[Solved] Revoked User can still Connect / crl-verify is enabled

Post by ret411 » Wed Sep 05, 2018 3:25 am

Hi guys, I hope you can help me because right now I really don't know what to do.

I am connected as test_user on the server. If I now revoke the certificate for this user with easy-rsa gen-crl, set the file permissions afterwards with chmod 666 and then copy it into the crl directory, which also has 666 permissions, I can still log in as test_user after a disconnect.

If I restart OpenVPN, it behaves normally: the certificate is rejected and a login is no longer possible.

If I understood everything correctly, this should be possible without a restart of OpenVPN.

Here is a log. It shows the login after the new crl.pem has been copied, then the restart of OpenVPN and the login where the certificate is rejected.

Code:

Sep  5 03:41:14 OpenVPN openvpn[35317]: MULTI: multi_create_instance called
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx Re-using SSL/TLS context
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx LZ4v2 compression initializing
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx TLS: Initial packet from [AF_INET6]::ffff:xx.xx.xx.xxx:61561, sid=69577139 d68d6ddb
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx WARNING: Failed to stat CRL file, not (re)loading CRL.
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx VERIFY OK: depth=1, CN=OPENVPN
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx VERIFY KU OK
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx Validating certificate extended key usage
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx VERIFY EKU OK
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx VERIFY OK: depth=0, CN=test_user
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_VER=2.4.6
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_PLAT=mac
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_PROTO=2
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_NCP=2
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_LZ4=1
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_LZ4v2=1
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_LZO=1
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_COMP_STUB=1
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_COMP_STUBv2=1
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_TCPNL=1
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5080_3.7.6a__build_5080)"
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1557'
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sep  5 03:41:14 OpenVPN openvpn[35317]: xx.xx.xx.xxx [test_user] Peer Connection Initiated with [AF_INET6]::ffff:xx.xx.xx.xxx:61561
Sep  5 03:41:14 OpenVPN openvpn[35317]: MULTI: new connection by client 'test_user' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Sep  5 03:41:14 OpenVPN openvpn[35317]: MULTI_sva: pool returned IPv4=10.8.0.102, IPv6=(Not enabled)
Sep  5 03:41:14 OpenVPN openvpn[35317]: MULTI: Learn: 10.8.0.102 -> test_user/xx.xx.xx.xxx
Sep  5 03:41:14 OpenVPN openvpn[35317]: MULTI: primary virtual IP for test_user/xx.xx.xx.xxx: 10.8.0.102
Sep  5 03:41:15 OpenVPN openvpn[35317]: test_user/xx.xx.xx.xxx PUSH: Received control message: 'PUSH_REQUEST'
Sep  5 03:41:15 OpenVPN openvpn[35317]: test_user/xx.xx.xx.xxx SENT CONTROL [test_user]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,compress lz4-v2,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.102 10.8.0.101,peer-id 1,cipher AES-256-GCM' (status=1)
Sep  5 03:41:15 OpenVPN openvpn[35317]: test_user/xx.xx.xx.xxx Data Channel: using negotiated cipher 'AES-256-GCM'
Sep  5 03:41:15 OpenVPN openvpn[35317]: test_user/xx.xx.xx.xxx Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Sep  5 03:41:15 OpenVPN openvpn[35317]: test_user/xx.xx.xx.xxx Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep  5 03:41:15 OpenVPN openvpn[35317]: test_user/xx.xx.xx.xxx Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep  5 03:41:44 OpenVPN openvpn[35317]: event_wait : Interrupted system call (code=4)
Sep  5 03:41:44 OpenVPN openvpn[35317]: SENT CONTROL [test_user]: 'RESTART' (status=1)
Sep  5 03:41:45 OpenVPN openvpn[35317]: MULTI: multi_create_instance called
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx Re-using SSL/TLS context
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx LZ4v2 compression initializing
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx TLS: Initial packet from [AF_INET6]::ffff:xx.xx.xx.xxx:57353, sid=e78e2296 031e0b6d
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx WARNING: Failed to stat CRL file, not (re)loading CRL.
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx VERIFY OK: depth=1, CN=OPENVPN
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx VERIFY KU OK
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx Validating certificate extended key usage
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx VERIFY EKU OK
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx VERIFY OK: depth=0, CN=test_user
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_VER=2.4.6
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_PLAT=mac
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_PROTO=2
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_NCP=2
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_LZ4=1
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_LZ4v2=1
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_LZO=1
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_COMP_STUB=1
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_COMP_STUBv2=1
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_TCPNL=1
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5080_3.7.6a__build_5080)"
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sep  5 03:41:45 OpenVPN openvpn[35317]: xx.xx.xx.xxx [test_user] Peer Connection Initiated with [AF_INET6]::ffff:xx.xx.xx.xxx:57353
Sep  5 03:41:45 OpenVPN openvpn[35317]: MULTI: new connection by client 'test_user' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Sep  5 03:41:45 OpenVPN openvpn[35317]: MULTI_sva: pool returned IPv4=10.8.0.102, IPv6=(Not enabled)
Sep  5 03:41:45 OpenVPN openvpn[35317]: MULTI: Learn: 10.8.0.102 -> test_user/xx.xx.xx.xxx
Sep  5 03:41:45 OpenVPN openvpn[35317]: MULTI: primary virtual IP for test_user/xx.xx.xx.xxx: 10.8.0.102
Sep  5 03:41:46 OpenVPN openvpn[35317]: TCP/UDP: Closing socket
Sep  5 03:41:46 OpenVPN openvpn[35317]: /sbin/route delete -net 10.8.0.0 10.8.0.2 255.255.255.0
Sep  5 03:41:46 OpenVPN openvpn[35317]: ERROR: FreeBSD route delete command failed: external program exited with error status: 77
Sep  5 03:41:46 OpenVPN openvpn[35317]: Closing TUN/TAP interface
Sep  5 03:41:46 OpenVPN openvpn[35317]: /sbin/ifconfig tun0 destroy
Sep  5 03:41:46 OpenVPN openvpn[35317]: FreeBSD 'destroy tun interface' failed (non-critical): external program exited with error status: 1
Sep  5 03:41:46 OpenVPN openvpn[35317]: SIGTERM[hard,] received, process exiting
Sep  5 03:41:46 OpenVPN openvpn[90018]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Sep  5 03:41:46 OpenVPN openvpn[90018]: Current Parameter Settings:
Sep  5 03:41:46 OpenVPN openvpn[90018]:   config = '/usr/local/etc/openvpn/openvpn.conf'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   mode = 1
Sep  5 03:41:46 OpenVPN openvpn[90018]:   show_ciphers = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   show_digests = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   show_engines = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   genkey = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   key_pass_file = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   show_tls_ciphers = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   connect_retry_max = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]: Connection profiles [0]:
Sep  5 03:41:46 OpenVPN openvpn[90018]:   proto = udp
Sep  5 03:41:46 OpenVPN openvpn[90018]:   local = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   local_port = '1194'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   remote = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   remote_port = '1194'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   remote_float = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   bind_defined = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   bind_local = ENABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   bind_ipv6_only = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   connect_retry_seconds = 5
Sep  5 03:41:46 OpenVPN openvpn[90018]:   connect_timeout = 120
Sep  5 03:41:46 OpenVPN openvpn[90018]:   socks_proxy_server = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   socks_proxy_port = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   tun_mtu = 1500
Sep  5 03:41:46 OpenVPN openvpn[90018]:   tun_mtu_defined = ENABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   link_mtu = 1500
Sep  5 03:41:46 OpenVPN openvpn[90018]:   link_mtu_defined = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   tun_mtu_extra = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   tun_mtu_extra_defined = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   mtu_discover_type = -1
Sep  5 03:41:46 OpenVPN openvpn[90018]:   fragment = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   mssfix = 1450
Sep  5 03:41:46 OpenVPN openvpn[90018]:   explicit_exit_notification = 1
Sep  5 03:41:46 OpenVPN openvpn[90018]: Connection profiles END
Sep  5 03:41:46 OpenVPN openvpn[90018]:   remote_random = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ipchange = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   dev = 'tun'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   dev_type = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   dev_node = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   lladdr = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   topology = 1
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ifconfig_local = '10.8.0.1'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ifconfig_remote_netmask = '10.8.0.2'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ifconfig_noexec = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ifconfig_nowarn = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ifconfig_ipv6_local = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ifconfig_ipv6_netbits = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ifconfig_ipv6_remote = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   shaper = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   mtu_test = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   mlock = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   keepalive_ping = 10
Sep  5 03:41:46 OpenVPN openvpn[90018]:   keepalive_timeout = 120
Sep  5 03:41:46 OpenVPN openvpn[90018]:   xxxxxctivity_timeout = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ping_send_timeout = 10
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ping_rec_timeout = 240
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ping_rec_timeout_action = 2
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ping_timer_remote = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   remap_sigusr1 = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   persist_tun = ENABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   persist_local_ip = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   persist_remote_ip = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   persist_key = ENABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   passtos = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   resolve_retry_seconds = 1000000000
Sep  5 03:41:46 OpenVPN openvpn[90018]:   resolve_in_advance = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   username = 'nobody'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   groupname = 'nobody'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   chroot_dir = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   cd_dir = '/usr/local/etc/openvpn/'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   writepid = '/var/run/openvpn.pid'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   up_script = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   down_script = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   down_pre = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   up_restart = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   up_delay = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   daemon = ENABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   inetd = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   log = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   suppress_timestamps = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   machine_readable_output = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   nice = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   verbosity = 4
Sep  5 03:41:46 OpenVPN openvpn[90018]:   mute = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   gremlin = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   status_file = 'openvpn-status.log'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   status_file_version = 1
Sep  5 03:41:46 OpenVPN openvpn[90018]:   status_file_update_freq = 60
Sep  5 03:41:46 OpenVPN openvpn[90018]:   occ = ENABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   rcvbuf = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   sndbuf = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   sockflags = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   fast_io = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   comp.alg = 11
Sep  5 03:41:46 OpenVPN openvpn[90018]:   comp.flags = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   route_script = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   route_default_gateway = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   route_default_metric = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   route_noexec = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   route_delay = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   route_delay_window = 30
Sep  5 03:41:46 OpenVPN openvpn[90018]:   route_delay_defined = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   route_nopull = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   route_gateway_via_dhcp = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   allow_pull_fqdn = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   route 10.8.0.0/255.255.255.0/default (not set)/default (not set)
Sep  5 03:41:46 OpenVPN openvpn[90018]:   management_addr = '127.0.0.1'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   management_port = 'xxxx'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   management_user_pass = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   management_log_history_cache = 250
Sep  5 03:41:46 OpenVPN openvpn[90018]:   management_echo_buffer_size = 100
Sep  5 03:41:46 OpenVPN openvpn[90018]:   management_write_peer_info_file = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   management_client_user = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   management_client_group = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   management_flags = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   shared_secret_file = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   key_direction = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ciphername = 'AES-256-CBC'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ncp_enabled = ENABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   authname = 'SHA1'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   prng_hash = 'SHA1'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   prng_nonce_secret_len = 16
Sep  5 03:41:46 OpenVPN openvpn[90018]:   keysize = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   engine = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   replay = ENABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   mute_replay_warnings = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   replay_window = 64
Sep  5 03:41:46 OpenVPN openvpn[90018]:   replay_time = 15
Sep  5 03:41:46 OpenVPN openvpn[90018]:   packet_id_file = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   use_iv = ENABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   test_crypto = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   tls_server = ENABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   tls_client = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   key_method = 2
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ca_file = '/usr/local/etc/openvpn/keys/ca.crt'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ca_path = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   dh_file = '/usr/local/etc/openvpn/keys/dh.pem'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   cert_file = '/usr/local/etc/openvpn/keys/openvpn-server.crt'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   extra_certs_file = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   priv_key_file = '/usr/local/etc/openvpn/keys/openvpn-server.key'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   pkcs12_file = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   cipher_list = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   tls_cert_profile = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   tls_verify = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   tls_export_cert = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   verify_x509_type = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   verify_x509_name = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   crl_file = '/crl/crl.pem'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ns_cert_type = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   remote_cert_ku[i] = 65535
Sep  5 03:41:46 OpenVPN openvpn[90018]:   remote_cert_ku[i] = 0
Sep  5 03:41:46 OpenVPN last message repeated 14 times
Sep  5 03:41:46 OpenVPN openvpn[90018]:   remote_cert_eku = 'TLS Web Client Authentication'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ssl_flags = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   tls_timeout = 2
Sep  5 03:41:46 OpenVPN openvpn[90018]:   renegotiate_bytes = -1
Sep  5 03:41:46 OpenVPN openvpn[90018]:   renegotiate_packets = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   renegotiate_seconds = 3600
Sep  5 03:41:46 OpenVPN openvpn[90018]:   handshake_window = 60
Sep  5 03:41:46 OpenVPN openvpn[90018]:   transition_window = 3600
Sep  5 03:41:46 OpenVPN openvpn[90018]:   single_session = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   push_peer_info = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   tls_exit = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   tls_auth_file = '/usr/local/etc/openvpn/keys/ta.key'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   tls_crypt_file = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   server_network = 10.8.0.0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   server_netmask = 255.255.255.0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   server_network_ipv6 = ::
Sep  5 03:41:46 OpenVPN openvpn[90018]:   server_netbits_ipv6 = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   server_bridge_ip = 0.0.0.0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   server_bridge_netmask = 0.0.0.0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   server_bridge_pool_start = 0.0.0.0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   server_bridge_pool_end = 0.0.0.0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   push_entry = 'route 192.168.0.0 255.255.255.0'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   push_entry = 'compress lz4-v2'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   push_entry = 'route 10.8.0.1'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   push_entry = 'topology net30'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   push_entry = 'ping 10'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   push_entry = 'ping-restart 120'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ifconfig_pool_defined = ENABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ifconfig_pool_start = 10.8.0.4
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ifconfig_pool_end = 10.8.0.251
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ifconfig_pool_netmask = 0.0.0.0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ifconfig_pool_persist_filename = 'ipp.txt'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ifconfig_pool_persist_refresh_freq = 600
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ifconfig_ipv6_pool_defined = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ifconfig_ipv6_pool_base = ::
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ifconfig_ipv6_pool_netbits = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   n_bcast_buf = 256
Sep  5 03:41:46 OpenVPN openvpn[90018]:   tcp_queue_limit = 64
Sep  5 03:41:46 OpenVPN openvpn[90018]:   real_hash_size = 256
Sep  5 03:41:46 OpenVPN openvpn[90018]:   virtual_hash_size = 256
Sep  5 03:41:46 OpenVPN openvpn[90018]:   client_connect_script = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   learn_address_script = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   client_disconnect_script = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   client_config_dir = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   ccd_exclusive = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   tmp_dir = '/tmp'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   push_ifconfig_defined = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   push_ifconfig_local = 0.0.0.0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   push_ifconfig_remote_netmask = 0.0.0.0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   push_ifconfig_ipv6_defined = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   push_ifconfig_ipv6_local = ::/0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   push_ifconfig_ipv6_remote = ::
Sep  5 03:41:46 OpenVPN openvpn[90018]:   enable_c2c = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   duplicate_cn = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   cf_max = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   cf_per = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   max_clients = 1024
Sep  5 03:41:46 OpenVPN openvpn[90018]:   max_routes_per_client = 256
Sep  5 03:41:46 OpenVPN openvpn[90018]:   auth_user_pass_verify_script = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   auth_user_pass_verify_script_via_file = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   auth_token_generate = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   auth_token_lifetime = 0
Sep  5 03:41:46 OpenVPN openvpn[90018]:   port_share_host = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   port_share_port = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]:   client = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   pull = DISABLED
Sep  5 03:41:46 OpenVPN openvpn[90018]:   auth_user_pass_file = '[UNDEF]'
Sep  5 03:41:46 OpenVPN openvpn[90018]: OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 26 2018
Sep  5 03:41:46 OpenVPN openvpn[90018]: library versions: OpenSSL 1.0.2j-freebsd  26 Sep 2016, LZO 2.10
Sep  5 03:41:46 OpenVPN openvpn[90019]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7464
Sep  5 03:41:46 OpenVPN openvpn[90019]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sep  5 03:41:46 OpenVPN openvpn[90019]: Diffie-Hellman initialized with 2048 bit key
Sep  5 03:41:46 OpenVPN openvpn[90019]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep  5 03:41:46 OpenVPN openvpn[90019]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep  5 03:41:46 OpenVPN openvpn[90019]: TLS-Auth MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sep  5 03:41:46 OpenVPN openvpn[90019]: ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=epair0b HWADDR=e6:71:49:90:10:85
Sep  5 03:41:46 OpenVPN openvpn[90019]: TUN/TAP device /dev/tun0 opened
Sep  5 03:41:46 OpenVPN openvpn[90019]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sep  5 03:41:46 OpenVPN openvpn[90019]: /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Sep  5 03:41:46 OpenVPN openvpn[90019]: /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
Sep  5 03:41:46 OpenVPN openvpn[90019]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sep  5 03:41:46 OpenVPN openvpn[90019]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Sep  5 03:41:46 OpenVPN openvpn[90019]: Socket Buffers: R=[42080->42080] S=[9216->9216]
Sep  5 03:41:46 OpenVPN openvpn[90019]: setsockopt(IPV6_V6ONLY=0)
Sep  5 03:41:46 OpenVPN openvpn[90019]: UDPv6 link local (bound): [AF_INET6][undef]:1194
Sep  5 03:41:46 OpenVPN openvpn[90019]: UDPv6 link remote: [AF_UNSPEC]
Sep  5 03:41:46 OpenVPN openvpn[90019]: GID set to nobody
Sep  5 03:41:46 OpenVPN openvpn[90019]: UID set to nobody
Sep  5 03:41:46 OpenVPN openvpn[90019]: MULTI: multi_init called, r=256 v=256
Sep  5 03:41:46 OpenVPN openvpn[90019]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.4', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.8', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.12', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.16', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.20', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.24', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.28', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.32', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.36', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.40', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.44', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.48', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.52', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.56', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.60', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.64', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.68', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.72', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.76', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.80', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.84', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.88', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.92', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='xxxxx,10.8.0.96', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: ifconfig_pool_read(), in='test_user,10.8.0.100', TODO: IPv6
Sep  5 03:41:46 OpenVPN openvpn[90019]: succeeded -> ifconfig_pool_set()
Sep  5 03:41:46 OpenVPN openvpn[90019]: IFCONFIG POOL LIST
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.4
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.8
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.12
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.16
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.20
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.24
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.28
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.32
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.36
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.40
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.44
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.48
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.52
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.60
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.64
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.68
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.72
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.76
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.80
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.84
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.88
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.92
Sep  5 03:41:46 OpenVPN openvpn[90019]: xxxxx,10.8.0.96
Sep  5 03:41:46 OpenVPN openvpn[90019]: test_user,10.8.0.100
Sep  5 03:41:46 OpenVPN openvpn[90019]: Initialization Sequence Completed
Sep  5 03:42:04 OpenVPN openvpn[90019]: MULTI: multi_create_instance called
Sep  5 03:42:04 OpenVPN openvpn[90019]: xx.xx.xx.xxx Re-using SSL/TLS context
Sep  5 03:42:04 OpenVPN openvpn[90019]: xx.xx.xx.xxx LZ4v2 compression initializing
Sep  5 03:42:04 OpenVPN openvpn[90019]: xx.xx.xx.xxx Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sep  5 03:42:04 OpenVPN openvpn[90019]: xx.xx.xx.xxx Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sep  5 03:42:04 OpenVPN openvpn[90019]: xx.xx.xx.xxx Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sep  5 03:42:04 OpenVPN openvpn[90019]: xx.xx.xx.xxx Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sep  5 03:42:04 OpenVPN openvpn[90019]: xx.xx.xx.xxx TLS: Initial packet from [AF_INET6]::ffff:xx.xx.xx.xxx:52270, sid=15b1de24 a050ee54
Sep  5 03:42:04 OpenVPN openvpn[90019]: xx.xx.xx.xxx WARNING: Failed to stat CRL file, not (re)loading CRL.
Sep  5 03:42:04 OpenVPN openvpn[90019]: xx.xx.xx.xxx VERIFY ERROR: depth=0, error=certificate revoked: CN=test_user
Sep  5 03:42:04 OpenVPN openvpn[90019]: xx.xx.xx.xxx OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Sep  5 03:42:04 OpenVPN openvpn[90019]: xx.xx.xx.xxx TLS_ERROR: BIO read tls_read_plaintext error
Sep  5 03:42:04 OpenVPN openvpn[90019]: xx.xx.xx.xxx TLS Error: TLS object -> incoming plaintext read error
Sep  5 03:42:04 OpenVPN openvpn[90019]: xx.xx.xx.xxx TLS Error: TLS handshake failed
Sep  5 03:42:04 OpenVPN openvpn[90019]: xx.xx.xx.xxx SIGUSR1[soft,tls-error] received, client-instance restarting

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Revoked User can still Connect / crl-verify is enabled

Post by TinCanTech » Wed Sep 05, 2018 10:17 am

It would be more interesting to see a log showing the problem not the solution ..

Re: Revoked User can still Connect / crl-verify is enabled

Post by ret411 » Wed Sep 05, 2018 12:31 pm

The problem is the first part! The user can log in although his certificate has been revoked.
I don't know if it has anything to do with the warning "Failed to stat CRL file, not (re)loading CRL".

Re: Revoked User can still Connect / crl-verify is enabled

Post by TinCanTech » Wed Sep 05, 2018 12:52 pm

ret411 wrote:
Wed Sep 05, 2018 12:31 pm
I don't know if it has anything to do with the warning "Failed to stat CRL file, not (re)loading CRL".

If openvpn cannot read the CRL file then how would it know the certificate is revoked..
In other words, Yes, that would be a/the reason.

Re: Revoked User can still Connect / crl-verify is enabled

Post by ret411 » Wed Sep 05, 2018 1:56 pm

Good to know but can you also give a technical hint why it doesn't work. I mean why and what are possible reasons for this message. The permissions for the file and the folder it is located in have 666 so user nobody should be able to access it without problems. Is there a way to find out why? I'm not a very good coder so the source code of the error message doesn't tell me much.

Re: Revoked User can still Connect / crl-verify is enabled

Post by ret411 » Wed Sep 05, 2018 3:52 pm

Ok I have removed the user nobody from the config and now let openvpn run as root and it works the way it should.

But why is it that this doesn't work with user nobody? I mean /crl/crl.pem is both 666, this should be enough?

Re: Revoked User can still Connect / crl-verify is enabled

Post by TinCanTech » Wed Sep 05, 2018 4:18 pm

All I can tell you is that openvpn could not stat the file ..

If you want me to dial in and see what you have done you can contact me privately : tincanteksup <at> gmail

Re: Revoked User can still Connect / crl-verify is enabled

Post by ret411 » Wed Sep 05, 2018 5:16 pm

Hey no thanks, I know the reason now, but I just don't understand why, when openvpn is running as user nobody, it can't access /crl/crl.pem. Even if I give the folder and the file 777 it doesn't work. It would be great if one of the developers could say something about this, maybe I made a mistake here but I have no idea where :D

Re: Revoked User can still Connect / crl-verify is enabled

Post by ret411 » Wed Sep 12, 2018 1:04 pm

Stupid ret411 :) After chown to nobody it works ^^
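
For anyone debugging the same "Failed to stat CRL file" warning: a stat() of the CRL needs search (x) permission on every directory leading to it, and mode 666 on a directory grants none, while root bypasses mode bits altogether. The script below is an added example, not part of this thread or of OpenVPN's code; the function names are hypothetical, and it prints the first path component that a given uid/gid cannot pass on the way from a base directory to the CRL.

```shell
#!/bin/sh
# Added example: find the first path component that stops a uid/gid from
# reaching the CRL. Assumption: only owner/group/other mode bits and one gid
# are evaluated; supplementary groups, ACLs, MAC policy and chroot are ignored.

# perm_triplet UID GID PATH: print the rwx triplet that applies to UID/GID.
perm_triplet() {
    line=$(ls -ldn -- "$3") || return 2
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    group=$(printf '%s\n' "$line" | awk '{print $4}')
    if   [ "$1" = "$owner" ]; then printf '%s\n' "$mode" | cut -c2-4
    elif [ "$2" = "$group" ]; then printf '%s\n' "$mode" | cut -c5-7
    else                           printf '%s\n' "$mode" | cut -c8-10
    fi
}

# crl_blocked_at UID GID BASE RELPATH: return 0 if reachable, else print the
# blocking component and return 1.
crl_blocked_at() {
    uid=$1 gid=$2 cur=$3 rest=$4
    [ "$uid" -eq 0 ] && return 0          # root bypasses mode bits
    while [ -n "$rest" ]; do
        case $(perm_triplet "$uid" "$gid" "$cur") in
            ??[xst]) ;;                   # directory grants search
            *) printf '%s\n' "$cur"; return 1 ;;
        esac
        cur=${cur%/}/${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    done
    case $(perm_triplet "$uid" "$gid" "$cur") in
        r??) return 0 ;;                  # CRL file grants read
        *) printf '%s\n' "$cur"; return 1 ;;
    esac
}

# Usage: sh crl_check.sh "$(id -u nobody)" "$(id -g nobody)" / crl/crl.pem
if [ "$#" -eq 4 ]; then crl_blocked_at "$@"; fi
```

A directory needs at least mode 755 (or 750/700 with matching ownership) for the unprivileged user to traverse it; the CRL file itself only needs to be readable.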
