
issue with vpn ssl connection

Hi,

I had SSL VPN set up and working on my UTM v9 9.715-3; yesterday, suddenly, I cannot VPN into the UTM anymore, and I did not even make any changes. Can anybody help me out? Thanks in advance.

Here is the SSL VPN log:

2023:04:19-21:27:20 utm openvpn[8282]: SIGTERM[hard,] received, process exiting
2023:04:19-21:27:20 utm openvpn[8282]: PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_DOWN status=0
2023:04:19-21:27:20 utm openvpn[8282]: Closing TUN/TAP interface
2023:04:19-21:27:20 utm openvpn[8282]: /bin/ip addr del dev tun0 10.242.2.1/24
2023:04:19-21:27:20 utm openvpn[10104]: OpenVPN 2.3.10 i686-suse-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 29 2017
2023:04:19-21:27:20 utm openvpn[10104]: library versions: OpenSSL 1.0.2j-fips  26 Sep 2016, LZO 2.09
2023:04:19-21:27:20 utm openvpn[10106]: MANAGEMENT: client_uid=0
2023:04:19-21:27:20 utm openvpn[10106]: MANAGEMENT: client_gid=0
2023:04:19-21:27:20 utm openvpn[10106]: MANAGEMENT: unix domain socket listening on /var/run/openvpn_mgmt
2023:04:19-21:27:20 utm openvpn[10106]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
2023:04:19-21:27:20 utm openvpn[10106]: PLUGIN_INIT: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so '[/usr/lib/openvpn/plugins/openvpn-plugin-utm.so]' intercepted=PLUGIN_UP|PLUGIN_DOWN|PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT 
2023:04:19-21:27:20 utm openvpn[10106]: Diffie-Hellman initialized with 2048 bit key
2023:04:19-21:27:20 utm openvpn[10106]: WARNING: experimental option --capath /etc/openvpn/ca.d
2023:04:19-21:27:20 utm openvpn[10106]: Socket Buffers: R=[87380->87380] S=[16384->16384]
2023:04:19-21:27:20 utm openvpn[10106]: TUN/TAP device tun0 opened
2023:04:19-21:27:20 utm openvpn[10106]: TUN/TAP TX queue length set to 100
2023:04:19-21:27:20 utm openvpn[10106]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
2023:04:19-21:27:20 utm openvpn[10106]: /bin/ip link set dev tun0 up mtu 1500
2023:04:19-21:27:20 utm openvpn[10106]: /bin/ip addr add dev tun0 10.242.2.1/24 broadcast 10.242.2.255
2023:04:19-21:27:20 utm openvpn[10106]: PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_UP status=0
2023:04:19-21:27:20 utm openvpn[10106]: Listening for incoming TCP connection on [undef]
2023:04:19-21:27:20 utm openvpn[10106]: TCPv4_SERVER link local (bound): [undef]
2023:04:19-21:27:20 utm openvpn[10106]: TCPv4_SERVER link remote: [undef]
2023:04:19-21:27:20 utm openvpn[10106]: MULTI: multi_init called, r=256 v=256
2023:04:19-21:27:20 utm openvpn[10106]: IFCONFIG POOL: base=10.242.2.2 size=252, ipv6=0
2023:04:19-21:27:20 utm openvpn[10106]: IFCONFIG POOL LIST
2023:04:19-21:27:20 utm openvpn[10106]: MULTI: TCP INIT maxclients=1024 maxevents=1028
2023:04:19-21:27:20 utm openvpn[10106]: Initialization Sequence Completed
2023:04:19-21:42:24 utm openvpn[10106]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
2023:04:19-21:42:24 utm openvpn[10106]: MANAGEMENT: CMD 'status -1'
2023:04:19-21:42:34 utm openvpn[10106]: MANAGEMENT: Client disconnected


  • Well, you are using the DH cipher suite algorithm. That was discontinued in the 9.708 release. Are you sure you aren't affected by that update? Did you recently update while it was working, then recently discover it would not? Is this paste from your Linux VPN client? It doesn't look like UTM logs from what I remember. What does your UTM log look like when you get disconnected? Your OpenSSL library version is also severely out of date.

    From the 9.708 release:

    Also included in this release is an update for OpenSSL which removes support for ciphersuites that include the non-EC Diffie-Hellman (DH) algorithm for key exchange. These ciphersuites have been considered weak for some time now. For uses where the UTM is a server (e.g. WAF, SMTP), these cipher suites were already excluded by default prior to this update, so there should be no significant impact. Where the UTM acts as a client making connections to external SSL/TLS services running old software with limited support for more modern protocols, this could cause connection issues. For example, users connecting through the WebProxy with HTTPS decryption enabled will no longer be able to connect to old servers that have poor support for modern ciphers.

    • NUTM-12717 [Basesystem] Resolve OpenSSL issues - Remove DH cipher support - (CVE-2020-1968) & (CVE-2021-3712)

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)
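As an added example (not from the thread, and not Sophos code), here is a small Python triage script that pulls out of an OpenVPN server log excerpt the facts the reply above asks about: the OpenVPN and OpenSSL build strings, the Diffie-Hellman parameter size, and whether any VPN client actually reached the daemon, as opposed to WebAdmin polling the management socket. The OpenVPN message prefixes it matches ("TCP connection established", "TLS Error", and so on) are genuine OpenVPN 2.x server messages; the sample input is the log posted above plus two constructed lines (the 198.51.100.7 address is a documentation-range placeholder) showing how a handshake that reaches the daemon and fails would look.

```python
import re

# Log line shape as posted in the thread: "2023:04:19-21:27:20 utm openvpn[10106]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
OPENVPN_RE = re.compile(r"^OpenVPN (?P<ver>\S+) ")
OPENSSL_RE = re.compile(r"library versions: OpenSSL (?P<ver>\S+)")
DH_RE = re.compile(r"Diffie-Hellman initialized with (?P<bits>\d+) bit key")

# Genuine OpenVPN server messages that only appear once a VPN client has reached the daemon.
CLIENT_MARKERS = ("TCP connection established", "TLS: Initial packet", "Peer Connection Initiated")
# Genuine OpenVPN messages for a handshake that reached the daemon and then failed.
FAILURE_MARKERS = ("TLS Error", "TLS handshake failed", "VERIFY ERROR", "OpenSSL: error")


def parse_line(line):
    """Split one log line into ts/host/pid/msg; None for lines that are not OpenVPN records."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Summarise what an OpenVPN server log excerpt shows, and what it does not show."""
    s = {
        "openvpn_version": None,
        "openssl_version": None,
        "dh_bits": None,
        "restarts": 0,            # "Initialization Sequence Completed" lines
        "client_attempts": 0,     # lines proving a VPN client reached the daemon
        "handshake_failures": 0,  # handshakes that reached the daemon and failed
        "management_queries": 0,  # WebAdmin polling the management socket, not a VPN client
        "findings": [],
    }
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        m = OPENVPN_RE.match(msg)
        if m:
            s["openvpn_version"] = m.group("ver")
        m = OPENSSL_RE.search(msg)
        if m:
            s["openssl_version"] = m.group("ver")
        m = DH_RE.search(msg)
        if m:
            s["dh_bits"] = int(m.group("bits"))
        if "Initialization Sequence Completed" in msg:
            s["restarts"] += 1
        if "MANAGEMENT: CMD" in msg:
            s["management_queries"] += 1
        if any(k in msg for k in CLIENT_MARKERS):
            s["client_attempts"] += 1
        if any(k in msg for k in FAILURE_MARKERS):
            s["handshake_failures"] += 1

    if s["dh_bits"]:
        s["findings"].append(f"server loads {s['dh_bits']}-bit Diffie-Hellman parameters for key exchange")
    if s["openssl_version"]:
        s["findings"].append(f"daemon is linked against OpenSSL {s['openssl_version']}; "
                             "compare with the release notes for the installed UTM version")
    if s["client_attempts"] == 0:
        s["findings"].append("no VPN client reached the daemon in this excerpt; only a restart and "
                             "management-socket queries are logged, so check the client-side log "
                             "and the path to the listening port")
    if s["handshake_failures"]:
        s["findings"].append(f"{s['handshake_failures']} handshake(s) reached the daemon and failed; "
                             "the error text names the TLS/cipher problem")
    return s


# Excerpt of the log posted in the thread (server restart, then WebAdmin polling the management socket).
THREAD_LOG = """\
2023:04:19-21:27:20 utm openvpn[8282]: SIGTERM[hard,] received, process exiting
2023:04:19-21:27:20 utm openvpn[10104]: OpenVPN 2.3.10 i686-suse-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 29 2017
2023:04:19-21:27:20 utm openvpn[10104]: library versions: OpenSSL 1.0.2j-fips  26 Sep 2016, LZO 2.09
2023:04:19-21:27:20 utm openvpn[10106]: Diffie-Hellman initialized with 2048 bit key
2023:04:19-21:27:20 utm openvpn[10106]: Listening for incoming TCP connection on [undef]
2023:04:19-21:27:20 utm openvpn[10106]: Initialization Sequence Completed
2023:04:19-21:42:24 utm openvpn[10106]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
2023:04:19-21:42:24 utm openvpn[10106]: MANAGEMENT: CMD 'status -1'
2023:04:19-21:42:34 utm openvpn[10106]: MANAGEMENT: Client disconnected
"""

# Constructed lines (not from the thread) showing a client that does reach the daemon but fails
# its TLS handshake; 198.51.100.7 is a documentation-range placeholder address.
CONSTRUCTED_FAILURE_LOG = THREAD_LOG + """\
2023:04:19-21:50:01 utm openvpn[10106]: TCP connection established with [AF_INET]198.51.100.7:52344
2023:04:19-21:50:03 utm openvpn[10106]: 198.51.100.7:52344 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for name, text in (("thread excerpt", THREAD_LOG), ("constructed failure", CONSTRUCTED_FAILURE_LOG)):
        r = triage(text)
        print(f"== {name}: OpenVPN {r['openvpn_version']}, OpenSSL {r['openssl_version']}, "
              f"DH {r['dh_bits']} bit, restarts={r['restarts']}, "
              f"client_attempts={r['client_attempts']}, failures={r['handshake_failures']}")
        for finding in r["findings"]:
            print("  -", finding)
```

Run against the posted excerpt, the script reports one daemon restart, one management status query and zero client connection attempts, which is the distinction the reply is driving at: a server log with no inbound TLS handshake cannot tell you which cipher the client offered, so the client-side log is needed to decide whether the DH removal is the cause.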
