Hmm…logs. On the server they are apparently empty.
On the clients it says something like core thread error unsupported options present in configuration internal option allowed only to be pushed by the server.
In this case, this is the OpenVPN app on an android phone.
If it is, or isn’t, OpenVPN connect…I have no clue. I refer to it as client because it is on a phone and I connect to my home network where OpenVPN is running on the IPFire PC…
Edit: I found some notes that indicate that in 2021 I switched to OpenVPN connect app on the phone.
I don’t really understand why you are having problems with the OpenVPN connections after your move to new equipment.
In August 2022 my IPFire hardware died and I got some new hardware. The new did not have sata connectors internally that I could connect my old sata drive to so I just used the msata drive that was provided and installed from scratch using the same subnets for everything but with the new MAC Addresses for the nic’s, then did a restore of the system.
Everything worked fine, including the OpenVPN Road Warrior connections to both my Android Phone and my Linux laptop.
Nothing needed to be changed.
Looking back though your thread, the same should have happened to you, if I have understood the whole sequence.
To check, this is what I believe your sequence was.
You were replacing an old but still working x86_64 system with a new x86_64 system. So same architecture.
Your old working system was up to date in terms of the Core Update number.
You did a backup of the old working system and downloaded the backup to the system you were using for the WUI access.
You installed IPFire from scratch onto your new system using the same Core Update or the following one from what you had on your old working system.
You used the same IP Address for the green, blue and orange networks (or whichever ones you have on your system) as you had used on the old working system.
You then restored from the backup that you made earlier in this sequence which for the OpenVPN would have restored the old server certificate set and each of the client certificate and connection details as were working on the old system.
With the above sequence then your OpenVPN connections should have just worked the same as they did on your old working system.
Can you confirm that the above sequence was what you followed.
If it was then we will need to go into more detail for each step to understand where in the sequence something different was unintentionally carried out.
I remember that in the thread about transferring to new hardware there were some discussions about using a different hostname initially and then changing it later.
Did that change occur correctly. Do you have the correct FQDN at the top of the WUI page.
If the hostname/domain name of your system did not get created the same as the old working system then the restored server and client certificates will be referring to different names and these are checked to be correct as part of the OpenVPN connection flow. That would be expected to show in the server logs.
Just starting the OpenVPN server should create logs. If the logs are really empty can you confirm that the OpenVPN Server is running.
On the OpenVPN WUI page it should show
If that is showing the same on your system then if you press the “Stop OpenVPN Server” button and after it has stopped press the “Start OpenVPN Server” then you should end up with around 260 lines in the OpenVPN logs for the startup section. I just checked and confirmed that myself.
EDIT:
Here is the content of my logs from the WUI Logs - System Logs menu and OpenVPN from the drop down selection box
If you can see something similar when you stop then start the server, presuming that the server actually successfully starts, then you should also see lines in the log for when the RW connection is attempted.
I never did the rename thing. I built it from scratch, and restored. Then I disconnected the old hardware and plugged in the new.
The only thing I had to do was get the ISP to clear the lease and re-DHCP.
But, the dynamic dhcp seems to be ok.
To be clear, the log I referred to earlier, was the Roadwarrior log.
Yes it says it is running.
I stopped it. Started it.
I see none of the logs in WUI show anything about VPN. (Or, I simply don’t know which to look at and how.)
And, the ovpn file create in WUI, apparently isn’t valid anymore. (or the android connect has a bug…) it apparently wants the ta key in the ovpn file.
In your earlier comment about the client log you only mentioned
but now you mention that
If the client is expecting the ta.key file to be present and the server is not presenting it then this will cause the connection to fail.
That sounds like your server setup has not matched the setup as was originally defined in the old working IPFire system and that your clients will be expecting.
On your OpenVPN WUI page do you have the checkbox labelled “TLS Channel Protection:” checked as shown here
If the client profile is expecting the ta.key file then that checkbox needs to be checked on the IPFire server and the Hash algorithm box needs to have the same hash algorithm selected as when the certificates were originally created.
