Closed PennyLook closed 10 months ago
Hi @PennyLook, It is a matter of server/clients configuration. Please share your server.conf and client.ovpn I'll have a look on it.
@d3vilh
server.conf:
management 0.0.0.0 2080
port 1194
proto udp
dev tun
tls-version-min 1.0
ca pki/ca.crt
cert pki/issued/server.crt
key pki/private/server.key
cipher AES-256-CBC
auth SHA512
dh pki/dh.pem
server 10.0.0.0 255.255.255.0
route 10.0.1.0 255.255.255.0
ifconfig-pool-persist pki/ipp.txt
push "route 10.0.60.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
max-clients 100
persist-key
persist-tun
log /var/log/openvpn/openvpn.log
verb 3
topology subnet
client-config-dir /etc/openvpn/staticclients
push "redirect-gateway def1 bypass-dhcp"
ncp-ciphers AES-256-GCM:AES-192-GCM:AES-128-GCM
user nobody
group nogroup
status /var/log/openvpn/openvpn-status.log
explicit-exit-notify 1
crl-verify pki/crl.pem
#auto generated by OpenVPN-UI
I added an additional tls-version-min 1.0 because I found such a solution somewhere; however, it does not help at all.
client config:
client
dev tun
proto udp
remote <PUBLIC_SERVER_IP> 1194 udp
resolv-retry infinite
user nobody
group nogroup
persist-tun
persist-key
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-client
redirect-gateway def1
verb 3
<ca>
<GENERATED_CA_VALUE_HERE>
</ca>
<cert>
<GENERATED_CERT_VALUE_HERE>
</cert>
<key>
<GENERATED_PRIVATE_KEY_VALUE_HERE>
</key>
Client output from openvpn --version:
OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 21 2010
@PennyLook any chance you can extract a working server config from the kylemann image?
@d3vilh sure
config from the container level, /etc/openvpn:
server 192.168.0.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/<SERVER_PUBLIC_IP>.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/<SERVER_PUBLIC_IP>.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun
proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log
user nobody
group nogroup
comp-lzo no
### Route Configurations Below
route 192.168.254.0 255.255.255.0
### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"
maybe tls-auth is required to work with the OpenVPN version 2.1.3 client? And I store the static IPs for clients in the configuration under the /ccd dir, as default.
client config from the kylemann image:
client
nobind
dev tun
remote-cert-tls server
remote <SERVER_PUBLIC_IP> 1194 udp
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
redirect-gateway def1
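The two server configs posted in this thread differ in several control-channel settings, and the tls-auth question above can be settled by diffing their directives. What follows is an added example, my own code and not from d3vilh/openvpn-server, kylemann/openvpn or anyone in this thread: it parses an OpenVPN config and reports the settings a reviewer would look at first (a tls-version-min floor below 1.2, a management interface bound outside loopback with no password file, no tls-auth/tls-crypt, a CBC data-channel fallback cipher, a missing crl-verify, no user/group privilege drop), then lists the directive names one config has that the other lacks. The finding codes, severities and the LOOPBACK set are my own choices; the embedded configs are abridged copies of the two server configs above. It audits the server's hardening only; it says nothing about whether the 2.1.3 client can complete the handshake, and raising the TLS floor would not help that client.

```python
"""Audit OpenVPN server configs for control-channel settings (added example, not project code)."""
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    code: str       # stable identifier (my own naming)
    severity: str   # "high", "medium" or "info" (my own grading, not OpenVPN's)
    message: str


# Abridged from the d3vilh/openvpn-server config posted earlier in this thread.
D3VILH_SERVER_CONF = """
management 0.0.0.0 2080
port 1194
proto udp
dev tun
tls-version-min 1.0
ca pki/ca.crt
cert pki/issued/server.crt
key pki/private/server.key
cipher AES-256-CBC
auth SHA512
server 10.0.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ncp-ciphers AES-256-GCM:AES-192-GCM:AES-128-GCM
user nobody
group nogroup
crl-verify pki/crl.pem
#auto generated by OpenVPN-UI
"""

# Abridged from the kylemann/openvpn config posted above.
KYLEMANN_SERVER_CONF = """
server 192.168.0.0 255.255.255.0
key /etc/openvpn/pki/private/<SERVER_PUBLIC_IP>.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/<SERVER_PUBLIC_IP>.crt
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
user nobody
group nogroup
comp-lzo no
push "block-outside-dns"
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_openvpn_config(text):
    """Return {directive: [args, ...]}, keeping repeated directives (push, route) in order.

    '#' and ';' start comments. Inline <ca>...</ca> style blocks are skipped,
    because their bodies are PEM data rather than directives.
    """
    directives, inline_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_block:                      # inside <tag> ... </tag>
            if line == f"</{inline_block}>":
                inline_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_block = line[1:-1]
            continue
        parts = shlex.split(line, comments=True)   # honours quoted push "..." args
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def audit_server_config(text):
    """Apply the checks discussed in the thread and return a list of Finding."""
    d, out = parse_openvpn_config(text), []
    for args in d.get("tls-version-min", []):
        major, minor = (int(x) for x in args[0].split("."))
        if (major, minor) < (1, 2):
            out.append(Finding("TLS_FLOOR_BELOW_1_2", "high",
                               f"tls-version-min {args[0]} accepts TLS < 1.2 handshakes"))
    for args in d.get("management", []):
        if len(args) < 2 or args[1] == "unix":   # unix socket: file permissions gate access
            continue
        if args[0] not in LOOPBACK and len(args) < 3:   # third arg would be the password file
            out.append(Finding("MGMT_UNAUTH_NON_LOOPBACK", "high",
                               f"management on {args[0]}:{args[1]} without a password file"))
    if not any(k in d for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        out.append(Finding("NO_CONTROL_CHANNEL_HMAC", "medium",
                           "no tls-auth/tls-crypt: unauthenticated packets reach the TLS stack"))
    for args in d.get("cipher", []):
        if args and args[0].upper().endswith("-CBC"):
            out.append(Finding("LEGACY_CBC_CIPHER", "info",
                               f"cipher {args[0]} is the fallback for clients without cipher negotiation"))
    if "crl-verify" not in d:
        out.append(Finding("NO_CRL", "medium", "no crl-verify: revoked client certs are still accepted"))
    if "user" not in d or "group" not in d:
        out.append(Finding("NO_PRIV_DROP", "medium", "no user/group: daemon keeps root after startup"))
    return out


def directive_diff(text_a, text_b):
    """Directive names only in A and only in B: what one setup has that the other lacks."""
    a, b = set(parse_openvpn_config(text_a)), set(parse_openvpn_config(text_b))
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    for name, conf in (("d3vilh", D3VILH_SERVER_CONF), ("kylemann", KYLEMANN_SERVER_CONF)):
        for f in audit_server_config(conf):
            print(f"{name}: [{f.severity}] {f.code}: {f.message}")
    only_d3, only_ky = directive_diff(D3VILH_SERVER_CONF, KYLEMANN_SERVER_CONF)
    print("only in d3vilh:", only_d3)
    print("only in kylemann:", only_ky)
```

Run as a script it prints the findings for each config and the directive diff; the diff shows tls-auth and key-direction are exactly what the kylemann server has and the generated one lacks. On the management finding: inside the container the 0.0.0.0 bind is presumably there so the OpenVPN-UI container can reach port 2080 over the Docker network, which limits who can talk to it but does not add authentication, so treat the finding as a prompt to check what that network is reachable from.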
@d3vilh
I tried to somehow check the TLS discrepancies. On the client where the problem is, the command openssl ciphers -v | awk '{print $2}' | sort | uniq returns:
openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv2
SSLv3
On a client that has no connection problem:
openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1
TLSv1.2
server from container level:
openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1
TLSv1.2
TLSv1.3
Is it possible to install another version of openvpn via docker-compose? Because currently it is like this:
build: ./openvpn-docker
#image: d3vilh/openvpn-server:latest
As per the output, your problematic client does not support TLS and it will not be able to connect to the OpenVPN server. This is because TLS is required for secure communication between the client and the server.
You could try configuring the OpenVPN server to support SSLv2 or SSLv3, but this is not recommended as these protocols are also considered insecure and have been deprecated.
Try to update easyrsa on that client; if it won't support a newer version, you had better give up on it, as I strongly do not recommend going without TLS.
However, if you still would like to, you would need to modify the openssl.cnf file and regenerate the server certificate and all the client certificates with the new settings.
Again, this is not recommended as it would weaken the security of your VPN.
Hello, I noticed problems on the client with OpenVPN version 2.1.x. Example:
OpenVPN version 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 21 2010
The solution could be to update the OpenVPN client, but this is not always possible.
In the case of using OpenVPN kylemann/openvpn it works without problems, even on version 2.1.3. Logs from OpenVPN server: