iptables_web failing on startup 2.9.6

Posted: Tue Nov 30, 2021 2:28 pm
by reddogg
Unable to hit the UI, I am thinking it is due to the iptables_web failing to install/configure.
Running on CentOS 7.

I am also seeing this in the log files, does this have anything to do with it?

/usr/local/openvpn_as/lib/python/cryptography-3.2.1-py3.6-linux-x86_64.egg/cryptography/hazmat/backends/openssl/backend.py:235:
UserWarning: OpenSSL FIPS mode is enabled. Can't enable DRBG fork safety.

Re: iptables_web failing on startup 2.9.6

Posted: Tue Nov 30, 2021 2:59 pm
by reddogg
Upgraded to 2.10, same issue.
Any suggestions?

Re: iptables_web failing on startup 2.9.6

Posted: Tue Nov 30, 2021 6:35 pm
by openvpn_inc
Hi red,

Please check the output of this:

    alternatives --display iptables

It should point to iptables-legacy.

But we think the issue is related to FIPS mode; the iptables-web issue is probably separate. We are looking at it and will post again.

Regards, rob0

Re: iptables_web failing on startup 2.9.6

Posted: Tue Nov 30, 2021 9:49 pm
by openvpn_inc
Hi again dogg,

It appears we might have a bug with FIPS mode. Please open a Support ticket at the link in my signature. Thanks.

Regards, rob0

Re: iptables_web failing on startup 2.9.6

Posted: Wed Dec 01, 2021 5:17 am
by chilinux
There seems to be two different things going on in this thread.

First is the UI coming up and the second is the warning produced by the Python Cryptography module. I believe they aren't related, as the warning is not fatal and the module continues.

So, for the UI, the following commands might help to troubleshoot what is going on:

    iptables -nL INPUT | grep :443
    ss -ntlp | grep :443

Those should show if the AS0_ACCEPT has been added to the INPUT chain in iptables. It should also show if openvpn-openssl process is running and listening on port 443.

If both of those commands produce expected results then it is installing the iptables rule and actively listening on the port. I think the next most likely cause of the problem is something with zope.

It should be noted that 2.9.6 is no longer the latest version of OpenVPN AS and you might want to try 2.10.0.

As to the warning from the Python Cryptography module, it looks like there is an issue with forking the already initialized random number generator when using OpenSSL version 1.0.2k that is bundled with CentOS 7. Looking at the python code making up the Cryptography module, it looks like if OpenSSL is version 1.1.1d or higher then the warning will no longer apply. The EPEL (Extra Packages for Enterprise Linux) for CentOS 7 has OpenSSL version 1.1.1k which would fix the potential issue which is causing the warning. It is just a matter of if OpenVPN AS is willing to support EPEL's OpenSSL for CentOS 7.
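An added example, not code from the thread: a POSIX shell script that runs the two checks chilinux lists (an AS0_ACCEPT rule for port 443 in the INPUT chain, and a process listening on TCP 443) and tests an `openssl version` string against the 1.1.1d cutoff the post mentions. The sample `iptables -nL INPUT` and `ss -ntlp` output is constructed for this example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Sample command output below is
# constructed to look like `iptables -nL INPUT` and `ss -ntlp` on an AS host.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
AS0_ACCEPT tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*     users:(("openvpn-openssl",pid=2311,fd=9))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=840,fd=3))'

# Exit 0 if the INPUT chain has a rule for dport 443 whose target is AS0_ACCEPT.
as0_rule_present() {
    printf '%s\n' "$1" | grep -q 'AS0_ACCEPT.*dpt:443'
}

# Print the name of the process listening on TCP 443; exit 1 if there is none.
listener_on_443() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" && $4 ~ /:443$/ {
        if (match($0, /"[^"]+"/)) { print substr($0, RSTART + 1, RLENGTH - 2); found = 1 }
    } END { exit found ? 0 : 1 }'
}

# Combine both checks into one verdict: rule-missing, not-listening, or ok:<process>.
diagnose() {
    if ! as0_rule_present "$1"; then echo "rule-missing"; return 1; fi
    proc=$(listener_on_443 "$2") || { echo "not-listening"; return 1; }
    echo "ok:$proc"
}

# Exit 0 when an `openssl version` line is 1.1.1d or newer (the cutoff chilinux
# reads from the cryptography module); exit 1 for 1.0.2k or an older 1.1.1 letter.
openssl_at_least_111d() {
    printf '%s\n' "$1" | awk '{
        split($2, p, "[.-]"); letter = p[3]; sub(/^[0-9]+/, "", letter); fix = p[3] + 0
        if (p[1] != 1 || p[2] != 1) exit !(p[1] > 1 || (p[1] == 1 && p[2] > 1))
        if (fix != 1) exit !(fix > 1)
        exit !(letter >= "d")
    }'
}

# `sh check.sh --live` queries the real host (needs root); otherwise use the samples.
if [ "${1:-}" = "--live" ]; then
    diagnose "$(iptables -nL INPUT)" "$(ss -ntlp)" || true
else
    diagnose "$SAMPLE_IPTABLES" "$SAMPLE_SS"
fi
```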

Re: iptables_web failing on startup 2.9.6

Posted: Wed Dec 15, 2021 6:03 pm
by openvpn_inc
chilinux wrote:
Wed Dec 01, 2021 5:17 am
As to the warning from the Python Cryptography module, it looks like there is an issue with forking the already initialized random number generator when using OpenSSL version 1.0.2k that is bundled with CentOS 7. Looking at the python code making up the Cryptography module, it looks like if OpenSSL is version 1.1.1d or higher then the warning will no longer apply. The EPEL (Extra Packages for Enterprise Linux) for CentOS 7 has OpenSSL version 1.1.1k which would fix the potential issue which is causing the warning. It is just a matter of if OpenVPN AS is willing to support EPEL's OpenSSL for CentOS 7.
Hi,

I don't believe AS will do this. Our packages are built against the system default openssl. You can try and see if your EPEL openssl will work, but I'd expect to have some obscure warnings about library incompatibilities.

The better long-term fix might be to move to RHEL/CentOS 8.

regards, rob0

Re: iptables_web failing on startup 2.9.6

Posted: Wed Dec 15, 2021 10:14 pm
by chilinux
openvpn_inc wrote:
Wed Dec 15, 2021 6:03 pm
chilinux wrote:
Wed Dec 01, 2021 5:17 am
As to the warning from the Python Cryptography module, it looks like there is an issue with forking the already initialized random number generator when using OpenSSL version 1.0.2k that is bundled with CentOS 7. Looking at the python code making up the Cryptography module, it looks like if OpenSSL is version 1.1.1d or higher then the warning will no longer apply. The EPEL (Extra Packages for Enterprise Linux) for CentOS 7 has OpenSSL version 1.1.1k which would fix the potential issue which is causing the warning. It is just a matter of if OpenVPN AS is willing to support EPEL's OpenSSL for CentOS 7.
Hi,

I don't believe AS will do this. Our packages are built against the system default openssl. You can try and see if your EPEL openssl will work, but I'd expect to have some obscure warnings about library incompatibilities.

The better long-term fix might be to move to RHEL/CentOS 8.

regards, rob0
OpenSSL v1.1 is a different API/ABI than OpenSSL v1.0. It isn't possible to treat it as a drop-in replacement. Rather, it has to be selected at compile time. So, I would have to compile my own Python Cryptography module and replace the OpenVPN AS provided one after each upgrade. This would result in an unsupported product, defeating the point of getting a commercially packaged version of OpenVPN.

To fully switch the product over to OpenSSL v1.1 would also require recompiling/replacing the bundled Python mysql client module and the openvpn-openssl executable as well.

I will just stick with the limitations of how OpenVPN AS chooses to package it for CentOS 7.

It is also odd to refer to CentOS 8 as a better long-term fix. End of Life is December 31, 2021, which as of the time I am writing this is only 16 days away.

Re: iptables_web failing on startup 2.9.6

Posted: Fri Dec 17, 2021 4:12 pm
by openvpn_inc
Hi chilinux,

Point taken about CentOS 8. I did not know EOL was coming up so soon! We do support Ubuntu 20.04 and Debian 10 & 11 also, but Red Hat support is lagging. Sorry for the inconvenience.

regards, rob0