OpenVPN import mit Inline-Zertifikat

[sanny]

Moin Leute,

ich verwende im Heimnetzwerk ein Raspberry Pi als OpenVPN-Server und nutze dafür PiVPN.

PiVPN erstellt mir folgende .ovpn Datei:

Code: [Auswählen]

client
dev tun
proto tcp6
remote HOST PORT
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name DietPi_Home name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
XXX
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
XXX
-----END OpenVPN Static key V1-----
</tls-crypt>

Beim Versuch diese Datei zu importieren erhalte ich die im Anhang beigefügte Meldung. Ich habe etwas recherchiert und das Problem soll wohl an den Inline-Zertifikaten legen.

Beim Versuch sich über die Konsole zu verbinden erhalte ich folgendes:

Code: [Auswählen]

Sat Jan 11 20:56:10 2020 OpenVPN 2.4.8 [git:makepkg/3976acda9bf10b5e+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 30 2019
Sat Jan 11 20:56:10 2020 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Enter Private Key Password: ***********
Sat Jan 11 20:56:15 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Jan 11 20:56:15 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jan 11 20:56:15 2020 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Jan 11 20:56:15 2020 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jan 11 20:56:15 2020 RESOLVE: Cannot resolve host address: HOST:PORT (Name or service not known)
Sat Jan 11 20:56:15 2020 RESOLVE: Cannot resolve host address: HOST:PORT (Name or service not known)
Sat Jan 11 20:56:15 2020 Could not determine IPv4/IPv6 protocol
Sat Jan 11 20:56:15 2020 SIGUSR1[soft,init_instance] received, process restarting
Sat Jan 11 20:56:15 2020 Restart pause, 5 second(s)
Sat Jan 11 20:56:20 2020 RESOLVE: Cannot resolve host address: HOST:PORT (Name or service not known)
Sat Jan 11 20:56:20 2020 RESOLVE: Cannot resolve host address: HOST:PORT (Name or service not known)
Sat Jan 11 20:56:20 2020 Could not determine IPv4/IPv6 protocol
Sat Jan 11 20:56:20 2020 SIGUSR1[soft,init_instance] received, process restarting

Dieselbe .ovpn Datei kann ich jedoch ohne Probleme an meinem Android verwenden...

GIbt es eine Lösung um die ovpn-Datei dennoch zu importieren oder zumindest zu nutzen?

[sanny]

Okay, habe herausgefunden das Import und Verbindung klappt, sobald "proto tcp6" in "proto tcp" geändert wird...

[gecko99]

Hi,
ich hänge hier am selben Problem.
Allerdings steht in der besagten Zeile ein "udp"

Die Verbindung kommt nicht zustande mit der Fehlermeldung "Zeitüberschreitung"
PiVPN funktioniert (Login Androidhandy)

Bin seit 2 Tagen von Ubuntu auf Manjaro - bislang hat alles gut (besser) geklappt,
bis auf dieses Problem. Ich bin für jeden Ratschlag dankbar.

Anbei die .ovpn Datei (mit XXXX anonymisiert)

Code: [Auswählen]

client
dev tun
proto udp
remote xxxxxxx.xxxxx.com 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name raspberrypi_68fe57b8-b72d-4375-b6f9-e969529e2088 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
XXXXXXX
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
XXXXXXXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
XXXXXXX
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
XXXXXX
-----END OpenVPN Static key V1-----
</tls-crypt>



[gecko99]

Anbei noch der Output beim Versuch die ovpn Datei via Kommandozeile zu laden:

Code: [Auswählen]

