-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenVPN Ver 2.6.12 Connectivity Issue with OpenVPN Connect V3 #639
Comments
Are you running OpenVPN from command line as administrator or from OpenVPN-GUI as limited user or some other way? When the key stops working (after Connect V3 install), could you check whether the certificate shows as private key available? If the certificate is in the machine store, also check that permissions on the private key does not change. |
I'm using OpenVPN-Gui run by my user account (run no as Admin) and install certificate for my user by certmgr.msc |
Check the private key associated with the certificate is still present in user store or not after the Connect V3 install. |
I'm out of ideas. You may want to check whether the cert and key is accessible as user using, say, powershell. Something must be changing when Connect V3 is installed and the certificate is linked -- I do not use Connect so I have no way to reproduce this. |
I asked the OpenVPN Connect team they have an idea what could cause this issue and their response is the following:
That does not really answer the question why it is not working in this case but it indicates that there are scenarios where OpenVPN Connect messes with the keys it uses. |
One question that came back is what specific version of OpenVPN Connect you are using since the statement that I written before only applies to the latest 3.5.0 version of Connect. Older version used the older API. |
In OpenVN~-GUI~ we use CNG API so that could not be the issue. In fact the user says 2.4 works(!) which was probably using the legacy API. Also, we do not look for certificates in "OpenVPN Certificate Store" -- we only scan system stores for current-user and local machine. If OpenVPN Connect only migrates certificates in its own custom store, I suppose it should not affect us. We'll need to reproduce this to know what exactly is going on. |
Regarding use of CNG API: The fact that 2.4 works and 2.6 does not, to me it appears the opposite to be the case: in 2.6 we only support CNG keys, not legacy ones. Does older Connect versions move the key to a legacy provider? @Cancer-zern on re-installing the certificate, does it work under both Connect and OpenVPN-GUI ? |
I will check it today and let you know |
yep, if I re-install certificate for windows certificate storage as certmgr.msc then 2.6.* start working and connect also working with same certificate what I've installed before. But if I will install new certificate to OpenVPN connect, then all certificates for 2.6.* stop working again. |
|
|
OpenVPN 2.6.12 and OpenVPN-Connect V3.4.4 is working fine together |
I could not reproduce this with Connect 3.5.1 (A 100 MB download and 300 MB installed space -- ahem) and OpenVPN 2.6.11 (also tried git master version). Uploaded the same certificate as used by OpenVPN 2.6 via I did not test how Connect 3.5.0 behaves. See screenshots below showing certificates in the two stores -- here I'm using the one named "mra.." that can be seen to be present in two stores. |
Windows 11 Enterprise Same error as before
Enough install certificate for openvpn-connect-3.5.1.3946 and v2.6.12 is stop working |
Windows 10 Enterprise Same error as before
Enough install certificate for openvpn-connect-3.5.1.3946 and v2.6.12 is stop working |
Windows 11 Enterprise and Windows 10 Enterprise We are checking with freshly installed OS every time |
|
The powershell output "before" and "after" doesn't show any significant difference in my view. The handle change may be just because the certificate enumeration has changed after Connect added one to its custom store. All other parameters are the same and nothing to indicate why the original certificate and key could stop being usable from OpenVPN 2.6. FWIW, I also modified OpenVPN source to use "OpenVPN Certificate Store", and that also succeeds indicating that the certificate uploaded by Connect V3 is compatible with OpenVPN 2.6. But this should not matter as we only read the store "MY" for the user and machine. No idea how to reproduce the error you see. |
After openvpn-connect-3.5.1.3946 installation and import certificate, authentification on web panels stopped working with cert:\CurrentUser\My\
|
This is turning out to be a Connect issue isn't it, as it's not just OpenVPN 2 that's affected? If so, please report to connect customer support. |
Sure, I've added a ticket for https://support.openvpn.com/ ticket id 532649 |
There was an issue with OpenVPN V 2.6.12 logs are mentioned below
Logs:
2024-11-04 11:35:49 Error in cryptoapicert: failed to acquire key. Key not present or is in a legacy token not supported by Windows CNG API: Keyset does not exist (errno=-2146893802)
Troubleshooting:
We face that issue when we have both applications on the same PC. After connecting OpenVPN Connect V3, we will get this error in OpenVPN V 2.6.12.
Note:
We don't have this error while using OpenVPN V 2.4./2.5. with OpenVPN Connect V3.
The text was updated successfully, but these errors were encountered: