Re: [Openvpn-users] easy-rsa

[Richard Couture]

I have totally reinitialized the system with new certs created by 
easy-rsa v.3 and the results, though not successful are definately 
better. No more auth failure, Now I have a client error
"sitnl_send: rtnl: generic error (-22): Invalid argument"
whatever that means
and on the server

WARNING: 'keysize' is used inconsistently, local='keysize 256', 
remote='keysize 128'


Server Config

[rrc@Priddwifi ~]$ cat server.conf
local 187.251.133.222
port 1194
proto udp
dev tun
ca ca.crt
cert narciso.moov.com.mx.crt
key narciso.moov.com.mx.key  # This file should be kept secret
crl-verify crl.pem
dh dh2048.pem
server 10.34.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
topology subnet
keepalive 10 120
max-clients 50
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
mute 20
#data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM
explicit-exit-notify 1
push "route 192.168.51.0 255.255.255.0"

Client Conf

client
dev tun
proto udp
remote 187.251.133.222 1194
persist-key
persist-tun
route-delay 5
ping-restart 10
ping 60
persist-tun
verb 5
ca ca.crt
cert rrc.crt
key rrc.key
remote-cert-tls server
data-ciphers AES-256-GCM
data-ciphers-fallback AES-128-GCM
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
mute 20

Server log

2023-12-29 13:33:31 OpenVPN 2.5.9 x86_64-mageia-linux-gnu [SSL 
(OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 
21 2023
2023-12-29 13:33:31 library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10
2023-12-29 13:33:31 CRL: loaded 1 CRLs from file crl.pem
2023-12-29 13:33:31 TUN/TAP device tun0 opened
2023-12-29 13:33:31 net_iface_mtu_set: mtu 1500 for tun0
2023-12-29 13:33:31 net_iface_up: set tun0 up
2023-12-29 13:33:31 net_addr_v4_add: 10.34.0.1/24 dev tun0
2023-12-29 13:33:31 Could not determine IPv4/IPv6 protocol. Using AF_INET
2023-12-29 13:33:31 UDPv4 link local (bound): [AF_INET]187.251.133.222:1194
2023-12-29 13:33:31 UDPv4 link remote: [AF_UNSPEC]
2023-12-29 13:33:31 GID set to openvpn
2023-12-29 13:33:31 UID set to openvpn
2023-12-29 13:33:31 Initialization Sequence Completed
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_VER=2.5.0
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_PLAT=linux
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_PROTO=6
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_CIPHERS=AES-256-GCM
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_LZ4=1
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_LZ4v2=1
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_LZO=1
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_COMP_STUB=1
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_COMP_STUBv2=1
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_TCPNL=1
2023-12-29 13:35:04 187.251.133.221:1194 WARNING: 'keysize' is used 
inconsistently, local='keysize 256', remote='keysize 128'
2023-12-29 13:35:04 187.251.133.221:1194 [rrc] Peer Connection Initiated 
with [AF_INET]187.251.133.221:1194
2023-12-29 13:35:04 rrc/187.251.133.221:1194 MULTI_sva: pool returned 
IPv4=10.34.0.2, IPv6=(Not enabled)
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_VER=2.5.0
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_PLAT=linux
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_PROTO=6
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: 
IV_CIPHERS=AES-256-GCM
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_LZ4=1
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_LZ4v2=1
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_LZO=1
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_COMP_STUB=1
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_COMP_STUBv2=1
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_TCPNL=1
2023-12-29 13:37:49 rrc/187.251.133.221:1194 WARNING: 'keysize' is used 
inconsistently, local='keysize 256', remote='keysize 128'
2023-12-29 13:41:50 rrc/187.251.133.221:1194 [rrc] Inactivity timeout 
(--ping-restart), restarting
[rrc@Priddwifi ~]$


