
Openvpn site-to-site mode with TLS not starting
Closed, Resolved · Public · BUG

Description

When configuring OpenVPN site-to-site mode following the documentation, the tunnel does not start. The generated config contains `cert`/`key` and a `<peer-fingerprint>` block but no `tls-client` or `tls-server` directive, so OpenVPN rejects the configuration with an options error (see the logs below).

vyos@Site1# run show conf com | match "pki|openvpn"
set interfaces openvpn vtun1 local-address 10.255.1.1
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 mode 'site-to-site'
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 protocol 'udp'
set interfaces openvpn vtun1 remote-address '10.255.1.2'
set interfaces openvpn vtun1 remote-host '203.0.113.11'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 tls certificate 'openvpn-local'
set interfaces openvpn vtun1 tls peer-fingerprint 'E3:B0:DA:C4:35:48:6D:1F:E5:1A:26:1F:0F:D9:E5:3C:A7:A8:C0:9E:9D:89:75:52:5C:6B:AB:89:5A:3E:35:AE'
set pki certificate openvpn-local certificate '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'
set pki certificate openvpn-local private key 'MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCo9SihO9Sl2Mgyi23j4PXzTRkSHgTMVKHNFz4tnoTrpaoRjvlpVQVGoiuiPUqUlFSu2GX6yDtCxRF9WPKtFBocMV/THAX+5MjnVDIgFjguKFtdop+OvgwUoEqabbaC4S1se0pzR5WkNw0NmSiTi1IMlzw9VbcnOysHJiidW4PVJuSEAE8alFkH6fpAFyVtnwvBJZiwOjGXONxpMqPAB4JVDqtIMstam8K7bC9zskB8WksgL8HOMnaqyqjoLVQbHFWbVOUKfktKIRbzyUaMkP1MP/03ba1ZHuMd4B31HqaaHb2ywn0XbGY/vnypaTwH12Jd8kztOkNtPP3o556cPBzjAgMBAAECggEAAVYzNJdbFtbQuqmkvG1OtNaS0LRhGFbBEvTQnp7G8XBVmJ73dTBhgs4Mp1Nx0BweUWXP5LyJz3zspv+5p8nlbPytA+gQWhRoTIA7h0p1tlPGaUa8mW4CfXVJMdCVZZKvf9C35ZKW6f4vgcCI9CXhh8z4gom3kb1jmUJhhuEu+VQ6oA0KwxVmlfiMRzZYJq+k6BhL4gNrUAFkSNICAN9HxfLrqKj/0EyBDj9aNCAusLTkIJfOj5f65uYIuXNIjUvHa7F3WPw/Z5SM09xcdyVyLgQgY4CQLTvjBzz7Xgrvs6uVcfBYmjQcSb+YsFO7LKL6pWlgmrlf6JPcZckZKwip9QKBgQDsxukpf7lLcPtr98XLUVWBqjuI1oN9hbroo47RovjpaQM6hHJ96m+A2Sk8jQIDlBEhVaBHm2ZEZtDn1MvIOZiz7fjYXSX5OukB+9AIzpHn+W7eQPcQeSYHvhddZq7/loDrCx+nqdbDf5QqwMOKz1kE9HBj5VI8w9PlUKv4pjm73wKBgQC2rLb2JQUu+ti1Z9srr0YJmeZesdGyn9UzHKOpMWgjTPejVRPBkJovPqKCloNmMFSZ4FEw7aepj8uHkEqWNcdppv81L+PaqUkpQXJKk1UUG51Te00NDV0zsMBOff44XZPg9j4XkEma66u1bvtaotEsF8iBiz/YRkjE1bRjfSC/fQKBgC77WRCO82lwxbKqu2iYfur3qFCCoBysCGZY7eHTAKjv2WAnH8C0X+OlM3V8VUX4f12p69/JigVQkWsu4jCcnRw2wAXOldZaRhnKqYDV3EW3TLR1F5EBOPaYVXKHCXpVlscMsf9GyAKKsg+5qBNHCVbeWd64hhTglo8N7tGryhDpAoGANTDneZbgAoUCUxgxpm+7+hG5Fbu7bsLBpsdhFGQRia3gscuVHBjJ/JXFZjcDfd7203OQ0Kly15nKTugB/+ka7rW0vDz8oPAIIJ4w9GwgKuG7ltJhZjqM9/8wj+p5+tmstKWfAOd/tz+GWSc+w26Db85hEO+GIKieicocY5fM0FUCgYEAhdgOGQdBWeSy3rnmTOVb6rmgzEC5g1/8RfvNIHvcgNUmujPHZ159waV6nbxi7rXnCo3xmnj9aELnB+MoAhrqJtYbECZO6a5hg4p55BdUjShgGWWSeCFXu6Px2E0DqDESw6yjAEUAOW9+bTGLNZXgGduVQ7C2gLyCoczNkrLjOfU='

Generated config file:

vyos@vyos# cat /run/openvpn/vtun1.conf
### Autogenerated by interfaces_openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
#
#
#

verb 3
dev-type tun
dev vtun1
persist-key
proto udp
lport 1195
rport 1195
remote 198.51.100.10
persist-tun
disable-dco

#
# OpenVPN site-2-site mode
#
ping 10
ping-restart 60

ifconfig 10.255.1.2 10.255.1.1

# TLS options
cert /run/openvpn/vtun1_cert.pem
key /run/openvpn/vtun1_cert.key
dh none

<peer-fingerprint>
E3:B0:DA:C4:35:48:6D:1F:E5:1A:26:1F:0F:D9:E5:3C:A7:A8:C0:9E:9D:89:75:52:5C:6B:AB:89:5A:3E:35:AE
</peer-fingerprint>

# Encryption options
providers default

Logs (the service restarts in a loop because OpenVPN exits with status 1 at startup):

May 21 11:18:26 systemd[1]: openvpn@vtun1.service: Scheduled restart job, restart counter is at 60.
May 21 11:18:26 systemd[1]: Stopped openvpn@vtun1.service - OpenVPN connection to vtun1.
May 21 11:18:26 systemd[1]: Starting openvpn@vtun1.service - OpenVPN connection to vtun1...
May 21 11:18:26 openvpn-vtun1[4375]: WARNING: Ignoring option 'dh' in tls-client mode, please only include this in your server configuration
May 21 11:18:26 openvpn-vtun1[4375]: Using certificate fingerprint to verify peer (no CA option set).
May 21 11:18:26 openvpn-vtun1[4375]: DEPRECATION: No tls-client or tls-server option in configuration detected. OpenVPN 2.7 will remove the functionality to run a VPN without TLS. See the examples section in the manual page for examples of a similar quick setup with peer-fingerprint.
May 21 11:18:26 openvpn-vtun1[4375]: Options error: Parameter cert_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
May 21 11:18:26 openvpn-vtun1[4375]: Use --help for more information.
May 21 11:18:26 systemd[1]: openvpn@vtun1.service: Main process exited, code=exited, status=1/FAILURE
May 21 11:18:26 systemd[1]: openvpn@vtun1.service: Failed with result 'exit-code'.
May 21 11:18:26 systemd[1]: Failed to start openvpn@vtun1.service - OpenVPN connection to vtun1.

Details

Version
1.5-rolling-202405010020
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

Viacheslav claimed this task.
Viacheslav moved this task from Open to Finished on the VyOS 1.5 Circinus board.