All of these would be defined from the restore from the backup.
If these are different that would suggest that the backup you restored from is an older or different one where those options were not selected as expected by your client(s).
What Core Update were you running on your old working system?
I presume that you installed the Core Update 182 version into your new system.
On your old working system did you run the backup WUI option just before installing the Core Update 182 into your new system and did you download the correct backup from that IPFire to your PC that is running the Web User Interface system?
Thanks for the instructions on getting the logs for OpenVPN.
This from the stop/start yesterday. OpenVPN-log.txt.zip (1.7 KB)
The client (in this case an Android using OpenVPN Connect) was using the .ovpn file successfully on the phone before I updated the server.
I noted that in the meantime, the app had been updated. So, I attempted to re-load the .ovpn and this is when I saw the issue with not finding the ta.key file. So, this is newly observed.
I don’t think the TLS checkbox has been changed.
The process of restore. I updated the old server to the current core at the time. I then made a full backup. I installed the same core on the new hardware. Then, to avoid introducing the new hardware into my network with the same name, I used a crossover cable to connect to the WUI and restored the backup.
Since I only have 2 devices ( 1 phone and 1 laptop) to setup as road warrior, I have no problem deleting the existing certs and creating new. But, not sure how to generate what the phone app wants. And, testing the laptop is difficult since I have no alternative way to connect from outside my LAN.
Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
So that indicates that you do have the TLS Checkbox ticked.
You can also see people trying to access the OpenVPN server from the internet and they are being dropped because they are not providing the ta.key info which is required first before the actual data channel setup is even attempted.
TLS Error: cannot locate HMAC in incoming packet from [AF_INET]223.113.128.133:49275
So if your server has the TLS Channel Protection enabled and that has not changed then your client profiles must all have the ta.key file as well.
So if your client is saying that it can’t find the ta.key file then something must have changed in that client that means it is no longer finding it wherever you placed it on your android phone file system.
Check the location where you have the connection info stored on your phone. There should be the .ovpn file, the .p12 certificate set file and the ta.key file.
If the ta.key file is still where it was when you originally set up your client connection then the client is no longer seeing it and you will need to remake theclient connection on the android phone and tell it where the ta.key file is stored.
Can you provide a copy of the log file from the OpenVPN Connect App. I don’t know where that app keeps the log info but it must be available somewhere. On my OpenVPN for Android App it provides a page with the log info in it which I can then copy into a file and download from my phone to my PC.
That log file must have more details about the problem with the ta.key file that the App is having.
I finally figured out what I was doing wrong when trying to import the .ovpn file. Now I get to the point where it wants me to select a certificate from the Android keychain.
If I select continue without, it say OpenSSLContext: CA not defined.
If I select the one offered it fails as well.
Logfile from phone:
[Feb 05, 2024, 10:36:36] ----- OpenVPN Start -----
[Feb 05, 2024, 10:36:36] EVENT: CORE_THREAD_ACTIVE
[Feb 05, 2024, 10:36:36] OpenVPN core 3.8.4connectX(3.git::c424d46c:RelWithDebInfo) android arm64 64-bit PT_PROXY
[Feb 05, 2024, 10:36:36] Frame=512/2112/512 mssfix-ctrl=1250
[Feb 05, 2024, 10:36:36] NOTE: This configuration contains options that were not used:
[Feb 05, 2024, 10:36:36] Internal option allowed only to be pushed by the server
[Feb 05, 2024, 10:36:36] 17 [auth-token-user] [USER]
[Feb 05, 2024, 10:36:36] 18 [auth-token] [TOTP]
[Feb 05, 2024, 10:36:36] EVENT: CORE_THREAD_ERROR info='option_error: sorry, unsupported options present in configuration: Internal option allowed only to be pushed by the server (auth-token,auth-token-user)'
[Feb 05, 2024, 10:36:36] EVENT: CORE_THREAD_DONE