2020-12-21 21:05:19 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2020-12-21 21:05:19 OpenVPN 2.5.0 [git:makepkg/a73072d8f780e888+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  6 2020
2020-12-21 21:05:19 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
🔐 Enter Private Key Password: ********               
2020-12-21 21:05:24 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-12-21 21:05:24 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-12-21 21:05:24 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-12-21 21:05:24 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-12-21 21:05:24 TCP/UDP: Preserving recently used remote address: [AF_INET]80.109.58.248:1194
2020-12-21 21:05:24 Socket Buffers: R=[212992->212992] S=[212992->212992]
2020-12-21 21:05:24 UDP link local: (not bound)
2020-12-21 21:05:24 UDP link remote: [AF_INET]80.109.58.248:1194
2020-12-21 21:05:24 TLS: Initial packet from [AF_INET]80.109.58.248:1194, sid=47faa116 166515db
2020-12-21 21:05:24 VERIFY KU OK
2020-12-21 21:05:24 Validating certificate extended key usage
2020-12-21 21:05:24 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2020-12-21 21:05:24 VERIFY EKU OK
2020-12-21 21:05:24 VERIFY X509NAME OK: CN=raspberrypi_68fe57b8-b72d-4375-b6f9-e969529e2088
2020-12-21 21:05:24 VERIFY OK: depth=0, CN=raspberrypi_68fe57b8-b72d-4375-b6f9-e969529e2088
2020-12-21 21:05:24 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
2020-12-21 21:05:24 [raspberrypi_68fe57b8-b72d-4375-b6f9-e969529e2088] Peer Connection Initiated with [AF_INET]80.109.58.248:1194
2020-12-21 21:05:25 SENT CONTROL [raspberrypi_68fe57b8-b72d-4375-b6f9-e969529e2088]: 'PUSH_REQUEST' (status=1)
2020-12-21 21:05:25 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.8.0.6 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2020-12-21 21:05:25 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:2: block-outside-dns (2.5.0)
2020-12-21 21:05:25 OPTIONS IMPORT: timers and/or timeouts modified
2020-12-21 21:05:25 OPTIONS IMPORT: --ifconfig/up options modified
2020-12-21 21:05:25 OPTIONS IMPORT: route options modified
2020-12-21 21:05:25 OPTIONS IMPORT: route-related options modified
2020-12-21 21:05:25 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2020-12-21 21:05:25 OPTIONS IMPORT: peer-id set
2020-12-21 21:05:25 OPTIONS IMPORT: adjusting link_mtu to 1624
2020-12-21 21:05:25 OPTIONS IMPORT: data channel crypto options modified
2020-12-21 21:05:25 Data Channel: using negotiated cipher 'AES-256-GCM'
2020-12-21 21:05:25 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-12-21 21:05:25 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-12-21 21:05:25 net_route_v4_best_gw query: dst 0.0.0.0
2020-12-21 21:05:25 net_route_v4_best_gw result: via 192.168.99.1 dev wlp4s0
2020-12-21 21:05:25 ROUTE_GATEWAY 192.168.99.1/255.255.255.0 IFACE=wlp4s0 HWADDR=44:85:00:81:51:e6
2020-12-21 21:05:25 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
2020-12-21 21:05:25 Exiting due to fatal error


[gecko99]

Es scheint ein Berechtigungsproblem zu sein.
mit

Code: [Auswählen]

sudo openvpn Thinkpad.ovpnwird die Konfigurationsdatei zumindest anstandslos geladen.
Allerdings zeigt PiVPN/ Pihole keine Zugriffe von Thinkpad an...
Offenbar geht die Verbindung dennoch an Pihole vorbei.

[gecko99]

Anbei das Verbindungsprotokoll:

Code: [Auswählen]

