On 12/12/23 16:06, Gert Doering wrote:
> I guess that this is a multihome-vs-dco thing. FreeBSD 14 supports kernel level OpenVPN (DCO) and so does 2.6.x - but on a server with multiple IP addresses, this does not (always?) work correctly - we have an open bug for that, but nobody had time to really closely look into it yet.
>
> Can you try adding "disable-dco" and "multihome" to your server config? ("multihome" should be there already if the server has multiple IP addresses, but "disable-dco" would be new)
Thanks for your response. But with the two options "disable-dco" and "multihome" added, the problem still exists.

First, I tried to restart the server. Only the client from the LAN was able to connect (the client outside on the WAN failed to connect).
From the Windows 10 client inside the LAN (SERVER LOG) (SUCCESSFUL):

[...]
2023-12-12 18:05:19 us=766899 OpenVPN 2.6.8 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
2023-12-12 18:05:19 us=766905 library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10
2023-12-12 18:05:19 us=766919 DCO version: FreeBSD 14.0-RELEASE-p2 #0: Tue Dec 5 00:31:31 UTC 2023 r...@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC
2023-12-12 18:05:19 us=767278 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:5555
2023-12-12 18:05:19 us=767721 GDG: problem writing to routing socket
2023-12-12 18:05:19 us=769301 Diffie-Hellman initialized with 2048 bit key
2023-12-12 18:05:19 us=771927 CRL: loaded 1 CRLs from file /usr/local/etc/openvpn/easy-rsa/pki/crl.pem
2023-12-12 18:05:19 us=772221 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-12-12 18:05:19 us=772233 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-12-12 18:05:19 us=772424 TLS-Auth MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2023-12-12 18:05:19 us=772552 TUN/TAP device /dev/tun1 opened
2023-12-12 18:05:19 us=772561 do_ifconfig, ipv4=1, ipv6=0
2023-12-12 18:05:19 us=772570 /sbin/ifconfig tun1 10.20.30.1/26 mtu 1500 up
2023-12-12 18:05:19 us=773791 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2023-12-12 18:05:19 us=773959 Could not determine IPv4/IPv6 protocol. Using AF_INET6
2023-12-12 18:05:19 us=773972 Socket Buffers: R=[42080->42080] S=[9216->9216]
2023-12-12 18:05:19 us=773976 setsockopt(IPV6_V6ONLY=0)
2023-12-12 18:05:19 us=773989 UDPv6 link local (bound): [AF_INET6][undef]:5276
2023-12-12 18:05:19 us=773994 UDPv6 link remote: [AF_UNSPEC]
2023-12-12 18:05:19 us=774009 GID set to openvpn
2023-12-12 18:05:19 us=774017 UID set to openvpn
2023-12-12 18:05:19 us=774028 MULTI: multi_init called, r=256 v=256
2023-12-12 18:05:19 us=774047 IFCONFIG POOL IPv4: base=10.20.30.2 size=61
2023-12-12 18:05:19 us=774078 Initialization Sequence Completed
2023-12-12 18:05:35 us=47125 Connection Attempt MULTI: multi_create_instance called
2023-12-12 18:05:35 us=47152 192.168.99.15:55593 Re-using SSL/TLS context
2023-12-12 18:05:35 us=47204 192.168.99.15:55593 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-12-12 18:05:35 us=47212 192.168.99.15:55593 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-12-12 18:05:35 us=47773 192.168.99.15:55593 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2023-12-12 18:05:35 us=47780 192.168.99.15:55593 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2023-12-12 18:05:35 us=55101 192.168.99.15:55593 VERIFY OK: depth=1, CN=STUDIO FAMILY KARAOKE (CAV-X7)
2023-12-12 18:05:35 us=55205 192.168.99.15:55593 VERIFY KU OK
2023-12-12 18:05:35 us=55212 192.168.99.15:55593 Validating certificate extended key usage
2023-12-12 18:05:35 us=55216 192.168.99.15:55593 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
2023-12-12 18:05:35 us=55219 192.168.99.15:55593 VERIFY EKU OK
2023-12-12 18:05:35 us=55223 192.168.99.15:55593 VERIFY OK: depth=0, CN=KOSAMBI-PARK
2023-12-12 18:05:35 us=55432 192.168.99.15:55593 peer info: IV_VER=2.6.8
2023-12-12 18:05:35 us=55439 192.168.99.15:55593 peer info: IV_PLAT=win
2023-12-12 18:05:35 us=55442 192.168.99.15:55593 peer info: IV_TCPNL=1
2023-12-12 18:05:35 us=55445 192.168.99.15:55593 peer info: IV_MTU=1600
2023-12-12 18:05:35 us=55448 192.168.99.15:55593 peer info: IV_NCP=2
2023-12-12 18:05:35 us=55451 192.168.99.15:55593 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-12-12 18:05:35 us=55454 192.168.99.15:55593 peer info: IV_PROTO=990
2023-12-12 18:05:35 us=55457 192.168.99.15:55593 peer info: IV_LZO_STUB=1
2023-12-12 18:05:35 us=55459 192.168.99.15:55593 peer info: IV_COMP_STUB=1
2023-12-12 18:05:35 us=55462 192.168.99.15:55593 peer info: IV_COMP_STUBv2=1
2023-12-12 18:05:35 us=55465 192.168.99.15:55593 peer info: IV_GUI_VER=OpenVPN_GUI_11.46.0.0
2023-12-12 18:05:35 us=55470 192.168.99.15:55593 peer info: IV_SSO=openurl,webauth,crtext
2023-12-12 18:05:35 us=55523 192.168.99.15:55593 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-12-12 18:05:35 us=55558 192.168.99.15:55593 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-12-12 18:05:35 us=56382 192.168.99.15:55593 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2023-12-12 18:05:35 us=56411 192.168.99.15:55593 [KOSAMBI-PARK] Peer Connection Initiated with [AF_INET6]::ffff:192.168.99.15:55593 (via ::ffff:192.168.99.100%igb1)
2023-12-12 18:05:35 us=56423 KOSAMBI-PARK/192.168.99.15:55593 MULTI_sva: pool returned IPv4=10.20.30.2, IPv6=(Not enabled)
2023-12-12 18:05:35 us=56556 KOSAMBI-PARK/192.168.99.15:55593 OPTIONS IMPORT: reading client specific options from: /usr/local/etc/openvpn/client/KOSAMBI-PARK
2023-12-12 18:05:35 us=56674 KOSAMBI-PARK/192.168.99.15:55593 MULTI: Learn: 10.20.30.4 -> KOSAMBI-PARK/192.168.99.15:55593
2023-12-12 18:05:35 us=56679 KOSAMBI-PARK/192.168.99.15:55593 MULTI: primary virtual IP for KOSAMBI-PARK/192.168.99.15:55593: 10.20.30.4
2023-12-12 18:05:35 us=56701 KOSAMBI-PARK/192.168.99.15:55593 Data Channel MTU parms [ mss_fix:1235 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2023-12-12 18:05:35 us=56742 KOSAMBI-PARK/192.168.99.15:55593 Outgoing dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-12-12 18:05:35 us=56755 KOSAMBI-PARK/192.168.99.15:55593 Outgoing dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-12-12 18:05:35 us=56761 KOSAMBI-PARK/192.168.99.15:55593 Incoming dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-12-12 18:05:35 us=56770 KOSAMBI-PARK/192.168.99.15:55593 Incoming dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-12-12 18:05:35 us=56794 KOSAMBI-PARK/192.168.99.15:55593 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-12-12 18:05:35 us=56801 KOSAMBI-PARK/192.168.99.15:55593 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-12-12 18:05:35 us=56828 KOSAMBI-PARK/192.168.99.15:55593 SENT CONTROL [KOSAMBI-PARK]: 'PUSH_REPLY,route-gateway 10.20.30.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.20.30.4 255.255.255.192,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
2023-12-12 18:05:36 us=299729 KOSAMBI-PARK/192.168.99.15:55593 Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'stub'
2023-12-12 18:05:36 us=299744 KOSAMBI-PARK/192.168.99.15:55593 Timers: ping 10, ping-restart 240
2023-12-12 18:05:36 us=299749 KOSAMBI-PARK/192.168.99.15:55593 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
[...]

From the Linux client outside on the WAN, run with "--verb 4" (CLIENT LOG) (FAILED):

[...]
2023-12-12 18:06:33 us=514717 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2023-12-12 18:06:33 us=514854 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1400 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2023-12-12 18:06:33 us=515433 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:yyyy
2023-12-12 18:06:33 us=515510 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-12-12 18:06:33 us=515550 UDPv4 link local: (not bound)
2023-12-12 18:06:33 us=515581 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:yyyy
2023-12-12 18:06:33 us=515633 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2023-12-12 18:07:33 us=684736 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2023-12-12 18:07:33 us=684823 TLS Error: TLS handshake failed
2023-12-12 18:07:33 us=685109 TCP/UDP: Closing socket
2023-12-12 18:07:33 us=685209 SIGUSR1[soft,tls-error] received, process restarting
2023-12-12 18:07:33 us=685290 Restart pause, 1 second(s)
2023-12-12 18:07:34 us=685513 Re-using SSL/TLS context
2023-12-12 18:07:34 us=685946 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-12-12 18:07:34 us=686059 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-12-12 18:07:34 us=686308 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2023-12-12 18:07:34 us=686377 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1400 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2023-12-12 18:07:34 us=686608 TCP/UDP: Preserving recently used remote address: [AF_INET]202.138.247.170:5276
2023-12-12 18:07:34 us=686721 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-12-12 18:07:34 us=686775 UDPv4 link local: (not bound)
2023-12-12 18:07:34 us=686817 UDPv4 link remote: [AF_INET]202.138.247.170:5276
2023-12-12 18:08:34 us=643737 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2023-12-12 18:08:34 us=643823 TLS Error: TLS handshake failed
2023-12-12 18:08:34 us=644148 TCP/UDP: Closing socket
2023-12-12 18:08:34 us=644254 SIGUSR1[soft,tls-error] received, process restarting
2023-12-12 18:08:34 us=644332 Restart pause, 1 second(s)
2023-12-12 18:08:35 us=644549 Re-using SSL/TLS context
2023-12-12 18:08:35 us=645011 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-12-12 18:08:35 us=645121 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-12-12 18:08:35 us=645367 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2023-12-12 18:08:35 us=645436 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1400 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
[...]

Then I tried to restart the OpenVPN daemon with `service openvpn restart`. Now the client from the LAN can't connect, but the one outside on the WAN is able to connect. A strange problem that is very confusing. Thanks anyway.

--
Regards,
Budi Janto
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
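The two server-log facts that bear on the multihome question above are easy to miss in a long verb-4 log: the bind line ("UDPv6 link local (bound): [AF_INET6][undef]:5276", where "[undef]" is OpenVPN's rendering of a wildcard bind, i.e. no --local), and the "(via <local>%<ifname>)" suffix on "Peer Connection Initiated" lines, which OpenVPN prints only when it recorded the destination address of the client's packet, which is what --multihome enables. The triage helper below is an added example, not code from this thread or from the OpenVPN project. It parses both kinds of line and flags peers whose "via" is missing (multihome not in effect on that socket) or whose "via" is not one of the addresses the admin expects clients to reach. The sample log is constructed: the bind line and the KOSAMBI-PARK line are copied from the server log above, while the WAN-CLIENT and OLD-STYLE lines, the addresses 203.0.113.7 and 198.51.100.23 and the interface name igb0 are made up for the example.

```python
"""Triage an OpenVPN server log from a multi-homed host (added example)."""
from __future__ import annotations

import ipaddress
import json
import re
from typing import Optional

# "UDPv6 link local (bound): [AF_INET6][undef]:5276" -- "[undef]" = wildcard bind.
BIND_RE = re.compile(
    r"(?P<proto>UDPv[46]|TCPv[46]) link local \(bound\): "
    r"\[(?P<af>AF_INET6?)\](?P<addr>\S+):(?P<port>\d+)"
)
# "[CN] Peer Connection Initiated with [AF_INET6]<remote>:<port> (via <local>%<ifname>)"
# The "(via ...)" part is optional in the format; on FreeBSD's IPv4 path ifname may be empty.
PEER_RE = re.compile(
    r"\[(?P<cn>[^\]]+)\] Peer Connection Initiated with "
    r"\[(?P<af>AF_INET6?)\](?P<remote>\S+):(?P<rport>\d+)"
    r"(?: \(via (?P<via>[^%)]+)%(?P<ifname>[^)]*)\))?"
)

# Constructed sample: first two lines are from the thread's server log, the rest are invented.
SAMPLE_LOG = """\
2023-12-12 18:05:19 us=773989 UDPv6 link local (bound): [AF_INET6][undef]:5276
2023-12-12 18:05:35 us=56411 192.168.99.15:55593 [KOSAMBI-PARK] Peer Connection Initiated with [AF_INET6]::ffff:192.168.99.15:55593 (via ::ffff:192.168.99.100%igb1)
2023-12-12 18:09:02 us=100 203.0.113.7:51234 [WAN-CLIENT] Peer Connection Initiated with [AF_INET6]::ffff:203.0.113.7:51234 (via ::ffff:202.138.247.170%igb0)
2023-12-12 18:09:40 us=200 198.51.100.23:41000 [OLD-STYLE] Peer Connection Initiated with [AF_INET]198.51.100.23:41000
"""


def normalize(addr: str) -> str:
    """Render IPv4-mapped IPv6 (::ffff:a.b.c.d), as logged on a dual-stack
    wildcard socket, as plain IPv4; leave non-addresses such as "[undef]" alone."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr
    mapped = getattr(ip, "ipv4_mapped", None)
    return str(mapped) if mapped else str(ip)


def parse_bind(line: str) -> Optional[dict]:
    m = BIND_RE.search(line)
    if not m:
        return None
    return {"proto": m["proto"], "addr": m["addr"], "port": int(m["port"]),
            "wildcard": m["addr"] == "[undef]"}


def parse_peer(line: str) -> Optional[dict]:
    m = PEER_RE.search(line)
    if not m:
        return None
    via = m["via"]
    return {"cn": m["cn"], "remote": normalize(m["remote"]), "rport": int(m["rport"]),
            "via": normalize(via) if via else None, "ifname": m["ifname"] or None}


def audit(log: str, expected_locals: set[str]) -> dict:
    """Return the bind info and one finding per completed handshake.

    expected_locals: addresses clients are supposed to reach the server on
    (the LAN address and the public WAN address).  A missing "via" means the
    per-packet destination address was not recorded for that socket, so the
    server cannot guarantee it answers from the address the client used; a
    "via" outside expected_locals means the client arrived on an address the
    admin did not plan for.
    """
    report: dict = {"bind": None, "peers": []}
    for line in log.splitlines():
        b = parse_bind(line)
        if b:
            report["bind"] = b
            continue
        p = parse_peer(line)
        if not p:
            continue
        if p["via"] is None:
            p["finding"] = "no via address: multihome/pktinfo not in effect on this socket"
        elif p["via"] not in expected_locals:
            p["finding"] = f"reached server on unexpected local address {p['via']}"
        else:
            p["finding"] = "ok"
        report["peers"].append(p)
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOG, {"192.168.99.100", "202.138.247.170"}), indent=2))
```

Run against the thread's own server log, the helper confirms what Gert expected: the LAN client's line already carries "(via ::ffff:192.168.99.100%igb1)", so multihome is in effect on that wildcard dual-stack socket. Because the failing WAN client never gets past the TLS handshake, it produces no "Peer Connection Initiated" line at all; the absence of a WAN peer in the report is itself the signal, and the next step a practitioner would take is a packet capture on the WAN interface to see whether the server's replies leave with the public address as source.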