Notebook

これは日々の作業を通して学んだことや毎日の生活で気づいたことをを記録しておく備忘録である。

HTML ファイル生成日時: 2024/11/23 14:01:49.216 (台灣標準時)

OpenVPN 2.6 を使い VPN Gate に接続するときの注意点

pkgsrc の net/openvpn のバージョ ンが 2.6.3 になっていて、その openvpn 2.6.3 を使って VPN Gate に接続しようとすると失敗 してしまうことがわかったでござる。

例えば、以下のようなコマンドを実行すると、接続を試み、そして、失敗しては、また接続を試み、という状況が続くでござる。

#  openvpn vpngate_vpn331140917.opengw.net_tcp_1676.ovpn
2023-05-16 13:09:51 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2023-05-16 13:09:51 OpenVPN 2.6.3 x86_64--netbsd [SSL (OpenSSL)] [LZO] [LZ4] [MH/PKTINFO] [AEAD]
2023-05-16 13:09:51 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-05-16 13:09:51 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-05-16 13:09:51 TCP/UDP: Preserving recently used remote address: [AF_INET]157.147.36.14:1676
2023-05-16 13:09:51 Socket Buffers: R=[32768->32768] S=[32768->32768]
2023-05-16 13:09:51 Attempting to establish TCP connection with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:51 TCP connection established with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:51 TCPv4_CLIENT link local: (not bound)
2023-05-16 13:09:51 TCPv4_CLIENT link remote: [AF_INET]157.147.36.14:1676
2023-05-16 13:09:52 TLS: Initial packet from [AF_INET]157.147.36.14:1676, sid=27515d25 bee02717
2023-05-16 13:09:52 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2023-05-16 13:09:52 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2023-05-16 13:09:52 VERIFY OK: depth=0, CN=opengw.net
2023-05-16 13:09:52 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-05-16 13:09:52 [opengw.net] Peer Connection Initiated with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:52 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-05-16 13:09:52 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-05-16 13:09:54 SENT CONTROL [opengw.net]: 'PUSH_REQUEST' (status=1)
2023-05-16 13:09:54 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.69 10.211.1.70,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.70,redirect-gateway def1'
2023-05-16 13:09:54 OPTIONS IMPORT: --ifconfig/up options modified
2023-05-16 13:09:54 OPTIONS IMPORT: route options modified
2023-05-16 13:09:54 OPTIONS IMPORT: route-related options modified
2023-05-16 13:09:54 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-05-16 13:09:54 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2023-05-16 13:09:54 ERROR: Failed to apply push options
2023-05-16 13:09:54 Failed to open tun/tap interface
2023-05-16 13:09:54 SIGUSR1[soft,process-push-msg-failed] received, process restarting
2023-05-16 13:09:54 Restart pause, 1 second(s)
2023-05-16 13:09:55 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-05-16 13:09:55 TCP/UDP: Preserving recently used remote address: [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 Socket Buffers: R=[32768->32768] S=[32768->32768]
2023-05-16 13:09:55 Attempting to establish TCP connection with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 TCP connection established with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 TCPv4_CLIENT link local: (not bound)
2023-05-16 13:09:55 TCPv4_CLIENT link remote: [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 TLS: Initial packet from [AF_INET]157.147.36.14:1676, sid=a983c662 f61b004c
2023-05-16 13:09:55 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2023-05-16 13:09:55 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2023-05-16 13:09:55 VERIFY OK: depth=0, CN=opengw.net
2023-05-16 13:09:55 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-05-16 13:09:55 [opengw.net] Peer Connection Initiated with [AF_INET]157.147.36.14:1676
2023-05-16 13:09:55 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-05-16 13:09:55 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-05-16 13:09:56 SENT CONTROL [opengw.net]: 'PUSH_REQUEST' (status=1)
2023-05-16 13:09:56 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.69 10.211.1.70,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.70,redirect-gateway def1'
2023-05-16 13:09:56 OPTIONS IMPORT: --ifconfig/up options modified
2023-05-16 13:09:56 OPTIONS IMPORT: route options modified
2023-05-16 13:09:56 OPTIONS IMPORT: route-related options modified
2023-05-16 13:09:56 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-05-16 13:09:56 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2023-05-16 13:09:56 ERROR: Failed to apply push options
2023-05-16 13:09:56 Failed to open tun/tap interface
2023-05-16 13:09:56 SIGUSR1[soft,process-push-msg-failed] received, process restarting
2023-05-16 13:09:56 Restart pause, 1 second(s)

.....

