Configuration Iptables Openvpn Client Fermé

Question

Bonjour, 

J'essaye de connecter un serveur linux à un serveur OpenVpn, mais j'ai quelques difficultés : 


Sat Apr 9 16:58:39 2022 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021
Sat Apr 9 16:58:39 2022 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Sat Apr 9 16:58:39 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Apr 9 16:58:39 2022 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Apr 9 16:58:39 2022 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Apr 9 16:58:39 2022 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Apr 9 16:58:39 2022 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Apr 9 16:58:39 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194
Sat Apr 9 16:58:39 2022 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Apr 9 16:58:39 2022 UDP link local: (not bound)
Sat Apr 9 16:58:39 2022 UDP link remote: [AF_INET]X.X.X.X:1194
Sat Apr 9 16:58:39 2022 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sat Apr 9 16:58:39 2022 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=babe05dd 7d9eb535
Sat Apr 9 16:58:39 2022 VERIFY OK: depth=1, CN=Easy-RSA CA
Sat Apr 9 16:58:39 2022 VERIFY KU OK
Sat Apr 9 16:58:39 2022 Validating certificate extended key usage
Sat Apr 9 16:58:39 2022 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Apr 9 16:58:39 2022 VERIFY EKU OK
Sat Apr 9 16:58:39 2022 VERIFY OK: depth=0, CN=server
Sat Apr 9 16:59:39 2022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 9 16:59:39 2022 TLS Error: TLS handshake failed
Sat Apr 9 16:59:39 2022 SIGUSR1[soft,tls-error] received, process restarting
Sat Apr 9 16:59:39 2022 Restart pause, 5 second(s)

Pourriez vous m'aider ?

Si dessous mes configs :

iptables -t filter -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X iptables -t filter -P INPUT DROP iptables -t filter -P FORWARD DROP iptables -t filter -P OUTPUT ACCEPT iptables -t filter -A INPUT -i lo -j ACCEPT iptables -t filter -A OUTPUT -o lo -j ACCEPT#openvpn   iptables -t filter -A INPUT -p tcp --dport 1194 -j ACCEPT   iptables -A INPUT -i ens3 -m state --state NEW -p udp --dport 1194 -j ACCEPT   iptables -A INPUT -i tun+ -j ACCEPT   iptables -A FORWARD -i tun+ -j ACCEPT   iptables -A FORWARD -i tun+ -o ens3 -m state --state RELATED,ESTABLISHED -j ACCEPT   iptables -A FORWARD -i ens3 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE   iptables -A OUTPUT -o tun+ -j ACCEPT



Configuration: Windows / Chrome 100.0.4896.88

avion-f16 · Answer

Bonjour,

Sat Apr 9 16:59:39 2022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)Sat Apr 9 16:59:39 2022 TLS Error: TLS handshake failed 

Cela indique un problème de connexion réseau, le handshake TLS ne peut pas se faire.
Il ne s'agit donc même pas d'un problème de certificat ou d'algorithme, ça plante bien avant.

Si on regarde à tes règles pare-feu sur la table "filter" en INPUT :

iptables -t filter -P INPUT DROP 
iptables -t filter -A INPUT -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -i ens3 -m state --state NEW -p udp --dport 1194 -j ACCEPT

Tu autorises les connexions entrantes :
1) sur 1194/tcp
2) sur 1194/udp mais uniquement avec l'état NEW

Cependant, tu n'autorises pas les trafic entrant sur 1194/udp pour les autres états.

Je t'invite à réessayer avec :

iptables -t filter -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X iptables -t filter -P INPUT DROP iptables -t filter -P FORWARD DROP iptables -t filter -P OUTPUT ACCEPT iptables -t filter -A INPUT -i lo -j ACCEPT iptables -t filter -A OUTPUT -o lo -j ACCEPT#openvpn   iptables -A INPUT -i ens3 -p tcp --dport 1194 -j ACCEPT   iptables -A INPUT -i ens3 -p udp --dport 1194 -j ACCEPT   iptables -A INPUT -i tun+ -j ACCEPT   iptables -A FORWARD -i tun+ -j ACCEPT   iptables -A FORWARD -i tun+ -o ens3 -m state --state RELATED,ESTABLISHED -j ACCEPT   iptables -A FORWARD -i ens3 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE   iptables -A OUTPUT -o tun+ -j ACCEPT

J'ai retiré "-t filter" car c'est la table filter qui est utilisée par défaut.

