iptables_web failing on startup 2.9.6
-
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Nov 30, 2021 2:26 pm
iptables_web failing on startup 2.9.6
Unable to hit the UI, I am thinking it is due to the iptables_web failing to install/configure.
Running on CentOS 7.
I am also seeing this in the log files, does this have anything to do with it?
/usr/local/openvpn_as/lib/python/cryptography-3.2.1-py3.6-linux-x86_64.egg/cryptography/hazmat/backends/openssl/backend.py:235:
UserWarning: OpenSSL FIPS mode is enabled. Can't enable DRBG fork safety.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Nov 30, 2021 2:26 pm
Re: iptables_web failing on startup 2.9.6
Upgraded to 2.10, same issue.
Any suggestions?
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: iptables_web failing on startup 2.9.6
Hi red,
Please check the output of this:
Code: Select all
alternatives --display iptables
It should point to iptables-legacy.
But we think the issue is related to FIPS mode; the iptables-web issue is probably separate. We are looking at it and will post again.
Regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: iptables_web failing on startup 2.9.6
Hi again dogg,
It appears we might have a bug with FIPS mode. Please open a Support ticket at the link in my signature. Thanks.
Regards, rob0
OpenVPN Inc.
-
- OpenVPN Power User
- Posts: 156
- Joined: Thu Mar 28, 2013 8:31 am
Re: iptables_web failing on startup 2.9.6
There seem to be two different things going on in this thread.
First is the UI coming up and the second is the warning produced by the Python Cryptography module. I believe they aren't related, as the warning is not fatal and the module continues.
So, for the UI, the following commands might help to troubleshoot what is going on:
Code: Select all
iptables -nL INPUT | grep :443
ss -ntlp | grep :443
Those should show if the AS0_ACCEPT has been added to the INPUT chain in iptables. It should also show if the openvpn-openssl process is running and listening on port 443.
If both of those commands produce expected results then it is installing the iptables rule and actively listening on the port. I think the next most likely cause of the problem is something with zope.
It should be noted that 2.9.6 is no longer the latest version of OpenVPN AS and you might want to try 2.10.0.
As to the warning from the Python Cryptography module, it looks like there is an issue with forking the already initialized random number generator when using OpenSSL version 1.0.2k that is bundled with CentOS 7. Looking at the Python code making up the Cryptography module, it looks like if OpenSSL is version 1.1.1d or higher then the warning will no longer apply. The EPEL (Extra Packages for Enterprise Linux) for CentOS 7 has OpenSSL version 1.1.1k, which would fix the potential issue that is causing the warning. It is just a matter of whether OpenVPN AS is willing to support EPEL's OpenSSL for CentOS 7.
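The post above describes the hazard behind the "Can't enable DRBG fork safety" warning without showing it. The following is an added illustration, not code from this thread, from OpenVPN AS or from the pyca/cryptography project: a seeded userspace generator stands in for an already-initialised DRBG (random.Random is used only to make the duplication deterministic; it is not a cryptographic generator), and the `enable_fork_safety` hook models what a fork-safety mechanism does, namely reseeding the child's copy of the generator from the kernel right after fork(). Without the hook, parent and child draw identical "random" values; with it, they diverge. The function and hook names are hypothetical.

```python
import os
import random
import struct


def make_drbg(seed: int = 12345) -> random.Random:
    """Stand-in for an already-initialised userspace DRBG.

    Illustration only: random.Random is a Mersenne Twister, not a CSPRNG.
    It is seeded deterministically so the fork duplication is reproducible.
    """
    rng = random.Random(seed)
    rng.getrandbits(64)  # consume some output so the state is "in use" before fork()
    return rng


def enable_fork_safety(rng: random.Random) -> None:
    """Model of a DRBG fork-safety hook (hypothetical name).

    After fork() the child holds a byte-for-byte copy of the parent's generator
    state. The hook reseeds the child's copy from the kernel (os.urandom) so
    the two processes stop producing the same output stream.
    """
    os.register_at_fork(
        after_in_child=lambda: rng.seed(int.from_bytes(os.urandom(32), "big"))
    )


def draw_after_fork(fork_safe: bool) -> tuple:
    """Fork once and return (parent_value, child_value), one 64-bit draw each.

    fork_safe=False reproduces the unsafe situation the warning describes:
    both processes continue from the same inherited state.
    fork_safe=True installs the reseed hook first.
    """
    rng = make_drbg()
    if fork_safe:
        enable_fork_safety(rng)

    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: draw one value, send it to the parent, exit
        os.close(read_end)
        os.write(write_end, struct.pack(">Q", rng.getrandbits(64)))
        os.close(write_end)
        os._exit(0)

    # parent: collect the child's draw, then take its own
    os.close(write_end)
    data = b""
    while len(data) < 8:
        chunk = os.read(read_end, 8 - len(data))
        if not chunk:
            break
        data += chunk
    os.close(read_end)
    os.waitpid(pid, 0)

    parent_value = rng.getrandbits(64)
    child_value = struct.unpack(">Q", data)[0]
    return parent_value, child_value


if __name__ == "__main__":
    p, c = draw_after_fork(fork_safe=False)
    print(f"no fork safety : parent={p:016x} child={c:016x} same={p == c}")
    p, c = draw_after_fork(fork_safe=True)
    print(f"fork safety on : parent={p:016x} child={c:016x} same={p == c}")
```

For a service like the AS web process, which forks workers after the library has initialised its generator, the unsafe case means two processes can hand out the same nonce, session ID or key material. The real fix is the one the thread identifies: a library build whose generator reseeds on fork, rather than an application-level workaround.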
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: iptables_web failing on startup 2.9.6
Hi,
chilinux wrote: Wed Dec 01, 2021 5:17 am
As to the warning from the Python Cryptography module, it looks like there is an issue with forking the already initialized random number generator when using OpenSSL version 1.0.2k that is bundled with CentOS 7. Looking at the Python code making up the Cryptography module, it looks like if OpenSSL is version 1.1.1d or higher then the warning will no longer apply. The EPEL (Extra Packages for Enterprise Linux) for CentOS 7 has OpenSSL version 1.1.1k, which would fix the potential issue that is causing the warning. It is just a matter of whether OpenVPN AS is willing to support EPEL's OpenSSL for CentOS 7.
I don't believe AS will do this. Our packages are built against the system default openssl. You can try and see if your EPEL openssl will work, but I'd expect to have some obscure warnings about library incompatibilities.
The better long-term fix might be to move to RHEL/CentOS 8.
regards, rob0
OpenVPN Inc.
-
- OpenVPN Power User
- Posts: 156
- Joined: Thu Mar 28, 2013 8:31 am
Re: iptables_web failing on startup 2.9.6
openvpn_inc wrote: Wed Dec 15, 2021 6:03 pm
Hi,
chilinux wrote: Wed Dec 01, 2021 5:17 am
As to the warning from the Python Cryptography module, it looks like there is an issue with forking the already initialized random number generator when using OpenSSL version 1.0.2k that is bundled with CentOS 7. Looking at the Python code making up the Cryptography module, it looks like if OpenSSL is version 1.1.1d or higher then the warning will no longer apply. The EPEL (Extra Packages for Enterprise Linux) for CentOS 7 has OpenSSL version 1.1.1k, which would fix the potential issue that is causing the warning. It is just a matter of whether OpenVPN AS is willing to support EPEL's OpenSSL for CentOS 7.
I don't believe AS will do this. Our packages are built against the system default openssl. You can try and see if your EPEL openssl will work, but I'd expect to have some obscure warnings about library incompatibilities.
The better long-term fix might be to move to RHEL/CentOS 8.
regards, rob0
OpenSSL v1.1 is a different API/ABI than OpenSSL v1.0. It isn't possible to treat it as a drop-in replacement. Rather, it has to be selected at compile time. So, I would have to compile my own Python Cryptography module and replace the OpenVPN AS provided one after each upgrade. This would result in an unsupported product, defeating the point of getting a commercially packaged version of OpenVPN.
To fully switch the product over to OpenSSL v1.1 would also require recompiling/replacing the bundled Python mysql client module and the openvpn-openssl executable as well.
I will just stick with the limitations of how OpenVPN AS chooses to package it for CentOS 7.
It is also odd to refer to CentOS 8 as a better long-term fix. End of Life is December 31, 2021, which as of the time I am writing this is only 16 days away.
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: iptables_web failing on startup 2.9.6
Hi chilinux,
Point taken about CentOS 8. I did not know EOL was coming up so soon! We do support Ubuntu 20.04 and Debian 10 & 11 also, but Red Hat support is lagging. Sorry for the inconvenience.
regards, rob0
OpenVPN Inc.