Vpn_client .cube arn

rodinux · January 11, 2021, 4:17pm

Mon serveur YunoHost

Matériel: Raspberry Pi à la maison /
Version de YunoHost: 4.1.4.4
J’ai accès à mon serveur : En SSH | Par la webadmin | En direct avec un clavier/écran |

Êtes-vous dans un contexte particulier ou avez-vous effectué des modificiations particulières sur votre instance ? : non

Passage à un VPN de arn

Bonjour,
j’ai un besoin urgent de configurer un vpn du fournisseur arn sur le serveur. Nous avons utiliser le fichier .cube pour générer le vpn et rediriger le nom de domaine vers les Ipv4 et IPv6 du fournisseur VPN, mais pour l’instant, Vpn_client plante en ce lançant, voici les logs:

Journalctl

-- Logs begin at Mon 2021-01-11 15:45:33 CET, end at Mon 2021-01-11 17:00:02 CET. --
janv. 11 16:58:28 ntpd[16849]: Listen normally on 9 wlan0 [2a00:5881:8100:100::42]:123
janv. 11 16:58:28 ntpd[16849]: Listen normally on 10 wlan0 [fe80::5632:b529:40f6:eeac%3]:123
janv. 11 16:58:28 ntpd[16849]: Listening on routing socket on fd #27 for interface updates
janv. 11 16:58:29 ntpd[16849]: Soliciting pool server XXX.XXX.XX.XX
janv. 11 16:58:30 ntpd[16849]: Soliciting pool server XXX.XXX.XX.XX
janv. 11 16:58:30 ntpd[16849]: Soliciting pool server XXX.XX.XX.XXX
[......]
janv. 11 16:58:36 ntpd[16849]: ntpd: time slew +0.004136 s
janv. 11 16:58:36 ynh-vpnclient[16653]: [INFO] Preparing openvpn configuration...
janv. 11 16:58:36 ynh-vpnclient[16653]: [INFO] Now actually starting OpenVPN client...
janv. 11 16:58:36 ynh-vpnclient[16653]: [INFO] OpenVPN client started ... waiting for tun0 interface to show up
janv. 11 16:58:58 ynh-vpnclient[16653]: [FAIL] Tun0 interface did not show up ... most likely an issue happening in OpenVPN client ... below is an extract of the log that might be relevant to pinpoint the issue
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:41:52 2021 SIGTERM[soft,exit-with-notification] received, process exiting
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:42:43 2021 WARNING: file '/etc/openvpn/keys/user.key' is group or others accessible
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:42:43 2021 OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:42:43 2021 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:42:43 2021 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:42:43 2021 TCP/UDP: Preserving recently used remote address: [AF_INET6]2a00:5881:8100:1002::1:1194
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:42:43 2021 Socket Buffers: R=[180224->180224] S=[180224->180224]
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:42:43 2021 UDPv6 link local: (not bound)
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:42:43 2021 UDPv6 link remote: [AF_INET6]2a00:5881:8100:1002::1:1194
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:43:05 2021 event_wait : Interrupted system call (code=4)
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:43:05 2021 SIGTERM received, sending exit notification to peer
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:43:06 2021 SIGTERM[soft,exit-with-notification] received, process exiting
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:58:36 2021 WARNING: file '/etc/openvpn/keys/user.key' is group or others accessible
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:58:36 2021 OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:58:36 2021 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:58:36 2021 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:58:36 2021 TCP/UDP: Preserving recently used remote address: [AF_INET6]2a00:5881:8100:1002::1:1194
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:58:36 2021 Socket Buffers: R=[180224->180224] S=[180224->180224]
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:58:36 2021 UDPv6 link local: (not bound)
janv. 11 16:58:58 ynh-vpnclient[16653]: Mon Jan 11 16:58:36 2021 UDPv6 link remote: [AF_INET6]2a00:5881:8100:1002::1:1194
janv. 11 16:58:58 ynh-vpnclient[16653]: [INFO] Stopping OpenVPN service
janv. 11 16:58:59 ynh-vpnclient[16653]: [CRIT] Failed to start OpenVPN client : tun0 interface did not show up
janv. 11 16:58:59 systemd[1]: ynh-vpnclient.service: Main process exited, code=exited, status=1/FAILURE
janv. 11 16:58:59 systemd[1]: ynh-vpnclient.service: Failed with result 'exit-code'.
janv. 11 16:58:59 systemd[1]: Failed to start YunoHost VPN Client..

