iptables_web failing on startup 2.9.6

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
reddogg
OpenVpn Newbie
Posts: 2
Joined: Tue Nov 30, 2021 2:26 pm

iptables_web failing on startup 2.9.6

Post by reddogg » Tue Nov 30, 2021 2:28 pm

Unable to hit the UI, I am thinking it is due to the iptables_web failing to install/configure.
Running on CentOS 7.

I am also seeing this in the log files, does this have anything to do with it?

/usr/local/openvpn_as/lib/python/cryptography-3.2.1-py3.6-linux-x86_64.egg/cryptography/hazmat/backends/openssl/backend.py:235:
UserWarning: OpenSSL FIPS mode is enabled. Can't enable DRBG fork safety.

reddogg
OpenVpn Newbie
Posts: 2
Joined: Tue Nov 30, 2021 2:26 pm

Re: iptables_web failing on startup 2.9.6

Post by reddogg » Tue Nov 30, 2021 2:59 pm

Upgraded to 2.10, same issue.
Any suggestions?

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 474
Joined: Tue Feb 16, 2021 10:41 am

Re: iptables_web failing on startup 2.9.6

Post by openvpn_inc » Tue Nov 30, 2021 6:35 pm

Hi red,

Please check the output of this:

Code: Select all

alternatives --display iptables
It should point to iptables-legacy.

But we think the issue is related to FIPS mode; the iptables-web issue is probably separate. We are looking at it and will post again.

Regards, rob0
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 474
Joined: Tue Feb 16, 2021 10:41 am

Re: iptables_web failing on startup 2.9.6

Post by openvpn_inc » Tue Nov 30, 2021 9:49 pm

Hi again dogg,

It appears we might have a bug with FIPS mode. Please open a Support ticket at the link in my signature. Thanks.

Regards, rob0
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

chilinux
OpenVPN Power User
Posts: 143
Joined: Thu Mar 28, 2013 8:31 am

Re: iptables_web failing on startup 2.9.6

Post by chilinux » Wed Dec 01, 2021 5:17 am

There seems to be two different things going on in this thread.

First is the UI coming up and the second is the warning produced by the Python Cryptography module. I believe they aren't related as the warning is no fatal and the module continues.

So, for the UI, the following commands might help to troubleshoot what is going on:

Code: Select all

iptables -nL INPUT | grep :443
ss -ntlp | grep :443
Those should show if the AS0_ACCEPT has been added to the INPUT chain in iptables. It should also show if openvpn-openssl process is running and listening on port 443.

If both of those commands produce expected results then it is installing the iptables rule and actively listening on the port. I think the next most likely cause of the problem is something with zope.

It should be noted that 2.9.6 is no longer the latest version of OpenVPN AS and you might want to try 2.10.0.

As to the warning from the Python Cryptography module, it looks like there is an issue with forking the already initialized random number generator when using OpenSSL version 1.0.2k that is bundled with CentOS 7. Looking at the python code making up the Cryptography module, it looks like if OpenSSL is version 1.1.1d or higher then the warning will no longer apply. The EPEL (Extra Packages for Enterprise Linux) for CentOS 7 has OpenSSL version 1.1.1k which would fix the potential issue which is causing the warning. It is just a matter of if OpenVPN AS is willing to support EPEL's OpenSSL for CentOS 7.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 474
Joined: Tue Feb 16, 2021 10:41 am

Re: iptables_web failing on startup 2.9.6

Post by openvpn_inc » Wed Dec 15, 2021 6:03 pm

chilinux wrote:
Wed Dec 01, 2021 5:17 am
As to the warning from the Python Cryptography module, it looks like there is an issue with forking the already initialized random number generator when using OpenSSL version 1.0.2k that is bundled with CentOS 7. Looking at the python code making up the Cryptography module, it looks like if OpenSSL is version 1.1.1d or higher then the warning will no longer apply. The EPEL (Extra Packages for Enterprise Linux) for CentOS 7 has OpenSSL version 1.1.1k which would fix the potential issue which is causing the warning. It is just a matter of if OpenVPN AS is willing to support EPEL's OpenSSL for CentOS 7.
Hi,

I don't believe AS will do this. Our packages are built against the system default openssl. You can try and see if your EPEL openssl will work, but I'd expect to have some obscure warnings about library incompatibilities.

The better long-term fix might be to move to RHEL/CentOS 8.

regards, rob0
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

chilinux
OpenVPN Power User
Posts: 143
Joined: Thu Mar 28, 2013 8:31 am

Re: iptables_web failing on startup 2.9.6

Post by chilinux » Wed Dec 15, 2021 10:14 pm

openvpn_inc wrote:
Wed Dec 15, 2021 6:03 pm
chilinux wrote:
Wed Dec 01, 2021 5:17 am
As to the warning from the Python Cryptography module, it looks like there is an issue with forking the already initialized random number generator when using OpenSSL version 1.0.2k that is bundled with CentOS 7. Looking at the python code making up the Cryptography module, it looks like if OpenSSL is version 1.1.1d or higher then the warning will no longer apply. The EPEL (Extra Packages for Enterprise Linux) for CentOS 7 has OpenSSL version 1.1.1k which would fix the potential issue which is causing the warning. It is just a matter of if OpenVPN AS is willing to support EPEL's OpenSSL for CentOS 7.
Hi,

I don't believe AS will do this. Our packages are built against the system default openssl. You can try and see if your EPEL openssl will work, but I'd expect to have some obscure warnings about library incompatibilities.

The better long-term fix might be to move to RHEL/CentOS 8.

regards, rob0
OpenSSL v1.1 is a different API/ABI than OpenSSL v1.0. It isn't possible to treat it as a drop in replacement. Rather it has to be selected at compile time. So, I would have to compile my own Python Cryptography module and replace the OpenVPN AS provided one after each upgrade. This would result in an unsupported product defeating the point of getting a commercially packaged version of OpenVPN.

To fully switch the product over to OpenSSL v1.1 would also required recompiling/replacing the bundled Python mysql client module and the openvpn-openssl executable as well.

I will just stick with the limitations of how OpenVPN AS chooses to package it for CentOS 7.

It is also odd to refer to CentOS 8 as a better long-term fix. End of Life is December 31, 2021 which as of the time I writing this is only 16 days away.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 474
Joined: Tue Feb 16, 2021 10:41 am

Re: iptables_web failing on startup 2.9.6

Post by openvpn_inc » Fri Dec 17, 2021 4:12 pm

Hi chilinux,

Point taken about CentOS 8. I did not know EOL was coming up so soon! We do support Ubuntu 20.04 and Debian 10 & 11 also, but Red Hat support is lagging. Sorry for the inconvenience.

regards, rob0
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post Reply