB=3
CLIENT2CLIENT=on
DCOMPLZO=off
ENABLED_BLUE=on
ROOTCERT_COUNTRY=(deleted by author)
ENABLED_ORANGE=off
DPROTOCOL=udp
DHCP_WINS=
ROOTCERT_CITY=(deleted by author)
ENABLED=on
ROUTES_PUSH=
ROOTCERT_STATE=(deleted by author)
REDIRECT_GW_DEF1=
KEEPALIVE_1=10
DHCP_DNS=(deleted by author)

Update worked fine, everything looks good. Thanks a lot.

|18:27:07|openvpnserver[5996]:|library versions: OpenSSL 3.5.1 1 Jul 2025, LZO 2.10|
|18:27:07|openvpnserver[5996]:|OpenVPN 2.6.14 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]|

Those are lines that should be different but there may be addi9tional differences.

It might be worth to press the Save button on the main OpenVPN WUI page. That might correct the issues in the server.conf by forcing the ovpnmain.cgi code to run as it appears to have not run correctly from the restore process.

If that does not work then I would suggest doing a fresh write of the CU197 .img file to your USB memory stick and then doing a restore of the backup again.

If the same happens again then it suggests some sort of systematic issue but someone that has an arm based system to test it out on will need to look at it.

If a new fresh install and restore works then it indicates some hiccup in the original install or restore.