This is a memorandum in which I record things learned through day-to-day work and things noticed in everyday life.
HTML file generated: 2024/11/21 17:40:55.112 (Taiwan Standard Time)
When I tried using OpenVPN, it printed the following messages and could not connect to the vpngate.net VPN server.
# /usr/pkg/sbin/openvpn --data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC --config vpngate_vpn148949900.opengw.net_tcp_1613.ovpn
2023-07-11 17:24:52 OpenVPN 2.6.5 x86_64--netbsd [SSL (OpenSSL)] [LZO] [LZ4] [MH/PKTINFO] [AEAD]
2023-07-11 17:24:52 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
2023-07-11 17:24:52 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2023-07-11 17:24:52 TCP/UDP: Preserving recently used remote address: [AF_INET]153.167.126.44:1613
2023-07-11 17:24:52 Socket Buffers: R=[32768->32768] S=[32768->32768]
2023-07-11 17:24:52 Attempting to establish TCP connection with [AF_INET]153.167.126.44:1613
2023-07-11 17:24:52 TCP connection established with [AF_INET]153.167.126.44:1613
2023-07-11 17:24:52 TCPv4_CLIENT link local: (not bound)
2023-07-11 17:24:52 TCPv4_CLIENT link remote: [AF_INET]153.167.126.44:1613
2023-07-11 17:24:52 TLS: Initial packet from [AF_INET]153.167.126.44:1613, sid=7dec3829 b71b4311
2023-07-11 17:24:53 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2023-07-11 17:24:53 OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
2023-07-11 17:24:53 TLS_ERROR: BIO read tls_read_plaintext error
2023-07-11 17:24:53 TLS Error: TLS object -> incoming plaintext read error
2023-07-11 17:24:53 TLS Error: TLS handshake failed
2023-07-11 17:24:53 Fatal TLS error (check_tls_errors_co), restarting
2023-07-11 17:24:53 SIGUSR1[soft,tls-error] received, process restarting
2023-07-11 17:24:53 Restart pause, 1 second(s)
Reading the messages, the problem seems to be that the server and the client have no TLS protocol version in common. Which TLS protocol versions the client will use is apparently determined by two options, --tls-version-min and --tls-version-max. Since the message says to try adding the --tls-version-min 1.0 option, let's give it a try.
# /usr/pkg/sbin/openvpn --tls-version-min 1.0 --data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC --config vpngate_vpn148949900.opengw.net_tcp_1613.ovpn
2023-07-11 17:25:32 OpenVPN 2.6.5 x86_64--netbsd [SSL (OpenSSL)] [LZO] [LZ4] [MH/PKTINFO] [AEAD]
2023-07-11 17:25:32 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
2023-07-11 17:25:32 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2023-07-11 17:25:32 TCP/UDP: Preserving recently used remote address: [AF_INET]153.167.126.44:1613
2023-07-11 17:25:32 Socket Buffers: R=[32768->32768] S=[32768->32768]
2023-07-11 17:25:32 Attempting to establish TCP connection with [AF_INET]153.167.126.44:1613
2023-07-11 17:25:32 TCP connection established with [AF_INET]153.167.126.44:1613
2023-07-11 17:25:32 TCPv4_CLIENT link local: (not bound)
2023-07-11 17:25:32 TCPv4_CLIENT link remote: [AF_INET]153.167.126.44:1613
2023-07-11 17:25:32 TLS: Initial packet from [AF_INET]153.167.126.44:1613, sid=8b232b8e 0e319d46
2023-07-11 17:25:33 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2023-07-11 17:25:33 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2023-07-11 17:25:33 VERIFY OK: depth=0, CN=opengw.net
2023-07-11 17:25:33 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-07-11 17:25:33 [opengw.net] Peer Connection Initiated with [AF_INET]153.167.126.44:1613
2023-07-11 17:25:33 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-07-11 17:25:33 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-07-11 17:25:35 SENT CONTROL [opengw.net]: 'PUSH_REQUEST' (status=1)
2023-07-11 17:25:35 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.85 10.211.1.86,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.86,redirect-gateway def1'
2023-07-11 17:25:35 OPTIONS IMPORT: --ifconfig/up options modified
2023-07-11 17:25:35 OPTIONS IMPORT: route options modified
2023-07-11 17:25:35 OPTIONS IMPORT: route-related options modified
2023-07-11 17:25:35 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-07-11 17:25:35 Using peer cipher 'AES-128-CBC'
2023-07-11 17:25:35 TUN/TAP device /dev/tun0 opened
2023-07-11 17:25:35 /sbin/ifconfig tun0 10.211.1.85 10.211.1.86 mtu 1500 netmask 255.255.255.255 up
2023-07-11 17:25:35 /sbin/route add -net 153.167.126.44 10.20.30.1 -netmask 255.255.255.255 add net 153.167.126.44: gateway 10.20.30.1
2023-07-11 17:25:35 /sbin/route add -net 0.0.0.0 10.211.1.86 -netmask 128.0.0.0 add net 0.0.0.0: gateway 10.211.1.86
2023-07-11 17:25:35 /sbin/route add -net 128.0.0.0 10.211.1.86 -netmask 128.0.0.0 add net 128.0.0.0: gateway 10.211.1.86
2023-07-11 17:25:35 Initialization Sequence Completed
2023-07-11 17:25:35 Data Channel: cipher 'AES-128-CBC', auth 'SHA1'
2023-07-11 17:25:35 Timers: ping 3, ping-restart 10
This time it seems to have worked.
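As an added example (not part of the memo above), here is a small Python audit of an OpenVPN client session log like the two shown: it reports whether the handshake failed on a TLS version mismatch, which control-channel TLS version and cipher were negotiated, and flags the points a defender would want to notice in the successful run (no server certificate verification, TLS 1.0 control channel, non-AEAD data cipher). The sample lines are trimmed copies of the two sessions above; `audit_openvpn_log` and the finding names are my own.

```python
import re

# Constructed samples: trimmed lines from the two OpenVPN 2.6 sessions in the memo,
# first the failing run, then the run started with --tls-version-min 1.0.
FAILED_RUN = """\
2023-07-11 17:24:52 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2023-07-11 17:24:53 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled.
2023-07-11 17:24:53 OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
2023-07-11 17:24:53 TLS Error: TLS handshake failed
"""

WORKING_RUN = """\
2023-07-11 17:25:32 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2023-07-11 17:25:33 VERIFY OK: depth=0, CN=opengw.net
2023-07-11 17:25:33 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-07-11 17:25:35 Data Channel: cipher 'AES-128-CBC', auth 'SHA1'
2023-07-11 17:25:35 Initialization Sequence Completed
"""

# "Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, ..." -> version, cipher suite
CONTROL_RE = re.compile(r"Control Channel: (TLSv[\d.]+), cipher \S+ ([^,\s]+)")
# "Data Channel: cipher 'AES-128-CBC', auth 'SHA1'" -> data cipher
DATA_RE = re.compile(r"Data Channel: cipher '([^']+)', auth '([^']+)'")


def audit_openvpn_log(text):
    """Summarise one OpenVPN client session: whether it connected, what the
    control and data channels negotiated, and which findings need attention."""
    result = {"connected": False, "tls_version": None, "control_cipher": None,
              "data_cipher": None, "findings": []}
    for line in text.splitlines():
        if "No server certificate verification method has been enabled" in line:
            result["findings"].append("no-server-cert-verification")
        elif "TLS error: Unsupported protocol" in line:
            # The failure mode in the memo: no TLS version common to both sides.
            result["findings"].append("tls-version-mismatch")
        elif m := CONTROL_RE.search(line):
            result["tls_version"], result["control_cipher"] = m.group(1), m.group(2)
        elif m := DATA_RE.search(line):
            result["data_cipher"] = m.group(1)
        elif "Initialization Sequence Completed" in line:
            result["connected"] = True
    # TLS 1.0 and 1.1 are deprecated; only 1.2 or newer counts as current.
    if result["tls_version"] in ("TLSv1", "TLSv1.1"):
        result["findings"].append("legacy-tls-version")
    # CBC data ciphers are non-AEAD (the GCM/ChaCha20 ones in --data-ciphers are AEAD).
    if result["data_cipher"] and result["data_cipher"].endswith("-CBC"):
        result["findings"].append("non-aead-data-cipher")
    return result
```

Feeding it the full session output (for example `openvpn ... 2>&1 | tee session.log`) works the same way, since unrelated lines are simply skipped.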