Closed francio87 closed 4 years ago
Test case 1
Test case 2
Test case 3
Test case 4
[root@rt01 ~]# rpm -qa |grep vpn
nethserver-vpn-ui-1.2.10-1.1.gc3c4aa0.ns7.noarch
nethserver-openvpn-1.9.2-1.ns7.noarch
openvpn-2.4.8-1.el7.x86_64
Test Case 1 : OK
Fri Apr 3 08:33:18 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Apr 3 08:33:18 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Fri Apr 3 08:33:18 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Fri Apr 3 08:33:18 2020 MANAGEMENT: unix domain socket listening on /var/spool/openvpn/n2n-test-case-1
Fri Apr 3 08:33:18 2020 Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 3 08:33:18 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr 3 08:33:18 2020 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 3 08:33:18 2020 Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 3 08:33:18 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr 3 08:33:18 2020 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 3 08:33:18 2020 ROUTE_GATEWAY 192.168.179.1/255.255.255.0 IFACE=eth0 HWADDR=6a:01:b5:a0:6f:dd
Fri Apr 3 08:33:18 2020 TUN/TAP device tuntest-case-1 opened
Fri Apr 3 08:33:18 2020 TUN/TAP TX queue length set to 100
Fri Apr 3 08:33:18 2020 /sbin/ip link set dev tuntest-case-1 up mtu 1500
Fri Apr 3 08:33:18 2020 /sbin/ip addr add dev tuntest-case-1 local 10.212.156.1 peer 10.212.156.2
Fri Apr 3 08:33:18 2020 /sbin/ip route add 192.168.44.0/24 via 10.212.156.2
Fri Apr 3 08:33:18 2020 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Apr 3 08:33:18 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Apr 3 08:33:18 2020 UDPv4 link local (bound): [AF_INET][undef]:1204
Fri Apr 3 08:33:18 2020 UDPv4 link remote: [AF_UNSPEC]
Fri Apr 3 08:33:23 2020 MANAGEMENT: Client connected from /var/spool/openvpn/n2n-test-case-1
Fri Apr 3 08:33:23 2020 MANAGEMENT: CMD 'status 3'
Test Case 2 : OK
Fri Apr 3 08:40:18 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Fri Apr 3 08:40:18 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Fri Apr 3 08:40:18 2020 MANAGEMENT: unix domain socket listening on /var/spool/openvpn/n2n-test-c-2
Fri Apr 3 08:40:18 2020 Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 3 08:40:18 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr 3 08:40:18 2020 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 3 08:40:18 2020 Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 3 08:40:18 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr 3 08:40:18 2020 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 3 08:40:18 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr 3 08:40:18 2020 ROUTE_GATEWAY 192.168.179.1/255.255.255.0 IFACE=eth0 HWADDR=6a:01:b5:a0:6f:dd
Fri Apr 3 08:40:18 2020 TUN/TAP device tuntest-c-2 opened
Fri Apr 3 08:40:18 2020 TUN/TAP TX queue length set to 100
Fri Apr 3 08:40:18 2020 /sbin/ip link set dev tuntest-c-2 up mtu 1500
Fri Apr 3 08:40:18 2020 /sbin/ip addr add dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr 3 08:40:18 2020 /sbin/ip route add 192.168.165.0/24 via 10.23.221.2
Fri Apr 3 08:40:18 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr 3 08:40:18 2020 Could not determine IPv4/IPv6 protocol
Fri Apr 3 08:40:18 2020 /sbin/ip route del 192.168.165.0/24
Fri Apr 3 08:40:18 2020 Closing TUN/TAP interface
Fri Apr 3 08:40:18 2020 /sbin/ip addr del dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr 3 08:40:18 2020 SIGUSR1[soft,init_instance] received, process restarting
Fri Apr 3 08:40:18 2020 Restart pause, 5 second(s)
Fri Apr 3 08:40:23 2020 Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 3 08:40:23 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr 3 08:40:23 2020 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 3 08:40:23 2020 Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 3 08:40:23 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr 3 08:40:23 2020 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 3 08:40:23 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr 3 08:40:23 2020 ROUTE_GATEWAY 192.168.179.1/255.255.255.0 IFACE=eth0 HWADDR=6a:01:b5:a0:6f:dd
Fri Apr 3 08:40:23 2020 TUN/TAP device tuntest-c-2 opened
Fri Apr 3 08:40:23 2020 TUN/TAP TX queue length set to 100
Fri Apr 3 08:40:23 2020 /sbin/ip link set dev tuntest-c-2 up mtu 1500
Fri Apr 3 08:40:23 2020 /sbin/ip addr add dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr 3 08:40:23 2020 /sbin/ip route add 192.168.165.0/24 via 10.23.221.2
Fri Apr 3 08:40:23 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr 3 08:40:23 2020 Could not determine IPv4/IPv6 protocol
Fri Apr 3 08:40:23 2020 /sbin/ip route del 192.168.165.0/24
Fri Apr 3 08:40:23 2020 Closing TUN/TAP interface
Fri Apr 3 08:40:23 2020 /sbin/ip addr del dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr 3 08:40:23 2020 SIGUSR1[soft,init_instance] received, process restarting
Fri Apr 3 08:40:23 2020 Restart pause, 5 second(s)
Fri Apr 3 08:40:23 2020 MANAGEMENT: Client connected from /var/spool/openvpn/n2n-test-c-2
Fri Apr 3 08:40:23 2020 MANAGEMENT: CMD 'state'
Fri Apr 3 08:40:23 2020 MANAGEMENT: CMD 'state'
Fri Apr 3 08:40:23 2020 MANAGEMENT: CMD 'state'
Fri Apr 3 08:40:23 2020 MANAGEMENT: TCP recv error: Connection reset by peer
Fri Apr 3 08:40:23 2020 MANAGEMENT: Client disconnected
Fri Apr 3 08:40:28 2020 Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 3 08:40:28 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr 3 08:40:28 2020 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 3 08:40:28 2020 Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 3 08:40:28 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr 3 08:40:28 2020 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 3 08:40:28 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr 3 08:40:28 2020 ROUTE_GATEWAY 192.168.179.1/255.255.255.0 IFACE=eth0 HWADDR=6a:01:b5:a0:6f:dd
Fri Apr 3 08:40:28 2020 TUN/TAP device tuntest-c-2 opened
Fri Apr 3 08:40:28 2020 TUN/TAP TX queue length set to 100
Fri Apr 3 08:40:28 2020 /sbin/ip link set dev tuntest-c-2 up mtu 1500
Fri Apr 3 08:40:28 2020 /sbin/ip addr add dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr 3 08:40:28 2020 /sbin/ip route add 192.168.165.0/24 via 10.23.221.2
Fri Apr 3 08:40:28 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr 3 08:40:28 2020 Could not determine IPv4/IPv6 protocol
Fri Apr 3 08:40:28 2020 /sbin/ip route del 192.168.165.0/24
Fri Apr 3 08:40:28 2020 Closing TUN/TAP interface
Fri Apr 3 08:40:28 2020 /sbin/ip addr del dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr 3 08:40:28 2020 SIGUSR1[soft,init_instance] received, process restarting
Fri Apr 3 08:40:28 2020 Restart pause, 5 second(s)
Fri Apr 3 08:40:33 2020 Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 3 08:40:33 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr 3 08:40:33 2020 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 3 08:40:33 2020 Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 3 08:40:33 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr 3 08:40:33 2020 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 3 08:40:33 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr 3 08:40:33 2020 ROUTE_GATEWAY 192.168.179.1/255.255.255.0 IFACE=eth0 HWADDR=6a:01:b5:a0:6f:dd
Fri Apr 3 08:40:33 2020 TUN/TAP device tuntest-c-2 opened
Fri Apr 3 08:40:33 2020 TUN/TAP TX queue length set to 100
Fri Apr 3 08:40:33 2020 /sbin/ip link set dev tuntest-c-2 up mtu 1500
Fri Apr 3 08:40:33 2020 /sbin/ip addr add dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr 3 08:40:33 2020 /sbin/ip route add 192.168.165.0/24 via 10.23.221.2
Fri Apr 3 08:40:33 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr 3 08:40:33 2020 Could not determine IPv4/IPv6 protocol
Fri Apr 3 08:40:33 2020 /sbin/ip route del 192.168.165.0/24
Fri Apr 3 08:40:33 2020 Closing TUN/TAP interface
Fri Apr 3 08:40:33 2020 /sbin/ip addr del dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr 3 08:40:33 2020 SIGUSR1[soft,init_instance] received, process restarting
Fri Apr 3 08:40:33 2020 Restart pause, 5 second(s)
Test Case 3: OK
Fri Apr 3 08:50:06 2020 WARNING: file '/var/lib/nethserver/certs/clients/test-c3-c.pem' is group or others accessible
Fri Apr 3 08:50:06 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Fri Apr 3 08:50:06 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Fri Apr 3 08:50:06 2020 MANAGEMENT: unix domain socket listening on /var/spool/openvpn/n2n-test-c3-c
Fri Apr 3 08:50:06 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 3 08:50:06 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]8.8.8.8:12342
Fri Apr 3 08:50:06 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Apr 3 08:50:06 2020 UDP link local: (not bound)
Fri Apr 3 08:50:06 2020 UDP link remote: [AF_INET]8.8.8.8:12342
Fri Apr 3 08:50:12 2020 MANAGEMENT: Client connected from /var/spool/openvpn/n2n-test-c3-c
Fri Apr 3 08:50:12 2020 MANAGEMENT: CMD 'state'
Fri Apr 3 08:50:12 2020 MANAGEMENT: CMD 'state'
Fri Apr 3 08:50:12 2020 MANAGEMENT: CMD 'state'
Fri Apr 3 08:50:12 2020 MANAGEMENT: TCP recv error: Connection reset by peer
Fri Apr 3 08:50:12 2020 MANAGEMENT: Client disconnected
Test Case 4: OK. Can confirm: even when pasting a PSK or cert without a newline at the end of it, NS adds it by itself; if I edit the VPN tunnel/client, the newline at the end of the PSK/cert is auto-added.
Creating a new OVPN Server Tunnel (P2P) via Cockpit and pasting a PSK generated elsewhere, the configuration gets applied but the tunnel won't start if you don't add a newline at the end of the key.
Nethserver: Static Public IP
Other Side rt: Dynamic Public IP
Other Side rt
generate the PSK; for easy connection NS will be the Server Side, since it has a Static Public IP
Steps to reproduce
Expected behavior
OVPN Server Tunnel starts
Actual behavior
The VPN gets created in the GUI, but the logs report:
ERROR: Endtag </secret> missing
Checking the cfg file
[root@fw ~]# cat /etc/openvpn/s2svpn.conf
The </secret> ending tag is on the same line as the PSK; adding a few newlines allows the tunnel to come up without issue.
Components
nethserver-vpn-ui-1.2.10-1.ns7.noarch
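A check for the failure described in this issue, as an added example (not NethServer or OpenVPN code): `lint_inline_blocks` flags an inline block whose end tag does not start its own line, and `render_inline` writes the block so the newline is always present. The function names, the tag list and the sample key are constructed for illustration.

```python
import re

# Inline block names checked here; the list is an assumption, extend as needed.
INLINE_TAGS = ("secret", "ca", "cert", "key", "tls-auth", "tls-crypt")


def render_inline(tag, material):
    """Emit an inline block whose end tag always sits on its own line."""
    body = material.replace("\r\n", "\n").strip("\n")
    return f"<{tag}>\n{body}\n</{tag}>\n"


def lint_inline_blocks(config_text):
    """Return (line_no, tag, problem) for each inline block whose end tag
    does not begin a line, modelling the 'Endtag missing' error above."""
    findings = []
    open_tag, open_line = None, 0
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if open_tag is None:
            m = re.fullmatch(r"<([a-z-]+)>", line)
            if m and m.group(1) in INLINE_TAGS:
                open_tag, open_line = m.group(1), no
            continue
        end = f"</{open_tag}>"
        if line.startswith(end):
            open_tag = None          # properly closed
        elif end in line:
            findings.append((no, open_tag, "end tag shares a line with key material"))
            open_tag = None
    if open_tag is not None:
        findings.append((open_line, open_tag, "end tag missing"))
    return findings


# Constructed sample: a pasted PSK with no trailing newline (not a real key).
PSK = ("-----BEGIN OpenVPN Static key V1-----\n"
       "00112233445566778899aabbccddeeff\n"
       "-----END OpenVPN Static key V1-----")
BROKEN = "dev tun\n<secret>\n" + PSK + "</secret>\n"   # naive concatenation
FIXED = "dev tun\n" + render_inline("secret", PSK)

if __name__ == "__main__":
    print(lint_inline_blocks(BROKEN))
    print(lint_inline_blocks(FIXED))
```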