Freebox Server (Pop V8/ Delta V7 / Revolution V6 / Server Mini 4K)

  • État Nouveau
  • Type de tâche Anomalie
  • Catégorie Services locaux → Serveur VPN
  • Assignée à Personne
  • Système d'exploitation Tous
  • Sévérité Moyenne
  • Priorité Normale
  • Basée sur la version 3.1.4
  • Due pour la version Non décidé
  • Date d'échéance Non décidé

FS#18505 - "Bad local IP" en tentant de connecter deux Freebox Server via Bridge OpenVPN

Bonjour,

Je tente de raccorder deux freebox server (une Révolution et un Mini, j’utiliserai ces noms pour distinguer le server et le client OpenVPN) dans l’optique de fusionner les deux LAN sur le même subnet (192.168.0.*) en utilisant OpenVPN en mode Bridge.

Je configure donc le Mini en tant que server, créé un utilisateur spécifique pour cette connexion et charge le fichier de configuration généré par le Mini dans le client VPN de la Révolution. Première erreur : il faut commenter la ligne dev-type tap qui empêche au client de la Révolution de charger le fichier le configuration (et aussi tls-remote qui n’est plus nécessaire et génère un warning dans les logs).

Une fois le fichier de configuration corrigé et chargé, toute tentative de connection retourne une erreur Bad local IP dont ne je n’ai pu trouver aucune référence sur le net (autre qu’une erreur de pppd). Le log indique aussi que le client tente la requête avec dev-type tun (puisque je l’ai commenté dans le fichier de config).

Log complet :

