Jan 2024 VPN Beta changes: breakage (and a fix) on Linux

Advanced feature discussion, beta programs and unsupported "Labs" features.
by forest » Sun Jan 21, 2024 5:58 pm
Tuesday's VPN Beta maintenance made a change that requires downloading a new VPN profile, as stated in Sonic's last status update. Linux users may notice that the new profile doesn't work when imported into NetworkManager.

The problem is that Sonic switched from OpenVPN's tls-auth feature to tls-crypt-v2, which is not correctly handled by NetworkManager's importer.

You can fix the imported profile with the nmcli command line tool. Here's what to type:
  • nmcli connection edit <connection-name>
  • goto vpn.data
  • change
  • move the cursor to the part that says tls-crypt, change it to tls-crypt-v2, and press Enter.
  • back
  • save
  • quit
Note that the incorrect entry might be named something like ta instead of tls-crypt. As long as its value points to a file path ending in "tls-crypt-v2.pem", it's the right one.

The entry might also be missing entirely, depending on how you imported the profile. In that case, you can add it by editing the connection in NetworkManager's GUI, and setting Advanced: TLS Settings: Mode: TLS-Auth. Then apply your change and fix it as described above.
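
A non-interactive version of the rename described in the post above, as an added example that is not part of the original post. It assumes vpn.data is printed as "key = value" pairs separated by ", " and that paths contain no commas, colons or backslashes; the function name fix_vpn_data, the connection name and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# fix_vpn_data: take a NetworkManager vpn.data string and rename the entry
# whose value ends in "tls-crypt-v2.pem" from "tls-crypt" or "ta" to
# "tls-crypt-v2". Prints the corrected string.
# Exit status 1 means no entry points at a tls-crypt-v2.pem file at all
# (the "missing entirely" case), so nothing should be written back.
fix_vpn_data() {
    printf '%s\n' "$1" | awk '
    {
        n = split($0, entry, /, */)
        out = ""; found = 0
        for (i = 1; i <= n; i++) {
            eq = index(entry[i], "=")
            if (eq == 0) {                      # not a key = value pair: keep as is
                out = out (i > 1 ? ", " : "") entry[i]
                continue
            }
            key = substr(entry[i], 1, eq - 1)
            val = substr(entry[i], eq + 1)
            gsub(/^ +| +$/, "", key)
            gsub(/^ +| +$/, "", val)
            if (val ~ /tls-crypt-v2\.pem$/) {
                found = 1
                if (key == "tls-crypt" || key == "ta") key = "tls-crypt-v2"
            }
            out = out (i > 1 ? ", " : "") key " = " val
        }
        print out
        exit (found ? 0 : 1)
    }'
}

# Constructed sample, shaped like an imported profile with the wrong key name.
sample='ca = /home/u/vpn/ca.pem, connection-type = password, ta = /home/u/vpn/profile-tls-crypt-v2.pem'
fix_vpn_data "$sample"

# Applying it to a real connection (placeholder name; review the output first):
#   name='<connection-name>'
#   old=$(nmcli -g vpn.data connection show "$name")
#   new=$(fix_vpn_data "$old") && nmcli connection modify "$name" vpn.data "$new"
```
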
by js9erfan » Tue Jan 23, 2024 6:28 am
For pfSense users, you can get around tls-crypt-v2 by generating a new profile:

Go here, click profiles management, uncheck tls-crypt-v2 and create.

pfSense supports tls-crypt but not v2 (yet).

The other issue related to pfSense is that Sonic has used the same CN (OpenVPN CA) for both of their CAs, which confuses pfSense and the cert path when pairing both servers in a gateway group. For now it's one server or the other, defeating the purpose of failover. Using unique CA CNs would resolve this issue, though I'm not sure that will happen anytime soon, unfortunately.