This forum is for admins who are looking to build or expand their OpenVPN setup.
Moderators: TinCanTech
-
dazo
- OpenVPN Inc.
- Posts: 155
- Joined: Mon Jan 11, 2010 10:14 am
- Location: dazo :: #openvpn-devel @ libera.chat
Post
by dazo » Thu Feb 10, 2022 5:53 pm
mangoo wrote: ↑Wed Feb 09, 2022 11:40 pm
dazo wrote: ↑Tue Feb 08, 2022 5:44 pm
Code:
$ openvpn2 --config CONFIG_FILE --verb 6
Did you mean openvpn3 client above? openvpn 2.x client works just fine with a 2.x server.
No, I meant openvpn2 - https://github.com/OpenVPN/openvpn3-lin ... vpn2.1.rst
It's important to distinguish between the openvpn executable, which is the "classical" OpenVPN 2.x generation, and the openvpn2 and openvpn3 executables, which are part of the OpenVPN 3 Linux project.
Code:
$ file /usr/bin/openvpn[23] /usr/sbin/openvpn | cut -d, -f1
/usr/bin/openvpn2: Python script
/usr/bin/openvpn3: ELF 64-bit LSB executable
/usr/sbin/openvpn: ELF 64-bit LSB shared object
mangoo wrote: ↑Wed Feb 09, 2022 11:40 pm
It seems to use different syntax:
Code:
openvpn3 session-start --config CONFIG_FILE
As openvpn3 doesn't accept "--verb 6" argument, I've added "verb 6" to the config file.
However, the amount of data logged to /var/log/syslog does not seem to change and is minimal.
Correct, because openvpn3 session-start does not support --verb (maybe I should add support for --log-level, though - but that's a different topic). The openvpn2 front-end, on the other hand, supports --verb because it tries to simulate the classical OpenVPN 2.x command line interface.
-
openvpn_inc
- OpenVPN Inc.
- Posts: 1332
- Joined: Tue Feb 16, 2021 10:41 am
Post
by openvpn_inc » Thu Feb 10, 2022 6:00 pm
Hey mangoo,
Are you still getting the logged errors about bad source address? If so, select one of those
destination addresses and show:
Also, you did not show the iptables/nft output I requested.
regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
-
mangoo
- OpenVpn Newbie
- Posts: 17
- Joined: Fri Jun 09, 2017 10:32 pm
Post
by mangoo » Thu Feb 10, 2022 9:29 pm
openvpn_inc wrote: ↑Thu Feb 10, 2022 6:00 pm
Also, you did not show the iptables/nft output I requested.
Traffic is not blocked by iptables in any way. Please remember - it behaves the same on Windows (openvpn 2.x client works; openvpn 3 client - no internet).
Code:
# iptables -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.1.0.0/16 anywhere /* generated for MicroK8s pods */
ACCEPT all -- anywhere 10.1.0.0/16 /* generated for MicroK8s pods */
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-
mangoo
- OpenVpn Newbie
- Posts: 17
- Joined: Fri Jun 09, 2017 10:32 pm
Post
by mangoo » Thu Feb 10, 2022 9:35 pm
Well:
Code:
# openvpn2 --config CONFIG_FILE --verb 6
** ERROR ** /usr/bin/openvpn2: error: unrecognized arguments: --auth-nocache
#
After commenting out the "auth-nocache" option from the config file - it connects, but there is no internet:
Code:
$ sudo openvpn2 --config CONFIG_FILE --verb 6
Press CTRL-C to stop the connection
2022-02-10 22:39:18.638264 [STATUS] (StatusMajor.CONNECTION, StatusMinor.CFG_OK) config_path=/net/openvpn/v3/configuration/80d80d90x07b4x4c9ax91c1xf898214ae44d
2022-02-10 22:39:18.638324 [LOG] Starting connection
2022-02-10 22:39:18.638350 [LOG] Using DNS resolver scope: global
2022-02-10 22:39:18.638371 [LOG] [Connect] DCO flag: disabled
2022-02-10 22:39:18.638391 [STATUS] (StatusMajor.CONNECTION, StatusMinor.CONN_CONNECTING)
2022-02-10 22:39:18.638413 [LOG] OpenVPN core 3.git:HEAD:7765540e linux x86_64 64-bit OVPN-DCO
2022-02-10 22:39:18.638431 [LOG] Frame=512/2048/512 mssfix-ctrl=1250
2022-02-10 22:39:18.638449 [LOG] UNUSED OPTIONS
8 [persist-tun]
14 [verb] [6]
2022-02-10 22:39:18.638471 [LOG] Resolving
2022-02-10 22:39:18.638942 [LOG] Contacting aaa.bbb.ccc.ddd:1194 via UDP
2022-02-10 22:39:18.639113 [LOG] Waiting for server response
2022-02-10 22:39:18.643586 [LOG] Connecting to [aaa.bbb.ccc.ddd]:1194 (aaa.bbb.ccc.ddd) via UDPv4
2022-02-10 22:39:18.728414 [LOG] Connecting
2022-02-10 22:39:18.728631 [STATUS] (StatusMajor.CONNECTION, StatusMinor.CONN_CONNECTING)
2022-02-10 22:39:18.728802 [LOG] Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1440,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client
2022-02-10 22:39:18.728933 [LOG] Creds: UsernameEmpty/PasswordEmpty
2022-02-10 22:39:18.729295 [LOG] Peer Info:
IV_VER=3.git:HEAD:7765540e
IV_PLAT=linux
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1
IV_GUI_VER=OpenVPN 3/Linux v17_beta/3.git:HEAD:7765540e linux x86_64 64-bit
IV_SSO=openurl,webauth
2022-02-10 22:39:18.789667 [LOG] VERIFY OK: depth=1, /CN=Easy-RSA CA, signature: RSA-SHA256
2022-02-10 22:39:18.790338 [LOG] VERIFY OK: depth=0, /CN=server, signature: RSA-SHA256
2022-02-10 22:39:18.861722 [LOG] SSL Handshake: peer certificate: CN=server, 4096 bit RSA, cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
2022-02-10 22:39:18.861921 [LOG] Session is ACTIVE
2022-02-10 22:39:18.862308 [LOG] Retrieving configuration from server
2022-02-10 22:39:18.862489 [LOG] Sending PUSH_REQUEST to server...
2022-02-10 22:39:18.948344 [LOG] OPTIONS:
0 [redirect-gateway] [def1] [bypass-dhcp]
1 [dhcp-option] [DNS] [8.8.8.8]
2 [dhcp-option] [DNS] [1.1.1.1]
3 [redirect-gateway] [ipv6] [bypass-dhcp]
4 [tun-ipv6]
5 [route-gateway] [10.121.0.1]
6 [topology] [subnet]
7 [ping] [10]
8 [ping-restart] [120]
9 [ifconfig-ipv6] [fd42:feed:feed:feed::1003/64] [fd42:feed:feed:feed::1]
10 [ifconfig] [10.121.0.5] [255.255.255.0]
11 [peer-id] [3]
12 [cipher] [AES-256-GCM]
2022-02-10 22:39:18.948694 [LOG] PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
key-derivation: OpenVPN PRF
compress: COMP_STUB
peer ID: 3
control channel: tls-crypt enabled
2022-02-10 22:39:18.976565 [LOG] Session name: 'aaa.bbb.ccc.ddd'
2022-02-10 22:39:19.038839 [LOG] TunPersist: saving tun context:
Session Name: aaa.bbb.ccc.ddd
Layer: OSI_LAYER_3
MTU: 1440
Remote Address: aaa.bbb.ccc.ddd
Tunnel Addresses:
10.121.0.5/24 -> 10.121.0.1
fd42:feed:feed:feed::1003/64 -> fd42:feed:feed:feed::1 [IPv6]
Reroute Gateway: IPv4=1 IPv6=1 flags=[ ENABLE REROUTE_GW DEF1 BYPASS_DHCP IPv4 IPv6 ]
Block IPv4: no
Block IPv6: no
Add Routes:
Exclude Routes:
DNS Servers:
8.8.8.8
1.1.1.1
Search Domains:
2022-02-10 22:39:19.038969 [LOG] Connected via tun
2022-02-10 22:39:19.039463 [LOG] LZO-ASYM init swap=0 asym=1
2022-02-10 22:39:19.039634 [LOG] Comp-stub init swap=1
2022-02-10 22:39:19.039710 [LOG] Connected: aaa.bbb.ccc.ddd:1194 (aaa.bbb.ccc.ddd) via /UDPv4 on tun/10.121.0.5/fd42:feed:feed:feed::1003 gw=[10.121.0.1/fd42:feed:feed:feed::1]
2022-02-10 22:39:19.039782 [STATUS] (StatusMajor.CONNECTION, StatusMinor.CONN_CONNECTED)
^C
Disconnecting...
Connection statistics:
BYTES_IN: 196285
BYTES_OUT: 245803
PACKETS_IN: 740
PACKETS_OUT: 1167
TUN_BYTES_IN: 211891
TUN_BYTES_OUT: 55460
TUN_PACKETS_IN: 1154
TUN_PACKETS_OUT: 350
COMPRESS_ERROR: 378
^C
** ERROR ** local variable 'connected' referenced before assignment
#
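As an added example (not code from this thread, from OpenVPN Inc. or from the openvpn3-linux project), here is a small triage script for the openvpn2 session log posted above. It parses the client's own options from the "Tunnel Options" line, the options the OpenVPN 3 core reported as unused, the options the server pushed, the negotiated "PROTOCOL OPTIONS" and the final counters, and then reports the things worth checking before changing single directives: the cipher the server replaced via NCP, an `auth` digest that an AEAD data cipher does not use (the log's `digest: NONE`), a non-zero `COMPRESS_ERROR` counter, and the server-side "bad source address" message. The sample log is a constructed subset of the lines in the post; the checks encode general OpenVPN behaviour (AEAD ciphers authenticate packets themselves; the server drops data packets whose source is neither the client's tunnel address nor an iroute'd network), not a diagnosis of this particular setup.

```python
"""Triage the session log printed by the OpenVPN 3 Linux `openvpn2` front-end.

Added example for this thread, not code from OpenVPN Inc. or openvpn3-linux.
SAMPLE_LOG is a constructed subset of the lines posted in the thread;
SAMPLE_SERVER_LOG is the server-side message quoted later in the thread.
"""
import re
from typing import Dict, List

SAMPLE_LOG = """\
2022-02-10 22:39:18.638449 [LOG] UNUSED OPTIONS
8 [persist-tun]
14 [verb] [6]
2022-02-10 22:39:18.728802 [LOG] Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1440,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client
2022-02-10 22:39:18.948344 [LOG] OPTIONS:
0 [redirect-gateway] [def1] [bypass-dhcp]
10 [ifconfig] [10.121.0.5] [255.255.255.0]
12 [cipher] [AES-256-GCM]
2022-02-10 22:39:18.948694 [LOG] PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
compress: COMP_STUB
control channel: tls-crypt enabled
2022-02-10 22:39:19.039782 [STATUS] (StatusMajor.CONNECTION, StatusMinor.CONN_CONNECTED)
Connection statistics:
BYTES_IN: 196285
TUN_PACKETS_OUT: 350
COMPRESS_ERROR: 378
"""
SAMPLE_SERVER_LOG = "MULTI: bad source address from client [192.168.1.19], packet dropped\n"

TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ \[(?:LOG|STATUS)\] (.*)$")
BAD_SRC_RE = re.compile(r"MULTI: bad source address from client \[([^\]]+)\], packet dropped")
# AEAD data ciphers carry their own authentication tag; `auth` is not applied to them.
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


def parse_session_log(text: str) -> Dict[str, object]:
    """Extract the structured sections of the log into one dict."""
    parsed = {
        "local_options": {},     # directive -> value, from "Tunnel Options:"
        "unused_options": [],    # e.g. ["verb", "6"]
        "pushed_options": [],    # e.g. ["ifconfig", "10.121.0.5", "255.255.255.0"]
        "protocol_options": {},  # e.g. "digest" -> "NONE"
        "stats": {},             # e.g. "COMPRESS_ERROR" -> 378
    }
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = TS_RE.match(line)
        if m:
            msg = m.group(1)
            # A timestamped line either opens a new section or ends the current one.
            section = {"UNUSED OPTIONS": "unused_options",
                       "OPTIONS:": "pushed_options",
                       "PROTOCOL OPTIONS:": "protocol_options"}.get(msg)
            if msg.startswith("Tunnel Options:"):
                for item in msg[len("Tunnel Options:"):].split(","):
                    key, _, value = item.partition(" ")
                    parsed["local_options"][key] = value
            continue
        if line == "Connection statistics:":
            section = "stats"
            continue
        if section in ("unused_options", "pushed_options") and re.match(r"^\d+ \[", line):
            parsed[section].append(re.findall(r"\[([^\]]*)\]", line))
        elif section in ("protocol_options", "stats"):
            key, sep, value = line.partition(": ")
            if sep:
                parsed[section][key] = int(value) if value.isdigit() else value
    return parsed


def triage(parsed: Dict[str, object], server_log: str = "") -> List[str]:
    """Return human-readable findings derived from the parsed log."""
    local, proto = parsed["local_options"], parsed["protocol_options"]
    pushed = {opt[0]: opt[1:] for opt in parsed["pushed_options"]}
    findings = []
    for opt in parsed["unused_options"]:
        findings.append(f"ignored by the OpenVPN 3 core: {' '.join(opt)}")
    if "cipher" in pushed and pushed["cipher"][0] != local.get("cipher"):
        findings.append(f"server pushed cipher {pushed['cipher'][0]}, replacing the "
                        f"configured {local.get('cipher')} (cipher negotiation)")
    if proto.get("cipher") in AEAD_CIPHERS and "auth" in local:
        findings.append(f"'auth {local['auth']}' is not used on the data channel: "
                        f"{proto['cipher']} is AEAD (negotiated digest: {proto.get('digest')})")
    if parsed["stats"].get("COMPRESS_ERROR", 0):
        findings.append(f"COMPRESS_ERROR={parsed['stats']['COMPRESS_ERROR']} with "
                        f"compress={proto.get('compress')}: packets failed in the compression "
                        f"layer; compare the server's comp-lzo/compress setting with the client's")
    tunnel_ip = pushed.get("ifconfig", ["?"])[0]
    for m in BAD_SRC_RE.finditer(server_log):
        findings.append(f"server dropped packets from source {m.group(1)}: neither the client's "
                        f"tunnel address {tunnel_ip} nor a network given by iroute for this client")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_session_log(SAMPLE_LOG), SAMPLE_SERVER_LOG):
        print("-", finding)
```

Run it on a real capture by replacing SAMPLE_LOG with the output of `openvpn2 --config CONFIG_FILE` and SAMPLE_SERVER_LOG with the relevant server log lines. Note that the statistics in the post show a non-zero COMPRESS_ERROR counter, which is worth checking alongside the cipher and auth settings.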
-
mangoo
- OpenVpn Newbie
- Posts: 17
- Joined: Fri Jun 09, 2017 10:32 pm
Post
by mangoo » Thu Feb 10, 2022 9:44 pm
openvpn_inc wrote: ↑Thu Feb 10, 2022 6:00 pm
Hey mangoo,
Are you still getting the logged errors about bad source address? If so, select one of those
destination addresses and show:
Yes - with openvpn2 and openvpn3 AND openvpn 2.5.1 client (I previously did not check the server with verb 6 and openvpn 2.5.1 client). However, with openvpn 2.5.1 client, internet just works.
On the server (aaa.bbb.ccc.ddd - public IP of the server):
Code:
# ip route get 192.168.1.19
192.168.1.19 via aaa.bbb.ccc.ddd dev enp35s0 src aaa.bbb.ccc.ddd uid 0
cache
On the client:
Code:
# ip route get 192.168.1.19
local 192.168.1.19 dev lo table local src 192.168.1.19 uid 1000
cache <local>
Interestingly, while the server keeps showing "MULTI: bad source address from client [192.168.1.19], packet dropped", tcpdump run on the server does not show anything at all:
Code:
# tcpdump -i any -v -n host 192.168.1.19
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
^C
0 packets captured
3 packets received by filter
0 packets dropped by kernel
Either way - that's some other minor issue probably, and maybe not related to my original issue (no internet with openvpn3 clients).
-
mangoo
- OpenVpn Newbie
- Posts: 17
- Joined: Fri Jun 09, 2017 10:32 pm
Post
by mangoo » Thu Feb 10, 2022 10:15 pm
dazo wrote: ↑Tue Feb 08, 2022 5:44 pm
I see you're using AES-256-CBC here. This is actually considered a legacy cipher these days. Please use AES-256-GCM instead. Using that also removes the need to use "auth SHA512" (SHA512 is also not advisable, it adds an additional 32 bytes overhead with no security gain over SHA256 - Using SHA512 eats your tunnel performance). IIRC, using AES-256-GCM, the authentication overhead which is built into AES-GCM is just 12 bytes per packet all in all while SHA512 spends 64 bytes per packet.
"auth SHA512" was the problem here! Without it, all connectivity with openvpn3 client works just fine! Not sure if it's a bug or a feature though!
I've modified other parameters according to your suggestions - thanks for your help!
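The cipher advice quoted above, turned into a before/after profile rewrite, as an added example (not code from this thread, from OpenVPN Inc. or from openvpn3-linux). The script takes a classic OpenVPN 2.x client profile, swaps a CBC `cipher` for AES-256-GCM, drops the `auth` digest once the data cipher is AEAD (the negotiated log in this thread shows `digest: NONE` for exactly that reason), comments out `auth-nocache` when the profile is meant for the openvpn2 front-end (which rejected it in this thread), and flags `comp-lzo`, `persist-tun` and `verb` as deprecated or unused. The sample profile is constructed from the "Tunnel Options" line in the posted log; the remote address is the thread's placeholder and the tls-crypt key material is omitted. Keep `auth` if you use tls-auth rather than tls-crypt, since tls-auth's HMAC digest is taken from `auth`.

```python
"""Rewrite a classic OpenVPN 2.x client profile along the lines suggested in
the thread: AEAD data cipher, no separate `auth` digest, and no options the
OpenVPN 3 Linux `openvpn2` front-end rejects.

Added example, not code from OpenVPN Inc.  SAMPLE_PROFILE is constructed;
aaa.bbb.ccc.ddd is the thread's placeholder for the server address.
"""
from typing import List, Tuple

SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote aaa.bbb.ccc.ddd 1194
persist-tun
comp-lzo
cipher AES-256-CBC
auth SHA512
auth-nocache
verb 6
<tls-crypt>
# key material omitted in this constructed sample
</tls-crypt>
"""

LEGACY_CIPHERS = {"AES-128-CBC", "AES-192-CBC", "AES-256-CBC", "BF-CBC", "DES-EDE3-CBC"}
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
AEAD_REPLACEMENT = "AES-256-GCM"
# Observed in the thread with the openvpn2 front-end / OpenVPN 3 core:
OPENVPN3_REJECTED = {"auth-nocache"}       # "unrecognized arguments" from openvpn2
OPENVPN3_UNUSED = {"persist-tun", "verb"}  # listed under UNUSED OPTIONS in the log


def parse_profile(text: str) -> List[Tuple[str, List[str]]]:
    """Split a profile into (directive, args) pairs.  Inline <tag>...</tag>
    blocks are kept verbatim as one ("<tag>", body_lines) entry."""
    entries, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("<") and not line.startswith("</"):
            tag, body, closing = line, [], line.replace("<", "</", 1)
            i += 1
            while i < len(lines) and lines[i].strip() != closing:
                body.append(lines[i])
                i += 1
            entries.append((tag, body))
        elif line and not line.startswith(("#", ";")):
            parts = line.split()
            entries.append((parts[0], parts[1:]))
        i += 1
    return entries


def modernize_profile(text: str, frontend: str = "openvpn2") -> Tuple[str, List[str]]:
    """Return (rewritten profile, list of changes made or flagged)."""
    entries = parse_profile(text)
    # Decide the data cipher first; whether `auth` matters depends on it.
    cipher = next((a[0] for d, a in entries if d == "cipher" and a), None)
    final_cipher = AEAD_REPLACEMENT if cipher in LEGACY_CIPHERS else cipher
    final_is_aead = final_cipher in AEAD_CIPHERS
    out, changes = [], []
    for directive, args in entries:
        if directive.startswith("<"):
            out.extend([directive, *args, directive.replace("<", "</", 1)])
            continue
        line = " ".join([directive, *args])
        if directive == "cipher" and args and args[0] in LEGACY_CIPHERS:
            out.append(f"cipher {AEAD_REPLACEMENT}")
            changes.append(f"cipher {args[0]} -> {AEAD_REPLACEMENT}: CBC ciphers are legacy")
            continue
        if directive == "auth" and final_is_aead:
            changes.append(f"dropped '{line}': {final_cipher} is AEAD, so the digest is not "
                           "applied to data packets (keep it only for tls-auth)")
            continue
        if directive in ("comp-lzo", "compress"):
            out.append("# deprecated since OpenVPN 2.5; confirm whether the server still needs it")
            changes.append(f"flagged '{line}': compression is deprecated")
        if directive in OPENVPN3_REJECTED and frontend == "openvpn2":
            out.append(f"# {line}  (rejected by the openvpn2 front-end)")
            changes.append(f"commented out '{line}': unrecognized by openvpn2")
            continue
        if directive in OPENVPN3_UNUSED and frontend == "openvpn2":
            changes.append(f"kept '{line}': OpenVPN 3 core lists it under UNUSED OPTIONS")
        out.append(line)
    return "\n".join(out) + "\n", changes


if __name__ == "__main__":
    rewritten, notes = modernize_profile(SAMPLE_PROFILE)
    print(rewritten)
    for note in notes:
        print("#", note)
```

Pass `frontend="openvpn"` to keep `auth-nocache` and skip the OpenVPN 3-specific notes when the profile is destined for the classic 2.x client.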
-
openvpn_inc
- OpenVPN Inc.
- Posts: 1332
- Joined: Tue Feb 16, 2021 10:41 am
Post
by openvpn_inc » Thu Feb 10, 2022 11:44 pm
Hi mangoo,
Thanks for the update. That will give dazo and ordex something to puzzle over tomorrow.
regards, rob0
OpenVPN Inc.
-
dazo
- OpenVPN Inc.
- Posts: 155
- Joined: Mon Jan 11, 2010 10:14 am
- Location: dazo :: #openvpn-devel @ libera.chat
Post
by dazo » Fri Feb 11, 2022 8:35 pm
mangoo wrote: ↑Thu Feb 10, 2022 9:35 pm
Well:
Code:
# openvpn2 --config CONFIG_FILE --verb 6
** ERROR ** /usr/bin/openvpn2: error: unrecognized arguments: --auth-nocache
#
After commenting out the "auth-nocache" option from the config file - it connects, but there is no internet:
Good catch. I'll add that option to the "option ignore list" in the openvpn2 option parser. This option isn't really useful in an OpenVPN 3 context.
mangoo wrote: ↑Thu Feb 10, 2022 9:35 pm
Code:
$ sudo openvpn2 --config CONFIG_FILE --verb 6
Press CTRL-C to stop the connection
With OpenVPN 3 Linux, you don't need to run the openvpn2 and openvpn3 commands as root (like via sudo). OpenVPN 3 Linux is designed to allow unprivileged users to start and manage their own VPN configuration profiles and sessions. Only the openvpn3-admin management tool requires root privileges for several of its operations.
mangoo wrote: ↑Thu Feb 10, 2022 9:35 pm
Code:
** ERROR ** local variable 'connected' referenced before assignment
This is an interesting error. I'll try to get that fixed as well. This shouldn't appear.
-
dazo
- OpenVPN Inc.
- Posts: 155
- Joined: Mon Jan 11, 2010 10:14 am
- Location: dazo :: #openvpn-devel @ libera.chat
Post
by dazo » Fri Feb 11, 2022 8:53 pm
mangoo wrote: ↑Thu Feb 10, 2022 10:15 pm
"auth SHA512" was the problem here! Without it, all connectivity with openvpn3 client works just fine! Not sure if it's a bug or a feature though!
I've modified other parameters according to your suggestions - thanks for your help!
Okay, it's good that this fixed it. It is, however, a bit surprising. We will see if this is an issue in the OpenVPN 3 Core library. Thanks for the report.