Bug #7065

closed

OpenVPN Server conf files not created in /var/etc after upgrading to 2017.01.01.1906 release

Added by Jeff Wischkaemper about 7 years ago. Updated about 7 years ago.

Status: Resolved
Priority: Very High
Assignee:
Category: OpenVPN
Target version:
Start date: 01/01/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4
Affected Architecture:

Description

After upgrading to the latest release (20170101.1906), OpenVPN server conf files are not populated in the /var/etc directory. .ca, .crt, and .key files are populated, but .tls-auth and .conf files are missing, causing OpenVPN servers to fail.

OpenVPN clients on PFS 2.4 do not seem to be affected by this issue.

Bug confirmed on multiple firewalls running a dozen servers, with many different configurations (e.g. site-to-site, remote, remote SSL/TLS, remote SSL/TLS + user auth, UDP, TCP, TLS-AUTH enabled and disabled, compression enabled and disabled, etc.) Firewalls had been running previous 2.4 releases with no problems - the problem seems to be related to the upgrade to OpenVPN 2.4.0 - similar behavior is not observed on 2.3.3. development snapshot. Also, creating a new OpenVPN server with configuration identical to existing servers does not seem to solve the problem.

Actions #1

Updated by Phillip Davis about 7 years ago

First problem I found is if you edit/save a client, it writes the protocol description to the config, rather than the "udp4" etc code.
https://github.com/pfsense/pfsense/pull/3339

But on a test VM I get server and client conf files, they are in /var/etc/openvpn

Actions #2

Updated by Jim Pingle about 7 years ago

  • Category set to OpenVPN
  • Assignee set to Jim Pingle
  • Target version set to 2.4.0
  • Affected Version set to 2.4

The only error that could cause the settings to not be written is if you have selected DH parameters that do not have a corresponding file in /etc/.

Among other items I added yesterday was sanity checking and validation to the DH parameters selection to prevent (a) invalid DH parameters from being selected and (b) invalid DH parameters from being used. It bails on writing the configuration in that case because it could cause OpenVPN to fail. Or perhaps you have made some non-standard changes to your system such as moving /etc/?

Check your system log and OpenVPN log for any indication of an error regarding OpenVPN. I'll update some systems and try to reproduce this here as well in the meantime.

Actions #3

Updated by Greg M about 7 years ago

Hi!

I'm also affected.

First thing:

Crash report begins.  Anonymous machine information:

amd64
11.0-RELEASE-p5
FreeBSD 11.0-RELEASE-p5 #30 f1e039d(RELENG_2_4): Mon Jan 2 04:43:54 CST 2017 :/builder/ce/tmp/obj/builder/ce/tmp/FreeBSD-src/sys/pfSense

Crash report details:

PHP Errors:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055

And second:

I use DH Parameter Length 2048 BIT
In /etc I have:
dh-parameters.1024
dh-parameters.2048
dh-parameters.4096

Error in syslog:
"/vpn_openvpn_server.php: Failed to construct OpenVPN server configuration. The selected DH Parameter length cannot be used."

"/vpn_openvpn_server.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/server1.conf'' returned exit code '1', the output was 'Options error: In [CMD-LINE]:1: Error opening configuration file: /var/etc/openvpn/server1.conf Use --help for more information.'"

So there is something weird going on here...
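
A check for the state reported in this ticket, as an added example that is not part of the thread and not pfSense code: it flags OpenVPN instances whose key material exists without a .conf beside it, and tests whether a given dh-parameters file is usable. The `<instance>.<ext>` naming for the key files and the PEM format of the DH files are assumptions; only `server1.conf` and the `dh-parameters.<bits>` names appear above.

```shell
#!/bin/sh
# Added example, not pfSense code. Detects the state reported in this ticket:
# key material present in the OpenVPN run directory but no .conf beside it.
# Assumption: per-instance files are named <instance>.<ext>, as in server1.conf.

# Print each instance that has a .ca, .crt or .key file but no .conf.
find_orphaned_instances() {
    dir=$1
    for f in "$dir"/*.ca "$dir"/*.crt "$dir"/*.key; do
        [ -e "$f" ] || continue          # glob matched nothing
        base=${f##*/}
        inst=${base%.*}
        [ -e "$dir/$inst.conf" ] || echo "$inst"
    done | sort -u
}

# Succeed only if ETC_DIR/dh-parameters.BITS is a non-empty PEM DH file.
# Assumption: the files are PEM, as written by "openssl dhparam".
dh_file_usable() {
    [ -s "$1/dh-parameters.$2" ] &&
        grep -q -e '-----BEGIN DH PARAMETERS-----' "$1/dh-parameters.$2"
}

# Build a constructed sample tree: server1 is missing its .conf, server2 is
# complete, and only the 2048-bit DH file has content.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/var/etc/openvpn" "$root/etc"
    for ext in ca crt key; do : > "$root/var/etc/openvpn/server1.$ext"; done
    for ext in ca crt key conf; do : > "$root/var/etc/openvpn/server2.$ext"; done
    printf '%s\n' '-----BEGIN DH PARAMETERS-----' 'constructed' \
        '-----END DH PARAMETERS-----' > "$root/etc/dh-parameters.2048"
    : > "$root/etc/dh-parameters.4096"
    echo "$root"
}

# Usage: sh check.sh CONF_DIR ETC_DIR BITS   (e.g. /var/etc/openvpn /etc 2048)
if [ "$#" -eq 3 ]; then
    find_orphaned_instances "$1" | sed 's/^/missing .conf: /'
    dh_file_usable "$2" "$3" || echo "unusable: $2/dh-parameters.$3"
fi
```
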

Actions #4

Updated by Greg M about 7 years ago

Forgot to add...

If I use ECDH only it works...

Actions #5

Updated by Jeff Wischkaemper about 7 years ago

I am seeing the same errors as Greg, though I'm using a DH of 4096 instead of 2048.

Problem is still occurring on the 20170102.0439 snapshot.

Actions #6

Updated by Jim Pingle about 7 years ago

  • Status changed from New to Feedback

This should be fixed by the PR that was merged a short while ago and is already in the latest snapshot. Update to the most recent snapshot and test again.

Actions #7

Updated by Greg M about 7 years ago

Ummm I'm on: 2.4.0.b.20170102.0439
Issue persists.

Actions #8

Updated by Renato Botelho about 7 years ago

Greg M wrote:

Ummm I'm on: 2.4.0.b.20170102.0439
Issue persists.

Try to gitsync with master or wait for the next snapshot.

Actions #9

Updated by Jim Pingle about 7 years ago

I just pushed another change that should help, give it ~5-10 mins to show up on github and then gitsync or apply that commit as a patch.

Actions #10

Updated by Greg M about 7 years ago

Yep, all works now.

Thanks!

Actions #11

Updated by Jim Pingle about 7 years ago

OK. We will wait for it to show up in snapshots and re-test and then if it's OK there, this can be closed.

Actions #12

Updated by Greg M about 7 years ago

I just have this now...

Crash report begins.  Anonymous machine information:

amd64
11.0-RELEASE-p5
FreeBSD 11.0-RELEASE-p5 #30 f1e039d(RELENG_2_4): Mon Jan 2 04:43:54 CST 2017 :/builder/ce/tmp/obj/builder/ce/tmp/FreeBSD-src/sys/pfSense

Crash report details:

PHP Errors:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055

But everything seems OK.
Just gitsync'ed...

Actions #13

Updated by Jim Pingle about 7 years ago

That was probably from before the sync. Clear the error and check again. If you can, reboot and see if the error is gone then as well. I finally managed to find a VM that could replicate it and with that last fix all the errors were gone even on reboot.

Actions #14

Updated by Jeff Wischkaemper about 7 years ago

Thanks for the quick response on this Jim. I assume another snapshot will hit later this morning or early afternoon?

Actions #15

Updated by Jim Pingle about 7 years ago

Yes it's building right now, we restarted the snapshot builds to make sure it gets picked up.

Actions #16

Updated by Greg M about 7 years ago

Now it's all good.

Thanks again!

Actions #17

Updated by Jeff Wischkaemper about 7 years ago

Working now.

Thanks again for the quick turnaround.

Actions #18

Updated by Renato Botelho about 7 years ago

  • Status changed from Feedback to Resolved