OpenVPN crashes when <auth-gen-token/> is not empty

Open stuart-edge opened this issue 1 year ago • 4 comments

Version: 24.7_9

If I configure anything in VPN --> OpenVPN --> Instances --> Instance --> Auth Token Lifetime, the OpenVPN service will not start or restart. If I remove the value (blank), the OpenVPN service will start. Also fails with the value set to 0. The value looks OK in the backup file. 36000

OpenVPN will not start with this config: <keepalive_interval/> <keepalive_timeout/> 0 60 <redirect_gateway/> <route_metric/>

OpenVPN will run with this config: <keepalive_interval/> <keepalive_timeout/> 0 <redirect_gateway/> <route_metric/>

opnsense: Version 24.7_9 | Architecture amd64 | Commit 0d38c7804 | Mirror https://pkg.opnsense.org/FreeBSD:14:amd64/24.7 | Repositories OPNsense | Updated on Tue Jul 30 13:51:49 AEST 2024

stuart-edge, Jul 30 '24 22:07

Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

The easiest option to gain traction is to close this ticket and open a new one using one of our templates.

OPNsense-bot, Jul 30 '24 23:07

Same thing I posted here and got no response https://www.reddit.com/r/opnsense/comments/1efq0cg/openvpn_crashes_when_authgentoken_is_not_empty/

This might clash with another setting that the OpenVPN daemon complains about and refuses to start. Can you check your log?

fichtner, Jul 31 '24 05:07

I think this is the error. I gave up on OpenVPN and started using WireGuard.

/usr/local/opnsense/scripts/openvpn/ovpn_service_control.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/instance-226a3474-1caa-4f0a-9cf1-e0cb671bb1d3.conf'' returned exit code '1', the output was ''

stuart-edge, Aug 02 '24 02:08

I think we know the service didn't start. The question is what OpenVPN service itself logged when it decided not to start ;)

fichtner, Aug 02 '24 08:08

I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md. I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

I guess, the problem is probably the same as described before:

Environment

OPNsense 24.7.4_1-amd64 FreeBSD 14.1-RELEASE-p4 OpenSSL 3.0.15

Describe the bug

If you set renegotiation time to 0, the OpenVPN instance will crash silently.

To Reproduce

VPN -> OpenVPN -> Instances -> Add / Edit

Save and Apply

Shell

I tried to get more information on the shell: instance stopped

The gui produces this config: image

execute this image

will produce image

Logs

2024-09-20T11:11:29 Error openvpn /usr/local/opnsense/scripts/openvpn/ovpn_service_control.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/instance-d785bb53-fb3c-4204-886a-14c086a5a6af.conf'' returned exit code '1', the output was ''
2024-09-20T11:11:29 Warning openvpn_server2 Use --help for more information.
2024-09-20T11:11:29 Error openvpn_server2 Options error: --auth-gen-token needs a non-infinite --renegotiate_seconds setting

Screenshots

[Screenshot: 2024-09-20 15_37_39-Instances_OpenVPN_VPN]

Perhaps you can remove those hints until this is fixed.

hsiewert, Sep 20 '24 14:09

Thanks for the details. Looks like we miss a validation. I’m passing this to @AdSchellevis to fix.

Cheers, Franco

fichtner, Sep 20 '24 14:09
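
A pre-flight check for the condition shown in the logged options error above, as an added example (not OPNsense's or OpenVPN's own code): it parses a generated instance config and reports when auth-gen-token is combined with reneg-sec 0. The function names and sample configs are constructed for illustration; 3600 is OpenVPN's documented default for reneg-sec.

```python
import shlex

DEFAULT_RENEG_SEC = 3600  # OpenVPN default when reneg-sec is absent


def parse_directives(conf_text):
    """Return {directive: [args]}; the last occurrence of a directive wins."""
    directives, in_block = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("</"):        # end of inline <ca>/<cert>/<key> block
            in_block = False
        elif line.startswith("<"):       # start of inline block, skip its body
            in_block = True
        elif in_block or not line or line[0] in "#;":
            continue
        else:
            tokens = shlex.split(line, comments=True)
            if tokens:
                directives[tokens[0].lstrip("-")] = tokens[1:]
    return directives


def check_auth_gen_token(conf_text):
    """Return a list of problems that would keep the instance from starting."""
    d = parse_directives(conf_text)
    if "auth-gen-token" not in d:
        return []
    reneg = d.get("reneg-sec")
    try:
        reneg_max = int(reneg[0]) if reneg else DEFAULT_RENEG_SEC
    except ValueError:
        return ["reneg-sec value %r is not an integer" % reneg[0]]
    if reneg_max == 0:
        # The token lifetime is irrelevant here: any auth-gen-token triggers it.
        return ["auth-gen-token is set but reneg-sec is 0 (renegotiation "
                "disabled); OpenVPN rejects this with an options error"]
    return []


# Constructed sample configs (not the instance files from the issue).
BAD_CONF = "dev ovpns2\nkeepalive 10 60\nreneg-sec 0\nauth-gen-token 36000\n"
GOOD_CONF = BAD_CONF.replace("reneg-sec 0", "reneg-sec 3600")

if __name__ == "__main__":
    for name, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(name, check_auth_gen_token(conf) or "ok")
```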