VPN RoadWarrior Connection Fritzbox --> IPFIRE --> Ipfire (red) --> Ipfire (blue)

Then you didn’t select the TLS Channel Protection checkbox on the Global Settings page for the OpenVPN server.

If you select that checkbox then when you create the client connection, the ta.key is included in the zip file.

I have now added it to the command line in Manjaro:
When trying to connect, this comes up: The VPN connection could not be established because there are no valid VPN secrets…

Did you create the client connection originally with a password or without?

Before you got the message about “no valid VPN secrets” did you get asked for the password?

Or, are you 100% sure that you typed in the same password as when you created the client connection?

The password now matches, but a new message appears, the connection cannot be established.
Is there something missing in the kernel?

2023-05-23 21:59:07 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2023-05-23 21:59:07 WARNING: file 'Javier.p12' is group or others accessible
2023-05-23 21:59:07 WARNING: file 'ta.key' is group or others accessible
2023-05-23 21:59:07 OpenVPN 2.6.3 [git:makepkg/94aad8c51043a805+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Apr 13 2023
2023-05-23 21:59:07 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-05-23 21:59:07 DCO version: N/A
Enter Private Key Password: ***************         
2023-05-23 21:59:34 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
2023-05-23 21:59:34 OpenSSL: error:0308010C:digital envelope routines::unsupported
2023-05-23 21:59:34 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2023-05-23 21:59:34 SIGUSR1[soft,private-key-password-failure] received, process restarting
2023-05-23 21:59:34 Restart pause, 1 second(s)
Enter Private Key Password: ***************         
2023-05-23 21:59:39 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
2023-05-23 21:59:39 OpenSSL: error:0308010C:digital envelope routines::unsupported
2023-05-23 21:59:39 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2023-05-23 21:59:39 SIGUSR1[soft,private-key-password-failure] received, process restarting
2023-05-23 21:59:39 Restart pause, 1 second(s)
Enter Private Key Password: ***************         
2023-05-23 21:59:43 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
2023-05-23 21:59:43 OpenSSL: error:0308010C:digital envelope routines::unsupported
2023-05-23 21:59:43 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2023-05-23 21:59:43 SIGUSR1[soft,private-key-password-failure] received, process restarting
2023-05-23 21:59:43 Restart pause, 1 second(s)
Enter Private Key Password: ***************         
2023-05-23 21:59:46 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
2023-05-23 21:59:46 OpenSSL: error:0308010C:digital envelope routines::unsupported
2023-05-23 21:59:46 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2023-05-23 21:59:46 SIGUSR1[soft,private-key-password-failure] received, process restarting
2023-05-23 21:59:46 Restart pause, 1 second(s)
Enter Private Key Password: ***************         
2023-05-23 21:59:55 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
2023-05-23 21:59:55 OpenSSL: error:0308010C:digital envelope routines::unsupported
2023-05-23 21:59:55 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2023-05-23 21:59:55 SIGUSR1[soft,private-key-password-failure] received, process restarting
2023-05-23 21:59:55 Restart pause, 2 second(s)
Enter Private Key Password: ***************

Now the OPENVPN server no longer starts. It remains in the suspended state.

Can I restart the VPN server on the console via the GUI?

If it is showing as Stopped in the WUI then you can press the button which will be labelled Start OpenVPN Server.

This message is because your client has OpenSSL-3.x

You can confirm this on your client by running the command

openssl --version

If it is 3.x and not 1.1.1x then you need to follow the approach in this post/thread
https://community.ipfire.org/t/ovpn-cert-creation-algo/7911/18
of adding into your client's openssl configuration the legacy option.
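
The client error line names two possible causes ("wrong password or unsupported/legacy encryption"); the following is an added example, not part of the original posts, that triages a client log to tell them apart and lists the files OpenVPN flagged as too widely readable. The function names and verdict strings are made up for this example, and the rule that the `0308010C ... unsupported` error together with an OpenSSL 3.x library line means legacy PKCS#12 encryption is an assumption that follows the diagnosis given in this thread.

```shell
#!/bin/sh
# Added example: triage an OpenVPN client log for the PKCS#12 failure in this thread.

# Sample input: lines copied from the client output quoted in the thread.
sample_log() {
cat <<'EOF'
2023-05-23 21:59:07 WARNING: file 'Javier.p12' is group or others accessible
2023-05-23 21:59:07 WARNING: file 'ta.key' is group or others accessible
2023-05-23 21:59:07 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-05-23 21:59:34 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
2023-05-23 21:59:34 OpenSSL: error:0308010C:digital envelope routines::unsupported
2023-05-23 21:59:34 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2023-05-23 21:59:34 SIGUSR1[soft,private-key-password-failure] received, process restarting
EOF
}

# classify_p12_failure: reads a client log on stdin and prints one verdict.
# Heuristic (assumption, see lead-in): "unsupported" from the digital envelope
# routines on an OpenSSL 3.x client points at legacy encryption, not the password.
classify_p12_failure() {
    log=$(cat)
    if ! printf '%s\n' "$log" | grep -q 'Decoding PKCS12 failed'; then
        echo "no-pkcs12-failure"
    elif printf '%s\n' "$log" | grep -q 'error:0308010C:.*unsupported' &&
         printf '%s\n' "$log" | grep -q 'library versions: OpenSSL 3\.'; then
        echo "legacy-encryption-on-openssl3"
    else
        echo "check-password"
    fi
}

# loose_files: prints each key/cert file that OpenVPN reported as readable
# by group or others, one per line, without duplicates.
loose_files() {
    sed -n "s/.*WARNING: file '\(.*\)' is group or others accessible.*/\1/p" | sort -u
}

sample_log | classify_p12_failure
sample_log | loose_files
```

Files listed by `loose_files` hold the private key and the TLS channel key; `chmod 600` on them removes the group and others access that the warning refers to.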

Click the button labeled “Start OpenVPN Server”.

Unfortunately nothing happens anymore, it stays offline. =((

Thanks for your help!
I don’t have openssl --version?

openssl --version
Invalid command '--version'; type "help" for a list.

Then you need to look in the logs of the server to see what the problem is.

Go to the WUI menu Logs - System Logs and select OpenVPN in the dropdown box labelled Section:
Then press the Update button.
Somewhere in the logs it will say why it is not starting.
The best approach is to press the Start OpenVPN Server button and then immediately go to the System Logs and the most recent logs will be at the top if you have the Log Settings checked for
“Sort in reverse chronological order”

Sorry, my fault. The option --version is correct for openvpn and not for openssl.

For openssl you need

openssl version

Is that also possible in the console, because there is nothing there?

IPFIRE:

OpenSSL 1.1.1t  7 Feb 2023

Client Manjaro:

openssl version
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

As long as the server is on fire offline, it’s bad anyway
But why? I didn’t change anything there except try to connect.

So you need to follow that post/thread I linked to for adding in the legacy option into your Manjaro openssl.cnf configuration file.

Ok, I will try my best, Thank you very much!

But why does the server stay offline?

Yes, but if the system logs are empty then I am not sure about the console logs because that is where the System Logs extracts its info from.

Run

less /var/log/messages | grep openvpn

I don’t know and if nothing is in the logs then it is even more difficult.

You could try rebooting and see if the OpenVPN server then will start.

Before trying a reboot, try starting it from the console with the command

openvpnctrl -s

Then check on the WUI page if the openvpn server is now Running.

WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
May 23 22:49:58 ho openvpnserver[4655]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.

openvpnctrl -s

runs without errors but the GUI still says “paused”

OpenVPN 2.5.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb 22 2023
library versions: OpenSSL 1.1.1t  7 Feb 2023, LZO 2.09
MANAGEMENT: unix domain socket listening on /var/run/openvpn.sock
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Diffie-Hellman initialized with 4096 bit key
CRL: loaded 1 CRLs from file /var/ipfire/ovpn/crls/cacrl.pem
Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
TUN/TAP device tun1 opened
/sbin/ip link set dev tun1 up mtu 1400
/sbin/ip link set dev tun1 up

Could not determine IPv4/IPv6 protocol. Using AF_INET

On the IPFIRE start page it says Online but under Services → OPENVPN it says paused.

I’m offline for a moment. See you later