Pivpn: failure to connect after upgrade to stretch

Created on 30 Aug 2017  路  7Comments  路  Source: pivpn/pivpn

I decided to update my rpi to stretch, following the instructions given on the Raspberry Pi blog (change sources to stretch, do update, do dist-upgrade). After updating, OpenVPN is no longer able to establish a connection. I tried to run pivpn debug which did detect issues and was able to correct them. However, the problem persists and no additional issues are detected.

The OpenVPN client goes into a loop of TLS handshake failures as it receives no response from the server:

**2017-08-30 07:51:50 SIGUSR1[soft,tls-error] received, process restarting
2017-08-30 07:51:50 MANAGEMENT: >STATE:1504075910,RECONNECTING,tls-error,,
2017-08-30 07:51:50 MANAGEMENT: CMD 'hold release'
2017-08-30 07:51:50 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-08-30 07:51:50 MANAGEMENT: >STATE:1504075910,RESOLVE,,,
2017-08-30 07:51:50 UDPv4 link local: [undef]
2017-08-30 07:51:50 UDPv4 link remote: [AF_INET]82.14.182.251:1194
2017-08-30 07:51:50 MANAGEMENT: >STATE:1504075910,WAIT,,,
2017-08-30 07:51:50 MANAGEMENT: >STATE:1504075910,AUTH,,,
2017-08-30 07:51:50 TLS: Initial packet from [AF_INET]82.14.182.251:1194, sid=ab4eaa70 46626813
2017-08-30 07:51:51 VERIFY OK: depth=1, CN=ChangeMe
2017-08-30 07:51:51 Validating certificate key usage
2017-08-30 07:51:51 ++ Certificate has key usage  00a0, expects 00a0
2017-08-30 07:51:51 VERIFY KU OK
2017-08-30 07:51:51 Validating certificate extended key usage
2017-08-30 07:51:51 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2017-08-30 07:51:51 VERIFY EKU OK
2017-08-30 07:51:51 VERIFY X509NAME OK: CN=server
2017-08-30 07:51:51 VERIFY OK: depth=0, CN=server
2017-08-30 07:52:50 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2017-08-30 07:52:50 TLS Error: TLS handshake failed**

The openvpn process is running on the rpi, the iptables seem to be set up correctly. The port forwarding and such are all correct as this rpi has been in use as a VPN for quite some time (on jessie). No other software is installed; this is a jessie lite + pivpn + upgrade to stretch.

This is mainly a warning to others not to update to stretch at this time. If anyone would know how to fix my install though, I would be very grateful!

information

Most helpful comment

I have everything working again. So, the issue is that with the update to OpenVPN v2.4 CRLs with a nextUpdate in the past are no longer accepted (see here). It's probably best to verify that you are indeed having this issue. To do so, first, try to connect to OpenVPN on one of your clients (which won't work). Second, log into your OpenVPN server and type:

sudo systemctl status [email protected]

You should see an entry:

 VERIFY ERROR: depth=0, error=CRL has expired: CN=xxx

with xxx the name of the user that was trying to log in. If this is indeed the case, then don't worry. The solution is listed below.

To fix the issue, you need to regenerate the CRL. To do that, log into your OpenVPN server if you aren't in there yet and navigate to the easy-rsa folder:

cd /etc/openvpn/easy-rsa

Once you are in that folder, we need to regenerate the CRL. There's a script for that:

sudo ./easyrsa gen-crl

We now have the correct CRL, but it's not quite in the right place. If you type:

sudo cat ../server.conf | grep "crl-verify"

you will see the location of the crl.pem file. If the location it shows is /etc/openvpn/crl.pem then simply run:

sudo cp /etc/openvpn/easy-rsa/pki/crl.pem ../crl.pem

If your crl.pem file is stored somewhere else, all you have to do is replace ../crl.pem in the previous command with the path shown after crl-verify with the command we ran earlier.

With the crl.pem file in the right place, all that is left is to restart the OpenVPN server:

sudo systemctl restart [email protected]

That is it. You should now be able to connect to the OpenVPN server again. As you can see, the fix is rather easy as it is a change you have to make on the server. Once you have updated the CRL file on the server, all the clients will be able to connect again.

All 7 comments

I have everything working again. So, the issue is that with the update to OpenVPN v2.4 CRLs with a nextUpdate in the past are no longer accepted (see here). It's probably best to verify that you are indeed having this issue. To do so, first, try to connect to OpenVPN on one of your clients (which won't work). Second, log into your OpenVPN server and type:

sudo systemctl status [email protected]

You should see an entry:

 VERIFY ERROR: depth=0, error=CRL has expired: CN=xxx

with xxx the name of the user that was trying to log in. If this is indeed the case, then don't worry. The solution is listed below.

To fix the issue, you need to regenerate the CRL. To do that, log into your OpenVPN server if you aren't in there yet and navigate to the easy-rsa folder:

cd /etc/openvpn/easy-rsa

Once you are in that folder, we need to regenerate the CRL. There's a script for that:

sudo ./easyrsa gen-crl

We now have the correct CRL, but it's not quite in the right place. If you type:

sudo cat ../server.conf | grep "crl-verify"

you will see the location of the crl.pem file. If the location it shows is /etc/openvpn/crl.pem then simply run:

sudo cp /etc/openvpn/easy-rsa/pki/crl.pem ../crl.pem

If your crl.pem file is stored somewhere else, all you have to do is replace ../crl.pem in the previous command with the path shown after crl-verify with the command we ran earlier.

With the crl.pem file in the right place, all that is left is to restart the OpenVPN server:

sudo systemctl restart [email protected]

That is it. You should now be able to connect to the OpenVPN server again. As you can see, the fix is rather easy as it is a change you have to make on the server. Once you have updated the CRL file on the server, all the clients will be able to connect again.

Great piece of information! Thank you!! labeled the issue as information for further reference!

Closing! feel free add any comments if needed!

I did all this reimported profile with iTunes and still can't connect. this was working fine for over a year :-(

I think this should be documented on the pivpn website as pivpn creates certificates with an expiry date.
Furthermore there should be an easier way to do that, perhaps the command line tool pivpn can be expanded?
See #590

I'm with @Lagganmhouillin on this one. +1

Thanks you, this worked wonderfully to resolve my PiVPN login issues after upgrading to Raspbian GNU/Linux 9.6 (stretch) as i also had the _CRL has expired_ error. Simply following the instructions to regenerate the CRL using the easyrsa script was a breeze and now we're golden once again. Thanks VERY much for the huge assist.

Thank you kimbauters, your solution worked for me!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

andersonentwistle picture andersonentwistle  路  6Comments

InnovativeInventor picture InnovativeInventor  路  6Comments

jeffffc picture jeffffc  路  7Comments

orangepizza picture orangepizza  路  3Comments

peterHendrickx picture peterHendrickx  路  4Comments