/var/log/ynh-vpnclient.log

[INFO] No IPv6/IPv4 firewall set
[FAIL] No host DNS set
[FAIL] Openvpn is not running
[INFO] Retrieving Yunohost settings... 
[ OK ] Settings retrieved
[INFO] [vpnclient] Starting...
[INFO] Cleaning vpnclient custom rules from the firewall
[INFO] Restarting yunohost firewall...
[ OK ] Firewall restarted!
[INFO] Now synchronizing time using ntp...
[INFO] Preparing openvpn configuration...
[INFO] Now actually starting OpenVPN client...
[INFO] OpenVPN client started ... waiting for tun0 interface to show up
[FAIL] Tun0 interface did not show up ... most likely an issue happening in OpenVPN client ... below is an extract of the log that might be relevant to pinpoint the issue
Mon Jan 11 16:41:52 2021 SIGTERM[soft,exit-with-notification] received, process exiting
Mon Jan 11 16:42:43 2021 WARNING: file '/etc/openvpn/keys/user.key' is group or others accessible
Mon Jan 11 16:42:43 2021 OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Mon Jan 11 16:42:43 2021 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Mon Jan 11 16:42:43 2021 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Mon Jan 11 16:42:43 2021 TCP/UDP: Preserving recently used remote address: [AF_INET6]2a00:XXXX:XXXX:XXXX::X:XXXX
Mon Jan 11 16:42:43 2021 Socket Buffers: R=[180224->180224] S=[180224->180224]
Mon Jan 11 16:42:43 2021 UDPv6 link local: (not bound)
Mon Jan 11 16:42:43 2021 UDPv6 link remote: [AF_INET6]2a00:XXXX:XXXX:XXXX::X:XXXX
Mon Jan 11 16:43:05 2021 event_wait : Interrupted system call (code=4)
Mon Jan 11 16:43:05 2021 SIGTERM received, sending exit notification to peer
Mon Jan 11 16:43:06 2021 SIGTERM[soft,exit-with-notification] received, process exiting
Mon Jan 11 16:58:36 2021 WARNING: file '/etc/openvpn/keys/user.key' is group or others accessible
Mon Jan 11 16:58:36 2021 OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Mon Jan 11 16:58:36 2021 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Mon Jan 11 16:58:36 2021 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Mon Jan 11 16:58:36 2021 TCP/UDP: Preserving recently used remote address: [AF_INET6]2a00:XXXX:XXXX:XXXX::X:XXXX
Mon Jan 11 16:58:36 2021 Socket Buffers: R=[180224->180224] S=[180224->180224]
Mon Jan 11 16:58:36 2021 UDPv6 link local: (not bound)
Mon Jan 11 16:58:36 2021 UDPv6 link remote: [AF_INET6]2a00:XXXX:XXXX:XXXX::X:XXXX
[INFO] Stopping OpenVPN service
[CRIT] Failed to start OpenVPN client : tun0 interface did not show up
[INFO] Retrieving Yunohost settings... 
[ OK ] Settings retrieved
[INFO] Autodetected internet interface: 202 (last start: 202)
[INFO] Autodetected IPv6 address for the VPN server: 2a00:XXXX:XXXX:XXXX::X XXXXt start: 2a00:XXXX:XXXX:XXXX::X)XXXXFO] IPv6 delegated prefix found
[INFO] IPv6 address computed from the delegated prefix: 2a00:XXXX:XXXX:XXXX:4X
XXXXO] Hotspot app detected
[INFO] No IPv6 address to set
[INFO] Native IPv6 detected
[INFO] Autodetected native IPv6 gateway: fe80::f6ca:e5ff:fe59:6ab2 (last start: fe80::f6ca:e5ff:fe59:6ab2)
[FAIL] No IPv6 server route set
[INFO] No IPv6/IPv4 firewall set
[FAIL] No host DNS set
[FAIL] Openvpn is not running

