LINUX.ORG.RU

OpenVPN, TLS errors


I have a working OpenVPN server on Debian on which I accidentally deleted ca.key, so I had to regenerate all keys and certificates. The configs were not changed. Before the deletion everything worked: all client traffic went into the tunnel, local resources were reachable, the internet worked. Now I get errors (*** is my redaction):

Fri Dec  4 09:37:02 2015 us=451600 MULTI: multi_create_instance called
Fri Dec  4 09:37:02 2015 us=451653 80.83.239.3:19993 Re-using SSL/TLS context
Fri Dec  4 09:37:02 2015 us=451679 80.83.239.3:19993 LZO compression initialized
Fri Dec  4 09:37:02 2015 us=451797 80.83.239.3:19993 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Dec  4 09:37:02 2015 us=451807 80.83.239.3:19993 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Dec  4 09:37:02 2015 us=451832 80.83.239.3:19993 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Dec  4 09:37:02 2015 us=451840 80.83.239.3:19993 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Dec  4 09:37:02 2015 us=451860 80.83.239.3:19993 Local Options hash (VER=V4): '14168603'
Fri Dec  4 09:37:02 2015 us=451870 80.83.239.3:19993 Expected Remote Options hash (VER=V4): '504e774e'
Fri Dec  4 09:37:02 2015 us=451903 80.83.239.3:19993 TLS: Initial packet from [AF_INET]80.83.239.3:19993, sid=75cc9312 4169b740
Fri Dec  4 09:37:02 2015 us=939147 80.83.239.3:19993 Replay-window backtrack occurred [1]
Fri Dec  4 09:37:03 2015 us=467729 80.83.239.3:19993 CRL CHECK OK: /C=RU/ST=Irkutskaya/L=Irkutsk/O=***/CN=***_CA/emailAddress=***
Fri Dec  4 09:37:03 2015 us=467764 80.83.239.3:19993 VERIFY OK: depth=1, /C=RU/ST=Irkutskaya/L=Irkutsk/O=***/CN=***_CA/emailAddress=***
Fri Dec  4 09:37:03 2015 us=467977 80.83.239.3:19993 CRL CHECK OK: /C=RU/ST=Irkutskaya/L=Irkutsk/O=***/CN=***/emailAddress=***
Fri Dec  4 09:37:03 2015 us=468002 80.83.239.3:19993 VERIFY OK: depth=0, /C=RU/ST=Irkutskaya/L=Irkutsk/O=***/CN=***/emailAddress=***
Fri Dec  4 09:37:03 2015 us=644990 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec  4 09:37:03 2015 us=645032 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:52870
Fri Dec  4 09:37:03 2015 us=875912 80.83.239.3:19993 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Dec  4 09:37:03 2015 us=875931 80.83.239.3:19993 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec  4 09:37:03 2015 us=875975 80.83.239.3:19993 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Dec  4 09:37:03 2015 us=875982 80.83.239.3:19993 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec  4 09:37:03 2015 us=996430 80.83.239.3:19993 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Dec  4 09:37:03 2015 us=996454 80.83.239.3:19993 [***] Peer Connection Initiated with [AF_INET]80.83.239.3:19993
Fri Dec  4 09:37:03 2015 us=996491 ***/80.83.239.3:19993 MULTI: Learn: 10.8.0.6 -> ***/80.83.239.3:19993
Fri Dec  4 09:37:03 2015 us=996500 ***/80.83.239.3:19993 MULTI: primary virtual IP for ***/80.83.239.3:19993: 10.8.0.6
Fri Dec  4 09:37:03 2015 us=996534 ***/80.83.239.3:19993 PUSH: Received control message: 'PUSH_REQUEST'
Fri Dec  4 09:37:03 2015 us=996559 ***/80.83.239.3:19993 SENT CONTROL [***]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.168.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Fri Dec  4 09:37:04 2015 us=958542 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec  4 09:37:04 2015 us=958587 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:56645
Fri Dec  4 09:37:06 2015 us=948582 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec  4 09:37:06 2015 us=948632 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:56645
Fri Dec  4 09:37:09 2015 us=42578 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec  4 09:37:09 2015 us=42623 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:56645
Fri Dec  4 09:37:10 2015 us=952470 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec  4 09:37:10 2015 us=952521 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:56645
Fri Dec  4 09:37:13 2015 us=40570 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec  4 09:37:13 2015 us=40618 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:56645
Fri Dec  4 09:37:14 2015 us=956498 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec  4 09:37:14 2015 us=956545 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:38505
Fri Dec  4 09:37:15 2015 us=893514 ***/80.83.239.3:19993 Replay-window backtrack occurred [2]
Fri Dec  4 09:37:17 2015 us=36547 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec  4 09:37:17 2015 us=36592 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:38505
Fri Dec  4 09:37:18 2015 us=954559 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec  4 09:37:18 2015 us=954605 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:38505

Or like this (same certificate, no settings changed, I just reconnected):
Fri Dec  4 09:52:43 2015 us=280758 MULTI: multi_create_instance called
Fri Dec  4 09:52:43 2015 us=280820 141.105.52.211:57131 Re-using SSL/TLS context
Fri Dec  4 09:52:43 2015 us=280831 141.105.52.211:57131 LZO compression initialized
Fri Dec  4 09:52:43 2015 us=280880 141.105.52.211:57131 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Dec  4 09:52:43 2015 us=280889 141.105.52.211:57131 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Dec  4 09:52:43 2015 us=280911 141.105.52.211:57131 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Dec  4 09:52:43 2015 us=280917 141.105.52.211:57131 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Dec  4 09:52:43 2015 us=280929 141.105.52.211:57131 Local Options hash (VER=V4): '14168603'
Fri Dec  4 09:52:43 2015 us=280939 141.105.52.211:57131 Expected Remote Options hash (VER=V4): '504e774e'
Fri Dec  4 09:52:43 2015 us=280957 141.105.52.211:57131 TLS: Initial packet from [AF_INET]141.105.52.211:57131, sid=df89b666 812af5c9
Fri Dec  4 09:52:44 2015 us=711086 141.105.52.211:57131 CRL CHECK OK: /C=RU/ST=Irkutskaya/L=Irkutsk/O=***/CN=***_CA/emailAddress=***
Fri Dec  4 09:52:44 2015 us=711119 141.105.52.211:57131 VERIFY OK: depth=1, /C=RU/ST=Irkutskaya/L=Irkutsk/O=***/CN=***d_CA/emailAddress=***
Fri Dec  4 09:52:44 2015 us=711283 141.105.52.211:57131 CRL CHECK OK: /C=RU/ST=Irkutskaya/L=Irkutsk/O=***/CN=***/emailAddress=***
Fri Dec  4 09:52:44 2015 us=711302 141.105.52.211:57131 VERIFY OK: depth=0, /C=RU/ST=Irkutskaya/L=Irkutsk/O=**/CN=***/emailAddress=***
Fri Dec  4 09:52:44 2015 us=863804 141.105.52.211:57131 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Dec  4 09:52:44 2015 us=863823 141.105.52.211:57131 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec  4 09:52:44 2015 us=863867 141.105.52.211:57131 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Dec  4 09:52:44 2015 us=863881 141.105.52.211:57131 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec  4 09:52:45 2015 us=16141 141.105.52.211:57131 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Dec  4 09:52:45 2015 us=16183 141.105.52.211:57131 [***] Peer Connection Initiated with [AF_INET]141.105.52.211:57131
Fri Dec  4 09:52:45 2015 us=16266 MULTI: new connection by client '***' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Fri Dec  4 09:52:45 2015 us=16298 MULTI: Learn: 10.8.0.6 -> ***/141.105.52.211:57131
Fri Dec  4 09:52:45 2015 us=16307 MULTI: primary virtual IP for ***/141.105.52.211:57131: 10.8.0.6
Fri Dec  4 09:52:45 2015 us=19702 ***/141.105.52.211:57131 PUSH: Received control message: 'PUSH_REQUEST'
Fri Dec  4 09:52:45 2015 us=19732 ***/141.105.52.211:57131 SENT CONTROL [***]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.168.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Fri Dec  4 09:52:46 2015 us=559266 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec  4 09:52:47 2015 us=842681 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec  4 09:52:48 2015 us=25371 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec  4 09:52:48 2015 us=183303 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec  4 09:52:48 2015 us=856514 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec  4 09:52:50 2015 us=212621 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec  4 09:52:50 2015 us=970231 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec  4 09:52:52 2015 us=912591 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped

From mobile devices RDP works and so does access to the share (via ES Explorer); the internet does not work, and neither does access to the share through the (Synology) app; from the PC everything works without problems. The iptables and OpenVPN configs were not changed on either the client or the server.

Server

port 9194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
crl-verify crl.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.0.1"
keepalive 10 120
tls-auth ta.key 0
cipher BF-CBC
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 4
mute 10

Client

client
dev tun
proto udp
remote xx.xx.xx.xx 9194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert support.crt
key support.key
ns-cert-type server
tls-client
tls-timeout 120
tls-auth ta.key 1
cipher BF-CBC
comp-lzo
verb 3

iptables

iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW -s 10.8.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source xx.xx.xx.xx

route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
gateway.irkcity *               255.255.255.255 UH    0      0        0 ppp0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         *               0.0.0.0         U     0      0        0 ppp0
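
A consistency check for the tls-auth key material after regenerating everything, added here as an example and not part of the original post. With `tls-auth ta.key 0` on the server and `tls-auth ta.key 1` on the client, every control-channel packet is HMAC-checked against ta.key before TLS starts, so a client left with an old ta.key, or one configured with the server's key direction, fails with exactly the "packet HMAC authentication failed" seen in the logs while certificate verification never gets a chance to run. The code parses the static key file format written by `openvpn --genkey` (16 lines of 32 hex digits between the BEGIN/END markers), fingerprints both copies, and compares the key directions from the two configs. The key files and config snippets it runs on are constructed for the demo; they are not the poster's real files and the keys are not real keys.

```python
"""Check that client and server copies of an OpenVPN --tls-auth static key match
and that the two sides use opposite key directions (added example, not from the post)."""
import hashlib
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"


def parse_static_key(text: str) -> bytes:
    """Return the 256 raw key bytes of a --genkey file (2048 bits), or raise ValueError."""
    lines = [ln.strip() for ln in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("no OpenVPN static key block found")
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    hexstr = "".join(ln for ln in body if ln)
    if not re.fullmatch(r"[0-9a-fA-F]{512}", hexstr):
        raise ValueError("key body is not 512 hex digits (2048 bits)")
    return bytes.fromhex(hexstr)


def fingerprint(key: bytes) -> str:
    """Short SHA-256 fingerprint that is safe to read out loud or paste in a ticket."""
    return hashlib.sha256(key).hexdigest()[:16]


def tls_auth_direction(config: str):
    """Key direction a side will use: the third word of 'tls-auth <file> <n>' or a
    separate 'key-direction <n>' line. None means no direction (bidirectional key)."""
    direction = None
    for ln in config.splitlines():
        parts = ln.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "tls-auth" and len(parts) >= 3:
            direction = int(parts[2])
        elif parts[0] == "key-direction" and len(parts) >= 2:
            direction = int(parts[1])
    return direction


def check_pair(server_conf: str, server_key: str, client_conf: str, client_key: str) -> list:
    """Problems that make the client's control packets fail the server's tls-auth HMAC."""
    problems = []
    skey, ckey = parse_static_key(server_key), parse_static_key(client_key)
    if skey != ckey:
        problems.append(f"ta.key differs: server {fingerprint(skey)} vs client {fingerprint(ckey)}"
                        " (old ta.key left on the client?)")
    sdir, cdir = tls_auth_direction(server_conf), tls_auth_direction(client_conf)
    if (sdir is None) != (cdir is None):
        problems.append(f"key-direction given on one side only (server={sdir}, client={cdir})")
    elif sdir is not None and sdir == cdir:
        problems.append(f"both sides use key-direction {sdir}; server should be 0 and client 1")
    return problems


def _key_file(seed: bytes) -> str:
    """Constructed demo key file in --genkey layout: NOT a real key, never use it."""
    raw = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(8))  # 256 bytes
    h = raw.hex()
    body = "\n".join(h[i:i + 32] for i in range(0, len(h), 32))
    return f"#\n# 2048 bit OpenVPN static key (constructed demo)\n#\n{BEGIN}\n{body}\n{END}\n"


# Constructed snippets mirroring the tls-auth lines of the configs in the thread.
SERVER_CONF = "port 9194\nproto udp\ntls-auth ta.key 0\ncipher BF-CBC\n"
CLIENT_CONF = "client\nremote xx.xx.xx.xx 9194\ntls-auth ta.key 1\ncipher BF-CBC\n"
NEW_KEY = _key_file(b"regenerated-after-ca-loss")
OLD_KEY = _key_file(b"the-key-before-regeneration")

if __name__ == "__main__":
    print(check_pair(SERVER_CONF, NEW_KEY, CLIENT_CONF, NEW_KEY))  # no problems
    print(check_pair(SERVER_CONF, NEW_KEY, CLIENT_CONF, OLD_KEY))  # stale client key
    print(check_pair(SERVER_CONF, NEW_KEY, CLIENT_CONF.replace("ta.key 1", "ta.key 0"), NEW_KEY))
```

In practice you run `parse_static_key`/`fingerprint` on each device's copy of ta.key and compare the two fingerprints; a device that shows a different fingerprint, or the same direction as the server, is the one producing the HMAC failures.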


Reply to: comment by kravzo

No changes

Fri Dec  4 11:57:22 2015 us=873073 MULTI: multi_create_instance called
Fri Dec  4 11:57:22 2015 us=873128 141.105.52.211:59885 Re-using SSL/TLS context
Fri Dec  4 11:57:22 2015 us=873148 141.105.52.211:59885 LZO compression initialized
Fri Dec  4 11:57:22 2015 us=873207 141.105.52.211:59885 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Dec  4 11:57:22 2015 us=873222 141.105.52.211:59885 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Dec  4 11:57:22 2015 us=873244 141.105.52.211:59885 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Dec  4 11:57:22 2015 us=873250 141.105.52.211:59885 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Dec  4 11:57:22 2015 us=873262 141.105.52.211:59885 Local Options hash (VER=V4): '14168603'
Fri Dec  4 11:57:22 2015 us=873271 141.105.52.211:59885 Expected Remote Options hash (VER=V4): '504e774e'
Fri Dec  4 11:57:22 2015 us=873292 141.105.52.211:59885 TLS: Initial packet from [AF_INET]141.105.52.211:59885, sid=fa6800d4 a333318a
Fri Dec  4 11:57:27 2015 us=431001 141.105.52.211:59885 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2 / time = (1449201441) Fri Dec  4 11:57:21 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Fri Dec  4 11:57:27 2015 us=431020 141.105.52.211:59885 TLS Error: incoming packet authentication failed from [AF_INET]141.105.52.211:59885
Fri Dec  4 11:57:27 2015 us=431370 141.105.52.211:59885 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1449201441) Fri Dec  4 11:57:21 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Fri Dec  4 11:57:27 2015 us=431395 141.105.52.211:59885 TLS Error: incoming packet authentication failed from [AF_INET]141.105.52.211:59885
Fri Dec  4 11:57:29 2015 us=940 141.105.52.211:59885 Replay-window backtrack occurred [4]
Fri Dec  4 11:57:29 2015 us=997 141.105.52.211:59885 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2 / time = (1449201441) Fri Dec  4 11:57:21 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Fri Dec  4 11:57:29 2015 us=1008 141.105.52.211:59885 TLS Error: incoming packet authentication failed from [AF_INET]141.105.52.211:59885
Fri Dec  4 11:57:29 2015 us=1468 141.105.52.211:59885 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1449201441) Fri Dec  4 11:57:21 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Fri Dec  4 11:57:29 2015 us=1487 141.105.52.211:59885 TLS Error: incoming packet authentication failed from [AF_INET]141.105.52.211:59885
Fri Dec  4 11:57:30 2015 us=245458 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Fri Dec  4 11:57:30 2015 us=938689 141.105.52.211:59885 Replay-window backtrack occurred [8]
Fri Dec  4 11:57:30 2015 us=938747 141.105.52.211:59885 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2 / time = (1449201441) Fri Dec  4 11:57:21 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

deptk ()
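
The three logs in this thread mix three different failures that all end in "TLS Error: incoming packet authentication failed": packets whose tls-auth HMAC does not verify (they never reach TLS, so no certificate is ever checked for them; in the first log these come from 176.59.141.149 while the client that actually completes the handshake is 80.83.239.3), packets dropped by replay protection ("bad packet ID"), and, on an already authenticated tunnel, packets with a source address the server has no route for ("MULTI: bad source address from client [192.168.0.105]"; the server only accepts a client's own pool address or a subnet given to it with iroute). The script below is an added example, not code from the post: it runs over constructed log lines trimmed from the excerpts above, groups each failure by remote address and kind, and states what each group means. The server LAN subnets (192.168.0.0/24 and 192.168.1.0/24, from the route table) and the pool (10.8.0.0/24, from the server config) are passed in as defaults that you would adjust for another server.

```python
"""Triage of OpenVPN server log lines at verb 4 (added example, not from the post).

Groups failures by remote address and kind so that three different problems
are not read as one "TLS error":
  hmac   - control packet rejected by --tls-auth before TLS runs
  replay - packet ID already inside the replay window
  source - packet from an authenticated tunnel whose source IP is neither the
           client's pool address nor covered by an iroute
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample, trimmed from the log excerpts in the thread.
SAMPLE_LOG = """\
Fri Dec  4 09:37:03 2015 us=468002 80.83.239.3:19993 VERIFY OK: depth=0, /C=RU/ST=Irkutskaya/L=Irkutsk/O=***/CN=***/emailAddress=***
Fri Dec  4 09:37:03 2015 us=644990 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec  4 09:37:03 2015 us=645032 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:52870
Fri Dec  4 09:37:03 2015 us=996454 80.83.239.3:19993 [***] Peer Connection Initiated with [AF_INET]80.83.239.3:19993
Fri Dec  4 09:37:04 2015 us=958542 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec  4 09:37:04 2015 us=958587 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:56645
Fri Dec  4 09:52:46 2015 us=559266 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec  4 09:52:47 2015 us=842681 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec  4 11:57:27 2015 us=431001 141.105.52.211:59885 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2 / time = (1449201441) Fri Dec  4 11:57:21 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Fri Dec  4 11:57:27 2015 us=431020 141.105.52.211:59885 TLS Error: incoming packet authentication failed from [AF_INET]141.105.52.211:59885
"""

LINE_RE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} us=\d+ (?P<msg>.*)$")
PEER_RE = re.compile(r"^(?:[^\s/]+/)?(?P<ip>\d+(?:\.\d+){3}):\d+ (?P<body>.*)$")  # "[cn/]ip:port rest"
FAIL_FROM_RE = re.compile(r"incoming packet authentication failed from \[AF_INET\](?P<ip>[\d.]+):\d+")
BAD_SRC_RE = re.compile(r"bad source address from client \[(?P<src>[\d.]+)\]")
PKT_ID_RE = re.compile(r"bad packet ID \(may be a replay\): \[ #(?P<id>\d+)")


@dataclass
class PeerReport:
    hmac_failures: int = 0
    replay_rejects: int = 0
    replayed_ids: list = field(default_factory=list)
    bad_sources: Counter = field(default_factory=Counter)
    cert_verified: bool = False   # saw "VERIFY OK: depth=0" for this address
    connected: bool = False       # saw "Peer Connection Initiated"


def triage(log_text: str) -> dict:
    """Map remote IP -> PeerReport for every line the parser recognises."""
    peers = defaultdict(PeerReport)
    pending = None  # reason from the previous "Authenticate/Decrypt packet error" line
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        pm = PEER_RE.match(msg)
        ip, body = (pm.group("ip"), pm.group("body")) if pm else (None, msg)
        if "Authenticate/Decrypt packet error" in body:
            # OpenVPN logs the reason first; the offending address follows on the next line
            if "packet HMAC authentication failed" in body:
                pending = ("hmac", None)
            else:
                idm = PKT_ID_RE.search(body)
                pending = ("replay", int(idm.group("id")) if idm else None)
            continue
        fm = FAIL_FROM_RE.search(body)
        if fm:
            rep = peers[fm.group("ip")]
            kind, pkt_id = pending or ("unknown", None)
            if kind == "hmac":
                rep.hmac_failures += 1
            elif kind == "replay":
                rep.replay_rejects += 1
                rep.replayed_ids.append(pkt_id)
            pending = None
            continue
        if ip is None:
            continue
        rep = peers[ip]
        if "VERIFY OK: depth=0" in body:
            rep.cert_verified = True
        elif "Peer Connection Initiated" in body:
            rep.connected = True
        else:
            bm = BAD_SRC_RE.search(body)
            if bm:
                rep.bad_sources[bm.group("src")] += 1
    return dict(peers)


def findings(peers: dict, server_lans=("192.168.0.0/24", "192.168.1.0/24"), pool="10.8.0.0/24") -> list:
    """One conclusion per failure group. Defaults are this thread's server LANs and pool."""
    lans = [ip_network(n) for n in server_lans]
    out = []
    for ip, rep in sorted(peers.items()):
        if rep.hmac_failures and not rep.cert_verified:
            out.append(f"{ip}: {rep.hmac_failures} packet(s) rejected by tls-auth and no certificate was "
                       f"ever verified from this address: its ta.key/key-direction does not match the "
                       f"server's, or it is not one of our clients at all")
        if rep.replay_rejects:
            ids = sorted({i for i in rep.replayed_ids if i is not None})
            out.append(f"{ip}: {rep.replay_rejects} packet(s) dropped by replay protection (ids {ids}): "
                       f"duplicated packets on the path or a peer re-sending already-seen packet IDs")
        for src, n in rep.bad_sources.items():
            inside = [str(l) for l in lans if ip_address(src) in l]
            note = f", and it lies inside the server's own LAN {inside[0]}" if inside else ""
            out.append(f"{ip}: {n} packet(s) with source {src} dropped: neither this client's address "
                       f"in {pool} nor covered by an iroute{note}")
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG)):
        print(line)
```

Run it over `/var/log/openvpn.log` instead of `SAMPLE_LOG` to see which addresses never get past tls-auth (those devices need the current ta.key) and which authenticated clients are injecting packets with a foreign source address.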