Openvpn N2N doesn't work since core update - Roadwarrior is fine

Hi everybody,
Please, I need your help, I'm going crazy.
I do not update IPFire on a regular basis. Sometimes there are a few core updates between two upgrades with pakfire.
Last summer, I was on core166 and I decided to upgrade IPFire.
I have 2 IPFire systems on 2 different sites.
On both servers, I have OpenVPN Roadwarrior connections and 3 different NET2NET connections.
After the upgrade, the NET2NET connections were broken.
For work, I can't stay with broken connections and I didn't have time to find a solution at that time.
Now, I have tried rebuilding the 2 IPFire systems from scratch with a fresh ISO (core 184) and updating to core185 afterwards. I have restored the backup configuration on both servers.
Unfortunately, NET2NET is still broken and I don't know why.
The Roadwarrior connections are still fine. I can connect to both servers with my phone or from a PC with the OpenVPN client from outside the enterprise.
I've tried deleting all N2N connections and rebuilding them with the same parameters, then importing the client package on the 2nd server, but it doesn't work.
I've tried to look at the log, but I can't find what is wrong and why it doesn't work anymore, unlike the Roadwarrior connections.

Can someone help me? I've been testing for the last two days and if I don't find a solution by tomorrow, I will have to roll back each server to core166, which is working fine for that purpose.
I don't want to roll back as I can't update my IPFire anymore and it's not a good thing.

Thanks in advance for your answers.
Pierre

Hello @pb29

Welcome to the IPFire community.

This is extremely irregular. There are over two years between this and your last update. That is 19 Core Updates covering a large and wide range of security CVE vulnerabilities in packages such as OpenVPN, OpenSSL, OpenSSH, Apache etc.

From a security point of view you really should look at doing your upgrades much more regularly.

The other issue that can occur when an update is attempted over such a large number of updates is that things no longer work as they previously did. The same occurs if you restore from a version from 19 Core Updates previously.

Your best option is to do a fresh install and then to configure the Net2Net connection from scratch. Do not do a restore of your previous configuration.

It looks like you did do a fresh install and then configured from scratch without doing a restore, but that it failed to work.

Please show the log file from the failed connection so we can see what the problem is that is being experienced.

For information, I have successfully had n2n connections working on at least cu175 to cu185 inclusive; it might even be earlier than cu175, I can't remember exactly when I started running n2n on my VM testbed.

Hi @bonnietwin

Thanks for your answer.
Yes, I know that about the updates.
It's very difficult for me to update when the core update doesn't work as it should.
The last two days were special. I was alone at work, so I could take time to try updates and testing. Unfortunately, time is over. It's holiday time for me.
So I rolled back to the last working Core Update, 166.
At school, it's hard to even shut down internet or services like VPN for 4h or more.
I will follow your advice and rebuild a server from scratch and reconfigure all options manually.
Could certs and keys from OpenVPN be restored manually? If I didn't have to rebuild certs for all VPN users, I would appreciate it.

Thanks, Pierre

The only way to restore the certs for all vpn users would be to do a restore from your backup. However, you have already said that did not function for you.

You could try doing the restore again and then show the log messages here so we can try and see if it is possible to figure out what has gone wrong and if it can be easily fixed or not.

Without any logs it is just guesswork as to what is not working after such a large update.

In that case it might be a good idea to obtain a duplicate system and test out each new core update on that system to identify all issues before doing the update on your production system.

Then start requiring monthly maintenance windows. At least once a month there's some security update released. I can understand that "working 24h" is better than "scheduled stops", but sometimes "working with issues 24h" is… way less secure and desirable.

I've tried to have 2 IPFire systems running at the same time. It's not possible. VPN is down afterwards and also internet.
So I could have a 2nd IPFire running without RED, but I can't update it. So it's useless.

Thanks for the advice, i will suggest it.

Pierre

You can connect the second IPFire's red interface to the green network of the first IPFire. The second IPFire would then get its red IP via DHCP from your first IPFire, either via a dynamic lease or via a fixed lease.

The second IPFire would need to have a different subnet for its green network compared to the first IPFire.

I have the above setup on my home system but in my case the second IPFire is a virtual machine that then has a virtual network connected to it. I can test out updates and bug fixes via that approach.

You could do the same with your second physical IPFire and use a laptop connected to the second IPFire green network for accessing its WUI.