VPN clients won't connect

I did a hardware swap and restore that appears to be working fine for the most part. See: https://community.ipfire.org/t/hardware-swap-process/10751/15

I have now had the opportunity to check out the VPN clients that were previously created. And none will connect.

Do I just need to create new certs?
I assume if this is the case, I should just delete the old?

Ok. Then.

Which kind of VPN? I assume that’s OpenVPN, but it’s not stated. And what is the log output?

Sorry, yeah, OpenVPN.

Hmm…logs. On the server they are apparently empty.

On the clients it says something like core thread error unsupported options present in configuration internal option allowed only to be pushed by the server.

Might fit your case.
Judging by what you see, you seem to be using OpenVPN Connect, not the OpenVPN client.

In this case, this is the OpenVPN app on an android phone.

If it is, or isn’t, OpenVPN connect…I have no clue. I refer to it as client because it is on a phone and I connect to my home network where OpenVPN is running on the IPFire PC…

Edit: I found some notes that indicate that in 2021 I switched to OpenVPN connect app on the phone.

I don’t really understand why you are having problems with the OpenVPN connections after your move to new equipment.

In August 2022 my IPFire hardware died and I got some new hardware. The new did not have sata connectors internally that I could connect my old sata drive to so I just used the msata drive that was provided and installed from scratch using the same subnets for everything but with the new MAC Addresses for the nic’s, then did a restore of the system.

Everything worked fine, including the OpenVPN Road Warrior connections to both my Android Phone and my Linux laptop.

Nothing needed to be changed.

Looking back through your thread, the same should have happened to you, if I have understood the whole sequence.

To check, this is what I believe your sequence was.

  • You were replacing an old but still working x86_64 system with a new x86_64 system. So same architecture.
  • Your old working system was up to date in terms of the Core Update number.
  • You did a backup of the old working system and downloaded the backup to the system you were using for the WUI access.
  • You installed IPFire from scratch onto your new system using the same Core Update or the following one from what you had on your old working system.
  • You used the same IP Address for the green, blue and orange networks (or whichever ones you have on your system) as you had used on the old working system.
  • You then restored from the backup that you made earlier in this sequence which for the OpenVPN would have restored the old server certificate set and each of the client certificate and connection details as were working on the old system.

With the above sequence then your OpenVPN connections should have just worked the same as they did on your old working system.

Can you confirm that the above sequence was what you followed?

If it was then we will need to go into more detail for each step to understand where in the sequence something different was unintentionally carried out.

As far as I can see, that list is exactly what I did. I had/have only red and green. Green is the same IP as before.

I remember that in the thread about transferring to new hardware there were some discussions about using a different hostname initially and then changing it later.

Did that change occur correctly? Do you have the correct FQDN at the top of the WUI page?

If the hostname/domain name of your system did not get created the same as the old working system then the restored server and client certificates will be referring to different names and these are checked to be correct as part of the OpenVPN connection flow. That would be expected to show in the server logs.

Just starting the OpenVPN server should create logs. If the logs are really empty can you confirm that the OpenVPN Server is running.

On the OpenVPN WUI page it should show

[screenshot of the OpenVPN WUI page]

If that is showing the same on your system then if you press the “Stop OpenVPN Server” button and after it has stopped press the “Start OpenVPN Server” then you should end up with around 260 lines in the OpenVPN logs for the startup section. I just checked and confirmed that myself.

EDIT:
Here is the content of my logs from the WUI Logs - System Logs menu and OpenVPN from the drop down selection box

18:49:25 openvpnserver[21599]:  MANAGEMENT: Client connected from /var/run/openvpn.sock
18:49:25 openvpnserver[21599]:  Initialization Sequence Completed
18:49:25 openvpnserver[21599]:  IFCONFIG POOL LIST
18:49:25 openvpnserver[21599]:  IFCONFIG POOL IPv4: base=10.110.126.4 size=62
18:49:25 openvpnserver[21599]:  MULTI: multi_init called, r=256 v=256
18:49:25 openvpnserver[21599]:  UID set to nobody
18:49:25 openvpnserver[21599]:  GID set to nobody
18:49:25 openvpnserver[21599]:  UDPv4 link remote: [AF_UNSPEC]
18:49:25 openvpnserver[21599]:  UDPv4 link local (bound): [AF_INET][undef]:1194
18:49:25 openvpnserver[21599]:  Socket Buffers: R=[212992->212992] S=[212992->212992]
18:49:25 openvpnserver[21599]:  Could not determine IPv4/IPv6 protocol. Using AF_INET
18:49:25 openvpnserver[21599]:  Data Channel MTU parms [ L:1591 D:1591 EF:121 EB:401 ET:0 EL:3 ]
18:49:25 openvpnserver[21599]:  /sbin/ip route add 10.110.126.0/24 via 10.110.126.2
18:49:25 openvpnserver[21599]:  /sbin/ip route add 10.110.26.0/24 via 10.110.126.2
18:49:25 openvpnserver[21599]:  /sbin/ip addr add dev tun0 local 10.110.126.1 peer 10.110.126.2
18:49:25 openvpnserver[21599]:  /sbin/ip link set dev tun0 up
18:49:25 openvpnserver[21599]:  /sbin/ip link set dev tun0 up mtu 1470
18:49:25 openvpnserver[21599]:  do_ifconfig, ipv4=1, ipv6=0
18:49:25 openvpnserver[21599]:  TUN/TAP device tun0 opened
18:49:25 openvpnserver[21599]:  ROUTE_GATEWAY xxx.xxx.xxx.xxx/255.255.240.0 IFACE=red0 HWADDR=xx:xx:xx:xx:xx:xx
18:49:25 openvpnserver[21599]:  TLS-Auth MTU parms [ L:1591 D:1140 EF:110 EB:0 ET:0 EL:3 ]
18:49:25 openvpnserver[21599]:  Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
18:49:25 openvpnserver[21599]:  Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
18:49:25 openvpnserver[21599]:  CRL: loaded 1 CRLs from file /var/ipfire/ovpn/crls/cacrl.pem
18:49:25 openvpnserver[21599]:  Diffie-Hellman initialized with 4096 bit key
18:49:25 openvpnserver[21599]:  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
18:49:25 openvpnserver[21599]:  MANAGEMENT: unix domain socket listening on /var/run/openvpn.sock
18:49:25 openvpnserver[21598]:  library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
18:49:25 openvpnserver[21598]:  OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 19 2023
18:49:25 openvpnserver[21598]:    auth_user_pass_file = '[UNDEF]'
18:49:25 openvpnserver[21598]:    pull = DISABLED
18:49:25 openvpnserver[21598]:    client = DISABLED
18:49:25 openvpnserver[21598]:    vlan_pvid = 1
18:49:25 openvpnserver[21598]:    vlan_accept = all
18:49:25 openvpnserver[21598]:    vlan_tagging = DISABLED
18:49:25 openvpnserver[21598]:    port_share_port = '[UNDEF]'
18:49:25 openvpnserver[21598]:    port_share_host = '[UNDEF]'
18:49:25 openvpnserver[21598]:    auth_token_secret_file = '[UNDEF]'
18:49:25 openvpnserver[21598]:    auth_token_lifetime = 0
18:49:25 openvpnserver[21598]:    auth_token_generate = DISABLED
18:49:25 openvpnserver[21598]:    auth_user_pass_verify_script_via_file = DISABLED
18:49:25 openvpnserver[21598]:    auth_user_pass_verify_script = '[UNDEF]'
18:49:25 openvpnserver[21598]:    max_routes_per_client = 256
18:49:25 openvpnserver[21598]:    max_clients = 100
18:49:25 openvpnserver[21598]:    cf_per = 0
18:49:25 openvpnserver[21598]:    cf_max = 0
18:49:25 openvpnserver[21598]:    duplicate_cn = DISABLED
18:49:25 openvpnserver[21598]:    enable_c2c = DISABLED
18:49:25 openvpnserver[21598]:    push_ifconfig_ipv6_remote = ::
18:49:25 openvpnserver[21598]:    push_ifconfig_ipv6_local = ::/0
18:49:25 openvpnserver[21598]:    push_ifconfig_ipv6_defined = DISABLED
18:49:25 openvpnserver[21598]:    push_ifconfig_remote_netmask = 0.0.0.0
18:49:25 openvpnserver[21598]:    push_ifconfig_local = 0.0.0.0
18:49:25 openvpnserver[21598]:    push_ifconfig_defined = DISABLED
18:49:25 openvpnserver[21598]:    tmp_dir = '/tmp'
18:49:25 openvpnserver[21598]:    ccd_exclusive = DISABLED
18:49:25 openvpnserver[21598]:    client_config_dir = '/var/ipfire/ovpn/ccd'
18:49:25 openvpnserver[21598]:    client_disconnect_script = '/usr/sbin/openvpn-metrics client-disconnect'
18:49:25 openvpnserver[21598]:    learn_address_script = '[UNDEF]'
18:49:25 openvpnserver[21598]:    client_connect_script = '/usr/sbin/openvpn-metrics client-connect'
18:49:25 openvpnserver[21598]:    virtual_hash_size = 256
18:49:25 openvpnserver[21598]:    real_hash_size = 256
18:49:25 openvpnserver[21598]:    tcp_queue_limit = 64
18:49:25 openvpnserver[21598]:    n_bcast_buf = 256
18:49:25 openvpnserver[21598]:    ifconfig_ipv6_pool_netbits = 0
18:49:25 openvpnserver[21598]:    ifconfig_ipv6_pool_base = ::
18:49:25 openvpnserver[21598]:    ifconfig_ipv6_pool_defined = DISABLED
18:49:25 openvpnserver[21598]:    ifconfig_pool_persist_refresh_freq = 3600
18:49:25 openvpnserver[21598]:    ifconfig_pool_persist_filename = '/var/ipfire/ovpn/ovpn-leases.db'
18:49:25 openvpnserver[21598]:    ifconfig_pool_netmask = 0.0.0.0
18:49:25 openvpnserver[21598]:    ifconfig_pool_end = 10.110.126.251
18:49:25 openvpnserver[21598]:    ifconfig_pool_start = 10.110.126.4
18:49:25 openvpnserver[21598]:    ifconfig_pool_defined = ENABLED
18:49:25 openvpnserver[21598]:    push_entry = 'ping-restart 60'
18:49:25 openvpnserver[21598]:    push_entry = 'ping 10'
18:49:25 openvpnserver[21598]:    push_entry = 'topology net30'
18:49:25 openvpnserver[21598]:    push_entry = 'route 10.110.126.1'
18:49:25 openvpnserver[21598]:    push_entry = 'dhcp-option DNS 192.168.200.1'
18:49:25 openvpnserver[21598]:    push_entry = 'dhcp-option DOMAIN domain.name'
18:49:25 openvpnserver[21598]:    server_bridge_pool_end = 0.0.0.0
18:49:25 openvpnserver[21598]:    server_bridge_pool_start = 0.0.0.0
18:49:25 openvpnserver[21598]:    server_bridge_netmask = 0.0.0.0
18:49:25 openvpnserver[21598]:    server_bridge_ip = 0.0.0.0
18:49:25 openvpnserver[21598]:    server_netbits_ipv6 = 0
18:49:25 openvpnserver[21598]:    server_network_ipv6 = ::
18:49:25 openvpnserver[21598]:    server_netmask = 255.255.255.0
18:49:25 openvpnserver[21598]:    server_network = 10.110.126.0
18:49:25 openvpnserver[21598]:    tls_crypt_v2_metadata = '[UNDEF]'
18:49:25 openvpnserver[21598]:    tls_exit = DISABLED
18:49:25 openvpnserver[21598]:    push_peer_info = DISABLED
18:49:25 openvpnserver[21598]:    single_session = DISABLED
18:49:25 openvpnserver[21598]:    transition_window = 3600
18:49:25 openvpnserver[21598]:    handshake_window = 60
18:49:25 openvpnserver[21598]:    renegotiate_seconds = 86400
18:49:25 openvpnserver[21598]:    renegotiate_packets = 0
18:49:25 openvpnserver[21598]:    renegotiate_bytes = -1
18:49:25 openvpnserver[21598]:    tls_timeout = 2
18:49:25 openvpnserver[21598]:    ssl_flags = 200
18:49:25 openvpnserver[21598]:    remote_cert_eku = '[UNDEF]'
18:49:25 openvpnserver[21598]:    remote_cert_ku[i] = 0
18:49:25 openvpnserver[21598]:    ns_cert_type = 0
18:49:25 openvpnserver[21598]:    crl_file = '/var/ipfire/ovpn/crls/cacrl.pem'
18:49:25 openvpnserver[21598]:    verify_x509_name = '[UNDEF]'
18:49:25 openvpnserver[21598]:    verify_x509_type = 0
18:49:25 openvpnserver[21598]:    tls_export_cert = '[UNDEF]'
18:49:25 openvpnserver[21598]:    tls_verify = '/usr/lib/openvpn/verify'
18:49:25 openvpnserver[21598]:    tls_cert_profile = '[UNDEF]'
18:49:25 openvpnserver[21598]:    cipher_list_tls13 = '[UNDEF]'
18:49:25 openvpnserver[21598]:    cipher_list = '[UNDEF]'
18:49:25 openvpnserver[21598]:    pkcs12_file = '[UNDEF]'
18:49:25 openvpnserver[21598]:    priv_key_file = '/var/ipfire/ovpn/certs/serverkey.pem'
18:49:25 openvpnserver[21598]:    extra_certs_file = '[UNDEF]'
18:49:25 openvpnserver[21598]:    cert_file = '/var/ipfire/ovpn/certs/servercert.pem'
18:49:25 openvpnserver[21598]:    dh_file = '/etc/ssl/ffdhe4096.pem'
18:49:25 openvpnserver[21598]:    ca_path = '[UNDEF]'
18:49:25 openvpnserver[21598]:    ca_file = '/var/ipfire/ovpn/ca/cacert.pem'
18:49:25 openvpnserver[21598]:    tls_client = DISABLED
18:49:25 openvpnserver[21598]:    tls_server = ENABLED
18:49:25 openvpnserver[21598]:    test_crypto = DISABLED
18:49:25 openvpnserver[21598]:    packet_id_file = '[UNDEF]'
18:49:25 openvpnserver[21598]:    replay_time = 15
18:49:25 openvpnserver[21598]:    replay_window = 64
18:49:25 openvpnserver[21598]:    mute_replay_warnings = DISABLED
18:49:25 openvpnserver[21598]:    replay = ENABLED
18:49:25 openvpnserver[21598]:    engine = DISABLED
18:49:25 openvpnserver[21598]:    keysize = 0
18:49:25 openvpnserver[21598]:    prng_nonce_secret_len = 16
18:49:25 openvpnserver[21598]:    prng_hash = 'SHA1'
18:49:25 openvpnserver[21598]:    authname = 'SHA512'
18:49:25 openvpnserver[21598]:    ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
18:49:25 openvpnserver[21598]:    ncp_enabled = DISABLED
18:49:25 openvpnserver[21598]:    ciphername = 'AES-256-GCM'
18:49:25 openvpnserver[21598]:    key_direction = not set
18:49:25 openvpnserver[21598]:    shared_secret_file = '[UNDEF]'
18:49:25 openvpnserver[21598]:    management_flags = 320
18:49:25 openvpnserver[21598]:    management_client_group = '[UNDEF]'
18:49:25 openvpnserver[21598]:    management_client_user = '[UNDEF]'
18:49:25 openvpnserver[21598]:    management_write_peer_info_file = '[UNDEF]'
18:49:25 openvpnserver[21598]:    management_echo_buffer_size = 100
18:49:25 openvpnserver[21598]:    management_log_history_cache = 250
18:49:25 openvpnserver[21598]:    management_user_pass = '[UNDEF]'
18:49:25 openvpnserver[21598]:    management_port = 'unix'
18:49:25 openvpnserver[21598]:    management_addr = '/var/run/openvpn.sock'
18:49:25 openvpnserver[21598]:    route 10.110.26.0/255.255.255.0/default (not set)/default (not set)
18:49:25 openvpnserver[21598]:    route 10.110.126.0/255.255.255.0/default (not set)/default (not set)
18:49:25 openvpnserver[21598]:    allow_pull_fqdn = DISABLED
18:49:25 openvpnserver[21598]:    route_gateway_via_dhcp = DISABLED
18:49:25 openvpnserver[21598]:    route_nopull = DISABLED
18:49:25 openvpnserver[21598]:    route_delay_defined = DISABLED
18:49:25 openvpnserver[21598]:    route_delay_window = 30
18:49:25 openvpnserver[21598]:    route_delay = 0
18:49:25 openvpnserver[21598]:    route_noexec = DISABLED
18:49:25 openvpnserver[21598]:    route_default_metric = 0
18:49:25 openvpnserver[21598]:    route_default_gateway = '[UNDEF]'
18:49:25 openvpnserver[21598]:    route_script = '[UNDEF]'
18:49:25 openvpnserver[21598]:    comp.flags = 0
18:49:25 openvpnserver[21598]:    comp.alg = 0
18:49:25 openvpnserver[21598]:    fast_io = DISABLED
18:49:25 openvpnserver[21598]:    sockflags = 0
18:49:25 openvpnserver[21598]:    mark = 0
18:49:25 openvpnserver[21598]:    sndbuf = 0
18:49:25 openvpnserver[21598]:    rcvbuf = 0
18:49:25 openvpnserver[21598]:    occ = ENABLED
18:49:25 openvpnserver[21598]:    status_file_update_freq = 30
18:49:25 openvpnserver[21598]:    status_file_version = 1
18:49:25 openvpnserver[21598]:    status_file = '/var/run/ovpnserver.log'
18:49:25 openvpnserver[21598]:    gremlin = 0
18:49:25 openvpnserver[21598]:    mute = 0
18:49:25 openvpnserver[21598]:    verbosity = 6
18:49:25 openvpnserver[21598]:    nice = 0
18:49:25 openvpnserver[21598]:    machine_readable_output = DISABLED
18:49:25 openvpnserver[21598]:    suppress_timestamps = DISABLED
18:49:25 openvpnserver[21598]:    log = DISABLED
18:49:25 openvpnserver[21598]:    inetd = 0
18:49:25 openvpnserver[21598]:    daemon = ENABLED
18:49:25 openvpnserver[21598]:    up_delay = DISABLED
18:49:25 openvpnserver[21598]:    up_restart = DISABLED
18:49:25 openvpnserver[21598]:    down_pre = DISABLED
18:49:25 openvpnserver[21598]:    down_script = '[UNDEF]'
18:49:25 openvpnserver[21598]:    up_script = '[UNDEF]'
18:49:25 openvpnserver[21598]:    writepid = '/var/run/openvpn.pid'
18:49:25 openvpnserver[21598]:    cd_dir = '[UNDEF]'
18:49:25 openvpnserver[21598]:    chroot_dir = '[UNDEF]'
18:49:25 openvpnserver[21598]:    groupname = 'nobody'
18:49:25 openvpnserver[21598]:    username = 'nobody'
18:49:25 openvpnserver[21598]:    resolve_in_advance = DISABLED
18:49:25 openvpnserver[21598]:    resolve_retry_seconds = 1000000000
18:49:25 openvpnserver[21598]:    passtos = DISABLED
18:49:25 openvpnserver[21598]:    persist_key = ENABLED
18:49:25 openvpnserver[21598]:    persist_remote_ip = DISABLED
18:49:25 openvpnserver[21598]:    persist_local_ip = DISABLED
18:49:25 openvpnserver[21598]:    persist_tun = ENABLED
18:49:25 openvpnserver[21598]:    remap_sigusr1 = 0
18:49:25 openvpnserver[21598]:    ping_timer_remote = DISABLED
18:49:25 openvpnserver[21598]:    ping_rec_timeout_action = 2
18:49:25 openvpnserver[21598]:    ping_rec_timeout = 120
18:49:25 openvpnserver[21598]:    ping_send_timeout = 10
18:49:25 openvpnserver[21598]:    inactivity_minimum_bytes = 0
18:49:25 openvpnserver[21598]:    inactivity_timeout = 0
18:49:25 openvpnserver[21598]:    keepalive_timeout = 60
18:49:25 openvpnserver[21598]:    keepalive_ping = 10
18:49:25 openvpnserver[21598]:    mlock = DISABLED
18:49:25 openvpnserver[21598]:    mtu_test = 0
18:49:25 openvpnserver[21598]:    shaper = 0
18:49:25 openvpnserver[21598]:    ifconfig_ipv6_remote = '[UNDEF]'
18:49:25 openvpnserver[21598]:    ifconfig_ipv6_netbits = 0
18:49:25 openvpnserver[21598]:    ifconfig_ipv6_local = '[UNDEF]'
18:49:25 openvpnserver[21598]:    ifconfig_nowarn = DISABLED
18:49:25 openvpnserver[21598]:    ifconfig_noexec = DISABLED
18:49:25 openvpnserver[21598]:    ifconfig_remote_netmask = '10.110.126.2'
18:49:25 openvpnserver[21598]:    ifconfig_local = '10.110.126.1'
18:49:25 openvpnserver[21598]:    topology = 1
18:49:25 openvpnserver[21598]:    lladdr = '[UNDEF]'
18:49:25 openvpnserver[21598]:    dev_node = '[UNDEF]'
18:49:25 openvpnserver[21598]:    dev_type = '[UNDEF]'
18:49:25 openvpnserver[21598]:    dev = 'tun'
18:49:25 openvpnserver[21598]:    ipchange = '[UNDEF]'
18:49:25 openvpnserver[21598]:    remote_random = DISABLED
18:49:25 openvpnserver[21598]:  Connection profiles END
18:49:25 openvpnserver[21598]:    tls_crypt_v2_file = '[UNDEF]'
18:49:25 openvpnserver[21598]:    tls_crypt_file = '[UNDEF]'
18:49:25 openvpnserver[21598]:    key_direction = not set
18:49:25 openvpnserver[21598]:    tls_auth_file = '[INLINE]'
18:49:25 openvpnserver[21598]:    explicit_exit_notification = 0
18:49:25 openvpnserver[21598]:    mssfix = 0
18:49:25 openvpnserver[21598]:    fragment = 0
18:49:25 openvpnserver[21598]:    mtu_discover_type = -1
18:49:25 openvpnserver[21598]:    tun_mtu_extra_defined = DISABLED
18:49:25 openvpnserver[21598]:    tun_mtu_extra = 0
18:49:25 openvpnserver[21598]:    link_mtu_defined = DISABLED
18:49:25 openvpnserver[21598]:    link_mtu = 1500
18:49:25 openvpnserver[21598]:    tun_mtu_defined = ENABLED
18:49:25 openvpnserver[21598]:    tun_mtu = 1470
18:49:25 openvpnserver[21598]:    socks_proxy_port = '[UNDEF]'
18:49:25 openvpnserver[21598]:    socks_proxy_server = '[UNDEF]'
18:49:25 openvpnserver[21598]:    connect_timeout = 120
18:49:25 openvpnserver[21598]:    connect_retry_seconds = 5
18:49:25 openvpnserver[21598]:    bind_ipv6_only = DISABLED
18:49:25 openvpnserver[21598]:    bind_local = ENABLED
18:49:25 openvpnserver[21598]:    bind_defined = DISABLED
18:49:25 openvpnserver[21598]:    remote_float = DISABLED
18:49:25 openvpnserver[21598]:    remote_port = '1194'
18:49:25 openvpnserver[21598]:    remote = '[UNDEF]'
18:49:25 openvpnserver[21598]:    local_port = '1194'
18:49:25 openvpnserver[21598]:    local = '[UNDEF]'
18:49:25 openvpnserver[21598]:    proto = udp
18:49:25 openvpnserver[21598]:  Connection profiles [0]:
18:49:25 openvpnserver[21598]:    connect_retry_max = 0
18:49:25 openvpnserver[21598]:    show_tls_ciphers = DISABLED
18:49:25 openvpnserver[21598]:    key_pass_file = '[UNDEF]'
18:49:25 openvpnserver[21598]:    genkey_filename = '[UNDEF]'
18:49:25 openvpnserver[21598]:    genkey = DISABLED
18:49:25 openvpnserver[21598]:    show_engines = DISABLED
18:49:25 openvpnserver[21598]:    show_digests = DISABLED
18:49:25 openvpnserver[21598]:    show_ciphers = DISABLED
18:49:25 openvpnserver[21598]:    persist_mode = 1
18:49:25 openvpnserver[21598]:    persist_config = DISABLED
18:49:25 openvpnserver[21598]:    mode = 1
18:49:25 openvpnserver[21598]:    config = '/var/ipfire/ovpn/server.conf'
18:49:25 openvpnserver[21598]:  Current Parameter Settings:
18:49:25 openvpnserver[21598]:  WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
18:49:25 openvpnserver[21598]:  DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6

If you can see something similar when you stop then start the server, presuming that the server actually successfully starts, then you should also see lines in the log for when the RW connection is attempted.

I never did the rename thing. I built it from scratch, and restored. Then I disconnected the old hardware and plugged in the new.

The only thing I had to do was get the ISP to clear the lease and re-DHCP.

But, the dynamic dhcp seems to be ok.

To be clear, the log I referred to earlier, was the Roadwarrior log.

Yes it says it is running.

I stopped it. Started it.

I see none of the logs in WUI show anything about VPN. (Or, I simply don’t know which to look at and how.)

And, the ovpn file created in the WUI apparently isn’t valid anymore (or the Android Connect app has a bug…). It apparently wants the ta key in the ovpn file.

You need to look in the WUI (Web User Interface) - press the menu item labelled Logs on the top menu line - right hand most menu item.

[screenshot of the WUI Logs menu]
Then select the bottom most menu on that list labelled System Logs.

That will show the following screen.

In the drop down box labelled Section select the option labelled OpenVPN

and then press the button labelled Update and this will then show the OpenVPN Logs.


In your earlier comment about the client log you only mentioned

but now you mention that

If the client is expecting the ta.key file to be present and the server is not presenting it then this will cause the connection to fail.

That sounds like your server setup has not matched the setup as was originally defined in the old working IPFire system and that your clients will be expecting.

On your OpenVPN WUI page do you have the checkbox labelled “TLS Channel Protection:” checked as shown here

or not.

If the client profile is expecting the ta.key file then that checkbox needs to be checked on the IPFire server and the Hash algorithm box needs to have the same hash algorithm selected as when the certificates were originally created.

All of these would be defined from the restore from the backup.

If these are different that would suggest that the backup you restored from is an older or different one where those options were not selected as expected by your client(s).

What Core Update were you running on your old working system?

I presume that you installed the Core Update 182 version into your new system.

On your old working system did you run the backup WUI option just before installing the Core Update 182 into your new system and did you download the correct backup from that IPFire to your PC that is running the Web User Interface system?

Thanks for the instructions on getting the logs for OpenVPN.
This from the stop/start yesterday.
OpenVPN-log.txt.zip (1.7 KB)

The client (in this case an Android using OpenVPN Connect) was using the .ovpn file successfully on the phone before I updated the server.
I noted that in the meantime, the app had been updated. So, I attempted to re-load the .ovpn and this is when I saw the issue with not finding the ta.key file. So, this is newly observed.

I don’t think the TLS checkbox has been changed.

The process of restore. I updated the old server to the current core at the time. I then made a full backup. I installed the same core on the new hardware. Then, to avoid introducing the new hardware into my network with the same name, I used a crossover cable to connect to the WUI and restored the backup.

Since I only have 2 devices ( 1 phone and 1 laptop) to setup as road warrior, I have no problem deleting the existing certs and creating new. But, not sure how to generate what the phone app wants. And, testing the laptop is difficult since I have no alternative way to connect from outside my LAN.

From that log I can see

Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication

So that indicates that you do have the TLS Checkbox ticked.

You can also see people trying to access the OpenVPN server from the internet and they are being dropped because they are not providing the ta.key info which is required first before the actual data channel setup is even attempted.

TLS Error: cannot locate HMAC in incoming packet from [AF_INET]223.113.128.133:49275

So if your server has the TLS Channel Protection enabled and that has not changed then your client profiles must all have the ta.key file as well.

So if your client is saying that it can’t find the ta.key file then something must have changed in that client that means it is no longer finding it wherever you placed it on your android phone file system.

Check the location where you have the connection info stored on your phone. There should be the .ovpn file, the .p12 certificate set file and the ta.key file.

If the ta.key file is still where it was when you originally set up your client connection then the client is no longer seeing it and you will need to remake the client connection on the android phone and tell it where the ta.key file is stored.

Can you provide a copy of the log file from the OpenVPN Connect App. I don’t know where that app keeps the log info but it must be available somewhere. On my OpenVPN for Android App it provides a page with the log info in it which I can then copy into a file and download from my phone to my PC.
That log file must have more details about the problem with the ta.key file that the App is having.
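The post above reads the server log by eye: the two "Control Channel Authentication ... SHA512" lines prove TLS Channel Protection is on, and the "cannot locate HMAC" lines are unauthenticated internet probes being dropped before any TLS handshake. The script below is an added example (not IPFire or OpenVPN project code) that does the same triage over the WUI log format shown in this thread: it confirms the server reached "Initialization Sequence Completed" and tallies HMAC drops per source address, so a genuine client failure (which would appear as a TLS error from your own client's address) can be told apart from background noise. The sample log lines and the 203.0.113.x / 198.51.100.x addresses are constructed for the example.

```python
"""Triage the IPFire OpenVPN server log (WUI: Logs > System Logs > OpenVPN).

Added example, not IPFire code. Works on the line format the WUI shows:
    HH:MM:SS openvpnserver[PID]:  message
"""
import re
from collections import Counter

# One WUI log line: timestamp, daemon name with pid, then the message.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) openvpnserver\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

# Packets rejected because they carry no tls-auth HMAC (unauthenticated probes).
HMAC_RE = re.compile(
    r"TLS Error: cannot locate HMAC in incoming packet from "
    r"\[AF_INET\](?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)"
)


def triage(lines):
    """Summarise a list of log lines.

    Returns a dict with:
      server_started       -- True once "Initialization Sequence Completed" is seen
      hmac_drops_by_source -- {source_ip: count} of packets dropped for a missing HMAC
      unparsed_lines       -- lines that do not match the WUI format at all
    """
    started = False
    hmac_drops = Counter()
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        msg = m.group("msg")
        if msg == "Initialization Sequence Completed":
            started = True
        h = HMAC_RE.search(msg)
        if h:
            hmac_drops[h.group("ip")] += 1
    return {
        "server_started": started,
        "hmac_drops_by_source": dict(hmac_drops),
        "unparsed_lines": unparsed,
    }


# Constructed sample: startup lines in the thread's format plus three probe
# drops from two documentation-range addresses, and one line of junk.
SAMPLE_LOG = """\
18:49:25 openvpnserver[21598]:  OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 19 2023
18:49:25 openvpnserver[21599]:  Initialization Sequence Completed
18:52:01 openvpnserver[21599]:  TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:49275
18:52:03 openvpnserver[21599]:  TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:49276
18:53:10 openvpnserver[21599]:  TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.23:51000
garbage line that is not from openvpn
""".splitlines()


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("server started:", summary["server_started"])
    for ip, n in sorted(summary["hmac_drops_by_source"].items()):
        print(f"{ip}: {n} packet(s) dropped for missing tls-auth HMAC")
    print("unparsed lines:", summary["unparsed_lines"])
```

To use it on a real system, paste the OpenVPN section from the WUI system log into a file and pass `open(path).read().splitlines()` to `triage`. A source address that shows up under `hmac_drops_by_source` and is also your own phone's public address would mean the client is sending packets without the ta.key, which matches the profile problem discussed in this thread rather than an internet scanner.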

I finally figured out what I was doing wrong when trying to import the .ovpn file. Now I get to the point where it wants me to select a certificate from the Android keychain.

If I select continue without, it say OpenSSLContext: CA not defined.

If I select the one offered it fails as well.

Logfile from phone:

[Feb 05, 2024, 10:36:36] ----- OpenVPN Start -----

[Feb 05, 2024, 10:36:36] EVENT: CORE_THREAD_ACTIVE

[Feb 05, 2024, 10:36:36] OpenVPN core 3.8.4connectX(3.git::c424d46c:RelWithDebInfo) android arm64 64-bit PT_PROXY

[Feb 05, 2024, 10:36:36] Frame=512/2112/512 mssfix-ctrl=1250

[Feb 05, 2024, 10:36:36] NOTE: This configuration contains options that were not used:

[Feb 05, 2024, 10:36:36] Internal option allowed only to be pushed by the server

[Feb 05, 2024, 10:36:36] 17 [auth-token-user] [USER]

[Feb 05, 2024, 10:36:36] 18 [auth-token] [TOTP]

[Feb 05, 2024, 10:36:36] EVENT: CORE_THREAD_ERROR info='option_error: sorry, unsupported options present in configuration: Internal option allowed only to be pushed by the server (auth-token,auth-token-user)'

[Feb 05, 2024, 10:36:36] EVENT: CORE_THREAD_DONE
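The phone log above pins the failure to two directives in the static profile, `auth-token-user` and `auth-token`, which OpenVPN Connect refuses to accept from a file because they may only be pushed by the server; earlier in the thread the same profile was also reported to lack the ta.key and, when imported without a certificate, to fail with "OpenSSLContext: CA not defined". The checker below is an added example (not IPFire or OpenVPN project code) that inspects an `.ovpn` text for those three conditions before it is imported: server-push-only options present in the file, no CA source (`ca` file, inline `<ca>` block, or `pkcs12`), and no `tls-auth` material when the server has TLS Channel Protection enabled. The sample profile, its placeholder key and certificate bodies, and the host `vpn.example.invalid` are constructed for the example.

```python
"""Sanity-check an OpenVPN client profile (.ovpn) before importing it.

Added example, not IPFire or OpenVPN project code. Pure text inspection;
it does not validate the certificate or key contents themselves.
"""
import re

# Options the OpenVPN Connect log reported as "allowed only to be pushed by the server".
SERVER_PUSH_ONLY = {"auth-token", "auth-token-user"}

# Inline blocks such as <ca>...</ca> or <tls-auth>...</tls-auth> (re.S spans lines).
INLINE_BLOCK_RE = re.compile(r"<(?P<name>[a-z0-9-]+)>(?P<body>.*?)</(?P=name)>", re.S)


def parse_profile(text):
    """Return (directives, inline_blocks).

    directives: list of (option, [args]) in file order, comment lines skipped.
    inline_blocks: dict block name -> body text, for <ca>, <tls-auth>, <cert>, ...
    """
    inline = {m.group("name"): m.group("body").strip() for m in INLINE_BLOCK_RE.finditer(text)}
    stripped = INLINE_BLOCK_RE.sub("", text)
    directives = []
    for raw in stripped.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN treats '#' and ';' lines as comments
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives, inline


def check_profile(text, server_tls_auth=True):
    """Return a dict of findings; an empty dict means nothing obvious is wrong.

    server_tls_auth: whether the server has TLS Channel Protection (tls-auth)
    enabled, in which case the client also needs the ta.key.
    """
    directives, inline = parse_profile(text)
    options = {name for name, _ in directives}
    findings = {}

    rejected = sorted(options & SERVER_PUSH_ONLY)
    if rejected:
        findings["rejected_options"] = rejected  # strip these before importing

    # A CA must come from a 'ca' file, an inline <ca> block, or a PKCS#12 bundle;
    # otherwise the client reports "CA not defined".
    if "ca" not in options and "ca" not in inline and "pkcs12" not in options:
        findings["ca_missing"] = True

    if server_tls_auth:
        if "tls-auth" in inline:
            pass  # key is embedded in the profile; nothing else to ship to the phone
        elif "tls-auth" in options:
            args = dict(directives)["tls-auth"]
            # Referenced as a file: it must sit next to the profile on the device.
            findings["tls_auth_file"] = args[0] if args else None
        else:
            findings["tls_auth_missing"] = True

    if "remote" not in options:
        findings["remote_missing"] = True
    return findings


# Constructed sample in the shape the thread describes: inline CA and tls-auth,
# plus the two options the phone app rejected. Bodies are placeholders, not keys.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
auth-token-user USER
auth-token TOTP
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(constructed placeholder)
-----END OpenVPN Static key V1-----
</tls-auth>
"""


if __name__ == "__main__":
    for key, value in check_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```

Run against a real profile with `check_profile(open("client.ovpn").read())`, passing `server_tls_auth=False` only if the TLS Channel Protection checkbox on the server is unticked. A `tls_auth_file` finding is the situation described earlier in the thread: the profile references `ta.key` by name, so the phone must be told where that file lives or the key must be embedded inline instead.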

Can you follow this tutorial (ignoring the iOS part)?


I followed that tutorial.

The order of putting in the password was different, but it created the profile.

Attempting to connect fails after asking to select a certificate and selecting the one added during this procedure.

This may have something to do with what’s happening:

I note in the WUI OpenVPN that the download icons for Root/Host/TLS-Authentication-Key are greyed out.

I’m not sure how to proceed.

Should I attempt to generate new certificates?

Should I remove OpenVPN and start over?

In these cases, I start over from step 0.

How do I remove the diffie-Hellman parameters?

Stop the server and click on remove x509

Yes, did that and the DH is still there: