JakduK / tasks


OpenVPN installation #12

Closed Pyohwan closed 2 years ago

Pyohwan commented 2 years ago

Goal

Install OpenVPN and set up an environment in which I can develop remotely.

Deliverables

Pyohwan commented 2 years ago

Server-side error log

Sat May 21 22:58:39 2022 us=516871 MULTI: multi_create_instance called
Sat May 21 22:58:39 2022 us=517006 192.168.0.23:1194 Re-using SSL/TLS context
Sat May 21 22:58:39 2022 us=517148 192.168.0.23:1194 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sat May 21 22:58:39 2022 us=517177 192.168.0.23:1194 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Sat May 21 22:58:39 2022 us=517243 192.168.0.23:1194 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sat May 21 22:58:39 2022 us=517266 192.168.0.23:1194 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
RSat May 21 22:58:39 2022 us=517325 192.168.0.23:1194 TLS: Initial packet from [AF_INET]192.168.0.23:1194, sid=5077711f 4d4e9f15
WRRWWRRSat May 21 22:58:39 2022 us=536134 192.168.0.23:1194 TLS: new session incoming connection from [AF_INET]192.168.0.23:1194
WRRWWRRSat May 21 22:58:39 2022 us=565250 192.168.0.23:1194 PID_ERR replay-window backtrack occurred [3] [TLS_WRAP-0] [0000] 1653141519:4 1653141519:1 t=1653141519[0] r=[0,64,15,3,1] sl=[60,4,64,528]
Sat May 21 22:58:39 2022 us=565302 192.168.0.23:1194 PID_ERR replay [3] [TLS_WRAP-0] [0000] 1653141519:4 1653141519:1 t=1653141519[0] r=[0,64,15,3,1] sl=[60,4,64,528]
Sat May 21 22:58:39 2022 us=565331 192.168.0.23:1194 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1653141519) Sat May 21 22:58:39 2022 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sat May 21 22:58:39 2022 us=565357 192.168.0.23:1194 TLS Error: incoming packet authentication failed from [AF_INET]192.168.0.23:1194
RSat May 21 22:58:42 2022 us=86488 192.168.0.23:1194 PID_ERR replay [2] [TLS_WRAP-0] [3333] 1653141519:4 1653141519:2 t=1653141522[0] r=[-3,64,15,3,1] sl=[60,4,64,528]
Sat May 21 22:58:42 2022 us=86548 192.168.0.23:1194 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2 / time = (1653141519) Sat May 21 22:58:39 2022 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sat May 21 22:58:42 2022 us=86574 192.168.0.23:1194 TLS Error: incoming packet authentication failed from [AF_INET]192.168.0.23:1194
WWRSat May 21 22:58:45 2022 us=898261 192.168.0.23:1194 PID_ERR replay [1] [TLS_WRAP-0] [6666] 1653141519:4 1653141519:3 t=1653141525[0] r=[0,64,15,3,1] sl=[60,4,64,528]
Sat May 21 22:58:45 2022 us=898320 192.168.0.23:1194 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1653141519) Sat May 21 22:58:39 2022 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sat May 21 22:58:45 2022 us=898347 192.168.0.23:1194 TLS Error: incoming packet authentication failed from [AF_INET]192.168.0.23:1194
Pyohwan commented 2 years ago

Removing remote-cert-eku

After setting verb 4 in the client config and looking at the log, VERIFY EKU ERROR was showing, so I removed remote-cert-eku and it works fine.

2022-05-21 23:42:34.876183 Validating certificate extended key usage
2022-05-21 23:42:34.876210 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Client Authentication
2022-05-21 23:42:34.876225 ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.1, expects TLS Web Client Authentication
2022-05-21 23:42:34.876237 VERIFY EKU ERROR
2022-05-21 23:42:34.876277 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2022-05-21 23:42:34.876290 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-21 23:42:34.876302 TLS Error: TLS object -> incoming plaintext read error
2022-05-21 23:42:34.876312 TLS Error: TLS handshake failed
Pyohwan commented 2 years ago

Changing the IP in remote to openvpn.jakduk.dev does not work.

Changed "remote 192.168.0.26 1194" to "remote openvpn.jakduk.dev 1194". Client error log:

2022-05-21 23:45:20.059300 MANAGEMENT: >STATE:1653144320,WAIT,,,,,,
2022-05-21 23:45:27.193540 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.0.26:1194[2], expected peer address: [AF_INET]59.11.48.103:1194 (allow this incoming source address/port by removing --remote or adding --float)
2022-05-21 23:45:37.433395 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.0.26:1194[2], expected peer address: [AF_INET]59.11.48.103:1194 (allow this incoming source address/port by removing --remote or adding --float)
2022-05-21 23:45:47.551779 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.0.26:1194[2], expected peer address: [AF_INET]59.11.48.103:1194 (allow this incoming source address/port by removing --remote or adding --float)
2022-05-21 23:45:57.913359 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.0.26:1194[2], expected peer address: [AF_INET]59.11.48.103:1194 (allow this incoming source address/port by removing --remote or adding --float)
2022-05-21 23:46:07.846394 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.0.26:1194[2], expected peer address: [AF_INET]59.11.48.103:1194 (allow this incoming source address/port by removing --remote or adding --float)
2022-05-21 23:46:17.882915 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.0.26:1194[2], expected peer address: [AF_INET]59.11.48.103:1194 (allow this incoming source address/port by removing --remote or adding --float)
2022-05-21 23:46:20.437171 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2022-05-21 23:46:20.437345 TLS Error: TLS handshake failed

Solution

Changing the port forwarding on the host machine from TCP to UDP made it work.

[screenshot 2022-05-21 23:50:45]
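The three comments above each leave a distinct signature in the OpenVPN log: the server's "bad packet ID (may be a replay)" lines, the client's VERIFY EKU ERROR, and the "Incoming packet rejected ... expected peer address" loop that ends in the 60-second key-negotiation timeout. The following is an added example, not code from this issue or the JakduK project: a small Python triage helper that recognises those signatures in log text and maps each one to a hint. The sample log lines are constructed from the excerpts quoted in this thread, and the hint wording is mine, not OpenVPN's. One point worth keeping in mind from the EKU lines: the client is checking the server's certificate, which correctly carries TLS Web Server Authentication, but the client's expected value is TLS Web Client Authentication; setting the expected EKU to the server role (what remote-cert-tls server checks) keeps the certificate check in place instead of removing it.

```python
"""Triage OpenVPN connection failures from client/server log text.

Added example: recognises the failure signatures seen in this issue and
maps each to a diagnostic hint. Sample lines are constructed from the
thread's excerpts; the hint wording is the example author's, not OpenVPN's.
"""
import re

# One regex per failure signature; named groups pull out the useful detail.
EKU_RE = re.compile(r"Certificate has EKU \(str\) (?P<has>.+?), expects (?P<expects>.+)$")
PEER_RE = re.compile(
    r"Incoming packet rejected from \[AF_INET\](?P<src>[\d.]+:\d+)(?:\[\d+\])?, "
    r"expected peer address: \[AF_INET\](?P<expected>[\d.]+:\d+)"
)
REPLAY_RE = re.compile(r"bad packet ID \(may be a replay\): \[ #(?P<pid>\d+) ")
TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within (?P<secs>\d+) seconds")

HINTS = {
    "eku_mismatch": (
        "The peer certificate's extended key usage is not what remote-cert-eku / "
        "remote-cert-tls expects. A client verifying its server should expect "
        "'TLS Web Server Authentication'; fix the expected value or reissue the "
        "certificate rather than dropping the check."
    ),
    "peer_address_mismatch": (
        "Replies come from a different address than 'remote' resolved to. Check the "
        "NAT / port-forwarding rule on the path (protocol and port must match the "
        "server's proto and port); --float only masks the symptom."
    ),
    "replay": (
        "Control-channel packet IDs fell outside the replay window (tls-auth). "
        "Look for duplicated or re-ordered datagrams on the path before relaxing "
        "--replay-window."
    ),
    "handshake_timeout": (
        "No usable control-channel reply within the timeout: the server was not "
        "reached (wrong proto/port forwarding, firewall) or its replies were rejected."
    ),
}


def classify_openvpn_log(lines):
    """Return {category: [details, ...]} for every recognised failure line."""
    findings = {}
    for line in lines:
        if m := EKU_RE.search(line):
            findings.setdefault("eku_mismatch", []).append((m["has"], m["expects"]))
        elif m := PEER_RE.search(line):
            findings.setdefault("peer_address_mismatch", []).append((m["src"], m["expected"]))
        elif m := REPLAY_RE.search(line):
            findings.setdefault("replay", []).append(int(m["pid"]))
        elif m := TIMEOUT_RE.search(line):
            findings.setdefault("handshake_timeout", []).append(int(m["secs"]))
    return findings


def explain(findings):
    """Turn classify_openvpn_log() output into one hint line per category."""
    return [f"{cat} ({len(details)} line(s)): {HINTS[cat]}" for cat, details in findings.items()]


# Constructed sample: abbreviated copies of the lines quoted in this issue.
SAMPLE_LOG = [
    "Sat May 21 22:58:39 2022 us=565331 192.168.0.23:1194 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1653141519) Sat May 21 22:58:39 2022 ]",
    "Sat May 21 22:58:42 2022 us=86548 192.168.0.23:1194 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2 / time = (1653141519) Sat May 21 22:58:39 2022 ]",
    "Sat May 21 22:58:45 2022 us=898320 192.168.0.23:1194 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1653141519) Sat May 21 22:58:39 2022 ]",
    "2022-05-21 23:42:34.876183 Validating certificate extended key usage",
    "2022-05-21 23:42:34.876210 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Client Authentication",
    "2022-05-21 23:42:34.876237 VERIFY EKU ERROR",
    "2022-05-21 23:45:27.193540 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.0.26:1194[2], expected peer address: [AF_INET]59.11.48.103:1194 (allow this incoming source address/port by removing --remote or adding --float)",
    "2022-05-21 23:46:20.437171 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
]

if __name__ == "__main__":
    for hint in explain(classify_openvpn_log(SAMPLE_LOG)):
        print(hint)
```

Run it against a real log with verb 4 or higher on the client; lines that match none of the patterns are ignored, so the whole file can be piped in.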
Pyohwan commented 2 years ago

Tunnelblick connects, but I cannot ping the internal IP.

user@AL01992259 jakduk_ssh % ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10): 56 data bytes
Request timeout for icmp_seq 0
^C
--- 192.168.0.10 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

Running ifconfig, there is no 192.168.10.x

pktap0: flags=1<UP> mtu 0
utun5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet 10.8.0.2 --> 10.8.0.2 netmask 0xffffff00 
Pyohwan commented 2 years ago

Checking the client network and route settings

On the Mac it seems to be set up correctly.

ifconfig

utun5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet 10.8.0.2 --> 10.8.0.2 netmask 0xffffff00 
user@AL01992259 jakduk_ssh % netstat -nr | grep 192.168
192.168.0          10.8.0.1           UGSc            utun5  
Pyohwan commented 2 years ago

Ran tcpdump on the server

23:08:58.644560 IP 121.165.65.36.openvpn > localhost.localdomain.openvpn: UDP, length 40
23:08:58.644778 IP localhost.localdomain.openvpn > 121.165.65.36.openvpn: UDP, length 40
23:08:59.232618 IP localhost.localdomain.37304 > kns.kornet.net.domain: 12508+ PTR? 26.0.168.192.in-addr.arpa. (43)
23:08:59.235566 IP kns.kornet.net.domain > localhost.localdomain.37304: 12508 NXDomain* 0/1/0 (93)
23:08:59.237175 IP localhost.localdomain.33446 > kns.kornet.net.domain: 31274+ PTR? 36.65.165.121.in-addr.arpa. (44)
23:08:59.240071 IP kns.kornet.net.domain > localhost.localdomain.33446: 31274 NXDomain 0/1/0 (100)
23:09:00.233994 IP localhost.localdomain.60542 > kns.kornet.net.domain: 59828+ PTR? 1.63.126.168.in-addr.arpa. (43)
23:09:00.237946 IP kns.kornet.net.domain > localhost.localdomain.60542: 59828 1/2/2 PTR kns.kornet.net. (141)
23:09:01.257274 IP 192.168.0.22.mdns > 224.0.0.251.mdns: 0*- [0q] 2/0/1 PTR Jang,Pyohwan's iPhone XR._rdlink._tcp.local., TXT "model=N841AP" (161)
23:09:01.257287 IP6 fe80::89e:85de:45bd:4087.mdns > ff02::fb.mdns: 0*- [0q] 2/0/1 PTR Jang,Pyohwan's iPhone XR._rdlink._tcp.local., TXT "model=N841AP" (161)
23:09:02.237941 IP localhost.localdomain.55908 > kns.kornet.net.domain: 64338+ PTR? 251.0.0.224.in-addr.arpa. (42)
23:09:02.241488 IP kns.kornet.net.domain > localhost.localdomain.55908: 64338 NXDomain 0/1/0 (99)
23:09:02.241862 IP localhost.localdomain.58902 > kns.kornet.net.domain: 62337+ PTR? 22.0.168.192.in-addr.arpa. (43)
23:09:02.244594 IP kns.kornet.net.domain > localhost.localdomain.58902: 62337 NXDomain* 0/1/0 (93)
23:09:02.244936 IP localhost.localdomain.60248 > kns.kornet.net.domain: 3986+ PTR? b.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa. (90)
23:09:02.248202 IP kns.kornet.net.domain > localhost.localdomain.60248: 3986 NXDomain 0/1/0 (154)
23:09:02.248522 IP localhost.localdomain.48369 > kns.kornet.net.domain: 7941+ PTR? 7.8.0.4.d.b.5.4.e.d.5.8.e.9.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
23:09:02.250774 IP kns.kornet.net.domain > localhost.localdomain.48369: 7941 NXDomain* 0/1/0 (139)
23:09:04.081353 IP 121.165.65.36.openvpn > localhost.localdomain.openvpn: UDP, length 108
23:09:04.081569 IP 10.8.0.2 > 192.168.0.10: ICMP echo request, id 49521, seq 0, length 64
23:09:04.241944 IP localhost.localdomain.42106 > kns.kornet.net.domain: 42769+ PTR? 10.0.168.192.in-addr.arpa. (43)
23:09:04.245591 IP kns.kornet.net.domain > localhost.localdomain.42106: 42769 NXDomain* 0/1/0 (93)
23:09:04.245972 IP localhost.localdomain.33755 > kns.kornet.net.domain: 46945+ PTR? 2.0.8.10.in-addr.arpa. (39)
23:09:04.248536 IP kns.kornet.net.domain > localhost.localdomain.33755: 46945 NXDomain* 0/1/0 (89)
23:09:05.088489 IP 121.165.65.36.openvpn > localhost.localdomain.openvpn: UDP, length 108
23:09:05.088659 IP 10.8.0.2 > 192.168.0.10: ICMP echo request, id 49521, seq 1, length 64
23:09:05.520828 ARP, Request who-has 192.168.0.23 tell gateway, length 46
23:09:05.520864 ARP, Request who-has 192.168.0.23 tell gateway, length 46
23:09:06.110613 IP 121.165.65.36.openvpn > localhost.localdomain.openvpn: UDP, length 108
23:09:06.110799 IP 10.8.0.2 > 192.168.0.10: ICMP echo request, id 49521, seq 2, length 64
23:09:06.245991 IP localhost.localdomain.53464 > kns.kornet.net.domain: 1896+ PTR? 23.0.168.192.in-addr.arpa. (43)
23:09:06.248424 IP kns.kornet.net.domain > localhost.localdomain.53464: 1896 ServFail 0/0/0 (43)
23:09:06.248535 IP localhost.localdomain.57624 > kns2.kornet.net.domain: 1896+ PTR? 23.0.168.192.in-addr.arpa. (43)
23:09:06.251482 IP kns2.kornet.net.domain > localhost.localdomain.57624: 1896 NXDomain* 0/1/0 (93)
23:09:06.251970 IP localhost.localdomain.37424 > kns.kornet.net.domain: 29608+ PTR? 1.0.168.192.in-addr.arpa. (42)
23:09:06.254906 IP kns.kornet.net.domain > localhost.localdomain.37424: 29608 ServFail 0/0/0 (42)
23:09:06.255004 IP localhost.localdomain.32828 > kns2.kornet.net.domain: 29608+ PTR? 1.0.168.192.in-addr.arpa. (42)
23:09:06.257896 IP kns2.kornet.net.domain > localhost.localdomain.32828: 29608 NXDomain* 0/1/0 (92)
23:09:06.518952 ARP, Request who-has 192.168.0.23 tell gateway, length 46
23:09:07.089433 IP 121.165.65.36.openvpn > localhost.localdomain.openvpn: UDP, length 108
23:09:07.089613 IP 10.8.0.2 > 192.168.0.10: ICMP echo request, id 49521, seq 3, length 64
23:09:07.247974 IP localhost.localdomain.60395 > kns.kornet.net.domain: 63776+ PTR? 2.63.126.168.in-addr.arpa. (43)
23:09:07.250718 IP kns.kornet.net.domain > localhost.localdomain.60395: 63776 1/2/2 PTR kns2.kornet.net. (142)
23:09:07.517625 ARP, Request who-has 192.168.0.23 tell gateway, length 46
23:09:08.089873 IP 121.165.65.36.openvpn > localhost.localdomain.openvpn: UDP, length 108
23:09:08.090064 IP localhost.localdomain.openvpn > 121.165.65.36.openvpn: UDP, length 40
23:09:08.090105 IP 10.8.0.2 > 192.168.0.10: ICMP echo request, id 49521, seq 4, length 64
23:09:09.089799 ARP, Request who-has 192.168.0.10 tell localhost.localdomain, length 28
23:09:09.090131 ARP, Reply 192.168.0.10 is-at 52:54:00:d3:7b:e9 (oui Unknown), length 28
23:09:09.092183 IP 121.165.65.36.openvpn > localhost.localdomain.openvpn: UDP, length 108
23:09:09.092339 IP 10.8.0.2 > 192.168.0.10: ICMP echo request, id 49521, seq 5, length 64
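The capture above shows the client's echo requests arriving over the tunnel and being forwarded to 192.168.0.10 with the tunnel source address 10.8.0.2 (the ARP reply confirms the server can reach the target), but no echo reply ever appears. The following is an added example of mine, not code from this issue or the JakduK project: it pairs ICMP echo requests with replies in tcpdump text output and reports the unanswered ones, flagging whether they carry a source inside the VPN subnet. Unanswered requests from the tunnel subnet usually mean the LAN host has no route back to that subnet through the OpenVPN server, or the server is not NATing tunnel traffic onto the LAN. The capture lines are constructed from this thread's excerpt plus one answered pair (with a made-up host 192.168.0.200) to show the pairing; the VPN subnet 10.8.0.0/24 is taken from the utun5 address shown earlier.

```python
"""Pair ICMP echo requests with replies in tcpdump text output.

Added example: reports echo requests that never got a reply and whether
they carry a source address inside the VPN subnet. Capture lines are
constructed from this issue's excerpt plus one answered pair.
"""
import ipaddress
import re

# Matches tcpdump's default one-line ICMP echo summary.
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+"
)

DIAGNOSIS = {
    "answered": "every echo request was answered",
    "no-return-path": (
        "unanswered requests carry the tunnel source address: the LAN target needs a "
        "route back to the VPN subnet via the OpenVPN server, or the server must "
        "masquerade tunnel traffic onto the LAN"
    ),
    "host-unreachable": (
        "unanswered requests come from non-tunnel sources: check the target host "
        "and its firewall rather than the VPN routing"
    ),
}


def unanswered_echoes(lines, vpn_subnet="10.8.0.0/24"):
    """Return echo requests with no matching reply, paired on (id, seq)."""
    net = ipaddress.ip_network(vpn_subnet)
    requests, replies = {}, set()
    for line in lines:
        m = ICMP_RE.match(line)
        if not m:
            continue  # DNS, ARP, mDNS and the encrypted tunnel datagrams are ignored
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            requests[key] = (m["src"], m["dst"])
        else:
            replies.add(key)
    return [
        {"id": i, "seq": s, "src": src, "dst": dst,
         "src_in_vpn": ipaddress.ip_address(src) in net}
        for (i, s), (src, dst) in sorted(requests.items())
        if (i, s) not in replies
    ]


def diagnose(lines, vpn_subnet="10.8.0.0/24"):
    """Return (code, message) summarising the unanswered requests."""
    missing = unanswered_echoes(lines, vpn_subnet)
    if not missing:
        code = "answered"
    elif all(m["src_in_vpn"] for m in missing):
        code = "no-return-path"
    else:
        code = "host-unreachable"
    return code, DIAGNOSIS[code]


# Constructed sample: lines from the thread's capture plus one answered pair.
SAMPLE_CAPTURE = [
    "23:09:04.081353 IP 121.165.65.36.openvpn > localhost.localdomain.openvpn: UDP, length 108",
    "23:09:04.081569 IP 10.8.0.2 > 192.168.0.10: ICMP echo request, id 49521, seq 0, length 64",
    "23:09:05.088659 IP 10.8.0.2 > 192.168.0.10: ICMP echo request, id 49521, seq 1, length 64",
    "23:09:05.520828 ARP, Request who-has 192.168.0.23 tell gateway, length 46",
    "23:09:06.110799 IP 10.8.0.2 > 192.168.0.10: ICMP echo request, id 49521, seq 2, length 64",
    "23:09:09.089799 ARP, Request who-has 192.168.0.10 tell localhost.localdomain, length 28",
    "23:09:09.090131 ARP, Reply 192.168.0.10 is-at 52:54:00:d3:7b:e9 (oui Unknown), length 28",
    "23:09:09.092339 IP 10.8.0.2 > 192.168.0.10: ICMP echo request, id 49521, seq 3, length 64",
    # Constructed (not in the thread): a LAN host whose ping does get answered.
    "23:09:10.000000 IP 192.168.0.200 > 192.168.0.10: ICMP echo request, id 7, seq 0, length 64",
    "23:09:10.000500 IP 192.168.0.10 > 192.168.0.200: ICMP echo reply, id 7, seq 0, length 64",
]

if __name__ == "__main__":
    for m in unanswered_echoes(SAMPLE_CAPTURE):
        print(f"no reply: {m['src']} -> {m['dst']} id={m['id']} seq={m['seq']}")
    print(diagnose(SAMPLE_CAPTURE)[1])
```

Feed it the output of tcpdump -n -i <lan interface> icmp on the server (the -n avoids the PTR lookups that clutter the capture above); a "no-return-path" result points at the route or NAT on the server side rather than at the VPN handshake.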
Pyohwan commented 2 years ago

For some reason, after enabling firewalld it works fine.