Bug #12802
closed
OpenVPN client imported using Client Import works until first time editing and saving settings (SHA1 replaced with SHA256)
Added by cromo cromo over 3 years ago.
Updated over 3 years ago.
Category: OpenVPN Client Import
Description
Disclaimer: You don't have an "OpenVPN Client Importer" category in your tracker, so I used OpenVPN Client Export.
I updated the CE to Plus today. Then I installed OpenVPN Client Importer package, followed by importing a configuration. Once done, the client connected as expected.
However, it's enough to edit the client configuration and save again to have the client no longer connect and get stuck in a continuous loop. Comparing the .ovpn files from /var/etc before and after editing, I see:
16c16
< auth SHA256
---
> auth SHA1
38a39
>
Pretty self-explanatory. Manually changing SHA256 back to SHA1 fixes the issue.
If you go to Diagnostics > Backup/Restore on the Config History tab and do a diff on the config entries before/after you clicked Save, what changed? What about a diff between when it was broken and fixed?
Without seeing the configuration you imported it's hard to say what might have happened but it's possible your original configuration used a variation of a specific string that didn't match up 100% with what it looks like on pfSense/FreeBSD, but it was close enough that OpenVPN knew what to do with it.
Jim Pingle wrote in #note-1:
Without seeing the configuration you imported it's hard to say what might have happened but it's possible your original configuration used a variation of a specific string that didn't match up 100% with what it looks like on pfSense/FreeBSD, but it was close enough that OpenVPN knew what to do with it.
The original config does not even mention auth, so this is entirely between the importer and the UI itself. I checked the config diff, as you suggested, and indeed there's an answer there:
- <digest></digest>
+ <digest>SHA256</digest>
Since my config did not come with auth, the importer left the digest empty, which per current OpenVPN spec means it defaulted to SHA1. However, upon editing, the UI updated its value to SHA256. I guess there are two solutions:
- to have the importer explicitly set digest to SHA1 if it wasn't provided by the config file
- have the UI default to SHA1, but this wouldn't be safe in other use cases, like when setting up a new configuration from scratch, which should rather hint the SHA160 at least
- Assignee set to Viktor Gurov
from man openvpn(5):
--auth alg
Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest
algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a
data string, a secure hash algorithm and a key to produce a digital signature.
if auth is empty, it must be SHA1
Internal redmine NG7540 is opened
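As an added, self-contained Python example (not the pfSense package's own code), this models the round trip described in the two notes above: read the `auth` directive from an .ovpn file, write `<digest>` explicitly as SHA1 when the directive is absent (the default openvpn(8) documents), and show why leaving the value empty broke on the first save. The digest list offered by the form, the form default of SHA256, and the sample .ovpn files are constructed assumptions for this example.

```python
# openvpn(8) documents `--auth alg` with "The default is SHA1": a config with no
# `auth` line runs HMAC-SHA1 on the data channel. Client and server must agree,
# so a client that silently moves to SHA256 no longer authenticates server packets.
DEFAULT_AUTH = "SHA1"

# Digest spellings the pfSense edit form offers. Assumption for this example,
# not the package's actual list.
PFSENSE_DIGESTS = ("SHA1", "SHA256", "SHA384", "SHA512")

# Default the edit form writes into an empty <digest> on save. Assumed from the
# ticket's config diff (<digest></digest> -> <digest>SHA256</digest>).
UI_FORM_DEFAULT = "SHA256"

# Constructed sample .ovpn files (not the reporter's configuration).
SAMPLE_NO_AUTH = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
# auth-user-pass and auth-nocache start with "auth" but are different directives
auth-user-pass
auth-nocache
cipher AES-256-GCM
verb 3
"""

SAMPLE_VARIANT_AUTH = """\
client
dev tun
remote vpn.example.invalid 1194
# OpenSSL accepts this spelling; the form's option list does not
auth sha-256
"""


def parse_auth_directive(ovpn_text):
    """Return the argument of the `auth` directive, or None if the file has none.

    Lines starting with # or ; are comments. Only the exact directive name
    `auth` matches, so `auth-user-pass` and `auth-nocache` are skipped.
    """
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] == "auth" and len(parts) >= 2:
            return parts[1]
    return None


def normalize_digest(alg):
    """Map an OpenVPN/OpenSSL digest spelling onto the form's option list."""
    canonical = alg.upper().replace("-", "")
    if canonical not in PFSENSE_DIGESTS:
        raise ValueError(f"digest {alg!r} has no equivalent in the form's list")
    return canonical


def importer_digest(ovpn_text):
    """Fixed behaviour: store SHA1 explicitly when the file has no `auth` line,
    so a later save keeps what OpenVPN was already defaulting to."""
    alg = parse_auth_directive(ovpn_text)
    return DEFAULT_AUTH if alg is None else normalize_digest(alg)


def buggy_importer_digest(ovpn_text):
    """Behaviour the ticket describes: an absent `auth` leaves <digest> empty."""
    alg = parse_auth_directive(ovpn_text)
    return "" if alg is None else normalize_digest(alg)


def ui_save(digest):
    """Model of the edit form: an empty field is overwritten with the form default."""
    return digest if digest else UI_FORM_DEFAULT


def effective_auth(digest):
    """Digest OpenVPN actually runs once the config is rendered: empty means SHA1."""
    return digest if digest else DEFAULT_AUTH


def round_trip(ovpn_text, importer):
    """(auth right after import, auth after one edit+save) for a given importer."""
    stored = importer(ovpn_text)
    return effective_auth(stored), effective_auth(ui_save(stored))


if __name__ == "__main__":
    for name, importer in (("buggy", buggy_importer_digest), ("fixed", importer_digest)):
        before, after = round_trip(SAMPLE_NO_AUTH, importer)
        status = "still matches server" if before == after else "MISMATCH: client will not authenticate"
        print(f"{name:5s} importer: import={before} save={after} -> {status}")
```

Running the block prints one line per importer: the buggy one goes from SHA1 to SHA256 across a single save, which is exactly the `auth SHA1` / `auth SHA256` difference in the reporter's diff; the fixed one stays at SHA1 because the stored value is no longer empty and the form has nothing to fill in.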
- Category changed from OpenVPN Client Export to OpenVPN Client Import
- Status changed from New to Pull Request Review
- Status changed from Pull Request Review to Feedback
Merged
fixed in OpenVPN Client Export 1.0
- Status changed from Feedback to Resolved
Tested on the:
22.01-RELEASE (amd64)
built on Mon Feb 07 16:37:59 UTC 2022
FreeBSD 12.3-STABLE
OpenVPN Client Export 1.0.
It works as expected. I am closing this ticket.