- État Nouveau
- Pourcentage achevé
- Type Anomalie
- Catégorie Services locaux → Serveur VPN
- Assignée à Personne
- Système d'exploitation Tous
- Sévérité Critique
- Priorité Très Basse
- Basée sur la version 4.0.4
- Due pour la version Non décidée
-
Échéance
Non décidée
-
Votes
1
- kalon33 (24/09/2019)
- Privée
Concerne le projet: Freebox Server (Ultra V9/ Pop V8/ Delta V7 / Revolution V6 / Mini 4K)
Ouverte par cedric78 - 02/05/2019
Ouverte par cedric78 - 02/05/2019
FS#27167 - OpenVPN Bridgé impossible entre 2 Freebox (erreur interne, bad local ip)
Bonjour,
J’essai de faire un lien OpenVPN Bridgé entre deux Freebox (Mini 4K en ADSL et One en FTTH AMI Orange).
Serveur créé sur la One, client sur la mini 4K.
Déja j’ai du effacer la ligne dev-type tap du fichier sinon impossible de l’importer sur Freebox OS.
Ensuite j’ai une erreur interne, avec bad local ip, comme si le client n’arrive pas à obtenir une adresse IP.
Merci pour votre aide, ci joint le log
2019-05-02 14:14:42 starting 2019-05-02 14:14:42 calling helper script at '/etc/fbxconnman/conn.pre-up' 2019-05-02 14:14:42 l3 state change 'l3_start' => 'l3_wait_preup_helper' 2019-05-02 14:14:42 l3 state change 'l3_wait_preup_helper' => 'l3_wait_stable' 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 OpenVPN 2.3.17 arm-unknown-linux-muslgnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 26 2019 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 library versions: OpenSSL 1.0.2q 20 Nov 2018, LZO 2.09 2019-05-02 14:14:42 openvpn: connected to management interface 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 MANAGEMENT: Connected to management server at unix_mgt.sock 2019-05-02 14:14:42 openvpn: rx: >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info 2019-05-02 14:14:42 openvpn: rx: >HOLD:Waiting for hold release 2019-05-02 14:14:42 openvpn: tx: hold release 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 MANAGEMENT: CMD 'hold release' 2019-05-02 14:14:42 openvpn: rx: SUCCESS: hold release succeeded 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 MANAGEMENT: CMD 'state on' 2019-05-02 14:14:42 openvpn: rx: SUCCESS: real-time state notification set to ON 2019-05-02 14:14:42 openvpn: rx: >PASSWORD:Need 'Auth' username/password 2019-05-02 14:14:42 openvpn: tx: username "Auth" "FBX78340" 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 MANAGEMENT: CMD 'username "Auth" "FBX78340"' 2019-05-02 14:14:42 openvpn: rx: SUCCESS: 'Auth' username entered, but not yet verified 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 MANAGEMENT: CMD 'password [...]' 2019-05-02 14:14:42 openvpn: rx: SUCCESS: 'Auth' password entered, but not yet verified 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 MANAGEMENT: >STATE:1556799282,WILL_CONNECT,91.166.145.220,,,,,0 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 Socket Buffers: R=[163840->163840] S=[163840->163840] 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 UDPv4 link local: [undef] 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 UDPv4 link remote: [AF_INET]91.166.145.220:40992 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 MANAGEMENT: >STATE:1556799282,WAIT,,,,,,0 2019-05-02 14:14:42 openvpn: rx: >STATE:1556799282,WILL_CONNECT,91.166.145.220,,,,,0 2019-05-02 14:14:42 openvpn: rx: >STATE:1556799282,WAIT,,,,,,0 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 MANAGEMENT: >STATE:1556799282,AUTH,,,,,,0 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 TLS: Initial packet from [AF_INET]91.166.145.220:40992, sid=38ca0eec 073b41c0 2019-05-02 14:14:42 openvpn: rx: >STATE:1556799282,AUTH,,,,,,0 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 VERIFY OK: depth=1, C=FR, O=Freebox SA, CN=Freebox OpenVPN server CA for 5e7ece4c6892237fe51085bd58810180 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 Validating certificate key usage 