
OpenVPN config migration errors upgrading from 1.3-rolling-202010280217 to 1.3-rolling-202012060217
Closed, Resolved · Public · BUG

Description

Trying to upgrade from 202010280217 to 202012060217, I get a config migration error related to the protocol udp4 line in the OpenVPN config.

Here are my OpenVPN config commands:

set interfaces openvpn vtun10 encryption cipher 'aes256gcm'
set interfaces openvpn vtun10 encryption ncp-ciphers 'aes128gcm'
set interfaces openvpn vtun10 hash 'sha256'
set interfaces openvpn vtun10 mode 'client'
set interfaces openvpn vtun10 openvpn-option '--persist-key'
set interfaces openvpn vtun10 openvpn-option '--passtos'
set interfaces openvpn vtun10 openvpn-option '--key-direction 1'
set interfaces openvpn vtun10 openvpn-option '--resolv-retry infinite'
set interfaces openvpn vtun10 openvpn-option '--proto udp4'
set interfaces openvpn vtun10 openvpn-option '--pull-filter ignore redirect-gateway'
set interfaces openvpn vtun10 openvpn-option '--route 10.0.0.0 255.255.0.0'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp4'
set interfaces openvpn vtun10 remote-host 'vpnserver.example.com'
set interfaces openvpn vtun10 remote-port '1194'
set interfaces openvpn vtun10 tls auth-file '/config/auth/my-tls.key'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/my-ca.pem'
set interfaces openvpn vtun10 tls cert-file '/config/auth/my-cert.pem'
set interfaces openvpn vtun10 tls key-file '/config/auth/my-key.pem'

The error is the following:

Traceback (most recent call last):
  File "/usr/libexec/vyos/vyos-boot-config-loader.py", line 143, in <module>
    commit_out = session.commit()
  File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 164, in commit
    out = self.__run_command([COMMIT])
  File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 136, in __run_command
    raise ConfigSessionError(output)
vyos.configsession.ConfigSessionError: [ interfaces openvpn vtun10 protocol udp4 ]
Invalid value

[[interfaces openvpn vtun10]] failed
Commit failed

set interfaces openvpn vtun10 protocol 'udp4' was accepted as valid on 202010280217 but it's not on 202012060217.

Removing the protocol line (I already have that config within the "openvpn-option"), the config is migrated successfully, but it is not working.

Checking the OpenVPN logs, I see an error related to the ncp-ciphers parameter:

Unsupported cipher in --ncp-ciphers: aes128gcm

set interfaces openvpn vtun10 encryption ncp-ciphers 'aes128gcm' is still valid on 202012060217 but isn't actually working.

Removing set interfaces openvpn vtun10 encryption ncp-ciphers 'aes128gcm' from the config allows the connection to be established (but at the cost of losing the ncp-ciphers specification).

Details

Difficulty level
Easy (less than an hour)
Version
1.3-rolling-202012060217
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Config syntax change (non-migratable)

Event Timeline

c-po changed the task status from Open to In progress. Dec 8 2020, 4:53 PM
c-po claimed this task.

Unfortunately, setting udp4 was never "valid" in the first place; this was only possible because of a wrong regex here: https://github.com/vyos/vyos-1x/blob/406083932ae62ccde5ff547ef7d7960efe0269e3/interface-definitions/interfaces-openvpn.xml.in#L345. This has already been corrected, which produces the above-mentioned result of a config that does not load.

In regards to aes128gcm, I guess it should be rendered to aes-128-gcm, as this is also not working in 1.3-rolling-202011280730, which gives the exact same error message.

In addition, there is no need to specify --resolv-retry, as this is the default:

By default, --resolv-retry infinite is enabled. You can disable by setting n=0.

c-po changed the task status from In progress to Needs testing. Dec 8 2020, 7:38 PM
c-po triaged this task as High priority.
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po changed Why the issue appeared? from Will be filled on close to Implementation mistake.
In T3117#81576, @c-po wrote:

Unfortunately, setting udp4 was never "valid" in the first place; this was only possible because of a wrong regex here: https://github.com/vyos/vyos-1x/blob/406083932ae62ccde5ff547ef7d7960efe0269e3/interface-definitions/interfaces-openvpn.xml.in#L345. This has already been corrected, which produces the above-mentioned result of a config that does not load.

OK, I understand that maybe "udp4" was never meant to be a valid value for the VyOS config, but it is a valid value for the OpenVPN config: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
Why not include udp4, udp6, tcp4 and tcp6 within the regex and actually honor them while generating the OpenVPN config?

Anyway, that explains why "protocol udp4" never really worked and why I had to manually set it using "openvpn-option" ^^'

Thanks

Using udp4/6 can be automated depending on whether there is a v6 listen address or not; I will keep this in mind, thanks for the hint.
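An added example, not VyOS or OpenVPN code, that ties together the two points raised in this task: the protocol value the corrected regex rejects, and the aes128gcm name that reaches OpenVPN unchanged and is refused in --ncp-ciphers. It lints set commands like those in the description; the accepted protocol values (udp, tcp-active, tcp-passive) are an assumption about the 1.3 CLI, and the cipher mapping beyond c-po's aes128gcm to aes-128-gcm case is an assumed generalisation.

```python
import re
# Added example (not VyOS code). Node names, the accepted protocol values and the
# AES cipher-name mapping are assumptions; only aes128gcm -> aes-128-gcm is from the task.
SET_RE = re.compile(r"^set interfaces openvpn (\S+) (.+?)(?: '([^']*)')?$")
PROTOCOL_VALUES = {"udp", "tcp-active", "tcp-passive"}  # udp4/udp6/tcp4/tcp6 absent
CIPHER_RE = re.compile(r"^aes(128|192|256)(gcm)?$")      # VyOS-style cipher names

# Constructed from the report: 'protocol udp4' and the same thing as a raw option.
SAMPLE = """
set interfaces openvpn vtun10 encryption cipher 'aes256gcm'
set interfaces openvpn vtun10 encryption ncp-ciphers 'aes128gcm'
set interfaces openvpn vtun10 openvpn-option '--proto udp4'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp4'
"""

def render_cipher(name: str) -> str:
    """'aes128gcm' -> 'aes-128-gcm'; names outside the AES family are rejected."""
    m = CIPHER_RE.match(name)
    if not m:
        raise ValueError(f"Unsupported cipher in --ncp-ciphers: {name}")
    bits, gcm = m.groups()
    return f"aes-{bits}-{'gcm' if gcm else 'cbc'}"

def parse_set_commands(text: str) -> dict:
    """Collect node path -> list of values; valueless nodes get ''."""
    nodes = {}
    for line in text.strip().splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            raise ValueError(f"not an openvpn set command: {line!r}")
        _iface, node, value = m.groups()
        nodes.setdefault(node, []).append(value or "")
    return nodes

def lint(nodes: dict) -> list:
    """Findings worded like the commit error, plus the duplicate-protocol case."""
    findings = []
    for proto in nodes.get("protocol", []):
        if proto not in PROTOCOL_VALUES:
            findings.append(f"[ protocol {proto} ] Invalid value")
    raw = [o for o in nodes.get("openvpn-option", []) if o.startswith("--proto ")]
    if raw and "protocol" in nodes:  # two places for one setting can disagree
        findings.append(f"protocol given twice: {nodes['protocol'][0]!r} and {raw[0]!r}")
    for name in nodes.get("encryption ncp-ciphers", []):
        try:
            render_cipher(name)
        except ValueError as exc:
            findings.append(str(exc))
    return findings
```

Running `lint(parse_set_commands(SAMPLE))` reports the udp4 protocol value and the duplicated --proto setting; the aes128gcm entry passes because it is rendered to aes-128-gcm before OpenVPN sees it.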