Freebox Server (Ultra V9/ Pop V8/ Delta V7 / Revolution V6 / Mini 4K)

  • État Nouveau
  • Pourcentage achevé
    0%
  • Type Évolution
  • Catégorie Services locaux → Client VPN
  • Assignée à Personne
  • Système d'exploitation Freebox Server V6 (Révolution)
  • Sévérité Moyenne
  • Priorité Très Basse
  • Basée sur la version 4.0.2
  • Due pour la version Non décidée
  • Échéance Non décidée
  • Votes 1
  • Privée
Concerne le projet: Freebox Server (Ultra V9/ Pop V8/ Delta V7 / Revolution V6 / Mini 4K)
Ouverte par gouge_re - 01/01/2019
Dernière modification par mbizon - 02/01/2019

FS#23827 - OpenVPN : version dépassée

Bonsoir,

Je souhaite utiliser ma Freebox en tant que client OpenVPN (pour l’application Téléchargements, entre autres).
Mon serveur OpenVPN étant installé et fonctionnel sur mon ordinateur et ma tablette (j’utilise un fichier .ovpn).

Voici mon ovpn (j’ai remplacé les balises tls-crypt par tls-auth pour que mon fichier soit accepté par Freebox OS)

client
proto udp
remote {redacted} 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_rKPVIfiQfZNFnVaE name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
verb 3
<ca>
-----BEGIN CERTIFICATE-----
{redacted}
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
{redacted}
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
{redacted}
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
{redacted}
-----END OpenVPN Static key V1-----
</tls-auth>

Ma Freebox ne se connecte pas à mon VPN, pour cause: Le cipher AES-128-GCM n’est pas surtout par OpenVPN... 2.3!

Certes la version d’OpenVPN peut être considérée comme stable, mais étant donné que Freebox OS 4.0 est sorti récemment et que cela concerne peut-être également la FBX Delta, cela ne vaudrait-il pas le coup de mettre la version d’OpenVPN à jour vers la branche 2.4?

Merci,
Cordialement.

Je me suis trompé dans le dernier lien, il s'agit de celui-ci : https://dev.freebox.fr/bugs/task/22518.

Actuellement en 4.2.3 :
- OpenVPN : 2.4.7
- OpenSSL : 1.1.1d

Version stable :
- OpenVPN : 2.4.9
- OpenSSL : 1.1.1f

OpenVPN 2.5.0 Beta 1 (2020-08-14)
- http://openvpn.net/

Bonjour Neustradamus,

Etes-vous certain que la version Open VPN 2.4.7 soit bien chargée ?

En effet, dans les logs de connections, cette information est bien présente :

OpenVPN 2.4.7 arm-unknown-linux-muslgnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 31 2020

.

Cependant, impossible dans mon fichier .ovpn de faire reconnaitre la balise

<tls-crypt>

ou encore la commande

pull-filter ignore

!

J'obtiens dans l'interface de la Freebox : "Erreur lors de la mise à jour de la configuration VPN : Configuration OpenVPN non supporté"

Je fais tous ces tests car impossible de faire fonctionner mon client VPN sur la Freebox en raison d'une erreur obscure d'IPV6 non supportée (alors que mon client VPN fonctionne très bien et que la box semble fonctionner correctement) :

