View previous topic :: View next topic |
Author |
Message |
pti-rem Guru
Joined: 14 Oct 2011 Posts: 490
|
Posted: Thu May 27, 2021 5:56 pm Post subject: [nm-openvpn] connexion VPN avec un .ovpn (cipher) |
|
|
Bonjour,
J'ai obtenu d'un prestataire un fichier en .ovpn pour établir une connexion VPN pour mon poste de travail.
Je croyais que cela pouvait se faire facilement.
J'ai travaillé en mode CLI avec nmcli pour l'installer :
Code: | $ sudo nmcli connection import type openvpn file maco.ovpn |
Ensuite, pour lancer la connexion, ça se gâte.
Code: | sudo nmcli con up maco |
/var/log/messages: | May 27 19:40:28 n73sm nm-openvpn[9839]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
May 27 19:40:28 n73sm nm-openvpn[9839]: OpenVPN 2.5.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 4 2021
May 27 19:40:28 n73sm nm-openvpn[9839]: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
May 27 19:40:28 n73sm nm-openvpn[9839]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 19:40:28 n73sm nm-openvpn[9839]: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
May 27 19:40:28 n73sm nm-openvpn[9839]: UDP link local: (not bound)
May 27 19:40:28 n73sm nm-openvpn[9839]: UDP link remote: [AF_INET]11.22.33.44:1194
May 27 19:40:28 n73sm nm-openvpn[9839]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
May 27 19:40:28 n73sm nm-openvpn[9839]: [server] Peer Connection Initiated with [AF_INET]11.22.33.44:1194
May 27 19:40:29 n73sm nm-openvpn[9839]: OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
May 27 19:40:29 n73sm nm-openvpn[9839]: ERROR: Failed to apply push options
May 27 19:40:29 n73sm nm-openvpn[9839]: Failed to open tun/tap interface
May 27 19:40:29 n73sm nm-openvpn[9839]: SIGUSR1[soft,process-push-msg-failed] received, process restarting
May 27 19:40:34 n73sm nm-openvpn[9839]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 19:40:34 n73sm nm-openvpn[9839]: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
May 27 19:40:34 n73sm nm-openvpn[9839]: UDP link local: (not bound)
May 27 19:40:34 n73sm nm-openvpn[9839]: UDP link remote: [AF_INET]11.22.33.44:1194
May 27 19:40:35 n73sm nm-openvpn[9839]: [server] Peer Connection Initiated with [AF_INET]11.22.33.44:1194
May 27 19:40:36 n73sm nm-openvpn[9839]: OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
May 27 19:40:36 n73sm nm-openvpn[9839]: ERROR: Failed to apply push options
May 27 19:40:36 n73sm nm-openvpn[9839]: Failed to open tun/tap interface
May 27 19:40:36 n73sm nm-openvpn[9839]: SIGUSR1[soft,process-push-msg-failed] received, process restarting
May 27 19:40:41 n73sm nm-openvpn[9839]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 19:40:41 n73sm nm-openvpn[9839]: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
May 27 19:40:41 n73sm nm-openvpn[9839]: UDP link local: (not bound)
May 27 19:40:41 n73sm nm-openvpn[9839]: UDP link remote: [AF_INET]11.22.33.44:1194
May 27 19:40:41 n73sm nm-openvpn[9839]: [server] Peer Connection Initiated with [AF_INET]11.22.33.44:1194
May 27 19:40:42 n73sm nm-openvpn[9839]: OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
May 27 19:40:42 n73sm nm-openvpn[9839]: ERROR: Failed to apply push options
May 27 19:40:42 n73sm nm-openvpn[9839]: Failed to open tun/tap interface