[sudo] Passwort für manjaro:
Das hat nicht funktioniert, bitte nochmal probieren.
[sudo] Passwort für manjaro:
2020-12-23 16:30:06 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2020-12-23 16:30:06 OpenVPN 2.5.0 [git:makepkg/a73072d8f780e888+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  6 2020
2020-12-23 16:30:06 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
🔐 Enter Private Key Password: ********               
2020-12-23 16:30:11 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-12-23 16:30:11 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-12-23 16:30:11 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-12-23 16:30:11 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-12-23 16:30:13 TCP/UDP: Preserving recently used remote address: [AF_INET]80.109.58.248:1194
2020-12-23 16:30:13 Socket Buffers: R=[212992->212992] S=[212992->212992]
2020-12-23 16:30:13 UDP link local: (not bound)
2020-12-23 16:30:13 UDP link remote: [AF_INET]80.109.58.248:1194
2020-12-23 16:30:13 TLS: Initial packet from [AF_INET]80.109.58.248:1194, sid=d889afcf e629a269
2020-12-23 16:30:13 VERIFY KU OK
2020-12-23 16:30:13 Validating certificate extended key usage
2020-12-23 16:30:13 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2020-12-23 16:30:13 VERIFY EKU OK
2020-12-23 16:30:13 VERIFY X509NAME OK: CN=raspberrypi_68fe57b8-b72d-4375-b6f9-e969529e2088
2020-12-23 16:30:13 VERIFY OK: depth=0, CN=raspberrypi_68fe57b8-b72d-4375-b6f9-e969529e2088
2020-12-23 16:30:13 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
2020-12-23 16:30:13 [raspberrypi_68fe57b8-b72d-4375-b6f9-e969529e2088] Peer Connection Initiated with [AF_INET]80.109.58.248:1194
2020-12-23 16:30:14 SENT CONTROL [raspberrypi_68fe57b8-b72d-4375-b6f9-e969529e2088]: 'PUSH_REQUEST' (status=1)
2020-12-23 16:30:14 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.8.0.6 255.255.255.0,peer-id 2,cipher AES-256-GCM'
2020-12-23 16:30:14 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:2: block-outside-dns (2.5.0)
2020-12-23 16:30:14 OPTIONS IMPORT: timers and/or timeouts modified
2020-12-23 16:30:14 OPTIONS IMPORT: --ifconfig/up options modified
2020-12-23 16:30:14 OPTIONS IMPORT: route options modified
2020-12-23 16:30:14 OPTIONS IMPORT: route-related options modified
2020-12-23 16:30:14 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2020-12-23 16:30:14 OPTIONS IMPORT: peer-id set
2020-12-23 16:30:14 OPTIONS IMPORT: adjusting link_mtu to 1624
2020-12-23 16:30:14 OPTIONS IMPORT: data channel crypto options modified
2020-12-23 16:30:14 Data Channel: using negotiated cipher 'AES-256-GCM'
2020-12-23 16:30:14 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-12-23 16:30:14 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-12-23 16:30:14 net_route_v4_best_gw query: dst 0.0.0.0
2020-12-23 16:30:14 net_route_v4_best_gw result: via 192.168.99.1 dev wlp4s0
2020-12-23 16:30:14 ROUTE_GATEWAY 192.168.99.1/255.255.255.0 IFACE=wlp4s0 HWADDR=44:85:00:81:51:e6
2020-12-23 16:30:14 TUN/TAP device tun0 opened
2020-12-23 16:30:14 net_iface_mtu_set: mtu 1500 for tun0
2020-12-23 16:30:14 net_iface_up: set tun0 up
2020-12-23 16:30:14 net_addr_v4_add: 10.8.0.6/24 dev tun0
2020-12-23 16:30:14 net_route_v4_add: 80.109.58.248/32 via 192.168.99.1 dev [NULL] table 0 metric -1
2020-12-23 16:30:14 net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2020-12-23 16:30:14 net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2020-12-23 16:30:14 Initialization Sequence Completed


[gecko99]

Lösung:
Das Problem ist Arch und somit Manjarospezifisch.
Die resolv.conf wird beim Verbindungsaufbau nicht geändert.
Das nachfolgende Prozedere ändert dies:

Vielleicht hilft es ja, dem einen oder anderen.
Die Verbindung kann nur manuell mit sudo openvpn xxxx.ovpn aufgebaut werden.
Mit den Netzwerkmanager klappt es aus unerfindlichen Gründen nicht.

Problem gelöst

Download the update-resolv-conf script:

$ sudo wget -O /etc/openvpn/update-resolv-conf https://raw.githubusercontent.com/masterkorp/openvpn-update-resolv-conf/master/update-resolv-conf.sh

(in Debian/Ubuntu its created during the openvpn package installation)

Set execution attribute:

$ sudo chmod +x /etc/openvpn/update-resolv-conf

Update your client.ovpn (/etc/openvpn/client/setevoy-ovnas.conf in my current case) – add script execution during connection start and stop:

...
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
...

DNS to be set are configured in an OpenVPN AS: the first IP is the VPN’s from its local network, the second one – CloudFlare, just in case: