Notebook

これは日々の作業を通して学んだことや毎日の生活で気づいたことをを記録しておく備忘録である。

HTML ファイル生成日時: 2024/12/23 15:49:04.419 (台灣標準時)

OpenVPN 2.6 を使い VPN Gate に接続するときの注意点

pkgsrc の net/openvpn のバージョ ンが 2.6.3 になっていて、その openvpn 2.6.3 を使って VPN Gate に接続しようとすると失敗 してしまうことがわかったでござる。

例えば、以下のようなコマンドを実行すると、接続を試み、そして、失敗しては、また接続を試み、という状況が続くでござる。


#  openvpn vpngate_vpn331140917.opengw.net_tcp_1676.ovpn
2023-05-16 13:09:51 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2023-05-16 13:09:51 OpenVPN 2.6.3 x86_64--netbsd [SSL (OpenSSL)] [LZO] [LZ4] [MH/PKTINFO] [AEAD]
2023-05-16 13:09:51 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-05-16 13:09:51 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-05-16 13:09:51 TCP/UDP: Preserving recently used remote address: [AF_INET]157.147.36.14:1676
2023-05-16 13:09:51 Socket Buffers: R=[32768->32768] S=[32768->32768]
2023-05-16 13:09:51 Attempting to establish TCP connection with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:51 TCP connection established with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:51 TCPv4_CLIENT link local: (not bound)
2023-05-16 13:09:51 TCPv4_CLIENT link remote: [AF_INET]157.147.36.14:1676
2023-05-16 13:09:52 TLS: Initial packet from [AF_INET]157.147.36.14:1676, sid=27515d25 bee02717
2023-05-16 13:09:52 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2023-05-16 13:09:52 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2023-05-16 13:09:52 VERIFY OK: depth=0, CN=opengw.net
2023-05-16 13:09:52 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-05-16 13:09:52 [opengw.net] Peer Connection Initiated with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:52 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-05-16 13:09:52 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-05-16 13:09:54 SENT CONTROL [opengw.net]: 'PUSH_REQUEST' (status=1)
2023-05-16 13:09:54 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.69 10.211.1.70,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.70,redirect-gateway def1'
2023-05-16 13:09:54 OPTIONS IMPORT: --ifconfig/up options modified
2023-05-16 13:09:54 OPTIONS IMPORT: route options modified
2023-05-16 13:09:54 OPTIONS IMPORT: route-related options modified
2023-05-16 13:09:54 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-05-16 13:09:54 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2023-05-16 13:09:54 ERROR: Failed to apply push options
2023-05-16 13:09:54 Failed to open tun/tap interface
2023-05-16 13:09:54 SIGUSR1[soft,process-push-msg-failed] received, process restarting
2023-05-16 13:09:54 Restart pause, 1 second(s)
2023-05-16 13:09:55 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-05-16 13:09:55 TCP/UDP: Preserving recently used remote address: [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 Socket Buffers: R=[32768->32768] S=[32768->32768]
2023-05-16 13:09:55 Attempting to establish TCP connection with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 TCP connection established with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 TCPv4_CLIENT link local: (not bound)
2023-05-16 13:09:55 TCPv4_CLIENT link remote: [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 TLS: Initial packet from [AF_INET]157.147.36.14:1676, sid=a983c662 f61b004c
2023-05-16 13:09:55 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2023-05-16 13:09:55 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2023-05-16 13:09:55 VERIFY OK: depth=0, CN=opengw.net
2023-05-16 13:09:55 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-05-16 13:09:55 [opengw.net] Peer Connection Initiated with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-05-16 13:09:55 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-05-16 13:09:56 SENT CONTROL [opengw.net]: 'PUSH_REQUEST' (status=1)
2023-05-16 13:09:56 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.69 10.211.1.70,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.70,redirect-gateway def1'
2023-05-16 13:09:56 OPTIONS IMPORT: --ifconfig/up options modified
2023-05-16 13:09:56 OPTIONS IMPORT: route options modified
2023-05-16 13:09:56 OPTIONS IMPORT: route-related options modified
2023-05-16 13:09:56 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-05-16 13:09:56 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2023-05-16 13:09:56 ERROR: Failed to apply push options
2023-05-16 13:09:56 Failed to open tun/tap interface
2023-05-16 13:09:56 SIGUSR1[soft,process-push-msg-failed] received, process restarting
2023-05-16 13:09:56 Restart pause, 1 second(s)

.....

