From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: Test of latest OpenVPN-2.6 repo up to commit "ovpnmain.cgi: Refactor top table of adding/creating connections"
Date: Mon, 15 Apr 2024 19:55:18 +0200
In-Reply-To: <9e3a4fca-1347-4dd4-bc59-801ba5fc446f@ipfire.org>

Hi Michael,

Next feedback.

I did a restore from CU184. The OpenVPN server failed to start.

After some log checking I found that the ovpnmain.cgi code still has the lines that put ncp-disable into the server.conf, but this is no longer recognised by OpenVPN-2.6.x.

Line 286 in your latest version of ovpnmain.cgi is the one in question. This should not be getting written to server.conf under any circumstances, as ncp-disable was removed from 2.6.0 onwards. I suspect removing this got missed.

Due to this I can't test out how a CU184 existing client config will work with the new OpenVPN-2.6 branch, whether it works as is or if some modification will be needed in backup.pl to correct earlier versions.

Regards,
Adolf.

On 15/04/2024 18:57, Adolf Belka wrote:
> Hi Michael,
>
> I did a fetch of the latest status of the OpenVPN-2.6 branch in your repo and then ran a build on it and did a fresh install with the iso that was created.
>
> I then created the root/host x509 certificate set with no problems.
>
> Created a Static IP Address pool. One thing I found here was that after creating it I could choose the edit function and modify the Name, but the subnet could not be modified. I had to delete the existing version and start again to get the correct subnet. I had made an error in the number I chose, so that was why I was trying to edit it.
>
> Went into the Advanced settings and enabled the TLS Channel Protection and added entries into the DHCP Settings section for the Domain and DNS. Then pressed Save.
>
> Then I created a Client Connection. The file icon I saw now is only a .ovpn file with the certificates embedded into the .ovpn. A point I noticed is that if you put the mouse over the hard disk icon it still says "Download Encrypted Client Package (zip)".
>
> After creating the client connection the Server started when I pressed the Save button in the Roadwarrior Settings section.
>
> I then installed the client .ovpn into my laptop's Network Manager OpenVPN plugin and the connection was successfully made.
>
> However, I have noticed that if I then go to the Advanced Server and press the Save Advanced Settings button, whether something has been modified or not, the Server stops and will not restart.
>
> Checking the status on the CLI, the message came back that the server was not running but the pid was present.
>
> If I deleted the pid then the server would start again. Running /etc/rc.d/init.d/openvpn-rw reload results in an OK message, but running the status command then gives the message that openvpn is not running but openvpn.pid exists, so it looks like the reload command is not executing correctly.
>
> In the WUI System Logs OpenVPN section the following was shown.
>
> IPFire diagnostics
> Section: openvpn
> Date: April 15, 2024
>
> 18:46:59 openvpnserver[12829]: Use --help for more information.
> 18:46:59 openvpnserver[12829]: Options error: Please correct these errors.
> 18:46:59 openvpnserver[12829]: Options error: --status fails with '/var/run/ovpnserver.log': Permission denied (errno=13)
> 18:46:59 openvpnserver[12829]: Options error: --writepid fails with '/var/run/openvpn.pid': Permission denied (errno=13)
> 18:46:59 openvpnserver[12829]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
> 18:46:59 openvpnserver[12829]: SIGHUP[hard,] received, process restarting
> 18:46:59 openvpnserver[12829]: Linux ip addr del failed: external program exited with error status: 2
> 18:46:59 openvpnserver[12829]: /sbin/ip addr del dev tun0 10.202.247.1/24
> 18:46:59 openvpnserver[12829]: Closing TUN/TAP interface
> 18:46:59 openvpnserver[12829]: ERROR: Linux route delete command failed
> 18:46:59 openvpnserver[12829]: ERROR: Linux route delete command failed: external program exited with error status: 2
> 18:46:59 openvpnserver[12829]: /sbin/ip route del 10.110.26.0/24
> 18:46:59 openvpnserver[12829]: event_wait : Interrupted system call (fd=-1,code=4)
>
> This looks like the reload is resulting in a SIGHUP[hard,] causing the process to restart, but without having properly removed the pid file.
>
> There is also the message about the ovpnserver.log. I did not touch that file, and after removing the pid file the server restarts and the system logs OpenVPN log has no mention of that log file in it.
>
> Let me know if you need any other information and I will provide it.
>
> Regards,
>
> Adolf
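As an added example (not code from the IPFire project or this thread), a small POSIX shell check for the two failure modes reported above: a server.conf that still carries the `ncp-disable` directive removed in OpenVPN 2.6.0, and a pid file left behind by a process that has already exited. The sample server.conf fragment is constructed; the directive list contains only the one named in the report.

```shell
#!/bin/sh
# Added example, not IPFire's or OpenVPN's own code. Checks a server.conf for
# a directive OpenVPN 2.6 no longer accepts, and tests whether a pid file
# still names a live process. The sample config below is constructed.

# Return 0 when no removed directive is present, 1 otherwise.
# Only ncp-disable (removed in 2.6.0, per the report) is listed here.
check_removed_directives() {
    conf="$1"
    bad=0
    for d in ncp-disable; do
        # match the directive as the first word on a line; '#' comments do not match
        if grep -Eq "^[[:space:]]*$d([[:space:]]|$)" "$conf"; then
            echo "REMOVED in 2.6: '$d' in $conf"
            bad=1
        fi
    done
    # The startup log also notes when --cipher is unset and no fallback is given.
    if ! grep -Eq '^[[:space:]]*(cipher|data-ciphers-fallback)[[:space:]]' "$conf"; then
        echo "NOTE: neither 'cipher' nor 'data-ciphers-fallback' set; no BF-CBC fallback"
    fi
    return $bad
}

# Return 0 if the pid file names a live process, 1 if it is missing or stale.
# kill -0 also fails with EPERM for another user's process, so run as root.
pidfile_is_live() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# Constructed server.conf fragment reproducing the reported defect.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed fragment, not taken from a real IPFire install
proto udp
port 1194
dev tun0
ncp-disable
data-ciphers AES-256-GCM
EOF

if ! check_removed_directives "$SAMPLE_CONF"; then
    echo "this server.conf would make OpenVPN 2.6 refuse to start"
fi
```

On an IPFire box the same two functions would be pointed at /var/ipfire/ovpn/server.conf and /var/run/openvpn.pid, the paths named in the report and its log excerpt.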