rodinux · January 11, 2021, 5:21pm

Du coup, l’adresse mail ne marche plus pour le serveur… En écrivant à arn, on a une réponse pour savoir si c’est bien lié à ce post. alors je confirme… même si c’est pour mon ami Luc.

ljf · January 11, 2021, 5:23pm

Vous êtes sûr d’avoir utilisé le .cube , parce que normalement le .cube contact le vpn via le port 443 et pas 1194…

rodinux · January 11, 2021, 5:30pm

Ok, @ljf, en effet in a cru comprendre qu’il fallait mettre le port 1194, je garde le fichier tel qu’il est proposé au départ ?

Voici a quoi ressemble le .cube

{ 
  "server_name": "vpn.arn-fai.net",
  "server_port": "1194",
  "server_proto": "udp",
  "ip6_net": "2a00:XXXX:XXXX:XXX::XX",
  "ip4_addr": "XX.XXX.XXX.XX",
  "crt_server_ca": "-----BEGIN CERTIFICATE-----|MIIEPzCCAyegAwIBAgIJAJzlDP4UwAIOMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNV|BAYTAkZSMQ8wDQYDVQQIEwZBbHNhY2UxEzARBgNVBAcTClN0cmFzYm91cmcxDDAK|BgNVBAoTA0FSTjEPMA0GA1UEAxMGQUMgVlBOMR4wHAYJKoZIhvcNAQkBFg92cG5A|YXJuLWZhaS5uZXQwHhcNMTQwNzAxMTc1MjA0WhcNMjQwNjI4MTc1MjA0WjByMQsw|CQYDVQQGEwJGUjEPMA0GA1UECBMGQWxzYWNlMRMwEQYDVQQHEwpTdHJhc2JvdXJn|MQwwCgYDVQQKEwNBUk4xDzANBgNVBAMTBkFDIFZQTjEeMBwGCSqGSIb3DQEJARYP|dnBuQGFybi1mYWkubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA|0vsQrBt8hCPzyinlTC2Xc/eje3jWEdj4fjJpiYmNr/DbHgF4+Lxzxi+Alsn8RQuG|+wFkgyOkzOEoca2qc0eHaWlXt8qcCWBpQUPQXTgS3blspZl839ne4nwBdQQQDsHn|wHxOQ/Jm7dX/mCUh8d5F8JiT24IgQW2xUK5JM3GprTIOqT23ORKDs2zPtWl/VuoB|tOrUn/kqUhYKw13HKuRYCv4pVXApGQ+xbvC90lnvmnjPIQ57AdE4gPBdptk2aGVu|2kvBPbcvi94iyp5H3VKhGpmniYknYeDOoi5o7y4Tsj262xT14oxSXznFFyDSW4NQ|SjjH4W6pPsRSjFbLwY0dfwIDAQABo4HXMIHUMB0GA1UdDgQWBBThtjgo+fpoezmZ|Lw0NxpXJRab+VTCBpAYDVR0jBIGcMIGZgBThtjgo+fpoezmZLw0NxpXJRab+VaF2|pHQwcjELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkFsc2FjZTETMBEGA1UEBxMKU3Ry|YXNib3VyZzEMMAoGA1UEChMDQVJOMQ8wDQYDVQQDEwZBQyBWUE4xHjAcBgkqhkiG|9w0BCQEWD3ZwbkBhcm4tZmFpLm5ldIIJAJzlDP4UwAIOMAwGA1UdEwQFMAMBAf8w|DQYJKoZIhvcNAQELBQADggEBAE1w8TsTV2nEKOGVk5c97OdcW80PH5am+dy8EI/r|nebFgTKOb4AnipAMDCvD2MSymUIuCmwDTwy13lgyqAWlbjyx4ogW4VH2nq2TIzpB|lVP00YcHW7TWF2/cbGClwCQppUX0fFULFGhP4GktrfE9Js1w+bBRGpSKS4c0vIet|sdT5IYJXwe7357TgcPqwE3iPa4wQOT07gTtkUMRZMoRY2Q6XpWvU2UWIbq9iSSGg|6/I7YxPwhk0GBX+PA7G6FMo3JajCT3tuDtC/509H9qGscHkZTOIFZwBZ5peISOe0|HXapcikfzY2uU2DifClRNK5iqU2QdnSrHeF/gDcXVlQHZ40=|-----END CERTIFICATE-----",
  "crt_client": "-----BEGIN CERTIFICATE-----|balbalbalbala=blabla|-----END CERTIFICATE-----",
  "crt_client_key": "-----BEGIN PRIVATE KEY-----|balbala=balblabla|-----END PRIVATE KEY-----",
  "crt_client_ta": "",
  "login_user": "",
  "login_passphrase": "",
  "dns0": "89.234.141.66",
  "dns1": "2a00:5881:8100:1000::3",
  "openvpn_rm": [
    ""
  ],
  "openvpn_add": [ 
    "fragment 1300 ",
    "mssfix"
  ]
}

