Bug #7065

OpenVPN Server conf files not created in /var/etc after upgrading to 2017.01.01.1906 release

Added by Jeff Wischkaemper 11 months ago. Updated 11 months ago.

Status: Resolved
Priority: Very High
Assignee:
Category: OpenVPN
Target version:
Start date: 01/01/2017
Due date:
% Done: 0%
Affected Version: 2.4
Affected Architecture:

Description

After upgrading to the latest release (20170101.1906), OpenVPN server conf files are not populated in the /var/etc directory. .ca, .crt, and .key files are populated, but .tls-auth and .conf files are missing, causing OpenVPN servers to fail.

OpenVPN clients on PFS 2.4 do not seem to be affected by this issue.

Bug confirmed on multiple firewalls running a dozen servers, with many different configurations (e.g. site-to-site, remote, remote SSL/TLS, remote SSL/TLS + user auth, UDP, TCP, TLS-AUTH enabled and disabled, compression enabled and disabled, etc.) Firewalls had been running previous 2.4 releases with no problems - the problem seems to be related to the upgrade to OpenVPN 2.4.0 - similar behavior is not observed on 2.3.3. development snapshot. Also, creating a new OpenVPN server with configuration identical to existing servers does not seem to solve the problem.

Associated revisions

Revision 80d3effa
Added by Jim Pingle 11 months ago

Make sure $openvpn_dh_lengths is declared global. Ticket #7065
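
The failure mode named in this commit message and in the `array_keys()` / `in_array()` warnings reported in the history below, as an added illustration (not pfSense source): a function that reads a file-level array without declaring it global sees null, so a validation step that refuses to write the config rejects every selection. The array contents, the function names and the temp directory standing in for /etc are assumptions.

```php
<?php
// Added illustration, not pfSense source. Array contents, function names and
// the temp directory used in place of /etc are assumptions.
$openvpn_dh_lengths = array(1024 => '1024 bit', 2048 => '2048 bit', 4096 => '4096 bit');

function dh_usable_without_global($len, $dir) {
    // No "global" statement: $openvpn_dh_lengths is an undefined local (null) here.
    try {
        $known = (bool) in_array($len, array_keys($openvpn_dh_lengths));
    } catch (\TypeError $e) {
        // PHP 8 throws where the PHP 7 in the report only warned and returned null.
        $known = false;
    }
    return $known && is_readable("$dir/dh-parameters.$len");
}

function dh_usable_with_global($len, $dir) {
    global $openvpn_dh_lengths;   // the kind of declaration the commit message refers to
    return is_array($openvpn_dh_lengths)
        && in_array($len, array_keys($openvpn_dh_lengths))
        && is_readable("$dir/dh-parameters.$len");
}

function write_server_conf($check, $len, $dir) {
    if (!$check($len, $dir)) {
        // Bail rather than write a config OpenVPN cannot start with.
        error_log("The selected DH Parameter length cannot be used.");
        return false;
    }
    return file_put_contents("$dir/server1.conf", "dh $dir/dh-parameters.$len\n") !== false;
}

// Constructed stand-in for /etc holding the three files listed in the report.
$dir = sys_get_temp_dir() . '/dh-demo-' . getmypid();
mkdir($dir);
foreach (array(1024, 2048, 4096) as $l) {
    touch("$dir/dh-parameters.$l");
}

// Same valid selection through both checks, then a length that is not offered.
var_dump(write_server_conf('dh_usable_without_global', 2048, $dir));
var_dump(write_server_conf('dh_usable_with_global', 2048, $dir));
var_dump(write_server_conf('dh_usable_with_global', 3072, $dir));
```

The first call refuses a valid 2048-bit selection even though its parameter file exists, which is the combination reported in comment #3: files present in /etc, "cannot be used" in syslog, and no server1.conf for OpenVPN to open.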

History

#1 Updated by Phillip Davis 11 months ago

First problem I found is if you edit/save a client, it writes the protocol description to the config, rather than the "udp4" etc code.
https://github.com/pfsense/pfsense/pull/3339

But on a test VM I get server and client conf files, they are in /var/etc/openvpn

#2 Updated by Jim Pingle 11 months ago

  • Category set to OpenVPN
  • Assignee set to Jim Pingle
  • Target version set to 2.4.0
  • Affected Version set to 2.4

The only error that could cause the settings to not be written is if you have selected DH parameters that do not have a corresponding file in /etc/

Among other items I added yesterday was sanity checking and validation to the DH parameters selection to prevent (a) invalid DH parameters from being selected and (b) to prevent invalid DH parameters from being used. It bails on writing the configuration in that case because it could cause OpenVPN to fail. Or perhaps you have made some non-standard changes to your system such as moving /etc/?

Check your system log and OpenVPN log for any indication of an error regarding OpenVPN. I'll update some systems and try to reproduce this here as well in the meantime.

#3 Updated by Greg M 11 months ago

Hi!

I'm also affected.

First thing:

Crash report begins.  Anonymous machine information:

amd64
11.0-RELEASE-p5
FreeBSD 11.0-RELEASE-p5 #30 f1e039d(RELENG_2_4): Mon Jan 2 04:43:54 CST 2017 :/builder/ce/tmp/obj/builder/ce/tmp/FreeBSD-src/sys/pfSense

Crash report details:

PHP Errors:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055

And second:

I use DH Parameter Length 2048 BIT
In /etc I have:
dh-parameters.1024
dh-parameters.2048
dh-parameters.4096

Error in syslog:
"/vpn_openvpn_server.php: Failed to construct OpenVPN server configuration. The selected DH Parameter length cannot be used."

"/vpn_openvpn_server.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/server1.conf'' returned exit code '1', the output was 'Options error: In [CMD-LINE]:1: Error opening configuration file: /var/etc/openvpn/server1.conf Use --help for more information.'"

So there is something weird going on here...

#4 Updated by Greg M 11 months ago

Forgot to add...

If I use ECDH only it works...

#5 Updated by Jeff Wischkaemper 11 months ago

I am seeing the same errors as Greg, though I'm using a DH of 4096 instead of 2048.

Problem is still occurring on the 20170102.0439 snapshot.

#6 Updated by Jim Pingle 11 months ago

  • Status changed from New to Feedback

This should be fixed by the PR that was merged a short while ago and is already in the latest snapshot. Update to the most recent snapshot and test again.

#7 Updated by Greg M 11 months ago

Ummm I'm on: 2.4.0.b.20170102.0439
Issue persists.

#8 Updated by Renato Botelho 11 months ago

Greg M wrote:

Ummm I'm on: 2.4.0.b.20170102.0439
Issue persists.

Try to gitsync with master or wait for the next snapshot.

#9 Updated by Jim Pingle 11 months ago

I just pushed another change that should help, give it ~5-10 mins to show up on github and then gitsync or apply that commit as a patch.

#10 Updated by Greg M 11 months ago

Yep, all works now.

Thanks!

#11 Updated by Jim Pingle 11 months ago

OK. We will wait for it to show up in snapshots and re-test and then if it's OK there, this can be closed.

#12 Updated by Greg M 11 months ago

I just have this now...

Crash report begins.  Anonymous machine information:

amd64
11.0-RELEASE-p5
FreeBSD 11.0-RELEASE-p5 #30 f1e039d(RELENG_2_4): Mon Jan 2 04:43:54 CST 2017 :/builder/ce/tmp/obj/builder/ce/tmp/FreeBSD-src/sys/pfSense

Crash report details:

PHP Errors:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055

But everything seems OK.
Just gitsync'ed...

#13 Updated by Jim Pingle 11 months ago

That was probably from before the sync. Clear the error and check again. If you can, reboot and see if the error is gone then as well. I finally managed to find a VM that could replicate it and with that last fix all the errors were gone even on reboot.

#14 Updated by Jeff Wischkaemper 11 months ago

Thanks for the quick response on this Jim. I assume another snapshot will hit later this morning or early afternoon?

#15 Updated by Jim Pingle 11 months ago

Yes it's building right now, we restarted the snapshot builds to make sure it gets picked up.

#16 Updated by Greg M 11 months ago

Now it's all good.

Thanks again!

#17 Updated by Jeff Wischkaemper 11 months ago

Working now.

Thanks again for the quick turnaround.

#18 Updated by Renato Botelho 11 months ago

  • Status changed from Feedback to Resolved