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 ++ Certificate has key usage 00a0, expects 00a0 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 VERIFY KU OK 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 Validating certificate extended key usage 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 VERIFY EKU OK 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 VERIFY X509NAME OK: C=FR, O=Freebox SA, CN=Freebox OpenVPN server 5e7ece4c6892237fe51085bd58810180 2019-05-02 14:14:42 openvpn: output: Thu May 2 14:14:42 2019 VERIFY OK: depth=0, C=FR, O=Freebox SA, CN=Freebox OpenVPN server 5e7ece4c6892237fe51085bd58810180 2019-05-02 14:14:43 openvpn: output: Thu May 2 14:14:43 2019 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap' 2019-05-02 14:14:43 openvpn: output: Thu May 2 14:14:43 2019 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1561', remote='link-mtu 1593' 2019-05-02 14:14:43 openvpn: output: Thu May 2 14:14:43 2019 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532' 2019-05-02 14:14:43 openvpn: output: Thu May 2 14:14:43 2019 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 2019-05-02 14:14:43 openvpn: output: Thu May 2 14:14:43 2019 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication 2019-05-02 14:14:43 openvpn: output: Thu May 2 14:14:43 2019 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 2019-05-02 14:14:43 openvpn: output: Thu May 2 14:14:43 2019 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication 2019-05-02 14:14:43 openvpn: output: Thu May 2 14:14:43 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA 2019-05-02 14:14:43 openvpn: output: Thu May 2 14:14:43 2019 [Freebox OpenVPN server 5e7ece4c6892237fe51085bd58810180] Peer Connection Initiated with [AF_INET]91.166.145.220:40992 2019-05-02 14:14:44 openvpn: rx: >STATE:1556799284,GET_CONFIG,,,,,,0 2019-05-02 14:14:44 openvpn: output: Thu May 2 14:14:44 2019 MANAGEMENT: >STATE:1556799284,GET_CONFIG,,,,,,0 2019-05-02 14:14:45 openvpn: output: Thu May 2 14:14:45 2019 SENT CONTROL [Freebox OpenVPN server 5e7ece4c6892237fe51085bd58810180]: 'PUSH_REQUEST' (status=1) 2019-05-02 14:14:46 openvpn: output: Thu May 2 14:14:46 2019 PUSH: Received control message: 'PUSH_REPLY,ping 30,ping-restart 120' 2019-05-02 14:14:46 openvpn: output: Thu May 2 14:14:46 2019 OPTIONS IMPORT: timers and/or timeouts modified 2019-05-02 14:14:46 openvpn: output: Thu May 2 14:14:46 2019 Initialization Sequence Completed 2019-05-02 14:14:46 openvpn: output: Thu May 2 14:14:46 2019 MANAGEMENT: >STATE:1556799286,CONNECTED,SUCCESS,,91.166.145.220,,,1500 2019-05-02 14:14:46 openvpn: rx: >STATE:1556799286,CONNECTED,SUCCESS,,91.166.145.220,,,1500 2019-05-02 14:14:46 openvpn: bad local ip 2019-05-02 14:14:46 l3 is now stable 2019-05-02 14:14:46 l3 does not fulfil config requirement 2019-05-02 14:14:46 l3 state change 'l3_wait_stable' => 'l3_bring_down' 2019-05-02 14:14:46 waiting for l3 providers to go down 2019-05-02 14:14:46 l3 state change 'l3_bring_down' => 'l3_wait_down' 2019-05-02 14:14:46 l3 state change 'l3_wait_down' => 'l3_cleanup_start' 2019-05-02 14:14:46 calling helper script at '/etc/fbxconnman/conn.post-down' 2019-05-02 14:14:46 l3 state change 'l3_cleanup_start' => 'l3_wait_postdown_helper' 2019-05-02 14:14:46 l3 state change 'l3_wait_postdown_helper' => 'l3_cleanup_finish' 2019-05-02 14:14:46 l3 state change 'l3_cleanup_finish' => 'l3_finished' 2019-05-02 14:14:46 state change 'wait_l3_up' => 'wait_l3_down' 2019-05-02 14:14:46 l3 state change 'l3_finished' => 'l3_down' 2019-05-02 14:14:46 state is now DOWN 2019-05-02 14:14:46 state change 'wait_l3_down' => 'l3_finished' 2019-05-02 14:14:46 state change 'l3_finished' => 'wait_l2_down' 2019-05-02 14:14:46 l2 state change 'l2_up' => 'l2_cleanup' 2019-05-02 14:14:46 l2 state change 'l2_cleanup' => 'l2_down' 2019-05-02 14:14:46 state change 'wait_l2_down' => 'down'
Chargement...
