Root.cz Forum
Main topics => Server => Topic started by: tuxmartin, 22. 10. 2016, 18:34:04
-
Hi, I have a problem with OpenVPN. I haven't used it for about half a year and now I can't connect. I don't know whether I changed anything in the meantime.
I can't connect from the Android client or from Ubuntu 16.04. Both used to work.
Server config:
mode server
tls-server
port 1194
proto udp
dev tun1
server 10.123.2.0 255.255.255.0
topology subnet
client-to-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
log-append /var/log/openvpn_UDP1194
status /var/run/vpn_UDP1194.status 10
user nobody
group nogroup
keepalive 10 120
comp-lzo
verb 5
persist-key
persist-tun
push "route 10.123.1.0 255.255.255.0 10.123.2.1"
push "route 10.123.2.0 255.255.255.0 10.123.2.1"
push "dhcp-option DNS 10.123.2.1"
push "route-gateway 10.123.2.1"
push "redirect-gateway def1"
ifconfig-pool-persist ip_pool_UDP1194.txt
max-clients 5
Client config:
client
remote example.net 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/martin.crt
key /etc/openvpn/martin.key
comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
persist-key
persist-tun
verb 5
Server log:
Sat Oct 22 18:05:38 2016 us=683954 MULTI: multi_create_instance called
Sat Oct 22 18:05:38 2016 us=684334 37.188.132.120:61613 Re-using SSL/TLS context
Sat Oct 22 18:05:38 2016 us=684562 37.188.132.120:61613 LZO compression initialized
Sat Oct 22 18:05:38 2016 us=685062 37.188.132.120:61613 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Oct 22 18:05:38 2016 us=685173 37.188.132.120:61613 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Oct 22 18:05:38 2016 us=685355 37.188.132.120:61613 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Oct 22 18:05:38 2016 us=685430 37.188.132.120:61613 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Oct 22 18:05:38 2016 us=685553 37.188.132.120:61613 Local Options hash (VER=V4): '530fdded'
Sat Oct 22 18:05:38 2016 us=685666 37.188.132.120:61613 Expected Remote Options hash (VER=V4): '41690919'
RSat Oct 22 18:05:38 2016 us=685858 37.188.132.120:61613 TLS: Initial packet from [AF_INET]37.188.132.120:61613, sid=6e5f88fc eacadaa1
WWRWRWSat Oct 22 18:05:52 2016 us=246304 37.188.132.120:61607 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 22 18:05:52 2016 us=246487 37.188.132.120:61607 TLS Error: TLS handshake failed
Sat Oct 22 18:05:52 2016 us=246962 37.188.132.120:61607 SIGUSR1[soft,tls-error] received, client-instance restarting
WRWWRWSat Oct 22 18:06:38 2016 us=680194 37.188.132.120:61613 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 22 18:06:38 2016 us=680370 37.188.132.120:61613 TLS Error: TLS handshake failed
Sat Oct 22 18:06:38 2016 us=680801 37.188.132.120:61613 SIGUSR1[soft,tls-error] received, client-instance restarting
Sat Oct 22 18:06:40 2016 us=849236 MULTI: multi_create_instance called
Sat Oct 22 18:06:40 2016 us=849411 37.188.132.120:61616 Re-using SSL/TLS context
Sat Oct 22 18:06:40 2016 us=849504 37.188.132.120:61616 LZO compression initialized
Sat Oct 22 18:06:40 2016 us=849734 37.188.132.120:61616 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Oct 22 18:06:40 2016 us=849809 37.188.132.120:61616 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Oct 22 18:06:40 2016 us=849936 37.188.132.120:61616 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Oct 22 18:06:40 2016 us=849991 37.188.132.120:61616 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Oct 22 18:06:40 2016 us=850070 37.188.132.120:61616 Local Options hash (VER=V4): '530fdded'
Sat Oct 22 18:06:40 2016 us=850139 37.188.132.120:61616 Expected Remote Options hash (VER=V4): '41690919'
RSat Oct 22 18:06:40 2016 us=850262 37.188.132.120:61616 TLS: Initial packet from [AF_INET]37.188.132.120:61616, sid=0d9fa230 6813bc97
WRWWRWWRW^C
Client log:
client # openvpn --config client.conf
...
Sat Oct 22 18:05:35 2016 us=372594 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
Sat Oct 22 18:05:35 2016 us=372624 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Sat Oct 22 18:05:35 2016 us=372803 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Enter Private Key Password: *********
Sat Oct 22 18:05:38 2016 us=215609 LZO compression initialized
Sat Oct 22 18:05:38 2016 us=215803 Control Channel MTU parms [ L:1542 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sat Oct 22 18:05:38 2016 us=215869 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Oct 22 18:05:38 2016 us=672864 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Sat Oct 22 18:05:38 2016 us=672980 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Oct 22 18:05:38 2016 us=673012 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Oct 22 18:05:38 2016 us=673080 Local Options hash (VER=V4): '41690919'
Sat Oct 22 18:05:38 2016 us=673128 Expected Remote Options hash (VER=V4): '530fdded'
Sat Oct 22 18:05:38 2016 us=673170 UDPv4 link local: [undef]
Sat Oct 22 18:05:38 2016 us=673206 UDPv4 link remote: [AF_INET]1.2.3.4:1194
WWWWWSat Oct 22 18:06:38 2016 us=342885 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 22 18:06:38 2016 us=342958 TLS Error: TLS handshake failed
Sat Oct 22 18:06:38 2016 us=343195 TCP/UDP: Closing socket
Sat Oct 22 18:06:38 2016 us=343263 SIGUSR1[soft,tls-error] received, process restarting
Sat Oct 22 18:06:38 2016 us=343313 Restart pause, 2 second(s)
Sat Oct 22 18:06:40 2016 us=343439 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Oct 22 18:06:40 2016 us=343503 Re-using SSL/TLS context
Sat Oct 22 18:06:40 2016 us=343534 LZO compression initialized
Sat Oct 22 18:06:40 2016 us=343587 Control Channel MTU parms [ L:1542 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sat Oct 22 18:06:40 2016 us=343616 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Oct 22 18:06:40 2016 us=844549 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Sat Oct 22 18:06:40 2016 us=844657 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Oct 22 18:06:40 2016 us=844692 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Oct 22 18:06:40 2016 us=844753 Local Options hash (VER=V4): '41690919'
Sat Oct 22 18:06:40 2016 us=844804 Expected Remote Options hash (VER=V4): '530fdded'
Sat Oct 22 18:06:40 2016 us=844847 UDPv4 link local: [undef]
Sat Oct 22 18:06:40 2016 us=844886 UDPv4 link remote: [AF_INET]1.2.3.4:1194
WWWW^CSat Oct 22 18:07:00 2016 us=52421 event_wait : Interrupted system call (code=4)
Sat Oct 22 18:07:00 2016 us=52709 TCP/UDP: Closing socket
Sat Oct 22 18:07:00 2016 us=52789 SIGINT[hard,] received, process exiting
The full client log, because there's a 20k character limit here: http://pastebin.com/MngR0ynw
Does anyone have an idea what I'm doing wrong?
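An added example (not from the thread or from the OpenVPN project) that reads the two verb 5 logs above and says which direction is broken. It relies on two things visible in the quoted logs: the "Local Options hash" / "Expected Remote Options hash" lines, which must cross-match between client and server or the handshake fails on an options mismatch rather than on connectivity, and the uppercase R/W characters OpenVPN prints at verb 5 for every UDP/TCP packet read or written (lowercase would be TUN/TAP traffic). The log excerpts are constructed from the lines quoted in the post; the finding names are made up for this script.

```python
import re

# Constructed excerpts: the relevant lines copied from the server and client
# logs quoted in the post above (verb 5 output, OpenVPN 2.3.10).
SERVER_LOG = """\
Sat Oct 22 18:05:38 2016 us=685553 37.188.132.120:61613 Local Options hash (VER=V4): '530fdded'
Sat Oct 22 18:05:38 2016 us=685666 37.188.132.120:61613 Expected Remote Options hash (VER=V4): '41690919'
RSat Oct 22 18:05:38 2016 us=685858 37.188.132.120:61613 TLS: Initial packet from [AF_INET]37.188.132.120:61613, sid=6e5f88fc eacadaa1
WWRWRWSat Oct 22 18:05:52 2016 us=246304 37.188.132.120:61607 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

CLIENT_LOG = """\
Sat Oct 22 18:05:38 2016 us=673080 Local Options hash (VER=V4): '41690919'
Sat Oct 22 18:05:38 2016 us=673128 Expected Remote Options hash (VER=V4): '530fdded'
Sat Oct 22 18:05:38 2016 us=673206 UDPv4 link remote: [AF_INET]1.2.3.4:1194
WWWWWSat Oct 22 18:06:38 2016 us=342885 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

HASH_RE = re.compile(r"(Local|Expected Remote) Options hash \(VER=V\d\): '([0-9a-f]+)'")
# At verb 5 OpenVPN prints one uppercase R or W per UDP/TCP packet read or
# written; they land in front of the next timestamped line (weekday + space).
RW_RE = re.compile(r"^([RW]+)(?=[A-Z][a-z]{2} )")
TIMEOUT = "TLS key negotiation failed to occur within 60 seconds"


def options_hashes(log):
    """Last 'Local' and 'Expected Remote' options hash seen in the log."""
    found = {}
    for m in HASH_RE.finditer(log):
        found[m.group(1)] = m.group(2)
    return found


def packet_counts(log):
    """(packets read, packets written) on the UDP socket, from the R/W prefixes."""
    reads = writes = 0
    for line in log.splitlines():
        m = RW_RE.match(line)
        if m:
            reads += m.group(1).count("R")
            writes += m.group(1).count("W")
    return reads, writes


def triage(server_log, client_log):
    """Finding names are made up for this example."""
    findings = []
    s, c = options_hashes(server_log), options_hashes(client_log)
    cross_match = (s.get("Local") == c.get("Expected Remote")
                   and c.get("Local") == s.get("Expected Remote"))
    findings.append("options-match" if cross_match else "options-mismatch")

    if TIMEOUT in client_log or TIMEOUT in server_log:
        s_reads, s_writes = packet_counts(server_log)
        c_reads, c_writes = packet_counts(client_log)
        if s_reads == 0:
            findings.append("forward-path-blocked")   # client packets never reach the server
        elif c_writes > 0 and s_writes > 0 and c_reads == 0:
            findings.append("return-path-blocked")    # server replies never reach the client
        else:
            findings.append("handshake-stalled")      # both directions pass; look elsewhere (MTU, CPU, keys)
    return findings


if __name__ == "__main__":
    print(triage(SERVER_LOG, CLIENT_LOG))  # ['options-match', 'return-path-blocked']
```

On the logs in this post the result is options-match plus return-path-blocked: the client wrote five UDP packets and read none, while the server both read the client's packets and wrote replies. That points at the return path (the NAT or CGNAT between the LTE client and the server, or an OUTPUT/NAT rule on the server that the INPUT listing further down does not show), not at certificates or clock skew, which is the pattern the NAT answer at the end of the thread describes.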
-
Hasn't the certificate expired?
-
Hasn't the certificate expired?
No, they're all valid until 28. 6. 2020.
-
Hasn't the certificate expired?
No, they're all valid until 28. 6. 2020.
Including the certificate of the CA that issued them?
-
Including the certificate of the CA that issued them?
Yes, everything's fine.
-
Try setting the time on both the client and the server to UTC.
-
Try setting the time on both the client and the server to UTC.
Both the server and the client have their time synchronized via NTP. I just checked and both have the correct time.
-
What about the firewall?
https://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html
-
What about the firewall?
https://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html
That doesn't seem likely to me. Messages start appearing in the server log immediately after the client starts connecting, so the packets must be getting through.
According to iptables:
# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
...
9621K 7666M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7680 456K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
7962 463K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
38 1596 ACCEPT udp -- wan0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
...
-
I recently dealt with the same problem: at one branch office, OpenVPN on a Mikrotik refused to connect to OpenVPN on Linux. Lowering the MTU on the Mikrotik's WAN port helped.
J.
-
I recently dealt with the same problem: at one branch office, OpenVPN on a Mikrotik refused to connect to OpenVPN on Linux. Lowering the MTU on the Mikrotik's WAN port helped.
J.
I tried setting the MTU of the WAN NIC to 1400. It didn't help.
What's strange is that when I try to connect from Android over O2 LTE, the server writes errors into the log (see my question).
But the client shows 0 bytes received (see the attached picture).
-
Personally I'd also raise the problem here:
https://forums.openvpn.net/
-
What's strange is that when I try to connect from Android over O2 LTE, the server writes errors into the log (see my question).
But the client shows 0 bytes received (see the attached picture).
And what's strange about that? That it's hard to communicate with something behind several (CG)NATs? :o
-
And what's strange about that? That it's hard to communicate with something behind several (CG)NATs? :o
Other services on the same server are reachable over the same LTE.
And the problem isn't only with access from the O2 network.
-
SSL interception at O2? Judging by the logs and the behaviour you describe, it looks like it....
Try from a different network. The same thing happened to me in Monaco with Monaco Telecom on LTE; when I tried a direct connection without OpenVPN, all the SSL certificates were fake....
-
Or try a different port, 443 for example.
-
SSL interception at O2? Judging by the logs and the behaviour you describe, it looks like it....
Try from a different network. The same thing happened to me in Monaco with Monaco Telecom on LTE; when I tried a direct connection without OpenVPN, all the SSL certificates were fake....
O2 wouldn't dare do that. The problem is definitely elsewhere.
Or try a different port, 443 for example.
I have a web server running there. And I don't want port sharing.
And above all, I want OpenVPN over UDP, not TCP.
-
O2 wouldn't dare do that.
ROFL. That made me laugh. ;D ;D ;D
Or try a different port, 443 for example.
I have a web server running there. And I don't want port sharing.
And above all, I want OpenVPN over UDP, not TCP.
OMG, it would be such a huge problem to turn it off for a moment. But mainly, try any other port except the "well known" ones, which O2 quite clearly throttles and snoops on, at the very least because of the FUP (VPNs in particular).
-
Well, first of all I'd try tcpdump on port 1194 to see whether traffic flows in both directions, mainly whether packets come back from the server.
Off topic: enable tls-auth on both sides.
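An added example, not from the thread or from the OpenVPN project: a small linter for the client config from the first post that checks the two things this reply and the client log call for. The client log's "WARNING: No server certificate verification method has been enabled" means none of remote-cert-tls, ns-cert-type, verify-x509-name or tls-verify is set, so the client will accept any certificate signed by the CA as the server, including another client's certificate (that is the MITM case the linked howto describes). The tls-auth suggestion adds an HMAC to the control channel, so UDP packets without the shared key are dropped before any TLS work is done. The hardened variant, the /etc/openvpn/ta.key path and the finding names are assumptions made for the example; remote-cert-tls server requires the server certificate to carry the server EKU or nsCertType (easy-rsa's build-key-server does that), tls-crypt only exists in OpenVPN 2.4 and later, and inline <tls-auth> blocks are not parsed here.

```python
# Constructed: the client config quoted in the first post, verbatim.
CLIENT_CONF_ORIGINAL = """\
client
remote example.net 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/martin.crt
key /etc/openvpn/martin.key
comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
persist-key
persist-tun
verb 5
"""

# Constructed: the same config plus the two hardening lines.  The key file is
# an assumed path; it is generated once with `openvpn --genkey --secret ta.key`
# and copied to both ends.  Key direction is 0 on the server, 1 on the client.
CLIENT_CONF_HARDENED = CLIENT_CONF_ORIGINAL + """\
remote-cert-tls server
tls-auth /etc/openvpn/ta.key 1
"""

# Any one of these makes the client check that the peer is really a server.
SERVER_IDENTITY_OPTIONS = {
    "remote-cert-tls", "remote-cert-ku", "remote-cert-eku",
    "ns-cert-type", "verify-x509-name", "tls-verify",
}


def parse(conf):
    """Map option name -> list of argument lists (an option may repeat).
    Only whole-line '#' / ';' comments are handled, no inline <blocks>."""
    opts = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts.setdefault(name, []).append(args)
    return opts


def lint_client(conf):
    """Return finding names (made up for this example); [] means both checks pass."""
    opts = parse(conf)
    findings = []
    if not SERVER_IDENTITY_OPTIONS.intersection(opts):
        findings.append("no-server-identity-check")     # this is what logs the MITM warning
    if "tls-auth" in opts:
        args = opts["tls-auth"][-1]
        if len(args) == 2 and args[1] != "1":
            findings.append("tls-auth-direction-not-1")  # client side of a directional key pair
    elif "tls-crypt" not in opts:
        findings.append("no-control-channel-hmac")
    return findings


if __name__ == "__main__":
    print(lint_client(CLIENT_CONF_ORIGINAL))  # ['no-server-identity-check', 'no-control-channel-hmac']
    print(lint_client(CLIENT_CONF_HARDENED))  # []
```

The server side gets the matching lines, tls-auth /etc/openvpn/ta.key 0 (and nothing for remote-cert-tls, which is a client-side check). Pair this with the tcpdump check from the reply: tcpdump -ni wan0 udp port 1194 on the server shows whether replies leave at all, and the same filter on the client shows whether they ever arrive.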
-
I don't know whether the thread author is still troubled by this problem, but I ran into the same problem and gradually found out that NAT was to blame.
It's nicely described here:
https://serverfault.com/questions/765521/openvpn-issue-tls-key-negotiation-failed-to-occur-within-60-seconds