> On 29. Nov 2023, at 12:23, Antonio Quartulli <a...@unstable.cc> wrote:
>
> Hi,
>
> On 29/11/2023 11:21, Aleksandar Ivanisevic wrote:
>> what is your openssl version, maybe that has something to do with it? mine is
>> OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
>
> Same as yours. You can see it in my previous email:
>
> 2023-11-28 15:01:34 us=767885 library versions: OpenSSL 3.0.11 19 Sep 2023,
> LZO 2.10
>
>>> Do you see this error upon *every* client connect?
>> yes, every connect is the same sequence (on verb 4):
>
> makes sense, because if the file has somehow changed and loading fails, it
> will retry every time.

yes, but the same exact config with the only addition being "providers legacy default" does not show the error?

> Could you please share your config?
> It may contain important details that otherwise we can only speculate on.

here it is:

-----------------------------------
mode server
tls-server
management 127.0.0.1 5001
script-security 3
multihome
topology subnet
push "topology subnet"
ifconfig 192.168.13.1 255.255.255.0
ifconfig-pool 192.168.13.10 192.168.13.253 255.255.255.0
route-gateway 192.168.13.1
push "route-gateway 192.168.13.1"
push "route 192.168.13.0 255.255.255.0"
inactive 900
port 5001
proto udp
dev tun0
mute-replay-warnings
passtos
# https://github.com/wangyu-/UDPspeeder/wiki/UDPspeeder-openvpn-config-guide
# but it can be useful in general
sndbuf 2000000
rcvbuf 2000000
txqueuelen 4000
push "sndbuf 2000000"
push "rcvbuf 2000000"
ca /home/support/config/vpn/ca.crt
key /home/support/config/vpn/ca.key
cert /home/support/config/vpn/server.crt
crl-verify /home/support/config/vpn/2e.crl
dh /home/support/config/vpn/dh2048.pem
# send notifications for more graceful server and client restarts
explicit-exit-notify 1
push "explicit-exit-notify"
keepalive 10 30
comp-lzo
max-clients 150
user root
group root
persist-key
persist-tun
status /var/run/openvpn/openvpn-status.log
# maybe fix the spurious ssl errors like
# OpenSSL: error:0308010C:digital envelope routines::unsupported while reading CRL
providers legacy default
route-up /home/support/config/vpn/routes.sh
down /home/support/config/vpn/routes.sh
client-config-dir /home/support/config/vpn/ccd
ccd-exclusive
verb 4
----------------

the rest is just a bunch of route xxxx push "route xxx"

routes.sh is

------------------
#!/bin/sh

action=$6

logger "routes.sh $@"

case "$action" in
init|restart)
    systemctl try-restart nftables
    systemctl try-restart snmpd
    ;;
esac

exit 0

this is the systemd unit, I'm actually mounting the config dir read only, one reason less for the crl to change

$ systemctl cat openvpn-server@qbs
# /lib/systemd/system/openvpn-server@.service
[Unit]
Description=OpenVPN service for %I
After=network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process
RestartSec=5s
Restart=on-failure

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/openvpn-server@qbs.service.d/openvpn.service.conf
# copy or symlink to /etc/systemd/system/openvpn-server@qbs.service.d/openvpn.service.conf
[Service]
BindReadOnlyPaths=/home/support/config/vpn
ProtectHome=tmpfs

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
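A quick check for the CRL question in this thread, added here as an example and not part of the mailing list post or of OpenVPN: it asks OpenSSL 3 directly whether a CRL parses with the default provider alone or only once the legacy provider is added (what "providers legacy default" does for the server), and prints the CRL's signature algorithm. It assumes an OpenSSL 3.x `openssl` binary on PATH; the throwaway CA and CRL it builds are constructed test data, not the files from the config above.

```shell
#!/bin/sh
# Added example, not from the thread: does a CRL load under OpenSSL 3 with
# the default provider alone, or only once the legacy provider is added
# (the effect of "providers legacy default" in the server config)?
# Assumes an OpenSSL 3.x 'openssl' binary on PATH.

# Print the CRL's signature algorithm (e.g. sha256WithRSAEncryption).
crl_sig_alg() {
    openssl crl -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Succeed when openssl parses the CRL using exactly the named providers.
# Usage: crl_loads_with FILE PROVIDER [PROVIDER...]
crl_loads_with() {
    crl=$1; shift
    args=""
    for p in "$@"; do args="$args -provider $p"; done
    # shellcheck disable=SC2086  # $args is meant to be word-split
    openssl crl $args -in "$crl" -noout >/dev/null 2>&1
}

# Print "default" (parses with default alone), "legacy" (needs legacy too)
# or "none" (unreadable either way, e.g. missing file or not a CRL).
crl_provider_needed() {
    if crl_loads_with "$1" default; then echo default
    elif crl_loads_with "$1" legacy default; then echo legacy
    else echo none
    fi
}

# Build a throwaway CA and an empty SHA-256 CRL in a temp dir so the check
# can run offline; prints the CRL path. Constructed data, not real files.
make_test_crl() {
    d=$(mktemp -d)
    : > "$d/index.txt"
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\ndefault_ca=t\n[t]\n' \
        > "$d/ca.cnf"
    printf 'database=%s\ndefault_md=sha256\n' "$d/index.txt" >> "$d/ca.cnf"
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/ca.key" -out "$d/ca.crt" -subj /CN=crl-test -days 1 \
        >/dev/null 2>&1
    openssl ca -gencrl -config "$d/ca.cnf" -keyfile "$d/ca.key" \
        -cert "$d/ca.crt" -crldays 1 -out "$d/test.crl" >/dev/null 2>&1
    echo "$d/test.crl"
}

if [ "$#" -eq 1 ]; then
    echo "$1: $(crl_sig_alg "$1"), loads with: $(crl_provider_needed "$1")"
fi
```

Run it as `sh crlcheck.sh /path/to/2e.crl` on the server; a result of "legacy" means the CRL only parses once the legacy provider is loaded, "default" means the provider line is not what changed its behaviour.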