OpenVPN / openvpn3-linux

OpenVPN 3 Linux client
GNU Affero General Public License v3.0

OpenVPN3 stopped working after kernel update #39

Closed sid-the-sloth closed 3 years ago

sid-the-sloth commented 3 years ago

Installed openvpn3 client as per instructions (https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux).

Everything worked fine until the last kernel update. I can provide more info if needed -- please write back.

Running this openvpn3 version on Debian 10:

$ openvpn3 version
OpenVPN 3/Linux v13_beta (openvpn3)
OpenVPN core 3.git:HEAD:ce0c9963 linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.

My system:

$ uname -a
Linux lenovo-m58 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux

and:

$ cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

dsommers commented 3 years ago

What is not working? Have you tried to use the DCO feature? Do you see anything in the logs; it's worth checking both journalctl --since today -u dbus and journalctl --since today SYSLOG_IDENTIFIER=net.openvpn.v3.log. You may want to increase the logging before you try to start a session again (openvpn3-admin log-service --log-level 6). Also, how do you start your VPN session?

sid-the-sloth commented 3 years ago

Sorry, just ran the commands suggested, I think this shows the issue -- please advise. The network-manager vpn client still connects okay, but openvpn3 fails.

I am starting the (persistent) session in terminal, with: openvpn3 session-start --config /etc/openvpn/my-connection.ovpn

Looks like the issue is: Certificate verification failed... Here is the output from respective command:

$ journalctl --since today SYSLOG_IDENTIFIER=net.openvpn.v3.log
-- Logs begin at Tue 2021-04-06 12:26:14 EDT, end at Fri 2021-04-09 17:52:59 EDT. --
Apr 09 17:49:34 lenovo-m58 net.openvpn.v3.log[485]: OpenVPN 3/Linux v13_beta (openvpn3-service-logger)
Apr 09 17:49:34 lenovo-m58 net.openvpn.v3.log[485]: OpenVPN core 3.git:HEAD:ce0c9963 linux x86_64 64-bit
Apr 09 17:49:34 lenovo-m58 net.openvpn.v3.log[485]: Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.
Apr 09 17:49:34 lenovo-m58 net.openvpn.v3.log[485]: Idle exit set to 10 minutes
Apr 09 17:49:34 lenovo-m58 net.openvpn.v3.log[11148]: Logger VERB2: Attached: {tag:6705874228307749449}  [:1.30849/net.openvpn.v3.sessions]
Apr 09 17:49:34 lenovo-m58 net.openvpn.v3.log[11148]: Logger VERB2: Attached: {tag:8119043309269686520}  [:1.30853/net.openvpn.v3.configuration]
Apr 09 17:49:34 lenovo-m58 net.openvpn.v3.log[11148]: {tag:8119043309269686520} Config Manager INFO: Parsed persistent configuration '/etc/openvpn/my-connection.ovpn', owner: <userowner>
Apr 09 17:49:35 lenovo-m58 net.openvpn.v3.log[11148]: Logger VERB2: Attached: {tag:5714097778400281831}  [:1.30855/net.openvpn.v3.backends]
Apr 09 17:49:35 lenovo-m58 net.openvpn.v3.log[11148]: Logger VERB2: Attached: {tag:9092037663648453378}  [:1.30856/net.openvpn.v3.backends]
Apr 09 17:49:35 lenovo-m58 net.openvpn.v3.log[11148]: Logger VERB2: Attached: {tag:4532280910588133140}  [:1.30856/net.openvpn.v3.sessions]
Apr 09 17:49:35 lenovo-m58 net.openvpn.v3.log[11148]: {tag:9092037663648453378} Client VERB1: Initializing VPN client session, token 1f2bccd2t736ft46cft9cfctd1c33a77d768
Apr 09 17:49:35 lenovo-m58 net.openvpn.v3.log[11148]: {tag:9092037663648453378} Client VERB1: Configuration override 'persist-tun' set to True
Apr 09 17:49:35 lenovo-m58 net.openvpn.v3.log[11148]: Logger VERB2: Attached: {tag:14389364352169869454}  [:1.30858/net.openvpn.v3.netcfg]
Apr 09 17:49:35 lenovo-m58 net.openvpn.v3.log[11148]: Logger VERB2: Attached: {tag:11683993212985576547}  [:1.30858/net.openvpn.v3.netcfg.core]
Apr 09 17:49:35 lenovo-m58 net.openvpn.v3.log[11148]: {tag:14389364352169869454} Network Configuration VERB1: Redirect method: host-route
Apr 09 17:49:41 lenovo-m58 net.openvpn.v3.log[11148]: Logger VERB2: Detached: {tag:5714097778400281831}  [:1.30855/net.openvpn.v3.backends]
Apr 09 17:49:47 lenovo-m58 net.openvpn.v3.log[11148]: {tag:14389364352169869454} Network Configuration INFO: Cleaning up resources for PID 11164.
Apr 09 17:49:47 lenovo-m58 net.openvpn.v3.log[11148]: {tag:9092037663648453378} Client INFO: Starting connection
Apr 09 17:49:47 lenovo-m58 net.openvpn.v3.log[11148]: {tag:9092037663648453378} Client VERB1: Username/password provided successfully for '<user>'
Apr 09 17:49:47 lenovo-m58 net.openvpn.v3.log[11148]: {tag:9092037663648453378} Client VERB1: Waiting for server response
Apr 09 17:49:47 lenovo-m58 net.openvpn.v3.log[11148]: {tag:14389364352169869454} Network Configuration INFO: Socket protect called for socket 8, remote: '75.98.196.242', tun: '', ipv6: no
Apr 09 17:49:48 lenovo-m58 net.openvpn.v3.log[11148]: {tag:9092037663648453378} Client INFO: Connecting
Apr 09 17:49:48 lenovo-m58 net.openvpn.v3.log[11148]: {tag:9092037663648453378} Client !! CRITICAL !!: Certificate verification failed:OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Apr 09 17:49:48 lenovo-m58 net.openvpn.v3.log[11148]: {tag:14389364352169869454} Network Configuration INFO: Cleaning up resources for PID 11164.
Apr 09 17:49:48 lenovo-m58 net.openvpn.v3.log[11148]: {tag:9092037663648453378} Client INFO: Forcing shutdown of backend process for token 1f2bccd2t736ft46cft9cfctd1c33a77d768
Apr 09 17:49:48 lenovo-m58 net.openvpn.v3.log[11148]: Logger VERB2: Detached: {tag:9092037663648453378}  [:1.30856/net.openvpn.v3.backends]
Apr 09 17:49:48 lenovo-m58 net.openvpn.v3.log[11148]: Logger VERB2: Detached: {tag:4532280910588133140}  [:1.30856/net.openvpn.v3.sessions]
Apr 09 17:49:50 lenovo-m58 net.openvpn.v3.log[11148]: {tag:6705874228307749449} Session Manager VERB1: Session is closing

Thanks!

sid-the-sloth commented 3 years ago

Sorry - again, very strange, I deleted the persisted config and re-imported it: now it works just fine.

Asked my network admin, nothing has changed on the server -- maybe something in this local config (of openvpn3) is related to the kernel version?

Thanks!

dsommers commented 3 years ago

I see this line in the log, which is why it failed:

Client !! CRITICAL !!: Certificate verification failed:OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

So something must have changed, resulting in the client not accepting the server certificate. It could be an expired CA certificate, or it could be that the server certificate had been reissued using a new CA certificate. Or something in the crossing of CA and server certificates.

This error has nothing to do with the kernel; that sounds more like a coincidence.
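
A check for the situation in this thread, where re-importing the profile cleared the certificate verification failure: compare the CA certificates embedded in the imported copy of a profile with those in the .ovpn file on disk. This is an added example, not code from the thread or from the openvpn3-linux project; the profile texts and certificate bytes are constructed placeholders, and how the imported copy is obtained (for example with openvpn3 config-dump) is an assumption.

```python
import base64
import hashlib
import re

INLINE_CA = re.compile(r"<ca>(.*?)</ca>", re.S)
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def ca_fingerprints(profile_text):
    """SHA-256 fingerprints of every certificate inside inline <ca> blocks."""
    prints = set()
    for block in INLINE_CA.findall(profile_text):
        for body in PEM_CERT.findall(block):
            der = base64.b64decode("".join(body.split()))
            prints.add(hashlib.sha256(der).hexdigest())
    return prints


def compare_profiles(imported_text, on_disk_text):
    """Report whether the imported copy trusts the same CAs as the file."""
    old = ca_fingerprints(imported_text)
    new = ca_fingerprints(on_disk_text)
    if not old or not new:
        status = "no-inline-ca"   # CA referenced by path: nothing to compare
    elif old == new:
        status = "match"
    else:
        status = "differs"        # stale import or reissued CA
    return {"status": status,
            "only_imported": sorted(old - new),
            "only_on_disk": sorted(new - old)}


def fake_pem(raw):
    """Wrap placeholder bytes in PEM armour (constructed, not a real cert)."""
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample profiles: the imported copy still carries the old CA.
HEADER = "client\nremote vpn.example.net 1194\n"
IMPORTED = HEADER + "<ca>\n" + fake_pem(b"constructed old CA") + "</ca>\n"
ON_DISK = HEADER + "<ca>\n" + fake_pem(b"constructed new CA") + "</ca>\n"
BY_PATH = HEADER + "ca /etc/openvpn/ca.crt\n"

if __name__ == "__main__":
    print(compare_profiles(IMPORTED, ON_DISK))
```

A "differs" result means the imported copy no longer trusts the CA set in the file on disk, which re-importing the profile corrects; "match" points to the other causes named above, such as an expired certificate.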