2015-08-13 14:26:18 l2 state change ‘l2_down’ ⇒ ‘l2_down’
2015-08-13 14:26:18 l3 state change ‘l3_down’ ⇒ ‘l3_down’
2015-08-13 14:26:18 state change ‘down’ ⇒ ‘down’
2015-08-13 14:26:18 enabling connection
2015-08-13 14:26:18 state change ‘down’ ⇒ ‘wait_l2_up’
2015-08-13 14:26:18 l2 state change ‘l2_down’ ⇒ ‘l2_up’
2015-08-13 14:26:18 state change ‘wait_l2_up’ ⇒ ‘l2_up’
2015-08-13 14:26:18 state change ‘l2_up’ ⇒ ‘wait_l3_up’
2015-08-13 14:26:18 l3 state change ‘l3_down’ ⇒ ‘l3_start’
2015-08-13 14:26:18 starting
2015-08-13 14:26:18 calling helper script at ‘/etc/fbxconnman/conn.pre-up’
2015-08-13 14:26:18 l3 state change ‘l3_start’ ⇒ ‘l3_wait_preup_helper’
2015-08-13 14:26:18 l3 state change ‘l3_wait_preup_helper’ ⇒ ‘l3_wait_stable’
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 24 2015
2015-08-13 14:26:18 openvpn: connected to management interface
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 MANAGEMENT: Connected to management server at unix_mgt.sock
2015-08-13 14:26:18 openvpn: rx: >INFO:OpenVPN Management Interface Version 1 – type ‘help’ for more info
2015-08-13 14:26:18 openvpn: rx: >HOLD:Waiting for hold release
2015-08-13 14:26:18 openvpn: tx: hold release
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 MANAGEMENT: CMD ‘hold release’
2015-08-13 14:26:18 openvpn: rx: SUCCESS: hold release succeeded
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 MANAGEMENT: CMD ‘state on’
2015-08-13 14:26:18 openvpn: rx: SUCCESS: real-time state notification set to ON
2015-08-13 14:26:18 openvpn: rx: >PASSWORD:Need ‘Auth’ username/password
2015-08-13 14:26:18 openvpn: tx: username “Auth” “[user]”
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 MANAGEMENT: CMD ‘username “Auth” “[user]”’
2015-08-13 14:26:18 openvpn: rx: SUCCESS: ‘Auth’ username entered, but not yet verified
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 MANAGEMENT: CMD ‘password [...]’
2015-08-13 14:26:18 openvpn: rx: SUCCESS: ‘Auth’ password entered, but not yet verified
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 MANAGEMENT: >STATE:1439468778,WILL_CONNECT,[IP],,,,,0
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 Socket Buffers: R=[172032→131072] S=[172032→131072]
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 UDPv4 link local: [undef]
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 UDPv4 link remote: [AF_INET][IP]:[PORT]
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 MANAGEMENT: >STATE:1439468778,WAIT,,,,,,0
2015-08-13 14:26:18 openvpn: rx: >STATE:1439468778,WILL_CONNECT,[IP],,,,,0
2015-08-13 14:26:18 openvpn: rx: >STATE:1439468778,WAIT,,,,,,0
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 MANAGEMENT: >STATE:1439468778,AUTH,,,,,,0
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 TLS: Initial packet from [AF_INET][IP]:[PORT], sid=7f32f5b5 869df738
2015-08-13 14:26:18 openvpn: rx: >STATE:1439468778,AUTH,,,,,,0
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 VERIFY OK: depth=1, C=FR, O=Freebox SA, CN=Freebox OpenVPN server CA for […]
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 Validating certificate key usage
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 ++ Certificate has key usage 00a0, expects 00a0
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 VERIFY KU OK
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 Validating certificate extended key usage
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 VERIFY EKU OK
2015-08-13 14:26:18 openvpn: output: Thu Aug 13 14:26:18 2015 VERIFY OK: depth=0, C=FR, O=Freebox SA, CN=Freebox OpenVPN server […]
2015-08-13 14:26:19 openvpn: output: Thu Aug 13 14:26:19 2015 WARNING: ‘dev-type’ is used inconsistently, local=’dev-type tun’, remote=’dev-type tap’
2015-08-13 14:26:19 openvpn: output: Thu Aug 13 14:26:19 2015 WARNING: ‘link-mtu’ is used inconsistently, local=’link-mtu 1557’, remote=’link-mtu 1589’
2015-08-13 14:26:19 openvpn: output: Thu Aug 13 14:26:19 2015 WARNING: ‘tun-mtu’ is used inconsistently, local=’tun-mtu 1500’, remote=’tun-mtu 1532’
2015-08-13 14:26:19 openvpn: output: Thu Aug 13 14:26:19 2015 Data Channel Encrypt: Cipher ‘AES-256-CBC’ initialized with 256 bit key
2015-08-13 14:26:19 openvpn: output: Thu Aug 13 14:26:19 2015 Data Channel Encrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
2015-08-13 14:26:19 openvpn: output: Thu Aug 13 14:26:19 2015 Data Channel Decrypt: Cipher ‘AES-256-CBC’ initialized with 256 bit key
2015-08-13 14:26:19 openvpn: output: Thu Aug 13 14:26:19 2015 Data Channel Decrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
2015-08-13 14:26:19 openvpn: output: Thu Aug 13 14:26:19 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2015-08-13 14:26:19 openvpn: output: Thu Aug 13 14:26:19 2015 [Freebox OpenVPN server […]] Peer Connection Initiated with [AF_INET][IP]:[PORT]
2015-08-13 14:26:20 openvpn: rx: >STATE:1439468780,GET_CONFIG,,,,,,0
2015-08-13 14:26:20 openvpn: output: Thu Aug 13 14:26:20 2015 MANAGEMENT: >STATE:1439468780,GET_CONFIG,,,,,,0
2015-08-13 14:26:21 openvpn: output: Thu Aug 13 14:26:21 2015 SENT CONTROL [Freebox OpenVPN server […]]: ‘PUSH_REQUEST’ (status=1)
2015-08-13 14:26:21 openvpn: rx: >STATE:1439468781,CONNECTED,SUCCESS,,[IP],,,1500
2015-08-13 14:26:21 openvpn: bad local ip
2015-08-13 14:26:21 l3 is now stable
2015-08-13 14:26:21 l3 does not fulfil config requirement
2015-08-13 14:26:21 l3 state change ‘l3_wait_stable’ ⇒ ‘l3_bring_down’
2015-08-13 14:26:21 waiting for l3 providers to go down
2015-08-13 14:26:21 l3 state change ‘l3_bring_down’ ⇒ ‘l3_wait_down’
2015-08-13 14:26:21 l3 state change ‘l3_wait_down’ ⇒ ‘l3_cleanup_start’
2015-08-13 14:26:21 calling helper script at ‘/etc/fbxconnman/conn.post-down’
2015-08-13 14:26:21 l3 state change ‘l3_cleanup_start’ ⇒ ‘l3_wait_postdown_helper’
2015-08-13 14:26:21 openvpn: output: Thu Aug 13 14:26:21 2015 PUSH: Received control message: ‘PUSH_REPLY,ping 30,ping-restart 120’
2015-08-13 14:26:21 openvpn: output: Thu Aug 13 14:26:21 2015 OPTIONS IMPORT: timers and/or timeouts modified
2015-08-13 14:26:21 openvpn: output: Thu Aug 13 14:26:21 2015 Initialization Sequence Completed
2015-08-13 14:26:21 openvpn: output: Thu Aug 13 14:26:21 2015 MANAGEMENT: >STATE:1439468781,CONNECTED,SUCCESS,,[IP],,,1500
2015-08-13 14:26:21 l3 state change ‘l3_wait_postdown_helper’ ⇒ ‘l3_cleanup_finish’
2015-08-13 14:26:21 l3 state change ‘l3_cleanup_finish’ ⇒ ‘l3_finished’
2015-08-13 14:26:21 state change ‘wait_l3_up’ ⇒ ‘wait_l3_down’
2015-08-13 14:26:21 l3 state change ‘l3_finished’ ⇒ ‘l3_down’
2015-08-13 14:26:21 state is now DOWN
2015-08-13 14:26:21 state change ‘wait_l3_down’ ⇒ ‘l3_finished’
2015-08-13 14:26:21 state change ‘l3_finished’ ⇒ ‘wait_l2_down’
2015-08-13 14:26:21 l2 state change ‘l2_up’ ⇒ ‘l2_cleanup’
2015-08-13 14:26:21 l2 state change ‘l2_cleanup’ ⇒ ‘l2_down’
2015-08-13 14:26:21 state change ‘wait_l2_down’ ⇒ ‘down’

