Page MenuHomeVyOS Platform

OpenVPN options and site-to-site cannot pass smoketest
Closed, ResolvedPublicBUG

Description

OpenVPN options and site-to-site cannot pass smoketest

10:01:54  DEBUG - ======================================================================
10:01:54  DEBUG - FAIL: test_openvpn_options (__main__.TestInterfacesOpenVPN.test_openvpn_options)
10:01:54  DEBUG - ----------------------------------------------------------------------
10:01:54  DEBUG - Traceback (most recent call last):
10:01:54  DEBUG -   File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py", line 600, in test_openvpn_options
10:01:54  DEBUG -     self.assertNotEqual(cur_pid, new_pid)
10:01:54  DEBUG - AssertionError: None == None
10:01:54  DEBUG - 
10:01:54  DEBUG - ======================================================================
10:01:54  DEBUG - FAIL: test_openvpn_site2site_interfaces_tun (__main__.TestInterfacesOpenVPN.test_openvpn_site2site_interfaces_tun)
10:01:54  DEBUG - ----------------------------------------------------------------------
10:01:54  DEBUG - Traceback (most recent call last):
10:01:54  DEBUG -   File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py", line 676, in test_openvpn_site2site_interfaces_tun
10:01:54  DEBUG -     self.assertTrue(process_named_running(PROCESS_NAME))
10:01:54  DEBUG - AssertionError: None is not true
10:01:54  DEBUG - 
10:01:54  DEBUG - ----------------------------------------------------------------------
10:01:54  DEBUG - Ran 8 tests in 62.183s
10:01:54  DEBUG - 
10:01:54  DEBUG - FAILED (failures=2)

Details

Difficulty level
Normal (likely a few hours)
Version
1.4-rolling-202302230739
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Config VyOS:

set interfaces openvpn vtun5001 local-address 203.0.113.1
set interfaces openvpn vtun5001 mode 'site-to-site'
set interfaces openvpn vtun5001 remote-address '192.0.2.5'
set interfaces openvpn vtun5001 shared-secret-key 'ovpn_test'
set pki openvpn shared-secret ovpn_test key '9caf354e0f313b3a671d01e62ea2b512346a651dd30a9e51d6c45dc1031f1b0931eabdf7a0ddcbe1a147ff882ccce35dcb5e1d4d6ddb5e909ca012a8d8e16fe50dd332005dff9a836a2852f36e84e27bad07993a8094c56fb0553866ef74c6c5cc6ddb8f4673d3ff300c48068b944bd8ba1100d41f91d156bcd2629ff39837ddcb34d93147a4aabc7e6ad95d5800c82c8ab60ba302d6625a3b26fbfe183fd6c06d884be44edde344fd0ac91a33064529e010eba0c0f495fa44519fd98adb97452a27fb3340bc20efadd68c9538aa4a238c9f58f542e3571ec78790fdd03e678e18631b82edb9358a2c55ce581d68b71881cad0d0419d4cc58c13641f84281260'
set pki openvpn shared-secret ovpn_test version '1'

Config OpenVPN:

vyos@r14# cat /run/openvpn/vtun5001.conf 
### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
#
# 
#

verb 3
dev-type tun
dev vtun5001
persist-key
proto udp
secret /run/openvpn/vtun5001_shared.key

#
# OpenVPN site-2-site mode
#
ping 10
ping-restart 60

ifconfig 203.0.113.1 192.0.2.5


# Encryption options


[edit]
vyos@r14#

Debug log:

Feb 23 10:55:52 r14 systemd[1]: [email protected]: Scheduled restart job, restart counter is at 10.
Feb 23 10:55:52 r14 systemd[1]: Stopped [email protected] - OpenVPN connection to vtun5001.
Feb 23 10:55:52 r14 systemd[1]: Starting [email protected] - OpenVPN connection to vtun5001...
Feb 23 10:55:52 r14 openvpn-vtun5001[10155]: DEPRECATED OPTION: The option --secret is deprecated.
Feb 23 10:55:52 r14 openvpn-vtun5001[10155]: No tls-client or tls-server option in configuration detected. Disabling data channel offload.
Feb 23 10:55:52 r14 openvpn-vtun5001[10155]: DEPRECATION: No tls-client or tls-server option in configuration detected. OpenVPN 2.7 will remove the functionality to run a VPN without TLS. See the examples section in the manual page for examples of a similar quick setup with peer-fingerprint.
Feb 23 10:55:52 r14 openvpn-vtun5001[10155]: WARNING: file '/run/openvpn/vtun5001_shared.key' is group or others accessible
Feb 23 10:55:52 r14 openvpn-vtun5001[10155]: OpenVPN 2.6.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
Feb 23 10:55:52 r14 openvpn-vtun5001[10155]: library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
Feb 23 10:55:52 r14 openvpn-vtun5001[10155]: Cipher BF-CBC not supported
Feb 23 10:55:52 r14 openvpn-vtun5001[10155]: Exiting due to fatal error
This comment was removed by Viacheslav.
secret has been deprecated
    static key mode (non-TLS) is no longer considered "good and secure enough" for today's requirements. Use TLS mode instead. If deploying a PKI CA is considered "too complicated", using --peer-fingerprint makes TLS mode about as easy as using --secret.

https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst

PR https://github.com/vyos/vyos-1x/pull/1842

vyos@r14:~$ /usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py
test_openvpn_client_interfaces (__main__.TestInterfacesOpenVPN.test_openvpn_client_interfaces) ... ok
test_openvpn_client_verify (__main__.TestInterfacesOpenVPN.test_openvpn_client_verify) ... ok
test_openvpn_options (__main__.TestInterfacesOpenVPN.test_openvpn_options) ... ok
test_openvpn_server_net30_topology (__main__.TestInterfacesOpenVPN.test_openvpn_server_net30_topology) ... ok
test_openvpn_server_subnet_topology (__main__.TestInterfacesOpenVPN.test_openvpn_server_subnet_topology) ... ok
test_openvpn_server_verify (__main__.TestInterfacesOpenVPN.test_openvpn_server_verify) ... ok
test_openvpn_site2site_interfaces_tun (__main__.TestInterfacesOpenVPN.test_openvpn_site2site_interfaces_tun) ... ok
test_openvpn_site2site_verify (__main__.TestInterfacesOpenVPN.test_openvpn_site2site_verify) ... ok

----------------------------------------------------------------------
Ran 8 tests in 96.620s

OK
vyos@r14:~$
Viacheslav claimed this task.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.