- État Fermée
- Pourcentage achevé
- Type Anomalie
- Catégorie Non trié
-
Assignée à
mbizon - Système d'exploitation Tous
- Sévérité Critique
- Priorité Très Basse
- Basée sur la version 4.0.6
- Due pour la version Non décidée
-
Échéance
Non décidée
- Votes
- Privée
Concerne le projet: Freebox Server (Ultra V9/ Pop V8/ Delta V7 / Revolution V6 / Mini 4K)
Ouverte par mimile - 01/06/2020
Dernière modification par mbizon - 14/04/2021
Ouverte par mimile - 01/06/2020
Dernière modification par mbizon - 14/04/2021
FS#30669 - client openvpn: tls-crypt non supporté
Freebox Revolution firmware Version 4.0.7
Erreur de connexion VPN Client à cause de: “Cipher algorithm ‘AES-256-GCM’ not found”
LOGS:
2020-06-01 10:05:24 calling helper script at ‘/etc/fbxconnman/conn.post-down’
2020-06-01 10:05:24 l3 state change ‘l3_cleanup_start’ ⇒ ‘l3_wait_postdown_helper’
2020-06-01 10:05:24 openvpn: output: Mon Jun 1 10:05:24 2020 Cipher algorithm ‘AES-256-GCM’ not found
2020-06-01 10:05:24 openvpn: output: Mon Jun 1 10:05:24 2020 Exiting due to fatal error
2020-06-01 10:05:24 openvpn: openvpn process died (1)
Y’aura-t-il une mise à jour du protocole OpenVPN pour le type de cryptage dans toutes les versions de Freebox server ?
Fermée par mbizon
14.04.2021 20:35
Raison de la fermeture : Résolu
Commentaires de fermeture :
14.04.2021 20:35
Raison de la fermeture : Résolu
Commentaires de fermeture :
depuis qq firmwares deja
Chargement...
Activer les raccourcis clavier
- Alt + ⇧ Shift + l Se connecter/Se déconnecter
- Alt + ⇧ Shift + a Ouvrir une tâche
- Alt + ⇧ Shift + m Mes recherches
- Alt + ⇧ Shift + t Rechercher par ID de tâche
Liste des tâches
- o Ouvrir la tâche sélectionnée
- j Déplacer le curseur vers le bas
- k Déplacer le curseur vers le haut
Détails de la tâche
- n Tâche suivante
- p Tâche précédente
- Alt + ⇧ Shift + e ↵ Enter Modifier cette tâche
- Alt + ⇧ Shift + w Surveiller
- Alt + ⇧ Shift + y Fermer cette tâche
Édition de la tâche
- Alt + ⇧ Shift + s Enregistrer la tâche
Oui ce problème n'est pas nouveau, plusieurs demandes ont été faites pour informer des problèmes de sécurité dont la mise à jour d'OpenVPN (etc.).
corrigé en 4.2, pouvez vous confirmer ?
Négatif en firmware 4.2.1.
