
OpenVPN and crl-verify option

Posted: Sat Feb 15, 2025 6:46 pm
by marcinkk
Hello,

The case concerns: Gargoyle 1.14 and OpenVPN

If I understood correctly what happened, it works like this:

I remove one of the OpenVPN clients, which causes two lines to be added to /etc/config/openvpn:

option tls_verify '/usr/lib/gargoyle/ovpn-cn-check.sh /etc/openvpn/verified-userlist'
option crl_verify '/etc/openvpn/crl.pem'

Then after restarting the OpenVPN server, the following lines are added to the /etc/openvpn/server.conf file:

crl-verify /etc/openvpn/crl.pem
tls-verify "/usr/lib/gargoyle/ovpn-cn-check.sh /etc/openvpn/verified-userlist"

And everything works fine, except that I came across a problem where, from one day to the next, all my clients stopped connecting and the active connection stopped working. It turned out that the reason was an outdated file /etc/openvpn/crl.pem. The solution was to log into the router and add and remove a client, which renewed the crl.pem file:

Last Update: Feb 15 21:56:58 2025 GMT
Next Update: Aug 14 21:56:58 2025 GMT

And finally I get to the heart of the problem:

If the server has been running for over half a year and there was no need to add clients, the crl.pem file becomes outdated from one day to the next and it is impossible to connect to the server.

The solution is probably to log into the router to add and remove the client from time to time (let's say every 4 months), but maybe this renewal of the crl.pem file can be organized somehow in cron?

Best regards,
Marcin

Re: OpenVPN and crl-verify option

Posted: Sat Feb 15, 2025 8:43 pm
by Lantis
You are 100% correct.
I have also run into this, and implemented a back-end function to fix it a few months ago.
https://github.com/ericpaulbishop/gargo ... 46c06fb5be

I have not yet built a front end button to trigger it. It’s coming!
Thanks for posting the workaround in the meantime.

Re: OpenVPN and crl-verify option

Posted: Sun Feb 16, 2025 8:17 am
by marcinkk
Thanks for the fix.

I applied it to my openvpn.sh and added the following to crontab:

30 5 1 1,3,5,7,9,11 * . /usr/lib/gargoyle/openvpn.sh && generate_crl

Looks like it works :)

Re: OpenVPN and crl-verify option

Posted: Sun Feb 16, 2025 10:42 pm
by Lantis
Just double-check: you might also need to restart OpenVPN for it to read the new file? I'm not sure.
It will momentarily boot any connected clients, so early in the morning (as you currently have it) is a good choice.

Re: OpenVPN and crl-verify option

Posted: Sun Jul 13, 2025 1:24 pm
by Sneidereij
Hi,

I set up Gargoyle 1.14 last year and had OpenVPN working. Recently I realized that I can't connect with the Android OpenVPN client anymore. Rarely ever used it. Found this thread and tried to apply the fixes in here, but no luck.
Now running 1.15 beta 025-03-31 gargoyle on my Nanopi 4 RS and restored my 1.14 backed-up config, but still the same error.. :?

System logs show:

Sun Jul 13 19:15:06 2025 daemon.err openvpn(custom_config)[10108]: 192.168.1.211:34684 VERIFY ERROR: depth=0, subject=C=??, ST=UnknownProvince, L=UnknownCity, O=UnknownOrg, OU=UnknownOrgUnit, CN=vpnuser, emailAddress=, serial=2: The CRL is expired
Sun Jul 13 19:15:06 2025 daemon.err openvpn(custom_config)[10108]: 192.168.1.211:34684 TLS_ERROR: read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
Sun Jul 13 19:15:06 2025 daemon.err openvpn(custom_config)[10108]: 192.168.1.211:34684 TLS Error: TLS object -> incoming plaintext read error
Sun Jul 13 19:15:06 2025 daemon.err openvpn(custom_config)[10108]: 192.168.1.211:34684 TLS Error: TLS handshake failed

Do I have to generate a new CRL?
How would that work on Gargoyle? I can't figure out how this "backend function to regenerate OpenVPN CRLs" feature is supposed to work.

Re: OpenVPN and crl-verify option

Posted: Mon Jul 14, 2025 12:01 am
by Lantis
Sneidereij wrote:
Sun Jul 13, 2025 1:24 pm
Do I have to generate a new CRL?
How would that work on Gargoyle? I can't figure out how this "backend function to regenerate OpenVPN CRLs" feature is supposed to work.

Simply run

. /usr/lib/gargoyle/openvpn.sh && generate_crl
/etc/init.d/openvpn restart

This should refresh the CRL and get you back up and running.
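A cron-able check that ties the thread together, as an added example and not Gargoyle's own code: it parses the CRL's Next Update timestamp (from either `openssl crl -text` or `openssl crl -noout -nextupdate` output), reports how many days are left, flags the CRL when it is inside a renewal window (the 30-day threshold is an assumption, not a Gargoyle setting), picks the "The CRL is expired" VERIFY ERROR lines out of the system log so an outage is recognised for what it is, and only then runs the `generate_crl` and restart commands given above. The embedded CRL dates and log lines are constructed sample input copied from this thread so the checks run offline; the `logread` call in the main block assumes an OpenWrt-style router.

```python
"""Check an OpenVPN CRL for expiry and renew it before clients are locked out.

Added example, not Gargoyle's own code. Anything marked 'assumption' is ours.
"""
import re
import subprocess
from datetime import datetime, timezone

CRL_PATH = "/etc/openvpn/crl.pem"   # CRL path as used in the thread
RENEW_WITHIN_DAYS = 30              # assumption: renew this many days before nextUpdate

# Accepts both "Next Update: <time>" (openssl crl -text)
# and "nextUpdate=<time>" (openssl crl -noout -nextupdate).
_NEXT_UPDATE_RE = re.compile(r"(?:Next Update:|nextUpdate=)\s*(.+?)\s*$", re.MULTILINE)
_OPENSSL_TIME_FMT = "%b %d %H:%M:%S %Y %Z"   # e.g. "Aug 14 21:56:58 2025 GMT"

# An expired CRL shows up in the OpenVPN log as this VERIFY ERROR (quoted in the thread);
# capture the peer address and the client CN so the report says who was refused.
_CRL_EXPIRED_RE = re.compile(
    r"\]: (?P<peer>\S+) VERIFY ERROR: .*?CN=(?P<cn>[^,]*).*The CRL is expired")

# Constructed sample input: the CRL dates and log lines quoted in this thread.
SAMPLE_CRL_TEXT = """Last Update: Feb 15 21:56:58 2025 GMT
Next Update: Aug 14 21:56:58 2025 GMT
"""
SAMPLE_LOG = [
    "Sun Jul 13 19:15:06 2025 daemon.err openvpn(custom_config)[10108]: 192.168.1.211:34684 "
    "VERIFY ERROR: depth=0, subject=C=??, ST=UnknownProvince, L=UnknownCity, O=UnknownOrg, "
    "OU=UnknownOrgUnit, CN=vpnuser, emailAddress=, serial=2: The CRL is expired",
    "Sun Jul 13 19:15:06 2025 daemon.err openvpn(custom_config)[10108]: 192.168.1.211:34684 "
    "TLS_ERROR: read tls_read_plaintext error: X509 - Certificate verification failed, "
    "e.g. CRL, CA or signature check failed",
    "Sun Jul 13 19:15:06 2025 daemon.err openvpn(custom_config)[10108]: 192.168.1.211:34684 "
    "TLS Error: TLS handshake failed",
]


def parse_next_update(text):
    """Return the CRL's nextUpdate as a timezone-aware UTC datetime."""
    m = _NEXT_UPDATE_RE.search(text)
    if not m:
        raise ValueError("no nextUpdate field found in openssl output")
    # strptime accepts the literal "GMT" for %Z; OpenSSL always prints GMT here.
    return datetime.strptime(m.group(1), _OPENSSL_TIME_FMT).replace(tzinfo=timezone.utc)


def days_until_expiry(next_update, now=None):
    """Days (fractional) until the CRL stops validating; negative once it has expired."""
    now = now or datetime.now(timezone.utc)
    return (next_update - now).total_seconds() / 86400.0


def needs_renewal(next_update, now=None, threshold_days=RENEW_WITHIN_DAYS):
    """True when the CRL is expired or will expire within threshold_days."""
    return days_until_expiry(next_update, now) <= threshold_days


def crl_expired_clients(log_lines):
    """Return (peer, CN) pairs whose handshake failed because the CRL was expired."""
    hits = []
    for line in log_lines:
        m = _CRL_EXPIRED_RE.search(line)
        if m:
            hits.append((m.group("peer"), m.group("cn")))
    return hits


def read_next_update(crl_path=CRL_PATH):
    """Ask the openssl binary on the router for the CRL's nextUpdate."""
    out = subprocess.run(["openssl", "crl", "-in", crl_path, "-noout", "-nextupdate"],
                         check=True, capture_output=True, text=True).stdout
    return parse_next_update(out)


def renew_crl():
    """Regenerate the CRL and restart OpenVPN: the two commands given in this thread."""
    subprocess.run(["sh", "-c", ". /usr/lib/gargoyle/openvpn.sh && generate_crl"], check=True)
    subprocess.run(["/etc/init.d/openvpn", "restart"], check=True)


if __name__ == "__main__":
    nxt = read_next_update()
    left = days_until_expiry(nxt)
    print(f"CRL nextUpdate {nxt:%Y-%m-%d %H:%M:%S} UTC, {left:.1f} days left")
    # assumption: the router provides OpenWrt's logread; skip the scan if it does not
    try:
        log = subprocess.run(["logread"], capture_output=True, text=True).stdout.splitlines()
        for peer, cn in crl_expired_clients(log):
            print(f"client {cn!r} from {peer} was refused: CRL expired")
    except FileNotFoundError:
        pass
    if needs_renewal(nxt):
        renew_crl()
```

Run it from cron in place of the bare `generate_crl` line: it regenerates (and restarts, which briefly drops connected clients) only when the CRL is actually close to its Next Update, so a weekly or daily schedule costs nothing on the other days.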

Re: OpenVPN and crl-verify option

Posted: Mon Jul 14, 2025 9:41 am
by Sneidereij
Great, got it working again. Thanks! 8-)