ljf · January 11, 2021, 5:32pm

Oui il faut garder avec le fichier initial qui est logiquement fonctionnel dans le plus de cas possible. En gros il faut plutôt:

{ 
  "server_name": "89.234.141.94",
  "server_port": "443",
  "server_proto": "udp",
  "ip6_net": "2a00:XXXX:XXXX:XXX::XX",
  "ip4_addr": "XX.XXX.XXX.XX",
  "crt_server_ca": "-----BEGIN CERTIFICATE-----|MIIEPzCCAyegAwIBAgIJAJzlDP4UwAIOMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNV|BAYTAkZSMQ8wDQYDVQQIEwZBbHNhY2UxEzARBgNVBAcTClN0cmFzYm91cmcxDDAK|BgNVBAoTA0FSTjEPMA0GA1UEAxMGQUMgVlBOMR4wHAYJKoZIhvcNAQkBFg92cG5A|YXJuLWZhaS5uZXQwHhcNMTQwNzAxMTc1MjA0WhcNMjQwNjI4MTc1MjA0WjByMQsw|CQYDVQQGEwJGUjEPMA0GA1UECBMGQWxzYWNlMRMwEQYDVQQHEwpTdHJhc2JvdXJn|MQwwCgYDVQQKEwNBUk4xDzANBgNVBAMTBkFDIFZQTjEeMBwGCSqGSIb3DQEJARYP|dnBuQGFybi1mYWkubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA|0vsQrBt8hCPzyinlTC2Xc/eje3jWEdj4fjJpiYmNr/DbHgF4+Lxzxi+Alsn8RQuG|+wFkgyOkzOEoca2qc0eHaWlXt8qcCWBpQUPQXTgS3blspZl839ne4nwBdQQQDsHn|wHxOQ/Jm7dX/mCUh8d5F8JiT24IgQW2xUK5JM3GprTIOqT23ORKDs2zPtWl/VuoB|tOrUn/kqUhYKw13HKuRYCv4pVXApGQ+xbvC90lnvmnjPIQ57AdE4gPBdptk2aGVu|2kvBPbcvi94iyp5H3VKhGpmniYknYeDOoi5o7y4Tsj262xT14oxSXznFFyDSW4NQ|SjjH4W6pPsRSjFbLwY0dfwIDAQABo4HXMIHUMB0GA1UdDgQWBBThtjgo+fpoezmZ|Lw0NxpXJRab+VTCBpAYDVR0jBIGcMIGZgBThtjgo+fpoezmZLw0NxpXJRab+VaF2|pHQwcjELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkFsc2FjZTETMBEGA1UEBxMKU3Ry|YXNib3VyZzEMMAoGA1UEChMDQVJOMQ8wDQYDVQQDEwZBQyBWUE4xHjAcBgkqhkiG|9w0BCQEWD3ZwbkBhcm4tZmFpLm5ldIIJAJzlDP4UwAIOMAwGA1UdEwQFMAMBAf8w|DQYJKoZIhvcNAQELBQADggEBAE1w8TsTV2nEKOGVk5c97OdcW80PH5am+dy8EI/r|nebFgTKOb4AnipAMDCvD2MSymUIuCmwDTwy13lgyqAWlbjyx4ogW4VH2nq2TIzpB|lVP00YcHW7TWF2/cbGClwCQppUX0fFULFGhP4GktrfE9Js1w+bBRGpSKS4c0vIet|sdT5IYJXwe7357TgcPqwE3iPa4wQOT07gTtkUMRZMoRY2Q6XpWvU2UWIbq9iSSGg|6/I7YxPwhk0GBX+PA7G6FMo3JajCT3tuDtC/509H9qGscHkZTOIFZwBZ5peISOe0|HXapcikfzY2uU2DifClRNK5iqU2QdnSrHeF/gDcXVlQHZ40=|-----END CERTIFICATE-----",
  "crt_client": "-----BEGIN CERTIFICATE-----|balbalbalbala=blabla|-----END CERTIFICATE-----",
  "crt_client_key": "-----BEGIN PRIVATE KEY-----|balbala=balblabla|-----END PRIVATE KEY-----",
  "crt_client_ta": "",
  "login_user": "",
  "login_passphrase": "",
  "dns0": "89.234.141.66",
  "dns1": "2a00:5881:8100:1000::3",
  "openvpn_rm": [
    ""
  ],
  "openvpn_add": [ 
    "fragment 1300 ",
    "mssfix"
  ]
}