Impossible de connecter sur vpn.asia car nouvelle erreur sur tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
remote-cert-eku "TLS Web Server Authentication"
Logs—>
2020-07-18 07:54:16 openvpn: output: Sat Jul 18 07:54:16 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2020-07-18 07:54:16 openvpn: output: Sat Jul 18 07:54:16 2020 TLS Error: TLS handshake failed
2020-07-18 07:54:16 openvpn: output: Sat Jul 18 07:54:16 2020 SIGTERM[soft,tls-error] received, process exiting
2020-07-18 07:54:16 openvpn: output: Sat Jul 18 07:54:16 2020 MANAGEMENT: >STATE:1595051656,EXITING,tls-error,,,,,
2020-07-18 07:54:16 l3 is now stable
2020-07-18 07:54:16 l3 does not fulfil config requirement
2020-07-18 07:54:16 l3 state change 'l3_wait_stable' ⇒ 'l3_bring_down'
2020-07-18 07:54:16 waiting for l3 providers to go down
2020-07-18 07:54:16 l3 state change 'l3_bring_down' ⇒ 'l3_wait_down'
2020-07-18 07:54:16 l3 state change 'l3_wait_down' ⇒ 'l3_cleanup_start'
2020-07-18 07:54:16 calling helper script at '/etc/fbxconnman/conn.post-down'
2020-07-18 07:54:16 l3 state change 'l3_cleanup_start' ⇒ 'l3_wait_postdown_helper'
2020-07-18 07:54:16 openvpn: openvpn process died (0)
2020-07-18 07:54:16 l3 state change 'l3_wait_postdown_helper' ⇒ 'l3_cleanup_finish'
2020-07-18 07:54:16 l3 state change 'l3_cleanup_finish' ⇒ 'l3_finished'
2020-07-18 07:54:16 state change 'wait_l3_up' ⇒ 'wait_l3_down'
2020-07-18 07:54:16 l3 state change 'l3_finished' ⇒ 'l3_down'
2020-07-18 07:54:16 state is now DOWN
2020-07-18 07:54:16 state change 'wait_l3_down' ⇒ 'l3_finished'
2020-07-18 07:54:16 state change 'l3_finished' ⇒ 'wait_l2_down'
2020-07-18 07:54:16 l2 state change 'l2_up' ⇒ 'l2_cleanup'
2020-07-18 07:54:16 l2 state change 'l2_cleanup' ⇒ 'l2_down'
2020-07-18 07:54:16 state change 'wait_l2_down' ⇒ 'down'
La section de cryptage <tls-crypt> n'est prise en charge dans le fichier de config openvpn !
Et voici le fichier complet .ovpn qui n'est pas reconnu par la freebox server 4.2.1
client
dev tun
remote eu-nl-ams.321inter.net 53 udp
auth-user-pass
auth-nocache
nobind
auth SHA256
cipher AES-256-GCM
tls-client
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
remote-cert-eku "TLS Web Server Authentication"
persist-key
persist-tun
compress lz4-v2
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
—–BEGIN OpenVPN Static key V1—– 5a406c73bc41f6765ee9f7e082155b66
c7cff844c57e04528166f3b5b3c20330
36ab9a3ef4b8734b938e1e2650be9656
8ec1b72cf32bbe67cc3cf6b87be007b4
10f49fae4266bdbb23925edc725995bc
eaebd017b072738dac55c3309c735a43
7b05c64f4ffcb214ecb4b5ed470f768c
e667f3f678c5da89be34917be1324fde
d515c0ca61762b8a60846ae8939452ec
c9b0dd4bc28df79e8dd9ac975f9098c3
7140c326deee3ed61ce5402cc2ae0293
3a56f68ac2b1148ba661af4970f2c654
791e7cbbf13da7b5819355bd6f43e1b9
93cafbf035d4a187bc9ee3175e706563
3f5ae8f6356b3d33f18dd831235a03d7
a6eea38085fed6927e9a604b82c3ccc1
—–END OpenVPN Static key V1—–
</tls-crypt>
<ca>
—–BEGIN CERTIFICATE—– MIIB6TCCAW+gAwIBAgIJAO7HEvJxfUUCMAoGCCqGSM49BAMCMBcxFTATBgNVBAMM
DDMyMWludGVyLm5ldDAeFw0xOTA1MjExMzI3NDlaFw0yOTA1MTgxMzI3NDlaMBcx
FTATBgNVBAMMDDMyMWludGVyLm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABGja
TAidcTxY9ud7w3Jr1y6BSS7trkeu3kZqDg/TDCxE4k0Ay6AXVkooORyidfco+SGx
zR8oxcit7JGjCf5+JCufjKjl3s/yULt7gYfQnfBYN4ULcr1gpKCZQMIlORnvHaOB
hjCBgzAdBgNVHQ4EFgQUThoKRpgMcQwcQwlfjfzf5vE2mOUwRwYDVR0jBEAwPoAU
ThoKRpgMcQwcQwlfjfzf5vE2mOWhG6QZMBcxFTATBgNVBAMMDDMyMWludGVyLm5l
dIIJAO7HEvJxfUUCMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49
BAMCA2gAMGUCMCL6jOfO1j5lC6q0DN5Z8Aw0GQ5SAFlmlvyAkk1/dGSgA1gzV5/T
4c53qemB1vz4SQIxAN7onHBiSvGwnCePjDSoonHA9CUlWUX9hurwIdFFqLWyRQHn
Nqxoy1tXLIfKApc8CQ==
—–END CERTIFICATE—–
</ca>
Du neuf en 4.2.3 ?
