Page MenuHomeVyOS Platform
Create Task
Maniphest T7738

Improper OpenVPN certificates migration from 1.3 to 1.4
Closed, ResolvedPublicBUG
Actions

Description

If we have some OpenVPN interfaces that use the same certificates, migration to 1.4 creates its certificate for each interface.
The result is: instead of one certificate in the configuration, we have many identical certificates.
For instance:
Config of 1.3 version:

openvpn vtun5 {
     ....
    tls {
        ca-cert-file /config/auth/ca.crt
        cert-file /config/auth/server.crt
        key-file /config/auth/server.key
        role active
    }
}
openvpn vtun6 {
    ..........
    tls {
        ca-cert-file /config/auth/ca.crt
        cert-file /config/auth/server.crt
        key-file /config/auth/server.key
        role active
    }
}

After migration
Config of 1.4 version:

openvpn vtun5 {
    ..........
    tls {
        ca-certificate "openvpn_vtun5_1"
        certificate "openvpn_vtun5"
    }
}
openvpn vtun6 {
    ........... 
    tls {
        ca-certificate "openvpn_vtun6_1"
        certificate "openvpn_vtun6"
        role "active"
    }
}

If we have 10 interfaces, we get 10 identical CA certificates and 10 identical Server certificates.

Details

Version
2025.08.18-0022-rolling, 1.4.3
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

a.apostoliuk created this task.Aug 20 2025, 10:23 AM
a.apostoliuk triaged this task as Low priority.
a.apostoliuk changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
pasik subscribed.Aug 20 2025, 11:14 AM
Viacheslav edited projects, added VyOS 1.5 Circinus (1.5-stream-2025-Q4); removed VyOS 1.5 Circinus.Sep 25 2025, 1:59 AM
dmbaturin removed a project: VyOS 1.4 Sagitta (1.4.4).Wed, Nov 19, 2:21 PM
c-po changed the task status from Open to In progress.Mon, Dec 1, 6:57 AM
c-po claimed this task.
c-po added a project: VyOS 1.4 Sagitta (1.4.4).
c-po added a comment.EditedTue, Dec 2, 6:17 AM

https://github.com/vyos/vyos-1x/pull/4884

Before

vyos@vyos:~$ show pki
Certificate Authorities:
Name              Subject                                                                                                                             Issuer CN                                      Issued               Expiry               Private Key    Parent
----------------  ----------------------------------------------------------------------------------------------------------------------------------  ---------------------------------------------  -------------------  -------------------  -------------  ----------------
openvpn_vtun10_1  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev,CN=Easy-RSA CA,OU=VyOS Networks Test CA 1,O=VyOS Networks,L=Poway,ST=California,C=US  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  2025-12-01 07:44:58  2035-11-29 07:44:58  No             N/A
openvpn_vtun11_1  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev,CN=Easy-RSA CA,OU=VyOS Networks Test CA 1,O=VyOS Networks,L=Poway,ST=California,C=US  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  2025-12-01 07:44:58  2035-11-29 07:44:58  No             openvpn_vtun10_1
openvpn_vtun12_1  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev,CN=Easy-RSA CA,OU=VyOS Networks Test CA 1,O=VyOS Networks,L=Poway,ST=California,C=US  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  2025-12-01 07:44:58  2035-11-29 07:44:58  No             openvpn_vtun10_1
openvpn_vtun20_1  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev,CN=Easy-RSA CA,OU=VyOS Networks Test CA 2,O=VyOS Networks,L=Poway,ST=California,C=US  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  2025-12-01 07:53:19  2035-11-29 07:53:19  No             N/A
openvpn_vtun21_1  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev,CN=Easy-RSA CA,OU=VyOS Networks Test CA 2,O=VyOS Networks,L=Poway,ST=California,C=US  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  2025-12-01 07:53:19  2035-11-29 07:53:19  No             openvpn_vtun20_1
openvpn_vtun22_1  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev,CN=Easy-RSA CA,OU=VyOS Networks Test CA 2,O=VyOS Networks,L=Poway,ST=California,C=US  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  2025-12-01 07:53:19  2035-11-29 07:53:19  No             openvpn_vtun20_1

Certificates:
Name            Type    Subject CN                                     Issuer CN                                      Issued               Expiry               Revoked    Private Key    CA Present
--------------  ------  ---------------------------------------------  ---------------------------------------------  -------------------  -------------------  ---------  -------------  ----------------------
openvpn_vtun10  Server  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  2025-12-01 07:45:42  2028-11-15 07:45:42  No         Yes            Yes (openvpn_vtun10_1)
openvpn_vtun11  Server  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  2025-12-01 07:45:42  2028-11-15 07:45:42  No         Yes            Yes (openvpn_vtun10_1)
openvpn_vtun12  Server  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  2025-12-01 07:45:42  2028-11-15 07:45:42  No         Yes            Yes (openvpn_vtun10_1)
openvpn_vtun20  Server  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  2025-12-01 07:53:43  2028-11-15 07:53:43  No         Yes            Yes (openvpn_vtun20_1)
openvpn_vtun21  Server  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  2025-12-01 07:53:43  2028-11-15 07:53:43  No         Yes            Yes (openvpn_vtun20_1)
openvpn_vtun22  Server  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  2025-12-01 07:53:43  2028-11-15 07:53:43  No         Yes            Yes (openvpn_vtun20_1)

Certificate Revocation Lists:
CA Name           Updated              Revokes
----------------  -------------------  ---------
openvpn_vtun10_1  2025-12-01 09:26:08
openvpn_vtun11_1  2025-12-01 09:26:08
openvpn_vtun12_1  2025-12-01 09:26:08
openvpn_vtun20_1  2025-12-01 09:26:31
openvpn_vtun21_1  2025-12-01 09:26:31
openvpn_vtun22_1  2025-12-01 09:26:31

After

vyos@vyos:~$ show pki
Certificate Authorities:
Name              Subject                                                                                                                             Issuer CN                                      Issued               Expiry               Private Key    Parent
----------------  ----------------------------------------------------------------------------------------------------------------------------------  ---------------------------------------------  -------------------  -------------------  -------------  ----------------
openvpn_vtun10_1  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev,CN=Easy-RSA CA,OU=VyOS Networks Test CA 1,O=VyOS Networks,L=Poway,ST=California,C=US  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  2025-12-01 07:44:58  2035-11-29 07:44:58  No             N/A
openvpn_vtun20_1  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev,CN=Easy-RSA CA,OU=VyOS Networks Test CA 2,O=VyOS Networks,L=Poway,ST=California,C=US  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  2025-12-01 07:53:19  2035-11-29 07:53:19  No             N/A

Certificates:
Name            Type    Subject CN                                     Issuer CN                                      Issued               Expiry               Revoked    Private Key    CA Present
--------------  ------  ---------------------------------------------  ---------------------------------------------  -------------------  -------------------  ---------  -------------  ----------------------
openvpn_vtun10  Server  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  2025-12-01 07:45:42  2028-11-15 07:45:42  No         Yes            Yes (openvpn_vtun10_1)
openvpn_vtun20  Server  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  1.2.840.113549.1.9.1=test-ca.noreply@vyos.dev  2025-12-01 07:53:43  2028-11-15 07:53:43  No         Yes            Yes (openvpn_vtun20_1)

Certificate Revocation Lists:
CA Name           Updated              Revokes
----------------  -------------------  ---------
openvpn_vtun10_1  2025-12-01 09:26:08
openvpn_vtun20_1  2025-12-01 09:26:31
c-po mentioned this in rVYOSONEX63cc76fa2367: openvpn: T7738: avoid duplicate certs during 1.3 -> 1.4 migration.Thu, Dec 4, 11:59 AM
c-po mentioned this in rVYOSONEXb4299d7b9af8: smoketest: T7738: provide OpenVPN test certificates for migration tests.
Restricted Repository Identity mentioned this in rVYOSONEXa6ab36aab78a: Merge pull request #4884 from c-po/openvpn-t7738-migration.Thu, Dec 4, 11:59 AM
dmbaturin closed this task as Resolved.Mon, Dec 8, 6:28 PM