Hi, forwarding this Debian report for visibility:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136961 where a user reports OpenVPN stopped passing traffic after upgrading the server kernel from 6.12.86-1 to 6.12.88-1 from trixie-security.

---

Package: openvpn
Version: 2.6.14-1+deb13u1
Severity: important
X-Debbugs-Cc: [email protected]

Dear Maintainer,

   * What led up to the situation?

linux-image-amd64 was updated to latest version 6.12.88-1 from trixie security to fix recent security vulnerabilities.

   * What exactly did you do (or not do) that was effective (or ineffective)?

Our production server was updated first and staging server was left on previous version of linux kernel 6.12.86-1

   * What was the outcome of this action?

This broke the production vpn - I can connect and get an ip address but cannot ping 9.9.9.9 or browse any websites (sometimes I need to lower the link mtu of tun0 interface to 1250 but that did not have any effect).

Staging vpn continued to work normally - ping 9.9.9.9 or browse any website.

So I removed the 6.12.88-1 kernel package from production and vpn started working again.

   * What outcome did you expect instead?

We should be able to update the kernel to get the recent security fixes.

From the above observations I think this breakage is related to the recent kernel update - which affects ipsec related parts - though not sure if openvpn also depends on the same subsystem.

I'm not sure what logs would be relevant here, but I have a snapshot of the vm that was not working and can run any tests or get any logs.

Attaching the server configuration for reference (ansible template which gets copied to server).

-- System Information:
Debian Release: forky/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 7.0.4+deb14-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.92
ii  libc6                  2.42-16
ii  libcap-ng0             0.9.3-1
ii  liblz4-1               1.10.0-10
ii  liblzo2-2              2.10-3+b2
ii  libnl-3-200            3.12.0-2+b1
ii  libnl-genl-3-200       3.12.0-2+b1
ii  libpam0g               1.7.0-5+b2
ii  libpkcs11-helper1t64   1.31.0-1+b2
ii  libssl3t64             3.6.2-1
ii  libsystemd0            260.1-1

Versions of packages openvpn recommends:
ii  easy-rsa  3.2.6-1

Versions of packages openvpn suggests:
ii  openssl                       3.6.2-1
ii  openvpn-systemd-resolved      1.3.0-5+b1
ii  systemd-resolved [resolvconf] 260.1-1

-- debconf information:
  openvpn/create_tun: false

-- Server config:
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1136961;filename=server.conf.j2;msg=5

--
Ralf Lici
Mandelbit Srl

