Per varie ragioni (principalmente faciloneria da parte mia) nell’ultima settiman mi sono trovato a dover rifare due macchine la mia WS in ufficio e il mio portatile da combattimento sentiti pareri poco lusinghieri su Debian 13 e quindi su Devuan 6 son rimasto con Devuan 5.
\nNaturalmente mi son salvato tutte le configurazioni e i files importanti quindi rifatti i due PC ho banalmente copiato il copiabile se funzionava prima funzioner\u00e0 anche adesso ma Mr. Murphy mi ha messo una mano sulla spalla e con un sorriso maligno mi ha detto: “no mio caro, non funziona cos\u00ec”<\/p>\n
Infatti reinizializzata easi-rsa rigenerati i certificati etc etc etc copio le configurazioni server\/client e non va un bel niente.
\nIl fatto sconvolgente \u00e8 che invece la VPN ufficiale funziona perfettamente, la mia personale invece no, con poca calma e ancor meno pazienza mi metto a cercare di capire perch\u00e9 tutto funzionava e adesso non funziona pi\u00f9,il problema \u00e8 neanche a farlo apposta tls che \u00e8 non poco cambiato quindi cercando in Internet e andando un po per tentativi perch\u00e9 l’inerzia mentale \u00e8 un fatto (ma per quale motivo adesso non vai?) ho trovato questa soluzione e gi\u00e0 che c’ero ho sistemato anche un paio di warnng che ho sempre avuto, lato server avevo questo errore:<\/p>\n
2026-05-19 11:45:59 Note: cipher ‘AES-256-CBC’ in –data-ciphers is not supported by ovpn-dco, disabling data channel offload.
\n2026-05-19 11:45:59 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH\/PKTINFO] [AEAD] [DCO]
\n2026-05-19 11:45:59 library versions: OpenSSL 3.0.20 7 Apr 2026, LZO 2.10
\n2026-05-19 11:45:59 DCO version: N\/A
\n2026-05-19 11:45:59 net_route_v4_best_gw query: dst 0.0.0.0
\n2026-05-19 11:45:59 net_route_v4_best_gw result: via 192.168.2.224 dev eth0
\n2026-05-19 11:45:59 Diffie-Hellman initialized with 2048 bit key
\n2026-05-19 11:45:59 TUN\/TAP device tun0 opened
\n2026-05-19 11:45:59 net_iface_mtu_set: mtu 1500 for tun0
\n2026-05-19 11:45:59 net_iface_up: set tun0 up
\n2026-05-19 11:45:59 net_addr_v4_add: 172.27.120.1\/24 dev tun0
\n2026-05-19 11:45:59 Could not determine IPv4\/IPv6 protocol. Using AF_INET
\n2026-05-19 11:45:59 Socket Buffers: R=[131072->131072] S=[16384->16384]
\n2026-05-19 11:45:59 Listening for incoming TCP connection on [AF_INET][undef]:777
\n2026-05-19 11:45:59 TCPv4_SERVER link local (bound): [AF_INET][undef]:777
\n2026-05-19 11:45:59 TCPv4_SERVER link remote: [AF_UNSPEC]
\n2026-05-19 11:45:59 MULTI: multi_init called, r=256 v=256
\n2026-05-19 11:45:59 IFCONFIG POOL IPv4: base=172.27.120.2 size=253
\n2026-05-19 11:45:59 IFCONFIG POOL LIST
\n2026-05-19 11:45:59 MULTI: TCP INIT maxclients=1024 maxevents=1029
\n2026-05-19 11:45:59 Initialization Sequence Completed
\n2026-05-19 11:48:19 TCP connection established with [AF_INET]2.xxx.yyy.3:41644
\n2026-05-19 11:48:19 2.233.119.3:41644 Authenticate\/Decrypt packet error: packet HMAC authentication failed
\n2026-05-19 11:48:19 2.xxx.yyy.3:41644 TLS Error: incoming packet authentication failed from [AF_INET]2.xxx.yyy.3:41644
\n2026-05-19 11:48:19 2.xxx.yyy:41644 Fatal TLS error (check_tls_errors_co), restarting
\n2026-05-19 11:48:19 2.xxx.yyy.3:41644 SIGUSR1[soft,tls-error] received, client-instance restarting<\/p>\n
lato client quest’altro:
\n2026-03-25 20:06:56 WARNING: –ping should normally be used with –ping-restart or –ping-exit
\n2026-03-25 20:06:57 TCP\/UDP: Preserving recently used remote address: [AF_INET]62.97.44.211:777
\n2026-03-25 20:06:57 Socket Buffers: R=[131072->131072] S=[16384->16384]
\n2026-03-25 20:06:57 Attempting to establish TCP connection with [AF_INET]62.97.44.211:777
\n2026-03-25 20:06:57 TCP connection established with [AF_INET]62.97.44.211:777
