A recent update to pfsense has OpenVPN version 2.5.4, which breaks 2.4.3-5.7.1 that is in OpenSUSE. Is a newer version available for OpenSUSE?
tnx jk
* James Knott james.knott@jknott.net [02-25-22 09:32]:
A recent update to pfsense has OpenVPN version 2.5.4, which breaks 2.4.3-5.7.1 that is in OpenSUSE. Is a newer version available for OpenSUSE?
09:36 crash:~ > opi openvpn You have selected package name: openvpn 1. openSUSE:Factory + | 2.5.5 | x86_64 2. network:vpn ? | 2.5.5 | x86_64 3. network:vpn ? | 2.5.5 | x86_64 5. home:dirkmueller:Factory ! | 2.5.5 | x86_64 6. home:frispete:tools ! | 2.5.5 | x86_64 7. home:stroeder:network ! | 2.5.5 | x86_64 8. home:testhans ! | 2.5.5 | x86_64 9. home:testhans ! | 2.5.5 | x86_64 10. home:Ximi1970:OpenVPN ! | 2.5.4 | x86_64 11. home:dirkmueller:Factory:Staging ! | 2.5.3 | x86_64 12. home:Alexander_Naumov:SSLmigration ! | 2.4.8 | x86_64 13. home:jejb2:Engines ! | 2.4.8 | x86_64 14. home:-miska- ! | 2.4.7 | x86_64 15. home:Ledest:bashisms ! | 2.4.2 | x86_64 16. home:leviathanch:4nt1_c3ns0r ! | 2.4.0.1449765284.4baec3e | x86_64 17. home:floewe ! | 2.4.0 | x86_64 18. home:testhans:network:network:vpn ! | 2.3.11 | x86_64 19. home:testhans:network:network:vpn ! | 2.3.11 | x86_64 20. home:rawar ! | 2.5.2 | x86_64 21. home:rawar ! | 2.5.2 | x86_64 22. home:testhans:network:network:vpn ! | 2.3.5 | x86_64 23. home:testhans:network:network:vpn ! | 2.3.5 | x86_64
* Patrick Shanahan paka@opensuse.org [02-25-22 09:39]:
- James Knott james.knott@jknott.net [02-25-22 09:32]:
A recent update to pfsense has OpenVPN version 2.5.4, which breaks 2.4.3-5.7.1 that is in OpenSUSE. Is a newer version available for OpenSUSE?
09:36 crash:~ > opi openvpn You have selected package name: openvpn
- openSUSE:Factory + | 2.5.5 | x86_64
- network:vpn ? | 2.5.5 | x86_64
- network:vpn ? | 2.5.5 | x86_64
- home:dirkmueller:Factory ! | 2.5.5 | x86_64
- home:frispete:tools ! | 2.5.5 | x86_64
- home:stroeder:network ! | 2.5.5 | x86_64
- home:testhans ! | 2.5.5 | x86_64
- home:testhans ! | 2.5.5 | x86_64
- home:Ximi1970:OpenVPN ! | 2.5.4 | x86_64
- home:dirkmueller:Factory:Staging ! | 2.5.3 | x86_64
- home:Alexander_Naumov:SSLmigration ! | 2.4.8 | x86_64
- home:jejb2:Engines ! | 2.4.8 | x86_64
- home:-miska- ! | 2.4.7 | x86_64
- home:Ledest:bashisms ! | 2.4.2 | x86_64
- home:leviathanch:4nt1_c3ns0r ! | 2.4.0.1449765284.4baec3e | x86_64
- home:floewe ! | 2.4.0 | x86_64
- home:testhans:network:network:vpn ! | 2.3.11 | x86_64
- home:testhans:network:network:vpn ! | 2.3.11 | x86_64
- home:rawar ! | 2.5.2 | x86_64
- home:rawar ! | 2.5.2 | x86_64
- home:testhans:network:network:vpn ! | 2.3.5 | x86_64
- home:testhans:network:network:vpn ! | 2.3.5 | x86_64
also: https://software.opensuse.org/package/openvpn
* James Knott james.knott@jknott.net [02-25-22 09:45]:
On 2022-02-25 9:41 a.m., Patrick Shanahan wrote:
09:36 crash:~ > opi openvpn You have selected package name: openvpn
Yes, I know about factory. However, it would be nice if it wasn't necessary to go there.
there are quite a few listed on https://software.opensuse.org/package/openvpn
they are rpm's and can easily be removed.
