Date: Wed, 16 Sep 2015 04:44:28 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-ports-bugs@FreeBSD.org Subject: [Bug 203146] OpenVPN server fails to reply to TLS handshake Message-ID: <bug-203146-13@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203146 Bug ID: 203146 Summary: OpenVPN server fails to reply to TLS handshake Product: Ports & Packages Version: Latest Hardware: amd64 OS: Any Status: New Severity: Affects Some People Priority: --- Component: Individual Port(s) Assignee: freebsd-ports-bugs@FreeBSD.org Reporter: brads@nyctelecomm.com I am trying to configure a new VPN server but the TLS handshake fails. I worked with #openvpn for some time and we narrowed it down to a failure at the server. All firewalls are completely down for both server and client and the testing client 'can' connect to OpenBook free Openvpn servers just fine. Just not my own that are hosted on FreeBSD. I jumped on a second brand new freebsd server and applied the config, same error. someone sent me a working config from one of their non freebsd servers and, same error. What ever it is, it appears to be very FreeBSD specific. FreeBSD client was also tried, same error. server config: [\u@vader:/usr/local/etc] # cat openvpn/openvpn.conf local 108.61.175.20 mode server port 1194 ;proto tcp proto udp ;dev tap dev tun ;dev-node MyTap ca /usr/local/etc/easy-rsa/keys/ca.crt cert /usr/local/etc/easy-rsa/keys/serverP.crt key /usr/local/etc/easy-rsa/keys/serverP.key dh /usr/local/etc/easy-rsa/keys/dh2048.pem topology subnet server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 208.67.222.222" push "dhcp-option DNS 4.2.2.2" ;client-to-client ;duplicate-cn keepalive 10 120 tls-server tls-timeout 120 tls-auth /usr/local/etc/openvpn/ta.key 0 # This file is secret tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA auth SHA256 ;cipher AES-128-CBC # AES comp-lzo max-clients 100 user nobody group nobody persist-key persist-tun status openvpn-status.log log /var/log/openvpn.log log-append /var/log/openvpn.log verb 9 ;mute 20 client config: client dev tun0 dev-type tun proto udp remote 108.61.175.20 1194 resolv-retry infinite remote-cert-tls server tls-auth C:\\Program\ Files\\OpenVPN\\config\\ta.key 1 tls-client auth SHA256 dev-node {D1F4080E-CD73-4F64-9213-CBF0FB3C3D71} resolv-retry infinite nobind persist-key persist-tun verb 3 ;cipher AES-128-CBC ;route-delay 2 ;redirect-gateway inactive 3600 comp-lzo ca [inline] cert [inline] key [inline] <ca> -----BEGIN CERTIFICATE----- MIIE7jCCA9agAwIBAgIJAMDi1PIJghxnMA0GCSqGSIb3DQEBCwUAMIGqMQswCQYD