OpenVPN 2.3.5 - few issues. Serious TAP adapter problems mostly.

[michal.sokolowski]

I've got felling that if TAP adapter's version is higher then I experience more violence from OpenVPN. :-)

Issues:

• reinstall issues from version openvpn-install-2.3.4-I003 to openvpn-install-2.3.5-I001, TAP adapter does not install at all in reinstallation mode. (new)
• TAP adapter hangs and doesn't want to reconnect. (new)
• when tap adapter hangs I can't kill openvpn.exe process any more, only system reboot seems to help. I see this issue since 2.3.4-I002. (old)

OSes affected: Windows 7 x64, Windows 8 x64 (clean installs in VMware) and probably others too.
openvpn-install-2.3.4-I003 and I002 work fine.

Client config:

remote server.foobar.com 1194
dev tap
client
auth-user-pass
ca ca.crt
comp-lzo
nobind
keepalive 10 30
resolv-retry 120 # This sets the time for which openvpn will try to resolve a hostname before giving up
mute 5
verb 1
ping-timer-rem
persist-key

Server config:

dev tap0
mode server
port 1195
multihome
same IP address
client-to-client # allow client to client connections
tls-server
dh /etc/openvpn/ekoinwest/certs/dh2048.pem
ca /etc/openvpn/ekoinwest/certs/ca.crt
cert /etc/openvpn/ekoinwest/certs/centurion.ekoinwest.local.crt
key /etc/openvpn/ekoinwest/certs/centurion.ekoinwest.local.key
crl-verify /etc/openvpn/ekoinwest/certs/crl.pem
comp-lzo
user nobody
group nogroup
keepalive 5 15
persist-tun
persist-key
verb 1
mute 1
log-append /var/log/openvpn_ekoinwest.log

Client log:

Thu Nov 06 11:41:17 2014 Warning: cannot open --log file: C:\Program Files\OpenVPN\log\client_ekoinwest.log: Odmowa dostêpu.   (errno=5)
Thu Nov 06 11:41:17 2014 OpenVPN 2.3.5 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 28 2014
Thu Nov 06 11:41:17 2014 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.05
Thu Nov 06 11:41:23 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Nov 06 11:41:23 2014 UDPv4 link local: [undef]
Thu Nov 06 11:41:23 2014 UDPv4 link remote: [AF_INET]217.153.158.230:1194
Thu Nov 06 11:41:23 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Nov 06 11:41:23 2014 [centurion.ekoinwest.local] Peer Connection Initiated with [AF_INET]217.153.158.230:1194
Thu Nov 06 11:41:25 2014 open_tun, tt->ipv6=0
Thu Nov 06 11:41:25 2014 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{17553B12-AEB3-4BDF-AC95-E4927AAB7965}.tap
Thu Nov 06 11:41:30 2014 Initialization Sequence Completed
Thu Nov 06 11:41:40 2014 [centurion.ekoinwest.local] Inactivity timeout (--ping-restart), restarting

Gui status: still connected. Nothing else happens. Cert auth is affected either. Please do not blame LDAP plugin.

In log file I have only:

Thu Nov 06 11:40:20 2014 OpenVPN 2.3.5 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 28 2014
Thu Nov 06 11:40:20 2014 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.05
Enter Management Password:
Thu Nov 06 11:40:31 2014 ERROR: could not read Auth username/password/ok/string from management interface
Thu Nov 06 11:40:31 2014 Exiting due to fatal error

Server log:

Does not log anything. :(
I'll restart openvpn service later, because my users are working now. I'll paste it here.

Despription:
Server:

root@centurion:~# openvpn --version
OpenVPN 2.3.4 x86_64-slackware-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 14 2014
library versions: OpenSSL 0.9.8zb 6 Aug 2014, LZO 2.03
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=no enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

Please let me know if I can add any other info.

[michal.sokolowski]

screenshot, połączony means - connected, oczekiwanie na zakończenie means waiting for exit of ovpn process

[Gert Döring]

You're sure you installed I001? This behaviour has been observed with the new tap driver (I601) - for which a new version will show up next week.

Samuli, did you roll I001 installers with the tap6 driver?

[Steffan Karger]

For context on the I601 issues, check ticket #432. There's a link to a new (test) version of the tap driver there too.

[michal.sokolowski]

Replying to cron2:

You're sure you installed I001? This behaviour has been observed with the new tap driver (I601) - for which a new version will show up next week.

Yes, sir.

[michal.sokolowski]

More info about reinstallation problem. I've attached screenshot.

Let me know if u need translation.

Usługa zarządzania sterownikami zakończyła proces instalacji sterownika NULL Driver dla wystąpienia urządzenia o identyfikatorze ROOT\NET\0000 z następującym stanem: 0xE0000203.

Usługa zarządzania sterownikami zakończyła proces instalacji sterownika oemvista.inf_amd64_60e27a40aa3a5bf6\oemvista.inf dla wystąpienia urządzenia o identyfikatorze ROOT\NET\0000 z następującym stanem: 0x0.

[michal.sokolowski]

Full uninstall is required.

[michal.sokolowski]

Okay, tap-windows-9.21.1 fixes at least:

• TAP adapter hangs and doesn't want to reconnect. (new)
• #316

Thank you!