May 27 19:40:42 n73sm nm-openvpn[9839]: SIGUSR1[soft,process-push-msg-failed] received, process restarting
May 27 19:40:47 n73sm nm-openvpn[9839]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 19:40:47 n73sm nm-openvpn[9839]: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
May 27 19:40:47 n73sm nm-openvpn[9839]: UDP link local: (not bound)
May 27 19:40:47 n73sm nm-openvpn[9839]: UDP link remote: [AF_INET]11.22.33.44:1194
May 27 19:40:48 n73sm nm-openvpn[9839]: [server] Peer Connection Initiated with [AF_INET]11.22.33.44:1194
May 27 19:40:49 n73sm nm-openvpn[9839]: OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
May 27 19:40:49 n73sm nm-openvpn[9839]: ERROR: Failed to apply push options
May 27 19:40:49 n73sm nm-openvpn[9839]: Failed to open tun/tap interface
May 27 19:40:49 n73sm nm-openvpn[9839]: SIGUSR1[soft,process-push-msg-failed] received, process restarting
May 27 19:40:54 n73sm nm-openvpn[9839]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 19:40:54 n73sm nm-openvpn[9839]: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
May 27 19:40:54 n73sm nm-openvpn[9839]: UDP link local: (not bound)
May 27 19:40:54 n73sm nm-openvpn[9839]: UDP link remote: [AF_INET]11.22.33.44:1194
May 27 19:40:54 n73sm nm-openvpn[9839]: [server] Peer Connection Initiated with [AF_INET]11.22.33.44:1194
May 27 19:40:55 n73sm nm-openvpn[9839]: OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
May 27 19:40:55 n73sm nm-openvpn[9839]: ERROR: Failed to apply push options
May 27 19:40:55 n73sm nm-openvpn[9839]: Failed to open tun/tap interface
May 27 19:40:55 n73sm nm-openvpn[9839]: SIGUSR1[soft,process-push-msg-failed] received, process restarting
May 27 19:41:05 n73sm nm-openvpn[9839]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 19:41:05 n73sm nm-openvpn[9839]: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
May 27 19:41:05 n73sm nm-openvpn[9839]: UDP link local: (not bound)
May 27 19:41:05 n73sm nm-openvpn[9839]: UDP link remote: [AF_INET]11.22.33.44:1194
May 27 19:41:06 n73sm nm-openvpn[9839]: [server] Peer Connection Initiated with [AF_INET]11.22.33.44:1194
May 27 19:41:07 n73sm nm-openvpn[9839]: OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
May 27 19:41:07 n73sm nm-openvpn[9839]: ERROR: Failed to apply push options
May 27 19:41:07 n73sm nm-openvpn[9839]: Failed to open tun/tap interface
May 27 19:41:07 n73sm nm-openvpn[9839]: SIGUSR1[soft,process-push-msg-failed] received, process restarting
May 27 19:41:27 n73sm nm-openvpn[9839]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 19:41:27 n73sm nm-openvpn[9839]: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
May 27 19:41:27 n73sm nm-openvpn[9839]: UDP link local: (not bound)
May 27 19:41:27 n73sm nm-openvpn[9839]: UDP link remote: [AF_INET]11.22.33.44:1194
May 27 19:41:27 n73sm nm-openvpn[9839]: [server] Peer Connection Initiated with [AF_INET]11.22.33.44:1194
May 27 19:41:28 n73sm nm-openvpn[9839]: SIGTERM[hard,] received, process exiting
May 27 19:41:28 n73sm NetworkManager[3879]: <warn> [1622137288.3648] vpn-connection[0x5650ea200580,549a319c-6c8f-4132-8372-05359094d8e6,"maco",0]: VPN connection: connect timeout exceeded.
