[Bug 203146] OpenVPN server fails to reply to TLS handshake
bugzilla-noreply at freebsd.org
Wed Sep 16 04:44:29 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203146
Bug ID: 203146
Summary: OpenVPN server fails to reply to TLS handshake
Product: Ports & Packages
Version: Latest
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs at FreeBSD.org
Reporter: brads at nyctelecomm.com
I am trying to configure a new VPN server but the TLS handshake fails. I worked
with #openvpn for some time and we narrowed it down to a failure at the server.
All firewalls are completely down for both server and client, and the testing
client 'can' connect to OpenBook free OpenVPN servers just fine. Just not my
own that are hosted on FreeBSD.
I jumped on a second, brand new FreeBSD server and applied the config: same
error. Someone sent me a working config from one of their non-FreeBSD servers
and, same error.
Whatever it is, it appears to be very FreeBSD-specific.
FreeBSD client was also tried, same error.
server config:
[\u at vader:/usr/local/etc] # cat openvpn/openvpn.conf
local 108.61.175.20
mode server
port 1194
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /usr/local/etc/easy-rsa/keys/ca.crt
cert /usr/local/etc/easy-rsa/keys/serverP.crt
key /usr/local/etc/easy-rsa/keys/serverP.key
dh /usr/local/etc/easy-rsa/keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 4.2.2.2"
;client-to-client
;duplicate-cn
keepalive 10 120
tls-server
tls-timeout 120
tls-auth /usr/local/etc/openvpn/ta.key 0 # This file is secret
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
auth SHA256
;cipher AES-128-CBC # AES
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 9
;mute 20
client config:
client
dev tun0
dev-type tun
proto udp
remote 108.61.175.20 1194
resolv-retry infinite
remote-cert-tls server
tls-auth C:\\Program\ Files\\OpenVPN\\config\\ta.key 1
tls-client
auth SHA256
dev-node {D1F4080E-CD73-4F64-9213-CBF0FB3C3D71}
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
;cipher AES-128-CBC
;route-delay 2
;redirect-gateway
inactive 3600
comp-lzo
ca [inline]
cert [inline]
key [inline]
<ca>
-----BEGIN CERTIFICATE-----
[certificate body not reproduced here]
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=NY, L=Brooklyn, O=NYCTelecomm, OU=NYCTelecomm, CN=NYCTelecomm CA/name=EasyRSA/emailAddress=admin at nyctelecomm.com
Validity
Not Before: Sep 14 11:26:00 2015 GMT
Not After : Sep 11 11:26:00 2025 GMT
Subject: C=US, ST=NY, L=Brooklyn, O=NYCTelecomm, OU=NYCTelecomm, CN=client1P/name=EasyRSA/emailAddress=admin at nyctelecomm.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b2:6f:5d:dc:14:b6:72:d1:80:42:34:4d:14:7d:
14:b0:c6:da:50:e0:e8:7f:bd:b4:28:b2:98:33:9f:
cd:d0:c1:a9:7c:6f:31:d5:17:cd:18:cf:50:d1:eb:
ef:ea:9b:c9:54:0d:03:c2:78:3f:2d:66:8b:a5:1b:
ba:39:28:f1:a8:9e:e6:0a:de:56:bc:c0:1a:ab:71:
92:ed:77:2d:6f:5d:1e:13:13:60:2a:08:94:76:49:
d0:b0:f7:a8:3c:6e:f0:a3:4a:95:25:0a:15:f4:63:
87:64:5d:70:0d:a3:89:08:f8:e1:88:72:d4:7c:6b:
b7:cb:68:55:ed:bb:23:73:f2:54:9c:7c:03:7f:c5:
24:20:ba:d2:de:eb:9f:e7:2c:6c:45:e6:09:f9:af:
6d:b5:e3:9d:6f:a5:37:7e:f7:f6:c3:d8:fc:91:dd:
7e:0c:c1:10:23:44:23:1c:6a:ee:05:cd:bd:6a:d4:
14:3e:71:f4:40:12:85:0d:6f:33:09:21:35:ba:26:
42:c1:f0:89:dd:1e:83:4e:e4:31:73:e3:1b:7b:68:
af:6d:5f:fd:a0:5f:64:24:6b:51:19:bd:ca:60:47:
f2:0f:a6:f5:3e:9d:94:90:f1:83:5a:21:02:8e:eb:
ee:45:8e:93:f0:cc:c2:da:6c:32:51:30:98:b3:0c:
5d:d9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
3D:94:5E:09:B3:6F:E0:EF:B0:3D:3E:40:4D:AD:2F:DC:3C:52:86:90
X509v3 Authority Key Identifier:
keyid:27:6B:F8:80:23:64:0E:7D:1F:D1:1E:80:5A:59:6B:9C:30:9E:24:7D
DirName:/C=US/ST=NY/L=Brooklyn/O=NYCTelecomm/OU=NYCTelecomm/CN=NYCTelecomm CA/name=EasyRSA/emailAddress=admin at nyctelecomm.com
serial:C0:E2:D4:F2:09:82:1C:67
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
dd:15:70:12:67:c6:88:fa:c6:f6:01:16:54:df:c7:e1:ee:74:
ee:00:75:11:fc:70:76:16:90:54:5a:1b:4f:8e:69:c5:c3:44:
7f:79:9b:9f:98:01:71:2a:ec:59:15:3f:3d:27:b9:9d:0f:ce:
cc:d1:05:1b:a1:f7:30:f3:e9:cc:37:bb:93:48:e7:14:ce:37:
03:ee:c5:d8:cd:bb:ef:b2:b9:f3:94:a6:7b:23:49:16:c7:8f:
73:ef:85:f9:8a:d5:98:24:bf:af:33:f0:19:4c:0c:a7:44:3b:
c2:b8:43:10:d9:9a:65:6c:7c:50:00:9a:e3:69:21:d6:23:e0:
66:80:a1:18:50:ef:58:a5:49:90:fc:27:41:f7:4a:39:c4:0b:
5b:a4:8f:b6:d3:a1:6c:69:56:d9:13:96:0a:2a:32:48:fd:24:
9c:94:20:5b:74:d6:54:b6:18:ea:f1:6c:bc:ee:bf:f8:86:ac:
52:17:74:19:ce:f6:ae:ce:4d:84:a1:4f:99:06:ad:e7:29:a3:
09:96:e7:e7:81:3f:7f:59:2a:83:bb:f1:0b:a5:d5:0b:36:86:
4b:4d:d8:0c:67:1a:2a:5c:d1:a4:a1:4f:30:4f:c6:7b:7d:87:
39:f3:93:05:5e:69:24:e8:81:e0:18:82:9e:7c:18:9d:6d:10:
01:7a:08:e3
-----BEGIN CERTIFICATE-----
[certificate body not reproduced here]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
mmmmmyyyyy ppppprrrriiiivvvaaatttteeee kkkkeeeeyyyy
yyyyyooouuuurrrr nnnnooootttt ssuuuuppppoossseeeddd
tttttooo ssseeeeee
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
86ba44e5a40fb955687e62db59b7c747
6f71fc10c8a72eec1be7f4785d7700ee
cd88530490853a441666dcf1423d52c2
b22ff5d7f9abc4cfad581e8c4e5537da
3fd2d20901e5388efb7c4c9898ae1b42
3a74dcfb77352bd2d711a01d1d8e8382
ebc267eaec22ae0c027bd0f25ae6f0a6
b66a514c96078fc8f4437e98b778b202
9fbc3cda8325130370959bb729cdf325
307df71569aa4a1ef91a9c15ed2dc67f
c0491568e0c20f1e64b79f774fe7764f
b9f56aa05b69f21cd2b5bc343c6ab645
8e4dd75a122c5418c3f005440f6de858
0dba19cc250a8f6da7c1302c8944f2b6
4b909dce9b8bf4721272e93f50573f4d
97517e2ec05d227a6a73f81292d866ce
-----END OpenVPN Static key V1-----
</tls-auth>
my rc.conf
[\u at vader:/root] # cat /etc/rc.conf
hostname="vader.ex-mailer.com"
ifconfig_vtnet0="dhcp"
sshd_enable="YES"
static_routes=linklocal
route_linklocal="-net 169.254.0.0/16 -interface vtnet0"
crypto_load=YES
cryptodev_load=YES
aesni_load=YES
virtio_random_load=YES
rtsold_enable=YES
ipv6_activate_all_interfaces=YES
rtsold_flags="-aF"
linux_enable="YES"
accf_data_load="YES"
pf_enable="YES"
pf_rules="/home/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
firewall_enable="YES"
firewall_type="open"
gateway_enable="YES"
natd_enable="YES"
natd_interface="vtnet0"
natd_flags="-dynamic -m"
openvpn_enable="YES"
openvpn_config="/usr/local/etc/openvpn.conf"
openvpn_if="tun"
openvpn_if="tap"
interfaces:
[\u at vader:/usr/local/etc/openvpn] # service openvpn restart
Stopping openvpn.
Starting openvpn.
[\u at vader:/usr/local/etc/openvpn] # ifconfig -a
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
ether 56:00:00:05:72:d5
inet6 2001:19f0:7400:84c6::64 prefixlen 64
inet6 fe80::5400:ff:fe05:72d5%vtnet0 prefixlen 64 scopeid 0x1
inet 108.61.175.20 netmask 0xffffff00 broadcast 108.61.175.255
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T <full-duplex>
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
tap0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
ether 00:bd:1c:5d:00:00
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: no carrier
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::2bd:1cff:fe5d:0%tun0 prefixlen 64 scopeid 0x5
inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffff00
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Opened by PID 6786
my pf.conf (almost all testing with 'service ipfw stop'):
[\u at vader:/usr/local/etc/openvpn] # cat /home/pf.conf
### Variables and Macro ###
icmp_types="echoreq"
SSH_CUSTOM = 2222
#ext_if="ix0"
ext_if="vtnet0"
ext_if_in_tcp="domain, http, https, smtp, 53, 465, 587, 995, 993, 1194"
ext_if_in_udp="domain, 53"
ext_if_out_tcp="domain, http, https, 53, whois, 22, 1194, 2222, 22222"
ext_if_out_udp="domain, 53, 1194, ntp"
table <blockedips> persist file "/etc/blocked_ips.conf"
### Global Policy ###
set loginterface $ext_if
set skip on lo0
scrub in on $ext_if all fragment reassemble
### Traffic Normalization ###
antispoof for $ext_if
### Packet Filtering ### Block is ALWAYS first
block log quick on $ext_if from <blockedips> to any
block log all
### Incoming traffic ###
pass in quick on $ext_if inet proto tcp from any to $ext_if port { $ext_if_in_tcp, $SSH_CUSTOM }
#pass in quick on $ext_if inet proto udp from any to $ext_if port { $ext_if_in_udp }
pass in quick on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types
### Outgoing traffic ###
anchor TMP
pass out quick log on $ext_if inet proto tcp from $ext_if to any port smtp
pass out quick on $ext_if inet proto tcp from $ext_if to any port { $ext_if_out_tcp, $SSH_CUSTOM }
pass out quick on $ext_if inet proto udp from $ext_if to any port { $ext_if_out_udp }
# --- ICMP
pass out quick on $ext_if inet proto icmp from $ext_if to any
detailed logging:
https://bpaste.net/show/b0aa403199cb
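A cross-check of the server and client configs above, added here as an example; it is my code, not the reporter's and not OpenVPN's. It parses both files the way OpenVPN reads them and compares the settings that must agree before the server answers the first TLS packet: the tls-auth key direction (as I understand OpenVPN 2.3's option parser, `tls-auth FILE DIR` and `key-direction DIR` set the direction, an inline `<tls-auth>` block keeps whatever direction was already set, and no direction at all means the key is used bidirectionally), the `auth` digest the tls-auth HMAC uses, `proto`, the tls-server/tls-client roles and `comp-lzo`. SERVER_CONF and CLIENT_CONF are trimmed copies of the posted configs.

```python
"""Cross-check the settings an OpenVPN server and client must agree on before
the server will answer the first TLS packet.

Added example, not part of the bug report or of OpenVPN.  SERVER_CONF and
CLIENT_CONF are trimmed copies of the report's configs.  tls-auth handling
follows OpenVPN 2.3's option parser as I understand it: 'tls-auth FILE DIR'
and 'key-direction DIR' set the key direction, an inline <tls-auth> block
leaves it untouched, and no direction at all means a bidirectional key.
"""
import shlex

SERVER_CONF = r"""
proto udp
tls-server
tls-auth /usr/local/etc/openvpn/ta.key 0 # This file is secret
auth SHA256
;cipher AES-128-CBC # AES
comp-lzo
"""
CLIENT_CONF = r"""
client
proto udp
tls-auth C:\\Program\ Files\\OpenVPN\\config\\ta.key 1
tls-client
auth SHA256
comp-lzo
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
86ba44e5a40fb955687e62db59b7c747
-----END OpenVPN Static key V1-----
</tls-auth>
"""
INLINE = "[inline]"   # OpenVPN's own marker for an inline block (INLINE_FILE_TAG)

def parse(text):
    """Config as an ordered list of (option, args); repeated options are kept
    because OpenVPN applies them in file order."""
    entries, block, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:            # inside <name> ... </name>
            if line == f"</{block}>":
                entries.append((block, [INLINE, "\n".join(body)]))
                block, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            continue
        toks = shlex.split(line, comments=True)  # unescapes 'C:\\Program\ Files'
        if toks:
            entries.append((toks[0], toks[1:]))
    return entries

def last(entries, opt):
    """Args of the last occurrence of opt (the one OpenVPN uses), or None."""
    return next((args for o, args in reversed(entries) if o == opt), None)

def effective_key_direction(entries):
    """'0', '1' or None (bidirectional); see the module docstring."""
    direction = None
    for opt, args in entries:
        if opt == "tls-auth" and len(args) > 1 and args[0] != INLINE:
            direction = args[1]
        elif opt == "key-direction" and args:
            direction = args[0]
    return {"normal": "0", "inverse": "1"}.get(direction, direction)

def check(server_text, client_text):
    """Mismatches between the two sides; an empty list means none found."""
    s, c = parse(server_text), parse(client_text)
    s_opts, c_opts = {o for o, _ in s}, {o for o, _ in c}
    problems = []
    sd, cd = effective_key_direction(s), effective_key_direction(c)
    if {sd, cd} not in ({None}, {"0", "1"}):
        problems.append(f"tls-auth key direction server={sd} client={cd} "
                        "(must be 0/1, 1/0 or unset on both sides)")
    if (last(s, "tls-auth") is None) != (last(c, "tls-auth") is None):
        problems.append("tls-auth configured on one side only")
    s_auth = (last(s, "auth") or ["SHA1"])[0].upper()   # tls-auth HMAC digest
    c_auth = (last(c, "auth") or ["SHA1"])[0].upper()
    if s_auth != c_auth:
        problems.append(f"auth digest server={s_auth} client={c_auth}")
    s_proto = (last(s, "proto") or ["udp"])[0].split("-")[0]
    c_proto = (last(c, "proto") or ["udp"])[0].split("-")[0]
    if s_proto != c_proto:
        problems.append(f"proto server={s_proto} client={c_proto}")
    if not s_opts & {"tls-server", "server", "server-bridge"}:
        problems.append("server side has no tls-server/server directive")
    if not c_opts & {"tls-client", "client"}:
        problems.append("client side has no tls-client/client directive")
    if ("comp-lzo" in s_opts) != ("comp-lzo" in c_opts):
        problems.append("comp-lzo set on one side only")
    return problems

if __name__ == "__main__":
    print("as posted:", check(SERVER_CONF, CLIENT_CONF) or "no mismatch found")
    # Same client config with its 'tls-auth ... 1' line commented out: the
    # inline block is then used bidirectionally and the HMAC would not match.
    print("no direction:", check(SERVER_CONF, CLIENT_CONF.replace("tls-auth C:", "#tls-auth C:")))
```

Run against the posted pair it reports nothing, so the two sides agree at this level; the second call shows what a direction mismatch would look like, which on the server side shows up only as dropped packets, since a tls-auth HMAC failure never gets as far as a TLS reply.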
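A check of the rc.conf above, added here as an example (my code, not the reporter's). rc.conf is sourced by sh, so when a variable is assigned twice the last assignment wins; the script reports such repeats, compares `openvpn_if` (which, as I understand the port's rc script, names the interface driver it loads) against the `dev` line of the OpenVPN config, and compares `openvpn_config` against the path the report's `cat` command read the config from. RC_CONF and OPENVPN_CONF are trimmed copies of the posted files.

```python
"""Check an rc.conf fragment for variables assigned more than once (rc.conf is
sourced by sh, so the last assignment wins) and cross-check openvpn_if, the
driver the OpenVPN rc script is told to load, against the 'dev' line of the
OpenVPN config.  Added example, not part of the report; RC_CONF and
OPENVPN_CONF are trimmed copies of the report's files, SHOWN_CONFIG is the
path the report's cat command read the config from.
"""
import re

RC_CONF = """
openvpn_enable="YES"
openvpn_config="/usr/local/etc/openvpn.conf"
openvpn_if="tun"
openvpn_if="tap"
"""
OPENVPN_CONF = """
;dev tap
dev tun
"""
SHOWN_CONFIG = "/usr/local/etc/openvpn/openvpn.conf"

# sh-style assignment: name="v", name='v' or name=v, optional trailing comment
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)=(?:"([^"]*)"|\'([^\']*)\'|(\S*))\s*(?:#.*)?$')

def parse_rc(text):
    """Return {name: [values in file order]}; the last value is the effective one."""
    seen = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            value = next(v for v in m.groups()[1:] if v is not None)
            seen.setdefault(m.group(1), []).append(value)
    return seen

def openvpn_dev(text):
    """The 'dev' directive in effect, unit number stripped ('tun0' -> 'tun');
    lines starting with ';' or '#' are OpenVPN comments and never match."""
    dev = None
    for line in text.splitlines():
        toks = line.split()
        if toks and toks[0] == "dev" and len(toks) > 1:
            dev = toks[1].rstrip("0123456789")
    return dev

def check_rc(rc_text, ovpn_text, shown_config):
    """List of findings; empty means rc.conf and the OpenVPN config agree."""
    seen = parse_rc(rc_text)
    problems = [f"{k} assigned {len(v)} times, effective value {v[-1]!r}"
                for k, v in seen.items() if len(v) > 1]
    effective = {k: v[-1] for k, v in seen.items()}
    dev = openvpn_dev(ovpn_text)
    if dev and dev not in effective.get("openvpn_if", "").split():
        problems.append(f"openvpn_if={effective.get('openvpn_if')!r} but the config uses dev {dev!r}")
    if effective.get("openvpn_config") != shown_config:
        problems.append(f"openvpn_config={effective.get('openvpn_config')!r} "
                        f"is not the file shown at {shown_config!r}")
    return problems

if __name__ == "__main__":
    for p in check_rc(RC_CONF, OPENVPN_CONF, SHOWN_CONFIG):
        print(p)
```

On the posted files it flags the doubled `openvpn_if` (effective value `tap`, while the config says `dev tun`) and the differing config path; neither by itself explains a handshake that never gets answered, but both are worth settling before reading a verb 9 log.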
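Whatever state pf was in during the reporter's tests, rc.conf above has `pf_enable="YES"`, and stopping ipfw does not touch pf, so the first thing I would settle is what the posted ruleset does to an inbound UDP/1194 packet. The script below is an added example (my code, not from the report or from pf) that walks the rules the way pf does: default pass, every matching rule overrides the verdict, and a matching `quick` rule ends the walk. PF_CONF is a trimmed copy of the posted ruleset with the mail-wrapped rule lines rejoined. Assumptions, all mine: SERVICES is a hand-made subset of /etc/services, the `<blockedips>` table (loaded from a file not on the page) is treated as empty, and from/to addresses are not evaluated, only interface, direction, protocol and destination port.

```python
"""Decide what the posted pf.conf does to one inbound packet, the way pf does:
the default is pass, every matching rule overrides the verdict, and a
matching 'quick' rule ends the walk.  Added example, not part of the report.
PF_CONF is a trimmed copy of the report's ruleset with mail-wrapped lines
rejoined.  Simplifications, all assumed here: SERVICES is a hand-made subset
of /etc/services, the <blockedips> table is treated as empty, and addresses
in from/to are not evaluated (interface, direction, proto and dst port are).
"""
import re

PF_CONF = r"""
SSH_CUSTOM = 2222
#ext_if="ix0"
ext_if="vtnet0"
ext_if_in_tcp="domain, http, https, smtp, 53, 465, 587, 995, 993, 1194"
ext_if_in_udp="domain, 53"
ext_if_out_udp="domain, 53, 1194, ntp"
table <blockedips> persist file "/etc/blocked_ips.conf"
set skip on lo0
block log quick on $ext_if from <blockedips> to any
block log all
pass in quick on $ext_if inet proto tcp from any to $ext_if port { $ext_if_in_tcp, $SSH_CUSTOM }
#pass in quick on $ext_if inet proto udp from any to $ext_if port { $ext_if_in_udp }
anchor TMP
pass out quick on $ext_if inet proto udp from $ext_if to any port { $ext_if_out_udp }
"""
SERVICES = {"domain": 53, "http": 80, "https": 443, "smtp": 25, "ntp": 123}
FIELD = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}

def port_number(tok):
    """Numeric or named port; an unknown name is a ruleset error."""
    if tok.isdigit():
        return int(tok)
    if tok in SERVICES:
        return SERVICES[tok]
    raise ValueError(f"unknown service {tok!r}")

def take_list(tokens, i):
    """One token, or a '{ a b c }' list, starting at tokens[i];
    returns (items, index of the last token consumed)."""
    if tokens[i] != "{":
        return [tokens[i]], i
    j = tokens.index("}", i)
    return tokens[i + 1:j], j

def parse_pf(text):
    """Filter rules in order with macros expanded.  set/scrub/table/
    antispoof/anchor lines carry no rule for this packet and are skipped."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=\s*(.+)$", line)
        if m:
            macros[m.group(1)] = m.group(2).strip().strip('"')
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line)
        tokens = line.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
        if tokens[0] not in ("pass", "block"):
            continue
        rule = {"action": tokens[0], "dir": None, "iface": None, "proto": None,
                "src": None, "dst": None, "quick": False, "ports": None}
        i = 1
        while i < len(tokens):
            t = tokens[i]
            if t in ("in", "out"):
                rule["dir"] = t
            elif t == "quick":
                rule["quick"] = True
            elif t in FIELD:
                i += 1
                rule[FIELD[t]] = tokens[i]
            elif t == "port":
                items, i = take_list(tokens, i + 1)
                rule["ports"] = {port_number(p) for p in items}
            i += 1   # 'log', 'inet', 'all', ... need no state here
        rules.append(rule)
    return rules

def verdict(text, direction, iface, proto, dport):
    """Final pf decision ('pass' or 'block') for one packet."""
    result = "pass"
    for r in parse_pf(text):
        if (r["dir"] and r["dir"] != direction) or (r["iface"] and r["iface"] != iface):
            continue
        if r["proto"] and r["proto"] != proto:
            continue
        if r["src"] and r["src"].startswith("<"):
            continue   # table source, assumed empty (see docstring)
        if r["ports"] is not None and dport not in r["ports"]:
            continue
        result = r["action"]
        if r["quick"]:
            break
    return result

if __name__ == "__main__":
    for proto, port in (("udp", 1194), ("tcp", 1194), ("tcp", 2222), ("udp", 53)):
        print(f"in on vtnet0 {proto}/{port}: {verdict(PF_CONF, 'in', 'vtnet0', proto, port)}")
```

With the ruleset as posted, inbound TCP/1194 passes but inbound UDP/1194 ends on `block log all`: the only inbound UDP rule is commented out, and even uncommented its `$ext_if_in_udp` macro lists only port 53. If pf is loaded on the box, `pfctl -sr` and `tcpdump -ni vtnet0 udp port 1194` (or the pflog) will show the same thing without any modelling.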