Client Log
[rrc@narciso ~]$ cat openvpn.log
2023-12-29 13:37:46 us=148033 Current Parameter Settings:
2023-12-29 13:37:46 us=148082   config = 'rrc.ovpn'
2023-12-29 13:37:46 us=148089   mode = 0
2023-12-29 13:37:46 us=148095   persist_config = DISABLED
2023-12-29 13:37:46 us=148101   persist_mode = 1
2023-12-29 13:37:46 us=148107   show_ciphers = DISABLED
2023-12-29 13:37:46 us=148113   show_digests = DISABLED
2023-12-29 13:37:46 us=148119   show_engines = DISABLED
2023-12-29 13:37:46 us=148125   genkey = DISABLED
2023-12-29 13:37:46 us=148131   genkey_filename = '[UNDEF]'
2023-12-29 13:37:46 us=148137   key_pass_file = '[UNDEF]'
2023-12-29 13:37:46 us=148143   show_tls_ciphers = DISABLED
2023-12-29 13:37:46 us=148149   connect_retry_max = 0
2023-12-29 13:37:46 us=148155 Connection profiles [0]:
2023-12-29 13:37:46 us=148161   proto = udp
2023-12-29 13:37:46 us=148167   local = '[UNDEF]'
2023-12-29 13:37:46 us=148173   local_port = '1194'
2023-12-29 13:37:46 us=148179   remote = '187.251.133.222'
2023-12-29 13:37:46 us=148185   remote_port = '1194'
2023-12-29 13:37:46 us=148191   remote_float = DISABLED
2023-12-29 13:37:46 us=148196 NOTE: --mute triggered...
2023-12-29 13:37:46 us=148206 268 variation(s) on previous 20 message(s) 
suppressed by --mute
2023-12-29 13:37:46 us=148213 OpenVPN 2.5.0 x86_64-mageia-linux-gnu [SSL 
(OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 
 5 2022
2023-12-29 13:37:46 us=148224 library versions: OpenSSL 1.1.1v  1 Aug 
2023, LZO 2.10
2023-12-29 13:37:46 us=149011 Control Channel MTU parms [ L:1621 D:1212 
EF:38 EB:0 ET:0 EL:3 ]
2023-12-29 13:37:46 us=152706 Data Channel MTU parms [ L:1621 D:1450 
EF:121 EB:406 ET:0 EL:3 ]
2023-12-29 13:37:46 us=152797 Local Options String (VER=V4): 
'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,auth 
[null-digest],keysize 128,key-method 2,tls-client'
2023-12-29 13:37:46 us=152818 Expected Remote Options String (VER=V4): 
'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,auth 
[null-digest],keysize 128,key-method 2,tls-server'
2023-12-29 13:37:46 us=152843 TCP/UDP: Preserving recently used remote 
address: [AF_INET]187.251.133.222:1194
2023-12-29 13:37:46 us=152880 Socket Buffers: R=[212992->212992] 
S=[212992->212992]
2023-12-29 13:37:46 us=152905 UDP link local (bound): [AF_INET][undef]:1194
2023-12-29 13:37:46 us=152922 UDP link remote: [AF_INET]187.251.133.222:1194
WR2023-12-29 13:37:46 us=153517 TLS: Initial packet from 
[AF_INET]187.251.133.222:1194, sid=0d0a5d18 467f0c4a
WWRWRWR2023-12-29 13:37:46 us=157720 VERIFY OK: depth=1, C=MX, 
ST=Jalisco, L=Tlaquepaque, O=Vame Vehiculos, OU=My Organizational Unit, 
CN=narciso.moov.com.mx, emailAddress=salvador.ba...@moov.com.mx
2023-12-29 13:37:46 us=157991 VERIFY KU OK
2023-12-29 13:37:46 us=158013 Validating certificate extended key usage
2023-12-29 13:37:46 us=158032 ++ Certificate has EKU (str) TLS Web 
Server Authentication, expects TLS Web Server Authentication
2023-12-29 13:37:46 us=158047 VERIFY EKU OK
2023-12-29 13:37:46 us=158062 VERIFY OK: depth=0, C=MX, ST=Jalisco, 
L=Tlaquepaque, O=Vame Vehiculos, OU=My Organizational Unit, 
CN=narciso.moov.com.mx, emailAddress=salvador.ba...@moov.com.mx
WRWWWWRRRWR2023-12-29 13:37:46 us=163410 WARNING: 'keysize' is used 
inconsistently, local='keysize 128', remote='keysize 256'
W2023-12-29 13:37:46 us=163498 Control Channel: TLSv1.3, cipher TLSv1.3 
TLS_AES_256_GCM_SHA384, 2048 bit RSA
2023-12-29 13:37:46 us=163527 [narciso.moov.com.mx] Peer Connection 
Initiated with [AF_INET]187.251.133.222:1194
2023-12-29 13:37:47 us=315147 SENT CONTROL [narciso.moov.com.mx]: 
'PUSH_REQUEST' (status=1)
WRR2023-12-29 13:37:47 us=315820 PUSH: Received control message: 
'PUSH_REPLY,route 192.168.51.0 255.255.255.0,route-gateway 
10.34.0.1,topology subnet,ping 10,ping-restart 120,route 192.168.51.0 
255.255.255.0,ifconfig 10.34.0.249 10.34.0.250,peer-id 0,cipher AES-256-GCM'
2023-12-29 13:37:47 us=315959 OPTIONS IMPORT: timers and/or timeouts 
modified
2023-12-29 13:37:47 us=315977 OPTIONS IMPORT: --ifconfig/up options modified
2023-12-29 13:37:47 us=315992 OPTIONS IMPORT: route options modified
2023-12-29 13:37:47 us=316007 OPTIONS IMPORT: route-related options modified
2023-12-29 13:37:47 us=316050 OPTIONS IMPORT: peer-id set
2023-12-29 13:37:47 us=316065 OPTIONS IMPORT: adjusting link_mtu to 1624
2023-12-29 13:37:47 us=316081 OPTIONS IMPORT: data channel crypto 
options modified
2023-12-29 13:37:47 us=316099 Data Channel: using negotiated cipher 
'AES-256-GCM'
2023-12-29 13:37:47 us=316130 Data Channel MTU parms [ L:1552 D:1450 
EF:52 EB:406 ET:0 EL:3 ]
2023-12-29 13:37:47 us=316276 Outgoing Data Channel: Cipher 
'AES-256-GCM' initialized with 256 bit key
2023-12-29 13:37:47 us=316297 Incoming Data Channel: Cipher 
'AES-256-GCM' initialized with 256 bit key
2023-12-29 13:37:47 us=316348 net_route_v4_best_gw query: dst 0.0.0.0
2023-12-29 13:37:47 us=316491 net_route_v4_best_gw result: via 0.0.0.0 dev
2023-12-29 13:37:47 us=316557 ROUTE_GATEWAY 0.0.0.0
2023-12-29 13:37:47 us=317003 TUN/TAP device tun0 opened
2023-12-29 13:37:47 us=317032 do_ifconfig, ipv4=1, ipv6=0
2023-12-29 13:37:47 us=317126 net_iface_mtu_set: mtu 1500 for tun0
2023-12-29 13:37:47 us=317196 net_iface_up: set tun0 up
2023-12-29 13:37:47 us=317300 net_addr_v4_add: 10.34.0.249/-1 dev tun0
2023-12-29 13:37:47 us=317325 sitnl_send: rtnl: generic error (-22): 
Invalid argument
2023-12-29 13:37:47 us=317335 Linux can't add IP to interface tun0
2023-12-29 13:37:47 us=317341 Exiting due to fatal error