On 2022-02-25 9:51 a.m., Patrick Shanahan wrote:
there are quite a few listed on https://software.opensuse.org/package/openvpn
they are rpm's and can easily be removed.
My point is, given that link provides an "official" version of 2.5.5, why isn't it in the repository? If it's official enough to be available in one click, it's official enough for software update to find it without having to go elsewhere.
* James Knott james.knott@jknott.net [02-25-22 09:57]:
On 2022-02-25 9:51 a.m., Patrick Shanahan wrote:
there are quite a few listed on https://software.opensuse.org/package/openvpn
they are rpm's and can easily be removed.
My point is, given that link provides an "official" version of 2.5.5, why isn't it in the repository? If it's official enough to be available in one click, it's official enough for software update to find it without having to go elsewhere.
you don't "have to go elsewhere" but maybe you do have to refresh,
10:07 crash:~ > zypper se -sx openvpn Loading repository data... Reading installed packages...
S | Name | Type | Version | Arch | Repository ---+---------+---------+-----------+--------+------------------------ i+ | openvpn | package | 2.5.5-3.2 | x86_64 | openSUSE-Tumbleweed OSS v | openvpn | package | 2.5.5-3.2 | i586 | openSUSE-Tumbleweed OSS
On 2022-02-25 10:09 a.m., Patrick Shanahan wrote:
10:07 crash:~ > zypper se -sx openvpn Loading repository data... Reading installed packages...
That didn't work for me, even after a zypper update. I'm currently looking at software management and it still shows the old version. Software update didn't reveal anything new, as it normally runs and I am notified of updates, which I then accept. That did not happen with openvpn. Also, I just clicked on the one click link and get "Installation not possible The install link or file you opened does not contain instructions for openSUSE Leap 15.3". That page also says "There is no official package available for openSUSE Leap 15.3".
BTW, according to the OpenVPN site, v2.5.0 was available in Oct. 2020. That's well over a year ago, yet openSUSE is still on 2.4.3. I used to think FreeBSD, which pfsense runs on, tended to be behind Linux, but here it clearly isn't.
James Knott wrote:
On 2022-02-25 10:09 a.m., Patrick Shanahan wrote:
10:07 crash:~ > zypper se -sx openvpn Loading repository data... Reading installed packages...
That didn't work for me, even after a zypper update. I'm currently looking at software management and it still shows the old version. Software update didn't reveal anything new, as it normally runs and I am notified of updates, which I then accept. That did not happen with openvpn. Also, I just clicked on the one click link and get "Installation not possible The install link or file you opened does not contain instructions for openSUSE Leap 15.3". That page also says "There is no official package available for openSUSE Leap 15.3".
Patrick is on Tumbleweed.
BTW, according to the OpenVPN site, v2.5.0 was available in Oct. 2020. That's well over a year ago, yet openSUSE is still on 2.4.3.
We are keeping up with SLES. At least, I believe that is the explanation. I would do what Patrick suggested, and just upgrade from network:vpn (which has 2.5.5).
https://download.opensuse.org/repositories/network:/vpn/openSUSE_Leap_15.3
On 2022-02-25 10:34 a.m., Per Jessen wrote:
We are keeping up with SLES. At least, I believe that is the explanation. I would do what Patrick suggested, and just upgrade from network:vpn (which has 2.5.5).
https://download.opensuse.org/repositories/network:/vpn/openSUSE_Leap_15.3
"Package openvpn is broken, integrity check has failed."
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Friday, 2022-02-25 at 16:34 +0100, Per Jessen wrote:
James Knott wrote:
On 2022-02-25 10:09 a.m., Patrick Shanahan wrote:
...
BTW, according to the OpenVPN site, v2.5.0 was available in Oct. 2020. That's well over a year ago, yet openSUSE is still on 2.4.3.
We are keeping up with SLES. At least, I believe that is the explanation. I would do what Patrick suggested, and just upgrade from network:vpn (which has 2.5.5).
https://download.opensuse.org/repositories/network:/vpn/openSUSE_Leap_15.3
Indeed, but it does not show on search:
https://software.opensuse.org/package/openvpn
Says: "There is no official package available for openSUSE Leap 15.3"
There is also no "experimental package", but there are four home repos.
cer@Telcontar:~> opi openvpn 1. NetworkManager-openvpn 2. NetworkManager-openvpn-lang 3. NetworkManager-openvpn-gnome 4. NetworkManager-openvpn-debuginfo 5. NetworkManager-openvpn-debugsource 6. NetworkManager-openvpn-gnome-debuginfo 7. openvpn ...
