  1. #1 Untanglit (Join Date: Dec 2011, Posts: 29)

    OpenVPN Site to Site

    I'll start by saying, maybe I've been doing this wrong all along... but....

    I have multiple sites linked back to a main site via OpenVPN. Most connections are Site-to-Site Untangle OpenVPN connections, though one was an OpenVPN Client for Windows running as a service. (Of the Untangle sites, two sites are running paid versions of Untangle, 3 sites are not). It's a hub and spoke type of configuration where the Hub is a paid version of Untangle. Most sites run Untangle 15, but one is on 11 (which I've been running upgrades on all weekend and is now up to 13.1.1 and running another upgrade...)

    Up until this weekend, when I upgraded the hub to 15.1, all sites had connectivity and were really working pretty flawlessly. I had created the site package for each site and enabled the server on each untangle install thereby allowing the Hub to communicate with all sites, the sites to communicate to the hub, and all sites to reach each other through the hub. For my purposes, this was fine.

    After the 15.1 upgrade, all but one VPN connection stopped working completely. One that continued is only partly working - it can ping the hub but the hub can't ping it.

    I did see something that suggested it was an MD5 issue, I think, and one recommendation that I remove the OpenVPN component and re-add it. I tried that on one system but it doesn't seem to have done anything...

    In one case, I completely wiped and reloaded a free install and was able to fully restore the VPN connection... but I'm really hoping there's a way to do this without COMPLETELY re-installing each site. If absolutely necessary, I could do that, but that's going to involve some degree of travel I'm trying to avoid. I'm fairly sure my Hub is ok since I was able to reload the one spoke and restore service.

    I'm open to ideas as I need to get these links working again...

  2. #2 Jim.Alles, Untangle Ninja (Join Date: Jul 2008, Location: Central PA, Posts: 2,174)

    ooof.

    Quote Originally Posted by Multiverse:
        I did see something that suggested it was an MD5 issue, I think, and one recommendation that I remove the OpenVPN component and re-add it. I tried that on one system but it doesn't seem to have done anything...
        ...I'm fairly sure my Hub is ok since I was able to reload the one spoke and restore service.

    With a quick read-through of the O.P., I would start by removing OpenVPN from the hub, re-installing it, and re-generating the client files / certificates, then get them to the remote sites. As a part of that (and the first step if you choose to), consider some threads here about excluding the compression option on the Server side of the Advanced tab.

  3. #3 Newbie (Join Date: Jul 2018, Posts: 3)

    Quote Originally Posted by Multiverse:
        I did see something that suggested it was an MD5 issue, I think, and one recommendation that I remove the OpenVPN component and re-add it. I tried that on one system but it doesn't seem to have done anything...

    Jim.Alles' post above this is the correct process. Do this on all your NGFWs; especially those already upgraded to v15.1.

  4. #4 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 24,660)

    The only OpenVPN instance that matters when it comes to certificate problems (MD5 issue), are platforms operating as a server.

    If you have a hub and spoke model, that means the one in the middle. Everyone else has client configurations from that one in the middle. That's the one that needs its OpenVPN module nuked, new clients configured manually, and then distributed to the other Untangle servers. The configurations from a v15.1 install should work on older versions too.

    The problem is v15.1's OpenVPN software is of a version that flat will not work with MD5 anymore. So if you didn't manage the MD5 problem when it was announced (two years ago now), the ticking time bomb has exploded.

    So you don't need to reinstall every site, all you need to do is get into remote administration on each unit and rebuild all the tunnels. If you don't have remote admin, then yeah... I guess you're driving. Though, in an effort to save you some of that, Windows 10 has Quick Assist built in, you can use it with some assistance of a user at one of the sites to get control of that machine remotely, and perhaps from there get into the local admin of the Untangle in question.

    This stuff is why I maintain a static IP address, HTTPS admin from my static address is always enabled. Command Center helps too, but only for boxes with subscriptions.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
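The thread's diagnosis is that certificates signed with MD5 stop working once the server side runs a newer OpenVPN/OpenSSL, so a useful check before (and after) rebuilding tunnels is to confirm which digest each server, CA and client certificate was actually signed with. The script below is an added example, not code from this thread or from Untangle. It reads only the outer DER structure of an X.509 certificate (`Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }`) and reports the signature algorithm, flagging MD5 as rejected and, as a stricter choice made here, SHA-1 as deprecated. The file path `client.crt` in the usage line is a placeholder; the sample certificates built by `build_sample_cert` are constructed stand-ins with a dummy body, valid only for exercising the parser.

```python
"""Report the signature algorithm of an X.509 certificate and flag MD5/SHA-1.

Added example (not from the thread or from Untangle). It walks only the outer
DER structure of a certificate, so it needs no third-party library.
"""
import base64
import re
import sys

# Dotted OID -> name for common X.509 signature algorithms.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.3.101.112": "Ed25519",
}

# Digests to flag: MD5 is what the thread says newer OpenVPN/OpenSSL refuse;
# flagging SHA-1 as deprecated is an extra, stricter choice made in this example.
WEAK_DIGESTS = {"md5": "rejected by current OpenVPN/OpenSSL", "sha1": "deprecated"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last octet of this arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def pem_to_der(text):
    """Strip the CERTIFICATE armour and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def signature_algorithm(der):
    """Return the dotted OID of the outer signatureAlgorithm field."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)             # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def check_certificate(der):
    """Return (algorithm name, problem); problem is None when the digest is acceptable."""
    oid = signature_algorithm(der)
    name = SIG_ALG_NAMES.get(oid, oid)
    for digest, problem in WEAK_DIGESTS.items():
        if digest in name.lower():
            return name, problem
    return name, None


# --- constructed test data: NOT real certificates, only the outer shape is right ---
def _tlv(tag, value):
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _encode_oid(dotted):
    arcs = [int(p) for p in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_cert(sig_oid, tbs_padding=0):
    """Constructed stand-in: dummy tbsCertificate, real AlgorithmIdentifier, dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"\x00" * tbs_padding))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 5)
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # Usage: python check_sigalg.py client.crt   (path is a placeholder)
    for path in sys.argv[1:]:
        with open(path) as fh:
            print(path, *check_certificate(pem_to_der(fh.read())))
```

Run it over every certificate embedded in the hub's server config and in each site's client package; any entry reported as `md5WithRSAEncryption` is one that will fail against a server running the newer OpenVPN, which matches the symptom in this thread and tells you that tunnel must be rebuilt with freshly issued certificates rather than just reconnected.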