2020-09-04 21:42:16 openvpn: rx: >STATE:1599248536,WAIT,,,,,,
2020-09-04 21:42:16 openvpn: output: Fri Sep  4 21:42:16 2020 MANAGEMENT: >STATE:1599248536,AUTH,,,,,,
2020-09-04 21:42:16 openvpn: output: Fri Sep  4 21:42:16 2020 TLS: Initial packet from [AF_INET]109.201.143.35:4000, sid=8f1345bf 5ff61226
2020-09-04 21:42:16 openvpn: rx: >STATE:1599248536,AUTH,,,,,,
2020-09-04 21:42:16 openvpn: output: Fri Sep  4 21:42:16 2020 VERIFY OK: depth=2, C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, OU=Certificate Authority, CN=Hide.Me Root CA
2020-09-04 21:42:16 openvpn: output: Fri Sep  4 21:42:16 2020 VERIFY OK: depth=1, C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, OU=Certificate Authority, CN=Hide.Me Server CA #1
2020-09-04 21:42:16 openvpn: output: Fri Sep  4 21:42:16 2020 VERIFY KU OK
2020-09-04 21:42:16 openvpn: output: Fri Sep  4 21:42:16 2020 Validating certificate extended key usage
2020-09-04 21:42:16 openvpn: output: Fri Sep  4 21:42:16 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2020-09-04 21:42:16 openvpn: output: Fri Sep  4 21:42:16 2020 VERIFY EKU OK
2020-09-04 21:42:16 openvpn: output: Fri Sep  4 21:42:16 2020 VERIFY X509NAME OK: C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, OU=Certificate Authority, CN=*.hide.me
2020-09-04 21:42:16 openvpn: output: Fri Sep  4 21:42:16 2020 VERIFY OK: depth=0, C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, OU=Certificate Authority, CN=*.hide.me
2020-09-04 21:42:16 openvpn: output: Fri Sep  4 21:42:16 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 8192 bit RSA
2020-09-04 21:42:16 openvpn: output: Fri Sep  4 21:42:16 2020 [*.hide.me] Peer Connection Initiated with [AF_INET]109.201.143.35:4000
2020-09-04 21:42:17 openvpn: rx: >STATE:1599248537,GET_CONFIG,,,,,,
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 MANAGEMENT: >STATE:1599248537,GET_CONFIG,,,,,,
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 SENT CONTROL [*.hide.me]: 'PUSH_REQUEST' (status=1)
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 PUSH: Received control message: 'PUSH_REPLY,topology subnet,ping 15,ping-restart 60,explicit-exit-notify,tun-ipv6,sndbuf 16777216,rcvbuf 16777216,route-gateway 10.129.58.1,redirect-gateway,dhcp-option DNS 10.129.58.1,dhcp-renew,dhcp-release,register-dns,block-outside-dns,redirect-gateway ipv6,dhcp-option DNS6 fd00:6968:6564:9d::1,ifconfig-ipv6 fd00:6968:6564:9d:c11e:37bc:e263:549d/64 fd00:6968:6564:9d::1,ifconfig 10.129.58.44 255.255.254.0,peer-id 0,cipher AES-256-GCM'
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:11: dhcp-renew (2.4.7)
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:12: dhcp-release (2.4.7)
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:13: register-dns (2.4.7)
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:14: block-outside-dns (2.4.7)
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 OPTIONS IMPORT: timers and/or timeouts modified
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 OPTIONS IMPORT: explicit notify parm(s) modified
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 Socket Buffers: R=[180224->8388608] S=[180224->10485760]
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 OPTIONS IMPORT: --ifconfig/up options modified
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 OPTIONS IMPORT: route options modified
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 OPTIONS IMPORT: route-related options modified
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 OPTIONS IMPORT: peer-id set
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 OPTIONS IMPORT: adjusting link_mtu to 1624
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 OPTIONS IMPORT: data channel crypto options modified
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 ROUTE: default_gateway=UNDEF
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 GDG6: remote_host_ipv6=n/a
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 GDG6: socket() failed: Address family not supported by protocol (errno=97)
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 ROUTE6: default_gateway=UNDEF
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 Initialization Sequence Completed
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 MANAGEMENT: >STATE:0,CONN_PARAMS,local4-10.129.58.44|netmask4-255.255.254.0|gateway4-10.129.58.1|local6-fd00:6968:6564:9d:c11e:37bc:e263:549d|peer6-fd00:6968:6564:9d::1|onlink6-fd00:6968:6564:9d:c11e:37bc:e263:549d-64|route6--3-fd00:6968:6564:9d::1|route6-2000::-4-fd00:6968:6564:9d::1|route6-3000::-4-fd00:6968:6564:9d::1|route6-fc00::-7-fd00:6968:6564:9d::1|dns6-fd00:6968:6564:9d::1|dns4-10.129.58.1|mtu-1500
2020-09-04 21:42:17 openvpn: output: 
2020-09-04 21:42:17 openvpn: output: Fri Sep  4 21:42:17 2020 MANAGEMENT: >STATE:1599248537,CONNECTED,SUCCESS,10.129.58.44,109.201.143.35,4000,,,fd00:6968:6564:9d:c11e:37bc:e263:549d
2020-09-04 21:42:17 openvpn: rx: >STATE:0,CONN_PARAMS,local4-10.129.58.44|netmask4-255.255.254.0|gateway4-10.129.58.1|local6-fd00:6968:6564:9d:c11e:37bc:e263:549d|peer6-fd00:6968:6564:9d::1|onlink6-fd00:6968:6564:9d:c11e:37bc:e263:549d-64|route6--3-fd00:6968:6564:9d::1|route6-2000::-4-fd00:6968:6564:9d::1|route6-3000::-4-fd00:6968:6564:9d::1|route6-fc00::-7-fd00:6968:6564:9d::1|dns6-fd00:6968:6564:9d::1|dns4-10.129.58.1|mtu-1500
2020-09-04 21:42:17 openvpn: invalid route6 dest 
2020-09-04 21:42:17 openvpn: failed to parse conn params
2020-09-04 21:42:17 l3 is now stable
2020-09-04 21:42:17 l3 does not fulfil config requirement
2020-09-04 21:42:17 l3 state change 'l3_wait_stable' => 'l3_bring_down'
2020-09-04 21:42:17 waiting for l3 providers to go down
2020-09-04 21:42:17 l3 state change 'l3_bring_down' => 'l3_wait_down'
2020-09-04 21:42:17 l3 state change 'l3_wait_down' => 'l3_cleanup_start'
2020-09-04 21:42:17 calling helper script at '/etc/fbxconnman/conn.post-down'
2020-09-04 21:42:17 l3 state change 'l3_cleanup_start' => 'l3_wait_postdown_helper'
2020-09-04 21:42:17 l3 state change 'l3_wait_postdown_helper' => 'l3_cleanup_finish'
2020-09-04 21:42:17 l3 state change 'l3_cleanup_finish' => 'l3_finished'
2020-09-04 21:42:17 state change 'wait_l3_up' => 'wait_l3_down'
2020-09-04 21:42:17 l3 state change 'l3_finished' => 'l3_down'
2020-09-04 21:42:17 state is now DOWN
2020-09-04 21:42:17 state change 'wait_l3_down' => 'l3_finished'
2020-09-04 21:42:17 state change 'l3_finished' => 'wait_l2_down'
2020-09-04 21:42:17 l2 state change 'l2_up' => 'l2_cleanup'
2020-09-04 21:42:17 l2 state change 'l2_cleanup' => 'l2_down'
2020-09-04 21:42:17 state change 'wait_l2_down' => 'down'