angel_reborn · Answer

Hello, Merci pour ton retour. Malheureusement j'ai encore le meme resultat : Sat Apr 16 06:19:36 2022 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021 Sat Apr 16 06:19:36 2022 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10 Sat Apr 16 06:19:36 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Sat Apr 16 06:19:36 2022 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Sat Apr 16 06:19:36 2022 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Sat Apr 16 06:19:36 2022 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Sat Apr 16 06:19:36 2022 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Sat Apr 16 06:19:36 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194 Sat Apr 16 06:19:36 2022 Socket Buffers: R=[212992->212992] S=[212992->212992] Sat Apr 16 06:19:36 2022 UDP link local: (not bound) Sat Apr 16 06:19:36 2022 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194 Sat Apr 16 06:19:36 2022 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay Sat Apr 16 06:19:36 2022 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=f52b39eb 9ffa7792 Sat Apr 16 06:19:36 2022 VERIFY OK: depth=1, CN=Easy-RSA CA Sat Apr 16 06:19:36 2022 VERIFY KU OK Sat Apr 16 06:19:36 2022 Validating certificate extended key usage Sat Apr 16 06:19:36 2022 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Sat Apr 16 06:19:36 2022 VERIFY EKU OK Sat Apr 16 06:19:36 2022 VERIFY OK: depth=0, CN=server Sat Apr 16 06:20:36 2022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Sat Apr 16 06:20:36 2022 TLS Error: TLS handshake failed Sat Apr 16 06:20:36 2022 SIGUSR1[soft,tls-error] received, process restarting Sat Apr 16 06:20:36 2022 Restart pause, 5 second(s) Sat Apr 16 06:20:41 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Sat Apr 16 06:20:41 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194 Sat Apr 16 06:20:41 2022 Socket Buffers: R=[212992->212992] S=[212992->212992] Sat Apr 16 06:20:41 2022 UDP link local: (not bound) Sat Apr 16 06:20:41 2022 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194 Sat Apr 16 06:20:41 2022 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=3824c6ba 8ea04fee Sat Apr 16 06:20:41 2022 VERIFY OK: depth=1, CN=Easy-RSA CA Sat Apr 16 06:20:41 2022 VERIFY KU OK Sat Apr 16 06:20:41 2022 Validating certificate extended key usage Sat Apr 16 06:20:41 2022 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Sat Apr 16 06:20:41 2022 VERIFY EKU OK Sat Apr 16 06:20:41 2022 VERIFY OK: depth=0, CN=server Sat Apr 16 06:21:41 2022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Sat Apr 16 06:21:41 2022 TLS Error: TLS handshake failed Sat Apr 16 06:21:41 2022 SIGUSR1[soft,tls-error] received, process restarting Sat Apr 16 06:21:41 2022 Restart pause, 5 second(s) J'arrive à connecter les appareils sous windows et android à ce vpn, mais pas ce serveur Linux. Ce serveur utilise systemd-resolved pour traiter la résolution DNS : # This file is managed by man:systemd-resolved(8). Do not edit. # # This is a dynamic resolv.conf file for connecting local clients to the # internal DNS stub resolver of systemd-resolved. This file lists all # configured search domains. # # Run "resolvectl status" to see details about the uplink DNS servers # currently in use. # # Third party programs should typically not access this file directly, but only # through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a # different way, replace this symlink by a static file or a different symlink. # # See man:systemd-resolved.service(8) for details about the supported modes of # operation for /etc/resolv.conf. nameserver 127.0.0.53 options edns0 trust-ad search openstacklocal J'ai essayé d'en tenir dans le certificat. Ci-dessous le contenu du fichier : # Specify that we are a client and that we# will be pulling certain config file directives# from the server.client# Use the same setting as you are using on# the server.# On most systems, the VPN will not function# unless you partially or fully disable# the firewall for the TUN/TAP interface.dev tun# Are we connecting to a TCP or# UDP server? Use the same setting as# on the server.proto udp# The hostname/IP and port of the server.# You can have multiple remote entries# to load balance between the servers.remote XXX.XXX.XXX.XXX 1194# Keep trying indefinitely to resolve the# host name of the OpenVPN server. Very useful# on machines which are not permanently connected# to the internet such as laptops.resolv-retry infinite# Most clients don't need to bind to# a specific local port number.nobind# Downgrade privileges after initialization (non-Windows only)user nobodygroup nogroup# Try to preserve some state across restarts.persist-keypersist-tun# Verify server certificate by checking that the# certicate has the correct key usage set.remote-cert-tls server# Select a cryptographic cipher.cipher AES-256-GCMauth SHA256# Set log file verbosity.verb 3#key direction directivekey-direction 1#systemd-resolved configscript-security 2up /etc/openvpn/update-systemd-resolveddown /etc/openvpn/update-systemd-resolveddown-predhcp-option DOMAIN-ROUTE .-----BEGIN CERTIFICATE-----.....................

