I have totally reinitialized the system with new certs created by
easy-rsa v3, and the results, though not successful, are definitely
better. No more auth failure; now I have a client error
"sitnl_send: rtnl: generic error (-22): Invalid argument"
(whatever that means)
and on the server
WARNING: 'keysize' is used inconsistently, local='keysize 256',
remote='keysize 128'
Server Config
[rrc@Priddwifi ~]$ cat server.conf
local 187.251.133.222
port 1194
proto udp
dev tun
ca ca.crt
cert narciso.moov.com.mx.crt
key narciso.moov.com.mx.key # This file should be kept secret
crl-verify crl.pem
dh dh2048.pem
server 10.34.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
topology subnet
keepalive 10 120
max-clients 50
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
mute 20
#data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM
explicit-exit-notify 1
push "route 192.168.51.0 255.255.255.0"
Client Conf
client
dev tun
proto udp
remote 187.251.133.222 1194
persist-key
persist-tun
route-delay 5
ping-restart 10
ping 60
persist-tun
verb 5
ca ca.crt
cert rrc.crt
key rrc.key
remote-cert-tls server
data-ciphers AES-256-GCM
data-ciphers-fallback AES-128-GCM
status openvpn-status.log
log openvpn.log
log-append openvpn.log
mute 20
Server log
2023-12-29 13:33:31 OpenVPN 2.5.9 x86_64-mageia-linux-gnu [SSL
(OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb
21 2023
2023-12-29 13:33:31 library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10
2023-12-29 13:33:31 CRL: loaded 1 CRLs from file crl.pem
2023-12-29 13:33:31 TUN/TAP device tun0 opened
2023-12-29 13:33:31 net_iface_mtu_set: mtu 1500 for tun0
2023-12-29 13:33:31 net_iface_up: set tun0 up
2023-12-29 13:33:31 net_addr_v4_add: 10.34.0.1/24 dev tun0
2023-12-29 13:33:31 Could not determine IPv4/IPv6 protocol. Using AF_INET
2023-12-29 13:33:31 UDPv4 link local (bound): [AF_INET]187.251.133.222:1194
2023-12-29 13:33:31 UDPv4 link remote: [AF_UNSPEC]
2023-12-29 13:33:31 GID set to openvpn
2023-12-29 13:33:31 UID set to openvpn
2023-12-29 13:33:31 Initialization Sequence Completed
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_VER=2.5.0
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_PLAT=linux
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_PROTO=6
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_CIPHERS=AES-256-GCM
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_LZ4=1
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_LZ4v2=1
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_LZO=1
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_COMP_STUB=1
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_COMP_STUBv2=1
2023-12-29 13:35:04 187.251.133.221:1194 peer info: IV_TCPNL=1
2023-12-29 13:35:04 187.251.133.221:1194 WARNING: 'keysize' is used
inconsistently, local='keysize 256', remote='keysize 128'
2023-12-29 13:35:04 187.251.133.221:1194 [rrc] Peer Connection Initiated
with [AF_INET]187.251.133.221:1194
2023-12-29 13:35:04 rrc/187.251.133.221:1194 MULTI_sva: pool returned
IPv4=10.34.0.2, IPv6=(Not enabled)
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_VER=2.5.0
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_PLAT=linux
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_PROTO=6
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info:
IV_CIPHERS=AES-256-GCM
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_LZ4=1
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_LZ4v2=1
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_LZO=1
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_COMP_STUB=1
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_COMP_STUBv2=1
2023-12-29 13:37:49 rrc/187.251.133.221:1194 peer info: IV_TCPNL=1
2023-12-29 13:37:49 rrc/187.251.133.221:1194 WARNING: 'keysize' is used
inconsistently, local='keysize 256', remote='keysize 128'
2023-12-29 13:41:50 rrc/187.251.133.221:1194 [rrc] Inactivity timeout
(--ping-restart), restarting
[rrc@Priddwifi ~]$
Client Log
[rrc@narciso ~]$ cat openvpn.log
2023-12-29 13:37:46 us=148033 Current Parameter Settings:
2023-12-29 13:37:46 us=148082 config = 'rrc.ovpn'
2023-12-29 13:37:46 us=148089 mode = 0
2023-12-29 13:37:46 us=148095 persist_config = DISABLED
2023-12-29 13:37:46 us=148101 persist_mode = 1
2023-12-29 13:37:46 us=148107 show_ciphers = DISABLED
2023-12-29 13:37:46 us=148113 show_digests = DISABLED
2023-12-29 13:37:46 us=148119 show_engines = DISABLED
2023-12-29 13:37:46 us=148125 genkey = DISABLED
2023-12-29 13:37:46 us=148131 genkey_filename = '[UNDEF]'
2023-12-29 13:37:46 us=148137 key_pass_file = '[UNDEF]'
2023-12-29 13:37:46 us=148143 show_tls_ciphers = DISABLED
2023-12-29 13:37:46 us=148149 connect_retry_max = 0
2023-12-29 13:37:46 us=148155 Connection profiles [0]:
2023-12-29 13:37:46 us=148161 proto = udp
2023-12-29 13:37:46 us=148167 local = '[UNDEF]'
2023-12-29 13:37:46 us=148173 local_port = '1194'
2023-12-29 13:37:46 us=148179 remote = '187.251.133.222'
2023-12-29 13:37:46 us=148185 remote_port = '1194'
2023-12-29 13:37:46 us=148191 remote_float = DISABLED
2023-12-29 13:37:46 us=148196 NOTE: --mute triggered...
2023-12-29 13:37:46 us=148206 268 variation(s) on previous 20 message(s)
suppressed by --mute
2023-12-29 13:37:46 us=148213 OpenVPN 2.5.0 x86_64-mageia-linux-gnu [SSL
(OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul
5 2022
2023-12-29 13:37:46 us=148224 library versions: OpenSSL 1.1.1v 1 Aug
2023, LZO 2.10
2023-12-29 13:37:46 us=149011 Control Channel MTU parms [ L:1621 D:1212
EF:38 EB:0 ET:0 EL:3 ]
2023-12-29 13:37:46 us=152706 Data Channel MTU parms [ L:1621 D:1450
EF:121 EB:406 ET:0 EL:3 ]
2023-12-29 13:37:46 us=152797 Local Options String (VER=V4):
'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,auth
[null-digest],keysize 128,key-method 2,tls-client'
2023-12-29 13:37:46 us=152818 Expected Remote Options String (VER=V4):
'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,auth
[null-digest],keysize 128,key-method 2,tls-server'
2023-12-29 13:37:46 us=152843 TCP/UDP: Preserving recently used remote
address: [AF_INET]187.251.133.222:1194
2023-12-29 13:37:46 us=152880 Socket Buffers: R=[212992->212992]
S=[212992->212992]
2023-12-29 13:37:46 us=152905 UDP link local (bound): [AF_INET][undef]:1194
2023-12-29 13:37:46 us=152922 UDP link remote: [AF_INET]187.251.133.222:1194
WR2023-12-29 13:37:46 us=153517 TLS: Initial packet from
[AF_INET]187.251.133.222:1194, sid=0d0a5d18 467f0c4a
WWRWRWR2023-12-29 13:37:46 us=157720 VERIFY OK: depth=1, C=MX,
ST=Jalisco, L=Tlaquepaque, O=Vame Vehiculos, OU=My Organizational Unit,
CN=narciso.moov.com.mx, emailAddress=salvador.ba...@moov.com.mx
2023-12-29 13:37:46 us=157991 VERIFY KU OK
2023-12-29 13:37:46 us=158013 Validating certificate extended key usage
2023-12-29 13:37:46 us=158032 ++ Certificate has EKU (str) TLS Web
Server Authentication, expects TLS Web Server Authentication
2023-12-29 13:37:46 us=158047 VERIFY EKU OK
2023-12-29 13:37:46 us=158062 VERIFY OK: depth=0, C=MX, ST=Jalisco,
L=Tlaquepaque, O=Vame Vehiculos, OU=My Organizational Unit,
CN=narciso.moov.com.mx, emailAddress=salvador.ba...@moov.com.mx
WRWWWWRRRWR2023-12-29 13:37:46 us=163410 WARNING: 'keysize' is used
inconsistently, local='keysize 128', remote='keysize 256'
W2023-12-29 13:37:46 us=163498 Control Channel: TLSv1.3, cipher TLSv1.3
TLS_AES_256_GCM_SHA384, 2048 bit RSA
2023-12-29 13:37:46 us=163527 [narciso.moov.com.mx] Peer Connection
Initiated with [AF_INET]187.251.133.222:1194
2023-12-29 13:37:47 us=315147 SENT CONTROL [narciso.moov.com.mx]:
'PUSH_REQUEST' (status=1)
WRR2023-12-29 13:37:47 us=315820 PUSH: Received control message:
'PUSH_REPLY,route 192.168.51.0 255.255.255.0,route-gateway
10.34.0.1,topology subnet,ping 10,ping-restart 120,route 192.168.51.0
255.255.255.0,ifconfig 10.34.0.249 10.34.0.250,peer-id 0,cipher AES-256-GCM'
2023-12-29 13:37:47 us=315959 OPTIONS IMPORT: timers and/or timeouts
modified
2023-12-29 13:37:47 us=315977 OPTIONS IMPORT: --ifconfig/up options modified
2023-12-29 13:37:47 us=315992 OPTIONS IMPORT: route options modified
2023-12-29 13:37:47 us=316007 OPTIONS IMPORT: route-related options modified
2023-12-29 13:37:47 us=316050 OPTIONS IMPORT: peer-id set
2023-12-29 13:37:47 us=316065 OPTIONS IMPORT: adjusting link_mtu to 1624
2023-12-29 13:37:47 us=316081 OPTIONS IMPORT: data channel crypto
options modified
2023-12-29 13:37:47 us=316099 Data Channel: using negotiated cipher
'AES-256-GCM'
2023-12-29 13:37:47 us=316130 Data Channel MTU parms [ L:1552 D:1450
EF:52 EB:406 ET:0 EL:3 ]
2023-12-29 13:37:47 us=316276 Outgoing Data Channel: Cipher
'AES-256-GCM' initialized with 256 bit key
2023-12-29 13:37:47 us=316297 Incoming Data Channel: Cipher
'AES-256-GCM' initialized with 256 bit key
2023-12-29 13:37:47 us=316348 net_route_v4_best_gw query: dst 0.0.0.0
2023-12-29 13:37:47 us=316491 net_route_v4_best_gw result: via 0.0.0.0 dev
2023-12-29 13:37:47 us=316557 ROUTE_GATEWAY 0.0.0.0
2023-12-29 13:37:47 us=317003 TUN/TAP device tun0 opened
2023-12-29 13:37:47 us=317032 do_ifconfig, ipv4=1, ipv6=0
2023-12-29 13:37:47 us=317126 net_iface_mtu_set: mtu 1500 for tun0
2023-12-29 13:37:47 us=317196 net_iface_up: set tun0 up
2023-12-29 13:37:47 us=317300 net_addr_v4_add: 10.34.0.249/-1 dev tun0
2023-12-29 13:37:47 us=317325 sitnl_send: rtnl: generic error (-22):
Invalid argument
2023-12-29 13:37:47 us=317335 Linux can't add IP to interface tun0
2023-12-29 13:37:47 us=317341 Exiting due to fatal error
[rrc@narciso ~]$ ip add sh
6: ens2f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
group default qlen 1000
link/ether 7c:c2:55:64:0f:87 brd ff:ff:ff:ff:ff:ff
altname enp81s0f3
inet 192.168.51.100/24 brd 192.168.51.255 scope global ens2f3
valid_lft forever preferred_lft forever
inet6 2806:103e:19:4782:7ec2:55ff:fe64:f87/64 scope global dynamic
mngtmpaddr
valid_lft 2591825sec preferred_lft 2591825sec
inet6 fe80::7ec2:55ff:fe64:f87/64 scope link
valid_lft forever preferred_lft forever
7: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
group default qlen 1000
link/ether 7c:c2:55:27:9e:2c brd ff:ff:ff:ff:ff:ff
altname enp1s0f0
inet 187.251.133.222/30 brd 187.251.133.223 scope global eno1
valid_lft forever preferred_lft forever
inet6 fe80::7ec2:55ff:fe27:9e2c/64 scope link
valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc
fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.34.0.1/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::8723:a327:57ee:193a/64 scope link stable-privacy
valid_lft forever preferred_lft forever
THANKS
Richard
On 12/28/23 20:02, Richard Couture wrote:
I'm in the process of reconfiguring the new server with new certs
created by easy-rsa ver 3, downloaded from GitHub, which I hope will be
more enthusiastic about using openssl ver 3.x.
Will advise tomorrow when I get to try things out anew.
Thanks
Richard
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
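The two symptoms in the thread above (the "'keysize' is used inconsistently" warning and the `net_addr_v4_add: 10.34.0.249/-1` failure) can both be spotted from the posted configs and the logged PUSH_REPLY before touching the server. The script below is an added example, not code from Richard's post or from the OpenVPN project. It assumes two things: that OpenVPN 2.5 derives the `keysize` field of its options string from `--cipher` / `--data-ciphers-fallback` (so a 128-bit fallback on one side and a 256-bit fallback on the other produces the warning even though NCP still agrees on AES-256-GCM), and that the `/-1` prefix comes from the client trying to turn the second argument of the pushed `ifconfig 10.34.0.249 10.34.0.250` into a netmask under `topology subnet`, which only works if that argument really is a netmask. The sample config fragments and the PUSH_REPLY string are constructed test inputs copied from the thread.

```python
"""Sanity-check an OpenVPN 2.5 server/client config pair and a PUSH_REPLY line.

Added example, not code from the original post; the inputs at the bottom are
constructed from the thread and serve only as test data.
"""
import ipaddress
import shlex

# Data-channel cipher -> key length in bits. Assumption (see lead-in): OpenVPN 2.5
# fills the 'keysize' field of its options string from --cipher, or from
# --data-ciphers-fallback when --cipher is absent, so peers whose fallback
# ciphers differ in key length log "'keysize' is used inconsistently".
CIPHER_KEYSIZE = {
    "AES-128-GCM": 128, "AES-192-GCM": 192, "AES-256-GCM": 256,
    "AES-128-CBC": 128, "AES-192-CBC": 192, "AES-256-CBC": 256,
    "CHACHA20-POLY1305": 256, "BF-CBC": 128,
}


def parse_config(text):
    """Split an OpenVPN config into (option, [args]) pairs; comments and blanks dropped."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)  # keeps push "route ..." as a single argument
            opts.append((parts[0], parts[1:]))
    return opts


def first(opts, name, default=None):
    """Arguments of the first occurrence of option `name`, or `default`."""
    return next((args for opt, args in opts if opt == name), default)


def duplicates(items):
    """Entries that occur more than once, in first-seen order."""
    seen, dups = [], []
    for item in items:
        if item in seen and item not in dups:
            dups.append(item)
        seen.append(item)
    return dups


def options_keysize(opts):
    """Key length this side will announce: --cipher wins, else --data-ciphers-fallback."""
    cipher = first(opts, "cipher") or first(opts, "data-ciphers-fallback")
    return CIPHER_KEYSIZE.get(cipher[0].upper()) if cipher else None


def check_pair(server_text, client_text):
    """Findings for a server/client config pair; an empty list means nothing suspicious."""
    server, client = parse_config(server_text), parse_config(client_text)
    findings = []
    sk, ck = options_keysize(server), options_keysize(client)
    if sk != ck:
        findings.append(f"keysize mismatch: server announces {sk}, client announces {ck} "
                        "(set the same --data-ciphers-fallback on both sides)")
    for side, opts in (("server", server), ("client", client)):
        for opt, args in duplicates(opts):
            findings.append(f"{side}: duplicate option '{' '.join([opt, *args])}'")
    return findings


def check_push_reply(reply):
    """Findings for a PUSH_REPLY control message exactly as the client logs it."""
    items = reply.split(",")
    if items[0] != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY message")
    pushed = [shlex.split(item) for item in items[1:]]
    findings = []
    topology = next((a[1] for a in pushed if a[0] == "topology"), "net30")
    ifconfig = next((a[1:] for a in pushed if a[0] == "ifconfig"), None)
    if ifconfig and topology == "subnet":
        # Under 'topology subnet' the second ifconfig argument must be a netmask.
        # A host address there has no prefix length (assumed to be what the
        # client's 'net_addr_v4_add: 10.34.0.249/-1' line reflects).
        try:
            ipaddress.IPv4Network(f"0.0.0.0/{ifconfig[1]}")
        except ValueError:
            findings.append(f"ifconfig {ifconfig[0]} {ifconfig[1]}: '{ifconfig[1]}' is not a "
                            "netmask; with topology subnet use ifconfig-push <ip> <netmask>")
    for entry in duplicates(pushed):
        findings.append(f"pushed twice: '{' '.join(entry)}'")
    return findings


# Constructed inputs: the relevant lines of the two configs and the PUSH_REPLY
# quoted in the thread above.
SERVER_CONF = """\
server 10.34.0.0 255.255.255.0
topology subnet
data-ciphers-fallback AES-256-GCM
push "route 192.168.51.0 255.255.255.0"
"""

CLIENT_CONF = """\
client
persist-tun
data-ciphers AES-256-GCM
data-ciphers-fallback AES-128-GCM
persist-tun
"""

PUSH_REPLY = ("PUSH_REPLY,route 192.168.51.0 255.255.255.0,route-gateway 10.34.0.1,"
              "topology subnet,ping 10,ping-restart 120,route 192.168.51.0 255.255.255.0,"
              "ifconfig 10.34.0.249 10.34.0.250,peer-id 0,cipher AES-256-GCM")

if __name__ == "__main__":
    for finding in check_pair(SERVER_CONF, CLIENT_CONF) + check_push_reply(PUSH_REPLY):
        print("-", finding)
```

Run against the thread's inputs it reports the 256-vs-128 fallback mismatch, the client's repeated `persist-tun`, the pushed `ifconfig 10.34.0.249 10.34.0.250` whose second argument is not a netmask, and the `route 192.168.51.0 255.255.255.0` that arrives twice (once from the server's `push`, once more from elsewhere, presumably the `ccd` entry, which is not shown in the post). Whether the `ifconfig-push` in `/etc/openvpn/ccd/rrc` is the source of the bad netmask is something only the server's ccd file can confirm; the script only tells you what the client was handed.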