Si la machine est en IPv6 first et que le FAI est Free, c’est normal qu’en mettant le nom de domaine ça ne marche pas. A cause de la guerre entre Free et HE (vu qu’ARN annonce l’ipv6 via HE). Je trouve bizarre qu’il y ai le nom de domaine “vpn.arn-fai.net”, normalement notre script utilise l’ip du serveur directement.

Pour le port 443 ça maximise le passage du vpn dans les milieux hostile.

rodinux · January 11, 2021, 5:36pm

D’accord, si je prends le fichier brut télécharger depuis arn, quelques petites choses changent en effet… les adresses ipv6 aussi…
Sur la page pour configurer vpn pour brique internet il me semblait qu’il fallait éditer deux 3 choses/…

ljf · January 11, 2021, 5:39pm

Ok je viens de comprendre, je corrige cette documentation obsolete. Il faut bien garder le fichier cube en l’état, tel qu’on le fournit dans la console adhérent⋅es et normalement tout roule .

rodinux · January 11, 2021, 5:41pm

Ok ! ça y est !! Yes

rodinux · January 11, 2021, 5:43pm

Plus qu’ à attendre la propagation du reverseDNS pour son nom de domaine pour déblacklisté mon ami !

ljf · January 11, 2021, 5:44pm

Pour info le tuto a été mis à jour: https://wiki.arn-fai.net/documentation:vpn#tutoriel_pour_une_brique_internet

ljf · January 11, 2021, 5:47pm

C’est fait pour le reverse DNS.

rodinux · January 11, 2021, 5:48pm

Waouw ! super merci !!

rodinux · January 11, 2021, 8:40pm

Super rapide ! Un big up pour arn…
Juste une dernière question… l’adresse email était considérée comme spam, un peu blacklistée, mais de passer à un vrai Rdns comme maintenant, suffit-il à le déblacklister ? J’imagine que oui ?

Aleks · January 11, 2021, 9:01pm

Oui, certaines blacklists blaklisent seulement à cause du reverse DNS, c’est généralement indiqué dans la raison du blacklisting

system · January 26, 2021, 9:01pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.