FEDORA-2017-0ffb8246fa created by dsommers 4 years ago for Fedora 25
stable

Mainly a package maintenance update but does also fix a particular systemd unit file issue with the old and deprecated openvpn@.service unit file.

How to install

sudo dnf upgrade --advisory=FEDORA-2017-0ffb8246fa

This update has been submitted for testing by dsommers.

4 years ago

This update has been pushed to testing.

4 years ago
User Icon alexpl commented & provided feedback 4 years ago
karma

Problem solved, but I think both #1435831 and the new config should have been dealt with differently. An announcement on devel was certainly warranted and for the rest of our users it would have been even better if there was an announcement somewhere visible, like fedora magazine. When the old configurations start failing, I don't expect there will be many people searching for README.systemd (which is very useful with the examples and all) in /usr/share/doc.

BZ#1435036 openvpn-2.4.1 is available
BZ#1435831 openvpn@.service uses --daemon and --writepid
User Icon dimitrisk commented & provided feedback 4 years ago
karma

Works here, after creating the /etc/openvpn/server directory and moving config files there.

On the client side, NetworkManager-controlled, no change was needed.

BZ#1435831 openvpn@.service uses --daemon and --writepid
User Icon cserpentis commented & provided feedback 4 years ago
karma

works for me still, no regressions noted

This update has been submitted for stable by bodhi.

4 years ago
User Icon jayjayjazz commented & provided feedback 4 years ago
karma

Works fine on x86_64.

BZ#1435036 openvpn-2.4.1 is available
User Icon dsommers commented & provided feedback 4 years ago

@dimitrisk, I will have a new 2.4.1-3 update soon which takes care of the /etc/openvpn/{client,server} directories and fixes a lot of the rpmlint issues as well.

@alexpl, I completely agree that the process around v2.4 have been incredibly ugly. I appreciate the work of former package maintainers, they've done a great job over a long period of time. Unfortunately, the state of the package had drifted away from upstream expectations and there was a lot of legacy cruft which in several areas was just wrong. So despite the v2.4 upgrade not really being this dramatic, it turned out way more ugly than I wanted. And in all this, I didn't consider the state of openvpn@.service carefully enough. The initial plan was that users of openvpn@.service wouldn't notice this at all in F25 and F26, but there were some entanglements I didn't consider carefully enough. Depending on how F25/F26 goes with all this fixed, I will consider if openvpn@.service deprecation will be postponed from F27 to F28. And I will certainly send mails to Fedora ML once the dust settles. Silly of me not doing that in the beginning.

Again, I'm truly sorry about this mess. But I'm the type of person who seldom looks back and rather tries to fix issues ASAP and move forward.

This update has been pushed to stable.

4 years ago
User Icon anonymous commented & provided feedback 4 years ago

Not sure if this is the correct place to add this feedback, but the Update from 2.3 to 2.4 broke OpenVPN completely for me. I rely on a config with a static tls-auth file and OpenVPN 2.4 just refuses to read the key from that file with:

Mar 31 10:44:11 kandalingo nm-openvpn[15831]: Insufficient key material or header text not found in file '/home/bascht/.cert/customer-abc/tls-auth.txt' (0/128/256 bytes found/min/max)

Manually downgrading OpenVPN to 2.3.14-1.fc25 fixes the problem.

I'm posting this here, as it might help someone else later. ;-)

User Icon dsommers commented & provided feedback 4 years ago

@anonymous, This sounds like an invalid tls-auth key file. Earlier versions could somehow try to make some sense out of it. But most commonly that would result in a weaker security compared to using a proper key file. The reason I believe this is due to the last part of the line "(0/128/256 bytes found/min/max)". It means it didn't find any keying material at all, and it expects at least 128 bits.

Users experiencing these issues must update their keys ASAP, regardless of OpenVPN version. The recommended way is to let OpenVPN generate the key: $ openvpn --secret tls-auth.key --genkey


Please login to add feedback.

Metadata
Type
enhancement
Karma
4
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-2
Stable by Karma
3
Stable by Time
disabled
Dates
submitted
4 years ago
in testing
4 years ago
in stable
4 years ago
BZ#1435036 openvpn-2.4.1 is available
0
2
BZ#1435831 openvpn@.service uses --daemon and --writepid
0
2

Automated Test Results