ERROR とあるところを見てみると、以下のような記述があるでござる。


2023-05-16 13:09:54 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2023-05-16 13:09:54 ERROR: Failed to apply push options

--data-ciphers オプションに AES-128-CBC を指定しないといけないようでござる。

以下のようなコマンドを実行してみるでござる。


# openvpn --data-ciphers AES-128-CBC vpngate_vpn331140917.opengw.net_tcp_1676.ovpn
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: data-ciphers (2.6.3)
Use --help for more information.

書式に問題があるようでござる。 man openvpn を実行してみると、以下のよ うに書いてあるでござる。


% man openvpn
OPENVPN(8)                  System Manager's Manual                 OPENVPN(8)

NAME
       openvpn - Secure IP tunnel daemon

SYNOPSIS
       openvpn [ options ... ]
       openvpn  --help

INTRODUCTION
       OpenVPN is an open source VPN daemon by James Yonan. Because OpenVPN
       tries to be a universal VPN tool offering a great deal of flexibility,
       there are a lot of options on this manual page. If you're new to
       OpenVPN, you might want to skip ahead to the examples section where you
       will see how to construct simple VPNs on the command line without even
       needing a configuration file.

       Also note that there's more documentation and examples on the OpenVPN
       web site: https://openvpn.net/

       And if you would like to see a shorter version of this manual, see the
       openvpn usage message which can be obtained by running openvpn without
       any parameters.

DESCRIPTION
       OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports
       SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport
       through proxies or NAT, support for dynamic IP addresses and DHCP,
       scalability to hundreds or thousands of users, and portability to most
       major OS platforms.

       OpenVPN is tightly bound to the OpenSSL library, and derives much of
       its crypto capabilities from it.

       OpenVPN supports conventional encryption using a pre-shared secret key
       (Static Key mode) or public key security (SSL/TLS mode) using client &
       server certificates. OpenVPN also supports non-encrypted TCP/UDP
       tunnels.

       OpenVPN is designed to work with the TUN/TAP virtual networking
       interface that exists on most platforms.

       Overall, OpenVPN aims to offer many of the key features of IPSec but
       with a relatively lightweight footprint.

OPTIONS
       OpenVPN allows any option to be placed either on the command line or in
       a configuration file. Though all command line options are preceded by a
       double-leading-dash ("--"), this prefix can be removed when an option
       is placed in a configuration file.

   Generic Options
       This section covers generic options which are accessible regardless of
       which mode OpenVPN is configured as.

       --help Show options.

.....

       --config file
              Load additional config options from file where each line
              corresponds to one command line option, but with the leading --
              removed.

              If --config file is the only option to the openvpn command, the
              --config can be removed, and the command can be given as openvpn
              file

.....

NOTES
       This product includes software developed by the OpenSSL Project
       (https://www.openssl.org/)

       For more information on the TLS protocol, see
       http://www.ietf.org/rfc/rfc2246.txt

       For more information on the LZO real-time compression library see
       https://www.oberhumer.com/opensource/lzo/

COPYRIGHT
       Copyright (C) 2002-2020 OpenVPN Inc This program is free software; you
       can redistribute it and/or modify it under the terms of the GNU General
       Public License version 2 as published by the Free Software Foundation.

AUTHORS
       James Yonan james@openvpn.net

                                                                    OPENVPN(8)

--config オプションのところに、 "If --config file is the only option to the openvpn command, the --config can be removed, and the command can be given as openvpn file" とあるので、設定ファイルの 指定以外のオプションを使う場合には、 --config を省略できないようでござ る。つまり、 --data-ciphers を使う場合には、 --config オプションを使っ て設定ファイルを指定しないといけないようでござる。

