Bug #12802
Status: Closed
OpenVPN client imported using Client Import works until first time editing and saving settings (SHA1 replaced with SHA256)
Description
Disclaimer: You don't have an "OpenVPN Client Importer" category in your tracker, so I used OpenVPN Client Export.
I updated the CE to Plus today. Then I installed OpenVPN Client Importer package, followed by importing a configuration. Once done, the client connected as expected.
However, it's enough to edit the client configuration and save again to have the client no longer connect and get stuck in a continuous loop. Comparing the .ovpn files from /var/etc before and after editing, I see:
16c16
< auth SHA256
---
> auth SHA1
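Review bot: The direction of this hunk does not match the description above it: if the first file is the pre-edit .ovpn and the second is the post-edit one, `< auth SHA256` / `> auth SHA1` says that editing changed SHA256 to SHA1, which is the opposite of the closing remark that changing SHA256 back to SHA1 fixes the problem. Either the arguments were reversed (`diff after before`) or the labels are swapped; stating which file is which (for example `diff -u before.ovpn after.ovpn`, which prints both file names) would remove the ambiguity.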
38a39
>
Pretty self-explanatory. Manually changing SHA256 back to SHA1 fixes the issue.
Updated by Jim Pingle over 3 years ago
If you go to Diagnostics > Backup/Restore on the Config History tab and do a diff on the config entries before/after you clicked Save, what changed? What about a diff between when it was broken and fixed?
Without seeing the configuration you imported it's hard to say what might have happened but it's possible your original configuration used a variation of a specific string that didn't match up 100% with what it looks like on pfSense/FreeBSD, but it was close enough that OpenVPN knew what to do with it.
Updated by cromo cromo over 3 years ago
Jim Pingle wrote in #note-1:
Without seeing the configuration you imported it's hard to say what might have happened but it's possible your original configuration used a variation of a specific string that didn't match up 100% with what it looks like on pfSense/FreeBSD, but it was close enough that OpenVPN knew what to do with it.
The original config does not even mention auth, so this is entirely between the importer and the UI itself. I checked the config diff, as you suggested, and indeed there's an answer there:
- <digest></digest>
+ <digest>SHA256</digest>
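Review bot: This is the actual defect, and it points at the importer rather than the edit form: the importer stored an empty `<digest></digest>` element, and the edit form, with no stored value to show, saved its own default (SHA256) on the first Save. Storing the value OpenVPN assumes for a missing `auth` line (`SHA1`) explicitly at import time makes the rendered `auth` line independent of which page last saved the configuration; that is the first of the two options listed just below.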
Since my config did not come with auth, the importer left the digest empty, which per current OpenVPN spec means it defaulted to SHA1. However, upon editing, the UI updated its value to SHA256. I guess there are two solutions:
- to have the importer explicitly set digest to SHA1 if it wasn't provided by the config file
- to have the UI default to SHA1, but this wouldn't be safe in other use cases, like when setting up a new configuration from scratch, which should rather hint at SHA160 at least
Updated by Viktor Gurov over 3 years ago
- Assignee set to Viktor Gurov
from man openvpn(5):
--auth alg
Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest
algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a
data string, a secure hash algorithm and a key to produce a digital signature.
If auth is empty, it must be SHA1.
Internal redmine NG7540 is opened
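Worked example of the failure mode discussed in the two comments above (the importer leaving the digest empty, and the edit form then substituting its own default), added here as illustration; this is not the importer's or pfSense's code. It parses a constructed .ovpn profile that has no `auth` line, resolves the digest OpenVPN will actually use (SHA1 when `auth` is absent, per the man page quoted above), and contrasts an importer that stores the empty value with one that stores the effective default explicitly. The form default of SHA256 and the function names are assumptions made for the example.

```python
"""Added example (not pfSense's or the OpenVPN Client Import package's code).

Shows why an importer must store the OpenVPN default for `auth` explicitly
instead of leaving the setting empty: an empty value means "SHA1" to OpenVPN
but "use my own default" to a later edit form.
"""

# openvpn(8): "--auth alg ... (The default is SHA1)"
OPENVPN_DEFAULT_AUTH = "SHA1"
# Assumption for the example: what the edit form substitutes for an empty value.
UI_FORM_DEFAULT_AUTH = "SHA256"

# Constructed sample profile: no `auth` directive, like the reporter's config.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-GCM
# auth SHA512   <- commented out, must be ignored
<ca>
-----BEGIN CERTIFICATE-----
MIIB... (constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
verb 3
"""


def parse_ovpn(text):
    """Return {directive: [args]} for the directives of an .ovpn profile.

    Comment lines (# or ;) and blank lines are skipped, and the contents of
    inline <ca>...</ca>-style blocks are ignored so certificate lines are
    never mistaken for directives.
    """
    opts = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line.startswith("</"):
                in_block = False
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):
            in_block = True
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def effective_auth(opts):
    """The HMAC digest OpenVPN will use: the `auth` argument if given, else SHA1."""
    args = opts.get("auth")
    return args[0].upper() if args else OPENVPN_DEFAULT_AUTH


def import_digest_buggy(opts):
    """Importer behaviour from the report: no `auth` line -> empty setting."""
    args = opts.get("auth")
    return args[0] if args else ""


def import_digest_fixed(opts):
    """Store the effective digest explicitly; later edits cannot reinterpret it."""
    return effective_auth(opts)


def render_auth_line(digest_setting):
    """Simulate the edit page re-saving the client: an empty stored value is
    replaced by the form's own default (assumed SHA256) before the .ovpn is
    regenerated, a non-empty value is written as-is."""
    return f"auth {digest_setting or UI_FORM_DEFAULT_AUTH}"


def hmac_digests_match(client_auth_line, server_auth):
    """`auth` must be identical on both peers, otherwise every data-channel
    packet fails the HMAC check and the client keeps reconnecting."""
    return client_auth_line.split()[1].upper() == server_auth.upper()


if __name__ == "__main__":
    opts = parse_ovpn(SAMPLE_OVPN)
    server = effective_auth(opts)  # the server this profile was written for
    for label, importer in (("buggy", import_digest_buggy), ("fixed", import_digest_fixed)):
        line = render_auth_line(importer(opts))
        print(f"{label}: stored={importer(opts)!r} after edit -> {line!r} "
              f"matches server {server}: {hmac_digests_match(line, server)}")
```

The `parse_ovpn` helper deliberately skips commented-out directives and inline certificate blocks, since both are common in exported profiles and either can hide a stray `auth` token. When the two sides disagree, the symptom on the server is the OpenVPN log line `Authenticate/Decrypt packet error: packet HMAC authentication failed`, which is what sits behind the reconnect loop the reporter describes.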
Updated by Jim Pingle over 3 years ago
- Category changed from OpenVPN Client Export to OpenVPN Client Import
- Status changed from New to Pull Request Review
Updated by Viktor Gurov over 3 years ago
- Status changed from Pull Request Review to Feedback
Merged
Fixed in OpenVPN Client Export 1.0.
Updated by Danilo Zrenjanin over 3 years ago
- Status changed from Feedback to Resolved
Tested on:
22.01-RELEASE (amd64) built on Mon Feb 07 16:37:59 UTC 2022 FreeBSD 12.3-STABLE
OpenVPN Client Export 1.0.
It works as expected. I am closing this ticket.