  1. #1
    Newbie
    Join Date
    Jul 2007
    Posts
    13

    15 and 12 OpenVPN Connection just stopped

    Yes, I realize I need to upgrade the 12 box, but now with so many people connected from home I can't. I've been using an Untangle 15 machine at home to create a home lab for myself, setting up new machines on the domain and stuff, and driving into work after hours to swap stuff out. Beautiful setup for me because I quite prefer my home office to my work one. Unfortunately something in the 15 machine at home updated and it won't connect to the 12 machine at work any longer.

    Tue Jul 21 20:39:09 2020 DEPRECATED OPTION: --max-routes option ignored.The number of routes is unlimited as of OpenVPN 2.4. This option will be removed in a future version, please remove it from your configuration.
    Tue Jul 21 20:39:09 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
    Tue Jul 21 20:39:09 2020 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
    Tue Jul 21 20:39:09 2020 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
    Tue Jul 21 20:39:09 2020 OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
    Tue Jul 21 20:39:09 2020 Cannot load certificate file keys/something-SomethingHomeExportedNetwork.crt
    Tue Jul 21 20:39:09 2020 Exiting due to fatal error


    Again, I realize the risk, but I can't upgrade the factory's 12 to 15 right now..... How can I get this connection back?

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,949


    You don't...

    Untangle v12's OpenVPN uses MD5 based certificates.
    Untangle v15.1's OpenVPN will no longer use these certificates.

    So you can reinstall and reconfigure the v15.1 installation to be v15.0, and leave it there... or you can do without OpenVPN.

    You might be able to force your way around by adding this to the client config: tls-cipher "DEFAULT:@SECLEVEL=0"
    Last edited by sky-knight; 07-21-2020 at 07:34 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,284


    Based on the log snippet, I think the tls-cipher directive will work. It's using the 2.4.7 OpenVPN client, which by default rejects MD5 certificates, but does accept the tls-cipher directive to allow an MD5 certificate to load. Add it to Advanced->Client and then regenerate the client config zip, then re-import it into the 15 box.
    Code:
    tls-cipher "DEFAULT:@SECLEVEL=0"
    But bear in mind that when you do upgrade the v12 box to v15.1 (which will be a many-step upgrade sequence), when you arrive at 15.1 the OpenVPN server will be completely non-functional due to the MD5 certificate. There is NO way to make a 15.1 server function with an MD5 certificate. At that time, you will have to delete OpenVPN and then install it again, which will generate a new SHA256 certificate.
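
A way to find, ahead of an upgrade, which certificate files carry the MD5 signature the posts above describe, as an added example that is not part of the original thread: it reads the signature-algorithm OID straight from the certificate's DER encoding. The sample bytes are a constructed skeleton, not a real certificate, and flagging SHA-1 as weak is this example's assumption.

```python
import base64
import re

# PKCS #1 signature OIDs -> (name, weak?). MD5 is what "ca md too weak" in the
# thread refers to; treating SHA-1 as weak too is this example's assumption.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def _tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def _oid(body):
    """Decode DER OID content bytes into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, sig }."""
    _, start, _ = _tlv(der, 0)             # outer Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, start)       # skip over tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)   # signatureAlgorithm SEQUENCE
    tag, o_start, o_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OID in signatureAlgorithm")
    oid = _oid(der[o_start:o_end])
    return SIG_ALGS.get(oid, (oid, None))  # None: algorithm not in the table

def audit_pem(text):
    """Return (name, weak) for the first certificate in a .crt/.pem file body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return signature_algorithm(base64.b64decode(m.group(1)))

# Constructed sample: DER skeleton holding only the fields the parser reads.
SAMPLE_MD5_DER = bytes.fromhex("3017" "3003020101" "300d06092a864886f70d0101040500" "030100")
```

Pass the text of each exported `.crt` file to `audit_pem()`; any file reported as weak will need a regenerated certificate.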

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,949


    Honestly, I'd just stay where you are... don't bother to upgrade.

    Just wait for v16.0, install both units fresh, ditch OpenVPN forever, and switch over to Wireguard.

    The latter can be automated via GPO or InTune, and simply doesn't have stupid client side configuration files.
    Last edited by sky-knight; 07-22-2020 at 07:54 AM.

  5. #5
    Newbie
    Join Date
    Jul 2007
    Posts
    13


    Thank you - I can't seem to find an ADVANCED tab with a Client option in OpenVPN? Can I add that directive to the conf file?

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,949


    Quote: Originally posted by Jakyll
    Thank you - I can't seem to find an ADVANCED tab with a Client option in OpenVPN? Can I add that directive to the conf file?
    It's the advanced tab under OpenVPN settings. There are two exposed configuration sections there, one for client and one for server.

    If you don't have it, just extract the .zip file and add the line to the .conf and .ovpn files in there, then zip it back up again.

  7. #7
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,284


    Quote: Originally posted by Jakyll
    Thank you - I can't seem to find an ADVANCED tab with a Client option in OpenVPN? Can I add that directive to the conf file?
    I guess I should have been more clear - on the v12 SERVER, under OpenVPN -> Settings, go to Advanced, scroll down to the Client half of the screen, and add the tls-cipher directive there. Then you click the Download Client button on the Server tab to get a new copy of the client config file. Then on the v15.x CLIENT, delete the existing connection from the Client tab, and upload the new connection you just downloaded from the server.

    Or, yes, you can do it by hand.