VQQGEwJVUzELMAkGA1UECBMCTlkxETAPBgNVBAcTCEJyb29rbHluMRQwEgYDVQQK EwtOWUNUZWxlY29tbTEUMBIGA1UECxMLTllDVGVsZWNvbW0xFzAVBgNVBAMTDk5Z Q1RlbGVjb21tIENBMRAwDgYDVQQpEwdFYXN5UlNBMSQwIgYJKoZIhvcNAQkBFhVh ZG1pbkBueWN0ZWxlY29tbS5jb20wHhcNMTUwOTE0MTEyNDU0WhcNMjUwOTExMTEy NDU0WjCBqjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5ZMREwDwYDVQQHEwhCcm9v a2x5bjEUMBIGA1UEChMLTllDVGVsZWNvbW0xFDASBgNVBAsTC05ZQ1RlbGVjb21t MRcwFQYDVQQDEw5OWUNUZWxlY29tbSBDQTEQMA4GA1UEKRMHRWFzeVJTQTEkMCIG CSqGSIb3DQEJARYVYWRtaW5AbnljdGVsZWNvbW0uY29tMIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEA4UdREqvqO4SShs54q/m6hHxcm2Bc5jONAtk2I64p vbDbFmkpyLpibPI+rENgi4o1jfvQJJECpsU8ycvVJ2dPb2k0OmWldmxjHO2GuIc2 LzhqbnycPH2zW1NOO1XmwxIi4USJBvUewHkxclefVh9VFzFxel37RV7rdeeizaeR 3T7udjCP2887RSh5ZQ/TG7P1GbEEeiD56kwM/NVOoUZonxGTaK8JulYZAEAAjmYk 7kzl98GL/RgqE3SKqyXtHSl5GWcSnGHIBoypRt0CALS4t/qQ2Dyr1SW2PJeFkOaP ddEwjK/We8NiyDamLpahAq9Cj6ZRN+D2rr89z9MQXOH5DQIDAQABo4IBEzCCAQ8w HQYDVR0OBBYEFCdr+IAjZA59H9EegFpZa5wwniR9MIHfBgNVHSMEgdcwgdSAFCdr +IAjZA59H9EegFpZa5wwniR9oYGwpIGtMIGqMQswCQYDVQQGEwJVUzELMAkGA1UE CBMCTlkxETAPBgNVBAcTCEJyb29rbHluMRQwEgYDVQQKEwtOWUNUZWxlY29tbTEU MBIGA1UECxMLTllDVGVsZWNvbW0xFzAVBgNVBAMTDk5ZQ1RlbGVjb21tIENBMRAw DgYDVQQpEwdFYXN5UlNBMSQwIgYJKoZIhvcNAQkBFhVhZG1pbkBueWN0ZWxlY29t bS5jb22CCQDA4tTyCYIcZzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB AQBMtUC9Q5u6o9IyOayC3v+pIhmZncYGrxk03G6Odf3mU2ZeyCYja2qTlQOPB22V XQEJ856KiOqOj0yyTyBJSG6UvpjD5iixf85WE/vBENOSDfzjhydmy8BgLWcRe0Dx cFbEYv+qZr456s2W8Dt7+AI8VJauEQ5SPhf2WUK4XSH+7lLq2CDLN1qAHblyNks0 dxGaStTe38Pxb6FD0UpjFhSgoJqNZKuGjp5eeWdo0pAWu6T7QQ/9c/RYuTaz5/Kt RSFUrJ/t0cYVz5sxUVR4KNR26QbVAI5J42n/BL00K5+xB5bP9yGUb5MzwRgFX2nI J94Euf1q8OXN+kYa53Ca3W/J -----END CERTIFICATE----- </ca> <cert> Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=NY, L=Brooklyn, O=NYCTelecomm, OU=NYCTelecomm, CN=NYCTelecomm CA/name=EasyRSA/emailAddress=admin@nyctelecomm.com Validity Not Before: Sep 14 11:26:00 2015 GMT Not After : Sep 11 11:26:00 2025 GMT Subject: C=US, ST=NY, L=Brooklyn, O=NYCTelecomm, OU=NYCTelecomm, CN=client1P/name=EasyRSA/emailAddress=admin@nyctelecomm.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b2:6f:5d:dc:14:b6:72:d1:80:42:34:4d:14:7d: 14:b0:c6:da:50:e0:e8:7f:bd:b4:28:b2:98:33:9f: cd:d0:c1:a9:7c:6f:31:d5:17:cd:18:cf:50:d1:eb: ef:ea:9b:c9:54:0d:03:c2:78:3f:2d:66:8b:a5:1b: ba:39:28:f1:a8:9e:e6:0a:de:56:bc:c0:1a:ab:71: 92:ed:77:2d:6f:5d:1e:13:13:60:2a:08:94:76:49: d0:b0:f7:a8:3c:6e:f0:a3:4a:95:25:0a:15:f4:63: 87:64:5d:70:0d:a3:89:08:f8:e1:88:72:d4:7c:6b: b7:cb:68:55:ed:bb:23:73:f2:54:9c:7c:03:7f:c5: 24:20:ba:d2:de:eb:9f:e7:2c:6c:45:e6:09:f9:af: 