Toujours non-résolu en 4.2.3 !
Pas de nouvelles de l'équipe R&D pour ce bug critique: le vpn client des Freebox est inopérant !
En vacances ?
ce sera implémenté dans la prochaine version
Bonne nouvelle pour cette rentrée. Une date pour la "prochaine version" ?
Petite précision: le fichier complet .ovpn que j'ai cité plus haut vient du site https://vpn.asia/support en choisissant Amsterdam
Je suis impatient de valider le vpn client de la "prochaine version" ;)
et je ne suis pas le seul... Bon debug !
version 4.2.5 donne les erreurs suivantes:
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.4.7)
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:8: register-dns (2.4.7)
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:9: dhcp-renew (2.4.7)
puis ensuite les erreurs fatales (affichées en rouge):
2020-09-08 06:00:42 openvpn: invalid route6 dest
2020-09-08 06:00:42 openvpn: failed to parse conn params
et en fin de compte boucle de tentatives d’établissement de connexion.
Je peux vous télécharger la capture des logs.
le serveur pousse des options IPv6, alors que le client de la freebox ne supporte que l'ipv4 (pour l'instant)
Bien compris.
Comment je peux faire alors ? un contournement (pourquoi ne pas ignorer les push options ipv6 et continuer sans erreur en ipv4) ? ou il faut attendre la prochaine version firmware qui implémente ces options openvpn pour ipv6 ?
Voici la partie du journal des logs pour votre debug:
—→» 2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 MANAGEMENT: >STATE:1599537642,GET_CONFIG,,,,,,
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 SENT CONTROL [321inter.net]: 'PUSH_REQUEST' (status=1)
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 PUSH: Received control message: 'PUSH_REPLY,sndbuf 393216,rcvbuf 393216,redirect-gateway def1 ipv6,dhcp-option DNS 172.16.0.1,dhcp-option DNS fd00:dead:beef:cafe::1,compress lz4-v2,block-outside-dns,register-dns,dhcp-renew,tun-ipv6,route 10.220.0.1,topology net30,ping 10,ping-restart 60,ifconfig-ipv6 fd00:220::1007/64 fd00:220::1,ifconfig 10.220.0.34 10.220.0.33,peer-id 7,cipher AES-256-GCM' 2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.4.7) 2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:8: register-dns (2.4.7) 2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:9: dhcp-renew (2.4.7)
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 OPTIONS IMPORT: timers and/or timeouts modified
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 OPTIONS IMPORT: compression parms modified
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 OPTIONS IMPORT: –sndbuf/–rcvbuf options modified
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 Socket Buffers: R=[180224→786432] S=[180224→786432]
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 OPTIONS IMPORT: –ifconfig/up options modified
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 OPTIONS IMPORT: route options modified
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 OPTIONS IMPORT: –ip-win32 and/or –dhcp-option options modified
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 OPTIONS IMPORT: peer-id set
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 OPTIONS IMPORT: adjusting link_mtu to 1625
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 OPTIONS IMPORT: data channel crypto options modified
