Regression #13056

open

OpenVPN ``remote_cert_tls`` option does not behave correctly when enabled and later disabled

Added by Thorsten Zitterell about 1 month ago. Updated about 1 month ago.

Status: Feedback
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 22.05
Release Notes: Default
Affected Version: 2.6.0
Affected Architecture: amd64

Description

I have had an OpenVPN server running on a pfSense with version 22.01 for some months now.
Multiple clients connect to the server.

Since the update to 22.01, I guess, client connections break with errors like:

Apr 13 11:01:57 192.168.253.1 openvpn56270: x.x.x.x:y VERIFY KU ERROR
Apr 13 11:01:57 192.168.253.1 openvpn56270: x.x.x.x:y TLS_ERROR: BIO read tls_read_plaintext error

Then, when I reload the OpenVPN server the problem persists.
However, when I open the configuration and save it again the problem disappears.

After some research I figured out that this problem probably occurs after rc.renewwanip[v6] was executed.

I compared the config.ovpn after the problem occurred and after I saved the OpenVPN server configuration again, and the option remote-cert-tls client was in this file.

Currently, I am not using TLS auth; however, there seems to be a script (openvpn.inc?) which adds the unwanted option remote-cert-tls client.

I am not sure if relevant but there are the following custom options:

mode server;
client-config-dir /var/etc/openvpn/server6/csc;
ccd-exclusive;
ifconfig 10.8.1.254 255.255.255.0;
push "route-gateway 10.8.1.254";
route 10.5.1.0 255.255.255.0 10.8.1.1;
route 10.5.2.0 255.255.255.0 10.8.1.2;


Related issues

Related to Feature #11865: Option to validate OpenVPN peer TLS certificate key usage (Resolved, Viktor Gurov, 04/28/2021)

Is duplicate of Bug #13077: remote-cert-tls client set in configuration regardless of Client Certificate Key Usage Validation option (after server restart only!) (Duplicate)

Actions #1

Updated by Jim Pingle about 1 month ago

  • Status changed from New to Not a Bug
  • Plus Target Version deleted (22.01)

That setting won't prevent clients from connecting on auth-only VPNs. There must be something else happening in your environment (could be your custom options setting up incompatible settings) but there isn't nearly enough information here to say what that might be. This site is not for support or diagnostic discussion, however, so it's not the place to debug it.

For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit.

See Reporting Issues with pfSense Software for more information.

Actions #2

Updated by Michael Ruder about 1 month ago

I think this is a bug: regardless of the newly introduced setting "Client Certificate Key Usage Validation", the "remote-cert-tls client" line ends up in the configuration if the OpenVPN server instance is restarted (via Status=>OpenVPN or other means).

However, when saving the configuration from VPN=>OpenVPN (after changing anything, for instance only the log level) the line is not there, unless the option is ticked.

Actions #3

Updated by Viktor Gurov about 1 month ago

  • Tracker changed from Bug to Regression
  • Status changed from Not a Bug to New
  • Assignee set to Viktor Gurov
  • Target version set to 2.7.0
  • Plus Target Version set to 22.05
  • Affected Version set to 2.6.0
Actions #4

Updated by Viktor Gurov about 1 month ago

  • Related to Feature #11865: Option to validate OpenVPN peer TLS certificate key usage added
Actions #5

Updated by Viktor Gurov about 1 month ago

  • Is duplicate of Bug #13077: remote-cert-tls client set in configuration regardless of Client Certificate Key Usage Validation option (after server restart only!) added
Actions #6

Updated by Michael Ruder about 1 month ago

Works for me now as expected. I noticed, however, that with the patch there is now either <remote_cert_tls></remote_cert_tls> in config.xml if the option is active, or nothing if it is not. Before, when the problem occurred, the option was always in the config.xml, either empty (as above) or with yes between the tags: <remote_cert_tls>yes</remote_cert_tls>

Other boolean options (like passtos) are also handled with the tags always being present and either yes or empty, and they do not show the faulty behaviour. So the remote_cert_tls option seems to be implemented somehow differently than the others.

As I have a (very) limited understanding on how the config is parsed etc., just ignore this comment if this is the intended way of doing things here. :)

Thanks for the quick fix.

Actions #8

Updated by Viktor Gurov about 1 month ago

Michael Ruder wrote in #note-6:

Works for me now as expected. I noticed, however, that with the patch there is now either <remote_cert_tls></remote_cert_tls> in config.xml if the option is active, or nothing if it is not. Before, when the problem occurred, the option was always in the config.xml, either empty (as above) or with yes between the tags: <remote_cert_tls>yes</remote_cert_tls>

That's fine. Some parts of the config.xml use such behavior.

Actions #9

Updated by Thorsten Zitterell about 1 month ago

Viktor Gurov wrote in #note-7:

Merged:
https://github.com/pfsense/pfsense/commit/48cf54f850c5bf4fe26a8e33deb449807e71c204

Are you sure this patch is right?

In src/usr/local/www/vpn_openvpn_client.php, line 588

- $client['remote_cert_tls'] = $pconfig['remote_cert_tls'];
+ if (isset($client['remote_cert_tls'])) {
+ $client['remote_cert_tls'] = true;
+ }
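Review bot: the condition at the top of this hunk tests `$client['remote_cert_tls']`, the array that is being written, and never reads `$pconfig`, so the submitted form state has no influence on the result: a key that is already present is re-confirmed as `true` and a key that is absent is never added, which is exactly the enabled-then-disabled behaviour in the subject. The test should be `isset($pconfig['remote_cert_tls'])`, as in the server-side counterpart the comment refers to.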

Shouldn't it be

- $client['remote_cert_tls'] = $pconfig['remote_cert_tls'];
+ if (isset($pconfig['remote_cert_tls'])) {
+ $client['remote_cert_tls'] = true;
+ }
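Review bot: this form reads the form data, which is the right source. One thing to confirm before merging is that `$client` is rebuilt from scratch on every save; if it carries over the previously stored values, an unchecked box (which the browser does not submit at all) would leave a stale `true` behind, and the hunk would also need an `else { unset($client['remote_cert_tls']); }` branch.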

(analogous to src/usr/local/www/vpn_openvpn_server.php:751)
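To make the two points of notes #6 and #9 concrete, here is an added example written for this page; it is not pfSense code, and its function names, XML fragments and form arrays are constructed assumptions. Only the key name remote_cert_tls, the "remote-cert-tls client" directive and the two config.xml tag layouts come from the ticket. It models the restart path reading an instance back from config.xml under the old always-present-tag layout and the new presence-only layout, and the save path under the merged hunk and the proposed one.

```php
<?php
// Added example, not pfSense's own code: a small model of the behaviour
// discussed in notes #6 and #9. The key name remote_cert_tls, the
// "remote-cert-tls client" directive and the two config.xml tag layouts
// come from the ticket; all function names, the sample XML and the
// form arrays are hypothetical and constructed for this illustration.

/**
 * Restart path: rebuild the instance settings from config.xml. It only
 * asks whether the tag is present, so the pre-patch layout (tag always
 * present, empty when the option is off) reads back as enabled.
 */
function settings_from_config_xml(string $xml): array
{
    $doc = new SimpleXMLElement($xml);
    $settings = [];
    if (isset($doc->remote_cert_tls)) {
        // An empty <remote_cert_tls></remote_cert_tls> still satisfies isset().
        $settings['remote_cert_tls'] = true;
    }
    return $settings;
}

/**
 * Save path as merged (first hunk in note #9): the check looks at the
 * array being written, so $pconfig is never consulted and a key that is
 * already present can never be removed.
 */
function save_settings_buggy(array $settings, array $pconfig): array
{
    if (isset($settings['remote_cert_tls'])) {
        $settings['remote_cert_tls'] = true;
    }
    return $settings;
}

/**
 * Save path as proposed (second hunk in note #9): the check looks at the
 * form data. An unchecked checkbox is not submitted at all, so isset() is
 * false and the key is dropped; unset() covers a reused settings array.
 */
function save_settings_fixed(array $settings, array $pconfig): array
{
    if (isset($pconfig['remote_cert_tls'])) {
        $settings['remote_cert_tls'] = true;
    } else {
        unset($settings['remote_cert_tls']);
    }
    return $settings;
}

/** Emits the OpenVPN directive only when the option is present. */
function render_directives(array $settings): array
{
    $lines = ['mode server', 'dev tun'];
    if (isset($settings['remote_cert_tls'])) {
        $lines[] = 'remote-cert-tls client';
    }
    return $lines;
}

function has_remote_cert_tls(array $lines): bool
{
    return in_array('remote-cert-tls client', $lines, true);
}

// Constructed config.xml fragments: the option is switched off in both,
// stored once with the old always-present layout and once presence-only.
$oldLayout = '<openvpn-server><description>lab</description>'
           . '<remote_cert_tls></remote_cert_tls></openvpn-server>';
$newLayout = '<openvpn-server><description>lab</description></openvpn-server>';

printf("restart, old layout: directive present = %s\n",
    has_remote_cert_tls(render_directives(settings_from_config_xml($oldLayout))) ? 'yes' : 'no');
printf("restart, new layout: directive present = %s\n",
    has_remote_cert_tls(render_directives(settings_from_config_xml($newLayout))) ? 'yes' : 'no');

// Save path: the option was on, the admin clears the checkbox and saves.
// The browser submits the other fields but no remote_cert_tls field.
$stored  = ['description' => 'lab', 'remote_cert_tls' => true];
$pconfig = ['description' => 'lab'];

$buggy = save_settings_buggy($stored, $pconfig);
$fixed = save_settings_fixed($stored, $pconfig);
printf("save, merged hunk:   directive present = %s\n",
    has_remote_cert_tls(render_directives($buggy)) ? 'yes' : 'no');
printf("save, proposed hunk: directive present = %s\n",
    has_remote_cert_tls(render_directives($fixed)) ? 'yes' : 'no');
```

Run it with `php` from the command line. The restart path shows why the tag layout matters once presence rather than value decides: the empty tag of the old layout satisfies isset(), so a restart re-enables the option. The save path shows why the submitted $pconfig, not the array being written, has to be tested for the option to be clearable.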

Actions #10

Updated by Viktor Gurov about 1 month ago

  • Status changed from Feedback to New

Thorsten Zitterell wrote in #note-9:

Viktor Gurov wrote in #note-7:

Merged:
https://github.com/pfsense/pfsense/commit/48cf54f850c5bf4fe26a8e33deb449807e71c204

Are you sure this patch is right?

In src/usr/local/www/vpn_openvpn_client.php, line 588

- $client['remote_cert_tls'] = $pconfig['remote_cert_tls'];
+ if (isset($client['remote_cert_tls'])) {
+ $client['remote_cert_tls'] = true;
+ }

Shouldn't it be

- $client['remote_cert_tls'] = $pconfig['remote_cert_tls'];
+ if (isset($pconfig['remote_cert_tls'])) {
+ $client['remote_cert_tls'] = true;
+ }

(analogous to src/usr/local/www/vpn_openvpn_server.php:751)

Thank you!

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/735

Actions #11

Updated by Jim Pingle about 1 month ago

  • Status changed from New to Pull Request Review
Actions #12

Updated by Viktor Gurov about 1 month ago

  • Status changed from Pull Request Review to Feedback
Actions #13

Updated by Jim Pingle about 1 month ago

  • Subject changed from OpenVPN Server configuration altered when interface is renewed to OpenVPN ``remote_cert_tls`` option does not behave correctly when enabled and later disabled

Updating subject for release notes.