......................

angel_reborn · Answer

Hello,
Merci pour ton retour. Malheureusement j'ai encore le meme resultat :

Sat Apr 16 06:19:36 2022 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021
Sat Apr 16 06:19:36 2022 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Sat Apr 16 06:19:36 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Apr 16 06:19:36 2022 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Apr 16 06:19:36 2022 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

Sat Apr 16 06:19:36 2022 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Apr 16 06:19:36 2022 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Apr 16 06:19:36 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sat Apr 16 06:19:36 2022 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Apr 16 06:19:36 2022 UDP link local: (not bound)
Sat Apr 16 06:19:36 2022 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sat Apr 16 06:19:36 2022 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sat Apr 16 06:19:36 2022 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=f52b39eb 9ffa7792
Sat Apr 16 06:19:36 2022 VERIFY OK: depth=1, CN=Easy-RSA CA
Sat Apr 16 06:19:36 2022 VERIFY KU OK
Sat Apr 16 06:19:36 2022 Validating certificate extended key usage
Sat Apr 16 06:19:36 2022 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Apr 16 06:19:36 2022 VERIFY EKU OK
Sat Apr 16 06:19:36 2022 VERIFY OK: depth=0, CN=server
Sat Apr 16 06:20:36 2022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 16 06:20:36 2022 TLS Error: TLS handshake failed
Sat Apr 16 06:20:36 2022 SIGUSR1[soft,tls-error] received, process restarting
Sat Apr 16 06:20:36 2022 Restart pause, 5 second(s)
Sat Apr 16 06:20:41 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Apr 16 06:20:41 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sat Apr 16 06:20:41 2022 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Apr 16 06:20:41 2022 UDP link local: (not bound)
Sat Apr 16 06:20:41 2022 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sat Apr 16 06:20:41 2022 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=3824c6ba 8ea04fee
Sat Apr 16 06:20:41 2022 VERIFY OK: depth=1, CN=Easy-RSA CA
Sat Apr 16 06:20:41 2022 VERIFY KU OK
Sat Apr 16 06:20:41 2022 Validating certificate extended key usage
Sat Apr 16 06:20:41 2022 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Apr 16 06:20:41 2022 VERIFY EKU OK
Sat Apr 16 06:20:41 2022 VERIFY OK: depth=0, CN=server
Sat Apr 16 06:21:41 2022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 16 06:21:41 2022 TLS Error: TLS handshake failed
Sat Apr 16 06:21:41 2022 SIGUSR1[soft,tls-error] received, process restarting
Sat Apr 16 06:21:41 2022 Restart pause, 5 second(s)

angel_reborn · Answer

J'arrive à connecter les appareils sous windows et android à ce vpn, mais pas ce serveur Linux. Ce serveur utilise systemd-resolved pour traiter la résolution DNS :

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search openstacklocal

angel_reborn · Answer

J'ai essayé d'en tenir dans le certificat. Ci-dessous le contenu du fichier :

clientdev tunproto udpremote XXX.XXX.XXX.XXX 1194resolv-retry infinitenobinduser nobodygroup nogrouppersist-keypersist-tunremote-cert-tls servercipher AES-256-GCMauth SHA256verb 3key-direction 1#systemd-resolved configscript-security 2up /etc/openvpn/update-systemd-resolveddown /etc/openvpn/update-systemd-resolveddown-predhcp-option DOMAIN-ROUTE .

avion-f16 · Answer

Bonjour,

Le problème rencontré concerne un problème de communication au niveau TCP ou UDP et indique donc un problème de firewall, il n'est pas nécessaire de regarder du côté des certifications et encore moins des DNS.
https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/

Confirmes-tu que les règles iptables données, sont celles que tu appliques sur le serveur ?
Par ailleurs, en INPUT, tu autorises les connexions NEW mais les autres (ESTABLISHED, RELATED) restent bloquées.

Peux-tu essayer en désactivant les filtres iptables et en conservant uniquement les règles NAT ?

angel_reborn · Answer

Bonjour,
j'ai fait le test en desactivant les filtres iptables et j'obtiens la meme erreur. Ci-dessous, mes configurations iptables après avoir tenu compte de tes premières remarques : 

iptables -t filter -F    iptables -t filter -X    iptables -t nat -F    iptables -t nat -X    iptables -t mangle -F    iptables -t mangle -X    # strategie (-P) par defaut : bloc tout l'entrant le forward et autorise le sortant    iptables -t filter -P INPUT DROP    iptables -t filter -P FORWARD DROP    iptables -t filter -P OUTPUT ACCEPT # Loopback    iptables -t filter -A INPUT -i lo -j ACCEPT    iptables -t filter -A OUTPUT -o lo -j ACCEPT    # Permettre a une connexion ouverte de recevoir du trafic en entree    iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    # ICMP    iptables -t filter -A INPUT -p icmp -j DROP    # DNS:53    iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT    iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT  #openvpn   iptables -A INPUT -i ens3 -p tcp --dport 1194 -j ACCEPT   iptables -A INPUT -i ens3 -p udp --dport 1194 -j ACCEPT   iptables -A INPUT -i tun0 -j ACCEPT   iptables -A FORWARD -i tun0 -j ACCEPT   iptables -A FORWARD -i tun0 -o ens3 -m state --state RELATED,ESTABLISHED -j ACCEPT   iptables -A FORWARD -i ens3 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE   iptables -A OUTPUT -o tun0 -j ACCEPT

Configuration Iptables Openvpn Client

7 réponses

Discussions similaires