From: Robert K Coffman Jr. -Info From Data Corp. <bco...@in...> - 2024-12-05 14:36:34
Marko,

Yes - I was aware of that and bummed out when I found out I had a fleet of SHA1 certs out there. I have some people (road warriors - is this term still used?) using the old certs but on different (client) firewalls, and I have added a config option to allow them:

    tls-cipher "DEFAULT:@SECLEVEL=0"

(This does not disable encryption, contrary to some postings on the internet, but I understand why this is not a permanent solution for them.)

I issued new SHA256 certs prior to this upgrade for my point-to-point VPNs, but even if the certs were bad, the service would normally respond or log an error saying so. It does neither. But that being said, these were working even after the upgrade. It appears to me that the service stops accepting connections - in some cases - after startup.

I've eliminated pwnage as the cause by building a new server from scratch and testing it on an isolated network, but I have not ruled out some kind of DoS. My busiest servers have about 20 point-to-point connections, but they are largely idle most of the time. One thought I had was a lack of resources (specifically memory), because these are VMs and historically I could get away with some meager RAM allocations - and I recently changed DNSMASQ to have a larger cache - but adding RAM to them did not have any effect on this problem.

Is there somewhere I can find out which was the last Leaf version before OpenVPN 2.6?

- Robert

On 12/4/2024 6:48:34 PM, marko via leaf-user wrote:
> Hi Robert,
>
> I use OpenVPN 7.3.1.1 also on a standard upgrade path. My system works ok, though it is not busy.
>
> One thing that has changed over time is the sha security level that the scripts use when creating the machine keys. It is/was hard coded into the easyRSA scripts. It would be worth ruling that one out first.
>
> cheers
> marko
>
> On Thursday, 5 December 2024 7:36:42 AM AEDT Robert K Coffman Jr. -Info From Data Corp. wrote:
>> I'm having serious issues with OpenVPN, starting after an upgrade to 7.3.1.1 (OpenVPN 2.6.10).
>>
>> Some or all of my OpenVPN servers exhibit a behavior where they stop accepting connections from clients. What is very strange is that after the upgrade, things were fine - only later did this problem start to occur.
>>
>> I made a copy of an affected box and eliminated every possible source of a potential issue - disabling shorewall, placing the server on the same RFC1918 subnet (unmanaged switch), disabling the HMAC signing, running OpenVPN as root - and it just refused to accept connections. We did a packet capture, and we see an intermittent packet from the client on the server, but no response from the server.
>>
>> I upgraded two of the affected boxes to the latest Leaf beta (OpenVPN 2.6.12) and on one of them, it started to allow connections again, but not from every client. On the other, it allowed one connection, and then - no more.
>>
>> Additionally, and probably unrelated, with these OpenVPN versions, there seems to be a bug in the startup script. Issuing "/etc/init.d/openvpn restart" sometimes (usually) results in this kind of error:
>>
>>     Stopping virtual private network daemon:rm: can't remove '/var/run/openvpn.c_ifdroute_sweitzer.pid': No such file or directory
>>
>> And the daemon doesn't restart.... Issuing the same command again usually starts it up successfully.
>>
>> I am at a complete loss to explain this. Even a reboot doesn't resolve the connection issue once it starts.
>>
>> Anyone else seeing issues with OpenVPN running as a server? This does not seem to affect when running as a client.
>>
>> Thanks - Robert
>>
>> --
>> Robert K Coffman Jr.
>> Info From Data Corp.
>> 3307249000
>> su...@in...
>
> ------------------------------------------------------------------------
> leaf-user mailing list: lea...@li...
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> Support Request -- http://leaf-project.org/

--
Robert K Coffman Jr.
Info From Data Corp.
3307249000
su...@in...
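The thread turns on a fleet of SHA1-signed certificates that an OpenSSL 3 based OpenVPN rejects at the default security level (the `@SECLEVEL=0` workaround quoted above lowers that level for the whole TLS handshake). The following is an added example, not code from the leaf-user thread, the LEAF project or OpenVPN: a dependency-free Python audit that reads the signatureAlgorithm OID out of a PEM certificate with a minimal DER walker and flags SHA1/MD5 signatures, so an administrator can find such certs before an upgrade rather than after clients stop connecting. The sample "certificates" it builds are constructed inline and carry only the outer Certificate structure (a dummy tbsCertificate and signature); in production, point `audit()` at the real `.crt` files in the OpenVPN config directory.

```python
"""Audit PEM certificates for weak (SHA-1 / MD5) signature algorithms.

Added example, not the project's code. Walks the outer DER structure
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
and reports the AlgorithmIdentifier OID, so no third-party library is needed.
"""
import base64
import re

# OID -> (name, weak?) for the algorithms an OpenVPN/OpenSSL deployment will meet.
SIG_OIDS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384", False),
    "1.3.101.112":           ("Ed25519", False),
}


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                   # base-128, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_oid(der: bytes) -> str:
    """Return the signatureAlgorithm OID of a DER-encoded Certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)                   # tbsCertificate, skipped
    tag, alg_id, _ = _read_tlv(cert, pos)               # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier without OID")
    return _decode_oid(oid)


def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block")
    return base64.b64decode("".join(m.group(1).split()))


def audit(pem: str):
    """Classify one PEM cert as (oid, algorithm name, weak?); unknown OIDs get weak=None."""
    oid = signature_oid(pem_to_der(pem))
    name, weak = SIG_OIDS.get(oid, ("unknown", None))
    return oid, name, weak


# --- constructed sample input (not real certificates) ------------------------
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_sample_cert(oid: str) -> str:
    """PEM with the outer Certificate shape only; tbs and signature are dummies."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 200)           # long enough for long-form length
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + sig)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for sample in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        oid, name, weak = audit(make_sample_cert(sample))
        print(f"{name:28s} {oid:24s} {'REISSUE' if weak else 'ok' if weak is False else 'review'}")
```

Only the signature algorithm of each certificate is examined; a SHA256 leaf issued by a SHA1-signed CA still fails at security level 1, so run the audit over the CA certificate and every issued certificate, not just the ones that recently changed.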