Cette tache ne dépend pas d'autre tache

Maxime Bizon (mbizon)
lundi 30 novembre, 2015 16:23:54

vous pourriez poster la ligne avec [IP] sans modification svp ?

Clovis (owintwist)
mardi 1 décembre, 2015 15:17:31

[IP] correspond à l'IP public de la box cible.

Maxime Bizon (mbizon)
mardi 1 décembre, 2015 15:39:04

non cette ligne là:

2015-08-13 14:26:21 openvpn: rx: >STATE:1439468781,CONNECTED,SUCCESS,,[IP],,,1500

ça devrait êtes l'ip assignée par le VPN

Clovis (owintwist)
dimanche 7 février, 2016 03:18:21

Pardon pour le temps d'attente…
Je viens de réessayer avec les deux box en v3.3, le problème est toujours là et c'est bien l'IP public qui est retourné à cette ligne.

Clovis (owintwist)
samedi 13 février, 2016 03:16:36

Bonjour,

Pour moi, le problème est le suivant :
Comme le client refuse de charger le fichier de configuration tant que la ligne `dev-type tap` n'est pas commenté, il tente de se connecter en mode Route (tun) et non Bridge (tap)*. Faire sauter ce filtre, qui empêche de charger le fichier correctement configuré, pourrait-il résoudre ce problème ?

* voir log : `2015-08-13 14:26:19 openvpn: output: Thu Aug 13 14:26:19 2015 WARNING: ‘dev-type’ is used inconsistently, local=’dev-type tun’, remote=’dev-type tap’`

Clovis (owintwist)
mardi 7 juin, 2016 10:42:05

Bonjour,

Toujours pas d'évolution dans cette panne ?

D'avance

Neustradamus (Neustradamus)
vendredi 4 janvier, 2019 08:31:20

Avez-vous du nouveau depuis l'ouverture du ticket ?

Neustradamus (Neustradamus_)
vendredi 7 août, 2020 05:34:24

Avec Freebox OS 4.2.3 ou 4.2.4 (uniquement sur Pop), est-ce toujours pareil ?

Neustradamus (Neustradamus_)
mercredi 30 septembre, 2020 17:03:56

@owintwist: Du neuf ?

Neustradamus (Neustradamus_)
lundi 19 octobre, 2020 22:21:01
Neustradamus (Neustradamus_)
mercredi 28 octobre, 2020 16:41:13

@mbizon, ça devrait évoluer avec ça non ?

Suite à votre commentaire du "Tuesday 1 December, 2015 16:39:04"
- https://dev.freebox.fr/bugs/task/18505#comment79072
[IP] → IP publique (voir les logs des 2 tickets)

Le ticket FS#18505 = FS#27167


OpenVPN 2.5.0 (2020-10-27) :
- https://openvpn.net/
- https://github.com/OpenVPN/openvpn/releases

Email d'annonce de la sortie d'OpenVPN 2.5.0 :
- https://sourceforge.net/p/openvpn/mailman/message/37138737/

OpenVPN 2.5 is a new major release with many new features:
- Client-specific tls-crypt keys (–tls-crypt-v2)
- Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data channel
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration
- Asynchronous (deferred) authentication support for auth-pam plugin
- Deferred client-connect
- Faster connection setup
- Netlink support
- Wintun support
- IPv6-only operation
- Improved Windows 10 detection
- Linux VRF support
- TLS 1.3 support
- Support setting DHCP search domain
- Handle setting of tun/tap interface MTU on Windows
- HMAC based auth-token support
- VLAN support
- Support building of .msi installers for Windows
- Allow unicode search string in –cryptoapicert option (Windows)
- Support IPv4 configs with /31 netmasks now
- New option –block-ipv6 to reject all IPv6 packets (ICMPv6)
- MSI installer (Windows)
- The MSI installer now bundles EasyRSA 3, a modern take on OpenVPN CA management

