OpenVPN no longer connects

rooki

New Member
Hello,
I have an OpenVPN server running on a Raspberry. It has been absolutely stable for 5 years. My problem is that for about 2 weeks I have not been able to get a connection with my phone as the client. On the phone I have installed OpenVPN by Arne Schwabe.

My DynDNS account is reachable and the correct IP is being reported. I don't know what else to do....

Could someone take a look at the log file?
2021-10-30 12:28:19 offizielle Version 0.7.16 läuft auf samsung SM-G985F (exynos990), Android 11 (RP1A.200720.012) API 30, ABI arm64-v8a, (samsung/y2seea/y2s:11/RP1A.200720.012/G985FXXUBDUI5:user/release-keys)
2021-10-30 12:28:19 Generiere OpenVPN-Konfiguration…
2021-10-30 12:28:19 MANAGEMENT: CMD 'signal SIGINT'
2021-10-30 12:28:19 SIGINT[hard,init_instance] received, process exiting
2021-10-30 12:28:19 MANAGEMENT: >STATE:1635589699,EXITING,init_instance,,,,,
2021-10-30 12:28:21 started Socket Thread
2021-10-30 12:28:21 Netzwerkstatus: CONNECTED to WIFI
2021-10-30 12:28:21 Debug state info: CONNECTED to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2021-10-30 12:28:21 P:WARNING: linker: Warning: "/data/app/~~sHjABR7kgOvaK4UUtSSQOQ==/de.blinkt.openvpn-Zbh_Pe3V8MQBeyBjBy3qCA==/lib/arm64/libovpnexec.so" is not a directory (ignoring)
2021-10-30 12:28:21 Debug state info: CONNECTED to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2021-10-30 12:28:21 WARNING: Compression enabled, Compression has been used in the past to break encryption. Enabling decompression of received packet only. Sent packets are not compressed.
2021-10-30 12:28:21 Current Parameter Settings:
2021-10-30 12:28:21 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2021-10-30 12:28:21 mode = 0
2021-10-30 12:28:21 show_ciphers = DISABLED
2021-10-30 12:28:21 show_digests = DISABLED
2021-10-30 12:28:21 show_engines = DISABLED
2021-10-30 12:28:21 genkey = DISABLED
2021-10-30 12:28:21 genkey_filename = '[UNDEF]'
2021-10-30 12:28:21 key_pass_file = '[UNDEF]'
2021-10-30 12:28:21 show_tls_ciphers = DISABLED
2021-10-30 12:28:21 connect_retry_max = 0
2021-10-30 12:28:21 Connection profiles [0]:
2021-10-30 12:28:21 proto = udp
2021-10-30 12:28:21 local = '[UNDEF]'
2021-10-30 12:28:21 local_port = '[UNDEF]'
2021-10-30 12:28:21 remote = 'xxx.dyndns.org'
2021-10-30 12:28:21 remote_port = '443'
2021-10-30 12:28:21 remote_float = DISABLED
2021-10-30 12:28:21 bind_defined = DISABLED
2021-10-30 12:28:21 bind_local = DISABLED
2021-10-30 12:28:21 bind_ipv6_only = DISABLED
2021-10-30 12:28:21 connect_retry_seconds = 2
2021-10-30 12:28:21 connect_timeout = 120
2021-10-30 12:28:21 socks_proxy_server = '[UNDEF]'
2021-10-30 12:28:21 socks_proxy_port = '[UNDEF]'
2021-10-30 12:28:21 tun_mtu = 1500
2021-10-30 12:28:21 tun_mtu_defined = ENABLED
2021-10-30 12:28:21 link_mtu = 1500
2021-10-30 12:28:21 link_mtu_defined = DISABLED
2021-10-30 12:28:21 tun_mtu_extra = 0
2021-10-30 12:28:21 tun_mtu_extra_defined = DISABLED
2021-10-30 12:28:21 mtu_discover_type = -1
2021-10-30 12:28:21 fragment = 0