Merci de votre retour rapide.

@mbizon : Qu'en pensez-vous ?

Rappel, il y a OpenVPN 2.4.9 depuis le 16 avril 2020, la 2.4.7 date du 18 février 2019 et la 2.5.0 arrive très bientôt.

tls-crypt existe depuis OpenVPN 2.4.x en 2016...

Ce n'est donc pas logique que ça ne fonctionne pas correctement de nos jours.

@kaisernet : Il faut suivre et voter :
- https://dev.freebox.fr/bugs/task/22839

- https://dev.freebox.fr/bugs/task/30669

Malgré le passage ce midi à la 4.2.5, je n'arrive toujours pas à me connecter à mon VPN.

Les logs sont identiques. Ils ne reconnaîtraient les options :

dhcp-renew, dhcp-release, register-dns, block-outside-dns

ce qui créé un problème avec les VPN en ipV6. Quand j'essaye de rajouter les lignes suivantes pour contourner ce problème, les lignes ne sont pas reconnues :

pull-filter ignore "dhcp-option DNS6"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "redirect-gateway ipv6"

Pourtant il s'agit bien de commande openVPN 2.4.

Actuellement dans Freebox OS 4.2.5 :
- OpenVPN : 2.4.7
- OpenSSL : 1.1.1d

Versions stables :
- OpenVPN : 2.4.9
- OpenSSL : 1.1.1f

OpenVPN 2.5.0 Beta 3 (2020-08-31)
- http://openvpn.net/

Lié à :
- https://dev.freebox.fr/bugs/task/25817

OpenVPN 2.5.0 RC3 (2020-10-15) :
- https://openvpn.net/
- https://github.com/OpenVPN/openvpn/releases

Voir toutes les améliorations de la 2.5.0 presque finale "RC3" dans l'email d'annonce :
- https://sourceforge.net/p/openvpn/mailman/message/37132033/

Overview of changes in OpenVPN v2.5:
- https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

Rappel pour la 2.4.x (il manque toujours des options) :
Overview of changes in OpenVPN v2.4:
- https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

@mbizon, ça devrait évoluer avec ça non ?


OpenVPN 2.5.0 (2020-10-27) :
- https://openvpn.net/
- https://github.com/OpenVPN/openvpn/releases

Email d'annonce de la sortie d'OpenVPN 2.5.0 :
- https://sourceforge.net/p/openvpn/mailman/message/37138737/

OpenVPN 2.5 is a new major release with many new features:
- Client-specific tls-crypt keys (–tls-crypt-v2)
- Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data channel
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration
- Asynchronous (deferred) authentication support for auth-pam plugin
- Deferred client-connect
- Faster connection setup
- Netlink support
- Wintun support
- IPv6-only operation
- Improved Windows 10 detection
- Linux VRF support
- TLS 1.3 support
- Support setting DHCP search domain
- Handle setting of tun/tap interface MTU on Windows
- HMAC based auth-token support
- VLAN support
- Support building of .msi installers for Windows
- Allow unicode search string in –cryptoapicert option (Windows)
- Support IPv4 configs with /31 netmasks now
- New option –block-ipv6 to reject all IPv6 packets (ICMPv6)
- MSI installer (Windows)
- The MSI installer now bundles EasyRSA 3, a modern take on OpenVPN CA management