Pick a number (0 to quit): 7 You have selected package name: openvpn 1. network:vpn ? | 2.5.5 | x86_64 2. home:Herbster0815:HTPC ! | 2.5.5 | x86_64 3. home:dliw ! | 2.5.5 | x86_64 4. home:jejb1:Tumbleweed ! | 2.5.5 | x86_64 5. home:lemmy04 ! | 2.5.5 | x86_64 6. home:zippy:jx:packages-ready ! | 2.5.5 | x86_64 7. home:Ximi1970:OpenVPN ! | 2.5.4 | x86_64 8. home:aevseev ! | 2.5.2 | x86_64 9. home:fee:platon ! | 2.4.9 | x86_64 10. home:cabelo:heroes ! | 2.4.7 | x86_64 11. home:rawar ! | 2.5.2 | x86_64 Pick a number (0 to quit):
- -- Cheers, Carlos E. R. (from openSUSE 15.3 x86_64 at Telcontar)
* James Knott james.knott@jknott.net [02-25-22 10:29]:
On 2022-02-25 10:09 a.m., Patrick Shanahan wrote:
10:07 crash:~ > zypper se -sx openvpn Loading repository data... Reading installed packages...
That didn't work for me, even after a zypper update. I'm currently looking at software management and it still shows the old version. Software update didn't reveal anything new, as it normally runs and I am notified of updates, which I then accept. That did not happen with openvpn. Also, I just clicked on the one click link and get "Installation not possible The install link or file you opened does not contain instructions for openSUSE Leap 15.3". That page also says "There is no official package available for openSUSE Leap 15.3".
odd, I really cannot understand why you cannot update tumbleweed to officially listed packages.
WAIT-A-MINUTE: somehow you neglected to mention that you were on 15.3 and not 41.8, that might be a problem.
ps: if you must use latest packages, you have chosen the wrong version of openSUSE.
Am 25.02.2022 um 15:56 schrieb James Knott:
On 2022-02-25 9:51 a.m., Patrick Shanahan wrote:
there are quite a few listed on https://software.opensuse.org/package/openvpn
they are rpm's and can easily be removed.
My point is, given that link provides an "official" version of 2.5.5, why isn't it in the repository? If it's official enough to be available in one click, it's official enough for software update to find it without having to go elsewhere.
How about first telling us which version of openSUSE you're running?
Also, you're aware of the fact that SLED/SLES and Leap won't do "version jumps"? If you want the "always latest" you'll have to use Tumbleweed.
cheers
MH
On 2022-02-25 10:16 a.m., Mathias Homann wrote:
How about first telling us which version of openSUSE you're running?
Sorry, Leap 15.3.
Also, you're aware of the fact that SLED/SLES and Leap won't do "version jumps"? If you want the "always latest" you'll have to use Tumbleweed.
OpenVPN 2.5.0 has been out since Oct. 28, 2020. That's well over a year ago. I don't consider that the latest, which is 2.5.4, which was released Oct. 5, 2021. If Leap doesn't do "version jumps" then it leaves users stuck with a broken VPN. Not doing version jumps may be fine with standalone software, but not always with software such as this, where it has to connect to a server. OpenVPN is commonly used on a variety of platforms. Yet just updating a firewall, as is my case, breaks it with Leap 15.3.
On Fri, Feb 25, 2022 at 10:33:52AM -0500, James Knott wrote:
On 2022-02-25 10:16 a.m., Mathias Homann wrote:
How about first telling us which version of openSUSE you're running?
Sorry, Leap 15.3.
Also, you're aware of the fact that SLED/SLES and Leap won't do "version jumps"? If you want the "always latest" you'll have to use Tumbleweed.
OpenVPN 2.5.0 has been out since Oct. 28, 2020. That's well over a year ago. I don't consider that the latest, which is 2.5.4, which was released Oct. 5, 2021. If Leap doesn't do "version jumps" then it leaves users stuck with a broken VPN. Not doing version jumps may be fine with standalone software, but not always with software such as this, where it has to connect to a server. OpenVPN is commonly used on a variety of platforms. Yet just updating a firewall, as is my case, breaks it with Leap 15.3.
