  • Notice for long time OpenVPN users

    Many third party OpenVPN client applications are updating and no longer accept the lower-level encrypted certificates which were generated on version 12 or earlier of Untangle. Even if you upgraded your Untangle to the latest version, the OpenVPN certificate is still the same, as we do not generate a new certificate on upgrade so that OpenVPN connections won't break. Thus some OpenVPN connections will fail due to third party VPN client restrictions.

    The solution is to generate a new OpenVPN certificate and redistribute the OpenVPN config files to each OpenVPN user.
    Steps:
    - Export the server remote clients, groups, and networks from /admin/index.do#service/openvpn/server
    - Remove OpenVPN app from Untangle by clicking the remove button at the bottom of /admin/index.do#service/openvpn/status
    - Install OpenVPN again.
    - Import all the previous exports for server remote clients, groups, and networks
    - Send the new client config files to your OpenVPN clients.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email [email protected]

  • #2
    I had a server upgrade to 14.0.1 early last week, which resulted in existing VPN clients working but new clients generating failed installations; I think because the installer version of OpenVPN wasn't aligned with the generated certificates. In practice new clients would install, but could never connect due to a TLS handshake error.

    The same process you mentioned here fixed it, just reinitialize everything and redistribute the VPN clients.
    Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: [email protected]

    • #3
      Originally posted by sky-knight:
      TLS handshake error.
      Yes, if you see something like that, and something about 'failed to verify' the certificate, that is almost certainly the issue.
      Lots of newer clients, and newer versions of the existing clients, are more demanding about what will and will not be accepted.
      Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
      If you need Untangle support please call or email [email protected]

      • #4
        Originally posted by sky-knight:
        I had a server upgrade to 14.0.1 early last week, which resulted in existing VPN clients working but new clients generating failed installations; I think because the installer version of OpenVPN wasn't aligned with the generated certificates. In practice new clients would install, but could never connect due to a TLS handshake error.

        The same process you mentioned here fixed it, just reinitialize everything and redistribute the VPN clients.
        Wait, do you mean that on an existing v14 server, where the OpenVPN configuration has been around for a while (i.e. all of mine), I can't install any new clients without ripping and replacing the whole thing?

        • #5
          Originally posted by johnsonx42:
          Wait, do you mean that on an existing v14 server, where the OpenVPN configuration has been around for a while (i.e. all of mine), I can't install any new clients without ripping and replacing the whole thing?
          No, not entirely. It all depends on the client software installed on the remote PC. If the PC software has updated, it might not accept the generated cert. The Windows installer on the UT will work on existing Windows, but if you install the latest OpenVPN client on any OS, it will want higher encryption than was offered by v12 or earlier OpenVPN server certificate generation.

          Again, this issue is due to client application updates, not Untangle upgrades.
          Last edited by jcoffin; 12-05-2018, 06:04 PM.
          Attention: Support and help on the Untangle Forums is provided by
          volunteers and community members like yourself.
          If you need Untangle support please call or email [email protected]

          • #6
            Originally posted by johnsonx42:
            Wait, do you mean that on an existing v14 server, where the OpenVPN configuration has been around for a while (i.e. all of mine), I can't install any new clients without ripping and replacing the whole thing?
            In my case the version of OpenVPN shipped by Untangle could no longer use the certificates it was generating. So I either nuked the module and reinitialized it, OR I was going to have to try to guess what old version of OpenVPN to install over the top of what Untangle provided for my new client.

            So what I'm seeing is Untangle v14 will ship broken stuff if you've got old stuff around, because it's packing the newer client with old certificates. The already issued stuff was fine; this issue was limited to a new client I tried to create.

            This change has been in the wild for a year, we've had plenty of time to migrate, I didn't get all mine done and now I'm paying the price in support. That's on me, I'm hardly critical of Untangle for this.
            Last edited by sky-knight; 12-05-2018, 06:19 PM.
            Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
            NexgenAppliances.com
            Phone: 866-794-8879 x201
            Email: [email protected]

            • #7
              Originally posted by sky-knight:
              In my case the version of OpenVPN shipped by Untangle could no longer use the certificates it was generating. So I either nuked the module and reinitialized it, OR I was going to have to try to guess what old version of OpenVPN to install over the top of what Untangle provided for my new client.
              Just to be clear, the Windows installer created by Untangle's OpenVPN app (v2.4.3) still accepts 2048-bit and MD5 certs.

              If you are using your own OpenVPN client with the config file produced by Untangle's OpenVPN app, what it accepts entirely depends on what client you are using. Some have minimum requirements on certs, and some actually won't accept certain deprecated arguments (though those are mostly non-official clients in my experience).
              Last edited by dmorris; 12-05-2018, 11:09 PM.
              Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
              If you need Untangle support please call or email [email protected]

              • #8
                sky's experience seems to contradict dmorris's explanation.

                • #9
                  I dunno... there seem to be several threads here indicating a 14.1 upgrade breaks existing site-to-site connections (involving only Untangle, nothing 3rd party). I'm logging in to my sites that depend on site-to-site and disabling upgrades until this picture becomes clear... I can't have the sites suddenly go down.

                  (Followup: at one site the client side had already upgraded to 14.1 and all was well; however that site is pretty new, the OpenVPN config was created with 13.x, so it may not be affected. At another site, which is older and probably goes back to 11.x, the server was about to upgrade and I stopped it, and the client side as well. Neither of the sites will be a big problem to re-generate the OpenVPN config on both ends if I have to, I just don't want the 6am panic call "everything is down, no one can work!")
                  Last edited by johnsonx42; 12-06-2018, 01:25 PM.

                  • #10
                    I do updates by clean install and importing the backup. I am guessing that brings along the old certs. Does it?

                    • #11
                      Originally posted by donhwyo:
                      I do updates by clean install and importing the backup. I am guessing that brings along the old certs. Does it?
                      Yes, the certificate for the server is in the backup (it has to be otherwise the clients would refuse to connect to restored servers!)

                      We switched from MD5 to SHA many years ago so unless your backup is really old you won't have an issue.

                      People with MD5 are just noticing because many clients are officially dropping MD5 support. This includes the official OpenVPN client for Windows (2.4.6) that you would download directly from them, as well as some others like Tunnelblick.

                      You can check your cert with:
                      sudo openssl x509 -text -noout -in /usr/share/untangle/settings/openvpn/server.crt | grep "Signature Algo"
                      Last edited by dmorris; 12-06-2018, 03:02 PM.
                      Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
                      If you need Untangle support please call or email [email protected]
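As an added example (not from this thread, and not Untangle's or OpenVPN's own code), a stdlib-only Python parser that does what the openssl one-liner above does: it reads the outer Certificate SEQUENCE of a PEM file such as server.crt, decodes the signatureAlgorithm OID and maps it to the name openssl prints, so a weak (md5/sha1) signature can be flagged before clients start refusing it. The certificates it builds for itself are constructed stand-ins with a placeholder body, not real certificates.

```python
import base64
import re

SIG_ALGS = {  # OID -> the name openssl prints after "Signature Algorithm:"
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}  # refused by current clients

def _tlv(data, pos):  # one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(pem):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    tag, cert, _ = _tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _tbs, pos = _tlv(cert, 0)      # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _tlv(alg_id, 0)       # its first element is the OID
    dotted = _decode_oid(oid)
    return SIG_ALGS.get(dotted, dotted)  # unknown OIDs come back dotted

# Constructed stand-ins (not real certs): right outer ASN.1 shape, placeholder tbs, zero signature.
MD5_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def _der(tag, value):  # short-form lengths only; enough for these stand-ins
    return bytes([tag, len(value)]) + value

def constructed_cert_pem(oid_bytes):
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg_id = _der(0x30, _der(0x06, oid_bytes) + b"\x05\x00")  # NULL parameters
    sig = _der(0x03, b"\x00" * 65)  # BIT STRING: 0 unused bits + 64 zero bytes
    b64 = base64.b64encode(_der(0x30, tbs + alg_id + sig)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

On a real server.crt, `signature_algorithm(open(path).read()) in WEAK` gives the same verdict as grepping the openssl output for md5WithRSAEncryption.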

                      • #12
                        Thanks, they have probably been dragged forward from 10.

                        Comment


                        • #13
                          Originally posted by donhwyo:
                          Thanks, they have probably been dragged forward from 10.


                          In that case you probably want to regen the cert before too long. Our client (2.4.3) still accepts it, but if you use others they're getting more stringent. Also eventually we'll want to update the one included in Untangle and when we do that even it won't accept MD5 certs.
                          Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
                          If you need Untangle support please call or email [email protected]

                          • #14
                            Done. Thanks

                            • #15
                              Originally posted by dmorris:
                              You can check your cert with:
                              sudo openssl x509 -text -noout -in /usr/share/untangle/settings/openvpn/server.crt | grep "Signature Algo"
                              At the site I'm at now I get "md5WithRSAEncryption"

                              So this one is going to be a problem, yes?