\n2026-03-25 20:06:57 Socket flags: TCP_NODELAY=1 succeeded
\n2026-03-25 20:06:57 TCPv4_CLIENT link local: (not bound)
\n2026-03-25 20:06:57 TCPv4_CLIENT link remote: [AF_INET]62.97.44.211:777
\n2026-03-25 20:07:57 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
\n2026-03-25 20:07:57 TLS Error: TLS handshake failed
\n2026-03-25 20:07:57 Fatal TLS error (check_tls_errors_co), restarting
\n2026-03-25 20:07:57 SIGUSR1[soft,tls-error] received, process restarting
\n2026-03-25 20:07:57 Restart pause, 1 second(s)<\/p>\n
configurazione server :
\nport 777
\nproto tcp
\ndev tun
\nca \u00a0\u00a0\u00a0\u00a0\u00a0\/etc\/openvpn\/easy-rsa\/pki\/ca.crt
\ncert \u00a0\u00a0\u00a0\/etc\/openvpn\/easy-rsa\/pki\/issued\/server.crt
\nkey \u00a0\u00a0\u00a0\u00a0\/etc\/openvpn\/easy-rsa\/pki\/private\/server.key
\ndh \u00a0\u00a0\u00a0\u00a0\u00a0\/etc\/openvpn\/easy-rsa\/pki\/dh.pem
\ncrl-verify \/etc\/openvpn\/easy-rsa\/pki\/crl.pem
\ntopology subnet
\nserver 172.27.120.0 255.255.255.0
\nifconfig-pool-persist ipp.txt
\nclient-config-dir \/etc\/openvpn\/ccd
\ntls-crypt \/etc\/openvpn\/easy-rsa\/pki\/ta.key 0
\ncipher AES-256-CBC
\ndata-ciphers AES-256-CBC
\ndata-ciphers-fallback AES-256-CBC
\nauth SHA256
\npersist-key
\npersist-tun
\nkeepalive 10 120
\ntcp-nodelay
\nstatus \/var\/log\/openvpn\/openvpn-status.log
\nlog-append \u00a0\/var\/log\/openvpn\/server.log
\nverb 3<\/p>\n
i cambiamenti sono stati topology subnet che era un warning che avevo lato client e che per\u00f2 ha generato un altro problema che vedremo poco pi\u00f9 avanti e<\/p>\n
tls-cryp al posto di tls-auth<\/p>\n
l’aggiunta di<\/p>\n
data-ciphers AES-256-CBC
\ndata-ciphers-fallback AES-256-CBC<\/p>\n
per onestamente non ho capito bene il perch\u00e9 ma funziona e quindi non mi faccio troppe domande.<\/p>\n
configurazione client:<\/p>\n
client
\ndev tun
\nproto tcp<\/p>\n
remote vpn.myfirm.com 777
\nremote vpn1.myfirm.com 777
\nresolv-retry 60
\nnobind
\npersist-key
\npersist-tun<\/p>\n
cipher AES-256-CBC
\ndata-ciphers AES-256-CBC
\ndata-ciphers-fallback AES-256-CBC
\nremote-cert-tls server
\nverb 3
\nauth SHA256
\nkey-direction 1
\nauth-nocache
\nping 10
\nverb 3
\nmute 10
\nsndbuf 0
\nrcvbuf 0<\/p>\n
tcp-nodelay
\nlog-append \/var\/log\/openvpn\/client.log
\nstatus \/var\/log\/openvpn\/status.log<\/p>\n
<ca><\/p>\n
—–BEGIN CERTIFICATE—–<\/p>\n
il certificato ca
\n—–END CERTIFICATE—–<\/p>\n
<\/ca><\/p>\n
<tls-crypt>
\n#
\n# 2048 bit OpenVPN static key
\n#
\n—–BEGIN OpenVPN Static key V1—–
\nla chiave ta
\n—–<\/p>\n
—–END OpenVPN Static key V1—–<\/p>\n
<\/tls-crypt><\/p>\n
<cert>
\nil certificato del client<\/p>\n
<\/cert><\/p>\n
<key><\/p>\n
la chiave del client<\/p>\n
<\/key><\/p>\n
rilancio lato client e come dicevo sopra mi trovo questo errore:<\/p>\n
2026-05-20 11:51:01 WARNING: –ping should normally be used with –ping-restart or –ping-exit
\n2026-05-20 11:51:01 TCP\/UDP: Preserving recently used remote address: [AF_INET]212.xxx.zzz.86:777
\n2026-05-20 11:51:01 Socket Buffers: R=[131072->131072] S=[16384->16384]
\n2026-05-20 11:51:01 Attempting to establish TCP connection with [AF_INET]212.xxx.zzz.86:777
\n2026-05-20 11:51:01 TCP connection established with [AF_INET]212.xxx.zzz.86:777
\n2026-05-20 11:51:01 TCPv4_CLIENT link local: (not bound)
\n2026-05-20 11:51:01 TCPv4_CLIENT link remote: [AF_INET]212.xxx.zzz.86:777
\n2026-05-20 11:51:01 TLS: Initial packet from [AF_INET]212.xxx.zzz.86:777, sid=dd347a15 a1f068ca
\n2026-05-20 11:51:01 VERIFY OK: depth=1, CN=Easy-RSA CA
\n2026-05-20 11:51:01 VERIFY KU OK
\n2026-05-20 11:51:01 Validating certificate extended key usage
\n2026-05-20 11:51:01 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
\n2026-05-20 11:51:01 VERIFY EKU OK
