Moin zusammen!
Ich zerbreche mir jetzt seit ein paar Tagen schon den Kopf wegen eines Kollegen, bei dem sein VPN "plötzlich" nicht mehr funktioniert.
Änderungen gab es keine (zumindest nicht bewusst), was das Ganze noch merkwürdiger macht; ich bin langsam der Meinung, dass sein Provider zuhause etwas geändert hat, sodass der Reconnect beim Ablauf der Session nicht funktioniert. Für andere funktioniert das VPN nach wie vor einwandfrei.
Genutzt wird OpenVPN auf einer pfSense (2.4.4-RELEASE-p3). Authentifizierung läuft über RADIUS.
Die Logs des Clients melden "recursive routing detected", die pfSense "tls key negotiation failed to occur within 60 seconds tls handshake failed".
(der oben angesprochene TLS-Error fehlt in diesem Ausschnitt). Der Ausschnitt zeigt stattdessen etwas anderes: Der TLS-Handshake kommt zustande ("Control Channel: TLSv1.2 ..."), der Auth-Plugin-Aufruf für 'Benutzer' wird mit status=2 zurückgestellt (deferred), endet dann mit "user 'Benutzer' could not authenticate", und der Server schickt AUTH_FAILED. Das ist eine Ablehnung durch das Authentifizierungs-Backend (hier RADIUS), kein TLS- oder Provider-Problem – der RADIUS-Server bzw. dessen Logs wären der nächste Anlaufpunkt.
Hat jemand noch ne Idee? Ich hab den Spaß nicht aufgesetzt, diesen lediglich übernommen.
Für jeglichen Input bin ich sehr dankbar!
Beste Grüße,
Charlie
Ich zerbreche mir jetzt seit ein paar Tagen schon den Kopf wegen eines Kollegen, bei dem sein VPN "plötzlich" nicht mehr funktioniert.
Änderungen gab es keine (zumindest nicht bewusst), was das Ganze noch merkwürdiger macht; ich bin langsam der Meinung, dass sein Provider zuhause etwas geändert hat, sodass der Reconnect beim Ablauf der Session nicht funktioniert. Für andere funktioniert das VPN nach wie vor einwandfrei.
Genutzt wird OpenVPN auf einer pfSense (2.4.4-RELEASE-p3). Authentifizierung läuft über RADIUS.
Die Logs des Clients melden "recursive routing detected", die pfSense "tls key negotiation failed to occur within 60 seconds tls handshake failed".
# OpenVPN 2.4 client profile exported by pfSense for the UDP/1194 server instance.
# Reviewer notes are comments only; every directive is unchanged.
dev tun
persist-tun
persist-key
# Fallback cipher for peers without cipher negotiation; with ncp-ciphers below the
# data channel negotiates AES-GCM (the server side lists the same two ciphers).
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
# HMAC for the CBC data channel and for the tls-auth control-channel key.
auth SHA256
tls-client
client
# Keep retrying DNS resolution of the remote forever on (re)connects.
resolv-retry infinite
remote owa.xxxxxxx.de 1194 udp
# Credentials are prompted interactively (no stored password file). This
# username/password is the only client identity the server checks — the profile
# carries no client certificate, only the CA and the shared HMAC key below.
auth-user-pass
ca xxxFirewall-UDP4-1194-ca.crt
# Control-channel HMAC key, key direction 1 (the server uses 0). A peer without
# this key cannot even start the TLS handshake.
tls-auth xxxFirewall-UDP4-1194-tls.key 1
# Rejects a server whose certificate lacks the server role (EKU/nsCertType), so a
# client-type certificate from the same CA cannot impersonate the gateway. No
# verify-x509-name is set, so any CA-issued certificate with the server role is
# accepted — TODO consider pinning the server CN.
remote-cert-tls server
# Second copy of the pfSense-exported client profile (the forum paste repeats it;
# this copy lacks the leading "dev tun" line). Reviewer notes as comments only.
persist-tun
persist-key
# CBC is only the fallback for non-negotiating peers; AES-GCM is negotiated via
# ncp-ciphers when both sides support it.
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote owa.xxxxxxx.de 1194 udp
# Interactive username/password — the sole per-user credential in this setup,
# since no client certificate is shipped with the profile.
auth-user-pass
ca xxxFirewall-UDP4-1194-ca.crt
# Shared control-channel HMAC key, direction 1 (server direction 0).
tls-auth xxxFirewall-UDP4-1194-tls.key 1
# Requires the server role in the peer certificate; without an additional
# verify-x509-name any server-role certificate from this CA is trusted.
remote-cert-tls server
# Head of the pfSense-generated /var/etc/openvpn/server1.conf (this paste is cut
# off after tls-server; the complete file appears further down in the post).
# Reviewer notes are comments only; directives are unchanged.
dev ovpns1
verb 3
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
# Privilege drop is disabled: the daemon keeps the identity it was started with
# (on pfSense presumably root) for its whole lifetime, and the up/down and
# client-connect/disconnect scripts below run with that same identity.
#user nobody
#group nobody
# Level 3 permits calling external scripts/plugins AND passes the user's password
# to them through environment variables — every hook script on this host sees
# cleartext credentials. Needed for the deferred RADIUS auth, but worth knowing.
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
# Fallback cipher only; NCP-capable clients negotiate AES-GCM (see ncp-ciphers
# in the full listing).
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
# Masked WAN address — octets above 255 are the poster's placeholder, not a real IP.
local 66.666.66.666
# All OpenSSL randomness is taken from the CPU RDRAND engine, a single hardware
# entropy source with no mixing from the OS pool — TODO confirm this is intended.
engine rdrand
tls-server
server1.conf: unmodified: line 1
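# pfSense-generated /var/etc/openvpn/server1.conf (this paste ends after
# block-outside-dns). Fix applied: the "plugin" line had been wrapped by the
# forum so that its fourth argument read "fals" with a stray "e" on the next
# line — OpenVPN would reject "e" as an unknown directive. It is one line again.
# All other directives are unchanged; comments are reviewer notes.
dev ovpns1
verb 3
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
# Privilege drop disabled: the daemon and every hook script below keep the
# start-up identity (on pfSense presumably root).
#user nobody
#group nobody
# Level 3 lets external scripts run AND hands the user's password to them via
# environment variables; all hook scripts see cleartext credentials.
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
# Fallback cipher for non-negotiating peers; NCP clients get AES-GCM.
cipher AES-256-CBC
# HMAC for the CBC data channel and the tls-auth control-channel key.
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
# Masked WAN address (placeholder, octets > 255).
local 66.666.66.666
# Sole RNG source is the CPU RDRAND engine — TODO confirm this is intended.
engine rdrand
tls-server
# /27 tunnel network: 30 usable addresses, consistent with max-clients 20.
server 192.168.10.0 255.255.255.224
client-config-dir /var/etc/openvpn-csc/server1
# No client certificate is required or checked; with username-as-common-name
# the username/password verified by the plugin below (RADIUS per the post) plus
# the shared tls-auth key are the only things identifying a client.
verify-client-cert none
username-as-common-name
# Deferred username/password verification (the log shows status=2 = deferred,
# the verdict comes from ovpn_auth_verify_async). The base64 argument was not
# masked like the hostnames and is trivially reversible — presumably the name
# of the pfSense authentication server; "false" presumably the strict-CN flag.
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user SGFlbmRzY2hrZS1OUFM= false server1 1194
# Certificate hook; with verify-client-cert none a client presents no
# certificate, so in the normal case this has nothing to check. Its exact
# checks live in the pfSense script, not in this listing.
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'owa.xxxxxxx.de' 1"
lport 1194
# Local management interface on a UNIX socket; whoever can open the socket can
# inspect and disconnect clients — access is the socket's file permissions.
management /var/etc/openvpn/server1.sock unix
max-clients 20
push "dhcp-option DOMAIN xxxxxxx.local"
push "dhcp-option DNS 192.168.1.204"
# A public resolver is pushed next to the internal one. Windows does not pick a
# resolver per domain, so lookups for xxxxxxx.local and internal host names can
# go to 8.8.8.8 (through the tunnel, so block-outside-dns does not stop them).
# Drop this line if 192.168.1.204 is reachable through the tunnel.
push "dhcp-option DNS 8.8.8.8"
# Windows-only: blocks DNS on interfaces other than the tunnel adapter.
push "block-outside-dns"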
# Complete pfSense-generated /var/etc/openvpn/server1.conf (pfSense 2.4.4-p3 per
# the post). Reviewer notes are comments only; every directive is unchanged.
dev ovpns1
verb 3
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
# Privilege drop is disabled: the daemon keeps the identity it was started with
# (on pfSense presumably root) for its whole lifetime, and the up/down and
# client-connect/disconnect scripts below run with that same identity.
#user nobody
#group nobody
# Level 3 permits calling external scripts/plugins AND passes the user's password
# to them through environment variables — every hook script on this host sees
# cleartext credentials. Required for the deferred RADIUS auth below.
script-security 3
daemon
# 10 s pings; the restart timeout is derived from the 60 s value (OpenVPN uses a
# longer timeout on the server side and pushes the values to clients) — relevant
# to the "reconnect after session expiry" question in the post.
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
# Fallback cipher for peers without cipher negotiation; NCP-capable clients
# (the log shows IV_NCP=2) negotiate AES-GCM via ncp-ciphers below.
cipher AES-256-CBC
# HMAC for the CBC data channel and for the tls-auth control-channel key.
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
# Masked WAN address — octets above 255 are the poster's placeholder, not a real IP.
local 66.666.66.666
# All OpenSSL randomness is taken from the CPU RDRAND engine, a single hardware
# entropy source with no mixing from the OS pool — TODO confirm this is intended.
engine rdrand
tls-server
# /27 tunnel network: 30 usable client addresses, consistent with max-clients 20.
server 192.168.10.0 255.255.255.224
client-config-dir /var/etc/openvpn-csc/server1
# No client certificate is required or checked. Together with
# username-as-common-name, the username/password verified by the plugin below
# (RADIUS per the post) and the shared tls-auth HMAC key are the only things
# identifying a client — a leaked password plus the exported profile is enough.
verify-client-cert none
username-as-common-name
# Deferred username/password verification (the log shows status=2 = deferred;
# the verdict comes from ovpn_auth_verify_async and ended in AUTH_FAILED for
# this user). The base64 argument was not masked like the hostnames and is
# trivially reversible — presumably the name of the pfSense authentication
# server; "false" presumably the strict-CN flag.
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user SGFlbmRzY2hrZS1OUFM= false server1 1194
# Certificate hook; with verify-client-cert none a client presents no
# certificate, so in the normal case this has nothing to check. Its exact
# checks live in the pfSense script, which is not part of this listing.
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'owa.xxxxxxx.de' 1"
lport 1194
# Local management interface on a UNIX socket; whoever can open the socket can
# inspect and disconnect clients — access is governed by the socket's file
# permissions only.
management /var/etc/openvpn/server1.sock unix
max-clients 20
push "dhcp-option DOMAIN xxxxxxx.local"
push "dhcp-option DNS 192.168.1.204"
# A public resolver is pushed next to the internal one. Windows does not pick a
# resolver per domain, so lookups for xxxxxxx.local and internal host names can
# be sent to 8.8.8.8 — through the tunnel (redirect-gateway below), so
# block-outside-dns does not prevent it. Drop this line if 192.168.1.204 is
# reachable for all tunnel clients.
push "dhcp-option DNS 8.8.8.8"
# Windows-only: blocks DNS on every interface except the tunnel adapter.
push "block-outside-dns"
push "register-dns"
push "dhcp-option NTP 192.168.1.204"
# Full tunnel: every client packet is routed into the VPN. Together with
# persist-tun on the client, the client-side "recursive routing detected"
# message from the post fits a restart in which a packet for the VPN server's
# own address would be sent into the tunnel — worth checking before blaming
# the ISP (hedged: the client log itself is not in the post).
push "redirect-gateway def1"
# Clients are forwarded to each other inside OpenVPN rather than through the
# host's routing and packet filter, so pf rules on the OpenVPN interface do not
# apply between clients; a compromised laptop can reach every other connected
# client directly. Remove unless client-to-client traffic is actually needed.
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
# Control-channel HMAC with key direction 0; the exported client profile uses
# direction 1, as required.
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-256-GCM:AES-128-GCM
persist-remote-ip
# Accept packets from a changed source address/port as long as they pass the
# HMAC/session check — roaming clients are allowed, so tls-auth is what prevents
# session hijacking from a spoofed source.
float
topology subnet
# Not set anywhere in this listing: tls-version-min. The log shows TLSv1.2 for
# this client, but a client offering an older TLS version would presumably be
# accepted with OpenVPN 2.4 defaults — TODO consider tls-version-min 1.2.
# Second truncated copy of the server1.conf head (this paste starts at "verb 3"
# and stops after tls-server). Reviewer notes are comments only.
verb 3
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
# Privilege drop disabled: the daemon and all hook scripts keep the start-up
# identity (on pfSense presumably root).
#user nobody
#group nobody
# Level 3 allows external scripts AND passes the user's password to them via
# environment variables — hook scripts see cleartext credentials.
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
# Fallback cipher only; NCP-capable clients negotiate AES-GCM.
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
# Masked WAN address (placeholder, octets > 255).
local 66.666.66.666
# Sole RNG source is the CPU RDRAND engine — TODO confirm this is intended.
engine rdrand
tls-server
server1.conf: unmodified: line 1
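# pfSense-generated /var/etc/openvpn/server1.conf (this paste ends after
# block-outside-dns). Fix applied: the "plugin" line had been wrapped by the
# forum so that its fourth argument read "fals" with a stray "e" on the next
# line — OpenVPN would reject "e" as an unknown directive. It is one line again.
# All other directives are unchanged; comments are reviewer notes.
dev ovpns1
verb 3
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
# Privilege drop disabled: the daemon and every hook script below keep the
# start-up identity (on pfSense presumably root).
#user nobody
#group nobody
# Level 3 lets external scripts run AND hands the user's password to them via
# environment variables; all hook scripts see cleartext credentials.
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
# Fallback cipher for non-negotiating peers; NCP clients get AES-GCM.
cipher AES-256-CBC
# HMAC for the CBC data channel and the tls-auth control-channel key.
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
# Masked WAN address (placeholder, octets > 255).
local 66.666.66.666
# Sole RNG source is the CPU RDRAND engine — TODO confirm this is intended.
engine rdrand
tls-server
# /27 tunnel network: 30 usable addresses, consistent with max-clients 20.
server 192.168.10.0 255.255.255.224
client-config-dir /var/etc/openvpn-csc/server1
# No client certificate is required or checked; with username-as-common-name
# the username/password verified by the plugin below (RADIUS per the post) plus
# the shared tls-auth key are the only things identifying a client.
verify-client-cert none
username-as-common-name
# Deferred username/password verification (the log shows status=2 = deferred,
# the verdict comes from ovpn_auth_verify_async). The base64 argument was not
# masked like the hostnames and is trivially reversible — presumably the name
# of the pfSense authentication server; "false" presumably the strict-CN flag.
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user SGFlbmRzY2hrZS1OUFM= false server1 1194
# Certificate hook; with verify-client-cert none a client presents no
# certificate, so in the normal case this has nothing to check. Its exact
# checks live in the pfSense script, not in this listing.
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'owa.xxxxxxx.de' 1"
lport 1194
# Local management interface on a UNIX socket; whoever can open the socket can
# inspect and disconnect clients — access is the socket's file permissions.
management /var/etc/openvpn/server1.sock unix
max-clients 20
push "dhcp-option DOMAIN xxxxxxx.local"
push "dhcp-option DNS 192.168.1.204"
# A public resolver is pushed next to the internal one. Windows does not pick a
# resolver per domain, so lookups for xxxxxxx.local and internal host names can
# go to 8.8.8.8 (through the tunnel, so block-outside-dns does not stop them).
# Drop this line if 192.168.1.204 is reachable through the tunnel.
push "dhcp-option DNS 8.8.8.8"
# Windows-only: blocks DNS on interfaces other than the tunnel adapter.
push "block-outside-dns"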
# Complete pfSense-generated /var/etc/openvpn/server1.conf (second copy in the
# post). Reviewer notes are comments only; every directive is unchanged.
dev ovpns1
verb 3
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
# Privilege drop is disabled: the daemon keeps the identity it was started with
# (on pfSense presumably root), and the up/down and client-connect/disconnect
# scripts below run with that same identity.
#user nobody
#group nobody
# Level 3 permits calling external scripts/plugins AND passes the user's password
# to them through environment variables — every hook script on this host sees
# cleartext credentials. Required for the deferred RADIUS auth below.
script-security 3
daemon
# 10 s pings; the restart timeout is derived from the 60 s value and pushed to
# clients — relevant to the "reconnect after session expiry" question.
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
# Fallback cipher for peers without cipher negotiation; NCP-capable clients
# (the log shows IV_NCP=2) negotiate AES-GCM via ncp-ciphers below.
cipher AES-256-CBC
# HMAC for the CBC data channel and for the tls-auth control-channel key.
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
# Masked WAN address — octets above 255 are the poster's placeholder.
local 66.666.66.666
# All OpenSSL randomness comes from the CPU RDRAND engine, a single hardware
# entropy source with no mixing from the OS pool — TODO confirm this is intended.
engine rdrand
tls-server
# /27 tunnel network: 30 usable client addresses, consistent with max-clients 20.
server 192.168.10.0 255.255.255.224
client-config-dir /var/etc/openvpn-csc/server1
# No client certificate is required or checked. Together with
# username-as-common-name, the username/password verified by the plugin below
# (RADIUS per the post) and the shared tls-auth HMAC key are the only things
# identifying a client — a leaked password plus the exported profile is enough.
verify-client-cert none
username-as-common-name
# Deferred username/password verification (status=2 = deferred in the log; the
# verdict from ovpn_auth_verify_async ended in AUTH_FAILED for this user). The
# base64 argument was not masked like the hostnames and is trivially reversible
# — presumably the name of the pfSense authentication server; "false"
# presumably the strict-CN flag.
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user SGFlbmRzY2hrZS1OUFM= false server1 1194
# Certificate hook; with verify-client-cert none a client presents no
# certificate, so in the normal case this has nothing to check. Its exact
# checks live in the pfSense script, which is not part of this listing.
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'owa.xxxxxxx.de' 1"
lport 1194
# Local management interface on a UNIX socket; whoever can open the socket can
# inspect and disconnect clients — access is governed by file permissions only.
management /var/etc/openvpn/server1.sock unix
max-clients 20
push "dhcp-option DOMAIN xxxxxxx.local"
push "dhcp-option DNS 192.168.1.204"
# A public resolver is pushed next to the internal one. Windows does not pick a
# resolver per domain, so lookups for xxxxxxx.local and internal host names can
# be sent to 8.8.8.8 — through the tunnel (redirect-gateway below), so
# block-outside-dns does not prevent it. Drop this line if 192.168.1.204 is
# reachable for all tunnel clients.
push "dhcp-option DNS 8.8.8.8"
# Windows-only: blocks DNS on every interface except the tunnel adapter.
push "block-outside-dns"
push "register-dns"
push "dhcp-option NTP 192.168.1.204"
# Full tunnel: every client packet is routed into the VPN. Together with
# persist-tun on the client, the client-side "recursive routing detected"
# message from the post fits a restart in which a packet for the VPN server's
# own address would be sent into the tunnel — worth checking before blaming
# the ISP (hedged: the client log itself is not in the post).
push "redirect-gateway def1"
# Clients are forwarded to each other inside OpenVPN rather than through the
# host's routing and packet filter, so pf rules on the OpenVPN interface do not
# apply between clients; a compromised laptop can reach every other connected
# client directly. Remove unless client-to-client traffic is actually needed.
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
# Control-channel HMAC with key direction 0; the exported client profile uses
# direction 1, as required.
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-256-GCM:AES-128-GCM
persist-remote-ip
# Accept packets from a changed source address/port as long as they pass the
# HMAC/session check — roaming is allowed, so tls-auth is what prevents session
# hijacking from a spoofed source.
float
topology subnet
# Not set anywhere in this listing: tls-version-min. The log shows TLSv1.2 for
# this client, but a client offering an older TLS version would presumably be
# accepted with OpenVPN 2.4 defaults — TODO consider tls-version-min 1.2.
pfSense Log:
Feb 12 08:58:02 openvpn 9240 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Feb 12 08:57:50 openvpn 9240 12.3.456.789:5626 SIGTERM[soft,delayed-exit] received, client-instance exiting
Feb 12 08:57:44 openvpn 9240 12.3.456.789:5626 SENT CONTROL [Benutzer]: 'AUTH_FAILED' (status=1)
Feb 12 08:57:44 openvpn 9240 12.3.456.789:5626 Delayed exit in 5 seconds
Feb 12 08:57:44 openvpn 9240 12.3.456.789:5626 PUSH: Received control message: 'PUSH_REQUEST'
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 [Benutzer] Peer Connection Initiated with [AF_INET]12.3.456.789:5626
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Feb 12 08:57:43 openvpn user 'Benutzer' could not authenticate.
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 TLS: Username/Password authentication deferred for username 'Benutzer' [CN SET]
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_GUI_VER=OpenVPN_GUI_11
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_TCPNL=1
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_COMP_STUBv2=1
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_COMP_STUB=1
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_LZO=1
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_LZ4v2=1
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_LZ4=1
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_NCP=2
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_PROTO=2
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_PLAT=win
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_VER=2.4.4
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 TLS: Initial packet from [AF_INET]12.3.456.789:5626, sid=588b2104 1bcabac2
Feb 12 08:58:02 openvpn 9240 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Feb 12 08:57:50 openvpn 9240 12.3.456.789:5626 SIGTERM[soft,delayed-exit] received, client-instance exiting
Feb 12 08:57:44 openvpn 9240 12.3.456.789:5626 SENT CONTROL [Benutzer]: 'AUTH_FAILED' (status=1)
Feb 12 08:57:44 openvpn 9240 12.3.456.789:5626 Delayed exit in 5 seconds
Feb 12 08:57:44 openvpn 9240 12.3.456.789:5626 PUSH: Received control message: 'PUSH_REQUEST'
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 [Benutzer] Peer Connection Initiated with [AF_INET]12.3.456.789:5626
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Feb 12 08:57:43 openvpn user 'Benutzer' could not authenticate.
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 TLS: Username/Password authentication deferred for username 'Benutzer' [CN SET]
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_GUI_VER=OpenVPN_GUI_11
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_TCPNL=1
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_COMP_STUBv2=1
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_COMP_STUB=1
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_LZO=1
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_LZ4v2=1
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_LZ4=1
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_NCP=2
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_PROTO=2
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_PLAT=win
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 peer info: IV_VER=2.4.4
Feb 12 08:57:43 openvpn 9240 12.3.456.789:5626 TLS: Initial packet from [AF_INET]12.3.456.789:5626, sid=588b2104 1bcabac2
Hat jemand noch ne Idee? Ich hab den Spaß nicht aufgesetzt, diesen lediglich übernommen.
Für jeglichen Input bin ich sehr dankbar!
Beste Grüße,
Charlie