Notebook

This is a memorandum recording things I have learned through daily work and things I have noticed in everyday life.

HTML file generated on: 2024/05/08 09:31:52.302 (Taiwan Standard Time)

Points to note when connecting to VPN Gate with OpenVPN 2.6

The version of net/openvpn in pkgsrc has become 2.6.3, and I found that trying to connect to VPN Gate with that openvpn 2.6.3 fails.

For example, running the following command results in a loop: it attempts to connect, fails, and then attempts to connect again.


#  openvpn vpngate_vpn331140917.opengw.net_tcp_1676.ovpn
2023-05-16 13:09:51 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2023-05-16 13:09:51 OpenVPN 2.6.3 x86_64--netbsd [SSL (OpenSSL)] [LZO] [LZ4] [MH/PKTINFO] [AEAD]
2023-05-16 13:09:51 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-05-16 13:09:51 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-05-16 13:09:51 TCP/UDP: Preserving recently used remote address: [AF_INET]157.147.36.14:1676
2023-05-16 13:09:51 Socket Buffers: R=[32768->32768] S=[32768->32768]
2023-05-16 13:09:51 Attempting to establish TCP connection with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:51 TCP connection established with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:51 TCPv4_CLIENT link local: (not bound)
2023-05-16 13:09:51 TCPv4_CLIENT link remote: [AF_INET]157.147.36.14:1676
2023-05-16 13:09:52 TLS: Initial packet from [AF_INET]157.147.36.14:1676, sid=27515d25 bee02717
2023-05-16 13:09:52 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2023-05-16 13:09:52 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2023-05-16 13:09:52 VERIFY OK: depth=0, CN=opengw.net
2023-05-16 13:09:52 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-05-16 13:09:52 [opengw.net] Peer Connection Initiated with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:52 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-05-16 13:09:52 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-05-16 13:09:54 SENT CONTROL [opengw.net]: 'PUSH_REQUEST' (status=1)
2023-05-16 13:09:54 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.69 10.211.1.70,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.70,redirect-gateway def1'
2023-05-16 13:09:54 OPTIONS IMPORT: --ifconfig/up options modified
2023-05-16 13:09:54 OPTIONS IMPORT: route options modified
2023-05-16 13:09:54 OPTIONS IMPORT: route-related options modified
2023-05-16 13:09:54 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-05-16 13:09:54 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2023-05-16 13:09:54 ERROR: Failed to apply push options
2023-05-16 13:09:54 Failed to open tun/tap interface
2023-05-16 13:09:54 SIGUSR1[soft,process-push-msg-failed] received, process restarting
2023-05-16 13:09:54 Restart pause, 1 second(s)
2023-05-16 13:09:55 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-05-16 13:09:55 TCP/UDP: Preserving recently used remote address: [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 Socket Buffers: R=[32768->32768] S=[32768->32768]
2023-05-16 13:09:55 Attempting to establish TCP connection with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 TCP connection established with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 TCPv4_CLIENT link local: (not bound)
2023-05-16 13:09:55 TCPv4_CLIENT link remote: [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 TLS: Initial packet from [AF_INET]157.147.36.14:1676, sid=a983c662 f61b004c
2023-05-16 13:09:55 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2023-05-16 13:09:55 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2023-05-16 13:09:55 VERIFY OK: depth=0, CN=opengw.net
2023-05-16 13:09:55 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-05-16 13:09:55 [opengw.net] Peer Connection Initiated with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-05-16 13:09:55 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-05-16 13:09:56 SENT CONTROL [opengw.net]: 'PUSH_REQUEST' (status=1)
2023-05-16 13:09:56 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.69 10.211.1.70,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.70,redirect-gateway def1'
2023-05-16 13:09:56 OPTIONS IMPORT: --ifconfig/up options modified
2023-05-16 13:09:56 OPTIONS IMPORT: route options modified
2023-05-16 13:09:56 OPTIONS IMPORT: route-related options modified
2023-05-16 13:09:56 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-05-16 13:09:56 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2023-05-16 13:09:56 ERROR: Failed to apply push options
2023-05-16 13:09:56 Failed to open tun/tap interface
2023-05-16 13:09:56 SIGUSR1[soft,process-push-msg-failed] received, process restarting
2023-05-16 13:09:56 Restart pause, 1 second(s)

.....

Looking at the lines marked ERROR, the following is written:


2023-05-16 13:09:54 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2023-05-16 13:09:54 ERROR: Failed to apply push options

It seems that AES-128-CBC has to be specified in the --data-ciphers option.

Let me try running the following command.


# openvpn --data-ciphers AES-128-CBC vpngate_vpn331140917.opengw.net_tcp_1676.ovpn
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: data-ciphers (2.6.3)
Use --help for more information.

There seems to be a problem with the syntax. Running man openvpn shows the following.


% man openvpn
OPENVPN(8)                  System Manager's Manual                 OPENVPN(8)

NAME
       openvpn - Secure IP tunnel daemon

SYNOPSIS
       openvpn [ options ... ]
       openvpn  --help

INTRODUCTION
       OpenVPN is an open source VPN daemon by James Yonan. Because OpenVPN
       tries to be a universal VPN tool offering a great deal of flexibility,
       there are a lot of options on this manual page. If you're new to
       OpenVPN, you might want to skip ahead to the examples section where you
       will see how to construct simple VPNs on the command line without even
       needing a configuration file.

       Also note that there's more documentation and examples on the OpenVPN
       web site: https://openvpn.net/

       And if you would like to see a shorter version of this manual, see the
       openvpn usage message which can be obtained by running openvpn without
       any parameters.

DESCRIPTION
       OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports
       SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport
       through proxies or NAT, support for dynamic IP addresses and DHCP,
       scalability to hundreds or thousands of users, and portability to most
       major OS platforms.

       OpenVPN is tightly bound to the OpenSSL library, and derives much of
       its crypto capabilities from it.

       OpenVPN supports conventional encryption using a pre-shared secret key
       (Static Key mode) or public key security (SSL/TLS mode) using client &
       server certificates. OpenVPN also supports non-encrypted TCP/UDP
       tunnels.

       OpenVPN is designed to work with the TUN/TAP virtual networking
       interface that exists on most platforms.

       Overall, OpenVPN aims to offer many of the key features of IPSec but
       with a relatively lightweight footprint.

OPTIONS
       OpenVPN allows any option to be placed either on the command line or in
       a configuration file. Though all command line options are preceded by a
       double-leading-dash ("--"), this prefix can be removed when an option
       is placed in a configuration file.

   Generic Options
       This section covers generic options which are accessible regardless of
       which mode OpenVPN is configured as.

       --help Show options.

.....

       --config file
              Load additional config options from file where each line
              corresponds to one command line option, but with the leading --
              removed.

              If --config file is the only option to the openvpn command, the
              --config can be removed, and the command can be given as openvpn
              file

.....

NOTES
       This product includes software developed by the OpenSSL Project
       (https://www.openssl.org/)

       For more information on the TLS protocol, see
       http://www.ietf.org/rfc/rfc2246.txt

       For more information on the LZO real-time compression library see
       https://www.oberhumer.com/opensource/lzo/

COPYRIGHT
       Copyright (C) 2002-2020 OpenVPN Inc This program is free software; you
       can redistribute it and/or modify it under the terms of the GNU General
       Public License version 2 as published by the Free Software Foundation.

AUTHORS
       James Yonan james@openvpn.net

                                                                    OPENVPN(8)

Under the --config option it says, "If --config file is the only option to the openvpn command, the --config can be removed, and the command can be given as openvpn file", so when using any option other than the configuration file, --config apparently cannot be omitted. In other words, when using --data-ciphers, the configuration file must be specified with the --config option.

Doing the following solved the problem.


# openvpn --data-ciphers AES-128-CBC --config vpngate_vpn331140917.opengw.net_tcp_1676.ovpn
2023-05-16 13:21:41 OpenVPN 2.6.3 x86_64--netbsd [SSL (OpenSSL)] [LZO] [LZ4] [MH/PKTINFO] [AEAD]
2023-05-16 13:21:41 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-05-16 13:21:41 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-05-16 13:21:41 TCP/UDP: Preserving recently used remote address: [AF_INET]157.147.36.14:1676
2023-05-16 13:21:41 Socket Buffers: R=[32768->32768] S=[32768->32768]
2023-05-16 13:21:41 Attempting to establish TCP connection with [AF_INET]157.147.36.14:1676
2023-05-16 13:21:41 TCP connection established with [AF_INET]157.147.36.14:1676
2023-05-16 13:21:41 TCPv4_CLIENT link local: (not bound)
2023-05-16 13:21:41 TCPv4_CLIENT link remote: [AF_INET]157.147.36.14:1676
2023-05-16 13:21:42 TLS: Initial packet from [AF_INET]157.147.36.14:1676, sid=dd2be52d 37043016
2023-05-16 13:21:42 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2023-05-16 13:21:42 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2023-05-16 13:21:42 VERIFY OK: depth=0, CN=opengw.net
2023-05-16 13:21:42 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-05-16 13:21:42 [opengw.net] Peer Connection Initiated with [AF_INET]157.147.36.14:1676
2023-05-16 13:21:42 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-05-16 13:21:42 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-05-16 13:21:44 SENT CONTROL [opengw.net]: 'PUSH_REQUEST' (status=1)
2023-05-16 13:21:44 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.85 10.211.1.86,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.86,redirect-gateway def1'
2023-05-16 13:21:44 OPTIONS IMPORT: --ifconfig/up options modified
2023-05-16 13:21:44 OPTIONS IMPORT: route options modified
2023-05-16 13:21:44 OPTIONS IMPORT: route-related options modified
2023-05-16 13:21:44 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-05-16 13:21:44 Using peer cipher 'AES-128-CBC'
2023-05-16 13:21:44 TUN/TAP device /dev/tun0 opened
2023-05-16 13:21:44 /sbin/ifconfig tun0 10.211.1.85 10.211.1.86 mtu 1500 netmask 255.255.255.255 up
2023-05-16 13:21:44 /sbin/route add -net 157.147.36.14 10.20.30.1 -netmask 255.255.255.255
add net 157.147.36.14: gateway 10.20.30.1
2023-05-16 13:21:44 /sbin/route add -net 0.0.0.0 10.211.1.86 -netmask 128.0.0.0
add net 0.0.0.0: gateway 10.211.1.86
2023-05-16 13:21:44 /sbin/route add -net 128.0.0.0 10.211.1.86 -netmask 128.0.0.0
add net 128.0.0.0: gateway 10.211.1.86
2023-05-16 13:21:44 Initialization Sequence Completed
2023-05-16 13:21:44 Data Channel: cipher 'AES-128-CBC', auth 'SHA1'
2023-05-16 13:21:44 Timers: ping 3, ping-restart 10

Also, since the log says "library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10", it seems that OpenSSL 3.0 is used from OpenVPN 2.6 onward. It appears that, with OpenSSL 3.0 in use, some ciphers are no longer usable with the default settings.
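As an added example (not code from this post), a small Python helper that applies the two findings above to a constructed VPN Gate style profile: it reads the profile's cipher directive, appends that cipher to the OpenVPN 2.6 default --data-ciphers list quoted in the OPTIONS ERROR line, and emits a command line that passes the profile through --config. The host name, port and profile contents are constructed for the example.

```python
"""Build the OpenVPN 2.6 command line a legacy .ovpn profile (one that still
uses 'cipher X') needs, following the two findings of the post above."""
import shlex

# OpenVPN 2.6 default --data-ciphers list, as quoted in the OPTIONS ERROR line.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"

# Constructed sample profile; host and port mirror the file name used in the post.
SAMPLE_OVPN = """\
client
dev tun
proto tcp
remote vpn331140917.opengw.net 1676
cipher AES-128-CBC  # legacy data-channel cipher the server insists on
auth SHA1
"""

def config_directives(text):
    """Map directive -> argument list for every non-comment line of an .ovpn file."""
    directives = {}
    for line in text.splitlines():
        # OpenVPN treats both '#' and ';' as comment introducers.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            directives[parts[0]] = parts[1:]
    return directives

def required_data_ciphers(text, defaults=DEFAULT_DATA_CIPHERS):
    """--data-ciphers value this profile needs, or None if the 2.6 defaults suffice.
    The legacy cipher is appended to the defaults, not substituted for them, so the
    AEAD ciphers stay negotiable with servers that support them."""
    d = config_directives(text)
    if d.get("data-ciphers") or d.get("ncp-ciphers"):  # profile sets its own list
        return None
    cipher = d.get("cipher")
    if cipher and cipher[0].upper() not in defaults.upper().split(":"):
        return defaults + ":" + cipher[0]
    return None

def openvpn_argv(path, text):
    """'openvpn FILE' is only valid when FILE is the sole argument; as soon as any
    other option is added, the profile has to be passed with --config."""
    extra = required_data_ciphers(text)
    if extra is None:
        return ["openvpn", path]
    return ["openvpn", "--data-ciphers", extra, "--config", path]

if __name__ == "__main__":
    print(shlex.join(openvpn_argv("vpngate_vpn331140917.opengw.net_tcp_1676.ovpn", SAMPLE_OVPN)))
```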


HTML file generated by Kinoshita Daisuke.