6d:b5:e3:9d:6f:a5:37:7e:f7:f6:c3:d8:fc:91:dd: 7e:0c:c1:10:23:44:23:1c:6a:ee:05:cd:bd:6a:d4: 14:3e:71:f4:40:12:85:0d:6f:33:09:21:35:ba:26: 42:c1:f0:89:dd:1e:83:4e:e4:31:73:e3:1b:7b:68: af:6d:5f:fd:a0:5f:64:24:6b:51:19:bd:ca:60:47: f2:0f:a6:f5:3e:9d:94:90:f1:83:5a:21:02:8e:eb: ee:45:8e:93:f0:cc:c2:da:6c:32:51:30:98:b3:0c: 5d:d9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: Easy-RSA Generated Certificate X509v3 Subject Key Identifier: 3D:94:5E:09:B3:6F:E0:EF:B0:3D:3E:40:4D:AD:2F:DC:3C:52:86:90 X509v3 Authority Key Identifier: keyid:27:6B:F8:80:23:64:0E:7D:1F:D1:1E:80:5A:59:6B:9C:30:9E:24:7D DirName:/C=US/ST=NY/L=Brooklyn/O=NYCTelecomm/OU=NYCTelecomm/CN=NYCTelecomm CA/name=EasyRSA/emailAddress=admin@nyctelecomm.com serial:C0:E2:D4:F2:09:82:1C:67 X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Key Usage: Digital Signature Signature Algorithm: sha256WithRSAEncryption dd:15:70:12:67:c6:88:fa:c6:f6:01:16:54:df:c7:e1:ee:74: ee:00:75:11:fc:70:76:16:90:54:5a:1b:4f:8e:69:c5:c3:44: 7f:79:9b:9f:98:01:71:2a:ec:59:15:3f:3d:27:b9:9d:0f:ce: cc:d1:05:1b:a1:f7:30:f3:e9:cc:37:bb:93:48:e7:14:ce:37: 03:ee:c5:d8:cd:bb:ef:b2:b9:f3:94:a6:7b:23:49:16:c7:8f: 73:ef:85:f9:8a:d5:98:24:bf:af:33:f0:19:4c:0c:a7:44:3b: c2:b8:43:10:d9:9a:65:6c:7c:50:00:9a:e3:69:21:d6:23:e0: 66:80:a1:18:50:ef:58:a5:49:90:fc:27:41:f7:4a:39:c4:0b: 5b:a4:8f:b6:d3:a1:6c:69:56:d9:13:96:0a:2a:32:48:fd:24: 9c:94:20:5b:74:d6:54:b6:18:ea:f1:6c:bc:ee:bf:f8:86:ac: 52:17:74:19:ce:f6:ae:ce:4d:84:a1:4f:99:06:ad:e7:29:a3: 09:96:e7:e7:81:3f:7f:59:2a:83:bb:f1:0b:a5:d5:0b:36:86: 4b:4d:d8:0c:67:1a:2a:5c:d1:a4:a1:4f:30:4f:c6:7b:7d:87: 39:f3:93:05:5e:69:24:e8:81:e0:18:82:9e:7c:18:9d:6d:10: 01:7a:08:e3 -----BEGIN CERTIFICATE----- MIIFLjCCBBagAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBqjELMAkGA1UEBhMCVVMx CzAJBgNVBAgTAk5ZMREwDwYDVQQHEwhCcm9va2x5bjEUMBIGA1UEChMLTllDVGVs ZWNvbW0xFDASBgNVBAsTC05ZQ1RlbGVjb21tMRcwFQYDVQQDEw5OWUNUZWxlY29t bSBDQTEQMA4GA1UEKRMHRWFzeVJTQTEkMCIGCSqGSIb3DQEJARYVYWRtaW5Abnlj dGVsZWNvbW0uY29tMB4XDTE1MDkxNDExMjYwMFoXDTI1MDkxMTExMjYwMFowgaQx CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOWTERMA8GA1UEBxMIQnJvb2tseW4xFDAS BgNVBAoTC05ZQ1RlbGVjb21tMRQwEgYDVQQLEwtOWUNUZWxlY29tbTERMA8GA1UE AxMIY2xpZW50MVAxEDAOBgNVBCkTB0Vhc3lSU0ExJDAiBgkqhkiG9w0BCQEWFWFk bWluQG55Y3RlbGVjb21tLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC ggEBALJvXdwUtnLRgEI0TRR9FLDG2lDg6H+9tCiymDOfzdDBqXxvMdUXzRjPUNHr 7+qbyVQNA8J4Py1mi6Ubujko8aie5greVrzAGqtxku13LW9dHhMTYCoIlHZJ0LD3 qDxu8KNKlSUKFfRjh2RdcA2jiQj44Yhy1Hxrt8toVe27I3PyVJx8A3/FJCC60t7r n+csbEXmCfmvbbXjnW+lN3739sPY/JHdfgzBECNEIxxq7gXNvWrUFD5x9EAShQ1v