Page 2 of 4 (results 11 to 20 of 32)
  1. #11
    Newbie
    Join Date
    Jun 2020
    Posts
    1

    Default

    I can ping my resources (printer/NAS) but I cannot access any of them since the update. I am going to attempt to recreate the VPN and see if that helps. I can connect to the network from the VPN, just none of the internal items needed.
    15.0 worked; 15.1 VPN is now a problem.

  2. #12
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,284

    Default

    Quote Originally Posted by sky-knight View Post
    *I* am saying that, and it WAS mentioned in the change-log... ages ago.

    If you're on MD5 certificates NOW, honestly... you kind of deserve it. Those things are a security nightmare TWO YEARS past reasonable mitigation.

    You can't blame Untangle for that, because there's no reasonable way for them to know about this stuff until someone runs into it. Heck, how would they test that? Drag out an install from 10.0 and upgrade it all the way?
    MD5 certificates being deprecated is well known. MD5 installs becoming broken without warning was not. Untangle well knows there are MD5 certs out there, since their software created them until just 4-5 years ago, and testing for them is one line of script.

    This was my last site with MD5; I had several which I transitioned over the past couple of years. This one seemed like the biggest headache because almost all of their users are road-warriors; most of the employees don't even live in the same time zone as the main office. It was supposed to happen earlier this year, but then COVID happened and messing with people's remote access didn't seem like a hot idea.
    For this site today, I was just about to implement a plan to restore a 15.0 backup onto a VM and set up a parallel system to temporarily support the old VPN connections, as I detailed in another thread a few months back, which worked very well at two other sites. However, I went and ran the connection report and found that only 3 users actually regularly connect to the VPN; the other dozen or so hadn't connected in months (I've set up more things to work over HTTPS in the past few years, so the VPN has actually become optional for many). The client agreed that setting up the temporary VPN support wasn't worth the trouble; the 3 users can install new VPN clients today, and the rest can get a new VPN when they need it. So I blew out the old OpenVPN config and went 100% new; the users are now using the Connect v3 client.

  3. #13
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,284

    Default

    Quote Originally Posted by sky-knight View Post
    Can we also please confirm that default settings on v15.1 also eliminate the compress verb? Because I'd hate to recommend a nuke and pave only to set installs up for yet another one.
    The compress verb is still there on both the client and server side (this is after removing and re-installing OpenVPN), but no compression option is pushed.

    I agree though, things being as they are, the compress verb should be dropped from the default settings.

  4. #14
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,958

    Default

    Yeah, why Untangle didn't make an admin alert that bugged you every time you logged into the UI that MD5 was present a year ago is a bit... odd. Because you're right, it's a trivial test.

    But, a year ago if you "fixed" MD5, you still kept compression... which puts this ugly mess right back into your face again for a different problem, because that feature is also being phased out by OpenVPN.

    So hopefully you don't have any compression directives in your current configuration, or you'll be right back here in a year doing this again for yet another known issue.

    Managing all this is the Achilles' heel of using OpenVPN... all those configurations static and unchangeable on all those endpoints.

    We can't get a WireGuard module fast enough... but that's only possible for Windows 10 2004 clients, and 2004 has its own issues right now. So it's no panacea, at least... not yet.

    And for the record, I warned my customers to check their certificates before the upgrade because I knew the version of OpenVPN in Debian 10 would puke on MD5. So the information was out there, it was on these forums too. But up until a few moments ago, it wasn't in the change log... and yes that was a bit of an oops.

    *Edit* I HIGHLY recommend you exclude the compress verbs and push clients without that directive at all for future proofing. This is based on OpenVPN's development post VORACLE.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #15
    Untangle Ninja
    Join Date
    May 2008
    Posts
    1,231

    Default

    OK, I remember doing the MD5 fix. I can't remember doing the compression fix. Is there a thread about the compression fix?

  6. #16
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,958

    Default

    Quote Originally Posted by donhwyo View Post
    OK, I remember doing the MD5 fix. I can't remember doing the compression fix. Is there a thread about the compression fix?
    Several, but you probably want this one: https://forums.untangle.com/openvpn/...directive.html
    donhwyo likes this.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #17
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,284

    Default

    Quote Originally Posted by hpaunet View Post
    Just in case there might be any other users still using MD5 certificates, we have added a note in the changelog.
    Yes, that changelog note is what I would've been looking for.

  8. #18
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,284

    Default

    Quote Originally Posted by sky-knight View Post
    But, a year ago if you "fixed" MD5, you still kept compression... which puts this ugly mess right back into your face again for a different problem, because that feature is also being phased out by OpenVPN.

    So hopefully you don't have any compression directives in your current configuration, or you'll be right back here in a year doing this again for yet another known issue.
    Many of my configurations have already been updated to put the compress verb in the client config, and then push compression from the server. So I can easily change the push to leave compression off. I would expect them to deprecate the compress verb for a long time before they make it non-functional; right now the Connect v3 client accepts the compress verb just fine, even with compression itself disabled in the client settings. So I think at least in that regard the client configs will be ok for a good long while (and it might be reasonable to imagine the 2.x client series will support it for longer too).

    This is not a defense of leaving the Compress verb in on NEW configurations, I think Untangle should change the default verb set, just an observation that those who modified their settings as you and I discussed a year or so ago should be good with only server-side changes.

  9. #19
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,958

    Default

    Yeah, it's enough of a limp along to get us to WireGuard.

    But it does seem the configuration Untangle has presented isn't as bad as I thought:

    https://community.openvpn.net/openvp...recatedOptions

    Providing just --compress without an algorithm is the equivalent of --comp-lzo no which disables compression but enables the packet framing for compression.
    --compress isn't currently deprecated, only --comp-lzo is.

    Which affords the admin the ability to push a compression directive after the fact, which, intelligently used, can enable SHA clients to use compression if configured to do so. Still seems... odd... The admin needs to be made aware of this mess to manage it. There's no magic way out of this situation. So we have this hard thing in our easy Untangle.
    Last edited by sky-knight; 06-12-2020 at 04:06 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  10. #20
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,284

    Default

    Quote Originally Posted by gbroughman View Post
    I can ping my resources (printer/NAS) but I cannot access any of them since the update. I am going to attempt to recreate the VPN and see if that helps. I can connect to the network from the VPN, just none of the internal items needed.
    15.0 worked; 15.1 VPN is now a problem.
    That kind of symptom is always a compression mismatch between client and server. Pings and port scans work, but no real protocol traffic will go through. If you had the MD5 issue, you wouldn't be able to complete the connection at all; it puts a repeating error in red in the client-side log, something about UDP and WSACONNECT.
    Jim.Alles likes this.
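As an added illustration of the two points above (post #19's note that a bare compress verb is framing only, and post #20's diagnosis that a client/server compression mismatch passes pings but no real traffic), here is a small Python audit that is not from the thread or from Untangle: it parses constructed server and client configs and reports whether their effective compression states still agree after the server's push. The sample configs, and the names parse_config, compression_state and audit, are assumptions made for this example.

```python
import re

COMP = ("compress", "comp-lzo")
PUSH_RE = re.compile(r'^push\s+"?([^"]+?)"?$')

# Constructed sample configs, not Untangle's generated files.
SERVER_DEFAULT = """port 1194
compress
push "route 192.168.1.0 255.255.255.0"
"""
CLIENT_LEGACY = """client
remote vpn.example.com 1194
"""
CLIENT_CURRENT = CLIENT_LEGACY + "compress\n"

def parse_config(text):
    """Split an OpenVPN config into local and pushed {directive: args}."""
    local, pushed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = PUSH_RE.match(line)
        parts = (m.group(1) if m else line).split()
        (pushed if m else local)[parts[0]] = parts[1:]
    return local, pushed

def compression_state(opts):
    """State per the OpenVPN note quoted in the thread: bare 'compress' or
    'comp-lzo no' is framing only; an algorithm means real compression."""
    if "compress" in opts:
        return "compress:" + opts["compress"][0] if opts["compress"] else "framing-only"
    if "comp-lzo" in opts:
        return "framing-only" if opts["comp-lzo"] == ["no"] else "compress:lzo"
    return "none"

def audit(server_cfg, client_cfg):
    """Compare the server's state with the client's state after the push."""
    s_local, s_pushed = parse_config(server_cfg)
    c_local, _ = parse_config(client_cfg)
    # A pushed compression verb replaces whatever the client carries locally.
    pushed = {k: v for k, v in s_pushed.items() if k in COMP}
    client_state = compression_state(pushed or c_local)
    server_state = compression_state(s_local)
    findings = []
    if server_state != client_state:  # the ping-works-but-nothing-else symptom
        findings.append(f"mismatch: server={server_state} client={client_state}")
    if any("comp-lzo" in d for d in (s_local, s_pushed, c_local)):
        findings.append("deprecated: comp-lzo in use")
    return findings
```

Running audit(SERVER_DEFAULT, CLIENT_LEGACY) flags a framing-only server against a client with no compress verb, while the same server against CLIENT_CURRENT reports nothing.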
