From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Test of latest OpenVPN-2.6 repo up to commit "ovpnmain.cgi: Refactor top table of adding/creating connections"
Date: Mon, 22 Apr 2024 18:35:20 +0100
Message-ID: <19CEFA42-6B41-4355-9483-F40DC3633E80@ipfire.org>

Hello,

> On 22 Apr 2024, at 11:19, Adolf Belka wrote:
> 
> Hi Michael,
> 
>> On 16/04/2024 13:06, Michael Tremer wrote:
>> Hello Adolf,
>>>> On 15 Apr 2024, at 17:57, Adolf Belka wrote:
>>> 
>>> Hi Michael,
>>> 
>>> I did a fetch of the latest status of the OpenVPN-2.6 branch in your repo and then ran a build on it and did a fresh install with the iso that was created.
>> Thank you for helping me find the nasty bugs that I am building into all of this.
> I think testing everything out is where I can definitely contribute on this project. So far I haven't found anything that is a big problem.
> 
>>> I then created the root/host x509 certificate set with no problems.
>>> 
>>> Created a Static IP Address pool. One thing I found here was that after creating it I could choose the edit function and modify the Name but the subnet could not be modified. I had to delete the existing version and start again to get the correct subnet. I had made an error in the number I chose so that was why I was trying to edit it.
>> Yeah, this has been the same since forever. The problem is slightly that changing the subnet is becoming complicated when hosts have been created using IP addresses from that subnet. So I am not sure whether there is a lot of value in creating the option to edit this when it is unused. It is a nice to have, but not essential.
> 
> Ah, I didn't realise that it was always like that. So I have never tried to change the subnet, only the name. I would agree that removing the edit option would seem to be a reasonable step.

I am on a flight right now and can't check. I think this is implemented like this now, or do I need to make any changes?

>>> Went into the Advanced settings and enabled the TLS Channel Protection and added entries into the DHCP Settings section for the Domain and DNS. Then pressed Save.
>> I am not entirely sure whether the defaults that we are choosing still make sense. If we support TLS Channel Protection, why is this not enabled? How much of a performance impact does it have? Why don't we pre-fill the domain with the domain name of IPFire? We probably have to do a bit of investigation here what makes sense.
> 
> In terms of the TLS Channel Protection, I would definitely agree that we should select that by default and set the SHA512 as the default hash. It improves the security of the whole tunnel creation process and as far as I am aware does not have any downsides. Since I started using OpenVPN on IPFire, I have always had the TLS Channel Protection enabled and used.

It does have a downside which I consider quite significant: it's slow. Mainly because of the hash function which needs to be run once for each packet. It also adds some overhead to each packet since the hash has to be transferred. I believe there is some truncation but this is still huge.

Since OpenVPN is already quite slow and single-threaded, this is not going to make it any faster. Now performance should not come before security but I don't know what the actual impact is to the average user.

>>> Then I created a Client Connection. The file icon I saw now is only a .ovpn file with the certificates embedded into the .ovpn. A point I noticed is that if you put the mouse over the hard disk icon it still says "Download Encrypted Client Package (zip)".
>> Okay, I will change the text :) There is now only one single configuration file.
>>> After creating the client connection the Server started when I pressed the Save button in the Roadwarrior Settings section.
>> Yay \o/
>>> I then installed the client .ovpn into my laptop's Network Manager OpenVPN plugin and the connection was successfully made.
>> Double yay! \o/ \o/
>>> However I have noticed that if I then go to the Advanced Server and press the Save Advanced Settings button, whether something has been modified or not the Server Stops and will not restart.
>> This is kind of a new "feature". I am trying to reload the server. Generally that works, but there are a couple of issues that I still have to sort out, as OpenVPN drops its permissions and runs as a privileged user. However, we are writing the PID file as root and OpenVPN cannot edit this (I am not even sure why it is trying to do so at all). This is hopefully easy to fix, but I have not made it to that just yet.
> 
> No problem. Can wait for the fix for that.

I think I have some bad news then. This doesn't quite work, simply because OpenVPN is not doing consistent things the first time it starts and when it reloads. It checks some directory permissions instead of the actual file it needs to access and that does not seem to make any sense to me. So we need to maybe reach out to upstream and see if we can fix this long-term.

But overall I didn't think that this is what I was hoping for as the OpenVPN server shuts down the entire tun interface and therefore disconnects every client. Since it does all that, we might just as well re-execute the entire binary from scratch. I wanted to just reload the configuration but keep all connections alive.

In the meantime, I have changed the default configuration so that the server will send a notification to the client that it is going down. Therefore UDP clients will try to reconnect very quickly and hopefully the user doesn't notice too much.

This has however the downside that if the admin clicks Save, all clients will reconnect without warning. This might be better than what we had before but it isn't good.

>>> Checking the status on the CLI the message came back that the server was not running but the pid was present.
>> If you click the Save button on the main page again it should start again, though.
> 
> That didn't work. I had to manually delete the pid from the console command line and then pressing the Save button started the server again.

Yes I ran into that too but wasn't sure if this was because of my development system. This is a general issue with the init functions.

>>> If I deleted the pid then the server would start again. Running /etc/rc.d/init.d/openvpn-rw reload results in an OK message but running the status command then gives the message that openvpn is not running but openvpn.pid exists so it looks like the reload command is not executing correctly.
>> This is a problem that is somewhere in the initscripts and keeps bothering me for quite a while now.
>>> In the WUI System Logs OpenVPN section the following was shown.
>>> 
>>> IPFire diagnostics
>>> Section: openvpn
>>> Date: April 15, 2024
>>> 
>>> 18:46:59 openvpnserver[12829]: Use --help for more information.
>>> 18:46:59 openvpnserver[12829]: Options error: Please correct these errors.
>>> 18:46:59 openvpnserver[12829]: Options error: --status fails with '/var/run/ovpnserver.log': Permission denied (errno=13)
>>> 18:46:59 openvpnserver[12829]: Options error: --writepid fails with '/var/run/openvpn.pid': Permission denied (errno=13)
>>> 18:46:59 openvpnserver[12829]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
>> Wait. Why is it logging this? Does this make any sense?
> 
> Not sure. I will check what the .ovpn profile contained that might have triggered this.
>>> 18:46:59 openvpnserver[12829]: SIGHUP[hard,] received, process restarting
>>> 18:46:59 openvpnserver[12829]: Linux ip addr del failed: external program exited with error status: 2
>>> 18:46:59 openvpnserver[12829]: /sbin/ip addr del dev tun0 10.202.247.1/24
>>> 18:46:59 openvpnserver[12829]: Closing TUN/TAP interface
>>> 18:46:59 openvpnserver[12829]: ERROR: Linux route delete command failed
>>> 18:46:59 openvpnserver[12829]: ERROR: Linux route delete command failed: external program exited with error status: 2
>>> 18:46:59 openvpnserver[12829]: /sbin/ip route del 10.110.26.0/24
>>> 18:46:59 openvpnserver[12829]: event_wait : Interrupted system call (fd=-1,code=4)
>>> 
>>> This looks like the reload is resulting in a SIGHUP[hard,] causing the process to restart but without having properly removed the pid file.
>>> 
>>> There is also the message about the ovpnserver.log I did not touch that file and after removing the pid file the server restarts and the system logs OpenVPN log has no mention about that log file in it.
>>> 
>>> Let me know if you need any other information and I will provide it.
>> Which client versions did you use to test this with? This should work both with OpenVPN 2.5 and 2.6. I believe we should support all clients that support NCP. If they don't, they will not work with a newly generated configuration. This is intentional.
> 
> I tested this on my Arch Linux laptop so it would have had 2.6.9 or 2.6.10 installed.

Okay, let's keep it to 2.6 for now until we have stabilised this and then check if 2.5 still works fine.

>> Clients that don't support NCP or where NCP has been disabled should still work on older installations as we will configure the fallback cipher.
>> So, this is great work. Thank you! It confirms that I have screwed this up all the way :)
> 
> Glad to be of service. lol.

Of course :)

> 
> Regards,
> Adolf.
>> -Michael
>>> Regards,
>>> 
>>> Adolf
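The log excerpt in this thread shows --writepid and --status failing with "Permission denied" on the SIGHUP restart, because those files were created as root before OpenVPN dropped privileges. The following is an added pre-flight check, not IPFire's or OpenVPN's own code: it reads the user, group, writepid and status directives from a server config (path assumed, passed as the argument) and reports which of those paths the dropped-to user could not write, judged by the file's mode bits, or its parent directory's if the file does not exist yet.

```shell
#!/bin/sh
# Added example, not IPFire's or OpenVPN's own code: verify that the paths
# OpenVPN re-opens after SIGHUP (writepid, status) are writable by the
# unprivileged user it drops to, so a reload does not die with EACCES.
# Assumes a server config using the "user", "group", "writepid" and
# "status" directives; the config path is passed as the only argument.

# Print the first argument of directive $2 in config $1, empty if absent.
ovpn_directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Return 0 if path $1 is writable by user $2 / group $3, judged purely by
# mode bits (root's override is ignored on purpose: OpenVPN has dropped it).
# A file that does not exist yet needs a writable parent directory instead.
writable_by() {
    p="$1"; u="$2"; g="$3"
    [ -e "$p" ] || p=$(dirname "$p")
    set -- $(stat -c '%U %G %a' "$p" 2>/dev/null)
    [ $# -eq 3 ] || return 1
    owner="$1"; grp="$2"
    perm=$(printf '%04d' "$3"); perm=${perm#?}   # last three octal digits
    ud=${perm%??}; t=${perm%?}; gd=${t#?}; od=${perm#??}
    [ "$owner" = "$u" ] && [ $(( (ud / 2) % 2 )) -eq 1 ] && return 0
    [ "$grp" = "$g" ] && [ $(( (gd / 2) % 2 )) -eq 1 ] && return 0
    [ $(( (od / 2) % 2 )) -eq 1 ]
}

# Print "key=path" for every writepid/status path the dropped-to user
# cannot write; prints nothing when all is fine or no privileges are dropped.
check_ovpn_paths() {
    cfg="$1"
    u=$(ovpn_directive "$cfg" user); g=$(ovpn_directive "$cfg" group)
    [ -n "$u" ] || return 0      # no "user" directive: root keeps writing
    bad=""
    for key in writepid status; do
        path=$(ovpn_directive "$cfg" "$key")
        [ -n "$path" ] || continue
        writable_by "$path" "$u" "$g" || bad="$bad $key=$path"
    done
    [ -z "$bad" ] || printf '%s\n' "${bad# }"
}

# Usage: sh thisscript.sh /path/to/server.conf   (config path is assumed)
if [ -n "$1" ]; then check_ovpn_paths "$1"; fi
```

An empty result means the reload can re-open both files as the dropped-to user; any "writepid=..." or "status=..." entry is a path that still has to be chowned to that user (or placed in a directory it owns) before sending SIGHUP.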