Overview of changes in OpenVPN v2.5:
- https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

Rappel pour la 2.4.x (il manque toujours des options dans Freebox OS) :
Overview of changes in OpenVPN v2.4:
- https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

OpenVPN 2.5.1 (2021-02-24) :
- https://openvpn.net/
- https://github.com/OpenVPN/openvpn/releases
- https://sourceforge.net/p/openvpn/mailman/message/37226597/

[Openvpn-announce] OpenVPN 2.5.1 released
From: Samuli Seppänen <samuli@op...> - 2021-02-24 13:50:33

The OpenVPN community project team is proud to release OpenVPN 2.5.1. It
includes several bug fixes and improvements as well as updated OpenSSL
and OpenVPN GUI for Windows.

Source code and Windows installers can be downloaded from our download page:

<https://openvpn.net/community-downloads/>;

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>;

On Red Hat derivatives we recommend using the Fedora Copr repository.

<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/>;

---

Overview of changes since OpenVPN 2.4

  Faster connections

    Connections setup is now much faster

  Crypto specific changes

    ChaCha20-Poly1305 cipher in the OpenVPN data channel
      Requires OpenSSL 1.1.0 or newer)
    Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
    Client-specific tls-crypt keys (--tls-crypt-v2)
    Improved Data channel cipher negotiation
    Removal of BF-CBC support in default configuration (see below for
possible incompatibilities)

  Server-side improvements

    HMAC based auth-token support for seamless reconnects to standalone
      servers or a group of servers.
    Asynchronous (deferred) authentication support for auth-pam plugin
    Asynchronous (deferred) support for client-connect scripts and
      plugins

  Network-related changes

    Support IPv4 configs with /31 netmasks now
    802.1q VLAN support on TAP servers
    IPv6-only tunnels
    New option --block-ipv6 to reject all IPv6 packets (ICMPv6)

  Linux-specific features

    VRF support
    Netlink integration (OpenVPN no longer needs to execute
      ifconfig/route or ip commands)

Windows-specific features

    Wintun driver support, a faster alternative to tap-windows6
    Setting tun/tap interface MTU
    Setting DHCP search domain
    Allow unicode search string in --cryptoapicert option
    EasyRSA3, a modern take on OpenVPN CA management
    MSI installer

---

Important notices

BF-CBC cipher is no longer the default

Cipher handling for the data channel cipher has been significantly
changed between OpenVPN 2.3/2.4 and v2.5, most notably there are no
"default cipher BF-CBC" anymore because it is no longer considered a
reasonable default. BF-CBC is still available, but it needs to be
explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both
ends will be able  to negotiate a better cipher than BF-CBC. By default
they will select one of the AES-GCM ciphers, but this can be influenced
using the --data-ciphers setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting
in the config (= defaulting to BF-CBC and not being negotiation-capable)
must be updated. Unless BF-CBC is included in --data-ciphers or there is
a "--cipher BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server
will refuse to talk to a v2.3 server or client, because it has no common
data channel cipher and negotiating a cipher is not possible. Generally,
we recommend upgrading such setups to OpenVPN 2.4 or v2.5. If upgrading
is not possible we recommend adding data-ciphers
AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher AES-128-CBC
(v2.4.x and older) to the configuration of all clients and servers.

If you really need to use an unsupported OpenVPN 2.3 (or even older)
release and need to stay on BF-CBC (not recommended), the OpenVPN 2.5
based client will need a config file change to re-enable BF-CBC.  But be
warned that BF-CBC and other related weak ciphers will be removed in
coming OpenVPN major releases.

For full details see the Data channel cipher negotiation section on the
man page.

Connectivity to some VPN service provider may break

Connecting with an OpenVPN 2.5 client to at least one commercial VPN
service that
implemented their own cipher negotiation method that always reports back
that it is using BF-CBC to the client is broken in v2.5. This has always
caused warning about mismatch ciphers. We have been in contact with some
service providers and they are looking into it.  This is not something
the OpenVPN community can fix. If your commercial VPN does not work with
a v2.5 client, complain to the VPN service provider.

More details on these new features as well as a list of deprecated
features and user-visible changes are available in Changes.rst:

<https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst>;

---

Freebox OS 4.3.1 a OpenVPN 2.5.0, est-ce qu'il y a une amélioration ?

Chargement...

Activer les raccourcis clavier

Liste des tâches

Détails de la tâche

Édition de la tâche