Activer les raccourcis clavier
- Alt + ⇧ Shift + l Se connecter/Se déconnecter
- Alt + ⇧ Shift + a Ouvrir une tâche
- Alt + ⇧ Shift + m Mes recherches
- Alt + ⇧ Shift + t Rechercher par ID de tâche
Liste des tâches
- o Ouvrir la tâche sélectionnée
- j Déplacer le curseur vers le bas
- k Déplacer le curseur vers le haut
Détails de la tâche
- n Tâche suivante
- p Tâche précédente
- Alt + ⇧ Shift + e ↵ Enter Modifier cette tâche
- Alt + ⇧ Shift + w Surveiller
- Alt + ⇧ Shift + y Fermer cette tâche
Édition de la tâche
- Alt + ⇧ Shift + s Enregistrer la tâche
beaucoup de problème avec le vpn chez free je sais quand il vont régler ce soucis
Up !
cedric78: Du neuf à ce propos ?
Problème persistant en 4.2.1
@cedric78: Pourriez-vous faire publier de nouveau logs ?
Etant donné l'évolution d'OpenVPN/OpenSSL...
@mbizon: C'est pour vous :)
Avec Freebox OS 4.2.3 ou 4.2.4 (uniquement sur Pop), est-ce toujours pareil ?
Lié à :
- https://dev.freebox.fr/bugs/task/18505
@mbizon, ça devrait évoluer avec ça non ?
Suite à votre commentaire du "Tuesday 1 December, 2015 16:39:04"
- https://dev.freebox.fr/bugs/task/18505#comment79072
[IP] → IP publique (voir les logs des 2 tickets)
Le ticket FS#18505 = FS#27167
OpenVPN 2.5.0 (2020-10-27) :
- https://openvpn.net/
- https://github.com/OpenVPN/openvpn/releases
Email d'annonce de la sortie d'OpenVPN 2.5.0 :
- https://sourceforge.net/p/openvpn/mailman/message/37138737/
OpenVPN 2.5 is a new major release with many new features:
- Client-specific tls-crypt keys (–tls-crypt-v2)
- Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data channel
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration
- Asynchronous (deferred) authentication support for auth-pam plugin
- Deferred client-connect
- Faster connection setup
- Netlink support
- Wintun support
- IPv6-only operation
- Improved Windows 10 detection
- Linux VRF support
- TLS 1.3 support
- Support setting DHCP search domain
- Handle setting of tun/tap interface MTU on Windows
- HMAC based auth-token support
- VLAN support
- Support building of .msi installers for Windows
- Allow unicode search string in –cryptoapicert option (Windows)
- Support IPv4 configs with /31 netmasks now
- New option –block-ipv6 to reject all IPv6 packets (ICMPv6)
- MSI installer (Windows)
- The MSI installer now bundles EasyRSA 3, a modern take on OpenVPN CA management
Overview of changes in OpenVPN v2.5:
- https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25
Rappel pour la 2.4.x (il manque toujours des options dans Freebox OS) :
Overview of changes in OpenVPN v2.4:
- https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
OpenVPN 2.5.1 (2021-02-24) :
- https://openvpn.net/
- https://github.com/OpenVPN/openvpn/releases
- https://sourceforge.net/p/openvpn/mailman/message/37226597/
[Openvpn-announce] OpenVPN 2.5.1 released From: Samuli Seppänen <samuli@op...> - 2021-02-24 13:50:33 The OpenVPN community project team is proud to release OpenVPN 2.5.1. It includes several bug fixes and improvements as well as updated OpenSSL and OpenVPN GUI for Windows. Source code and Windows installers can be downloaded from our download page: <https://openvpn.net/community-downloads/>; Debian and Ubuntu packages are available in the official apt repositories: <https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>; On Red Hat derivatives we recommend using the Fedora Copr repository. <https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/>; --- Overview of changes since OpenVPN 2.4 Faster connections Connections setup is now much faster Crypto specific changes ChaCha20-Poly1305 cipher in the OpenVPN data channel Requires OpenSSL 1.1.0 or newer) Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer Client-specific tls-crypt keys (--tls-crypt-v2) Improved