Gargoyle Forum

Hello,

The case concerns: Gargoyle 1.14 and OpenVPN

If I understood correctly what happened, it works like this:

I remove one of the OpenVPN clients which causes two lines to be added to /etc/config/openvpn:
Then after restarting the OpenVPN server, the following lines are added to the /etc/openvpn/server.conf file:
And everything works fine, except I came across a problem of this type, that from one day to the next all my clients stopped connecting and the active connection stopped working. It turned out that the reason was an outdated file /etc/openvpn/crl.pem. The solution was to log into the router, and add and remove the client, which renewed the crl.pem file: And finally I get to the heart of the problem:

If the server has been running for over half a year and there was no need to add clients, the crl.pem file becomes outdated from one day to the next and it is impossible to connect to the server.

The solution is probably to log into the router to add and remove the client from time to time (let's say every 4 months), but maybe this renewal of the crl.pem file can be organized somehow in cron?

Best regards,
Marcin

You are 100% correct.
I also have run into this, and have implemented a back end function to fix it a few months ago.
https://github.com/ericpaulbishop/gargo ... 46c06fb5be

I have not yet built a front end button to trigger it. It’s coming!
Thanks for posting the workaround in the meantime.

Thanks for the fix.

I applied it to my openvpn.sh and added the following to crontab:
Looks like it works

Just double check you might also need to do an OpenVPN restart to read the new file? I’m not sure.
It will momentarily boot any connected clients so early in the morning (as you currently have it) is a good choice.

Hi,

I setup Gargoyle 1.14 last year and had OpenVPN working. Recently realized that I can't connect with the Android OpenVPN client anymore. Rarely every used it. Found this thread and tried to apply the fixes in here but no luck.
Now running 1.15 beta 025-03-31 gargoyle on my Nanopi 4 RS and restored my 1.14 backed up config but still same error..

System logs show
Do I have to generate a new CRL ?
How would that work on Gargoyle ? I can't figure out how this "backend function to regenerate OpenVPN CRLs" feature is supposed to work.

Sneidereij wrote: ↑

Sun Jul 13, 2025 1:24 pm

Hi,

I setup Gargoyle 1.14 last year and had OpenVPN working. Recently realized that I can't connect with the Android OpenVPN client anymore. Rarely every used it. Found this thread and tried to apply the fixes in here but no luck.
Now running 1.15 beta 025-03-31 gargoyle on my Nanopi 4 RS and restored my 1.14 backed up config but still same error..

System logs show

Code: Select all

Sun Jul 13 19:15:06 2025 daemon.err openvpn(custom_config)[10108]: 192.168.1.211:34684 VERIFY ERROR: depth=0, subject=C=??, ST=UnknownProvince, L=UnknownCity, O=UnknownOrg, OU=UnknownOrgUnit, CN=vpnuser, emailAddress=, serial=2: The CRL is expired
Sun Jul 13 19:15:06 2025 daemon.err openvpn(custom_config)[10108]: 192.168.1.211:34684 TLS_ERROR: read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
Sun Jul 13 19:15:06 2025 daemon.err openvpn(custom_config)[10108]: 192.168.1.211:34684 TLS Error: TLS object -> incoming plaintext read error
Sun Jul 13 19:15:06 2025 daemon.err openvpn(custom_config)[10108]: 192.168.1.211:34684 TLS Error: TLS handshake failed

Do I have to generate a new CRL ?
How would that work on Gargoyle ? I can't figure out how this "backend function to regenerate OpenVPN CRLs" feature is supposed to work.

Simply run
. /usr/lib/gargoyle/openvpn.sh && generate_crl
/etc/init.d/openvpn restart

This should refresh the CRL and get you back up and running

Great, got it working again. Thanks!