以下のようにすると、問題が解決したでござる。


# openvpn --data-ciphers AES-128-CBC --config vpngate_vpn331140917.opengw.net_tcp_1676.ovpn
2023-05-16 13:21:41 OpenVPN 2.6.3 x86_64--netbsd [SSL (OpenSSL)] [LZO] [LZ4] [MH/PKTINFO] [AEAD]
2023-05-16 13:21:41 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-05-16 13:21:41 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-05-16 13:21:41 TCP/UDP: Preserving recently used remote address: [AF_INET]157.147.36.14:1676
2023-05-16 13:21:41 Socket Buffers: R=[32768->32768] S=[32768->32768]
2023-05-16 13:21:41 Attempting to establish TCP connection with [AF_INET]157.147.36.14:1676
2023-05-16 13:21:41 TCP connection established with [AF_INET]157.147.36.14:1676
2023-05-16 13:21:41 TCPv4_CLIENT link local: (not bound)
2023-05-16 13:21:41 TCPv4_CLIENT link remote: [AF_INET]157.147.36.14:1676
2023-05-16 13:21:42 TLS: Initial packet from [AF_INET]157.147.36.14:1676, sid=dd2be52d 37043016
2023-05-16 13:21:42 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2023-05-16 13:21:42 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2023-05-16 13:21:42 VERIFY OK: depth=0, CN=opengw.net
2023-05-16 13:21:42 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-05-16 13:21:42 [opengw.net] Peer Connection Initiated with [AF_INET]157.147.36.14:1676
2023-05-16 13:21:42 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-05-16 13:21:42 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-05-16 13:21:44 SENT CONTROL [opengw.net]: 'PUSH_REQUEST' (status=1)
2023-05-16 13:21:44 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.85 10.211.1.86,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.86,redirect-gateway def1'
2023-05-16 13:21:44 OPTIONS IMPORT: --ifconfig/up options modified
2023-05-16 13:21:44 OPTIONS IMPORT: route options modified
2023-05-16 13:21:44 OPTIONS IMPORT: route-related options modified
2023-05-16 13:21:44 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-05-16 13:21:44 Using peer cipher 'AES-128-CBC'
2023-05-16 13:21:44 TUN/TAP device /dev/tun0 opened
2023-05-16 13:21:44 /sbin/ifconfig tun0 10.211.1.85 10.211.1.86 mtu 1500 netmask 255.255.255.255 up
2023-05-16 13:21:44 /sbin/route add -net 157.147.36.14 10.20.30.1 -netmask 255.255.255.255
add net 157.147.36.14: gateway 10.20.30.1
2023-05-16 13:21:44 /sbin/route add -net 0.0.0.0 10.211.1.86 -netmask 128.0.0.0
add net 0.0.0.0: gateway 10.211.1.86
2023-05-16 13:21:44 /sbin/route add -net 128.0.0.0 10.211.1.86 -netmask 128.0.0.0
add net 128.0.0.0: gateway 10.211.1.86
2023-05-16 13:21:44 Initialization Sequence Completed
2023-05-16 13:21:44 Data Channel: cipher 'AES-128-CBC', auth 'SHA1'
2023-05-16 13:21:44 Timers: ping 3, ping-restart 10

また、 "library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10" とあるので、 OpenVPN 2.6 になってから、 OpenSSL 3.0 が使わ れるようになったようでござる。どうやら、 OpenSSL 3.0 が使われるように なって、幾つかの cipher がデフォルトの設定では使えないようになったよう でござる。

参考文献



Frequently accessed files

  1. Computer___Python/20220518_0.html
  2. Computer___Network/20230726_00.html
  3. Misc___Taiwan/20240207_00.html
  4. Computer___Network/20230516_00.html
  5. Computer___FreeBSD/20220621_0.html
  6. Computer___Python/20220715_0.html
  7. Computer___Network/20230508_00.html
  8. Food___Taiwan/20220429_0.html
  9. Computer___Network/20240130_00.html
  10. Computer___Python/20220410_0.html
  11. Computer___NetBSD/20220817_3.html
  12. Computer___Network/20240416_00.html
  13. Computer___NetBSD/20230119_00.html
  14. Computer___Debian/20210223_1.html
  15. Computer___Python/20221013_0.html
  16. Computer___Python/20210124_0.html
  17. Computer___NetBSD/20220428_0.html
  18. Computer___NetBSD/20220818_1.html
  19. Computer___NetBSD/20240101_02.html
  20. Computer___Python/20240101_00.html
  21. Science___Math/20220420_0.html
  22. Computer___NetBSD/20220808_0.html
  23. Computer___TeX/20230503_00.html
  24. Computer___Network/20220413_1.html
  25. Science___Astronomy/20220503_0.html
  26. Computer___NetBSD/20230515_00.html
  27. Computer___NetBSD/20210127_0.html
  28. Computer___TeX/20231107_00.html
  29. Computer___Python/20220816_1.html
  30. Computer___Python/20230717_01.html


HTML file generated by Kinoshita Daisuke.