Data channel cipher negotiation Removal of BF-CBC support in default configuration (see below for possible incompatibilities) Server-side improvements HMAC based auth-token support for seamless reconnects to standalone servers or a group of servers. Asynchronous (deferred) authentication support for auth-pam plugin Asynchronous (deferred) support for client-connect scripts and plugins Network-related changes Support IPv4 configs with /31 netmasks now 802.1q VLAN support on TAP servers IPv6-only tunnels New option --block-ipv6 to reject all IPv6 packets (ICMPv6) Linux-specific features VRF support Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip commands) Windows-specific features Wintun driver support, a faster alternative to tap-windows6 Setting tun/tap interface MTU Setting DHCP search domain Allow unicode search string in --cryptoapicert option EasyRSA3, a modern take on OpenVPN CA management MSI installer --- Important notices BF-CBC cipher is no longer the default Cipher handling for the data channel cipher has been significantly changed between OpenVPN 2.3/2.4 and v2.5, most notably there are no "default cipher BF-CBC" anymore because it is no longer considered a reasonable default. BF-CBC is still available, but it needs to be explicitly configured now. For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will be able to negotiate a better cipher than BF-CBC. By default they will select one of the AES-GCM ciphers, but this can be influenced using the --data-ciphers setting. Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting in the config (= defaulting to BF-CBC and not being negotiation-capable) must be updated. Unless BF-CBC is included in --data-ciphers or there is a "--cipher BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk to a v2.3 server or client, because it has no common data channel cipher and negotiating a cipher is not possible. Generally, we recommend upgrading such setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers. If you really need to use an unsupported OpenVPN 2.3 (or even older) release and need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need a config file change to re-enable BF-CBC. But be warned that BF-CBC and other related weak ciphers will be removed in coming OpenVPN major releases. For full details see the Data channel cipher negotiation section on the man page. Connectivity to some VPN service provider may break Connecting with an OpenVPN 2.5 client to at least one commercial VPN service that implemented their own cipher negotiation method that always reports back that it is using BF-CBC to the client is broken in v2.5. This has always caused warning about mismatch ciphers. We have been in contact with some service providers and they are looking into it. This is not something the OpenVPN community can fix. If your commercial VPN does not work with a v2.5 client, complain to the VPN service provider. More details on these new features as well as a list of deprecated features and user-visible changes are available in Changes.rst: <https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst>; ---Freebox OS 4.3.1 a OpenVPN 2.5.0, est-ce qu'il y a une amélioration ?
@julios123, @cedric78: Quelle est la situation de nos jours ?
@owintwist a le même problème ici :
- https://dev.freebox.fr/bugs/task/18505
Il serait bien de se "raccorder".
@julios123, @cedric78: Qu'en est-il de votre ticket ?
J'ai fait une demande il y a fort longtemps de remplacer "bridge-utils" par "iproute2":
- https://dev.freebox.fr/bugs/task/34731
Cela devrait résoudre pas mal de problèmes avec le mode Bridge.
PS : Avant j'avais aussi demandé la mise à jour de "bridge-utils", cela n'a pas été fait.
Note : ce projet n'est plus développé de nos jours d'où iproute2.