Problem after upgrade to FreeBSD 14 + OpenSSL 3.0.12 + openvpn-2.6.8_1
Date: Wed, 13 Dec 2023 03:11:29 UTC
Hello, I recently upgraded my server from FreeBSD 13.2 RELEASE to FreeBSD 14.0 RELEASE through `freebsd-update`.

```
# freebsd-version
14.0-RELEASE-p2
#
# openssl version
OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
# pkg info openvpn
openvpn-2.6.8_1
Name           : openvpn
Version        : 2.6.8_1
Installed on   : Tue Dec 12 06:31:48 2023 WIB
Origin         : security/openvpn
Architecture   : FreeBSD:14:amd64
Prefix         : /usr/local
Categories     : security net-vpn net
Licenses       : GPLv2
Maintainer     : mandree@FreeBSD.org
WWW            : https://openvpn.net/community/
Comment        : Secure IP/Ethernet tunnel daemon
[...]
```

The server has a static public IP address: xxx.xxx.xxx.xxx and port yyyy. Here is the server config file:

```
# cat /usr/local/etc/openvpn/server.conf
auth SHA512
block-ipv6
ca /usr/local/etc/openvpn/easy-rsa/pki/ca.crt
cert /usr/local/etc/openvpn/easy-rsa/pki/issued/server.crt
cipher AES-256-GCM
client-config-dir /usr/local/etc/openvpn/client
client-to-client
comp-lzo no
crl-verify /usr/local/etc/openvpn/easy-rsa/pki/crl.pem
data-ciphers-fallback AES-256-GCM
dev tun
dh /usr/local/etc/openvpn/easy-rsa/pki/dh.pem
explicit-exit-notify 1
group openvpn
keepalive 10 120
key /usr/local/etc/openvpn/easy-rsa/pki/private/server.key
log /var/log/openvpn/openvpn.log
management 127.0.0.1 5555
mode server
mssfix 1300
persist-key
persist-tun
port 5276
proto udp
remote-cert-tls client
server 10.10.10.0 255.255.255.192
status /var/log/openvpn/openvpn-status.log
tls-auth /usr/local/etc/openvpn/easy-rsa/pki/ta.key 0
tls-server
topology subnet
user openvpn
verb 3
```

Here's the client config file:

```
auth SHA512
auth-nocache
block-ipv6
ca ca.crt
cert debian-notebook.crt
cipher AES-256-GCM
client
comp-lzo no
data-ciphers-fallback AES-256-GCM
dev tun
group openvpn
key debian-notebook.key
key-direction 1
mssfix 1300
nobind
persist-key
persist-tun
proto udp
pull
remote xxx.xxx.xxx.xxx yyyy
remote-cert-tls server
resolv-retry infinite
tls-auth ta.key 1
tls-client
tun-mtu 1400
user openvpn
```

```
$ openvpn --cd /home/gorgo34/OpenVPN/debian-notebook --config /home/gorgo34/OpenVPN/debian-notebook/debian-notebook.ovpn --user nm-openvpn --group nm-openvpn --verb 7
[...]
2023-12-12 07:03:20 us=871299 PID packet_id_init seq_backtrack=64 time_backtrack=15
2023-12-12 07:03:20 us=871358 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2023-12-12 07:03:20 us=871441 RESOLVE_REMOTE flags=0x0901 phase=1 rrs=0 sig=-1 status=0
2023-12-12 07:03:20 us=871468 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1400 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2023-12-12 07:03:20 us=871638 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1450,tun-mtu 1400,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
2023-12-12 07:03:20 us=871664 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1450,tun-mtu 1400,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
2023-12-12 07:03:20 us=872128 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:yyyy
2023-12-12 07:03:20 us=872192 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-12-12 07:03:20 us=872225 UDPv4 link local: (not bound)
2023-12-12 07:03:20 us=872250 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:yyyy
2023-12-12 07:03:20 us=872291 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2023-12-12 07:03:20 us=872436 UDPv4 WRITE [86] to [AF_INET]xxx.xxx.xxx.xxx:yyyy: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 2841816366 2747393343 3149774151 2247557595 79918646 222246832 2279635438 2210223064 1110919018 4038725619 2597812489 4061187237 1572602542 2849809962 1023269392 2723005440 357 2007189504 ] pid=0 DATA len=0
2023-12-12 07:03:23 us=124080 UDPv4 WRITE [86] to [AF_INET]xxx.xxx.xxx.xxx:yyyy: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 2687882917 2515430512 3146129724 2740581522 2576673828 509356166 2814162362 3931692693 2748318109 2158624646 4185598108 2496273228 3952469924 611125254 2606796327 738870016 613 2007189504 0 ]
^C2023-12-12 07:03:26 us=549481 event_wait : Interrupted system call (fd=-1,code=4)
2023-12-12 07:03:26 us=549557 PID packet_id_free
2023-12-12 07:03:26 us=549644 PID packet_id_free
2023-12-12 07:03:26 us=549687 PID packet_id_free
2023-12-12 07:03:26 us=549718 PID packet_id_free
2023-12-12 07:03:26 us=549808 PID packet_id_free
2023-12-12 07:03:26 us=549855 PID packet_id_free
2023-12-12 07:03:26 us=549891 PID packet_id_free
2023-12-12 07:03:26 us=549922 PID packet_id_free
2023-12-12 07:03:26 us=550145 TCP/UDP: Closing socket
2023-12-12 07:03:26 us=550223 PID packet_id_free
2023-12-12 07:03:26 us=550268 SIGINT[hard,] received, process exiting
2023-12-12 07:03:26 us=550320 PKCS#11: Terminating openssl
2023-12-12 07:03:26 us=550371 PKCS#11: Removing providers
2023-12-12 07:03:26 us=550404 PKCS#11: Releasing sessions
2023-12-12 07:03:26 us=550434 PKCS#11: Terminating slotevent
2023-12-12 07:03:26 us=550466 PKCS#11: Marking as uninitialized
[...]
```

Does anyone have a clue how to resolve this issue?

--
Thanks.

--
Regards,
Budi Janto