OpenVPN with ipfire (connection problem)

All about WTware on Raspberry. Wtware works with Raspberry Pi 3 Model B and Pi 2 Model B devices
http://www.winterminal.com
chris
Posts: 7
Joined: Fri Oct 27, 2017 8:15 pm

OpenVPN with ipfire (connection problem)

Post by chris » Mon Nov 13, 2017 10:42 pm

I use an open source OpenVPN/Router solution (ipFire) to connect clients to a remote network. When I take a working profile to connect to the openVPN server, the connection to the Windows TS cannot be established.

The RPI gets an IP address (road warrior) and connects to the VPN server, but cannot get pinged from the VPN server.
The same config works with regular Windows/Mac clients.

IP config of the RPI


eth0      Link encap:Ethernet  HWaddr B8:27:EB:6F:C0:A4  
          inet addr:192.168.188.33  Bcast:192.168.188.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:882 errors:0 dropped:0 overruns:0 frame:0
          TX packets:841 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:230421 (225.0 KiB)  TX bytes:100397 (98.0 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.65.58.22  P-t-P:10.65.58.21  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
The log lists that there is a problem with the encryption.


Send broadcast WTCU discover.
[        initrd] [   13.372328] Run OpenVPN with user config configs/openvpn.cfg.
[        initrd] [   13.376828] Unpack /bootmedia/packages/pi2-dbus.
[        initrd] [   13.651154] +--- Executing "/usr/bin/dbus-daemon --system"
[        initrd] [   13.694850] +- Errorlevel: 0, output:
File is empty.
[        initrd] [   13.695525] +------------------------
[        initrd] [   13.695612] Unpack /bootmedia/packages/pi2-xnet.
[        initrd] [   14.822597] +--- Executing "/sbin/modprobe tun"
[        KERNEL] [   14.830361] tun: Universal TUN/TAP device driver, 1.6
[        KERNEL] [   14.830369] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[        initrd] [   14.830714] +- Errorlevel: 0, output:
File is empty.
[        initrd] [   14.831333] +------------------------
[        initrd] [   14.831456] +--- Executing "/usr/sbin/openvpn /etc/client.conf"
[SYSLOG] <29>Sep 30 00:00:11 openvpn[653]: OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
[SYSLOG] <29>Sep 30 00:00:11 openvpn[653]: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
[        initrd] [   14.858972] +- Errorlevel: 0, output:
File is empty.
[        initrd] [   14.859426] +------------------------
[SYSLOG] <28>Sep 30 00:00:11 openvpn[654]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
[SYSLOG] <29>Sep 30 00:00:11 openvpn[654]: TCP/UDP: Preserving recently used remote address: [AF_INET]*******:1194
[SYSLOG] <29>Sep 30 00:00:11 openvpn[654]: UDP link local: (not bound)
[SYSLOG] <29>Sep 30 00:00:11 openvpn[654]: UDP link remote: [AF_INET]*******:1194
[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1442', remote='link-mtu 1469'
[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA256'
[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
[SYSLOG] <29>Sep 30 00:00:12 openvpn[654]: [*******] Peer Connection Initiated with [AF_INET]*******:1194
[SYSLOG] <28>Sep 30 00:00:13 openvpn[654]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
[SYSLOG] <28>Sep 30 00:00:13 openvpn[654]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
[SYSLOG] <28>Sep 30 00:00:13 openvpn[654]: WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
[SYSLOG] <29>Sep 30 00:00:13 openvpn[654]: TUN/TAP device tun0 opened
[SYSLOG] <29>Sep 30 00:00:13 openvpn[654]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
[SYSLOG] <29>Sep 30 00:00:13 openvpn[654]: /sbin/ip link set dev tun0 up mtu 1400
[SYSLOG] <29>Sep 30 00:00:13 openvpn[654]: /sbin/ip addr add dev tun0 local 10.65.58.22 peer 10.65.58.21
[SYSLOG] <29>Sep 30 00:00:13 openvpn[654]: Initialization Sequence Completed
The vpn config looks like this:


tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
ns-cert-type server
comp-lzo
daemon
remote ******* 1194

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>

aka
SUPPORT
Posts: 573
Joined: Fri Dec 03, 2004 2:05 pm

Re: OpenVPN with ipfire (connection problem)

Post by aka » Tue Nov 14, 2017 11:10 am

[SYSLOG] <29>Sep 30 00:00:13 openvpn[654]: Initialization Sequence Completed
OpenVPN link established. Problem is somewhere outside OpenVPN.

chris
Posts: 7
Joined: Fri Oct 27, 2017 8:15 pm

Re: OpenVPN with ipfire (connection problem)

Post by chris » Wed Nov 15, 2017 12:23 pm

Problem solved.

Connection was successfully established, but transmission did not work.
The most important thing is to add "tls-client" to the config for a proper encrypted transmission. MTU and cipher have to be adjusted according to the server's preferences.

It has to look like this:


tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote 111.111.111.1 1194
cipher AES-256-CBC
auth SHA256
verb 3
ns-cert-type server
verify-x509-name 111.111.111.1 name
daemon
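
The security-relevant point in this thread is that "Initialization Sequence Completed" only means the TLS control channel came up. With an OpenVPN 2.4 client whose peer does not negotiate data-channel parameters, the cipher, HMAC and compression settings are taken from each side's own config; the server announced AES-256-CBC / SHA256 / no comp-lzo while the client used BF-CBC / SHA1 / comp-lzo, so both ends encrypted packets the other could not decrypt, which is exactly why tun0 showed RX/TX 0 and the Blowfish SWEET32 warning appeared. The options-consistency warnings in the log already contain everything needed to fix the client. The following script is an added example (not code from the thread or from WTware/ipfire): it parses those warnings, derives the client directives that must be added or dropped, and rewrites the client config. The log lines and config embedded below are copied from the first post as constructed sample input.

```python
"""Reconcile an OpenVPN client config with the peer's announced options.

OpenVPN 2.4 logs one 'WARNING: ... is used inconsistently' or
'... present in local config but missing in remote config' line per option
that differs from the peer's options string. The tunnel still comes up, but
mismatched data-channel cipher/auth/compression means neither side can
decrypt the other's packets. This example turns those warnings into the
directives the client needs. It is illustrative code, not part of OpenVPN.
"""
import re

# Warning formats emitted by OpenVPN's options consistency check (options.c).
INCONSISTENT_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
ONE_SIDED_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is present in (?P<side>local|remote) config "
    r"but missing in (?:local|remote) config, (?:local|remote)='(?P<value>[^']*)'")
SWEET32_RE = re.compile(r"INSECURE cipher with block size less than 128 bit")

# Options OpenVPN derives from others: fixing cipher/auth/comp resolves the
# link-mtu difference, and 'keysize' is deprecated, so neither is emitted.
DERIVED = {"link-mtu", "keysize"}


def parse_warnings(log_lines):
    """Return the peer-mismatch warnings found in OpenVPN client log lines."""
    result = {"inconsistent": {}, "local_only": {}, "remote_only": {}, "sweet32": False}
    for line in log_lines:
        m = INCONSISTENT_RE.search(line)
        if m:
            result["inconsistent"][m["opt"]] = (m["local"], m["remote"])
            continue
        m = ONE_SIDED_RE.search(line)
        if m:
            key = "local_only" if m["side"] == "local" else "remote_only"
            result[key][m["opt"]] = m["value"]
            continue
        if SWEET32_RE.search(line):
            result["sweet32"] = True
    return result


def derive_client_changes(parsed):
    """Translate warnings into (directives to add, directive names to drop).

    For a road-warrior client the server side is authoritative: inconsistent
    options take the remote value, options only the client has are dropped,
    and options only the server has are added.
    """
    add, drop = [], []
    for opt, (_local, remote) in sorted(parsed["inconsistent"].items()):
        if opt not in DERIVED:
            add.append(remote)
    for opt in sorted(parsed["local_only"]):
        if opt not in DERIVED:
            drop.append(opt)
    for opt, value in sorted(parsed["remote_only"].items()):
        if opt not in DERIVED:
            add.append(value)
    return add, drop


def apply_to_config(config_text, add, drop):
    """Rewrite a client .conf: remove dropped/replaced directives, append new ones."""
    replaced = {d.split()[0] for d in add} | set(drop)
    kept = [ln for ln in config_text.splitlines()
            if not (ln.split() and ln.split()[0] in replaced)]
    return "\n".join(kept + add) + "\n"


# Constructed sample input: warning lines copied from the post above, syslog
# prefix included so the regexes run against realistic log text.
SAMPLE_LOG = [
    "[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1442', remote='link-mtu 1469'",
    "[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'",
    "[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'",
    "[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA256'",
    "[SYSLOG] <28>Sep 30 00:00:12 openvpn[654]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'",
    "[SYSLOG] <28>Sep 30 00:00:13 openvpn[654]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).",
    "[SYSLOG] <29>Sep 30 00:00:13 openvpn[654]: Initialization Sequence Completed",
]

# The original client config from the post, minus the inline certificate blocks.
SAMPLE_CONFIG = """\
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
ns-cert-type server
comp-lzo
daemon
remote ******* 1194
"""

if __name__ == "__main__":
    parsed = parse_warnings(SAMPLE_LOG)
    add, drop = derive_client_changes(parsed)
    print("add:", add, "drop:", drop, "sweet32 warning:", parsed["sweet32"])
    print(apply_to_config(SAMPLE_CONFIG, add, drop))
```

Run against the posted log this yields `add = ['auth SHA256', 'cipher AES-256-CBC']`, `drop = ['comp-lzo']` and a SWEET32 flag, which matches the working config in the last post. The link-mtu warning is deliberately not turned into a directive: once cipher, auth and compression agree, the computed link-mtu agrees too, and hard-coding it would only mask a future mismatch.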