May 27 19:41:28 n73sm NetworkManager[3879]: <warn> [1622137288.3689] vpn-connection[0x5650ea200580,549a319c-6c8f-4132-8372-05359094d8e6,"maco",0]: VPN plugin: failed: connect-failed (1)
May 27 19:41:28 n73sm NetworkManager[3879]: <info> [1622137288.3691] vpn-connection[0x5650ea200580,549a319c-6c8f-4132-8372-05359094d8e6,"maco",0]: VPN plugin: state changed: stopping (5)
May 27 19:41:28 n73sm NetworkManager[3879]: <info> [1622137288.3692] vpn-connection[0x5650ea200580,549a319c-6c8f-4132-8372-05359094d8e6,"maco",0]: VPN plugin: state changed: stopped (6)
May 27 19:41:28 n73sm NetworkManager[3879]: <info> [1622137288.3721] vpn-connection[0x5650ea200580,549a319c-6c8f-4132-8372-05359094d8e6,"maco",0]: VPN service disappeared |
Code: | n73sm ~ # emerge -pv openvpn
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] net-vpn/openvpn-2.5.2::gentoo USE="examples lz4 lzo openssl pam plugins -down-root -inotify -iproute2 -mbedtls -pkcs11 (-selinux) -systemd -test" 0 KiB
Total: 1 package (1 reinstall), Size of downloads: 0 KiB
n73sm ~ # |
J'ai besoin d'aide pour comprendre ces :
- UDP link local: (not bound)
- ERROR: Failed to apply push options
- Failed to open tun/tap interface
Et la cerise :
- Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
Merci d'avance
Je suis paumé
J'ai pas trouvé de bonnes docs...
Last edited by pti-rem on Tue Jun 01, 2021 5:47 pm; edited 2 times in total |
|
Back to top |
|
|
netfab Veteran
Joined: 03 Mar 2005 Posts: 1960 Location: 127.0.0.1
|
Posted: Thu May 27, 2021 6:32 pm Post subject: Re: [nm-openvpn] connexion VPN avec un .ovpn (difficile) |
|
|
Salut,
pti-rem wrote: |
Et la cerise :
- Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
|
Jette un oeil ici. Les autres erreurs ne sont (peut-être) que des erreurs en cascade.
Quote: |
In order to solve this, I’ve added the following line of code in .opvn configuration file:
ncp-ciphers "BF-CBC"
|
|
|
Back to top |
|
|
pti-rem Guru
Joined: 14 Oct 2011 Posts: 490
|
Posted: Thu May 27, 2021 7:13 pm Post subject: |
|
|
Merci netfab
Pour le moment, c'est pareil.
Je n'oublie pas d'effacer ma connexion avant de modifier maco.ovpn et de la recréer ensuite.
J'ai un entête du maco.ovpn :
Code: | client
dev tun
proto udp
remote 11.22.33.44 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3 |
Je ne sais pas trop où placer « ncp-ciphers 'BF-CBC' »
Avec de simples quotes, des guillemets ou rien du tout ?
Ce « UDP link local: (not bound) » semble intervenir en amont.
Ça devrait se faire presque tout seul ce genre de connexion, non ? |
|
Back to top |
|
|
pti-rem Guru
Joined: 14 Oct 2011 Posts: 490
|
Posted: Thu May 27, 2021 7:49 pm Post subject: |
|
|
J'ai trouvé ça : https://forums.openvpn.net/viewtopic.php?t=24381
J'en ai fait ça de l'entête de maco :
Code: | client
dev tun
proto udp
remote 33.112.88.32 1194
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC:AES-256-CBC
cipher BF-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3 |
/var/log/messages: | May 27 21:38:38 n73sm NetworkManager[3879]: <info> [1622144318.5656] device (tun0): state change: activated -> unmanaged (reason 'unmanaged', sys-iface-state: 'removed')
May 27 21:39:05 n73sm NetworkManager[3879]: <info> [1622144345.9306] audit: op="connection-activate" uuid="db4e1dbd-beb6-435c-b2af-b9e42ece1e3c" name="maco" pid=4543 uid=1000 result="success"
May 27 21:39:05 n73sm NetworkManager[3879]: <info> [1622144345.9354] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",0]: Started the VPN service, PID 15509
May 27 21:39:05 n73sm NetworkManager[3879]: <info> [1622144345.9444] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",0]: Saw the service appear; activating connection
May 27 21:39:05 n73sm NetworkManager[3879]: <info> [1622144345.9662] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",0]: VPN plugin: state changed: starting (3)
May 27 21:39:05 n73sm NetworkManager[3879]: <info> [1622144345.9665] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",0]: VPN connection: (ConnectInteractive) reply received
May 27 21:39:05 n73sm nm-openvpn[15513]: DEPRECATED OPTION: --cipher set to 'BF-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'BF-CBC' to --data-ciphers or change --cipher 'BF-CBC' to --data-ciphers-fallback 'BF-CBC' to silence this warning.
