OpenVPN: reneg-sec does not work
Good day, everyone!
Please help me figure out a problem I don't quite understand. I'll describe the situation as I see it; if anything is unclear, just ask )
We have an OpenVPN server and a separate FreeRADIUS. Authentication is certificates plus username and password.
Everything works. The server config contains the block-outside-dns parameter so that, while the OpenVPN connection is up, the client's DNS queries go only through the OpenVPN tunnel. If reneg-sec is absent from the server config, then after 3600 seconds a transparent renegotiation cannot happen (because that only works with certificates, not with username and password), and we get a dropped connection plus no DNS names resolve at all. So reneg-sec has to be configured somehow.
If I set any value for reneg-sec (for example 0 or 7200), the following starts pouring into syslog:
May 26 14:47:16 debian kernel: [177971.248036] EDAC MC0: 1 CE Read error on unknown memory (branch:0 channel:1 slot:1 page:0x0 offset:0x0 grain:0 syndrome:0x0 - Rank=0 Bank=0 RDWR=Read RAS=4294 CAS=16, CE Err=0x2000 (Correctable Non-Mirrored Demand Data ECC)))
May 26 14:47:19 debian kernel: [177974.248053] EDAC MC0: 1 CE Read error on unknown memory (branch:0 channel:1 slot:1 page:0x0 offset:0x0 grain:0 syndrome:0x0 - Rank=0 Bank=0 RDWR=Read RAS=4102 CAS=16, CE Err=0x10000 (Correctable Patrol Data ECC)))
On top of that, the client cannot connect if reneg-sec is set. Here is the connection log:
Wed May 25 22:43:04 2016 pkcs11_protected_authentication = DISABLED
Wed May 25 22:43:04 2016 pkcs11_protected_authentication = DISABLED
Wed May 25 22:43:04 2016 pkcs11_private_mode = 00000000
Wed May 25 22:43:04 2016 pkcs11_private_mode = 00000000
Wed May 25 22:43:04 2016 pkcs11_private_mode = 00000000
Wed May 25 22:43:04 2016 pkcs11_private_mode = 00000000
Wed May 25 22:43:04 2016 pkcs11_private_mode = 00000000
Wed May 25 22:43:04 2016 pkcs11_private_mode = 00000000
Wed May 25 22:43:04 2016 pkcs11_private_mode = 00000000
Wed May 25 22:43:04 2016 pkcs11_private_mode = 00000000
Wed May 25 22:43:04 2016 pkcs11_private_mode = 00000000
Wed May 25 22:43:04 2016 pkcs11_private_mode = 00000000
Wed May 25 22:43:04 2016 pkcs11_private_mode = 00000000
Wed May 25 22:43:04 2016 pkcs11_private_mode = 00000000
Wed May 25 22:43:04 2016 pkcs11_private_mode = 00000000
Wed May 25 22:43:04 2016 pkcs11_private_mode = 00000000
Wed May 25 22:43:04 2016 pkcs11_private_mode = 00000000
Wed May 25 22:43:04 2016 pkcs11_private_mode = 00000000
Wed May 25 22:43:04 2016 pkcs11_cert_private = DISABLED
Wed May 25 22:43:04 2016 pkcs11_cert_private = DISABLED
Wed May 25 22:43:04 2016 pkcs11_cert_private = DISABLED
Wed May 25 22:43:04 2016 pkcs11_cert_private = DISABLED
Wed May 25 22:43:04 2016 pkcs11_cert_private = DISABLED
Wed May 25 22:43:04 2016 pkcs11_cert_private = DISABLED
Wed May 25 22:43:04 2016 pkcs11_cert_private = DISABLED
Wed May 25 22:43:04 2016 pkcs11_cert_private = DISABLED
Wed May 25 22:43:04 2016 pkcs11_cert_private = DISABLED
Wed May 25 22:43:04 2016 pkcs11_cert_private = DISABLED
Wed May 25 22:43:04 2016 pkcs11_cert_private = DISABLED
Wed May 25 22:43:04 2016 pkcs11_cert_private = DISABLED
Wed May 25 22:43:04 2016 pkcs11_cert_private = DISABLED
Wed May 25 22:43:04 2016 pkcs11_cert_private = DISABLED
Wed May 25 22:43:04 2016 pkcs11_cert_private = DISABLED
Wed May 25 22:43:04 2016 pkcs11_cert_private = DISABLED
Wed May 25 22:43:04 2016 pkcs11_pin_cache_period = -1
Wed May 25 22:43:04 2016 pkcs11_id = '[UNDEF]'
Wed May 25 22:43:04 2016 pkcs11_id_management = DISABLED
Wed May 25 22:43:04 2016 server_network = 0.0.0.0
Wed May 25 22:43:04 2016 server_netmask = 0.0.0.0
Wed May 25 22:43:04 2016 server_network_ipv6 = ::
Wed May 25 22:43:04 2016 server_netbits_ipv6 = 0
Wed May 25 22:43:04 2016 server_bridge_ip = 0.0.0.0
Wed May 25 22:43:04 2016 server_bridge_netmask = 0.0.0.0
Wed May 25 22:43:04 2016 server_bridge_pool_start = 0.0.0.0
Wed May 25 22:43:04 2016 server_bridge_pool_end = 0.0.0.0
Wed May 25 22:43:04 2016 ifconfig_pool_defined = DISABLED
Wed May 25 22:43:04 2016 ifconfig_pool_start = 0.0.0.0
Wed May 25 22:43:04 2016 ifconfig_pool_end = 0.0.0.0
Wed May 25 22:43:04 2016 ifconfig_pool_netmask = 0.0.0.0
Wed May 25 22:43:04 2016 ifconfig_pool_persist_filename = '[UNDEF]'
Wed May 25 22:43:04 2016 ifconfig_pool_persist_refresh_freq = 600
Wed May 25 22:43:04 2016 ifconfig_ipv6_pool_defined = DISABLED
Wed May 25 22:43:04 2016 ifconfig_ipv6_pool_base = ::
Wed May 25 22:43:04 2016 ifconfig_ipv6_pool_netbits = 0
Wed May 25 22:43:04 2016 n_bcast_buf = 256
Wed May 25 22:43:04 2016 tcp_queue_limit = 64
Wed May 25 22:43:04 2016 real_hash_size = 256
Wed May 25 22:43:04 2016 virtual_hash_size = 256
Wed May 25 22:43:04 2016 client_connect_script = '[UNDEF]'
Wed May 25 22:43:04 2016 learn_address_script = '[UNDEF]'
Wed May 25 22:43:04 2016 client_disconnect_script = '[UNDEF]'
Wed May 25 22:43:04 2016 client_config_dir = '[UNDEF]'
Wed May 25 22:43:04 2016 ccd_exclusive = DISABLED
Wed May 25 22:43:04 2016 tmp_dir = 'C:\Temp\'
Wed May 25 22:43:04 2016 push_ifconfig_defined = DISABLED
Wed May 25 22:43:04 2016 push_ifconfig_local = 0.0.0.0
Wed May 25 22:43:04 2016 push_ifconfig_remote_netmask = 0.0.0.0
Wed May 25 22:43:04 2016 push_ifconfig_ipv6_defined = DISABLED
Wed May 25 22:43:04 2016 push_ifconfig_ipv6_local = ::/0
Wed May 25 22:43:04 2016 push_ifconfig_ipv6_remote = ::
Wed May 25 22:43:04 2016 enable_c2c = DISABLED
Wed May 25 22:43:04 2016 duplicate_cn = DISABLED
Wed May 25 22:43:04 2016 cf_max = 0
Wed May 25 22:43:04 2016 cf_per = 0
Wed May 25 22:43:04 2016 max_clients = 1024
Wed May 25 22:43:04 2016 max_routes_per_client = 256
Wed May 25 22:43:04 2016 auth_user_pass_verify_script = '[UNDEF]'
Wed May 25 22:43:04 2016 auth_user_pass_verify_script_via_file = DISABLED
Wed May 25 22:43:04 2016 client = ENABLED
Wed May 25 22:43:04 2016 pull = ENABLED
Wed May 25 22:43:04 2016 auth_user_pass_file = 'stdin'
Wed May 25 22:43:04 2016 show_net_up = DISABLED
Wed May 25 22:43:04 2016 route_method = 0
Wed May 25 22:43:04 2016 block_outside_dns = DISABLED
Wed May 25 22:43:04 2016 ip_win32_defined = DISABLED
Wed May 25 22:43:04 2016 ip_win32_type = 3
Wed May 25 22:43:04 2016 dhcp_masq_offset = 0
Wed May 25 22:43:04 2016 dhcp_lease_time = 31536000
Wed May 25 22:43:04 2016 tap_sleep = 0
Wed May 25 22:43:04 2016 dhcp_options = DISABLED
Wed May 25 22:43:04 2016 dhcp_renew = DISABLED
Wed May 25 22:43:04 2016 dhcp_pre_release = DISABLED
Wed May 25 22:43:04 2016 dhcp_release = DISABLED
Wed May 25 22:43:04 2016 domain = '[UNDEF]'
Wed May 25 22:43:04 2016 netbios_scope = '[UNDEF]'
Wed May 25 22:43:04 2016 netbios_node_type = 0
Wed May 25 22:43:04 2016 disable_nbt = DISABLED
Wed May 25 22:43:04 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Feb 1 2016
Wed May 25 22:43:04 2016 Windows version 6.1 (Windows 7)
Wed May 25 22:43:04 2016 library versions: OpenSSL 1.0.1r 28 Jan 2016, LZO 2.09
Wed May 25 22:43:04 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Wed May 25 22:43:04 2016 Need hold release from management interface, waiting...
Wed May 25 22:43:04 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Wed May 25 22:43:04 2016 MANAGEMENT: CMD 'state on'
Wed May 25 22:43:04 2016 MANAGEMENT: CMD 'log all on'
Wed May 25 22:43:04 2016 MANAGEMENT: CMD 'hold off'
Wed May 25 22:43:04 2016 MANAGEMENT: CMD 'hold release'
Wed May 25 22:43:07 2016 MANAGEMENT: CMD 'username "Auth" "deleted"'
Wed May 25 22:43:07 2016 MANAGEMENT: CMD 'password [...]'
Wed May 25 22:43:07 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed May 25 22:43:07 2016 LZO compression initialized
Wed May 25 22:43:07 2016 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Wed May 25 22:43:07 2016 Control Channel MTU parms [ L:1444 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Wed May 25 22:43:07 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed May 25 22:43:07 2016 MANAGEMENT: >STATE:1464201787,RESOLVE,,,
Wed May 25 22:43:07 2016 Data Channel MTU parms [ L:1444 D:1444 EF:44 EB:143 ET:0 EL:3 AF:3/1 ]
Wed May 25 22:43:07 2016 Local Options String: 'V4,dev-type tun,link-mtu 1444,tun-mtu 1400,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed May 25 22:43:07 2016 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1444,tun-mtu 1400,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed May 25 22:43:07 2016 Local Options hash (VER=V4): '7dfc3732'
Wed May 25 22:43:07 2016 Expected Remote Options hash (VER=V4): '347277f0'
Wed May 25 22:43:07 2016 Attempting to establish TCP connection with [AF_INET]x.x.x.x:443 [nonblock]
Wed May 25 22:43:07 2016 MANAGEMENT: >STATE:1464201787,TCP_CONNECT,,,
Wed May 25 22:43:08 2016 TCP connection established with [AF_INET]x.x.x.x:443
Wed May 25 22:43:08 2016 TCPv4_CLIENT link local: [undef]
Wed May 25 22:43:08 2016 TCPv4_CLIENT link remote: [AF_INET]x.x.x.x:443
Wed May 25 22:43:08 2016 MANAGEMENT: >STATE:1464201788,WAIT,,,
Wed May 25 22:43:08 2016 TCPv4_CLIENT WRITE [14] to [AF_INET]x.x.x.x:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed May 25 22:43:10 2016 TCPv4_CLIENT WRITE [14] to [AF_INET]x.x.x.x:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed May 25 22:43:15 2016 TCPv4_CLIENT WRITE [14] to [AF_INET]x.x.x.x:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed May 25 22:43:23 2016 TCPv4_CLIENT WRITE [14] to [AF_INET]x.x.x.x:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed May 25 22:43:30 2016 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
Wed May 25 22:43:30 2016 TCPv4_CLIENT READ [0] from [AF_INET]x.x.x.x:443: DATA UNDEF len=-1
Wed May 25 22:43:30 2016 Connection reset, restarting [-1]
Wed May 25 22:43:30 2016 TCP/UDP: Closing socket
Wed May 25 22:43:30 2016 SIGUSR1[soft,connection-reset] received, process restarting
Wed May 25 22:43:30 2016 MANAGEMENT: >STATE:1464201810,RECONNECTING,connection-reset,,
Wed May 25 22:43:30 2016 Restart pause, 5 second(s)
Client config:
client
dev tun
proto tcp
remote x.x.x.x 443
nobind
persist-key
persist-tun
auth-user-pass
comp-lzo
reneg-sec 0
tun-mtu 1400
verb 6
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>

Server config:
local x.x.x.x
port 443
proto tcp
dev tun0
ca ca.crt
cert server1.crt
key server1.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
reneg-sec 0
tcp-queue-limit 256
tun-mtu 1400
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
log /etc/openvpn/openvpn.log
verb 6
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
push "block-outside-dns"
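Added here as an example and not part of the original post: a small Python linter for a client/server config pair like the one above. It works on constructed copies of the two configs (certificate bodies omitted) and reports the effective renegotiation interval (either peer can trigger it, so the lower non-zero reneg-sec wins), the missing server-certificate role check that the client log's MITM WARNING refers to, and whether block-outside-dns is set locally or pushed.

```python
import re
DEFAULT_RENEG_SEC = 3600  # OpenVPN's default renegotiation interval when reneg-sec is unset
# Constructed samples, trimmed from the configs in the post (certificate bodies omitted)
CLIENT_CFG = "client\ndev tun\nproto tcp\nremote x.x.x.x 443\nauth-user-pass\n" \
             "reneg-sec 0\n<ca>\n-----BEGIN CERTIFICATE-----\n...\n</ca>\n"
SERVER_CFG = "port 443\nproto tcp\nserver 10.8.0.0 255.255.255.0\nreneg-sec 0\n" \
             'push "dhcp-option DNS 8.8.8.8"\npush "block-outside-dns"\n'

def parse_config(text):
    """Map directive -> list of argument lists and collect pushed directive names;
    inline <ca>/<cert>/<key> blocks are skipped so PEM lines are never parsed."""
    opts, pushed, inline = {}, set(), None
    for line in (l.strip() for l in text.splitlines()):
        if inline:                                   # inside <tag> ... </tag>
            inline = None if line == f"</{inline}>" else inline
            continue
        m = re.fullmatch(r"<(\w+)>", line)
        if m:
            inline = m.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        if name == "push":                           # push "route 10.8.0.0 ..." -> route
            pushed.add(" ".join(args).strip('"').split()[0])
        opts.setdefault(name, []).append(args)
    return opts, pushed

def reneg_interval(opts):
    """Per-side interval; 0 means this side never starts a renegotiation."""
    vals = opts.get("reneg-sec")
    return int(vals[-1][0]) if vals else DEFAULT_RENEG_SEC

def effective_reneg(client, server):
    """Either peer may trigger it, so the smaller non-zero value wins; 0 only if both are 0."""
    nonzero = [v for v in (reneg_interval(client), reneg_interval(server)) if v]
    return min(nonzero) if nonzero else 0

def lint(client_text, server_text):
    client, _ = parse_config(client_text)
    server, pushed = parse_config(server_text)
    eff, findings = effective_reneg(client, server), []
    if "auth-user-pass" in client and eff:
        findings.append(f"auth-user-pass with renegotiation every {eff}s: credentials are "
                        "re-checked each interval (the drop described in the post)")
    if not client.keys() & {"remote-cert-tls", "ns-cert-type"}:
        findings.append("client never verifies the server certificate role; add 'remote-cert-tls server'")
    if "block-outside-dns" not in client and "block-outside-dns" not in pushed:
        findings.append("block-outside-dns is neither set locally nor pushed")
    return eff, findings
```

With the post's pair (reneg-sec 0 on both sides) the only finding is the missing remote-cert-tls check; dropping reneg-sec from just the client brings the interval back to 3600 s, because the server's 0 does not cancel the client's default.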