[rrc@narciso ~]$ ip add sh

6: ens2f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP 
group default qlen 1000
    link/ether 7c:c2:55:64:0f:87 brd ff:ff:ff:ff:ff:ff
    altname enp81s0f3
    inet 192.168.51.100/24 brd 192.168.51.255 scope global ens2f3
       valid_lft forever preferred_lft forever
    inet6 2806:103e:19:4782:7ec2:55ff:fe64:f87/64 scope global dynamic 
mngtmpaddr
       valid_lft 2591825sec preferred_lft 2591825sec
    inet6 fe80::7ec2:55ff:fe64:f87/64 scope link
       valid_lft forever preferred_lft forever
7: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP 
group default qlen 1000
    link/ether 7c:c2:55:27:9e:2c brd ff:ff:ff:ff:ff:ff
    altname enp1s0f0
    inet 187.251.133.222/30 brd 187.251.133.223 scope global eno1
       valid_lft forever preferred_lft forever
    inet6 fe80::7ec2:55ff:fe27:9e2c/64 scope link
       valid_lft forever preferred_lft forever

12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc 
fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.34.0.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::8723:a327:57ee:193a/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

THANKS


Richard


On 12/28/23 20:02, Richard Couture wrote:

I'm in the process of reconfiguring the new server with new certs 
created by easy-rsa ver 3, downloaded from Git-Hub, which I hope will be 
more enthusiastic about using openssl ver 3.x

Will advise tomorrow when I get to try things out anew.

Thanks


Richard



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users