ERROR とあるところを見てみると、以下のような記述があるでござる。

2023-05-16 13:09:54 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2023-05-16 13:09:54 ERROR: Failed to apply push options

--data-ciphers オプションに AES-128-CBC を指定しないといけないようでござる。

以下のようなコマンドを実行してみるでござる。

# openvpn --data-ciphers AES-128-CBC vpngate_vpn331140917.opengw.net_tcp_1676.ovpn
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: data-ciphers (2.6.3)
Use --help for more information.

書式に問題があるようでござる。 man openvpn を実行してみると、以下のよ うに書いてあるでござる。

% man openvpn
OPENVPN(8)                  System Manager's Manual                 OPENVPN(8)

NAME
       openvpn - Secure IP tunnel daemon

SYNOPSIS
       openvpn [ options ... ]
       openvpn  --help

INTRODUCTION
       OpenVPN is an open source VPN daemon by James Yonan. Because OpenVPN
       tries to be a universal VPN tool offering a great deal of flexibility,
       there are a lot of options on this manual page. If you're new to
       OpenVPN, you might want to skip ahead to the examples section where you
       will see how to construct simple VPNs on the command line without even
       needing a configuration file.

       Also note that there's more documentation and examples on the OpenVPN
       web site: https://openvpn.net/

       And if you would like to see a shorter version of this manual, see the
       openvpn usage message which can be obtained by running openvpn without
       any parameters.

DESCRIPTION
       OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports
       SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport
       through proxies or NAT, support for dynamic IP addresses and DHCP,
       scalability to hundreds or thousands of users, and portability to most
       major OS platforms.

       OpenVPN is tightly bound to the OpenSSL library, and derives much of
       its crypto capabilities from it.

       OpenVPN supports conventional encryption using a pre-shared secret key
       (Static Key mode) or public key security (SSL/TLS mode) using client &
       server certificates. OpenVPN also supports non-encrypted TCP/UDP
       tunnels.

       OpenVPN is designed to work with the TUN/TAP virtual networking
       interface that exists on most platforms.

       Overall, OpenVPN aims to offer many of the key features of IPSec but
       with a relatively lightweight footprint.

OPTIONS
       OpenVPN allows any option to be placed either on the command line or in
       a configuration file. Though all command line options are preceded by a
       double-leading-dash ("--"), this prefix can be removed when an option
       is placed in a configuration file.

   Generic Options
       This section covers generic options which are accessible regardless of
       which mode OpenVPN is configured as.

       --help Show options.

.....

       --config file
              Load additional config options from file where each line
              corresponds to one command line option, but with the leading --
              removed.

              If --config file is the only option to the openvpn command, the
              --config can be removed, and the command can be given as openvpn
              file

.....

NOTES
       This product includes software developed by the OpenSSL Project
       (https://www.openssl.org/)

       For more information on the TLS protocol, see
       http://www.ietf.org/rfc/rfc2246.txt

       For more information on the LZO real-time compression library see
       https://www.oberhumer.com/opensource/lzo/

COPYRIGHT
       Copyright (C) 2002-2020 OpenVPN Inc This program is free software; you
       can redistribute it and/or modify it under the terms of the GNU General
       Public License version 2 as published by the Free Software Foundation.

