
OpenVPN server



Hello everyone,

I have a small problem with an OpenVPN server (which worked
perfectly until now). The clients connect to the server fine,
but nothing passes over the tap0 interface. I see nothing unusual
in the OpenVPN output (even with verb=10).

The server is on a machine that is updated regularly. The clients
live their own lives and are updated far less often (that is not
up to me).

When I start the server, I get this:

2023-08-25 16:58:39 86.212.205.101:58146 TLS: Initial packet from
[AF_INET]86.212.205.101:58146, sid=b28dac4a 65656374
2023-08-25 16:58:40 86.212.205.101:58146 VERIFY OK: depth=1, C=FR,
ST=FR, L=Paris, O=Systella, CN=Systella CA,
emailAddress=joel.bertrand@systella.fr
2023-08-25 16:58:40 86.212.205.101:58146 VERIFY OK: depth=0, C=FR,
ST=FR, L=Paris, O=Systella, CN=cervantes,
emailAddress=joel.bertrand@systella.fr
2023-08-25 16:58:40 86.212.205.101:58146 peer info: IV_VER=2.4.6
2023-08-25 16:58:40 86.212.205.101:58146 peer info: IV_PLAT=linux
2023-08-25 16:58:40 86.212.205.101:58146 peer info: IV_PROTO=2
2023-08-25 16:58:40 86.212.205.101:58146 peer info: IV_NCP=2
2023-08-25 16:58:40 86.212.205.101:58146 peer info: IV_LZ4=1
2023-08-25 16:58:40 86.212.205.101:58146 peer info: IV_LZ4v2=1
2023-08-25 16:58:40 86.212.205.101:58146 peer info: IV_LZO=1
2023-08-25 16:58:40 86.212.205.101:58146 peer info: IV_COMP_STUB=1
2023-08-25 16:58:40 86.212.205.101:58146 peer info: IV_COMP_STUBv2=1
2023-08-25 16:58:40 86.212.205.101:58146 peer info: IV_TCPNL=1
2023-08-25 16:58:40 86.212.205.101:58146 TLS: move_session:
dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-08-25 16:58:40 86.212.205.101:58146 TLS: tls_multi_process: initial
untrusted session promoted to trusted
2023-08-25 16:58:40 86.212.205.101:58146 Control Channel: TLSv1.3,
cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 1024 bit RSA,
signature: RSA-SHA1
2023-08-25 16:58:40 86.212.205.101:58146 [cervantes] Peer Connection
Initiated with [AF_INET]86.212.205.101:58146
2023-08-25 16:58:40 cervantes/86.212.205.101:58146 MULTI_sva: pool
returned IPv4=192.168.2.2, IPv6=(Not enabled)
2023-08-25 16:58:40 cervantes/86.212.205.101:58146 OPTIONS IMPORT:
reading client specific options from: /etc/openvpn/ccd/cervantes
2023-08-25 16:58:41 cervantes/86.212.205.101:58146 Data Channel: cipher
'AES-256-GCM', peer-id: 0
2023-08-25 16:58:41 cervantes/86.212.205.101:58146 Timers: ping 10,
ping-restart 240
2023-08-25 16:58:41 cervantes/86.212.205.101:58146 PUSH: Received
control message: 'PUSH_REQUEST'
2023-08-25 16:58:41 cervantes/86.212.205.101:58146 SENT CONTROL
[cervantes]: 'PUSH_REPLY,route-gateway 192.168.2.1,ping 10,ping-restart
120,ifconfig 192.168.2.5 255.255.255.0,peer-id 1,cipher AES-256-GCM'
(status=1)
2023-08-25 16:58:51 cervantes/86.212.205.101:58146 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> cervantes/86.212.205.101:58146
2023-08-25 16:58:56 nietzsche/92.184.124.63:50216 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> nietzsche/92.184.124.63:50216
2023-08-25 16:59:00 cervantes/86.212.205.101:58146 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> cervantes/86.212.205.101:58146
2023-08-25 16:59:06 nietzsche/92.184.124.63:50216 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> nietzsche/92.184.124.63:50216
2023-08-25 16:59:10 cervantes/86.212.205.101:58146 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> cervantes/86.212.205.101:58146
2023-08-25 16:59:17 nietzsche/92.184.124.63:50216 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> nietzsche/92.184.124.63:50216
2023-08-25 16:59:21 cervantes/86.212.205.101:58146 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> cervantes/86.212.205.101:58146
2023-08-25 16:59:26 nietzsche/92.184.124.63:50216 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> nietzsche/92.184.124.63:50216
2023-08-25 16:59:31 cervantes/86.212.205.101:58146 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> cervantes/86.212.205.101:58146
2023-08-25 16:59:36 nietzsche/92.184.124.63:50216 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> nietzsche/92.184.124.63:50216
2023-08-25 16:59:41 cervantes/86.212.205.101:58146 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> cervantes/86.212.205.101:58146
2023-08-25 16:59:46 nietzsche/92.184.124.63:50216 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> nietzsche/92.184.124.63:50216
2023-08-25 16:59:50 cervantes/86.212.205.101:58146 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> cervantes/86.212.205.101:58146
2023-08-25 16:59:57 nietzsche/92.184.124.63:50216 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> nietzsche/92.184.124.63:50216
2023-08-25 17:00:00 cervantes/86.212.205.101:58146 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> cervantes/86.212.205.101:58146
2023-08-25 17:00:07 nietzsche/92.184.124.63:50216 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> nietzsche/92.184.124.63:50216
2023-08-25 17:00:11 cervantes/86.212.205.101:58146 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> cervantes/86.212.205.101:58146
2023-08-25 17:00:17 nietzsche/92.184.124.63:50216 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> nietzsche/92.184.124.63:50216
2023-08-25 17:00:21 cervantes/86.212.205.101:58146 MULTI: Learn:
1e:b4:cb:07:ed:2d@0 -> cervantes/86.212.205.101:58146
2023-08-25 17:00:26 nietzsche/92.184.124.63:50216 Connection reset,
restarting [0]
2023-08-25 17:00:26 nietzsche/92.184.124.63:50216
SIGUSR1[soft,connection-reset] received, client-instance restarting


The line:

SENT CONTROL [cervantes]: 'PUSH_REPLY,route-gateway 192.168.2.1,ping
10,ping-restart 120,ifconfig 192.168.2.5 255.255.255.0,peer-id 1,cipher
AES-256-GCM' (status=1)

bothers me. I don't know whether (status=1) is normal.

An arp on the server shows (incomplete) for the addresses of
nietzsche and cervantes (the two clients).

A tcpdump on tap0 returns:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:08:20.455170 1e:b4:cb:07:ed:2d (oui Unknown) > fa:2a:18:7b:f3:64 (oui
Unknown), ethertype Unknown (0x0a98), length 17:
        0x0000:  1fc7 48                                  ..H
17:08:29.558340 1e:b4:cb:07:ed:2d (oui Unknown) > fa:2a:18:7b:f3:64 (oui
Unknown), ethertype Unknown (0x0a98), length 17:
        0x0000:  1fc7 48                                  ..H
17:08:30.581835 1e:b4:cb:07:ed:2d (oui Unknown) > fa:2a:18:7b:f3:64 (oui
Unknown), ethertype Unknown (0x0a98), length 17:
        0x0000:  1fc7 48                                  ..H


There is no firewall problem. Everything is allowed on tap0
(in and out) and OpenVPN does establish the link.

What devilry is this now? I strongly suspect the move from
OpenSSL 1.1 to 3.x, but I haven't found anything conclusive.

For what it's worth, my config file is as follows:

local <adresse WAN publique>
port 1194
proto tcp-server
dev tap0
tls-server
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/rayleigh.crt
key /etc/openvpn/easy-rsa/2.0/keys/rayleigh.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 192.168.2.0 255.255.255.0
ifconfig 192.168.2.1 255.255.255.0
keepalive 10 120
max-clients 5
persist-key
persist-tun
status openvpn-status-tcp.log
verb 3
client-config-dir /etc/openvpn/ccd
tls-cipher "DEFAULT:@SECLEVEL=0"

This configuration file was still working last week.

Best regards,

	JB
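As an added illustration (not part of the original message or of OpenVPN itself), the script below parses "MULTI: Learn:" lines in the format quoted above and flags any MAC address that the server learns alternately from more than one client instance, which is what the log shows for 1e:b4:cb:07:ed:2d against both cervantes and nietzsche. The sample lines are copied from the message; the regex and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: "MULTI: Learn:" lines in the format of the log above,
# with the same MAC learned alternately from two client instances.
SAMPLE_LOG = """\
2023-08-25 16:58:51 cervantes/86.212.205.101:58146 MULTI: Learn: 1e:b4:cb:07:ed:2d@0 -> cervantes/86.212.205.101:58146
2023-08-25 16:58:56 nietzsche/92.184.124.63:50216 MULTI: Learn: 1e:b4:cb:07:ed:2d@0 -> nietzsche/92.184.124.63:50216
2023-08-25 16:59:00 cervantes/86.212.205.101:58146 MULTI: Learn: 1e:b4:cb:07:ed:2d@0 -> cervantes/86.212.205.101:58146
2023-08-25 16:59:06 nietzsche/92.184.124.63:50216 MULTI: Learn: 1e:b4:cb:07:ed:2d@0 -> nietzsche/92.184.124.63:50216
2023-08-25 16:59:10 cervantes/86.212.205.101:58146 MULTI: Learn: 1e:b4:cb:07:ed:2d@0 -> cervantes/86.212.205.101:58146
2023-08-25 17:00:26 nietzsche/92.184.124.63:50216 Connection reset, restarting [0]
"""

# "<date> <time> <instance> MULTI: Learn: <mac>@<vlan> -> <instance>"
LEARN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ MULTI: Learn: "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})@(?P<vlan>\d+) -> (?P<inst>\S+)$"
)


def parse_learn_events(log_text):
    """Return [(timestamp, mac, client_instance), ...] for each MULTI: Learn line."""
    events = []
    for line in log_text.splitlines():
        m = LEARN_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("mac"), m.group("inst")))
    return events


def find_flapping_macs(log_text, min_moves=2):
    """Map each MAC whose owning client instance changes at least min_moves
    times to its ordered list of (timestamp, instance) learn events."""
    history = defaultdict(list)
    for ts, mac, inst in parse_learn_events(log_text):
        history[mac].append((ts, inst))
    flapping = {}
    for mac, events in history.items():
        moves = sum(1 for (_, a), (_, b) in zip(events, events[1:]) if a != b)
        if moves >= min_moves:
            flapping[mac] = events
    return flapping


def owners_of(events):
    """Distinct client names (the part before '/') that claimed the MAC."""
    return sorted({inst.split("/")[0] for _, inst in events})


if __name__ == "__main__":
    for mac, events in find_flapping_macs(SAMPLE_LOG).items():
        print(f"{mac}: learned {len(events)} times, alternating between {owners_of(events)}")
```

A MAC that bounces between two client instances like this means the server's internal bridge table never settles, so frames for that address are delivered to whichever client last claimed it.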