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 ROUTE: default_gateway=UNDEF
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 GDG6: remote_host_ipv6=n/a
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 GDG6: socket() failed: Address family not supported by protocol (errno=97)
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 ROUTE6: default_gateway=UNDEF
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 Initialization Sequence Completed
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 MANAGEMENT: >STATE:0,CONN_PARAMS,local4-10.220.0.34|peer4-10.220.0.33|route4-10.220.0.1-32-10.220.0.33|local6-fd00:220::1007|peer6-fd00:220::1|onlink6-fd00:220::1007-64|route6–3-fd00:220::1|route6-2000::-4-fd00:220::1|route6-3000::-4-fd00:220::1|route6-fc00::-7-fd00:220::1|dns6-fd00:dead:beef:cafe::1|dns4-172.16.0.1|mtu-1500
2020-09-08 06:00:42 openvpn: output:
2020-09-08 06:00:42 openvpn: output: Tue Sep 8 06:00:42 2020 MANAGEMENT: >STATE:1599537642,CONNECTED,SUCCESS,10.220.0.34,193.176.185.171,53,,,fd00:220::1007
2020-09-08 06:00:42 openvpn: rx: >STATE:0,CONN_PARAMS,local4-10.220.0.34|peer4-10.220.0.33|route4-10.220.0.1-32-10.220.0.33|local6-fd00:220::1007|peer6-fd00:220::1|onlink6-fd00:220::1007-64|route6–3-fd00:220::1|route6-2000::-4-fd00:220::1|route6-3000::-4-fd00:220::1|route6-fc00::-7-fd00:220::1|dns6-fd00:dead:beef:cafe::1|dns4-172.16.0.1|mtu-1500 2020-09-08 06:00:42 openvpn: invalid route6 dest 2020-09-08 06:00:42 openvpn: failed to parse conn params
2020-09-08 06:00:42 l3 is now stable
2020-09-08 06:00:42 l3 does not fulfil config requirement
2020-09-08 06:00:42 l3 state change 'l3_wait_stable' ⇒ 'l3_bring_down'
2020-09-08 06:00:42 waiting for l3 providers to go down
2020-09-08 06:00:42 l3 state change 'l3_bring_down' ⇒ 'l3_wait_down'
2020-09-08 06:00:42 l3 state change 'l3_wait_down' ⇒ 'l3_cleanup_start'
2020-09-08 06:00:42 calling helper script at '/etc/fbxconnman/conn.post-down'
2020-09-08 06:00:42 l3 state change 'l3_cleanup_start' ⇒ 'l3_wait_postdown_helper'
2020-09-08 06:00:42 l3 state change 'l3_wait_postdown_helper' ⇒ 'l3_cleanup_finish'
2020-09-08 06:00:42 l3 state change 'l3_cleanup_finish' ⇒ 'l3_finished'
2020-09-08 06:00:42 state change 'wait_l3_up' ⇒ 'wait_l3_down'
2020-09-08 06:00:43 l3 state change 'l3_finished' ⇒ 'l3_down'
2020-09-08 06:00:43 state is now DOWN
il y a d'autres erreurs, je regarde ce que je peux faire
ok sera corrigé dans le prochain firmware
@mbizon: Quand vous dites "prochain firmware", quel est-il ?
OpenVPN 2.5.0 RC3 (2020-10-15) :
- https://openvpn.net/
- https://github.com/OpenVPN/openvpn/releases
Voir toutes les améliorations de la 2.5.0 presque finale "RC3" dans l'email d'annonce :
- https://sourceforge.net/p/openvpn/mailman/message/37132033/
Overview of changes in OpenVPN v2.5:
- https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25
Rappel pour la 2.4.x (il manque toujours des options) :
Overview of changes in OpenVPN v2.4:
- https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
Par la même occasion : tls-crypt-v2
OpenVPN 2.5 is a new major release with many new features:
- Client-specific tls-crypt keys (–tls-crypt-v2)
- ...
Lié à :
- https://dev.freebox.fr/bugs/task/22839
@mbizon, ça devrait évoluer avec ça non ?
