From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Test of latest OpenVPN-2.6 repo up to commit "ovpnmain.cgi: Refactor top table of adding/creating connections"
Date: Tue, 16 Apr 2024 12:08:05 +0100
Message-ID: <6E6414C9-43F1-4CC3-9A8A-BE4195B5069D@ipfire.org>

Hello,

> On 15 Apr 2024, at 18:55, Adolf Belka wrote:
>
> Hi Michael,
>
> Next feedback.
>
> I did a restore from CU184. The OpenVPN server failed to start.
>
> After some log checking I found that the ovpnmain.cgi code still has the lines that put ncp-disable into the server.conf, but this is no longer recognised by OpenVPN-2.6.x.

This makes sense. Due to the vast amount of changes we will have to regenerate the configuration file on update or on restore of an older backup. I did not write code for this yet.

But if you go to the OpenVPN page and hit the Save button, it should write it all again and the server should start.

> Line 286 in your latest version of ovpnmain.cgi is the one in question. This should not be getting written to server.conf under any circumstances, as ncp-disable was removed from 2.6.0 onwards. I suspect removing it got missed.
>
> Due to this I can't test out how an existing CU184 client config will work with the new OpenVPN-2.6 branch, whether it works as is or if some modification will be needed in backup.pl to correct earlier versions.
>
> Regards,
>
> Adolf.
>
> On 15/04/2024 18:57, Adolf Belka wrote:
>> Hi Michael,
>>
>> I did a fetch of the latest status of the OpenVPN-2.6 branch in your repo and then ran a build on it and did a fresh install with the iso that was created.
>>
>> I then created the root/host x509 certificate set with no problems.
>>
>> Created a Static IP Address pool. One thing I found here was that after creating it I could choose the edit function and modify the Name, but the subnet could not be modified. I had to delete the existing version and start again to get the correct subnet. I had made an error in the number I chose, so that was why I was trying to edit it.
>>
>> Went into the Advanced settings and enabled the TLS Channel Protection and added entries into the DHCP Settings section for the Domain and DNS. Then pressed Save.
>>
>> Then I created a Client Connection. The file icon I saw now is only a .ovpn file with the certificates embedded into the .ovpn. A point I noticed is that if you put the mouse over the hard disk icon it still says "Download Encrypted Client Package (zip)".
>>
>> After creating the client connection the Server started when I pressed the Save button in the Roadwarrior Settings section.
>>
>> I then installed the client .ovpn into my laptop's Network Manager OpenVPN plugin and the connection was successfully made.
>>
>> However, I have noticed that if I then go to the Advanced Server and press the Save Advanced Settings button, whether something has been modified or not, the Server stops and will not restart.
>>
>> Checking the status on the CLI, the message came back that the server was not running but the pid was present.
>>
>> If I deleted the pid then the server would start again. Running /etc/rc.d/init.d/openvpn-rw reload results in an OK message, but running the status command then gives the message that openvpn is not running but openvpn.pid exists, so it looks like the reload command is not executing correctly.
>>
>> In the WUI System Logs OpenVPN section the following was shown.
>>
>> IPFire diagnostics
>> Section: openvpn
>> Date: April 15, 2024
>>
>> 18:46:59 openvpnserver[12829]: Use --help for more information.
>> 18:46:59 openvpnserver[12829]: Options error: Please correct these errors.
>> 18:46:59 openvpnserver[12829]: Options error: --status fails with '/var/run/ovpnserver.log': Permission denied (errno=13)
>> 18:46:59 openvpnserver[12829]: Options error: --writepid fails with '/var/run/openvpn.pid': Permission denied (errno=13)
>> 18:46:59 openvpnserver[12829]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
>> 18:46:59 openvpnserver[12829]: SIGHUP[hard,] received, process restarting
>> 18:46:59 openvpnserver[12829]: Linux ip addr del failed: external program exited with error status: 2
>> 18:46:59 openvpnserver[12829]: /sbin/ip addr del dev tun0 10.202.247.1/24
>> 18:46:59 openvpnserver[12829]: Closing TUN/TAP interface
>> 18:46:59 openvpnserver[12829]: ERROR: Linux route delete command failed
>> 18:46:59 openvpnserver[12829]: ERROR: Linux route delete command failed: external program exited with error status: 2
>> 18:46:59 openvpnserver[12829]: /sbin/ip route del 10.110.26.0/24
>> 18:46:59 openvpnserver[12829]: event_wait : Interrupted system call (fd=-1,code=4)
>>
>> This looks like the reload is resulting in a SIGHUP[hard,] causing the process to restart, but without having properly removed the pid file.
>>
>> There is also the message about the ovpnserver.log. I did not touch that file, and after removing the pid file the server restarts and the system logs OpenVPN log has no mention of that log file in it.
>>
>> Let me know if you need any other information and I will provide it.
>>
>>
>> Regards,
>>
>> Adolf
>>
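The thread reports two separate failure modes: a server.conf that still carries ncp-disable (which OpenVPN 2.6 rejects with "Options error"), and a reload that sends SIGHUP so the already unprivileged process restarts in place and can no longer recreate /var/run/openvpn.pid and /var/run/ovpnserver.log, leaving a stale pid file. The following is an added example, not IPFire's own code and not part of the message above: a small pre-flight checker that lints a server.conf for the removed directive, recognises that log signature, and tells a stale pid file from a live one. The sample configuration and the liveness predicate passed in are constructed for the example; the log lines are the ones quoted in the thread.

```python
"""Pre-flight checks for the two OpenVPN 2.6 failures discussed in the thread.
Added example; not IPFire's ovpnmain.cgi or init script code."""
import os
import re
from typing import Callable, Dict, List

# Directive the thread identifies as removed from OpenVPN 2.6.0 onwards.
REMOVED_IN_2_6 = {"ncp-disable"}

# Constructed sample server.conf fragment (not a real IPFire configuration).
SAMPLE_SERVER_CONF = """\
# constructed sample
dev tun
proto udp
port 1194
ncp-disable
data-ciphers AES-256-GCM
writepid /var/run/openvpn.pid
status /var/run/ovpnserver.log 10
"""

# Log lines as quoted in the thread, trimmed to the ones the check needs.
SAMPLE_LOG = [
    "18:46:59 openvpnserver[12829]: Options error: --status fails with "
    "'/var/run/ovpnserver.log': Permission denied (errno=13)",
    "18:46:59 openvpnserver[12829]: Options error: --writepid fails with "
    "'/var/run/openvpn.pid': Permission denied (errno=13)",
    "18:46:59 openvpnserver[12829]: SIGHUP[hard,] received, process restarting",
    "18:46:59 openvpnserver[12829]: Closing TUN/TAP interface",
]

OPT_ERR = re.compile(r"Options error: --(\w+) fails with '([^']+)': Permission denied")


def lint_server_conf(text: str) -> List[str]:
    """Return the directives in *text* that OpenVPN 2.6 no longer accepts.

    One unknown directive is enough for openvpn to exit with "Options error",
    which is why a restored CU184 configuration would not start.
    """
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        directive = line.split()[0].lstrip("-")   # tolerate "--ncp-disable"
        if directive in REMOVED_IN_2_6:
            found.append(directive)
    return found


def diagnose_log(lines: List[str]) -> Dict[str, object]:
    """Summarise whether a SIGHUP restart failed to reopen its /var/run files."""
    sighup = any("SIGHUP[hard,] received" in line for line in lines)
    denied: Dict[str, str] = {}
    for line in lines:
        m = OPT_ERR.search(line)
        if m:
            denied[m.group(1)] = m.group(2)
    return {
        "sighup_restart": sighup,
        "permission_denied": denied,
        # The combination is the signature from the thread: after dropping
        # root, an in-process restart cannot recreate the pid/status files.
        "restart_lost_runtime_files": sighup and bool(denied),
    }


def process_alive(pid: int) -> bool:
    """Liveness probe: signal 0 checks for existence without delivering anything."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True            # exists, but owned by another user
    return True


def pid_is_stale(pidfile_text: str, alive: Callable[[int], bool] = process_alive) -> bool:
    """True when the pid file names a process that is not running.

    This is the state the init script reports as "openvpn is not running but
    openvpn.pid exists"; removing the file lets the server start again.
    """
    text = pidfile_text.strip()
    if not text.isdigit():
        return True            # empty or malformed pid file: treat as stale
    return not alive(int(text))


if __name__ == "__main__":
    print("removed directives:", lint_server_conf(SAMPLE_SERVER_CONF))
    print("log diagnosis:", diagnose_log(SAMPLE_LOG))
    print("pid 12829 stale:", pid_is_stale("12829\n", lambda pid: False))
```

Running it against a real box would mean feeding it /var/OpenVPN/server.conf, the OpenVPN section of the system log, and /var/run/openvpn.pid; the injectable liveness predicate exists so the stale-pid logic can be exercised without a running daemon.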