AUTHORS
       James Yonan james@openvpn.net

                                                                    OPENVPN(8)

--config オプションのところに、 "If --config file is the only option to the openvpn command, the --config can be removed, and the command can be given as openvpn file" とあるので、設定ファイルの 指定以外のオプションを使う場合には、 --config を省略できないようでござ る。つまり、 --data-ciphers を使う場合には、 --config オプションを使っ て設定ファイルを指定しないといけないようでござる。

以下のようにすると、問題が解決したでござる。

# openvpn --data-ciphers AES-128-CBC --config vpngate_vpn331140917.opengw.net_tcp_1676.ovpn
2023-05-16 13:21:41 OpenVPN 2.6.3 x86_64--netbsd [SSL (OpenSSL)] [LZO] [LZ4] [MH/PKTINFO] [AEAD]
2023-05-16 13:21:41 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-05-16 13:21:41 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-05-16 13:21:41 TCP/UDP: Preserving recently used remote address: [AF_INET]157.147.36.14:1676
2023-05-16 13:21:41 Socket Buffers: R=[32768->32768] S=[32768->32768]
2023-05-16 13:21:41 Attempting to establish TCP connection with [AF_INET]157.147.36.14:1676
2023-05-16 13:21:41 TCP connection established with [AF_INET]157.147.36.14:1676
2023-05-16 13:21:41 TCPv4_CLIENT link local: (not bound)
2023-05-16 13:21:41 TCPv4_CLIENT link remote: [AF_INET]157.147.36.14:1676
2023-05-16 13:21:42 TLS: Initial packet from [AF_INET]157.147.36.14:1676, sid=dd2be52d 37043016
2023-05-16 13:21:42 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2023-05-16 13:21:42 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2023-05-16 13:21:42 VERIFY OK: depth=0, CN=opengw.net
2023-05-16 13:21:42 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-05-16 13:21:42 [opengw.net] Peer Connection Initiated with [AF_INET]157.147.36.14:1676
2023-05-16 13:21:42 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-05-16 13:21:42 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-05-16 13:21:44 SENT CONTROL [opengw.net]: 'PUSH_REQUEST' (status=1)
2023-05-16 13:21:44 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.85 10.211.1.86,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.86,redirect-gateway def1'
2023-05-16 13:21:44 OPTIONS IMPORT: --ifconfig/up options modified
2023-05-16 13:21:44 OPTIONS IMPORT: route options modified
2023-05-16 13:21:44 OPTIONS IMPORT: route-related options modified
2023-05-16 13:21:44 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-05-16 13:21:44 Using peer cipher 'AES-128-CBC'
2023-05-16 13:21:44 TUN/TAP device /dev/tun0 opened
2023-05-16 13:21:44 /sbin/ifconfig tun0 10.211.1.85 10.211.1.86 mtu 1500 netmask 255.255.255.255 up
2023-05-16 13:21:44 /sbin/route add -net 157.147.36.14 10.20.30.1 -netmask 255.255.255.255
add net 157.147.36.14: gateway 10.20.30.1
2023-05-16 13:21:44 /sbin/route add -net 0.0.0.0 10.211.1.86 -netmask 128.0.0.0
add net 0.0.0.0: gateway 10.211.1.86
2023-05-16 13:21:44 /sbin/route add -net 128.0.0.0 10.211.1.86 -netmask 128.0.0.0
add net 128.0.0.0: gateway 10.211.1.86
2023-05-16 13:21:44 Initialization Sequence Completed
2023-05-16 13:21:44 Data Channel: cipher 'AES-128-CBC', auth 'SHA1'
2023-05-16 13:21:44 Timers: ping 3, ping-restart 10

また、 "library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10" とあるので、 OpenVPN 2.6 になってから、 OpenSSL 3.0 が使わ れるようになったようでござる。どうやら、 OpenSSL 3.0 が使われるように なって、幾つかの cipher がデフォルトの設定では使えないようになったよう でござる。

参考文献

• OpenVPN 2.6＋OpenSSL 3.0へのアップグレードで発生する可能性があるエラー

• About this article:
• author: daisuke
• file: 20230516_00.html
• category: Computer___Network
• title: OpenVPN 2.6 を使い VPN Gate に接続するときの注意点
• mode: public
• last modified: 2023/07/11 17:28:06 (Taiwan Standard Time)
• html generated: 2024/11/23 14:01:49.216 (Taiwan Standard Time)

Frequently accessed files

1. Computer___Python/20220518_0.html
• 11284 page views
• title: Matplotlib で作る図の縦横比
2. Computer___Network/20230726_00.html
• 4825 page views
• title: git の SSL certificate problem の解決方法
3. Misc___Taiwan/20240207_00.html
• 3553 page views
• title: 台灣から台灣の外に EMS で荷物を発送する方法
4. Computer___Network/20230516_00.html
• 3514 page views
• title: OpenVPN 2.6 を使い VPN Gate に接続するときの注意点
5. Computer___FreeBSD/20220621_0.html
• 2875 page views
• title: FreeBSD での X.org の設定の仕方
6. Computer___Python/20220715_0.html
• 2199 page views
• title: SciPy による最小二乗法
7. Computer___Network/20230508_00.html
• 2025 page views
• title: git push するときにパスワードの入力を省略する方法
8. Food___Taiwan/20220429_0.html
• 1939 page views
• title: 「楊滇風」の滇味辣炒豬
9. Computer___NetBSD/20220817_3.html
• 1666 page views
• title: JupyterLab のインストール直後に行うべきこと
10. Computer___Python/20220410_0.html
• 1662 page views
• title: Pint モジュールを使った単位を含む数値の取り扱い
11. Computer___Network/20240416_00.html
• 1617 page views
• title: git push としたときの error: RPC failed
12. Computer___Network/20240130_00.html
• 1611 page views
• title: Google Colaboratory で Python 3.12 を使う方法
13. Computer___Debian/20210223_1.html
• 1556 page views
• title: Debian で autofs を使い自動で NFS マウントする方法
14. Computer___NetBSD/20230119_00.html
• 1521 page views
• title: NetBSD でバイナリーパッケージを利用する方法
15. Computer___Python/20210124_0.html
• 1479 page views
• title: Python での argparse を使ったコマンドライン引数の取り扱い方法
16. Computer___Python/20221013_0.html
• 1474 page views
• title: Matplotlib での作図において順番を決めて点や線を描画する方法
17. Computer___NetBSD/20220818_1.html
• 1432 page views
• title: Emacs の markdown-mode について
18. Computer___NetBSD/20220428_0.html
• 1431 page views
• title: Beamer で verbatim 環境を使う方法
19. Science___Math/20220420_0.html
• 1306 page views
• title: ラプラシアンの三次元極座標表示
20. Computer___NetBSD/20240101_02.html
• 1300 page views
• title: ffmpeg を使って動画に音声を追加する方法
21. Computer___NetBSD/20220808_0.html
• 1271 page views
• title: 端末エミュレーターで使うフォントを指定する方法
22. Computer___TeX/20230503_00.html
• 1264 page views
• title: LaTeX CJK で日本語や中国語を取り扱うための準備について
23. Computer___NetBSD/20230515_00.html
• 1260 page views
• title: pkgsrc の fetch phase で問題
24. Science___Astronomy/20220503_0.html
• 1257 page views
• title: Lane-Emden 方程式を数値的に解く
25. Computer___NetBSD/20210127_0.html
• 1236 page views
• title: NetBSD 上で Apache により HTTPS サーバを立ち上げる方法
26. Computer___Python/20240101_00.html
• 1227 page views
• title: Matplotlib の 3D plot においての注意点
27. Computer___Network/20220413_1.html
• 1199 page views
• title: HTML 文書の中の一部の文字を点滅させる方法
28. Computer___Python/20220816_1.html
• 1146 page views
• title: Binder を使って Python スクリプトを実行する
29. Computer___NetBSD/20210204_0.html
• 1137 page views
• title: Raspberry Pi 4 への NetBSD のインストール
30. Travel___Taiwan/20220809_2.html
• 1127 page views
• title: 老鷹溪生態親子步道

• back to category index page.
• back to list of all the articles.
• list of frequenly accessed articles.
• back to main index page.