Getting started with OpenVPN

Hello everyone,

I am on the latest build of IPFire, running on a PC Engines APU3a4.
With the information from the wiki I am unable to make the OpenVPN service work.

There are two problems:

  1. The OpenVPN service is not running (or I am not sure, because I got both a positive and a negative GUI indicator).
  2. The OpenVPN configuration on the client.

I started with creating the x509 certificate on the IPFire, and I created the connection as well as established a dynamic DNS service connection.
When I try to start the server, I get these kinds of error messages:

|Time|Process|Message|
|---|---|---|
|23:21:44|openvpnserver[12808]:|/sbin/ip route del 10.182.113.0/24|
|23:21:44|openvpnserver[12808]:|Closing TUN/TAP interface|
|23:21:44|openvpnserver[12808]:|/sbin/ip addr del dev tun1 local 10.182.113.1 peer 10.182.113.2|
|23:22:01|openvpnserver[12969]:|DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6|
|23:22:01|openvpnserver[12969]:|WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.|
|23:22:01|openvpnserver[12969]:|OpenVPN 2.5.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 15 2021|
|23:22:01|openvpnserver[12969]:|library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10|
|23:22:01|openvpnserver[12970]:|WARNING: --keepalive option is missing from server config|
|23:22:01|openvpnserver[12970]:|NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.|
|23:22:01|openvpnserver[12970]:|NOTE: the current --script-security setting may allow this configuration to call user-defined scripts|
|23:22:01|openvpnserver[12970]:|Diffie-Hellman initialized with 4096 bit key|
|23:22:01|openvpnserver[12970]:|CRL: loaded 1 CRLs from file /var/ipfire/ovpn/crls/cacrl.pem|
|23:22:01|openvpnserver[12970]:|Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication|
|23:22:01|openvpnserver[12970]:|Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication|
|23:22:01|openvpnserver[12970]:|ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=red0 HWADDR=00:00:00:00:00:00|
|23:22:01|openvpnserver[12970]:|TUN/TAP device tun1 opened|
|23:22:01|openvpnserver[12970]:|/sbin/ip link set dev tun1 up mtu 1400|
|23:22:01|openvpnserver[12970]:|/sbin/ip link set dev tun1 up|
|23:22:01|openvpnserver[12970]:|/sbin/ip addr add dev tun1 local 10.182.113.1 peer 10.182.113.2|
|23:22:01|openvpnserver[12970]:|/sbin/ip route add 10.182.113.0/24 via 10.182.113.2|
|23:22:01|openvpnserver[12970]:|Could not determine IPv4/IPv6 protocol. Using AF_INET|
|23:22:01|openvpnserver[12970]:|Socket Buffers: R=[212992->212992] S=[212992->212992]|
|23:22:01|openvpnserver[12970]:|TCP/UDP: Socket bind failed on local address [AF_INET][undef]:1194: Address already in use (errno=98)|
|23:22:01|openvpnserver[12970]:|Exiting due to fatal error|

|Time|Process|Message|
|---|---|---|
|10:27:37|openvpnserver[5176]:|DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6|
|10:27:37|openvpnserver[5176]:|Options error: --server directive network/netmask combination is invalid|
|10:27:37|openvpnserver[5176]:|Use --help for more information.|
|11:02:30|openvpnserver[6068]:|DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6|
|11:02:30|openvpnserver[6068]:|Options error: --server directive network/netmask combination is invalid|
|11:02:30|openvpnserver[6068]:|Use --help for more information.|
|11:05:46|openvpnserver[6983]:|DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6|
|11:05:46|openvpnserver[6983]:|Options error: --server directive network/netmask combination is invalid|
|11:05:46|openvpnserver[6983]:|Use --help for more information.|

netstat -tulpen also delivers this line:

udp 0 0 0.0.0.0:1194 0.0.0.0:* 0 391891 9957/openvpn

Let me know if you need additional logfiles.

The second problem: the OpenVPN configuration file the system creates is not working on my Ubuntu machine. I get an error message that tls-client is not a valid pair. When I delete the first line and try again, it says the same for client.

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote ipfire.localdomain 1194
pkcs12 user.p12
cipher AES-256-GCM
auth SHA512
tls-auth ta.key
verb 3
remote-cert-tls server
verify-x509-name ipfire.localdomain name
mssfix 0

A last question, because I am not sure if I am doing it right:
The 3 certificate files that are needed are ALL generated from the .p12 file on Ubuntu, right? The x509 certificate that was generated earlier and the ta.key file from the client package are not needed?

Thanks in advance
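As an added example (my own code, not part of the original post or of the IPFire project), the two fatal messages in the logs above can be triaged with a small shell helper: it recognises the bind failure on port 1194 and the invalid --server network/netmask, and looks up which process already holds the port in a netstat -tulpen listing. The log and netstat text inside the script is a constructed sample modelled on the lines quoted above; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from the
# IPFire project. It triages the fatal openvpnserver messages quoted above and
# checks a `netstat -tulpen` listing for an existing listener on the VPN port.
# Both samples below are constructed, modelled on the lines in the post.

SAMPLE_LOG='23:22:01 openvpnserver[12970]: TCP/UDP: Socket bind failed on local address [AF_INET][undef]:1194: Address already in use (errno=98)
23:22:01 openvpnserver[12970]: Exiting due to fatal error
10:27:37 openvpnserver[5176]: Options error: --server directive network/netmask combination is invalid'

# netstat -tulpen layout: Proto Recv-Q Send-Q Local Foreign User Inode PID/Program
SAMPLE_NETSTAT='udp        0      0 0.0.0.0:1194            0.0.0.0:*                           0          391891     9957/openvpn'

# classify_openvpn_errors LOGTEXT
# Prints one keyword per fatal condition found, in log order:
#   port-in-use     another process already holds the listening port
#   bad-server-net  the --server network/netmask pair is not a usable subnet
#   none            no known fatal condition in the excerpt
classify_openvpn_errors() {
    printf '%s\n' "$1" | awk '
        /Socket bind failed/ && /Address already in use/ { print "port-in-use"; found = 1; next }
        /--server directive network\/netmask combination is invalid/ { print "bad-server-net"; found = 1; next }
        END { if (!found) print "none" }'
}

# failing_pid LOGTEXT
# Prints the PID of the openvpnserver process that logged the bind failure.
failing_pid() {
    printf '%s\n' "$1" | awk '
        /Socket bind failed/ { sub(/.*openvpnserver\[/, ""); sub(/].*/, ""); print; exit }'
}

# port_holder NETSTATTEXT PORT
# Prints the PID/program bound to PORT (any protocol), or nothing if none.
port_holder() {
    printf '%s\n' "$1" | awk -v port="$2" '$4 ~ (":" port "$") { print $NF; exit }'
}

# explain_start_failure LOGTEXT NETSTATTEXT PORT
# Turns the findings into advice an administrator can act on.
explain_start_failure() {
    for err in $(classify_openvpn_errors "$1"); do
        case "$err" in
        port-in-use)
            holder=$(port_holder "$2" "$3")
            if [ -n "$holder" ]; then
                echo "port $3 is held by $holder, not by the instance that just failed (pid $(failing_pid "$1")); stop the old instance before starting the server again"
            else
                echo "port $3 reported in use but no listener found; re-check with: netstat -tulpen | grep :$3"
            fi ;;
        bad-server-net)
            echo "the OpenVPN server network is not a valid network/netmask pair; use a private /24 such as 10.25.178.0/255.255.255.0" ;;
        none)
            echo "no known fatal condition in this log excerpt" ;;
        esac
    done
}

# Run on the constructed samples; on a real box pass in the openvpnserver lines
# from the system log and the live `netstat -tulpen` output instead.
explain_start_failure "$SAMPLE_LOG" "$SAMPLE_NETSTAT" 1194
```

The first finding is the one the netstat line in the post shows: the server that failed had pid 12970, but the socket on 1194 belonged to pid 9957, an earlier openvpn that was still running. The second matches the later attempts, where the start fails before any socket is opened because the --server subnet is rejected.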

I am kind of disappointed that I did not receive even one reply :frowning:
Anyhow, the problems were solved in the following way:

  • I changed the network under OpenVPN settings to 10.25.178.0/255.255.255.0
  • I downloaded the new openVPN config file after build 159 and used the host from the dynDNS service
  • I am connecting directly from the command line, since the config file does not work with NetworkManager
  • I imported the CA and host certificate on the client
  • Don’t forget to add port forwarding
  • And an iptables rule on your machine if necessary

Hi @redcon

Welcome to the IPFire community.

Sorry that you feel the response was not rapid enough, but everyone here is a volunteer and may not be able to react to all topics.

Glad you got it sorted out and have a working system now.

Looking at your log, I was not sure what the problem was so could not provide any input.

However, on your question:

I have had a read through the Perl code for the main CGI page where it shows "online" in green. The code is purely indicating that OpenVPN has been enabled on Red, Blue or Green. It is not indicating that the service is running.
If you uncheck the "OpenVPN on RED" box and save (with the service stopped), then you will find that the OpenVPN line on the main CGI page will no longer be visible.

I will look at raising a bug and creating a patch to change the wording from "online" to "enabled".

Yes, that GUI response was kind of confusing.
I think the main problem that made the experience a little bit ‘uncomfortable’ here is somehow connected to Ubuntu's NetworkManager. It shows an error message when I try to import the config, while that works very well from the command line.
It does not read the OpenVPN config properly. Now I was able to establish a connection by putting the details into the connection by hand. Previously, I also did not set the option for additional TLS authentication. In Ubuntu there are two options, TLS auth and TLS crypt. Once I set it to TLS auth and put in the ta.key, the connection suddenly started to work.

Another finding:
On my machine the export to PEM certificate files does not work:

openssl pkcs12 -in IPFIRE.p12 -clcerts -nokeys -nodes -out user.pem   # client certificate only
openssl pkcs12 -in IPFIRE.p12 -nocerts -nodes -out keys.pem           # private key, unencrypted
openssl pkcs12 -in IPFIRE.p12 -cacerts -nokeys -nodes -out ca.pem     # CA certificate only (-nokeys keeps the private key out of ca.pem)

When I execute these commands I receive error messages, and the exported PEM files are empty (0 bytes).

asn1 encoding routines:ASN1_get_object:too long:…/crypto/asn1/asn1_lib.c:91:
asn1 encoding routines:asn1_check_tlen:bad object header:…/crypto/asn1/tasn_dec.c:1118:
asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:…/crypto/asn1/tasn_dec.c:290:Type=PKCS12_MAC_DATA
asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:…/crypto/asn1/tasn_dec.c:627:Field=mac, Type=PKCS12

Therefore at the moment I cannot use a certificate password; I need to download the “unsecure client package”, where the PEM files are already included.

This is also a confusing behaviour of the GUI:

Even when the service is stopped, the connection still persists:
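The PKCS#12 export in the post above fails part-way and leaves empty PEM files behind, because openssl opens the output file before it has parsed the bundle. As an added example (my own script, not code from the post or from IPFire), here is a shell helper that first checks that the file is DER-encoded and that the password verifies the bundle's MAC, and only then splits it into the three PEM files; the password is read from an environment variable rather than put on the command line where `ps` could show it. It also answers the earlier question about which files come out of the .p12: the client certificate, its private key and the CA certificate, while ta.key is a separate file that a PKCS#12 bundle never contains. The function names and the P12_PASSWORD variable are assumptions of this example; it needs the openssl command line tool (1.1.x or 3.x).

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from the
# IPFire project. It checks a PKCS#12 client bundle before splitting it into
# the three PEM files the post extracts (user.pem, keys.pem, ca.pem), so that a
# damaged file or a wrong password does not leave empty output files behind.
# Assumes the openssl command line tool is installed and that the bundle
# password is exported in P12_PASSWORD (an assumption of this example).

# looks_like_der FILE
# A PKCS#12 bundle is a DER SEQUENCE, so its first byte is 0x30. Anything
# else (an HTML error page, a zip archive, a base64 text dump) is not a .p12
# and openssl cannot parse it.
looks_like_der() {
    first=$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')
    [ "$first" = "30" ]
}

# p12_open_flags FILE
# Verifies the bundle's integrity MAC with $P12_PASSWORD without writing
# anything, and prints the extra flag openssl needs to read it: empty
# normally, or "-legacy" for a bundle built with the old RC2/3DES
# algorithms, which OpenSSL 3 reads only with that flag. Fails if neither
# attempt verifies (wrong password or damaged file).
p12_open_flags() {
    [ -n "$P12_PASSWORD" ] || { echo "P12_PASSWORD is not set" >&2; return 1; }
    if openssl pkcs12 -in "$1" -passin env:P12_PASSWORD -info -noout >/dev/null 2>&1; then
        echo ""
    elif openssl pkcs12 -in "$1" -passin env:P12_PASSWORD -info -noout -legacy >/dev/null 2>&1; then
        echo "-legacy"
    else
        return 1
    fi
}

# p12_mac_ok FILE  -> true if $P12_PASSWORD verifies the bundle
p12_mac_ok() {
    p12_open_flags "$1" >/dev/null
}

# split_p12 FILE OUTDIR
# Writes user.pem (client certificate), keys.pem (private key) and ca.pem
# (CA certificate) into OUTDIR. Each export is checked for a PEM block and
# all three files are removed again if any part is missing. The tls-auth
# key (ta.key) is not inside a PKCS#12 and comes from the client package.
split_p12() {
    p12=$1; out=$2
    looks_like_der "$p12" || { echo "$p12: not a DER-encoded PKCS#12 file" >&2; return 2; }
    extra=$(p12_open_flags "$p12") || { echo "$p12: MAC check failed (wrong password or damaged file)" >&2; return 3; }
    mkdir -p "$out"
    # -nokeys on both certificate exports keeps the private key out of user.pem and ca.pem.
    if openssl pkcs12 -in "$p12" -passin env:P12_PASSWORD $extra -clcerts -nokeys -out "$out/user.pem" 2>/dev/null &&
       openssl pkcs12 -in "$p12" -passin env:P12_PASSWORD $extra -nocerts -nodes  -out "$out/keys.pem" 2>/dev/null &&
       openssl pkcs12 -in "$p12" -passin env:P12_PASSWORD $extra -cacerts -nokeys -out "$out/ca.pem"   2>/dev/null &&
       grep -q -- '-----BEGIN CERTIFICATE' "$out/user.pem" &&
       grep -q -- 'PRIVATE KEY-----' "$out/keys.pem" &&
       grep -q -- '-----BEGIN CERTIFICATE' "$out/ca.pem"; then
        chmod 600 "$out/keys.pem"   # the key is unencrypted on disk now; keep it private
        return 0
    fi
    echo "$p12: extraction incomplete, removing partial output" >&2
    rm -f "$out/user.pem" "$out/keys.pem" "$out/ca.pem"
    return 4
}

# Usage on a real bundle, after sourcing this file:
#   export P12_PASSWORD='...'; split_p12 IPFIRE.p12 ./ovpn-client
```

If `looks_like_der` fails on the downloaded bundle, the file is not what the name suggests and the ASN.1 errors from openssl are expected; if it passes but `p12_mac_ok` fails, the password is wrong or the file was altered in transit, and no PEM files are written either way.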

The connection does not actually persist, but the connection status is only checked periodically, and the browser page then also has to be refreshed, otherwise any update may still not show. If left alone it will eventually change to an updated status.

I believe that this is a consequence of the Perl CGI based structure of the WUI and is not easily modified in IPFire 2.

I understand that IPFire 3, which is being worked on slowly in parallel with updating and fixing bugs in IPFire 2, will be structured in a better way, but it will still take a bit of time to be ready for use, as the IPFire development team is quite small.