This is a memo in which I record what I have learned through daily work and things I have noticed in everyday life.
HTML file generated: 2024/12/23 15:49:04.419 (Taiwan Standard Time)
The version of net/openvpn in pkgsrc has gone up to 2.6.3, and I found that trying to connect to VPN Gate with that openvpn 2.6.3 fails.
For example, when I run the following command, it attempts to connect, fails, attempts to connect again, and this cycle just keeps repeating.
# openvpn vpngate_vpn331140917.opengw.net_tcp_1676.ovpn
2023-05-16 13:09:51 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2023-05-16 13:09:51 OpenVPN 2.6.3 x86_64--netbsd [SSL (OpenSSL)] [LZO] [LZ4] [MH/PKTINFO] [AEAD]
2023-05-16 13:09:51 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-05-16 13:09:51 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2023-05-16 13:09:51 TCP/UDP: Preserving recently used remote address: [AF_INET]157.147.36.14:1676
2023-05-16 13:09:51 Socket Buffers: R=[32768->32768] S=[32768->32768]
2023-05-16 13:09:51 Attempting to establish TCP connection with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:51 TCP connection established with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:51 TCPv4_CLIENT link local: (not bound)
2023-05-16 13:09:51 TCPv4_CLIENT link remote: [AF_INET]157.147.36.14:1676
2023-05-16 13:09:52 TLS: Initial packet from [AF_INET]157.147.36.14:1676, sid=27515d25 bee02717
2023-05-16 13:09:52 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2023-05-16 13:09:52 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2023-05-16 13:09:52 VERIFY OK: depth=0, CN=opengw.net
2023-05-16 13:09:52 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-05-16 13:09:52 [opengw.net] Peer Connection Initiated with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:52 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-05-16 13:09:52 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-05-16 13:09:54 SENT CONTROL [opengw.net]: 'PUSH_REQUEST' (status=1)
2023-05-16 13:09:54 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.69 10.211.1.70,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.70,redirect-gateway def1'
2023-05-16 13:09:54 OPTIONS IMPORT: --ifconfig/up options modified
2023-05-16 13:09:54 OPTIONS IMPORT: route options modified
2023-05-16 13:09:54 OPTIONS IMPORT: route-related options modified
2023-05-16 13:09:54 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-05-16 13:09:54 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2023-05-16 13:09:54 ERROR: Failed to apply push options
2023-05-16 13:09:54 Failed to open tun/tap interface
2023-05-16 13:09:54 SIGUSR1[soft,process-push-msg-failed] received, process restarting
2023-05-16 13:09:54 Restart pause, 1 second(s)
2023-05-16 13:09:55 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2023-05-16 13:09:55 TCP/UDP: Preserving recently used remote address: [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 Socket Buffers: R=[32768->32768] S=[32768->32768]
2023-05-16 13:09:55 Attempting to establish TCP connection with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 TCP connection established with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 TCPv4_CLIENT link local: (not bound)
2023-05-16 13:09:55 TCPv4_CLIENT link remote: [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 TLS: Initial packet from [AF_INET]157.147.36.14:1676, sid=a983c662 f61b004c
2023-05-16 13:09:55 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2023-05-16 13:09:55 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2023-05-16 13:09:55 VERIFY OK: depth=0, CN=opengw.net
2023-05-16 13:09:55 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-05-16 13:09:55 [opengw.net] Peer Connection Initiated with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-05-16 13:09:55 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-05-16 13:09:56 SENT CONTROL [opengw.net]: 'PUSH_REQUEST' (status=1)
2023-05-16 13:09:56 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.69 10.211.1.70,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.70,redirect-gateway def1'
2023-05-16 13:09:56 OPTIONS IMPORT: --ifconfig/up options modified
2023-05-16 13:09:56 OPTIONS IMPORT: route options modified
2023-05-16 13:09:56 OPTIONS IMPORT: route-related options modified
2023-05-16 13:09:56 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-05-16 13:09:56 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2023-05-16 13:09:56 ERROR: Failed to apply push options
2023-05-16 13:09:56 Failed to open tun/tap interface
2023-05-16 13:09:56 SIGUSR1[soft,process-push-msg-failed] received, process restarting
2023-05-16 13:09:56 Restart pause, 1 second(s)
.....
Looking at the lines marked ERROR, they say the following.
2023-05-16 13:09:54 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2023-05-16 13:09:54 ERROR: Failed to apply push options
It seems that AES-128-CBC has to be listed in the --data-ciphers option.
So I tried running the following command.
# openvpn --data-ciphers AES-128-CBC vpngate_vpn331140917.opengw.net_tcp_1676.ovpn
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: data-ciphers (2.6.3)
Use --help for more information.
The command syntax seems to be the problem. Running man openvpn shows the following.
% man openvpn
OPENVPN(8)                  System Manager's Manual                 OPENVPN(8)

NAME
     openvpn - Secure IP tunnel daemon

SYNOPSIS
     openvpn [ options ... ]
     openvpn --help

INTRODUCTION
     OpenVPN is an open source VPN daemon by James Yonan. Because OpenVPN tries to be a universal VPN tool offering a great deal of flexibility, there are a lot of options on this manual page. If you're new to OpenVPN, you might want to skip ahead to the examples section where you will see how to construct simple VPNs on the command line without even needing a configuration file.

     Also note that there's more documentation and examples on the OpenVPN web site: https://openvpn.net/

     And if you would like to see a shorter version of this manual, see the openvpn usage message which can be obtained by running openvpn without any parameters.

DESCRIPTION
     OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.

     OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it.

     OpenVPN supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. OpenVPN also supports non-encrypted TCP/UDP tunnels.

     OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms.

     Overall, OpenVPN aims to offer many of the key features of IPSec but with a relatively lightweight footprint.

OPTIONS
     OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix can be removed when an option is placed in a configuration file.

   Generic Options
     This section covers generic options which are accessible regardless of which mode OpenVPN is configured as.

     --help
             Show options.

     .....

     --config file
             Load additional config options from file where each line corresponds to one command line option, but with the leading -- removed.

             If --config file is the only option to the openvpn command, the --config can be removed, and the command can be given as

                   openvpn file

     .....

NOTES
     This product includes software developed by the OpenSSL Project (https://www.openssl.org/)

     For more information on the TLS protocol, see http://www.ietf.org/rfc/rfc2246.txt

     For more information on the LZO real-time compression library see https://www.oberhumer.com/opensource/lzo/

COPYRIGHT
     Copyright (C) 2002-2020 OpenVPN Inc This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation.

AUTHORS
     James Yonan james@openvpn.net

                                                                    OPENVPN(8)
Under the --config option it says "If --config file is the only option to the openvpn command, the --config can be removed, and the command can be given as openvpn file", so when any option other than the configuration file is given, --config apparently cannot be omitted. In other words, when using --data-ciphers, the configuration file has to be specified with the --config option.
Doing the following solved the problem.
# openvpn --data-ciphers AES-128-CBC --config vpngate_vpn331140917.opengw.net_tcp_1676.ovpn
2023-05-16 13:21:41 OpenVPN 2.6.3 x86_64--netbsd [SSL (OpenSSL)] [LZO] [LZ4] [MH/PKTINFO] [AEAD]
2023-05-16 13:21:41 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-05-16 13:21:41 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2023-05-16 13:21:41 TCP/UDP: Preserving recently used remote address: [AF_INET]157.147.36.14:1676
2023-05-16 13:21:41 Socket Buffers: R=[32768->32768] S=[32768->32768]
2023-05-16 13:21:41 Attempting to establish TCP connection with [AF_INET]157.147.36.14:1676
2023-05-16 13:21:41 TCP connection established with [AF_INET]157.147.36.14:1676
2023-05-16 13:21:41 TCPv4_CLIENT link local: (not bound)
2023-05-16 13:21:41 TCPv4_CLIENT link remote: [AF_INET]157.147.36.14:1676
2023-05-16 13:21:42 TLS: Initial packet from [AF_INET]157.147.36.14:1676, sid=dd2be52d 37043016
2023-05-16 13:21:42 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2023-05-16 13:21:42 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2023-05-16 13:21:42 VERIFY OK: depth=0, CN=opengw.net
2023-05-16 13:21:42 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-05-16 13:21:42 [opengw.net] Peer Connection Initiated with [AF_INET]157.147.36.14:1676
2023-05-16 13:21:42 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-05-16 13:21:42 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-05-16 13:21:44 SENT CONTROL [opengw.net]: 'PUSH_REQUEST' (status=1)
2023-05-16 13:21:44 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.85 10.211.1.86,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.86,redirect-gateway def1'
2023-05-16 13:21:44 OPTIONS IMPORT: --ifconfig/up options modified
2023-05-16 13:21:44 OPTIONS IMPORT: route options modified
2023-05-16 13:21:44 OPTIONS IMPORT: route-related options modified
2023-05-16 13:21:44 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-05-16 13:21:44 Using peer cipher 'AES-128-CBC'
2023-05-16 13:21:44 TUN/TAP device /dev/tun0 opened
2023-05-16 13:21:44 /sbin/ifconfig tun0 10.211.1.85 10.211.1.86 mtu 1500 netmask 255.255.255.255 up
2023-05-16 13:21:44 /sbin/route add -net 157.147.36.14 10.20.30.1 -netmask 255.255.255.255
add net 157.147.36.14: gateway 10.20.30.1
2023-05-16 13:21:44 /sbin/route add -net 0.0.0.0 10.211.1.86 -netmask 128.0.0.0
add net 0.0.0.0: gateway 10.211.1.86
2023-05-16 13:21:44 /sbin/route add -net 128.0.0.0 10.211.1.86 -netmask 128.0.0.0
add net 128.0.0.0: gateway 10.211.1.86
2023-05-16 13:21:44 Initialization Sequence Completed
2023-05-16 13:21:44 Data Channel: cipher 'AES-128-CBC', auth 'SHA1'
2023-05-16 13:21:44 Timers: ping 3, ping-restart 10
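As an added example (not from this memo), a small POSIX shell helper that pulls the server's cipher and the client's current --data-ciphers list out of the OPTIONS ERROR line shown above, builds the corrected command with an explicit --config, and counts the "No server certificate verification" warnings the same log prints; the log text is constructed from the output above and client.ovpn is a made-up path. It goes one step beyond the memo by appending AES-128-CBC to the existing list rather than replacing it, so the AEAD ciphers stay available for servers that support them.

```shell
#!/bin/sh
# Added example, not from the memo. Log lines are constructed from the
# openvpn 2.6.3 output quoted in the memo; the config path is made up.
SAMPLE_LOG="2023-05-16 13:09:51 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2023-05-16 13:09:54 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2023-05-16 13:09:54 ERROR: Failed to apply push options"

# Print the cipher the server insists on; prints nothing if the log has no
# "failed to negotiate cipher" error.
server_cipher() {
    printf '%s\n' "$1" |
        sed -n "s/.*Add the server's cipher ('\([^']*\)') to --data-ciphers.*/\1/p" |
        head -n 1
}

# Print the client's current --data-ciphers list from the same error line.
current_data_ciphers() {
    printf '%s\n' "$1" |
        sed -n "s/.*--data-ciphers (currently '\([^']*\)').*/\1/p" |
        head -n 1
}

# Build the corrected command line. The config file must be given with an
# explicit --config here, because the bare "openvpn file" shorthand is only
# accepted when the config file is the sole argument. The server's cipher is
# appended to the existing list instead of replacing it.
# Usage: fixed_command <config-file> <log-text>; returns 1 if nothing to fix.
fixed_command() {
    cipher=$(server_cipher "$2")
    [ -n "$cipher" ] || return 1
    printf 'openvpn --data-ciphers %s:%s --config %s\n' \
        "$(current_data_ciphers "$2")" "$cipher" "$1"
}

# Count how often the log warns that the server certificate is not checked.
# A non-zero count means the .ovpn file has no verify-x509-name/remote-cert-tls
# style check and is worth fixing before the tunnel is trusted.
unverified_server_warnings() {
    printf '%s\n' "$1" |
        grep -c 'No server certificate verification method has been enabled'
}

fixed_command client.ovpn "$SAMPLE_LOG"
echo "unverified-server warnings: $(unverified_server_warnings "$SAMPLE_LOG")"
```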
Also, since the log says "library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10", it appears that OpenSSL 3.0 has been in use since OpenVPN 2.6. Apparently, now that OpenSSL 3.0 is in use, several ciphers can no longer be used with the default settings.