May 27 21:39:05 n73sm nm-openvpn[15513]: OpenVPN 2.5.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 4 2021
May 27 21:39:05 n73sm nm-openvpn[15513]: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
May 27 21:39:05 n73sm nm-openvpn[15513]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 21:39:05 n73sm nm-openvpn[15513]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
May 27 21:39:05 n73sm nm-openvpn[15513]: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
May 27 21:39:05 n73sm nm-openvpn[15513]: UDP link local: (not bound)
May 27 21:39:05 n73sm nm-openvpn[15513]: UDP link remote: [AF_INET]11.22.33.44:1194
May 27 21:39:05 n73sm nm-openvpn[15513]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
May 27 21:39:06 n73sm nm-openvpn[15513]: [server] Peer Connection Initiated with [AF_INET]11.22.33.44:1194
May 27 21:39:07 n73sm nm-openvpn[15513]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
May 27 21:39:07 n73sm nm-openvpn[15513]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
May 27 21:39:07 n73sm nm-openvpn[15513]: WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
May 27 21:39:07 n73sm nm-openvpn[15513]: TUN/TAP device tun0 opened
May 27 21:39:07 n73sm nm-openvpn[15513]: /usr/libexec/nm-openvpn-service-openvpn-helper --debug 0 15509 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_25 --tun -- tun0 1500 1622 10.8.0.34 255.255.255.0 init
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5235] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/7)
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5355] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",0]: VPN connection: (IP Config Get) reply received.
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5393] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: VPN connection: (IP4 Config Get) reply received
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5398] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: VPN Gateway: 11.22.33.44
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5398] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: Tunnel Device: "tun0"
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5398] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: IPv4 configuration:
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5398] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: Internal Gateway: 10.8.0.1
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5398] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: Internal Address: 10.8.0.34
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5399] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: Internal Prefix: 24
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5399] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: Internal Point-to-Point Address: 10.8.0.34
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5399] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: Static Route: 0.0.0.0/0 Next Hop: 10.8.0.1
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5399] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: Static Route: 10.8.0.34/32 Next Hop: 0.0.0.0
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5399] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: Static Route: 10.8.0.0/24 Next Hop: 0.0.0.0
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5399] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: Internal DNS: 55.66.78.90
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5399] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: Internal DNS: 55.66.78.91
May 27 21:39:07 n73sm nm-openvpn[15513]: GID set to nm-openvpn
May 27 21:39:07 n73sm nm-openvpn[15513]: UID set to nm-openvpn
May 27 21:39:07 n73sm nm-openvpn[15513]: Initialization Sequence Completed
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5401] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: DNS Domain: '(none)'
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5406] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: No IPv6 configuration
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5407] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: VPN plugin: state changed: started (4)
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5416] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: VPN connection: (IP Config Get) complete
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5454] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
May 27 21:39:07 n73sm dbus-daemon[3817]: [system] Activating service name='org.freedesktop.nm_dispatcher' requested by ':1.0' (uid=0 pid=3879 comm="/usr/sbin/NetworkManager --pid-file /run/NetworkMa" label="kernel") (using servicehelper)
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5488] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external')
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5496] device (tun0): Activation: starting connection 'tun0' (57f7adcf-1d63-4330-b7c4-8ec338fc93f3)
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5497] device (tun0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'external')
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5506] device (tun0): state change: prepare -> config (reason 'none', sys-iface-state: 'external')
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5509] device (tun0): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5511] device (tun0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')
May 27 21:39:07 n73sm dbus-daemon[3817]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5667] policy: set 'maco' (tun0) as default for IPv4 routing and DNS
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5885] device (tun0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5891] device (tun0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
May 27 21:39:07 n73sm NetworkManager[3879]: <info> [1622144347.5918] device (tun0): Activation: successful, device activated. |
C'est une de ces tambouilles !
cipher par ci data-cipher par là !
et des data-ciphers-fallback en veux-tu : en voilà..
