VPN clients won't connect

I never did the rename thing. I built it from scratch, and restored. Then I disconnected the old hardware and plugged in the new.

The only thing I had to do was get the ISP to clear the lease and re-DHCP.

But, the dynamic dhcp seems to be ok.

To be clear, the log I referred to earlier, was the Roadwarrior log.

Yes it says it is running.

I stopped it. Started it.

I see none of the logs in WUI show anything about VPN. (Or, I simply don’t know which to look at and how.)

And, the ovpn file created in WUI apparently isn’t valid anymore. (Or the Android Connect has a bug…) It apparently wants the ta key in the ovpn file.

You need to look in the WUI (Web User Interface) - press the menu item labelled Logs on the top menu line - right hand most menu item.

Then select the bottom most menu on that list labelled System Logs.

That will show the following screen.

In the drop down box labelled Section select the option labelled OpenVPN

and then press the button labelled Update and this will then show the OpenVPN Logs.


In your earlier comment about the client log you only mentioned

but now you mention that

If the client is expecting the ta.key file to be present and the server is not presenting it then this will cause the connection to fail.

That sounds like your server setup has not matched the setup as was originally defined in the old working IPFire system and that your clients will be expecting.

On your OpenVPN WUI page do you have the checkbox labelled “TLS Channel Protection:” checked as shown here

or not.

If the client profile is expecting the ta.key file then that checkbox needs to be checked on the IPFire server and the Hash algorithm box needs to have the same hash algorithm selected as when the certificates were originally created.

All of these would be defined from the restore from the backup.

If these are different that would suggest that the backup you restored from is an older or different one where those options were not selected as expected by your client(s).

What Core Update were you running on your old working system?

I presume that you installed the Core Update 182 version into your new system.

On your old working system did you run the backup WUI option just before installing the Core Update 182 into your new system and did you download the correct backup from that IPFire to your PC that is running the Web User Interface system?

Thanks for the instructions on getting the logs for OpenVPN.
This from the stop/start yesterday.
OpenVPN-log.txt.zip (1.7 KB)

The client (in this case an Android using OpenVPN Connect) was using the .ovpn file successfully on the phone before I updated the server.
I noted that in the meantime, the app had been updated. So, I attempted to re-load the .ovpn and this is when I saw the issue with not finding the ta.key file. So, this is newly observed.

I don’t think the TLS checkbox has been changed.

The process of restore. I updated the old server to the current core at the time. I then made a full backup. I installed the same core on the new hardware. Then, to avoid introducing the new hardware into my network with the same name, I used a crossover cable to connect to the WUI and restored the backup.

Since I only have 2 devices (1 phone and 1 laptop) to set up as road warrior, I have no problem deleting the existing certs and creating new. But, not sure how to generate what the phone app wants. And, testing the laptop is difficult since I have no alternative way to connect from outside my LAN.

From that log I can see

Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication

So that indicates that you do have the TLS Checkbox ticked.

You can also see people trying to access the OpenVPN server from the internet and they are being dropped because they are not providing the ta.key info which is required first before the actual data channel setup is even attempted.

TLS Error: cannot locate HMAC in incoming packet from [AF_INET]223.113.128.133:49275

So if your server has the TLS Channel Protection enabled and that has not changed then your client profiles must all have the ta.key file as well.

So if your client is saying that it can’t find the ta.key file then something must have changed in that client that means it is no longer finding it wherever you placed it on your android phone file system.

Check the location where you have the connection info stored on your phone. There should be the .ovpn file, the .p12 certificate set file and the ta.key file.

If the ta.key file is still where it was when you originally set up your client connection then the client is no longer seeing it and you will need to remake the client connection on the android phone and tell it where the ta.key file is stored.

Can you provide a copy of the log file from the OpenVPN Connect App. I don’t know where that app keeps the log info but it must be available somewhere. On my OpenVPN for Android App it provides a page with the log info in it which I can then copy into a file and download from my phone to my PC.
That log file must have more details about the problem with the ta.key file that the App is having.
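The reply above reads the server log by hand: the two "Control Channel Authentication ... HMAC" lines prove TLS Channel Protection (tls-auth) is on, and every "cannot locate HMAC" line is a packet the server discarded before any TLS handshake because the sender had no ta.key. The script below, an added example that is not from the thread or from IPFire, automates that triage over a constructed sample log. The log lines use the same message texts quoted in the thread, but the timestamps, the `openvpnserver[1234]` syslog prefix and the documentation-range source addresses are all made up, and the regexes only match on the OpenVPN message body so the prefix does not matter.

```python
import re
from collections import Counter

# Constructed sample in the shape of an IPFire OpenVPN server log (documentation
# IP ranges; not the addresses or timestamps from the thread).
SAMPLE_LOG = """\
Feb  5 10:30:01 ipfire openvpnserver[1234]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb  5 10:30:01 ipfire openvpnserver[1234]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb  5 10:31:12 ipfire openvpnserver[1234]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.23:49275
Feb  5 10:31:15 ipfire openvpnserver[1234]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.23:49276
Feb  5 10:32:40 ipfire openvpnserver[1234]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.9:5120
Feb  5 10:35:02 ipfire openvpnserver[1234]: 192.0.2.77:61001 TLS: Initial packet from [AF_INET]192.0.2.77:61001, sid=deadbeef 01020304
"""

# tls-auth is active when OpenVPN logs an HMAC hash for BOTH control-channel directions.
HMAC_RE = re.compile(
    r"(Incoming|Outgoing) Control Channel Authentication: "
    r"Using (\d+) bit message hash '([A-Za-z0-9]+)' for HMAC authentication")
# Packet rejected before the handshake: sender did not present the ta.key HMAC.
NO_HMAC_RE = re.compile(
    r"TLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]([0-9.]+):(\d+)")
# A peer that did carry a valid HMAC and got as far as the TLS handshake.
INITIAL_RE = re.compile(r"TLS: Initial packet from \[AF_INET\]([0-9.]+):(\d+)")


def tls_auth_status(log_text):
    """Report whether the log shows TLS Channel Protection (tls-auth) active.

    The hash name is what the client profile's `auth` line must match.
    """
    seen = {}
    for m in HMAC_RE.finditer(log_text):
        seen[m.group(1)] = (int(m.group(2)), m.group(3))
    enabled = "Incoming" in seen and "Outgoing" in seen
    bits, hash_name = seen["Incoming"] if enabled else (None, None)
    return {"enabled": enabled, "hash": hash_name, "bits": bits}


def dropped_without_hmac(log_text):
    """Count, per source IP, packets discarded for lacking the ta.key HMAC."""
    return Counter(m.group(1) for m in NO_HMAC_RE.finditer(log_text))


def handshakes_started(log_text):
    """Source IPs that passed the HMAC check and reached the TLS handshake."""
    return sorted({m.group(1) for m in INITIAL_RE.finditer(log_text)})


def triage(log_text):
    """One-shot summary for a 'my client will not connect' report."""
    return {
        "tls_auth": tls_auth_status(log_text),
        "dropped_sources": dict(dropped_without_hmac(log_text)),
        "handshake_sources": handshakes_started(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Read the output the way the reply does: if `tls_auth.enabled` is true, any client whose own address only ever appears under `dropped_sources` is sending packets without the ta.key HMAC, which is exactly the symptom of a profile that lost its ta.key. Addresses you do not recognise under `dropped_sources` are the internet background noise the reply mentions; the server never gives them a TLS handshake.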

I finally figured out what I was doing wrong when trying to import the .ovpn file. Now I get to the point where it wants me to select a certificate from the Android keychain.

If I select continue without, it says OpenSSLContext: CA not defined.

If I select the one offered it fails as well.

Logfile from phone:

[Feb 05, 2024, 10:36:36] ----- OpenVPN Start -----
[Feb 05, 2024, 10:36:36] EVENT: CORE_THREAD_ACTIVE
[Feb 05, 2024, 10:36:36] OpenVPN core 3.8.4connectX(3.git::c424d46c:RelWithDebInfo) android arm64 64-bit PT_PROXY
[Feb 05, 2024, 10:36:36] Frame=512/2112/512 mssfix-ctrl=1250
[Feb 05, 2024, 10:36:36] NOTE: This configuration contains options that were not used:
[Feb 05, 2024, 10:36:36] Internal option allowed only to be pushed by the server
[Feb 05, 2024, 10:36:36] 17 [auth-token-user] [USER]
[Feb 05, 2024, 10:36:36] 18 [auth-token] [TOTP]
[Feb 05, 2024, 10:36:36] EVENT: CORE_THREAD_ERROR info='option_error: sorry, unsupported options present in configuration: Internal option allowed only to be pushed by the server (auth-token,auth-token-user)'
[Feb 05, 2024, 10:36:36] EVENT: CORE_THREAD_DONE
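The phone log above fails on profile parsing, before any packet is sent: OpenVPN Connect refuses a profile that carries `auth-token` and `auth-token-user` as plain options. Earlier in the thread the same app could not find the ta.key file that the profile references, and "CA not defined" appears when no certificate is supplied. The checker below is an added example, not code from the thread or from IPFire. It walks a constructed road-warrior profile, reports those three classes of problem as finding codes, and shows the usual cure for the missing-file problem: inlining the ta.key as a `<tls-auth>` block so the app no longer has to locate a separate file. The sample profile, the placeholder key body and the `vpn.example.invalid` host are made up; the set of options it strips is taken from the error text in the log, and stripping them assumes the server does not require the 2FA token for this client.

```python
import re

# Constructed sample profile (not the poster's export): IPFire-style road-warrior
# settings plus the two options the Android app rejected in the thread's log.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
pkcs12 client.p12
tls-auth ta.key
auth SHA512
cipher AES-256-CBC
auth-token-user USER
auth-token TOTP
verb 3
"""

# Constructed placeholder; a real ta.key body is 2048 bits of hex, not this.
SAMPLE_TA_KEY = """\
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
"""

# Options the client log says are "allowed only to be pushed by the server".
SERVER_PUSH_ONLY = {"auth-token", "auth-token-user"}

# Inline material such as <ca>...</ca> or <tls-auth>...</tls-auth>.
BLOCK_RE = re.compile(r"<(?P<tag>[a-z-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)


def parse_profile(text):
    """Split a profile into {option: [args...]} and {tag: inline body}."""
    blocks = {m.group("tag"): m.group("body") for m in BLOCK_RE.finditer(text)}
    options = {}
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # skip blanks and comments
            continue
        name, *args = line.split()
        options.setdefault(name, []).append(args)
    return options, blocks


def check_profile(text):
    """Return finding codes; an empty list means the profile passes all checks."""
    options, blocks = parse_profile(text)
    findings = []
    # A server with TLS Channel Protection drops every packet that lacks the
    # ta.key HMAC, so the profile must carry the key: by file reference (which
    # the app has to be able to find) or inline.
    if "tls-auth" in options:
        for args in options["tls-auth"]:
            if args:
                findings.append("TLS_AUTH_FILE_REF:" + args[0])
    elif "tls-auth" not in blocks and "tls-crypt" not in options and "tls-crypt" not in blocks:
        findings.append("TLS_AUTH_MISSING")
    # Without a CA (standalone or bundled in the .p12) the TLS context cannot be built.
    if "ca" not in options and "ca" not in blocks and "pkcs12" not in options:
        findings.append("CA_MISSING")
    for name in sorted(SERVER_PUSH_ONLY & options.keys()):
        findings.append("UNSUPPORTED_OPTION:" + name)
    return findings


def rewrite_profile(text, key_text):
    """Inline the referenced ta.key and drop options the app refuses to load."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "tls-auth" and len(parts) >= 2:
            if len(parts) >= 3:  # `tls-auth file dir` keeps its direction
                out.append("key-direction " + parts[2])
            out.extend(["<tls-auth>", key_text.strip(), "</tls-auth>"])
        elif parts and parts[0] in SERVER_PUSH_ONLY:
            continue
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", check_profile(SAMPLE_PROFILE))
    fixed = rewrite_profile(SAMPLE_PROFILE, SAMPLE_TA_KEY)
    print("after: ", check_profile(fixed))
```

Run against a real export, `TLS_AUTH_FILE_REF:ta.key` is the hint to look for when an app reports it cannot find the key: either ship the file next to the profile and tell the app where it is, as the reply above suggests, or inline it with `rewrite_profile` so there is nothing to find.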

Can you follow this tutorial (ignoring the iOS part)?


I followed that tutorial.

The order of putting in the password was different, but it created the profile.

Attempting to connect fails after asking to select a certificate and selecting the one added during this procedure.

This may have something to do with what’s happening:

I note in the WUI OpenVPN that the download icons for Root/Host/TLS-Authentication-Key are greyed out.

I’m not sure how to proceed.

Should I attempt to generate new certificates?

Should I remove OpenVPN and start over?

In these cases, I start over from step 0.

How do I remove the Diffie-Hellman parameters?

Stop the server and click on remove x509

Yes, did that and the DH is still there:

It is a fixed parameter since some Core Updates ago.


Forgot about that. See this:

OpenVPN is automatically reconfigured to use a secure Diffie-Hellman parameter, both of sufficient length of 4,096 bit and standardized (see RFC 7919, section A.3, bug #12632). All OpenVPN clients and peers will automatically benefit from this cryptography improvement; no manual action is required. This also obsoletes the necessity of generating or uploading Diffie-Hellman parameters while configuring OpenVPN, saving a lot of time, as the generation of such parameters could have taken hours on slower hardware.


In the past I did not have a dynamic dns. I do now. Is it best to use that in the cert generation?

Ok, new certs new roadwarrior. No connect.

Log from the phone:

[Feb 06, 2024, 14:25:21] OpenVPN core 3.8.4connectX(3.git::c424d46c:RelWithDebInfo) android arm64 64-bit PT_PROXY
[Feb 06, 2024, 14:25:21] ----- OpenVPN Start -----
[Feb 06, 2024, 14:25:21] EVENT: CORE_THREAD_ACTIVE
[Feb 06, 2024, 14:25:21] Frame=512/2112/512 mssfix-ctrl=1250
[Feb 06, 2024, 14:25:21] NOTE: This configuration contains options that were not used:
[Feb 06, 2024, 14:25:21] Internal option allowed only to be pushed by the server
[Feb 06, 2024, 14:25:21] 17 [auth-token-user] [USER]
[Feb 06, 2024, 14:25:21] 18 [auth-token] [TOTP]
[Feb 06, 2024, 14:25:21] EVENT: CORE_THREAD_ERROR info='option_error: sorry, unsupported options present in configuration: Internal option allowed only to be pushed by the server (auth-token,auth-token-user)'
[Feb 06, 2024, 14:25:21] EVENT: CORE_THREAD_DONE

Please follow the tutorial to the letter, the 2FA authentication is not supported by OpenVPN Connect.

Create roadwarrior tutorial?

The tutorial I linked previously, contains a roadwarrior setting for Android and iOS.

No change, won’t connect.