MwkhNbomQsHwid0eg07kMXPjG3tor21f/aBfZCRrURm9ymBH8g+m9T6dlJDxg1oh Ao7r7kWOk/DMwtpsMlEwmLMMXdkCAwEAAaOCAWEwggFdMAkGA1UdEwQCMAAwLQYJ YIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV HQ4EFgQUPZReCbNv4O+wPT5ATa0v3DxShpAwgd8GA1UdIwSB1zCB1IAUJ2v4gCNk Dn0f0R6AWllrnDCeJH2hgbCkga0wgaoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJO WTERMA8GA1UEBxMIQnJvb2tseW4xFDASBgNVBAoTC05ZQ1RlbGVjb21tMRQwEgYD VQQLEwtOWUNUZWxlY29tbTEXMBUGA1UEAxMOTllDVGVsZWNvbW0gQ0ExEDAOBgNV BCkTB0Vhc3lSU0ExJDAiBgkqhkiG9w0BCQEWFWFkbWluQG55Y3RlbGVjb21tLmNv bYIJAMDi1PIJghxnMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDAN BgkqhkiG9w0BAQsFAAOCAQEA3RVwEmfGiPrG9gEWVN/H4e507gB1EfxwdhaQVFob T45pxcNEf3mbn5gBcSrsWRU/PSe5nQ/OzNEFG6H3MPPpzDe7k0jnFM43A+7F2M27 77K585SmeyNJFsePc++F+YrVmCS/rzPwGUwMp0Q7wrhDENmaZWx8UACa42kh1iPg ZoChGFDvWKVJkPwnQfdKOcQLW6SPttOhbGlW2ROWCioySP0knJQgW3TWVLYY6vFs vO6/+IasUhd0Gc72rs5NhKFPmQat5ymjCZbn54E/f1kqg7vxC6XVCzaGS03YDGca KlzRpKFPME/Ge32HOfOTBV5pJOiB4BiCnnwYnW0QAXoI4w== -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- mmmmmyyyyy ppppprrrriiiivvvaaatttteeee kkkkeeeeyyyy yyyyyooouuuurrrr nnnnooootttt ssuuuuppppoossseeeddd tttttooo ssseeeeee -----END PRIVATE KEY----- </key> <tls-auth> # # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- 86ba44e5a40fb955687e62db59b7c747 6f71fc10c8a72eec1be7f4785d7700ee cd88530490853a441666dcf1423d52c2 b22ff5d7f9abc4cfad581e8c4e5537da 3fd2d20901e5388efb7c4c9898ae1b42 3a74dcfb77352bd2d711a01d1d8e8382 ebc267eaec22ae0c027bd0f25ae6f0a6 b66a514c96078fc8f4437e98b778b202 9fbc3cda8325130370959bb729cdf325 307df71569aa4a1ef91a9c15ed2dc67f c0491568e0c20f1e64b79f774fe7764f b9f56aa05b69f21cd2b5bc343c6ab645 8e4dd75a122c5418c3f005440f6de858 0dba19cc250a8f6da7c1302c8944f2b6 4b909dce9b8bf4721272e93f50573f4d 97517e2ec05d227a6a73f81292d866ce -----END OpenVPN Static key V1----- </tls-auth> my rc.conf [\u@vader:/root] # cat /etc/rc.conf hostname="vader.ex-mailer.com" ifconfig_vtnet0="dhcp" sshd_enable="YES" static_routes=linklocal route_linklocal="-net 169.254.0.0/16 -interface vtnet0" crypto_load=YES cryptodev_load=YES aesni_load=YES virtio_random_load=YES rtsold_enable=YES ipv6_activate_all_interfaces=YES rtsold_flags="-aF" linux_enable="YES" accf_data_load="YES" pf_enable="YES" pf_rules="/home/pf.conf" pflog_enable="YES" pflog_logfile="/var/log/pflog" firewall_enable="YES" firewall_type="open" gateway_enable="YES" natd_enable="YES" natd_interface="vtnet0" natd_flags="-dynamic -m" openvpn_enable="YES" openvpn_config="/usr/local/etc/openvpn.conf" openvpn_if="tun" openvpn_if="tap" interfaces: [\u@vader:/usr/local/etc/openvpn] # service