1) Add 'BF-CBC' to --data-ciphers or change --cipher 'BF-CBC' to --data-ciphers-fallback 'BF-CBC' to silence this warning. |
|
Back to top |
|
|
netfab Veteran
Joined: 03 Mar 2005 Posts: 1960 Location: 127.0.0.1
|
Posted: Thu May 27, 2021 7:58 pm Post subject: |
|
|
Y'a de l'évolution
Utilise plutôt l'option :
au lieu de :
D'après ces commits : 1 2 3
L'option a été renommée à la version 2.5 d'openvpn et n'est plus activée par défaut.
pti-rem wrote: | Ça devrait se faire presque tout seul ce genre de connexion, non ? |
Et bien pas vraiment non, au contraire c'est hyper strict, raison de sécurité :p |
|
Back to top |
|
|
pti-rem Guru
Joined: 14 Oct 2011 Posts: 490
|
Posted: Thu May 27, 2021 9:33 pm Post subject: |
|
|
Je ne sais pas faire mieux que de conserver le cipher BF-CBC
Sans lui la connexion ne se fait pas.
Le serveur est en cipher BF-CBC !!
@netfab, je ne comprends pas encore bien les commits.
Code: | client
dev tun
proto udp
remote 118.15.77.43 1194
data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC
data-ciphers-fallback BF-CBC
cipher BF-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3 |
Code: | May 27 23:02:49 n73sm nm-openvpn[21059]: DEPRECATED OPTION: --cipher set to 'BF-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'BF-CBC' to --data-ciphers or change --cipher 'BF-CBC' to --data-ciphers-fallback 'BF-CBC' to silence this warning.
May 27 23:02:49 n73sm nm-openvpn[21059]: OpenVPN 2.5.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 4 2021
May 27 23:02:49 n73sm nm-openvpn[21059]: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
May 27 23:02:49 n73sm nm-openvpn[21059]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 23:02:49 n73sm nm-openvpn[21059]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
May 27 23:02:49 n73sm nm-openvpn[21059]: TCP/UDP: Preserving recently used remote address: [AF_INET] :1194
May 27 23:02:49 n73sm nm-openvpn[21059]: UDP link local: (not bound)
May 27 23:02:49 n73sm nm-openvpn[21059]: UDP link remote: [AF_INET] :1194
May 27 23:02:49 n73sm nm-openvpn[21059]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
May 27 23:02:49 n73sm nm-openvpn[21059]: [server] Peer Connection Initiated with [AF_INET]:1194
May 27 23:02:51 n73sm nm-openvpn[21059]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
May 27 23:02:51 n73sm nm-openvpn[21059]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
May 27 23:02:51 n73sm nm-openvpn[21059]: WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
May 27 23:02:51 n73sm nm-openvpn[21059]: TUN/TAP device tun0 opened |
Quote: | Add 'BF-CBC' to --data-ciphers or change --cipher 'BF-CBC' to --data-ciphers-fallback 'BF-CBC' to silence this warning. |
Ça ne marche pas, j'ai déjà trop essayé. Je n'y comprends plus rien ou presque.
Quote: | INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC) |
J'ai essayé le cipher AES-256-CBC et ça ne passe pas.
Je veux bien que l'on m'aide pour configurer cet ovpn.
Je ne connais pas la syntaxe ni les limitations.
Je pense que j'en mets trop. |
|
Back to top |
|
|
pti-rem Guru
Joined: 14 Oct 2011 Posts: 490
|
Posted: Tue Jun 01, 2021 5:15 pm Post subject: |
|
|
Je n'ai pas voulu de cet OpenVPN avec un cipher non sûr et exposé au danger.
Je me suis fait rembourser. |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|