I had a backup (IPF) from a working machine. VPN was configured with OpenVPN and I could access / dial in from my mobile phone. After a hardware failure I reinstalled 158 again from scratch and restored my IPF. It’s showing the same configuration as I had before but it’s not working.
Can it be that one of the certificates is now wrong because the box generated a set of new keys upon the first start?
How can I debug that?
Thanks a lot in advance,
Your restore from your backup will replace all the certificates, conf files etc to the state they were in when the backup was done.
When you say it is not working do you mean that your client fails to connect or that it connects but then fails with the certificate handshake or what?
What messages are in the OpenVPN server log and in your OpenVPN client log?
The OpenVPN server log can be accessed from the Logs - System Logs menu and selecting OpenVPN in the dropdown box and then pressing Update.
Was the backup you restored from, from Core Update 158 or recent or from a much older Core Update?
I had a similar problem after restoring from a backup. OpenVPN clients could no longer connect.
On the client side, the connection log showed:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed.
In IPFire, I found in /var/log/messages the following:
ipfire openvpnserver: … VERIFY ERROR: depth=0, error=CRL has expired: C=redacted, ST=redacted, O=redacted, CN=redacted, serial=16
I checked the CRL in the OpenVPN server settings using the button “Show certificate revocation list”, and saw that the “Next Update” value was in the past. I then followed the instructions on https://wiki.ipfire.org/configuration/services/openvpn/config/upload_gen to renew the CRL. After the CRL was renewed, clients could again connect.
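The "Next Update" check described in the last post can also be run from a shell. This is an added example, not part of the thread and not IPFire's own tooling. It assumes the openssl CLI and GNU date are installed; the CRL file path is passed as an argument because the thread does not give it, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether an OpenVPN CRL is past its nextUpdate time.
# Usage: sh crl_check.sh /path/to/crl.pem   (placeholder path, not from the thread)

# Convert the "nextUpdate=..." line printed by `openssl crl -nextupdate`
# into seconds since the epoch. Relies on GNU date (-d).
next_update_epoch() {
    local line="$1"
    local stamp="${line#nextUpdate=}"
    [ "$stamp" != "$line" ] || return 1      # not a nextUpdate line
    date -u -d "$stamp" +%s 2>/dev/null
}

# Classify a CRL from its nextUpdate line.
# $1 = nextUpdate line, $2 = "now" in epoch seconds, $3 = warning window in days
# Prints one of: expired | expiring | ok | unparseable
crl_status() {
    local line="$1"
    local now="$2"
    local warn_days="${3:-14}"
    local next
    next=$(next_update_epoch "$line") || { echo unparseable; return 0; }
    [ -n "$next" ] || { echo unparseable; return 0; }
    if [ "$next" -le "$now" ]; then
        echo expired                         # server rejects clients: "CRL has expired"
    elif [ $(( next - now )) -le $(( warn_days * 86400 )) ]; then
        echo expiring                        # renew before clients start failing
    else
        echo ok
    fi
}

# Read nextUpdate from a CRL file and print the verdict.
# Returns 0 only when the CRL is still comfortably valid.
check_crl_file() {
    local file="$1"
    local line
    local status
    line=$(openssl crl -in "$file" -noout -nextupdate) || return 2
    status=$(crl_status "$line" "$(date +%s)" 14)
    echo "$file: $line -> $status"
    [ "$status" = ok ]
}

if [ "$#" -ge 1 ]; then check_crl_file "$1"; fi
```

A result of `expired` corresponds to the `VERIFY ERROR ... CRL has expired` line in the server log, while the client only sees the generic TLS handshake timeout.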