openvpn restart Stopping openvpn. Starting openvpn. [\u@vader:/usr/local/etc/openvpn] # ifconfig -a vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6> ether 56:00:00:05:72:d5 inet6 2001:19f0:7400:84c6::64 prefixlen 64 inet6 fe80::5400:ff:fe05:72d5%vtnet0 prefixlen 64 scopeid 0x1 inet 108.61.175.20 netmask 0xffffff00 broadcast 108.61.175.255 nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL> media: Ethernet 10Gbase-T <full-duplex> status: active lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 inet 127.0.0.1 netmask 0xff000000 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160 tap0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=80000<LINKSTATE> ether 00:bd:1c:5d:00:00 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect status: no carrier tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500 options=80000<LINKSTATE> inet6 fe80::2bd:1cff:fe5d:0%tun0 prefixlen 64 scopeid 0x5 inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffff00 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> Opened by PID 6786 my pf.conf (almost all testing with 'service ipfw stop'): [\u@vader:/usr/local/etc/openvpn] # cat /home/pf.conf ### Variables and Macro ### icmp_types="echoreq" SSH_CUSTOM = 2222 #ext_if="ix0" ext_if="vtnet0" ext_if_in_tcp="domain, http, https, smtp, 53, 465, 587, 995, 993, 1194" ext_if_in_udp="domain, 53" ext_if_out_tcp="domain, http, https, 53, whois, 22, 1194, 2222, 22222" ext_if_out_udp="domain, 53, 1194, ntp" table <blockedips> persist file "/etc/blocked_ips.conf" ### Global Policy ### set loginterface $ext_if set skip on lo0 scrub in on $ext_if all fragment reassemble ### Traffic Normalization ### antispoof for $ext_if ### Packet Filtering ### Block is ALWAYS first block log quick on $ext_if from <blockedips> to any block log all ### Incoming traffic ### pass in quick on $ext_if inet proto tcp from any to $ext_if port { $ext_if_in_tcp, $SSH_CUSTOM } #pass in quick on $ext_if inet proto udp from any to $ext_if port { $ext_if_in_udp } pass in quick on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types ### Outgoing traffic ### anchor TMP pass out quick log on $ext_if inet proto tcp from $ext_if to any port smtp pass out quick on $ext_if inet proto tcp from $ext_if to any port { $ext_if_out_tcp, $SSH_CUSTOM } pass out quick on $ext_if inet proto udp from $ext_if to any port { $ext_if_out_udp } # --- ICMP pass out quick on $ext_if inet proto icmp from $ext_if to any detailed logging: https://bpaste.net/show/b0aa403199cb -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-203146-13>