Hello,
On 15 Apr 2024, at 18:55, Adolf Belka <adolf.belka@ipfire.org> wrote:
Hi Michael,
Next feedback.
I did a restore from CU184. The OpenVPN server failed to start.
After some log checking I found that the ovpnmain.cgi code still has the lines that put ncp-disable into the server.conf, but this is no longer recognised by OpenVPN-2.6.x.
This makes sense. Due to the vast amount of changes we will have to regenerate the configuration file on update or restore of an older backup. I did not write code for this, yet.
But if you go to the OpenVPN page and hit the Save button, it should write it all again and the server should start.
Line 286 in your latest version of ovpnmain.cgi is the one in question. This should not be getting written to server.conf under any circumstances as ncp-disable was removed from 2.6.0 onwards. I suspect this got missed to be removed.
Due to this I can't test out how a CU184 existing client config will work with the new OpenVPN-2.6 branch, whether it works as is or if some modification will be needed in backup.pl to correct earlier versions.
Regards,
Adolf.
On 15/04/2024 18:57, Adolf Belka wrote:
Hi Michael,
I did a fetch of the latest status of the OpenVPN-2.6 branch in your repo and then ran a build on it and did a fresh install with the iso that was created.
I then created the root/host x509 certificate set with no problems.
Created a Static IP Address pool. One thing I found here was that after creating it I could choose the edit function and modify the Name but the subnet could not be modified. I had to delete the existing version and start again to get the correct subnet. I had made an error in the number I chose so that was why I was trying to edit it.
Went into the Advanced settings and enabled the TLS Channel Protection and added entries into the DHCP Settings section for the Domain and DNS. Then pressed Save.
Then I created a Client Connection. The file icon I saw now is only a .ovpn file with the certificates embedded into the .ovpn. A point I noticed is that if you put the mouse over the hard disk icon it still says "Download Encrypted Client Package (zip)".
After creating the client connection the Server started when I pressed the Save button in the Roadwarrior Settings section.
I then installed the client .ovpn into my laptop's Network Manager OpenVPN plugin and the connection was successfully made.
However, I have noticed that if I then go to the Advanced Server and press the Save Advanced Settings button, whether something has been modified or not, the Server Stops and will not restart.
Checking the status on the CLI, the message came back that the server was not running but the pid was present.
If I deleted the pid then the server would start again. Running /etc/rc.d/init.d/openvpn-rw reload results in an OK message but running the status command then gives the message that openvpn is not running but openvpn.pid exists so it looks like the reload command is not executing correctly.
In the WUI System Logs OpenVPN section the following was shown.
IPFire diagnostics Section: openvpn Date: April 15, 2024
18:46:59 openvpnserver[12829]: Use --help for more information.
18:46:59 openvpnserver[12829]: Options error: Please correct these errors.
18:46:59 openvpnserver[12829]: Options error: --status fails with '/var/run/ovpnserver.log': Permission denied (errno=13)
18:46:59 openvpnserver[12829]: Options error: --writepid fails with '/var/run/openvpn.pid': Permission denied (errno=13)
18:46:59 openvpnserver[12829]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
18:46:59 openvpnserver[12829]: SIGHUP[hard,] received, process restarting
18:46:59 openvpnserver[12829]: Linux ip addr del failed: external program exited with error status: 2
18:46:59 openvpnserver[12829]: /sbin/ip addr del dev tun0 10.202.247.1/24
18:46:59 openvpnserver[12829]: Closing TUN/TAP interface
18:46:59 openvpnserver[12829]: ERROR: Linux route delete command failed
18:46:59 openvpnserver[12829]: ERROR: Linux route delete command failed: external program exited with error status: 2
18:46:59 openvpnserver[12829]: /sbin/ip route del 10.110.26.0/24
18:46:59 openvpnserver[12829]: event_wait : Interrupted system call (fd=-1,code=4)
This looks like the reload is resulting in a SIGHUP[hard,] causing the process to restart but without having properly removed the pid file.
There is also the message about the ovpnserver.log. I did not touch that file, and after removing the pid file the server restarts and the system logs OpenVPN log has no mention about that log file in it.
Let me know if you need any other information and I will provide it.
Regards,
Adolf
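
A check for the restore failure described in this thread, as an added example that is not code from IPFire or from either poster: a shell filter that drops `ncp-disable` from a restored server.conf before OpenVPN 2.6 reads it, and flags a missing `cipher` line. The function name and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IPFire code). Reads an OpenVPN config on stdin, writes
# the cleaned config to stdout and one finding per line to stderr.
sanitize_ovpn_conf() {
    awk '
    # Blank lines and comments (# or ;) pass through untouched.
    NF == 0 || $1 ~ /^[#;]/ { print; next }
    {
        opt = $1
        sub(/^--/, "", opt)          # the leading "--" is optional in a config file
        if (opt == "ncp-disable") {  # removed from OpenVPN 2.6.0 onwards
            printf "removed: line %d: %s\n", NR, $0 > "/dev/stderr"
            next
        }
        if (opt == "cipher") have_cipher = 1
        print
    }
    END {
        # Mirrors the "--cipher is not set" note in the log quoted above.
        if (!have_cipher)
            print "note: no cipher option set; check data-ciphers-fallback for older clients" > "/dev/stderr"
    }'
}

# Constructed sample input, not a real IPFire server.conf.
SAMPLE_CONF='# constructed sample, not a real IPFire server.conf
port 1194
proto udp
ncp-disable
  --ncp-disable
; ncp-disable inside a comment is left alone
cipher AES-256-GCM'

# Demonstration: cleaned config on stdout, findings on stderr.
printf '%s\n' "$SAMPLE_CONF" | sanitize_ovpn_conf
```

Write the output to a temporary file and compare it with the original before replacing anything, so that a restored backup is never modified in place without review.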