From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: Test of latest OpenVPN-2.6 repo up to commit "ovpnmain.cgi: Refactor top table of adding/creating connections"
Date: Mon, 22 Apr 2024 12:19:47 +0200
In-Reply-To: <30219A16-BEF6-4632-8415-691C73476082@ipfire.org>

Hi Michael,

On 16/04/2024 13:06, Michael Tremer wrote:
> Hello Adolf,
>
>> On 15 Apr 2024, at 17:57, Adolf Belka wrote:
>>
>> Hi Michael,
>>
>> I did a fetch of the latest status of the OpenVPN-2.6 branch in your repo and then ran a build on it and did a fresh install with the iso that was created.
>
> Thank you for helping me find the nasty bugs that I am building into all of this.
>

I think testing everything out is where I can definitely contribute on this project. So far I haven't found anything that is a big problem.

>> I then created the root/host x509 certificate set with no problems.
>>
>> Created a Static IP Address pool. One thing I found here was that after creating it I could choose the edit function and modify the Name but the subnet could not be modified. I had to delete the existing version and start again to get the correct subnet. I had made an error in the number I chose so that was why I was trying to edit it.
>
> Yeah, this has been the same since forever. The problem is slightly that changing the subnet is becoming complicated when hosts have been created using IP addresses from that subnet. So I am not sure whether there is a lot of value in creating the option to edit this when it is unused. It is a nice to have, but not essential.

Ah, I didn't realise that it was always like that. So I have never tried to change the subnet, only the name.

I would agree that removing the edit option would seem to be a reasonable step.

>
>> Went into the Advanced settings and enabled the TLS Channel Protection and added entries into the DHCP Settings section for the Domain and DNS. Then pressed Save.
>
> I am not entirely sure whether the defaults that we are choosing still make sense. If we support TLS Channel Protection, why is this not enabled? How much of a performance impact does it have? Why don't we pre-fill the domain with the domain name of IPFire? We probably have to do a bit of investigation here what makes sense.

In terms of the TLS Channel Protection, I would definitely agree that we should select that by default and set the SHA512 as the default hash. It improves the security of the whole tunnel creation process and as far as I am aware does not have any downsides. Since I started using OpenVPN on IPFire, I have always had the TLS Channel Protection enabled and used.

>
>> Then I created a Client Connection. The file icon I saw now is only a .ovpn file with the certificates embedded into the .ovpn. A point I noticed is that if you put the mouse over the hard disk icon it still says "Download Encrypted Client Package (zip)".
>
> Okay, I will change the text :) There is now only one single configuration file.
>
>> After creating the client connection the Server started when I pressed the Save button in the Roadwarrior Settings section.
>
> Yay \o/
>
>> I then installed the client .ovpn into my laptop's Network Manager OpenVPN plugin and the connection was successfully made.
>
> Double yay! \o/ \o/
>
>> However I have noticed that if I then go to the Advanced Server and press the Save Advanced Settings button, whether something has been modified or not the Server Stops and will not restart.
>
> This is kind of a new "feature". I am trying to reload the server. Generally that works, but there are a couple of issues that I still have to sort out, as OpenVPN drops its permissions and runs as a privileged user. However, we are writing the PID file as root and OpenVPN cannot edit this (I am not even sure why it is trying to do so at all). This is hopefully easy to fix, but I have not made it to that just yet.

No problem. Can wait for the fix for that.

>
>> Checking the status on the CLI the message came back that the server was not running but the pid was present.
>
> If you click the Save button on the main page again it should start again, though.

That didn't work. I had to manually delete the pid from the console command line and then pressing the Save button started the server again.

>
>> If I deleted the pid then the server would start again. Running /etc/rc.d/init.d/openvpn-rw reload results in an OK message but running the status command then gives the message that openvpn is not running but openvpn.pid exists so it looks like the reload command is not executing correctly.
>
> This is a problem that is somewhere in the initscripts and keeps bothering me for quite a while now.
>
>> In the WUI System Logs OpenVPN section the following was shown.
>>
>> IPFire diagnostics
>> Section: openvpn
>> Date: April 15, 2024
>>
>> 18:46:59 openvpnserver[12829]: Use --help for more information.
>> 18:46:59 openvpnserver[12829]: Options error: Please correct these errors.
>> 18:46:59 openvpnserver[12829]: Options error: --status fails with '/var/run/ovpnserver.log': Permission denied (errno=13)
>> 18:46:59 openvpnserver[12829]: Options error: --writepid fails with '/var/run/openvpn.pid': Permission denied (errno=13)
>> 18:46:59 openvpnserver[12829]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
>
> Wait. Why is it logging this? Does this make any sense?

Not sure. I will check what the .ovpn profile contained that might have triggered this.

>
>> 18:46:59 openvpnserver[12829]: SIGHUP[hard,] received, process restarting
>> 18:46:59 openvpnserver[12829]: Linux ip addr del failed: external program exited with error status: 2
>> 18:46:59 openvpnserver[12829]: /sbin/ip addr del dev tun0 10.202.247.1/24
>> 18:46:59 openvpnserver[12829]: Closing TUN/TAP interface
>> 18:46:59 openvpnserver[12829]: ERROR: Linux route delete command failed
>> 18:46:59 openvpnserver[12829]: ERROR: Linux route delete command failed: external program exited with error status: 2
>> 18:46:59 openvpnserver[12829]: /sbin/ip route del 10.110.26.0/24
>> 18:46:59 openvpnserver[12829]: event_wait : Interrupted system call (fd=-1,code=4)
>>
>> This looks like the reload is resulting in a SIGHUP[hard,] causing the process to restart but without having properly removed the pid file.
>>
>> There is also the message about the ovpnserver.log. I did not touch that file and after removing the pid file the server restarts and the system logs OpenVPN log has no mention about that log file in it.
>>
>> Let me know if you need any other information and I will provide it.
>
> Which client versions did you use to test this with? This should work both with OpenVPN 2.5 and 2.6. I believe we should support all clients that support NCP. If they don't, they will not work with a newly generated configuration. This is intentional.

I tested this on my Arch Linux laptop so it would have had 2.6.9 or 2.6.10 installed.

>
> Clients that don't support NCP or where NCP has been disabled should still work on older installations as we will configure the fallback cipher.
>
> So, this is great work. Thank you! It confirms that I have screwed this up all the way :)

Glad to be of service.

Regards,
Adolf.

>
> -Michael
>
>> Regards,
>>
>> Adolf
>>
>>
>
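The thread above describes two related initscript problems: a "reload" that reports OK while the server is dead and only a stale openvpn.pid remains, and a SIGHUP restart that fails because OpenVPN, having dropped privileges, can no longer rewrite the root-owned --writepid and --status files (the "Permission denied (errno=13)" lines in the log). The following shell functions are an added example written for this discussion, not IPFire's openvpn-rw initscript. They show a status check that distinguishes a live server from a stale PID file (with a guard against PID reuse), a reload that refuses to SIGHUP a dead PID and cleans up instead, and a helper that pre-creates the runtime files owned by the unprivileged user so the post-SIGHUP rewrite can succeed. The exit codes (LSB status convention), the drop-to user/group, and all paths are assumptions chosen for the example.

```shell
#!/bin/sh
# Example code for this thread, not IPFire's openvpn-rw initscript.
# Assumptions: LSB-style exit codes (0 running, 1 stale pidfile, 3 stopped),
# and that the caller supplies the PID/status paths and the user/group that
# OpenVPN drops to (--user/--group).

ST_RUNNING=0
ST_STALE=1
ST_STOPPED=3

# ovpn_status PIDFILE [COMM]
# Reads PIDFILE, checks the process is alive and, where /proc is available,
# that its command name matches COMM (default "openvpn"), so a PID that the
# kernel has since reused for another process is not reported as the server.
# Note: kill -0 on another user's process fails with EPERM unless run as
# root, which an initscript is.
ovpn_status() {
    st_pidfile=$1
    st_comm=${2:-openvpn}
    [ -f "$st_pidfile" ] || return $ST_STOPPED
    st_pid=$(tr -cd '0-9' < "$st_pidfile")
    [ -n "$st_pid" ] || return $ST_STALE
    kill -0 "$st_pid" 2>/dev/null || return $ST_STALE
    if [ -r "/proc/$st_pid/comm" ]; then
        [ "$(cat "/proc/$st_pid/comm")" = "$st_comm" ] || return $ST_STALE
    fi
    return $ST_RUNNING
}

# ovpn_reload PIDFILE [COMM]
# SIGHUP a live server.  A stale PID file is removed and ST_STALE is
# returned so the caller knows a plain start is required; this is the case
# the thread hit, where "reload" printed OK while nothing was running.
ovpn_reload() {
    rl_rc=0
    ovpn_status "$1" "${2:-openvpn}" || rl_rc=$?
    case $rl_rc in
        "$ST_RUNNING") kill -HUP "$(tr -cd '0-9' < "$1")" ;;
        "$ST_STALE")   rm -f "$1"; return $ST_STALE ;;
        *)             return $ST_STOPPED ;;
    esac
}

# prepare_runtime_files PIDFILE STATUSFILE USER GROUP
# Create both files before OpenVPN starts and hand them to the unprivileged
# user/group.  After dropping privileges OpenVPN must reopen --status and
# rewrite --writepid on SIGHUP; root-owned 0644 files make that fail with
# "Permission denied (errno=13)", as in the log quoted above.
prepare_runtime_files() {
    for f in "$1" "$2"; do
        : > "$f" || return 1
        chown "$3:$4" "$f" || return 1
        chmod 0644 "$f" || return 1
    done
}

# Usage sketch (paths as in the quoted log; user/group are assumptions):
#   prepare_runtime_files /var/run/openvpn.pid /var/run/ovpnserver.log nobody nogroup
#   ovpn_reload /var/run/openvpn.pid || echo "server not running, start it instead"
```

The comm check matters more than it looks: an initscript that only tests `kill -0` on the PID from the file will happily send SIGHUP to whatever unrelated process inherited that PID after OpenVPN died, which is a worse failure than the stale-file false positive described in the thread.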