  1. #1
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,928

    Notice for long time OpenVPN users

    Many third-party OpenVPN client applications are updating and no longer accept lower level encrypted certificates, which were generated on version 12 or earlier of Untangle. Even if you upgraded your Untangle to the latest version, the OpenVPN certificate is still the same, as we do not generate a new certificate on upgrade so OpenVPN connections won't break. Thus some OpenVPN connections will fail due to third-party VPN client restrictions.

    The solution is to generate a new OpenVPN certificate and redistribute the OpenVPN config files for each OpenVPN user.
    Steps:
    - Export the server remote clients, groups, and networks from /admin/index.do#service/openvpn/server
    - Remove OpenVPN app from Untangle by clicking the remove button at the bottom of /admin/index.do#service/openvpn/status
    - Install OpenVPN again.
    - Import all the previous exports for server remote clients, groups, and networks
    - Send the new client config files to your OpenVPN clients.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,437


    I had a server where the upgrade to 14.0.1 early last week resulted in working existing VPN clients, but new clients would generate failed installations, I think because the installer version of OpenVPN wasn't aligned with the generated certificates. In practice new clients would install, but could never connect due to a TLS handshake error.

    The same process you mentioned here fixed it, just reinitialize everything and redistribute the VPN clients.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,740


    Quote: Originally Posted by sky-knight
    TLS handshake error.
    Yes, if you see something like that and something about 'failed to verify' the certificate, that is almost certainly the issue.
    Lots of newer clients, and newer versions of the existing clients, are more demanding about what will and will not be accepted.

  4. #4
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,161


    Quote: Originally Posted by sky-knight
    I had a server where the upgrade to 14.0.1 early last week resulted in working existing VPN clients, but new clients would generate failed installations, I think because the installer version of OpenVPN wasn't aligned with the generated certificates. In practice new clients would install, but could never connect due to a TLS handshake error.

    The same process you mentioned here fixed it, just reinitialize everything and redistribute the VPN clients.
    Wait, do you mean that on an existing v14 server, where the OpenVPN configuration has been around for a while (i.e. all of mine), I can't install any new clients without ripping and replacing the whole thing?

  5. #5
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,928


    Quote: Originally Posted by johnsonx42
    Wait, do you mean that on an existing v14 server, where the OpenVPN configuration has been around for a while (i.e. all of mine), I can't install any new clients without ripping and replacing the whole thing?
    No, not entirely. It all depends on the client software installed on the remote PC. If the PC software has updated, it might not accept the generated cert. The Windows installer on the UT will work on existing Windows but if you install the latest OpenVPN client on any OS, it will want a higher encryption than was offered on v12 or earlier OpenVPN server certificate generation.

    Again, this issue is due to client application updates, not Untangle upgrades.
    Last edited by jcoffin; 12-05-2018 at 07:04 PM.

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,437


    Quote: Originally Posted by johnsonx42
    Wait, do you mean that on an existing v14 server, where the OpenVPN configuration has been around for a while (i.e. all of mine), I can't install any new clients without ripping and replacing the whole thing?
    In my case the version of OpenVPN shipped by Untangle could no longer use the certificates it was generating. So I either nuked the module and reinitialized it, OR I was going to have to try to guess what old version of OpenVPN to install over the top of what Untangle provided for my new client.

    So what I'm seeing is Untangle v14 will ship broken stuff, if you've got old around because it's packing the newer client with old certificates. The already issued stuff was fine, this issue was limited to a new client I tried to create.

    This change has been in the wild for a year, we've had plenty of time to migrate, I didn't get all mine done and now I'm paying the price in support. That's on me, I'm hardly critical of Untangle for this.
    Last edited by sky-knight; 12-05-2018 at 07:19 PM.

  7. #7
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,740


    Quote: Originally Posted by sky-knight
    In my case the version of OpenVPN shipped by Untangle could no longer use the certificates it was generating. So I either nuked the module and reinitialized it, OR I was going to have to try to guess what old version of OpenVPN to install over the top of what Untangle provided for my new client.
    Just to be clear, the Windows installer created by Untangle's OpenVPN app (v2.4.3) still accepts 2048-bit and MD5 certs.

    If you are using your own OpenVPN client with the config file produced by Untangle's OpenVPN app, what it accepts entirely depends on what client you are using. Some have minimum requirements on certs, and some actually won't accept certain deprecated arguments (though those are mostly non-official clients in my experience).
    Last edited by dmorris; 12-06-2018 at 12:09 AM.
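
To see whether a certificate is one of the older ones this thread is about before reinstalling the app, the added example below (not from any poster or from Untangle) parses the text printed by `openssl x509 -noout -text -in <cert>` and flags MD5 signatures. Flagging SHA-1 as well and the 2048-bit minimum are assumptions, and the sample dumps are constructed.

```python
import re

# Assumptions (not from the thread): SHA-1 is flagged alongside the MD5 the
# thread mentions, and 2048 bits is used as the minimum RSA key size.
WEAK_DIGESTS = {"md5", "sha1"}
MIN_RSA_BITS = 2048

def audit_cert_dump(dump, min_bits=MIN_RSA_BITS):
    """Audit `openssl x509 -noout -text` output for one or more certificates."""
    results = []
    # Each certificate's dump starts with a line holding only "Certificate:".
    for block in re.split(r"(?m)^Certificate:[ \t]*$", dump):
        if "Signature Algorithm" not in block:
            continue
        subject = re.search(r"Subject:\s*(.+)", block)
        sig = re.search(r"Signature Algorithm:\s*(\S+)", block).group(1)
        digest = re.search(r"md5|sha\d+", sig.lower())
        bits = re.search(r"Public-Key:\s*\((\d+) bit\)", block)
        problems = []
        if digest and digest.group(0) in WEAK_DIGESTS:
            problems.append("weak signature digest: " + sig)
        if bits and int(bits.group(1)) < min_bits:
            problems.append("key too small: %s bits" % bits.group(1))
        results.append({
            "subject": subject.group(1).strip() if subject else "?",
            "signature": sig,
            "key_bits": int(bits.group(1)) if bits else None,
            "problems": problems,
        })
    return results

# Constructed sample dumps, trimmed to the fields the parser reads.
SAMPLE = """\
Certificate:
    Data:
        Signature Algorithm: md5WithRSAEncryption
        Subject: CN = old-server.example
            Public-Key: (2048 bit)
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject: CN = new-server.example
            RSA Public-Key: (2048 bit)
"""

if __name__ == "__main__":
    for r in audit_cert_dump(SAMPLE):
        print(r["subject"], r["signature"], r["key_bits"], r["problems"] or "ok")
```
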

  8. #8
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,161


    sky's experience seems to contradict dmorris's explanation.

  9. #9
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,161


    I dunno... there seem to be several threads here indicating a 14.1 upgrade breaks existing site-to-site connections (involving only Untangle, nothing 3rd party). I'm logging in to my sites that depend on site-to-site and disabling upgrades until this picture becomes clear... I can't have the sites suddenly go down.

    (Followup: at one site the client side had already upgraded to 14.1 and all was well; however, that site is pretty new, and the OpenVPN config was created with 13.x, so it may not be affected. At another site, which is older and probably goes back to 11.x, the server was about to upgrade and I stopped it and the client side as well. Neither of the sites will be a big problem to re-generate the OpenVPN config on both ends if I have to, I just don't want the 6am panic call "everything is down, no one can work!")
    Last edited by johnsonx42; 12-06-2018 at 02:25 PM.

  10. #10
    Master Untangler
    Join Date
    May 2008
    Posts
    943


    I do updates by clean install and importing the backup. I am guessing that brings along the old certs. Does it?
