OpenVPN - Negociação de chave TLS falhou em Raspbian

0

A execução do cliente OpenVPN no Raspbian falha com uma falha de negociação de chave TLS:

Tue Jan 16 17:21:58 2018 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
Tue Jan 16 17:21:58 2018 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Tue Jan 16 17:21:58 2018 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Tue Jan 16 17:21:58 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 16 17:21:58 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 16 17:21:58 2018 Socket Buffers: R=[163840->131072] S=[163840->131072]
Tue Jan 16 17:21:58 2018 UDPv4 link local: [undef]
Tue Jan 16 17:21:58 2018 UDPv4 link remote: [AF_INET]~hidden~:7799
Tue Jan 16 17:21:58 2018 TLS: Initial packet from [AF_INET]~hidden~:7799, sid=95132897 59367d19
Tue Jan 16 17:22:58 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jan 16 17:22:58 2018 TLS Error: TLS handshake failed
Tue Jan 16 17:22:58 2018 SIGUSR1[soft,tls-error] received, process restarting
Tue Jan 16 17:22:58 2018 Restart pause, 2 second(s)

Embora eu possa me conectar ao servidor sem problemas de outros computadores 'normais' (não-framboesa-pi). Por exemplo, logs do Ubuntu:

Jan 16 17:17:15 elara ovpn-client[8741]: OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul  3 2017
Jan 16 17:17:15 elara ovpn-client[8741]: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Jan 16 17:17:15 elara systemd[1]: Started OpenVPN connection to client.
Jan 16 17:17:15 elara ovpn-client[8741]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 16 17:17:15 elara ovpn-client[8741]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 16 17:17:15 elara ovpn-client[8741]: TCP/UDP: Preserving recently used remote address: [AF_INET]~hidden~:7799
Jan 16 17:17:15 elara ovpn-client[8741]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jan 16 17:17:15 elara ovpn-client[8741]: UDP link local: (not bound)
Jan 16 17:17:15 elara ovpn-client[8741]: UDP link remote: [AF_INET]~hidden~:7799
Jan 16 17:17:15 elara ovpn-client[8741]: TLS: Initial packet from [AF_INET]~hidden~:7799, sid=ca91bf02 d006bf9d
Jan 16 17:17:15 elara ovpn-client[8741]: VERIFY OK: ~hidden~
Jan 16 17:17:15 elara ovpn-client[8741]: VERIFY KU OK
Jan 16 17:17:15 elara ovpn-client[8741]: Validating certificate extended key usage
Jan 16 17:17:15 elara ovpn-client[8741]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jan 16 17:17:15 elara ovpn-client[8741]: VERIFY EKU OK
Jan 16 17:17:15 elara ovpn-client[8741]: VERIFY OK: ~hidden~
Jan 16 17:17:16 elara ovpn-client[8741]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
Jan 16 17:17:16 elara ovpn-client[8741]: WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Jan 16 17:17:16 elara ovpn-client[8741]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Jan 16 17:17:16 elara ovpn-client[8741]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES128-GCM-SHA256, 2048 bit RSA
Jan 16 17:17:16 elara ovpn-client[8741]: [server] Peer Connection Initiated with [AF_INET]~hidden~:7799
Jan 16 17:17:17 elara ovpn-client[8741]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jan 16 17:17:17 elara ovpn-client[8741]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,compress lz4-v2,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Jan 16 17:17:17 elara ovpn-client[8741]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 16 17:17:17 elara ovpn-client[8741]: OPTIONS IMPORT: compression parms modified
Jan 16 17:17:17 elara ovpn-client[8741]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 16 17:17:17 elara ovpn-client[8741]: OPTIONS IMPORT: route-related options modified
Jan 16 17:17:17 elara ovpn-client[8741]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 16 17:17:17 elara ovpn-client[8741]: OPTIONS IMPORT: peer-id set
Jan 16 17:17:17 elara ovpn-client[8741]: OPTIONS IMPORT: adjusting link_mtu to 1625
Jan 16 17:17:17 elara systemd-udevd[8757]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jan 16 17:17:17 elara ovpn-client[8741]: OPTIONS IMPORT: data channel crypto options modified
Jan 16 17:17:17 elara ovpn-client[8741]: Data Channel: using negotiated cipher 'AES-256-GCM'
Jan 16 17:17:17 elara ovpn-client[8741]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 16 17:17:17 elara ovpn-client[8741]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 16 17:17:17 elara ovpn-client[8741]: TUN/TAP device tun0 opened
Jan 16 17:17:17 elara ovpn-client[8741]: TUN/TAP TX queue length set to 100
Jan 16 17:17:17 elara ovpn-client[8741]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 16 17:17:17 elara ovpn-client[8741]: /sbin/ip link set dev tun0 up mtu 1500
Jan 16 17:17:17 elara NetworkManager[778]: <info>  [1516119437.2038] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/8)
Jan 16 17:17:17 elara ovpn-client[8741]: /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255

Funciona também em computadores com Windows. Todos os computadores (e raspberry pi) estão atrás do mesmo roteador e o servidor VPN é remoto.

tcpdump em pi:

root@raspberrypi:/etc/openvpn# tcpdump -ni wlan0 udp and port 7799
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:41:08.458713 IP 192.168.2.43.56835 > 163.~hidden~.7799: UDP, length 42
17:41:08.494048 IP 163.~hidden~.7799 > 192.168.2.43.56835: UDP, length 54
17:41:08.494813 IP 192.168.2.43.56835 > 163.~hidden~.7799: UDP, length 50
17:41:08.495279 IP 192.168.2.43.56835 > 163.~hidden~.7799: UDP, length 142
17:41:08.495596 IP 192.168.2.43.56835 > 163.~hidden~.7799: UDP, length 135
17:41:08.535574 IP 163.~hidden~.7799 > 192.168.2.43.56835: UDP, length 50
17:41:11.548510 IP 192.168.2.43.56835 > 163.~hidden~.7799: UDP, length 135
17:41:15.565617 IP 192.168.2.43.56835 > 163.~hidden~.7799: UDP, length 135

Nenhum firewall está sendo executado em Raspbian, até onde eu posso ver. Eu tentei vincular o servidor OpenVPN ao endereço inet conforme recomendado em algumas outras respostas para perguntas semelhantes aqui.

O servidor tem a seguinte configuração de firewalld:

firewall-cmd --permanent --add-service openvpn
firewall-cmd --permanent --zone=trusted --add-interface=tun0
firewall-cmd --permanent --zone=trusted --add-masquerade
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s  10.8.0.0/24 -o eth0 -j MASQUERADE
firewall-cmd --reload

(o xml do serviço openvpn foi modificado para refletir a porta personalizada 7799)

    
por Shreyas 16.01.2018 / 18:30

1 resposta

1

O problema foi a incapacidade do (velho) Raspbian Jessie rodando no Raspberry Pi de não ser capaz de negociar um tls-cipher devido às configurações estritas no lado do servidor. Remover as instruções tls-cipher da configuração do servidor corrige o problema.

Caso você ainda esteja tendo problemas, eu recomendo ativar o arquivo log na configuração do servidor e definir uma configuração verb relativamente alta, além de analisar os registros do servidor e do cliente.

    
por 22.01.2018 / 13:50