OpenVPN 2.5.0 (2020-10-27) :
- https://openvpn.net/
- https://github.com/OpenVPN/openvpn/releases
Email d'annonce de la sortie d'OpenVPN 2.5.0 :
- https://sourceforge.net/p/openvpn/mailman/message/37138737/
OpenVPN 2.5 is a new major release with many new features:
- Client-specific tls-crypt keys (–tls-crypt-v2)
- Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data channel
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration
- Asynchronous (deferred) authentication support for auth-pam plugin
- Deferred client-connect
- Faster connection setup
- Netlink support
- Wintun support
- IPv6-only operation
- Improved Windows 10 detection
- Linux VRF support
- TLS 1.3 support
- Support setting DHCP search domain
- Handle setting of tun/tap interface MTU on Windows
- HMAC based auth-token support
- VLAN support
- Support building of .msi installers for Windows
- Allow unicode search string in –cryptoapicert option (Windows)
- Support IPv4 configs with /31 netmasks now
- New option –block-ipv6 to reject all IPv6 packets (ICMPv6)
- MSI installer (Windows)
- The MSI installer now bundles EasyRSA 3, a modern take on OpenVPN CA management
Overview of changes in OpenVPN v2.5:
- https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25
Rappel pour la 2.4.x (il manque toujours des options dans Freebox OS) :
Overview of changes in OpenVPN v2.4:
- https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
OpenVPN 2.5.1 (2021-02-24) :
- https://openvpn.net/
- https://github.com/OpenVPN/openvpn/releases
- https://sourceforge.net/p/openvpn/mailman/message/37226597/
[Openvpn-announce] OpenVPN 2.5.1 released From: Samuli Seppänen <samuli@op...> - 2021-02-24 13:50:33 The OpenVPN community project team is proud to release OpenVPN 2.5.1. It includes several bug fixes and improvements as well as updated OpenSSL and OpenVPN GUI for Windows. Source code and Windows installers can be downloaded from our download page: <https://openvpn.net/community-downloads/>; Debian and Ubuntu packages are available in the official apt repositories: <https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>; On Red Hat derivatives we recommend using the Fedora Copr repository. <https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/>; --- Overview of changes since OpenVPN 2.4 Faster connections Connections setup is now much faster Crypto specific changes ChaCha20-Poly1305 cipher in the OpenVPN data channel Requires OpenSSL 1.1.0 or newer) Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer Client-specific tls-crypt keys (--tls-crypt-v2) Improved Data channel cipher negotiation Removal of BF-CBC support in default configuration (see below for possible incompatibilities) Server-side improvements HMAC based auth-token support for seamless reconnects to standalone servers or a group of servers. Asynchronous (deferred) authentication support for auth-pam plugin Asynchronous (deferred) support for client-connect scripts and plugins Network-related changes Support IPv4 configs with /31 netmasks now 802.1q VLAN support on TAP servers IPv6-only tunnels New option --block-ipv6 to reject all IPv6 packets (ICMPv6) Linux-specific features VRF support Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip commands) Windows-specific features Wintun driver support, a faster alternative to tap-windows6 Setting tun/tap interface MTU Setting DHCP search domain Allow unicode search string in --cryptoapicert option EasyRSA3, a modern take on OpenVPN CA management MSI installer --- Important notices BF-CBC cipher is no longer the default Cipher handling for the data channel cipher has been significantly changed between OpenVPN 2.3/2.4 and v2.5, most notably there are no "default cipher BF-CBC" anymore because it is no longer considered a reasonable default. BF-CBC is still available, but it needs to be explicitly configured now. For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will be able to negotiate a better cipher than BF-CBC. By default they will select one of the AES-GCM ciphers, but this can be influenced using the --data-ciphers setting. Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting in the config (= defaulting to BF-CBC and not being negotiation-capable) must be updated. Unless BF-CBC is included in --data-ciphers or there is a "--cipher BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk to a v2.3 server or client, because it has no common data channel cipher and negotiating a cipher is not possible. Generally, we recommend upgrading such setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers. If you really need to use an unsupported OpenVPN 2.3 (or even older) release and need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need a config file change to re-enable BF-CBC. But be warned that BF-CBC and other related weak ciphers will be removed in coming OpenVPN major releases. For full details see the Data channel cipher negotiation section on the man page. Connectivity to some VPN service provider may break Connecting with an OpenVPN 2.5 client to at least one commercial VPN service that implemented their own cipher negotiation method that always reports back that it is using BF-CBC to the client is broken in v2.5. This has always caused warning about mismatch ciphers. We have been in contact with some service providers and they are looking into it. This is not something the OpenVPN community can fix. If your commercial VPN does not work with a v2.5 client, complain to the VPN service provider. More details on these new features as well as a list of deprecated features and user-visible changes are available in Changes.rst: <https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst>; ---