Project

General

Profile

Actions

Bug #10287

closed

OpenVPN TLS key direction value added to existing tunnels is 0.

Added by Steve Wheeler almost 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
OpenVPN
Target version:
Start date:
02/24/2020
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.5
Affected Architecture:
All

Description

Resaving an existing OpenVPN client in 2.4.5 adds additional values to the config.
The key direction value is set to 0 rather than the default "Use default direction" which can break the tunnel.

Config diff after changing just the logging level:

--- /conf/backup/config-1582578464.xml    2020-02-24 21:13:43.736529000 +0000
+++ /conf/config.xml    2020-02-24 21:13:43.741334000 +0000
@@ -140,7 +140,7 @@
             <descr><![CDATA[Allow all ipv4+ipv6 via pfSsh.php]]></descr>
             <created>
                 <time>1582577816</time>
-                <username>pfSsh.php added allow all wan rule</username>
+                <username><![CDATA[pfSsh.php added allow all wan rule]]></username>
             </created>
         </rule>
     </filter>
@@ -256,8 +256,8 @@
     </widgets>
     <openvpn>
         <openvpn-client>
-            <auth_user>Test</auth_user>
-            <auth_pass>Test</auth_pass>
+            <auth_user><![CDATA[Test]]></auth_user>
+            <auth_pass><![CDATA[Test]]></auth_pass>
             <vpnid>1</vpnid>
             <protocol>UDP4</protocol>
             <dev_mode>tun</dev_mode>
@@ -280,6 +280,7 @@
             <crlref></crlref>
             <tls>Iw0KIyAyMDQ4IGJpdCBPcGVuVlBOIHN0YXRpYyBrZXkNCiMNCi0tLS0tQkVHSU4gT3BlblZQTiBTdGF0aWMga2V5IFYxLS0tLS0NCjZhNWIyNGJhNjBjZjcyYWRmODYzYzRmZDhmNjNhYmQyDQo3MmFiZThlYTNhMWE2NmNjZDY0MmEyZjE0Njk2NDY5Yw0KNjJlMDVhNmU4NmI5NjEzYjEwOTI1ZWQwYjRkMDcwNjUNCjdjZmQ5MTA0NDU1MjNmZmE4OGQyNzMyMjA3OWMyOTc1DQozMTRmNDMzNzU5YTFmYTRiZDg5ZTYxNDgzYTQ4ZjY4YQ0KZGZmYjRiYzUwZmE0ZTk1YzYyYjQ0ZTVjNTI2ODVmMTUNCjY0MmQyMzJjMGJiYzU5MzY2OWI2MTIxZjE2OTlhNTUyDQpmMWZiOTc3YzlmZjNkMzhmNWRiZGYxOWY1Y2Y2YTM2Mg0KNjUxYWVkOTcwMWM4OTllOTM0ZThiMDAzOWFhOGUwZGUNCmYwNWYwZTQ2MTMyNzFmOGFmY2I2N2ZmMjE0MWY1Y2FhDQpkNzhhZTUxYzFjNTU4YjRhYmIwOGIxN2Y3ZDExY2YyMQ0KMzg4MjlkODNhMDdlNWI1YzQ2YjczMDhlMTU4MjNiM2ENCjc2YmQ3OGQwMzE5ZWM0NTgyNDBlY2Y1YjYwZDkwOTIwDQoyZWQyNGRhNmE3NTNhZGI2OTlkOTAwOWU5OTU0N2UxZA0KZWJkODRlMmZkM2UwM2YyYjc1MDk4ZTg5MGU3YjU0ODcNCmI1ZTBhZTJlODgxODU2NGQ3NjdiM2YwMzZlZmU3MGEzDQotLS0tLUVORCBPcGVuVlBOIFN0YXRpYyBrZXkgVjEtLS0tLQ0K</tls>
             <tls_type>auth</tls_type>
+            <tlsauth_keydir>0</tlsauth_keydir>
             <crypto>AES-128-CBC</crypto>
             <digest>SHA256</digest>
             <engine>none</engine>
@@ -292,13 +293,21 @@
             <auth-retry-none></auth-retry-none>
             <passtos></passtos>
             <udp_fast_io></udp_fast_io>
+            <exit_notify>none</exit_notify>
             <sndrcvbuf></sndrcvbuf>
             <route_no_pull></route_no_pull>
             <route_no_exec></route_no_exec>
-            <verbosity_level>3</verbosity_level>
+            <verbosity_level>1</verbosity_level>
             <create_gw></create_gw>
             <ncp-ciphers>AES-128-GCM</ncp-ciphers>
             <ncp_enable>enabled</ncp_enable>
+            <ping_method>keepalive</ping_method>
+            <keepalive_interval>10</keepalive_interval>
+            <keepalive_timeout>60</keepalive_timeout>
+            <ping_seconds>10</ping_seconds>
+            <ping_action>ping_restart</ping_action>
+            <ping_action_seconds>60</ping_action_seconds>
+            <inactive_seconds>0</inactive_seconds>
         </openvpn-client>
     </openvpn>
     <dnshaper></dnshaper>
@@ -313,9 +322,9 @@
         <dnssecstripped></dnssecstripped>
     </unbound>
     <revision>
-        <time>1582578464</time>
-        <description><![CDATA[admin@172.21.16.5 (Local Database): Creating restore point before upgrade.]]></description>
-        <username>admin@172.21.16.5 (Local Database)</username>
+        <time>1582578823</time>
+        <description><![CDATA[admin@172.21.16.5 (Local Database): Updated OpenVPN client to server 172.21.16.86:1194 Test]]></description>
+        <username><![CDATA[admin@172.21.16.5 (Local Database)]]></username>
     </revision>
     <shaper></shaper>
     <cert>

Actions #1

Updated by Jim Pingle almost 2 years ago

  • Target version changed from Future to 2.4.5
Actions #2

Updated by Jim Pingle almost 2 years ago

  • Status changed from New to In Progress
Actions #3

Updated by Jim Pingle almost 2 years ago

In the selection list, when tlsauth_keydir is empty/unset, both the list entry for default and 0 are marked with selected.

Probably we need to prefill the empty value with something like "default" and then check for that on the backend rather than rely on it being empty.

Actions #4

Updated by Jim Pingle almost 2 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Viktor Gurov almost 2 years ago

  • Status changed from Feedback to Resolved

tested on 2.4.5.r.20200228.0300

works as expected on the Client/Server pages

Actions

Also available in: Atom PDF