by

Dear support forum & Teltonika team,

Since the latest firmware version RUT9XX_R_00.06.07_WEBUI it is no longer possible for us to get a working OpenVPN client connection from a RUT950 to our servers. After doing the same setup as always (we have been selling preconfigured RUT950s to our customers since 2016), I get the following error:

Thu Oct 29 14:07:47 2020 daemon.err openvpn(client_ixsvpnip)[9712]: Options error: --pull cannot be used with --mode server
Thu Oct 29 14:07:47 2020 daemon.warn openvpn(client_ixsvpnip)[9712]: Use --help for more information.

However, we do not specify either "pull" or "server".

I assume that those options are auto-generated during OpenVPN client configuration.

root@ixs:~# cat /tmp/etc/openvpn-client_ixsvpnip.conf
client
nobind
persist-key
auth none
auth-user-pass /etc/openvpn/auth_client_ixsvpnip
ca /lib/uci/upload/cbid.openvpn.client_ixsvpnip.ca
cipher none
dev tap
keepalive 20 120
mode server
port 1194
proto udp
remote XXX.XXX.XXX.XXX
resolv-retry infinite
verb 5
dev tun_ixsvpnip
dev-type tap
sndbuf 0
rcvbuf 0
tun-mtu 1500
explicit-exit-notify
persist-key
persist-tun
reneg-sec 0
reneg-bytes 0
setenv CLIENT_CERT 0
remote-cert-tls server
fast-io
auth-nocache
remote-cert-tls server
script-security 2
down /etc/openvpn/updown_dns
up /etc/openvpn/updown_dns


root@ixs:~# cat /etc/config/openvpn

config openvpn 'teltonika_auth_service'
        option persist_key '1'
        option persist_tun '1'
        option port '5002'
        option proto 'udp'
        option verb '4'
        option nobind '1'
        option enable '0'
        option remote 'rms.teltonika.lt'
        option resolv_retry 'infinite'
        option keepalive '10 120'
        option auth_user_pass '/etc/openvpn/auth'
        option ca '/etc/openvpn/tlt_ca.crt'
        option ns_cert_type 'server'
        option comp_lzo 'yes'
        option client '1'
        option dev 'tun_rms'
        option script_security '2'
        option up '"/etc/init.d/rms_uhttpd start"'
        option down '"/etc/init.d/rms_uhttpd rms_stop"'

config webui 'webui'
        option _auth 'tls'

config openvpn 'client_ixsvpnip'
        option persist_key '1'
        option port '1194'
        option _role 'client'
        option verb '5'
        option nobind '1'
        option proto 'udp'
        option enable '1'
        option dev 'tap'
        option remote 'XXX.XXX.XXX.XXX'
        option resolv_retry 'infinite'
        option keepalive '20 120'
        option _auth 'pass'
        option cipher 'none'
        option _tls_cipher 'all'
        option auth 'none'
        option _tls_auth 'none'
        option ca '/lib/uci/upload/cbid.openvpn.client_ixsvpnip.ca'
        option client '1'
        option auth_user_pass '/etc/openvpn/auth_client_ixsvpnip'
        list _extra 'dev tun_ixsvpnip'
        list _extra 'dev-type tap'
        list _extra 'sndbuf 0'
        list _extra 'rcvbuf 0'
        list _extra 'tun-mtu 1500'
        list _extra 'explicit-exit-notify'
        list _extra 'persist-key'
        list _extra 'persist-tun'
        list _extra 'reneg-sec 0'
        list _extra 'reneg-bytes 0'
        list _extra 'setenv CLIENT_CERT 0'
        list _extra 'remote-cert-tls server'
        list _extra 'fast-io'
        option mode 'server'

If I remove the last "option mode 'server'" from /etc/config/openvpn manually (via SSH), everything works as always. After saving the OpenVPN client configuration via the Web UI again, the "option mode 'server'" reappears.

After downgrading to RUT9XX_R_00.06.06.1_WEBUI.bin, everything works.

by

Log: I have the same problem after updating it to version RUT9XX_R_00.06.07.2.

Tue Nov 24 17:10:54 2020 daemon.warn openvpn(client_1786)[21105]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Nov 24 17:10:54 2020 daemon.notice openvpn(client_1786)[21105]: Re-using SSL/TLS context
Tue Nov 24 17:10:54 2020 daemon.notice openvpn(client_1786)[21105]: Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Tue Nov 24 17:10:54 2020 daemon.notice openvpn(client_1786)[21105]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Tue Nov 24 17:10:54 2020 daemon.notice openvpn(client_1786)[21105]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Nov 24 17:10:54 2020 daemon.notice openvpn(client_1786)[21105]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Nov 24 17:10:54 2020 daemon.notice openvpn(client_1786)[21105]: TCP/UDP: Preserving recently used remote address: [AF_INET]SERVERIP:1194
Tue Nov 24 17:10:54 2020 daemon.notice openvpn(client_1786)[21105]: Socket Buffers: R=[8388608->8388608] S=[8388608->8388608]
Tue Nov 24 17:10:54 2020 daemon.notice openvpn(client_1786)[21105]: UDP link local: (not bound)
Tue Nov 24 17:10:54 2020 daemon.notice openvpn(client_1786)[21105]: UDP link remote: [AF_INET]SERVERIP:1194
Tue Nov 24 17:10:54 2020 daemon.notice openvpn(client_1786)[21105]: TLS: Initial packet from [AF_INET]SERVERIP:1194, sid=cf51850a ec6eb06a
Tue Nov 24 17:10:54 2020 daemon.notice openvpn(client_1786)[21105]: VERIFY OK: depth=1, C=EC, ST=Guayas, O=Saucinc, OU=Sistemas, CN=root, emailAddress=email
Tue Nov 24 17:10:54 2020 daemon.err openvpn(client_1786)[21105]: Certificate does not have key usage extension
Tue Nov 24 17:10:54 2020 daemon.notice openvpn(client_1786)[21105]: VERIFY KU ERROR
Tue Nov 24 17:10:54 2020 daemon.err openvpn(client_1786)[21105]: OpenSSL: error:1416F086:lib(20):func(367):reason(134)
Tue Nov 24 17:10:54 2020 daemon.err openvpn(client_1786)[21105]: TLS_ERROR: BIO read tls_read_plaintext error
Tue Nov 24 17:10:54 2020 daemon.err openvpn(client_1786)[21105]: TLS Error: TLS object -> incoming plaintext read error
Tue Nov 24 17:10:54 2020 daemon.err openvpn(client_1786)[21105]: TLS Error: TLS handshake failed
Tue Nov 24 17:10:54 2020 daemon.notice openvpn(client_1786)[21105]: TCP/UDP: Closing socket
Tue Nov 24 17:10:54 2020 daemon.notice openvpn(client_1786)[21105]: SIGUSR1[soft,tls-error] received, process restarting
Tue Nov 24 17:10:54 2020 daemon.notice openvpn(client_1786)[21105]: Restart pause, 300 second(s)

by

This is yet another error that I (OP) got as well. 

It's related to this option:

        list _extra 'remote-cert-tls server'

This option seems to be forced in OpenVPN client configs also since (I believe, not absolutely sure) RUT9XX_R_00.06.07.2, like the "option mode 'server'", and will not work with existing server certificates that do not have the extended key usage extension "serverAuth" (not 100% sure about that, but it's related to EKU).

Kind regards
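A small pre-flight check for the two problems raised in this thread (the forced "mode server" in a client config, and "remote-cert-tls server" failing against a server certificate without the serverAuth EKU). This is an added example, not code from the thread or from Teltonika's firmware; it assumes the generated config path shown above and that openssl is present on the router.

```shell
#!/bin/sh
# Added example: sanity-check a generated OpenVPN client config before the
# daemon is (re)started, e.g. /tmp/etc/openvpn-client_ixsvpnip.conf.

# Returns 0 if the config is consistent for a client, 1 if it carries
# "mode server" together with "client" or "pull" (the combination OpenVPN
# rejects with "--pull cannot be used with --mode server").
check_client_conf() {
    conf="$1"
    has_client=0
    has_mode_server=0
    while IFS= read -r line; do
        # strip OpenVPN comments ('#' or ';') and surrounding whitespace
        line=$(printf '%s' "$line" | sed 's/[#;].*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$line" in
            client|pull)   has_client=1 ;;
            "mode server") has_mode_server=1 ;;
        esac
    done < "$conf"
    if [ "$has_client" -eq 1 ] && [ "$has_mode_server" -eq 1 ]; then
        echo "CONFLICT: $conf: 'mode server' in a client config (client/pull present)" >&2
        return 1
    fi
    return 0
}

# Returns 0 if the certificate file $1 carries extendedKeyUsage serverAuth
# ("TLS Web Server Authentication"), which "remote-cert-tls server" requires
# on the server certificate; returns 2 if openssl is not available.
cert_has_server_auth() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}
```

Run `check_client_conf /tmp/etc/openvpn-client_ixsvpnip.conf` after each Web UI save to catch the regenerated option before OpenVPN refuses to start.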
by

Hi,

The RUT9XX_R_00.06.07.3 hotfix will be released by Friday to resolve this OpenVPN issue.

Firmware will be uploaded to Teltonika wiki and FOTA server.

1 Answer

0 votes
by
Hi,

So you're saying that when you create a client and save its configurations in WebUI, in OpenVPN client config "option mode 'server'" appears, which breaks it?

EB.
by

Hi EB,

yes, that's the case.
I've written down, in a minimal manner, all the steps I did a few minutes ago to reproduce:

(Because the RUTs we have in stock came with an older firmware, we do an upgrade first)

1.) Login admin / admin01
2.) Change Password
3.) Skip setup wizard
4.) Go to Administration > Firmware
5.) De-select "Keep all settings"
6.) Click "Upgrade from Server"
7.) Wait for download
8.) Click "Upgrade"
9.) Wait for upgrade until redirect to login page

With RUT9XX_R_00.06.07 installed:

1.) Login with admin / admin01
2.) Change password
3.) Skip wizard
4.) Go to services > VPN
5.) Role: Client
6.) New configuration name: ixsvpnip
7.) Click "Add New"
8.) Click "Save"

Check via SSH:

root@Teltonika:~# cat /etc/config/openvpn

config openvpn 'teltonika_auth_service'
        option persist_key '1'
        option persist_tun '1'
        option port '5002'
        option proto 'udp'
        option verb '4'
        option nobind '1'
        option enable '0'
        option remote 'rms.teltonika.lt'
        option resolv_retry 'infinite'
        option keepalive '10 120'
        option auth_user_pass '/etc/openvpn/auth'
        option ca '/etc/openvpn/tlt_ca.crt'
        option ns_cert_type 'server'
        option comp_lzo 'yes'
        option client '1'
        option dev 'tun_rms'
        option script_security '2'
        option up '"/etc/init.d/rms_uhttpd start"'
        option down '"/etc/init.d/rms_uhttpd rms_stop"'

config webui 'webui'
        option _auth 'tls'

config openvpn 'client_ixsvpnip'
        option enable '0'
        option persist_key '1'
        option port '1194'
        option _role 'client'
        option dev 'tun_c_ixsvpnip'
        option verb '5'
        option nobind '1'
        option proto 'udp'

=> No "option mode 'server'" there

9.) Edit connection
10.) Switch e.g. from tun to tap (no other settings made via WebGUI)
11.) Save

Check via SSH:

root@Teltonika:~# cat /etc/config/openvpn

config openvpn 'teltonika_auth_service'
        option persist_key '1'
        option persist_tun '1'
        option port '5002'
        option proto 'udp'
        option verb '4'
        option nobind '1'
        option enable '0'
        option remote 'rms.teltonika.lt'
        option resolv_retry 'infinite'
        option keepalive '10 120'
        option auth_user_pass '/etc/openvpn/auth'
        option ca '/etc/openvpn/tlt_ca.crt'
        option ns_cert_type 'server'
        option comp_lzo 'yes'
        option client '1'
        option dev 'tun_rms'
        option script_security '2'
        option up '"/etc/init.d/rms_uhttpd start"'
        option down '"/etc/init.d/rms_uhttpd rms_stop"'

config webui 'webui'

        option _auth 'tls'

config openvpn 'client_ixsvpnip'
        option enable '0'
        option persist_key '1'
        option port '1194'
        option _role 'client'
        option verb '5'
        option nobind '1'
        option proto 'udp'
        option client '1'
        option dev 'tap'
        option resolv_retry 'infinite'
        option _auth 'tls'
        option cipher 'BF-CBC'
        option _tls_cipher 'all'
        option auth 'sha1'
        option _tls_auth 'none'
        option mode 'server'

=> "option mode 'server'" appeared.

by
Hi,

The information has been relayed to RnD; I'll inform you once fixes are available.
by
Hi,

Test firmware with a fix can be downloaded from here:

https://kaunas.teltonika.lt:444/f/87f64c9a3a7b43d78d32/

Official hotfix should be released in roughly 1-2 weeks.