Overview of changes in OpenVPN v2.5:
- https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

Rappel pour la 2.4.x (il manque toujours des options dans Freebox OS) :
Overview of changes in OpenVPN v2.4:
- https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

Neustradamus (Neustradamus_)
jeudi 25 février, 2021 12:08:07

OpenVPN 2.5.1 (2021-02-24) :
- https://openvpn.net/
- https://github.com/OpenVPN/openvpn/releases
- https://sourceforge.net/p/openvpn/mailman/message/37226597/

[Openvpn-announce] OpenVPN 2.5.1 released
From: Samuli Seppänen <samuli@op...> - 2021-02-24 13:50:33

The OpenVPN community project team is proud to release OpenVPN 2.5.1. It
includes several bug fixes and improvements as well as updated OpenSSL
and OpenVPN GUI for Windows.

Source code and Windows installers can be downloaded from our download page:

<https://openvpn.net/community-downloads/>;

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>;

On Red Hat derivatives we recommend using the Fedora Copr repository.

<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/>;

---

Overview of changes since OpenVPN 2.4

  Faster connections

    Connections setup is now much faster

  Crypto specific changes

    ChaCha20-Poly1305 cipher in the OpenVPN data channel
      Requires OpenSSL 1.1.0 or newer)
    Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
    Client-specific tls-crypt keys (--tls-crypt-v2)
    Improved Data channel cipher negotiation
    Removal of BF-CBC support in default configuration (see below for
possible incompatibilities)

  Server-side improvements

    HMAC based auth-token support for seamless reconnects to standalone
      servers or a group of servers.
    Asynchronous (deferred) authentication support for auth-pam plugin
    Asynchronous (deferred) support for client-connect scripts and
      plugins

  Network-related changes

    Support IPv4 configs with /31 netmasks now
    802.1q VLAN support on TAP servers
    IPv6-only tunnels
    New option --block-ipv6 to reject all IPv6 packets (ICMPv6)

  Linux-specific features

    VRF support
    Netlink integration (OpenVPN no longer needs to execute
      ifconfig/route or ip commands)

Windows-specific features

    Wintun driver support, a faster alternative to tap-windows6
    Setting tun/tap interface MTU
    Setting DHCP search domain
    Allow unicode search string in --cryptoapicert option
    EasyRSA3, a modern take on OpenVPN CA management
    MSI installer

---

Important notices

BF-CBC cipher is no longer the default

Cipher handling for the data channel cipher has been significantly
changed between OpenVPN 2.3/2.4 and v2.5, most notably there are no
"default cipher BF-CBC" anymore because it is no longer considered a
reasonable default. BF-CBC is still available, but it needs to be
explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both
ends will be able  to negotiate a better cipher than BF-CBC. By default
they will select one of the AES-GCM ciphers, but this can be influenced
using the --data-ciphers setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting
in the config (= defaulting to BF-CBC and not being negotiation-capable)
must be updated. Unless BF-CBC is included in --data-ciphers or there is
a "--cipher BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server
will refuse to talk to a v2.3 server or client, because it has no common
data channel cipher and negotiating a cipher is not possible. Generally,
we recommend upgrading such setups to OpenVPN 2.4 or v2.5. If upgrading
is not possible we recommend adding data-ciphers
AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher AES-128-CBC
(v2.4.x and older) to the configuration of all clients and servers.

If you really need to use an unsupported OpenVPN 2.3 (or even older)
release and need to stay on BF-CBC (not recommended), the OpenVPN 2.5
based client will need a config file change to re-enable BF-CBC.  But be
warned that BF-CBC and other related weak ciphers will be removed in
coming OpenVPN major releases.

For full details see the Data channel cipher negotiation section on the
man page.

Connectivity to some VPN service provider may break

Connecting with an OpenVPN 2.5 client to at least one commercial VPN
service that
implemented their own cipher negotiation method that always reports back
that it is using BF-CBC to the client is broken in v2.5. This has always
caused warning about mismatch ciphers. We have been in contact with some
service providers and they are looking into it.  This is not something
the OpenVPN community can fix. If your commercial VPN does not work with
a v2.5 client, complain to the VPN service provider.

More details on these new features as well as a list of deprecated
features and user-visible changes are available in Changes.rst:

<https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst>;

---
Neustradamus (Neustradamus_)
mercredi 28 avril, 2021 21:25:38

Freebox OS 4.3.1 a OpenVPN 2.5.0, est-ce qu'il y a une amélioration ?

Sasuke2690 (Sasuke2690)
vendredi 22 juillet, 2022 07:28:25

There is a lot of helpful information in this post. It's incredibly challenging to win at Spider Solitaire 2 Suit, but if you're competitive, challenge yourself. Believe in yourself and do your best

Chargement...