From ea440ad4a693b1630a431295b2d0e7478e992dac Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sat, 14 Mar 2026 11:34:59 +0100
Subject: [PATCH 1/2] chore(deps): update dependency openvpn/easy-rsa to v3.2.6
(#1480)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [OpenVPN/easy-rsa](https://redirect.github.com/OpenVPN/easy-rsa) |
patch | `3.2.5` → `3.2.6` |
---
### Release Notes
OpenVPN/easy-rsa (OpenVPN/easy-rsa)
### [`v3.2.6`](https://redirect.github.com/OpenVPN/easy-rsa/releases/tag/v3.2.6): 3.2.6
[Compare Source](https://redirect.github.com/OpenVPN/easy-rsa/compare/v3.2.5...v3.2.6)
#### What's Changed
- CI: Enable shell switch errexit by
[@TinCanTech](https://redirect.github.com/TinCanTech) in
[#1417](https://redirect.github.com/OpenVPN/easy-rsa/pull/1417)
- V325 326 minor touches by
[@TinCanTech](https://redirect.github.com/TinCanTech) in
[#1421](https://redirect.github.com/OpenVPN/easy-rsa/pull/1421)
- Inline sub ca v1 by
[@TinCanTech](https://redirect.github.com/TinCanTech) in
[#1423](https://redirect.github.com/OpenVPN/easy-rsa/pull/1423)
- X509-Type ca: Enable 'basicConstraints = critical' for CA/subCA
certificates by
[@TinCanTech](https://redirect.github.com/TinCanTech) in
[#1428](https://redirect.github.com/OpenVPN/easy-rsa/pull/1428)
- Import tls key v1 by
[@TinCanTech](https://redirect.github.com/TinCanTech) in
[#1429](https://redirect.github.com/OpenVPN/easy-rsa/pull/1429)
- import\_tls\_key(): Use set\_no\_clobber() to preserve existing key
file by [@TinCanTech](https://redirect.github.com/TinCanTech) in
[#1430](https://redirect.github.com/OpenVPN/easy-rsa/pull/1430)
**Full Changelog**:
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/angristan/openvpn-install).
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot]
---
openvpn-install.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index a59c90db0..e0b34c865 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -9,8 +9,8 @@
# Configuration constants
readonly DEFAULT_CERT_VALIDITY_DURATION_DAYS=3650 # 10 years
readonly DEFAULT_CRL_VALIDITY_DURATION_DAYS=5475 # 15 years
-readonly EASYRSA_VERSION="3.2.5"
-readonly EASYRSA_SHA256="662ee3b453155aeb1dff7096ec052cd83176c460cfa82ac130ef8568ec4df490"
+readonly EASYRSA_VERSION="3.2.6"
+readonly EASYRSA_SHA256="c2572990ce91112eef8d1b8e4a3b58790da95b68501785c621f69121dfbd22d7"
# =============================================================================
# Logging Configuration
From 63448d542defa86c6c687bd320deff36a78cdaee Mon Sep 17 00:00:00 2001
From: Stanislas
Date: Sat, 14 Mar 2026 14:42:06 +0100
Subject: [PATCH 2/2] fix: test client connectivity both before and after cert
renewal (#1481)
- Fix fingerprint CI test that started consistently failing after the
EasyRSA 3.2.6 update
- The client config was copied to `/shared/` before server cert renewal
changed the fingerprint, causing a TLS handshake failure race condition
- Instead of just fixing the race, add proper two-phase connectivity
testing: client connects before renewal, server renews certs, client
reconnects with the updated config
---
test/client-entrypoint.sh | 89 ++++++++++++++++++++++++++++++---------
test/server-entrypoint.sh | 44 ++++++++++---------
2 files changed, 93 insertions(+), 40 deletions(-)
diff --git a/test/client-entrypoint.sh b/test/client-entrypoint.sh
index a7406eed2..de23a13ee 100755
--- a/test/client-entrypoint.sh
+++ b/test/client-entrypoint.sh
@@ -12,6 +12,29 @@ fi
echo "TUN device ready"
+test_dns_resolution() {
+ local label="$1"
+ local success=false
+ echo "$label: Testing DNS resolution via Unbound ($VPN_GATEWAY)..."
+ for i in $(seq 1 10); do
+ DIG_OUTPUT=$(dig @"$VPN_GATEWAY" example.com +short +time=5 2>&1)
+ if [ -n "$DIG_OUTPUT" ] && ! echo "$DIG_OUTPUT" | grep -qi "timed out\|SERVFAIL\|connection refused"; then
+ success=true
+ break
+ fi
+ echo "DNS attempt $i failed:"
+ echo "$DIG_OUTPUT"
+ sleep 2
+ done
+ if [ "$success" = true ]; then
+ echo "PASS: DNS resolution through Unbound works"
+ else
+ echo "FAIL: DNS resolution through Unbound failed after 10 attempts"
+ dig @"$VPN_GATEWAY" example.com +time=5 || true
+ exit 1
+ fi
+}
+
# Wait for client config to be available
echo "Waiting for client config..."
while [ ! -f /shared/client.ovpn ]; do
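Review bot: `DIG_OUTPUT` and the loop variable `i` inside test_dns_resolution stay global while `label` and `success` are declared `local`; add `local i DIG_OUTPUT` at the top of the function so the helper, which is now called twice (before and after renewal), does not clobber script-level names. The refactor also drops the `Resolved example.com to: …` line the old inline block printed on success, which was the only place the resolved answer itself was logged; keeping `echo "Resolved example.com to: $DIG_OUTPUT"` in the PASS branch restores it without the second dig the old code ran. Calling `exit 1` from inside the function matches the rest of the script's style but means the helper cannot be reused for a non-fatal probe.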
@@ -110,27 +133,7 @@ if [ "${CLIENT_IPV6:-n}" = "y" ]; then
fi
# Test 3: DNS resolution through Unbound
-echo "Test 3: Testing DNS resolution via Unbound ($VPN_GATEWAY)..."
-DNS_SUCCESS=false
-DNS_MAX_RETRIES=10
-for i in $(seq 1 $DNS_MAX_RETRIES); do
- DIG_OUTPUT=$(dig @"$VPN_GATEWAY" example.com +short +time=5 2>&1)
- if [ -n "$DIG_OUTPUT" ] && ! echo "$DIG_OUTPUT" | grep -qi "timed out\|SERVFAIL\|connection refused"; then
- DNS_SUCCESS=true
- break
- fi
- echo "DNS attempt $i failed:"
- echo "$DIG_OUTPUT"
- sleep 2
-done
-if [ "$DNS_SUCCESS" = true ]; then
- echo "PASS: DNS resolution through Unbound works"
- echo "Resolved example.com to: $(dig @"$VPN_GATEWAY" example.com +short +time=5)"
-else
- echo "FAIL: DNS resolution through Unbound failed after $DNS_MAX_RETRIES attempts"
- dig @"$VPN_GATEWAY" example.com +time=5 || true
- exit 1
-fi
+test_dns_resolution "Test 3"
echo ""
echo "=== Initial connectivity tests PASSED ==="
@@ -138,6 +141,50 @@ echo "=== Initial connectivity tests PASSED ==="
# Signal server that initial tests passed
touch /shared/initial-tests-passed
+# =====================================================
+# Post-renewal connectivity tests
+# =====================================================
+echo ""
+echo "=== Waiting for post-renewal config ==="
+while [ ! -f /shared/renewal-config-ready ]; do
+ sleep 2
+ echo "Waiting for renewal config..."
+done
+
+echo "Renewal config ready, reconnecting..."
+pkill openvpn || true
+sleep 2
+
+openvpn --config /shared/client.ovpn --daemon --log /var/log/openvpn-renewal.log
+
+echo "Waiting for VPN connection after renewal..."
+while ! ip addr show tun0 2>/dev/null | grep -q "inet "; do
+ sleep 2
+ echo "Waiting for tun0..."
+ if [ -f /var/log/openvpn-renewal.log ]; then
+ tail -3 /var/log/openvpn-renewal.log
+ fi
+done
+
+echo "=== VPN Connected after renewal! ==="
+ip addr show tun0
+
+echo "Waiting for routing to stabilize..."
+sleep 5
+
+echo "Test: Pinging VPN gateway after renewal ($VPN_GATEWAY)..."
+while ! ping -c 3 -W 2 "$VPN_GATEWAY" >/dev/null 2>&1; do
+ echo "Ping failed, retrying..."
+ sleep 3
+done
+echo "PASS: Can ping VPN gateway after renewal"
+
+test_dns_resolution "Test: Post-renewal DNS"
+
+echo ""
+echo "=== Post-renewal connectivity tests PASSED ==="
+touch /shared/renewal-tests-passed
+
# =====================================================
# Certificate Revocation E2E Tests
# =====================================================
diff --git a/test/server-entrypoint.sh b/test/server-entrypoint.sh
index 58e5e429e..edf54c014 100755
--- a/test/server-entrypoint.sh
+++ b/test/server-entrypoint.sh
@@ -211,7 +211,7 @@ else
exit 1
fi
-# Copy client config to shared volume for the client container
+# Copy client config to shared volume for initial connectivity tests
cp /root/testclient.ovpn /shared/client.ovpn
sed -i 's/^remote .*/remote openvpn-server 1194/' /shared/client.ovpn
echo "Client config copied to /shared/client.ovpn"
@@ -356,6 +356,17 @@ fi
echo "=== TLS 1.3 Configuration Verified ==="
+# =====================================================
+# Wait for initial client tests to complete
+# =====================================================
+echo ""
+echo "=== Waiting for initial client connectivity tests ==="
+while [ ! -f /shared/initial-tests-passed ]; do
+ sleep 2
+ echo "Waiting for initial tests..."
+done
+echo "Initial client tests passed, proceeding with renewal tests"
+
# =====================================================
# Test certificate renewal functionality
# =====================================================
@@ -429,11 +440,6 @@ if [ "$AUTH_MODE" = "pki" ]; then
fi
fi
-# Update shared client config with renewed certificate
-cp /root/testclient.ovpn /shared/client.ovpn
-sed -i 's/^remote .*/remote openvpn-server 1194/' /shared/client.ovpn
-echo "Updated client config with renewed certificate"
-
echo "=== Client Certificate Renewal Tests PASSED ==="
# =====================================================
@@ -538,10 +544,21 @@ done
# Allow routing to stabilize after renewal restart
sleep 3
-# Update shared client config after server renewal (fingerprint changed)
cp /root/testclient.ovpn /shared/client.ovpn
sed -i 's/^remote .*/remote openvpn-server 1194/' /shared/client.ovpn
-echo "Updated client config with new server fingerprint"
+touch /shared/renewal-config-ready
+echo "Updated client config with renewed certificates"
+
+# =====================================================
+# Wait for post-renewal client connectivity tests
+# =====================================================
+echo ""
+echo "=== Waiting for post-renewal client connectivity tests ==="
+while [ ! -f /shared/renewal-tests-passed ]; do
+ sleep 2
+ echo "Waiting for renewal tests..."
+done
+echo "Post-renewal client tests passed"
# =====================================================
# Verify Unbound DNS resolver (started by systemd via install script)
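Review bot: The loop on `/shared/renewal-tests-passed` (and the moved one on `/shared/initial-tests-passed` in the @@ -356 hunk) only waits for a success marker, while the client's test_dns_resolution does `exit 1` on failure and publishes nothing, so a client failure leaves the server spinning forever unless the surrounding harness aborts on the client container's exit, which the diff does not show. Have the client write a failure marker at its `exit 1` sites (e.g. `touch /shared/tests-failed`) and check it inside this loop, `if [ -f /shared/tests-failed ]; then echo "FAIL: client reported failure"; exit 1; fi`, or at least bound the loop with a counter so the run terminates with a diagnostic. The marker files are never removed, so if /shared is reused between runs a leftover `renewal-config-ready` or `renewal-tests-passed` would satisfy these waits immediately — an `rm -f /shared/*-passed /shared/*-ready` at startup would guard that if the volume is not recreated per run (cannot tell from the diff). The ordering `cp`, `sed -i`, then `touch /shared/renewal-config-ready` is correct: the client only reads the rewritten config after the marker exists.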
@@ -749,17 +766,6 @@ fi
echo "Allowing routing to stabilize..."
sleep 3
-# =====================================================
-# Wait for initial client tests to complete
-# =====================================================
-echo ""
-echo "=== Waiting for initial client connectivity tests ==="
-while [ ! -f /shared/initial-tests-passed ]; do
- sleep 2
- echo "Waiting for initial tests..."
-done
-echo "Initial client tests passed, proceeding with revocation tests"
-
# =====================================================
# Test certificate revocation functionality
# =====================================================