Bug #7065
closed
OpenVPN Server conf files not created in /var/etc after upgrading to 2017.01.01.1906 release
Added by Jeff Wischkaemper over 7 years ago. Updated over 7 years ago.
0%
Description
After upgrading to the latest release (20170101.1906), OpenVPN server conf files are not populated in the /var/etc directory. .ca, .crt, and .key files are populated, but .tls-auth and .conf files are missing, causing OpenVPN servers to fail.
OpenVPN clients on PFS 2.4 do not seem to be affected by this issue.
Bug confirmed on multiple firewalls running a dozen servers, with many different configurations (e.g. site-to-site, remote, remote SSL/TLS, remote SSL/TLS + user auth, UDP, TCP, TLS-AUTH enabled and disabled, compression enabled and disabled, etc.) Firewalls had been running previous 2.4 releases with no problems - the problem seems to be related to the upgrade to OpenVPN 2.4.0 - similar behavior is not observed on 2.3.3. development snapshot. Also, creating a new OpenVPN server with configuration identical to existing servers does not seem to solve the problem.
Updated by Phillip Davis over 7 years ago
First problem I found is if you edit/save a client, it writes the protocol description to the config, rather than the "udp4" etc code.
https://github.com/pfsense/pfsense/pull/3339
But on a test VM I get server and client conf files, they are in /var/etc/openvpn
Updated by Jim Pingle over 7 years ago
- Category set to OpenVPN
- Assignee set to Jim Pingle
- Target version set to 2.4.0
- Affected Version set to 2.4
The only error that could cause the settings to not be written is if you have selected DH parameters that do not have a corresponding file in /etc/
Among other items I added yesterday was sanity checking and validation to the DH parameters selection to prevent (a) invalid DH parameters from being selected and (b) to prevent invalid DH parameters from being used. It bails on writing the configuration in that case because it could cause OpenVPN to fail. Or perhaps you have made some non-standard changes to your system such as moving /etc/?
Check your system log and OpenVPN log for any indication of an error regarding OpenVPN. I'll update some systems and try to reproduce this here as well in the meantime.
Updated by Greg M over 7 years ago
Hi!
I`m also affected.
First thing:
Crash report begins. Anonymous machine information:amd64
11.0-RELEASE-p5
FreeBSD 11.0-RELEASE-p5 #30 f1e039d(RELENG_2_4): Mon Jan 2 04:43:54 CST 2017 root@buildbot2.netgate.com:/builder/ce/tmp/obj/builder/ce/tmp/FreeBSD-src/sys/pfSense
Crash report details:
PHP Errors:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055
And second:
I use DH Parameter Length 2048 BIT
In /etc I have:
dh-parameters.1024
dh-parameters.2048
dh-parameters.4096
Error in syslog:
"/vpn_openvpn_server.php: Failed to construct OpenVPN server configuration. The selected DH Parameter length cannot be used."
"/vpn_openvpn_server.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/server1.conf'' returned exit code '1', the output was 'Options error: In [CMD-LINE]:1: Error opening configuration file: /var/etc/openvpn/server1.conf Use --help for more information.'"
So there is something weird going on here...
Updated by Greg M over 7 years ago
Forgot to add...
If I use ECDH only it works...
Updated by Jeff Wischkaemper over 7 years ago
I am seeing the same errors as Greg, though I'm using a DH of 4096 instead of 2048.
Problem is still occurring on the 20170102.0439 snapshot.
Updated by Jim Pingle over 7 years ago
- Status changed from New to Feedback
This should be fixed by the PR that was merged a short while ago and is already in the latest snapshot. Update to the most recent snapshot and test again.
Updated by Greg M over 7 years ago
Ummm I`m on: 2.4.0.b.20170102.0439
Issue persists.
Updated by Renato Botelho over 7 years ago
Greg M wrote:
Ummm I`m on: 2.4.0.b.20170102.0439
Issue persists.
Try to gitsync with master or wait next snapshot
Updated by Jim Pingle over 7 years ago
I just pushed another change that should help, give it ~5-10 mins to show up on github and then gitsync or apply that commit as a patch.
Updated by Jim Pingle over 7 years ago
OK. We will wait for it to show up in snapshots and re-test and then if it's OK there, this can be closed.
Updated by Greg M over 7 years ago
I just have this now...
Crash report begins. Anonymous machine information:amd64
11.0-RELEASE-p5
FreeBSD 11.0-RELEASE-p5 #30 f1e039d(RELENG_2_4): Mon Jan 2 04:43:54 CST 2017 root@buildbot2.netgate.com:/builder/ce/tmp/obj/builder/ce/tmp/FreeBSD-src/sys/pfSense
Crash report details:
PHP Errors:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:11 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:11 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:07:42 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:07:42 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 4. array_keys() /etc/inc/openvpn.inc:1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/openvpn.inc on line 1055
[02-Jan-2017 14:10:13 Europe/Berlin] PHP Stack trace:
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 1. {main}() /usr/local/www/vpn_openvpn_server.php:0
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 2. openvpn_resync() /usr/local/www/vpn_openvpn_server.php:569
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 3. openvpn_reconfigure() /etc/inc/openvpn.inc:1362
[02-Jan-2017 14:10:13 Europe/Berlin] PHP 4. in_array() /etc/inc/openvpn.inc:1055
But everything seems OK.
Just gitsync`ed...
Updated by Jim Pingle over 7 years ago
That was probably from before the sync. Clear the error and check again. If you can, reboot and see if the error is gone then as well. I finally managed to find a VM that could replicate it and with that last fix all the errors were gone even on reboot.
Updated by Jeff Wischkaemper over 7 years ago
Thanks for the quick response on this Jim. I assume another snapshot will hit later this morning or early afternoon?
Updated by Jim Pingle over 7 years ago
Yes it's building right now, we restarted the snapshot builds to make sure it gets picked up.
Updated by Jeff Wischkaemper over 7 years ago
Working now.
Thanks again for the quick turnaround.
Updated by Renato Botelho over 7 years ago
- Status changed from Feedback to Resolved