Clark's Home page

Assorted technical notes from a Linux sysadmin, plus a bit of his life

Another OpenVPN on Devuan

For various reasons (mainly carelessness on my part) in the last week I found myself having to rebuild two machines, my workstation at the office and my field laptop; having heard unflattering opinions about Debian 13, and therefore about Devuan 6, I stayed with Devuan 5.
Naturally I had saved all my configurations and important files, so once the two PCs were rebuilt I simply copied over whatever could be copied: if it worked before it will work now. But Mr. Murphy put a hand on my shoulder and, with a malicious grin, told me: "no, my dear, that's not how it works".

Indeed: easy-rsa reinitialised, certificates regenerated and so on, I copy the server/client configurations over and nothing works at all.
The baffling thing is that the official VPN works perfectly while my personal one does not. With little calm and even less patience I set about understanding why everything used to work and now doesn't; the problem, as if on purpose, is TLS, which has changed quite a bit. Searching the Internet and proceeding somewhat by trial and error, because mental inertia is a real thing (why on earth don't you start now?), I found the solution below, and while I was at it I also fixed a couple of warnings I had always had. Server side I had this error:

2026-05-19 11:45:59 Note: cipher 'AES-256-CBC' in --data-ciphers is not supported by ovpn-dco, disabling data channel offload.
2026-05-19 11:45:59 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2026-05-19 11:45:59 library versions: OpenSSL 3.0.20 7 Apr 2026, LZO 2.10
2026-05-19 11:45:59 DCO version: N/A
2026-05-19 11:45:59 net_route_v4_best_gw query: dst 0.0.0.0
2026-05-19 11:45:59 net_route_v4_best_gw result: via 192.168.2.224 dev eth0
2026-05-19 11:45:59 Diffie-Hellman initialized with 2048 bit key
2026-05-19 11:45:59 TUN/TAP device tun0 opened
2026-05-19 11:45:59 net_iface_mtu_set: mtu 1500 for tun0
2026-05-19 11:45:59 net_iface_up: set tun0 up
2026-05-19 11:45:59 net_addr_v4_add: 172.27.120.1/24 dev tun0
2026-05-19 11:45:59 Could not determine IPv4/IPv6 protocol. Using AF_INET
2026-05-19 11:45:59 Socket Buffers: R=[131072->131072] S=[16384->16384]
2026-05-19 11:45:59 Listening for incoming TCP connection on [AF_INET][undef]:777
2026-05-19 11:45:59 TCPv4_SERVER link local (bound): [AF_INET][undef]:777
2026-05-19 11:45:59 TCPv4_SERVER link remote: [AF_UNSPEC]
2026-05-19 11:45:59 MULTI: multi_init called, r=256 v=256
2026-05-19 11:45:59 IFCONFIG POOL IPv4: base=172.27.120.2 size=253
2026-05-19 11:45:59 IFCONFIG POOL LIST
2026-05-19 11:45:59 MULTI: TCP INIT maxclients=1024 maxevents=1029
2026-05-19 11:45:59 Initialization Sequence Completed
2026-05-19 11:48:19 TCP connection established with [AF_INET]2.xxx.yyy.3:41644
2026-05-19 11:48:19 2.233.119.3:41644 Authenticate/Decrypt packet error: packet HMAC authentication failed
2026-05-19 11:48:19 2.xxx.yyy.3:41644 TLS Error: incoming packet authentication failed from [AF_INET]2.xxx.yyy.3:41644
2026-05-19 11:48:19 2.xxx.yyy:41644 Fatal TLS error (check_tls_errors_co), restarting
2026-05-19 11:48:19 2.xxx.yyy.3:41644 SIGUSR1[soft,tls-error] received, client-instance restarting

Client side, this other one:

2026-03-25 20:06:56 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2026-03-25 20:06:57 TCP/UDP: Preserving recently used remote address: [AF_INET]62.97.44.211:777
2026-03-25 20:06:57 Socket Buffers: R=[131072->131072] S=[16384->16384]
2026-03-25 20:06:57 Attempting to establish TCP connection with [AF_INET]62.97.44.211:777
2026-03-25 20:06:57 TCP connection established with [AF_INET]62.97.44.211:777
2026-03-25 20:06:57 Socket flags: TCP_NODELAY=1 succeeded
2026-03-25 20:06:57 TCPv4_CLIENT link local: (not bound)
2026-03-25 20:06:57 TCPv4_CLIENT link remote: [AF_INET]62.97.44.211:777
2026-03-25 20:07:57 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2026-03-25 20:07:57 TLS Error: TLS handshake failed
2026-03-25 20:07:57 Fatal TLS error (check_tls_errors_co), restarting
2026-03-25 20:07:57 SIGUSR1[soft,tls-error] received, process restarting
2026-03-25 20:07:57 Restart pause, 1 second(s)

Server configuration:
port 777
proto tcp
dev tun
ca      /etc/openvpn/easy-rsa/pki/ca.crt
cert    /etc/openvpn/easy-rsa/pki/issued/server.crt
key     /etc/openvpn/easy-rsa/pki/private/server.key
dh      /etc/openvpn/easy-rsa/pki/dh.pem
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
topology subnet
server 172.27.120.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
persist-key
persist-tun
keepalive 10 120
tcp-nodelay
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/server.log
verb 3

The changes were: topology subnet, which was a warning I had on the client side and which however generated another problem, which we'll see a bit further on;

tls-crypt instead of tls-auth;

and the addition of

data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC

which, honestly, I haven't fully understood the reason for, but it works and so I don't ask myself too many questions.
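Two of those three changes have a matching symptom in the logs above, and it helps to know which is which. "packet HMAC authentication failed" on the very first packet from a client is what the server prints when the control-channel wrapping does not match: one side on tls-auth and the other on tls-crypt (or a wrong key-direction). The data-ciphers lines matter because, since OpenVPN 2.5, the data cipher is negotiated from the data-ciphers list rather than from the legacy cipher option, so a client that only offers AES-256-CBC has nothing in common with a peer still running the default list. The script below is an added example, not part of the original post: it checks a server config and a client config against each other for exactly those two points. The sample configs it writes to a temporary directory are constructed here to mirror the before/after state of this post (the static key inside is a placeholder, not a real key), and the default list assumed when data-ciphers is absent is OpenVPN 2.6's AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305.

```shell
#!/bin/sh
# Added example (not from the original post): check an OpenVPN server config
# and a client config against each other for the two things the post had to
# change: control-channel wrapping (tls-auth vs tls-crypt) and the data-ciphers
# list. Plain POSIX sh; no OpenVPN installation is needed.

# First value of an option, ignoring comments; "$1" = file, "$2" = keyword.
opt_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# Control-channel wrapping: crypt (tls-crypt), auth (tls-auth) or none.
# Both "tls-crypt file" and the inline <tls-crypt> block count.
cc_mode() {
    if grep -Eq '^[[:space:]]*(tls-crypt([[:space:]]|$)|<tls-crypt>)' "$1"; then echo crypt
    elif grep -Eq '^[[:space:]]*(tls-auth([[:space:]]|$)|<tls-auth>)' "$1"; then echo auth
    else echo none; fi
}

# Cipher list a peer offers for negotiation. Assumption: with no data-ciphers
# line, OpenVPN 2.6 uses its default list.
data_ciphers() {
    dc=$(opt_value "$1" data-ciphers)
    if [ -n "$dc" ]; then echo "$dc"; else echo "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"; fi
}

# Colon-separated intersection of two cipher lists, in the order of the first.
common_ciphers() {
    out=""; oldifs=$IFS; IFS=:
    for x in $1; do for y in $2; do [ "$x" = "$y" ] && out="${out:+$out:}$x"; done; done
    IFS=$oldifs; echo "$out"
}

# Print findings for a server/client pair; exit 0 only if both checks pass.
check_pair() {
    rc=0
    s=$(cc_mode "$1"); c=$(cc_mode "$2")
    if [ "$s" != "$c" ]; then
        echo "control channel: server=$s client=$c -> expect 'packet HMAC authentication failed' and a TLS handshake timeout"
        rc=1
    fi
    sl=$(data_ciphers "$1"); cl=$(data_ciphers "$2")
    cc=$(common_ciphers "$sl" "$cl")
    if [ -z "$cc" ]; then
        echo "data-ciphers: nothing in common between '$sl' and '$cl'"
        rc=1
    else
        echo "data-ciphers: negotiable set '$cc'"
    fi
    return $rc
}

# Constructed sample configs: the pre-fix server, the post-fix server and the
# new client with an inline (placeholder) tls-crypt key.
demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/server-old.conf" <<'EOF'
port 777
proto tcp
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
EOF
cat > "$demo_dir/server-new.conf" <<'EOF'
port 777
proto tcp
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC
EOF
cat > "$demo_dir/client.conf" <<'EOF'
client
remote vpn.myfirm.com 777
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
0000 constructed placeholder, not a real key 0000
-----END OpenVPN Static key V1-----
</tls-crypt>
data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC
EOF

echo "== old server vs new client =="
check_pair "$demo_dir/server-old.conf" "$demo_dir/client.conf" || echo "-> inconsistent (status $?)"
echo "== new server vs new client =="
check_pair "$demo_dir/server-new.conf" "$demo_dir/client.conf" && echo "-> consistent"
```

Run it against real files by calling check_pair with the paths of your server.conf and client.ovpn; it only reads them. The check is deliberately narrow: it does not validate the key material, only whether the two sides are even trying to talk the same dialect.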

Client configuration:

client
dev tun
proto tcp

remote vpn.myfirm.com 777
remote vpn1.myfirm.com 777
resolv-retry 60
nobind
persist-key
persist-tun

cipher AES-256-CBC
data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC
remote-cert-tls server
verb 3
auth SHA256
key-direction 1
auth-nocache
ping 10
verb 3
mute 10
sndbuf 0
rcvbuf 0

tcp-nodelay
log-append /var/log/openvpn/client.log
status /var/log/openvpn/status.log

<ca>
-----BEGIN CERTIFICATE-----
the CA certificate
-----END CERTIFICATE-----
</ca>

<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
the ta key
-----END OpenVPN Static key V1-----
</tls-crypt>

<cert>
the client certificate
</cert>

<key>
the client key
</key>

I relaunch on the client side and, as I said above, I get this error:

2026-05-20 11:51:01 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2026-05-20 11:51:01 TCP/UDP: Preserving recently used remote address: [AF_INET]212.xxx.zzz.86:777
2026-05-20 11:51:01 Socket Buffers: R=[131072->131072] S=[16384->16384]
2026-05-20 11:51:01 Attempting to establish TCP connection with [AF_INET]212.xxx.zzz.86:777
2026-05-20 11:51:01 TCP connection established with [AF_INET]212.xxx.zzz.86:777
2026-05-20 11:51:01 TCPv4_CLIENT link local: (not bound)
2026-05-20 11:51:01 TCPv4_CLIENT link remote: [AF_INET]212.xxx.zzz.86:777
2026-05-20 11:51:01 TLS: Initial packet from [AF_INET]212.xxx.zzz.86:777, sid=dd347a15 a1f068ca
2026-05-20 11:51:01 VERIFY OK: depth=1, CN=Easy-RSA CA
2026-05-20 11:51:01 VERIFY KU OK
2026-05-20 11:51:01 Validating certificate extended key usage
2026-05-20 11:51:01 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2026-05-20 11:51:01 VERIFY EKU OK
2026-05-20 11:51:01 VERIFY OK: depth=0, CN=server
2026-05-20 11:51:01 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2026-05-20 11:51:01 [server] Peer Connection Initiated with [AF_INET]212.xxx.zzz.86:777
2026-05-20 11:51:01 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2026-05-20 11:51:01 TLS: tls_multi_process: initial untrusted session promoted to trusted
2026-05-20 11:51:01 PUSH: Received control message: 'PUSH_REPLY,route-gateway 172.27.120.1,topology subnet,ping 10,ping-restart 120,route 192.168.2.0 255.255.254.0,dhcp-option DOMAIN INTRANET.LAN,dhcp-option DNS 192.168.2.254,dhcp-option DNS 192.168.2.224,ifconfig 172.27.120.10 172.27.120.11,peer-id 0,cipher AES-256-CBC,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
2026-05-20 11:51:01 OPTIONS IMPORT: --ifconfig/up options modified
2026-05-20 11:51:01 OPTIONS IMPORT: route options modified
2026-05-20 11:51:01 OPTIONS IMPORT: route-related options modified
2026-05-20 11:51:01 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2026-05-20 11:51:01 OPTIONS IMPORT: tun-mtu set to 1500
2026-05-20 11:51:01 net_route_v4_best_gw query: dst 0.0.0.0
2026-05-20 11:51:01 net_route_v4_best_gw result: via 192.168.20.10 dev eth0
2026-05-20 11:51:01 ROUTE_GATEWAY 192.168.20.10/255.255.255.0 IFACE=eth0 HWADDR=44:8a:5b:84:84:0e
2026-05-20 11:51:01 TUN/TAP device tun0 opened
2026-05-20 11:51:01 net_iface_mtu_set: mtu 1500 for tun0
2026-05-20 11:51:01 net_iface_up: set tun0 up
2026-05-20 11:51:01 net_addr_v4_add: 172.27.120.10/-1 dev tun0
2026-05-20 11:51:01 sitnl_send: rtnl: generic error (-22): Invalid argument
2026-05-20 11:51:01 Linux can’t add IP to interface tun0
2026-05-20 11:51:01 Exiting due to fatal error

What do you mean, Linux can't add the IP to tun0????

Here too the documentation isn't very clear, but on a forum I found a simple explanation: since the new OpenVPN versions have topology subnet hardcoded instead of net30, the files in the ccd directory have to be changed:

#ifconfig-push 172.27.120.10 172.27.120.11
ifconfig-push 172.27.120.10 255.255.255.0
push "route 192.168.2.0 255.255.254.0"
push "dhcp-option DOMAIN INTRANET.LAN"
push "dhcp-option DNS 192.168.2.254"
push "dhcp-option DNS 192.168.2.224"

topology subnet expects IP/NETMASK, not IP/IP; with this changed and the VPN relaunched, it came up without problems.
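The failing line in the log tells the same story: "net_addr_v4_add: 172.27.120.10/-1" is the client trying to turn the pushed 172.27.120.11 into a prefix length and getting nonsense. With more than a handful of ccd files it is easy to miss one, so here is an added example, not from the original post, that walks ccd files and rewrites any net30-style "ifconfig-push IP PEER" into "ifconfig-push IP NETMASK", leaving commented-out lines and every other directive untouched. It goes slightly beyond the post in that it decides by checking whether the second argument is a contiguous netmask at all (255.255.255.0 and 255.255.254.0 pass, 172.27.120.11 or 255.0.255.0 do not), rather than by matching one known address. The server netmask to substitute is passed in by hand (255.255.255.0, from the "server 172.27.120.0 255.255.255.0" line); the ccd file it operates on is constructed in a temporary directory from the pre-fix content of this post.

```shell
#!/bin/sh
# Added example (not from the original post): normalise ccd files for
# "topology subnet" by replacing a net30-style peer address in ifconfig-push
# with the server's netmask. POSIX sh, assumes 64-bit shell arithmetic.
set -f   # no pathname expansion while splitting config lines into words

# Dotted quad -> unsigned 32-bit integer; non-zero status if not a valid IPv4.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when "$1" is a contiguous netmask (ones followed by zeros), false for
# 0.0.0.0 and for host addresses such as 172.27.120.11.
is_netmask() {
    n=$(ip2int "$1") || return 1
    [ "$n" -ne 0 ] || return 1
    inv=$(( 4294967295 - n ))              # bitwise NOT inside 32 bits
    [ $(( inv & (inv + 1) )) -eq 0 ]       # NOT(mask) must be 2^k - 1
}

# Print one ccd line, rewritten if it is "ifconfig-push IP <not-a-netmask>".
# "$1" = line, "$2" = server netmask. Returns 1 when the line was changed.
fix_ifconfig_push() {
    line=$1; mask=$2
    set -- $line
    if [ "$1" = ifconfig-push ] && [ $# -ge 3 ] && ! is_netmask "$3"; then
        printf '%s\n' "ifconfig-push $2 $mask"
        return 1
    fi
    printf '%s\n' "$line"
}

# Rewrite a ccd file in place (original kept as FILE.bak when anything changed)
# and print the number of lines fixed. "$1" = file, "$2" = server netmask.
fix_ccd_file() {
    changed=0; tmp="$1.tmp"
    while IFS= read -r l || [ -n "$l" ]; do
        fix_ifconfig_push "$l" "$2" || changed=$((changed + 1))
    done < "$1" > "$tmp"
    if [ "$changed" -gt 0 ]; then cp "$1" "$1.bak"; mv "$tmp" "$1"; else rm -f "$tmp"; fi
    echo "$changed"
}

# Constructed sample: a ccd entry in the pre-fix (net30) form from the post.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
cat > "$demo/laptop" <<'EOF'
#ifconfig-push 172.27.120.10 172.27.120.11
ifconfig-push 172.27.120.10 172.27.120.11
push "route 192.168.2.0 255.255.254.0"
push "dhcp-option DOMAIN INTRANET.LAN"
EOF

echo "lines fixed in $demo/laptop: $(fix_ccd_file "$demo/laptop" 255.255.255.0)"
cat "$demo/laptop"
```

On a real server, loop over /etc/openvpn/ccd/* with fix_ccd_file and the netmask from your server line, diff each file against its .bak, and only then restart the service; a client whose ccd entry is still in the old form will keep failing with the "Linux can't add IP to interface" error above.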

Categorised as: Linux | Networking | Openvpn