SOLVED - VPN works via UDP, not via TCP

Started by Luma, April 18, 2019, 09:18:45 AM

April 18, 2019, 09:18:45 AM Last Edit: May 20, 2019, 07:44:11 AM by Luma
Hello everyone

I have successfully set up a VPN UDP server. Everything works.

Client Log UDP:
Thu Apr 18 08:52:06 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Thu Apr 18 08:52:06 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Apr 18 08:52:06 2019 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
Thu Apr 18 08:52:06 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.231.4:1194
Thu Apr 18 08:52:06 2019 UDP link local (bound): [AF_INET][undef]:0
Thu Apr 18 08:52:06 2019 UDP link remote: [AF_INET]192.168.231.4:1194
Thu Apr 18 08:52:06 2019 [xxxxxx.xxx] Peer Connection Initiated with [AF_INET]192.168.231.4:1194
Thu Apr 18 08:52:07 2019 open_tun
Thu Apr 18 08:52:07 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{322A20D5-0A7D-4DAE-A181-61DA82ECA223}.tap
Thu Apr 18 08:52:07 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.235.6/255.255.255.252 on interface {322A20D5-0A7D-4DAE-A181-61DA82ECA223} [DHCP-serv: 192.168.235.5, lease-time: 31536000]
Thu Apr 18 08:52:07 2019 Successful ARP Flush on interface [5] {322A20D5-0A7D-4DAE-A181-61DA82ECA223}
Thu Apr 18 08:52:07 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Apr 18 08:52:13 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Apr 18 08:52:13 2019 Initialization Sequence Completed
Thu Apr 18 08:52:39 2019 SIGTERM[hard,] received, process exiting


But since I cannot forward UDP ports, I need a TCP VPN server.

No problem, I thought. I switched UDP to TCP in the server configuration, and did the same in the client configuration. Unfortunately, no connection can be established then:

Client Log TCP:
Thu Apr 18 09:05:30 2019 us=760599 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Thu Apr 18 09:05:30 2019 us=760599 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Apr 18 09:05:30 2019 us=760599 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
Thu Apr 18 09:05:30 2019 us=761095 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Apr 18 09:05:30 2019 us=761095 Need hold release from management interface, waiting...
Thu Apr 18 09:05:31 2019 us=228772 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Apr 18 09:05:31 2019 us=336010 MANAGEMENT: CMD 'state on'
Thu Apr 18 09:05:31 2019 us=336405 MANAGEMENT: CMD 'log all on'
Thu Apr 18 09:05:31 2019 us=516510 MANAGEMENT: CMD 'echo all on'
Thu Apr 18 09:05:31 2019 us=517999 MANAGEMENT: CMD 'bytecount 5'
Thu Apr 18 09:05:31 2019 us=518991 MANAGEMENT: CMD 'hold off'
Thu Apr 18 09:05:31 2019 us=520479 MANAGEMENT: CMD 'hold release'
Thu Apr 18 09:05:31 2019 us=522959 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Apr 18 09:05:31 2019 us=522959 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Apr 18 09:05:31 2019 us=522959 Control Channel MTU parms [ L:1623 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Thu Apr 18 09:05:31 2019 us=522959 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Thu Apr 18 09:05:31 2019 us=523455 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Thu Apr 18 09:05:31 2019 us=523455 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_SERVER,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Thu Apr 18 09:05:31 2019 us=523455 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.231.4:1194
Thu Apr 18 09:05:31 2019 us=523455 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Apr 18 09:05:31 2019 us=523455 Attempting to establish TCP connection with [AF_INET]192.168.231.4:1194 [nonblock]
Thu Apr 18 09:05:31 2019 us=523455 MANAGEMENT: >STATE:1555571131,TCP_CONNECT,,,,,,
Thu Apr 18 09:07:32 2019 us=669700 TCP: connect to [AF_INET]192.168.231.4:1194 failed: Unknown error
Thu Apr 18 09:07:32 2019 us=670590 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Thu Apr 18 09:07:32 2019 us=670590 MANAGEMENT: >STATE:1555571252,RECONNECTING,init_instance,,,,,
Thu Apr 18 09:07:32 2019 us=670590 Restart pause, 5 second(s)
Thu Apr 18 09:07:33 2019 us=683907 SIGTERM[hard,init_instance] received, process exiting
Thu Apr 18 09:07:33 2019 us=683907 MANAGEMENT: >STATE:1555571253,EXITING,init_instance,,,,,


Server Log TCP:
Apr 18 09:05:11 OPNsense openvpn[72934]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Apr 18 09:05:11 OPNsense openvpn[72934]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 18 09:05:11 OPNsense openvpn[72934]: Re-using SSL/TLS context
Apr 18 09:05:11 OPNsense openvpn[72934]: Control Channel MTU parms [ L:1623 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Apr 18 09:05:11 OPNsense openvpn[72934]: Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Apr 18 09:05:11 OPNsense openvpn[72934]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Apr 18 09:05:11 OPNsense openvpn[72934]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_SERVER,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Apr 18 09:05:11 OPNsense openvpn[72934]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.231.4:1194
Apr 18 09:05:11 OPNsense openvpn[72934]: Socket Buffers: R=[65228->65228] S=[65228->65228]
Apr 18 09:05:11 OPNsense openvpn[72934]: Attempting to establish TCP connection with [AF_INET]192.168.231.4:1194 [nonblock]
Apr 18 09:05:11 OPNsense openvpn[72934]: TCP connection established with [AF_INET]192.168.231.4:1194
Apr 18 09:05:11 OPNsense openvpn[72934]: TCP_CLIENT link local: (not bound)
Apr 18 09:05:11 OPNsense openvpn[72934]: TCP_CLIENT link remote: [AF_INET]192.168.231.4:1194
Apr 18 09:05:11 OPNsense openvpn[26171]: MULTI: multi_create_instance called
Apr 18 09:05:11 OPNsense openvpn[26171]: Re-using SSL/TLS context
Apr 18 09:05:11 OPNsense openvpn[26171]: Control Channel MTU parms [ L:1623 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Apr 18 09:05:11 OPNsense openvpn[26171]: Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Apr 18 09:05:11 OPNsense openvpn[26171]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_SERVER,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Apr 18 09:05:11 OPNsense openvpn[26171]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Apr 18 09:05:11 OPNsense openvpn[26171]: TCP connection established with [AF_INET]192.168.231.4:8471
Apr 18 09:05:11 OPNsense openvpn[26171]: TCPv4_SERVER link local: (not bound)
Apr 18 09:05:11 OPNsense openvpn[26171]: TCPv4_SERVER link remote: [AF_INET]192.168.231.4:8471
Apr 18 09:05:11 OPNsense openvpn[26171]: 192.168.231.4:8471 TLS: Initial packet from [AF_INET]192.168.231.4:8471, sid=6068271c e125605d
Apr 18 09:05:11 OPNsense openvpn[26171]: 192.168.231.4:8471 Authenticate/Decrypt packet error: packet HMAC authentication failed
Apr 18 09:05:11 OPNsense openvpn[26171]: 192.168.231.4:8471 TLS Error: incoming packet authentication failed from [AF_INET]192.168.231.4:8471
Apr 18 09:05:11 OPNsense openvpn[26171]: 192.168.231.4:8471 Fatal TLS error (check_tls_errors_co), restarting
Apr 18 09:05:11 OPNsense openvpn[26171]: 192.168.231.4:8471 SIGUSR1[soft,tls-error] received, client-instance restarting
Apr 18 09:05:11 OPNsense openvpn[26171]: TCP/UDP: Closing socket
Apr 18 09:05:11 OPNsense openvpn[72934]: Connection reset, restarting [0]
Apr 18 09:05:11 OPNsense openvpn[72934]: TCP/UDP: Closing socket
Apr 18 09:05:11 OPNsense openvpn[72934]: SIGUSR1[soft,connection-reset] received, process restarting
Apr 18 09:05:11 OPNsense openvpn[72934]: Restart pause, 300 second(s)


It should really work by "just" switching the protocol, shouldn't it?
What am I doing wrong?

Does something else related to TLS need to be changed (TLS error messages)?

In the firewall log I find no indication that anything is being blocked. All rules are designed to be protocol-independent.

Thanks for any help.

Regards, Luma
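As an added illustration (editor's example, not code from the thread), the Python below pulls out what the two client logs and the server log above actually establish: whether the client completed the handshake or timed out on the TCP connect, which peer failed the tls-auth HMAC check on the server, and which process on the OPNsense side is itself acting as a TCP client toward 192.168.231.4:1194. The log excerpts are constructed from the lines quoted in the post.

```python
import re
from datetime import datetime

# Constructed excerpts of the client and server logs quoted in the post above.
CLIENT_TCP_LOG = """\
Thu Apr 18 09:05:31 2019 us=523455 Attempting to establish TCP connection with [AF_INET]192.168.231.4:1194 [nonblock]
Thu Apr 18 09:07:32 2019 us=669700 TCP: connect to [AF_INET]192.168.231.4:1194 failed: Unknown error
"""
CLIENT_UDP_LOG = """\
Thu Apr 18 08:52:06 2019 UDP link remote: [AF_INET]192.168.231.4:1194
Thu Apr 18 08:52:13 2019 Initialization Sequence Completed
"""
SERVER_LOG = """\
Apr 18 09:05:11 OPNsense openvpn[72934]: TCP_CLIENT link remote: [AF_INET]192.168.231.4:1194
Apr 18 09:05:11 OPNsense openvpn[26171]: TCP connection established with [AF_INET]192.168.231.4:8471
Apr 18 09:05:11 OPNsense openvpn[26171]: 192.168.231.4:8471 Authenticate/Decrypt packet error: packet HMAC authentication failed
"""
TS = re.compile(r"^\w{3} (\w{3} \d+ \d{2}:\d{2}:\d{2} \d{4})")   # client-log timestamp
ADDR = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")           # first ip:port in a line
PID = re.compile(r"openvpn\[(\d+)\]")                           # syslog process id

def _ts(line):
    m = TS.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y") if m else None

def classify_client(log):
    """(status, seconds until failure) for a client log."""
    start = None
    for line in log.splitlines():
        if "Attempting to establish TCP connection" in line:
            start = _ts(line)
        elif "Initialization Sequence Completed" in line:
            return "connected", None
        elif "TCP: connect to" in line and "failed" in line:
            wait = (_ts(line) - start).total_seconds() if start else None
            # A RST would fail within milliseconds; a failure only after the OS
            # connect timeout means no reply at all, i.e. the SYN is being dropped.
            return ("connect_timeout" if wait and wait > 30 else "connect_refused"), wait
    return "unknown", None

def server_hmac_failures(log, local_addr):
    """Peers whose tls-auth HMAC check failed, flagging ones that come from the server host itself."""
    out = []
    for line in log.splitlines():
        if "packet HMAC authentication failed" in line:
            ip, port = ADDR.search(line).groups()
            out.append({"peer": ip, "port": int(port), "pid": PID.search(line).group(1), "self": ip == local_addr})
    return out

def local_tcp_client_pids(log):
    """PIDs on the server host that act as a TCP *client* (a second OpenVPN instance dialing out)."""
    return sorted({PID.search(l).group(1) for l in log.splitlines() if "TCP_CLIENT link remote" in l})
```

For the logs quoted here this reports a connect timeout of about 121 s on the Windows client, and an HMAC failure on the server from 192.168.231.4 itself, i.e. from the firewall's own second openvpn process (PID 72934), not from the Windows client.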

Did you also adjust the firewall rule?


Sent from iPhone with Tapatalk Pro
Internet: Willy.tel Down: 1Gbit/s, UP: 250Mbit/s fiber  |
Router/Firewall: pfSense+ 23.09  |
Hardware: Netgate 6100

Hi micneu

No, I haven't. In the affected rules I have "any" as the protocol everywhere. So no adjustment should actually be needed.

Did you restart the firewall?



Yes, I did. Unfortunately it didn't help!

Can you post your config? Maybe I'll see something then.
Here is my firewall setting for my OpenVPN

I have OpenVPN running on port 443 UDP



Here is the server1.conf
dev ovpns1
verb 4
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-256-CBC
auth SHA512
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local 192.168.231.4
client-connect "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_setup_cso.php server1"
tls-server
server 192.168.235.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'abcdefg.hi' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 192.168.232.0 255.255.255.0"
push "dhcp-option DOMAIN klmnop.qr"
push "dhcp-option DNS 192.168.232.20"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.2048.sample
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float


and here the client conf:
dev tun
persist-tun
persist-key
proto tcp-client
cipher AES-256-CBC
auth SHA512
client
verb 4
resolv-retry infinite
remote 192.168.231.4 1194 tcp
lport 0
verify-x509-name "C=CH, ST=Staat, L=Ort, O=abcdefg.hi, emailAddress=mein.name@abcdefg.hi, CN=abcdefg.hi" subject
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1


Under Rules - OpenVPN I have only one rule: PASS - IPV4 - Source: any - Destination: any

As noted above: with UDP everything runs flawlessly!
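An added check (editor's example, not from the thread) that parses the two configs above and verifies the settings that must agree between an OpenVPN server and client: transport, port, cipher, auth and complementary tls-auth key directions (server 0, client 1). The config excerpts are constructed from the lines quoted in the post, with the inline certificate blocks left out.

```python
# Constructed excerpts of the server1.conf and client config quoted above.
SERVER_CONF = """\
proto tcp-server
cipher AES-256-CBC
auth SHA512
lport 1194
tls-auth /var/etc/openvpn/server1.tls-auth 0
"""
CLIENT_CONF = """\
proto tcp-client
cipher AES-256-CBC
auth SHA512
remote 192.168.231.4 1194 tcp
key-direction 1
"""
def parse_ovpn(text):
    """Map each option to its argument list; inline certificate/key blocks and comments are skipped."""
    opts, inline = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("</"):
            inline = False
        elif line.startswith("<"):
            inline = True
        elif line and not inline and not line.startswith("#"):
            key, *args = line.split()
            opts[key] = args
    return opts
def tls_auth_direction(opts):
    """'tls-auth FILE [0|1]' or a separate 'key-direction N'; None means no direction given."""
    if "key-direction" in opts:
        return opts["key-direction"][0]
    args = opts.get("tls-auth", [])
    return args[1] if len(args) > 1 else None
def check_pair(server_conf, client_conf):
    """Mismatches between a server and a client config that would stop the TLS or tls-auth handshake."""
    s, c = parse_ovpn(server_conf), parse_ovpn(client_conf)
    problems = []
    sp, cp = s["proto"][0], c["proto"][0]
    if sp.split("-")[0] != cp.split("-")[0] or sp.endswith("-client"):
        problems.append(f"proto: server {sp} vs client {cp}")
    sport = (s.get("lport") or s.get("port") or ["1194"])[0]
    cport = c["remote"][1] if len(c["remote"]) > 1 else "1194"
    if sport != cport:
        problems.append(f"port: server listens on {sport}, client dials {cport}")
    for opt in ("cipher", "auth"):
        if s.get(opt) != c.get(opt):
            problems.append(f"{opt}: server {s.get(opt)} vs client {c.get(opt)}")
    sd, cd = tls_auth_direction(s), tls_auth_direction(c)
    if {sd, cd} not in ({"0", "1"}, {None}):  # directions must be complementary (or both unset)
        problems.append(f"tls-auth direction: server {sd} vs client {cd}")
    return problems
```

For the two configs quoted here the check returns no mismatch in the option pairing (it does not compare the key material itself).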

opnsense virtual or real? Any details on the setup (modem? Witzbox? anything else?)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

I would still like to see the OPNsense configuration, everything you have in the firewall settings



April 22, 2019, 06:25:27 PM #9 Last Edit: April 22, 2019, 08:52:27 PM by Luma
@ chemlud:

OPNsense is a physical box.

With 4 interfaces: blue (WLAN), green, orange (DMZ) and red (LAN).

192.168.231.4 is the red ("WAN") address. 192.168.231.2 is an LTE router with a private IP on the Internet side.

VPN port for UDP and TCP: 1194

For testing purposes I first want to get the VPN running directly at 192.168.231.4 (which works without problems with UDP, just not via TCP).

Regards, Luma

@ micneu:

Firewall: Settings: Advanced: the following is checked:
- Allow IPv6
- Reflection for port forwards
- Automatic outbound NAT for Reflection
- Kill states
- Sticky connections
- Shared forwarding
Everything else is default or not checked.

Firewall: Settings: Normalization: nothing checked, all default.

Firewall: Settings: Schedules: no entries

Regards, Luma

please send pictures of the configuration points,
so I can compare better

April 22, 2019, 06:44:34 PM #12 Last Edit: April 22, 2019, 06:46:52 PM by Luma
Firewall Settings:

ok, I'm just really bad at expressing myself.
please send the pictures of your configuration of your configured FIREWALL RULES

Is this what you meant?

Firewall: Rules: OpenVPN: