Regression #13056
Closed: OpenVPN ``remote_cert_tls`` option does not behave correctly when enabled and later disabled
Description
I have an OpenVPN server running on a pfSense with version 22.01 for some months now.
Multiple clients connect to the server.
Since the update to 22.01, I guess, client connections break with errors like:
Apr 13 11:01:57 192.168.253.1 openvpn56270: x.x.x.x:y VERIFY KU ERROR
Apr 13 11:01:57 192.168.253.1 openvpn56270: x.x.x.x:y TLS_ERROR: BIO read tls_read_plaintext error
Then, when I reload the OpenVPN server the problem persists.
However, when I open the configuration and save it again the problem disappears.
After some research I figured out that this problem probably occurs after rc.renewwanip[v6] was executed.
I compared the config.ovpn after the problem occurred and after I saved the OpenVPN server configuration again, and there was the option remote-cert-tls client in this file.
Currently, I am not using TLS auth; however, there seems to be a script (openvpn.inc?) which adds the unwanted option remote-cert-tls client.
I am not sure if relevant but there are the following custom options:
mode server;
client-config-dir /var/etc/openvpn/server6/csc;
ccd-exclusive;
ifconfig 10.8.1.254 255.255.255.0;
push "route-gateway 10.8.1.254";
route 10.5.1.0 255.255.255.0 10.8.1.1;
route 10.5.2.0 255.255.255.0 10.8.1.2;
Updated by Jim Pingle over 2 years ago
- Status changed from New to Not a Bug
- Plus Target Version deleted (22.01)
That setting won't prevent clients from connecting on auth-only VPNs. There must be something else happening in your environment (could be your custom options setting up incompatible settings) but there isn't nearly enough information here to say what that might be. This site is not for support or diagnostic discussion, however, so it's not the place to debug it.
For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit.
See Reporting Issues with pfSense Software for more information.
Updated by Michael Ruder over 2 years ago
I think this is a bug: Regardless of the newly introduced setting "Client Certificate Key Usage Validation", the "remote-cert-tls client" ends up in the configuration if the OpenVPN server instance is restarted (via Status=>OpenVPN or other means).
However, when saving the configuration from VPN=>OpenVPN (after changing anything, for instance only the log level) the line is not there, unless the option is ticked.
Updated by Viktor Gurov over 2 years ago
- Tracker changed from Bug to Regression
- Status changed from Not a Bug to New
- Assignee set to Viktor Gurov
- Target version set to 2.7.0
- Plus Target Version set to 22.05
- Affected Version set to 2.6.0
Updated by Viktor Gurov over 2 years ago
- Related to Feature #11865: Option to validate OpenVPN peer TLS certificate key usage added
Updated by Viktor Gurov over 2 years ago
- Is duplicate of Bug #13077: remote-cert-tls client set in configuration regardless of Client Certificate Key Usage Validation option (after server restart only!) added
Updated by Michael Ruder over 2 years ago
Works for me now as expected. I however noticed that with the patch now in config.xml there is either <remote_cert_tls></remote_cert_tls> if the option is active or nothing if it is not. Before, when the problem occurred, the option was always in the config.xml, either empty (as above) or with yes between the tags: <remote_cert_tls>yes</remote_cert_tls>
Other boolean options (like passtos) are handled also with the tags always being present and either yes or empty, and they do not show the faulty behaviour. So the remote_cert_tls option seems to be implemented somehow differently than the others.
As I have a (very) limited understanding of how the config is parsed etc., just ignore this comment if this is the intended way of doing things here. :)
Thanks for the quick fix.
Updated by Viktor Gurov over 2 years ago
- Status changed from New to Feedback
Updated by Viktor Gurov over 2 years ago
Michael Ruder wrote in #note-6:
Works for me now as expected. I however noticed that with the patch now in config.xml there is either <remote_cert_tls></remote_cert_tls> if the option is active or nothing if it is not. Before, when the problem occurred, the option was always in the config.xml, either empty (as above) or with yes between the tags: <remote_cert_tls>yes</remote_cert_tls>
That's fine. Some parts of the config.xml use such behavior.
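An added illustration of the distinction discussed in #note-6 and #note-7 (not pfSense code): why a key saved as an empty <remote_cert_tls></remote_cert_tls> tag behaves differently from a missing key once the config is reloaded and tested with isset(). The tag serializer and the isset() check in the generator are assumptions, not openvpn.inc itself.

```php
<?php
// Added example for this thread, not pfSense code. Models the two save
// paths from the patch discussion and the config.xml round trip, under the
// assumption that the generator decides with isset() on the reloaded key.

// Old save path (the removed line): copy the raw form value. An unticked
// checkbox posts nothing, so the key is created with a null value.
function save_raw(array $pconfig): array {
    return ['remote_cert_tls' => $pconfig['remote_cert_tls'] ?? null];
}

// Fixed save path (shape of the corrected hunk): create the key only when
// the box was ticked, so a disabled option leaves no key behind.
function save_fixed(array $pconfig): array {
    $client = [];
    if (isset($pconfig['remote_cert_tls'])) {
        $client['remote_cert_tls'] = true;
    }
    return $client;
}

// Assumed round trip through config.xml: every existing key becomes a tag
// (empty text for true/null), and an empty tag reads back as ''.
function xml_roundtrip(array $settings): array {
    $out = [];
    foreach ($settings as $k => $v) {
        $out[$k] = ($v === true || $v === null) ? '' : (string)$v;
    }
    return $out;
}

// Assumed generator check: isset() is true for '' but false for a missing
// key, which is the whole difference between the two save paths.
function directive(array $settings): ?string {
    return isset($settings['remote_cert_tls']) ? 'remote-cert-tls client' : null;
}

// Constructed form submissions: checkbox unticked, and checkbox ticked.
$unticked = [];
$ticked   = ['remote_cert_tls' => 'yes'];

// Bug case: the key is present but empty after reload, so isset() passes.
var_dump(directive(xml_roundtrip(save_raw($unticked))));
// Fixed case: no key at all, so nothing is emitted for a disabled option.
var_dump(directive(xml_roundtrip(save_fixed($unticked))));
// Enabled option still emits the directive after the fix.
var_dump(directive(xml_roundtrip(save_fixed($ticked))));
```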
Updated by Thorsten Zitterell over 2 years ago
Viktor Gurov wrote in #note-7:
Merged:
https://github.com/pfsense/pfsense/commit/48cf54f850c5bf4fe26a8e33deb449807e71c204
Are you sure this patch is right?
In src/usr/local/www/vpn_openvpn_client.php, line 588
- $client['remote_cert_tls'] = $pconfig['remote_cert_tls'];
+ if (isset($client['remote_cert_tls'])) {
+ $client['remote_cert_tls'] = true;
+ }
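Review bot: the new condition tests `$client['remote_cert_tls']`, the array being written to, rather than `$pconfig['remote_cert_tls']`, which is where the removed assignment took its value from; as written the submitted form value never reaches the saved setting. Suggest `if (isset($pconfig['remote_cert_tls'])) {` in place of the `$client` check.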
Shouldn't it be
- $client['remote_cert_tls'] = $pconfig['remote_cert_tls'];
+ if (isset($pconfig['remote_cert_tls'])) {
+ $client['remote_cert_tls'] = true;
+ }
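Review bot: this form reads the flag from `$pconfig` as the removed line did, and stores the key only when the box is ticked, so a disabled option leaves no `remote_cert_tls` key in the saved config; that matches the "empty tag or nothing" shape reported in #note-6, whereas the removed raw copy kept the key present with whatever value the form posted.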
(analogous to src/usr/local/www/vpn_openvpn_server.php:751)
Updated by Viktor Gurov over 2 years ago
- Status changed from Feedback to New
Thorsten Zitterell wrote in #note-9:
Viktor Gurov wrote in #note-7:
Merged:
https://github.com/pfsense/pfsense/commit/48cf54f850c5bf4fe26a8e33deb449807e71c204
Are you sure this patch is right?
In src/usr/local/www/vpn_openvpn_client.php, line 588
- $client['remote_cert_tls'] = $pconfig['remote_cert_tls'];
+ if (isset($client['remote_cert_tls'])) {
+ $client['remote_cert_tls'] = true;
+ }
Shouldn't it be
- $client['remote_cert_tls'] = $pconfig['remote_cert_tls'];
+ if (isset($pconfig['remote_cert_tls'])) {
+ $client['remote_cert_tls'] = true;
+ }
(analogous to src/usr/local/www/vpn_openvpn_server.php:751)
Thank you!
fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/735
Updated by Jim Pingle over 2 years ago
- Status changed from New to Pull Request Review
Updated by Viktor Gurov over 2 years ago
- Status changed from Pull Request Review to Feedback
Updated by Jim Pingle over 2 years ago
- Subject changed from OpenVPN Server configuration altered when interface is renewed to OpenVPN ``remote_cert_tls`` option does not behave correctly when enabled and later disabled
Updating subject for release notes.
Updated by Jim Pingle over 2 years ago
- Status changed from Feedback to Resolved
Option toggles correctly now. I can enable it and the option goes into the config. Disable it and it comes out.