We are currently looking at a version update of openvpn for 15.3. / SLES 15 SP3.
Ciao, marcus
On 2022-02-25 16:33, James Knott wrote:
On 2022-02-25 10:16 a.m., Mathias Homann wrote:
How about first telling us which version of openSUSE you're running?
Sorry, Leap 15.3.
Also, you're aware of the fact that SLED/SLES and Leap won't do "version jumps"? If you want the "always latest" you'll have to use Tumbleweed.
OpenVPN 2.5.0 has been out since Oct. 28, 2020. That's well over a year ago. I don't consider that the latest, which is 2.5.4, which was released Oct. 5, 2021. If Leap doesn't do "version jumps" then it leaves users stuck with a broken VPN. Not doing version jumps may be fine with standalone software, but not always with software such as this, where it has to connect to a server. OpenVPN is commonly used on a variety of platforms. Yet just updating a firewall, as is my case, breaks it with Leap 15.3.
If it is broken, you have to report it in Bugzilla.
But Marchus said they are already working on it.
On 2022-02-25 20:03, James Knott wrote:
On 2022-02-25 1:30 p.m., Carlos E. R. wrote:
If it is broken, you have to report it in Bugzilla.
My understanding is not that it's broken, but the new server is incompatible with the old client. This has happened to me before.
Same thing, a report would be in order. Not now, because they are aware and working on it.
On Fri, 25 Feb 2022 14:03:42 -0500 James Knott james.knott@jknott.net wrote:
On 2022-02-25 1:30 p.m., Carlos E. R. wrote:
If it is broken, you have to report it in Bugzilla.
My understanding is not that it's broken, but the new server is incompatible with the old client. This has happened to me before.
It's not incompatible IIUC. You simply need to reconfigure your pfsense instance to recognize the old protocol. I could post a link but given you're attitude I shan't. :P
* James Knott james.knott@jknott.net [02-25-22 17:46]:
On 2022-02-25 5:36 p.m., Dave Howorth wrote:
It's not incompatible IIUC. You simply need to reconfigure your pfsense instance to recognize the old protocol. I could post a link but given you're attitude I shan't. :P
Is that something a user can do? Or the people who built pfsense?
surely not a question, but configure your pfsense to use the old protocol perhaps look at: rpm -ql pfsense |grep conf
and look at your older config files.
Am Freitag, 25. Februar 2022, 23:49:35 CET schrieb Patrick Shanahan:
- James Knott james.knott@jknott.net [02-25-22 17:46]:
On 2022-02-25 5:36 p.m., Dave Howorth wrote:
It's not incompatible IIUC. You simply need to reconfigure your pfsense instance to recognize the old protocol. I could post a link but given you're attitude I shan't. :P
Is that something a user can do? Or the people who built pfsense?
surely not a question, but configure your pfsense to use the old protocol perhaps look at: rpm -ql pfsense |grep conf
and look at your older config files.
BTW - this is something many people run into, and neither operationg system nor openvpn can do anything about it. Ok, it's much worse when you have to deal with IPsec, but the wide spread usage of openvpn has also lead to many devices using / offering it, and not all have reasonable update/upgrade policies – and for good reason, mostly, some newer versions e.g. of OpenVPN drop downward compatibility over security concerns, leaving users (me included) with a broken VPN.
Personaly I think that's a better choice than having a potentially insecure VPN running for months or whatever. In my case it helped me understand that I had totally forgotten an old raspberry Pi in my VPN and not included it in my upgrade strategies. What an idiot I was, no damage done, though. I only noticed it when the Pi fell out of the VPN because the OS (Raspian) did not support any of the server's (tumbleweed) SSL Crypto algorithms. And the ones the client offered were considered insecure by the server. For good reason, as I said.
In a nutshell: Not OS (TW or pfsense or raspbian) are to blame, ususally. It's more user error due to lack of awareness in terms of versions, libraries and updates / upgrades and release notes. My fault, in my case, but your mileage may vary.
Am I wrong?
-
Carlos E. R. -
Dave Howorth -
James Knott -
Marcus Meissner -
Markus Feilner -
Mathias Homann -
Patrick Shanahan -
Per Jessen