\n2026-05-20 11:51:01 VERIFY OK: depth=0, CN=server
\n2026-05-20 11:51:01 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
\n2026-05-20 11:51:01 [server] Peer Connection Initiated with [AF_INET]212.xxx.zzz.86:777
\n2026-05-20 11:51:01 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
\n2026-05-20 11:51:01 TLS: tls_multi_process: initial untrusted session promoted to trusted
\n2026-05-20 11:51:01 PUSH: Received control message: ‘PUSH_REPLY,route-gateway 172.27.120.1,topology subnet,ping 10,ping-restart 120,route 192.168.2.0 255.255.254.0,dhcp-option DOMAIN INTRANET.LAN,dhcp-option DNS 192.168.2.254,dhcp-option DNS 192.168.2.224,ifconfig 172.27.120.10 172.27.120.11,
\npeer-id 0,cipher AES-256-CBC,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500’
\n2026-05-20 11:51:01 OPTIONS IMPORT: –ifconfig\/up options modified
\n2026-05-20 11:51:01 OPTIONS IMPORT: route options modified
\n2026-05-20 11:51:01 OPTIONS IMPORT: route-related options modified
\n2026-05-20 11:51:01 OPTIONS IMPORT: –ip-win32 and\/or –dhcp-option options modified
\n2026-05-20 11:51:01 OPTIONS IMPORT: tun-mtu set to 1500
\n2026-05-20 11:51:01 net_route_v4_best_gw query: dst 0.0.0.0
\n2026-05-20 11:51:01 net_route_v4_best_gw result: via 192.168.20.10 dev eth0
\n2026-05-20 11:51:01 ROUTE_GATEWAY 192.168.20.10\/255.255.255.0 IFACE=eth0 HWADDR=44:8a:5b:84:84:0e
\n2026-05-20 11:51:01 TUN\/TAP device tun0 opened
\n2026-05-20 11:51:01 net_iface_mtu_set: mtu 1500 for tun0
\n2026-05-20 11:51:01 net_iface_up: set tun0 up
\n2026-05-20 11:51:01 net_addr_v4_add: 172.27.120.10\/-1 dev tun0
\n2026-05-20 11:51:01 sitnl_send: rtnl: generic error (-22): Invalid argument
\n2026-05-20 11:51:01 Linux can’t add IP to interface tun0
\n2026-05-20 11:51:01 Exiting due to fatal error<\/p>\n
Ma come Linux non pu\u00f2 aggiungere l’ip a tun0????<\/p>\n
Anche qui la documentazione non \u00e8 chiarissima ma in un forum ho trovato una spiegazione semplice del fatto, dato che nelle nuove versioni openvpn ha hardcoded topology subnet invece di net30 bisogna cambiare i file nella direcotry ccd<\/p>\n
#ifconfig-push 172.27.120.10 172.27.120.11
\nifconfig-push 172.27.120.10 255.255.255.0
\npush “route 192.168.2.0 255.255.254.0”
\npush “dhcp-option DOMAIN INTRANET.LAN”
\npush “dhcp-option DNS 192.168.2.254”
\npush “dhcp-option DNS 192.168.2.224”<\/p>\n
topology subnet si aspetta IP\/SUBNET non IP\/IP cambiato questo e rilanciato la vpn \u00e8 salita senza problemi.<\/p>\n
<\/p>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Per varie ragioni (principalmente faciloneria da parte mia) nell’ultima settiman mi sono trovato a dover rifare due macchine la mia WS in ufficio e il mio portatile da combattimento sentiti pareri poco lusinghieri su Debian 13 e quindi su Devuan 6 son rimasto con Devuan 5. Naturalmente mi son salvato tutte le configurazioni e i […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,14,284],"tags":[136,78,315],"class_list":["post-2744","post","type-post","status-publish","format-standard","hentry","category-linux","category-networking","category-openvpn","tag-devuan","tag-openvpn","tag-tls"],"_links":{"self":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/2744","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2744"}],"version-history":[{"count":1,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/2744\/revisions"}],"predecessor-version":[{"id":2745,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/2744\/revisions\/2745"}],"wp:attachment":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2744"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2744"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2744"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}