Debian 10 OpenVPN [SOLVED]

1. Debian 10 OpenVPN [SOLVED]

Elieser Júnior
zeljunior

(uses Debian)

Posted on 09/01/2020 - 14:17h

Hi everyone, good afternoon.

I have an OpenVPN server in the cloud running Debian 8, with several clients (Linux and Windows) connected to it. I have just set up a new client on Debian 10, but it will not connect to the VPN at all: it tries to authenticate and keeps generating the errors below on the cloud server, and on that Debian 10 client machine the errors are as follows:

Debian 10 client:

Thu Jan 9 14:12:58 2020 us=387001 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Thu Jan 9 14:12:58 2020 us=387031 library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.10
Thu Jan 9 14:12:58 2020 us=387354 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Jan 9 14:12:58 2020 us=453596 LZO compression initializing
Thu Jan 9 14:12:58 2020 us=454463 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Jan 9 14:12:58 2020 us=492918 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Jan 9 14:12:58 2020 us=493682 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-client'
Thu Jan 9 14:12:58 2020 us=493974 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-server'
Thu Jan 9 14:12:58 2020 us=494751 TCP/UDP: Preserving recently used remote address: [AF_INET]167.114.56.170:3560
Thu Jan 9 14:12:58 2020 us=495110 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Jan 9 14:12:58 2020 us=495452 UDP link local (bound): [AF_INET][undef]:3560
Thu Jan 9 14:12:58 2020 us=495806 UDP link remote: [AF_INET]167.114.56.170:3560
Thu Jan 9 14:12:58 2020 us=496133 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Jan 9 14:12:58 2020 us=652380 TLS: Initial packet from [AF_INET]167.114.56.170:3560, sid=f7c1423d 87ee3353
Thu Jan 9 14:12:58 2020 us=820413 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
Thu Jan 9 14:12:58 2020 us=821274 OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Thu Jan 9 14:12:58 2020 us=822257 TLS_ERROR: BIO read tls_read_plaintext error
Thu Jan 9 14:12:58 2020 us=823106 TLS Error: TLS object -> incoming plaintext read error
Thu Jan 9 14:12:58 2020 us=823892 TLS Error: TLS handshake failed
Thu Jan 9 14:12:58 2020 us=824163 TCP/UDP: Closing socket
Thu Jan 9 14:12:58 2020 us=824621 SIGUSR1[soft,tls-error] received, process restarting
Thu Jan 9 14:12:58 2020 us=824701 Restart pause, 5 second(s)
Thu Jan 9 14:13:03 2020 us=824983 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Jan 9 14:13:03 2020 us=825121 Re-using SSL/TLS context
Thu Jan 9 14:13:03 2020 us=825169 LZO compression initializing
Thu Jan 9 14:13:03 2020 us=825481 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Jan 9 14:13:03 2020 us=825837 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Jan 9 14:13:03 2020 us=825981 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-client'
Thu Jan 9 14:13:03 2020 us=826034 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-server'
Thu Jan 9 14:13:03 2020 us=826085 TCP/UDP: Preserving recently used remote address: [AF_INET]167.114.56.170:3560
Thu Jan 9 14:13:03 2020 us=826162 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Jan 9 14:13:03 2020 us=826215 UDP link local (bound): [AF_INET][undef]:3560
Thu Jan 9 14:13:03 2020 us=826252 UDP link remote: [AF_INET]167.114.56.170:3560
Thu Jan 9 14:13:03 2020 us=982554 TLS Error: Unroutable control packet received from [AF_INET]167.114.56.170:3560 (si=3 op=P_CONTROL_V1)
Thu Jan 9 14:13:03 2020 us=982740 TLS: Initial packet from [AF_INET]167.114.56.170:3560, sid=8085462a 261235a9
Thu Jan 9 14:13:04 2020 us=136696 TLS Error: Unroutable control packet received from [AF_INET]167.114.56.170:3560 (si=3 op=P_CONTROL_V1)
Thu Jan 9 14:13:04 2020 us=141921 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
Thu Jan 9 14:13:04 2020 us=142071 OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Thu Jan 9 14:13:04 2020 us=142117 TLS_ERROR: BIO read tls_read_plaintext error
Thu Jan 9 14:13:04 2020 us=142151 TLS Error: TLS object -> incoming plaintext read error
Thu Jan 9 14:13:04 2020 us=142183 TLS Error: TLS handshake failed
Thu Jan 9 14:13:04 2020 us=142358 TCP/UDP: Closing socket
Thu Jan 9 14:13:04 2020 us=142449 SIGUSR1[soft,tls-error] received, process restarting
Thu Jan 9 14:13:04 2020 us=142984 Restart pause, 5 second(s)


Cloud server:

Thu Jan 9 14:01:01 2020 us=964316 177.42.216.69:2048 TLS: Initial packet from [AF_INET]177.42.216.69:2048, sid=cf889152 cd659bc2
Thu Jan 9 14:02:01 2020 us=624382 177.42.216.69:2048 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jan 9 14:02:01 2020 us=624501 177.42.216.69:2048 TLS Error: TLS handshake failed
Thu Jan 9 14:02:01 2020 us=624556 177.42.216.69:2048 SIGUSR1[soft,tls-error] received, client-instance restarting


Note: other Linux releases (Debian 7, 8) work perfectly.

Has anyone run into this before and can help?
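Added example, not part of the original post: a small POSIX shell triage script that scans an OpenVPN client log for the OpenSSL "ssl_choose_client_version:unsupported protocol" reason quoted above, and for the legacy parameters the same log advertises in its Local Options String (cipher DES-EDE3-CBC, auth SHA1, comp-lzo) plus the deprecated --ns-cert-type warning. The sample log lines are a constructed excerpt modelled on the post, and the finding keywords are this example's own names, not OpenVPN output.

```shell
#!/bin/sh
# Added example, not from the original thread or from OpenVPN itself.
# Triage an OpenVPN client log for the TLS-version mismatch seen in the
# post and for legacy options advertised in the "Local Options String".

# Write a constructed log excerpt (modelled on the lines in the post) to $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Thu Jan 9 14:12:58 2020 us=387354 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Jan 9 14:12:58 2020 us=493682 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-client'
Thu Jan 9 14:12:58 2020 us=820413 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled.
Thu Jan 9 14:12:58 2020 us=821274 OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Thu Jan 9 14:12:58 2020 us=823892 TLS Error: TLS handshake failed
EOF
}

# Print one finding keyword per line for the log file in $1 (nothing if clean).
triage_openvpn_log() {
    log="$1"
    # OpenSSL 1.1.1 raises this reason when the server's chosen version is
    # below the client's configured minimum (openssl.cnf MinProtocol or
    # OpenVPN tls-version-min).
    if grep -q 'ssl_choose_client_version:unsupported protocol' "$log"; then
        echo "tls_version_mismatch"
    fi
    # Deprecated certificate-purpose check; --remote-cert-tls replaces it.
    if grep -q -- '--ns-cert-type is DEPRECATED' "$log"; then
        echo "ns_cert_type_deprecated"
    fi
    # Data-channel parameters the client advertises to the server.
    opts=$(grep 'Local Options String' "$log" | head -n 1)
    case "$opts" in
        # 64-bit block ciphers (3DES, Blowfish) are exposed to Sweet32.
        *"cipher DES-EDE3-CBC"*|*"cipher BF-CBC"*) echo "legacy_64bit_block_cipher" ;;
    esac
    case "$opts" in
        *"auth SHA1"*|*"auth MD5"*) echo "legacy_hmac" ;;
    esac
    case "$opts" in
        # Compression over the tunnel enables VORACLE-class attacks.
        *comp-lzo*) echo "compression_enabled" ;;
    esac
}

# Demo: write the sample excerpt, triage it, clean up.
sample=$(mktemp)
write_sample_log "$sample"
triage_openvpn_log "$sample"
rm -f "$sample"
```

Run as-is it reports all five findings for the excerpt; point triage_openvpn_log at a real client log captured at the same verbosity as the one in the post (the Local Options String line is what the cipher and auth checks rely on). The tls_version_mismatch finding tells you the floor is on the client side, which is exactly the situation in this thread: the server never gets past "Initial packet", so its own log only shows the 60-second negotiation timeout.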


  


2. Re: Debian 10 OpenVPN [SOLVED]

Stanislaus K
StanislausK

(uses FreeBSD)

Posted on 10/01/2020 - 09:52h

Hello,

have a read:

Debian Bug report logs - #933177
network-manager-openvpn: unable to connect after upgrade to buster due to new OpenSSL minimum TLS version


https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933177


3. Re: Debian 10 OpenVPN [SOLVED]

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 10/01/2020 - 09:53h

Look at the size of the error right in your face, and you didn't notice it:


Thu Jan 9 14:12:58 2020 us=820413 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only


Since you updated the machine, your OpenSSL is newer and no longer accepts TLSv1.0. Either you enable it manually on your client (which I don't recommend) or you upgrade the OS of the OpenVPN server.

--
http://br.linkedin.com/in/renatocarneirop
http://www.facebook.com/renatocarneirop

"Don't believe what I say, because it is my experience and not yours. Experiment, question and seek." - Osho Rajneesh


4. Debian 10 OpenVPN

Elieser Júnior
zeljunior

(uses Debian)

Posted on 11/01/2020 - 18:28h

I managed to solve it; I did the following:

I set the Debian 10 client machine to use TLS1, changing the settings as below:

vim /etc/ssl/openssl.cnf

[system_default_sect]
-MinProtocol = TLSv1.2
+MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=2

This changes the system's default minimum enabled protocol from TLS 1.2 to 1.0.



5. Re: Debian 10 OpenVPN [SOLVED]

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 14/01/2020 - 17:00h

You "solved" it, but you introduced a weakness into your VPN. The recommended approach was to update everything and keep TLSv1.2.

zeljunior wrote:

I managed to solve it; I did the following:

I set the Debian 10 client machine to use TLS1, changing the settings as below:

vim /etc/ssl/openssl.cnf

[system_default_sect]
-MinProtocol = TLSv1.2
+MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=2

This changes the system's default minimum enabled protocol from TLS 1.2 to 1.0.




--
http://br.linkedin.com/in/renatocarneirop
http://www.facebook.com/renatocarneirop

"Don't believe what I say, because it is my experience and not yours. Experiment, question and seek." - Osho Rajneesh
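Added example covering the advice in replies 3 and 5; this is not code from the thread, from OpenVPN or from Debian. It is a POSIX shell audit that reads the MinProtocol floor from an openssl.cnf-style file and checks an OpenVPN config for the settings at issue in this thread. It writes four constructed files: the Debian 10 default and the thread's TLSv1 workaround for /etc/ssl/openssl.cnf, a client config mirroring the log's Local Options String, and a hardened client config (tls-version-min 1.2, cipher AES-256-GCM, auth SHA256, remote-cert-tls server, no comp-lzo) that is this example's recommendation, not the thread's. The file names and the 192.0.2.1 remote address are placeholders; the hardened settings assume OpenVPN 2.3.3 or later on both ends (for tls-version-min) and an OpenSSL with TLS 1.2 support on the server.

```shell
#!/bin/sh
# Added example, not part of the original thread, OpenVPN or Debian.
# Audits the two places the thread touches: the system-wide OpenSSL
# MinProtocol floor and the OpenVPN client/server config. All file
# contents below are constructed for this example.

# Write four constructed files into directory $1:
#   openssl-buster.cnf      the Debian 10 default (MinProtocol = TLSv1.2)
#   openssl-workaround.cnf  the thread's workaround (MinProtocol = TLSv1)
#   client-legacy.conf      options matching the log's Local Options String
#   client-hardened.conf    the settings this example recommends instead
write_sample_configs() {
    d="$1"
    cat > "$d/openssl-buster.cnf" <<'EOF'
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
    cat > "$d/openssl-workaround.cnf" <<'EOF'
[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=2
EOF
    # 192.0.2.1 is a documentation address used as a placeholder remote.
    cat > "$d/client-legacy.conf" <<'EOF'
client
dev tun
proto udp
remote 192.0.2.1 3560
comp-lzo
cipher DES-EDE3-CBC
auth SHA1
ns-cert-type server
EOF
    cat > "$d/client-hardened.conf" <<'EOF'
client
dev tun
proto udp
remote 192.0.2.1 3560
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
remote-cert-tls server
EOF
}

# Print the MinProtocol value from [system_default_sect] of an openssl.cnf.
openssl_min_protocol() {
    awk -F'=' '
        /^\[/ { insect = ($0 ~ /^\[system_default_sect\]/) }
        insect && $1 ~ /^[ \t]*MinProtocol[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }
    ' "$1"
}

# Print one finding per line for an OpenVPN config; prints nothing if clean.
audit_openvpn_conf() {
    conf="$1"
    min=$(awk '$1 == "tls-version-min" { print $2 }' "$conf")
    case "$min" in
        "")      echo "no tls-version-min: the floor is whatever OpenSSL's defaults allow" ;;
        1.0|1.1) echo "tls-version-min $min permits deprecated TLS versions" ;;
    esac
    cipher=$(awk '$1 == "cipher" { print $2 }' "$conf")
    case "$cipher" in
        # 64-bit block ciphers (3DES, DES, Blowfish, RC2) are Sweet32 targets.
        ""|DES-EDE3-CBC|DES-CBC|BF-CBC|RC2-*)
            echo "missing or 64-bit-block cipher: ${cipher:-none}" ;;
    esac
    auth=$(awk '$1 == "auth" { print $2 }' "$conf")
    case "$auth" in
        ""|SHA1|MD5) echo "legacy or missing HMAC: ${auth:-none}" ;;
    esac
    if grep -q '^ns-cert-type' "$conf"; then
        echo "ns-cert-type is deprecated; use remote-cert-tls"
    fi
    if grep -q '^comp-lzo' "$conf"; then
        echo "comp-lzo enables compression (VORACLE-class risk)"
    fi
}

# Demo: write the samples, report MinProtocol, audit both client configs.
d=$(mktemp -d)
write_sample_configs "$d"
for f in openssl-buster.cnf openssl-workaround.cnf; do
    echo "$f: MinProtocol=$(openssl_min_protocol "$d/$f")"
done
for f in client-legacy.conf client-hardened.conf; do
    echo "== $f"
    audit_openvpn_conf "$d/$f"
done
rm -rf "$d"
```

Lowering MinProtocol in /etc/ssl/openssl.cnf affects every program on the host that uses the system OpenSSL defaults, not only OpenVPN, which is why reply 5 objects to it; the hardened config keeps the TLSv1.2 floor and the matching fix belongs on the server (upgrade it, set tls-version-min 1.2 on both ends). Run openssl_min_protocol /etc/ssl/openssl.cnf on a Debian 10 box to confirm the TLSv1.2 default, and audit_openvpn_conf against your real client and server configs.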





