by chris » Mon Nov 13, 2017 10:42 pm
I use an open source OpenVPN/Router solution (ipFire) to connect clients to a remote network. When I take a working profile to connect to the openVPN server, the connection to the Windows TS cannot be established.
The RPI gets an IP address (road warrior) and connects to the vpn server, but cannot get pinged from the vpn server.
The same config works with regular Windows/Mac clients.
IP config of the RPI
eth0 Link encap:Ethernet HWaddr B8:27:EB:6F:C0:A4
inet addr:192.168.188.33 Bcast:192.168.188.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:882 errors:0 dropped:0 overruns:0 frame:0
TX packets:841 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:230421 (225.0 KiB) TX bytes:100397 (98.0 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.65.58.22 P-t-P:10.65.58.21 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
The log lists that there is a problem with the encryption.
Send broadcast WTCU discover.
[ initrd] [ 13.372328] Run OpenVPN with user config configs/openvpn.cfg.
[ initrd] [ 13.376828] Unpack /bootmedia/packages/pi2-dbus.
[ initrd] [ 13.651154] +--- Executing "/usr/bin/dbus-daemon --system"
[ initrd] [ 13.694850] +- Errorlevel: 0, output:
File is empty.
[ initrd] [ 13.695525] +------------------------
[ initrd] [ 13.695612] Unpack /bootmedia/packages/pi2-xnet.
[ initrd] [ 14.822597] +--- Executing "/sbin/modprobe tun"
[ KERNEL] [ 14.830361] tun: Universal TUN/TAP device driver, 1.6
[ KERNEL] [ 14.830369] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[ initrd] [ 14.830714] +- Errorlevel: 0, output:
File is empty.
[ initrd] [ 14.831333] +------------------------
[ initrd] [ 14.831456] +--- Executing "/usr/sbin/openvpn /etc/client.conf"
[SYSLOG] <29>Sep 30 00:00:11 openvpn[653]: OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
[SYSLOG] <29>Sep 30 00:00:11 openvpn[653]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
[ initrd] [ 14.858972] +- Errorlevel: 0, output:
File is empty.
[ initrd] [ 14.859426] +------------------------
[SYSLOG] <28>Sep 30 00:00:11 openvpn[654]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
[SYSLOG] <29>Sep 30 00:00:11 openvpn[654]: TCP/UDP: Preserving recently used remote address: [AF_INET]*******:1194
[SYSLOG] <29>Sep 30 00:00:11 openvpn[654]: UDP link local: (not bound)
[SYSLOG] <29>Sep 30 00:00:11 openvpn[654]: UDP link remote: [AF_INET]*******:1194
[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1442', remote='link-mtu 1469'
[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA256'
[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
[SYSLOG] <29>Sep 30 00:00:12 openvpn[654]: [*******] Peer Connection Initiated with [AF_INET]*******:1194
[SYSLOG] <28>Sep 30 00:00:13 openvpn[654]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
[SYSLOG] <28>Sep 30 00:00:13 openvpn[654]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
[SYSLOG] <28>Sep 30 00:00:13 openvpn[654]: WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
[SYSLOG] <29>Sep 30 00:00:13 openvpn[654]: TUN/TAP device tun0 opened
[SYSLOG] <29>Sep 30 00:00:13 openvpn[654]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
[SYSLOG] <29>Sep 30 00:00:13 openvpn[654]: /sbin/ip link set dev tun0 up mtu 1400
[SYSLOG] <29>Sep 30 00:00:13 openvpn[654]: /sbin/ip addr add dev tun0 local 10.65.58.22 peer 10.65.58.21
[SYSLOG] <29>Sep 30 00:00:13 openvpn[654]: Initialization Sequence Completed
The vpn config looks like this:
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
ns-cert-type server
comp-lzo
daemon
remote ******* 1194
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
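The warnings in the log above spell out the mismatch directly: the client negotiates BF-CBC with SHA1 and a 128-bit key while the server runs AES-256-CBC with SHA256, the client sends comp-lzo that the server does not have, and OpenVPN asks for tun-mtu 1500 instead of 1400. The 64-bit block size of Blowfish is what triggers the SWEET32 warning, and adopting the server's AES-256-CBC/SHA256 pair removes it. The script below is an added example, not chris's configuration or anything from ipFire or OpenVPN: it parses exactly these OpenVPN 2.4 warning lines (the sample log is constructed from the post, with the remote address masked as in the original) and derives the client-side directives that bring the client into line with the server. The regexes assume the warning wording shown in the post; link-mtu is skipped because it follows from tun-mtu, and keysize is skipped because AES-256-CBC fixes the key length.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the WARNING lines from the post, reduced to the ones
# that matter for the configuration mismatch.
SAMPLE_LOG = """\
[SYSLOG] <28>Sep 30 00:00:11 openvpn[654]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1442', remote='link-mtu 1469'
[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA256'
[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
[SYSLOG] <28>Sep 30 00:00:13 openvpn[654]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
[SYSLOG] <29>Sep 30 00:00:13 openvpn[654]: Initialization Sequence Completed
"""

# Patterns match the OpenVPN 2.4 warning wording seen in the post (assumption:
# other versions may phrase these differently).
INCONSISTENT_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)
MISSING_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is present in local config but missing in remote config"
)
MTU_HINT_RE = re.compile(
    r"you should also set --tun-mtu (?P<want>\d+) \(currently it is (?P<have>\d+)\)"
)
INSECURE_RE = re.compile(r"WARNING: INSECURE cipher")

# Options not copied verbatim from the server side: link-mtu is derived from
# tun-mtu plus protocol overhead, and keysize is fixed once the cipher is AES.
DERIVED_OPTIONS = {"link-mtu", "keysize"}


def parse_mismatches(log: str) -> Dict[str, Tuple[str, str]]:
    """Return {option: (local_value, remote_value)} for every
    'is used inconsistently' warning. remote_value is the server's setting."""
    return {
        m.group("opt"): (m.group("local"), m.group("remote"))
        for m in INCONSISTENT_RE.finditer(log)
    }


def parse_local_only(log: str) -> List[str]:
    """Options the client sets that the server does not have at all."""
    return [m.group("opt") for m in MISSING_RE.finditer(log)]


def parse_mtu_hint(log: str) -> Optional[Tuple[int, int]]:
    """Return (recommended_tun_mtu, current_tun_mtu) if OpenVPN printed
    the --tun-mtu hint, else None."""
    m = MTU_HINT_RE.search(log)
    return (int(m.group("want")), int(m.group("have"))) if m else None


def has_insecure_cipher(log: str) -> bool:
    """True when OpenVPN flagged a small-block cipher (the SWEET32 warning)."""
    return INSECURE_RE.search(log) is not None


def suggest_client_fixes(log: str) -> List[str]:
    """Derive client directives that make the client match the server:
    take the server's value for each mismatched option, follow the MTU
    hint, and mark options the server lacks for removal."""
    fixes: List[str] = []
    for opt, (_local, remote) in sorted(parse_mismatches(log).items()):
        if opt not in DERIVED_OPTIONS:
            fixes.append(remote)  # e.g. "cipher AES-256-CBC"
    hint = parse_mtu_hint(log)
    if hint and hint[0] != hint[1]:
        fixes.append(f"tun-mtu {hint[0]}")
    for opt in parse_local_only(log):
        fixes.append(f"# remove '{opt}' from the client config")
    return fixes


if __name__ == "__main__":
    if has_insecure_cipher(SAMPLE_LOG):
        print("# client negotiated a 64-bit block cipher; fix below clears it")
    print("\n".join(suggest_client_fixes(SAMPLE_LOG)))
```

Run against the sample, the output is the set of client-side changes the log itself recommends: `auth SHA256`, `cipher AES-256-CBC`, `tun-mtu 1500`, and dropping `comp-lzo`. Once cipher and auth agree, the repeated INSECURE warnings and the reneg-bytes reduction disappear from the log, which is the quickest way to confirm the client profile now matches the server.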