2021-10-30 12:28:21 mssfix = 1450
2021-10-30 12:28:21 explicit_exit_notification = 0
2021-10-30 12:28:21 tls_auth_file = '[UNDEF]'
2021-10-30 12:28:21 key_direction = not set
2021-10-30 12:28:21 tls_crypt_file = '[UNDEF]'
2021-10-30 12:28:21 tls_crypt_v2_file = '[UNDEF]'
2021-10-30 12:28:21 Connection profiles END
2021-10-30 12:28:21 remote_random = DISABLED
2021-10-30 12:28:21 ipchange = '[UNDEF]'
2021-10-30 12:28:21 Warte 0s Sekunden zwischen zwei Verbindungsversuchen
2021-10-30 12:28:21 dev = 'tun'
2021-10-30 12:28:21 dev_type = '[UNDEF]'
2021-10-30 12:28:21 dev_node = '[UNDEF]'
2021-10-30 12:28:21 lladdr = '[UNDEF]'
2021-10-30 12:28:21 topology = 1
2021-10-30 12:28:21 ifconfig_local = '[UNDEF]'
2021-10-30 12:28:21 ifconfig_remote_netmask = '[UNDEF]'
2021-10-30 12:28:21 ifconfig_noexec = DISABLED
2021-10-30 12:28:21 ifconfig_nowarn = ENABLED
2021-10-30 12:28:21 ifconfig_ipv6_local = '[UNDEF]'
2021-10-30 12:28:21 ifconfig_ipv6_netbits = 0
2021-10-30 12:28:21 ifconfig_ipv6_remote = '[UNDEF]'
2021-10-30 12:28:21 shaper = 0
2021-10-30 12:28:21 mtu_test = 0
2021-10-30 12:28:21 mlock = DISABLED
2021-10-30 12:28:21 keepalive_ping = 0
2021-10-30 12:28:21 keepalive_timeout = 0
2021-10-30 12:28:21 inactivity_timeout = 0
2021-10-30 12:28:21 ping_send_timeout = 0
2021-10-30 12:28:21 ping_rec_timeout = 0
2021-10-30 12:28:21 ping_rec_timeout_action = 0
2021-10-30 12:28:21 ping_timer_remote = DISABLED
2021-10-30 12:28:21 remap_sigusr1 = 0
2021-10-30 12:28:21 persist_tun = ENABLED
2021-10-30 12:28:21 persist_local_ip = DISABLED
2021-10-30 12:28:21 persist_remote_ip = DISABLED
2021-10-30 12:28:21 persist_key = DISABLED
2021-10-30 12:28:21 passtos = DISABLED
2021-10-30 12:28:21 resolve_retry_seconds = 1000000000
2021-10-30 12:28:21 resolve_in_advance = ENABLED
2021-10-30 12:28:21 username = '[UNDEF]'
2021-10-30 12:28:21 groupname = '[UNDEF]'
2021-10-30 12:28:21 chroot_dir = '[UNDEF]'
2021-10-30 12:28:21 cd_dir = '[UNDEF]'
2021-10-30 12:28:21 writepid = '[UNDEF]'
2021-10-30 12:28:21 up_script = '[UNDEF]'
2021-10-30 12:28:21 down_script = '[UNDEF]'
2021-10-30 12:28:21 down_pre = DISABLED
2021-10-30 12:28:21 up_restart = DISABLED
2021-10-30 12:28:21 up_delay = DISABLED
2021-10-30 12:28:21 daemon = DISABLED
2021-10-30 12:28:21 inetd = 0
2021-10-30 12:28:21 log = DISABLED
2021-10-30 12:28:21 suppress_timestamps = DISABLED
2021-10-30 12:28:21 machine_readable_output = ENABLED
2021-10-30 12:28:21 nice = 0
2021-10-30 12:28:21 verbosity = 4
2021-10-30 12:28:21 mute = 0
2021-10-30 12:28:21 gremlin = 0
2021-10-30 12:28:21 status_file = '[UNDEF]'
2021-10-30 12:28:21 status_file_version = 1
2021-10-30 12:28:21 status_file_update_freq = 60
2021-10-30 12:28:21 occ = ENABLED
2021-10-30 12:28:21 rcvbuf = 0
2021-10-30 12:28:21 sndbuf = 0
2021-10-30 12:28:21 sockflags = 0
2021-10-30 12:28:21 fast_io = DISABLED
2021-10-30 12:28:21 comp.alg = 2
2021-10-30 12:28:21 comp.flags = 1
2021-10-30 12:28:21 route_script = '[UNDEF]'
2021-10-30 12:28:21 route_default_gateway = '[UNDEF]'
2021-10-30 12:28:21 route_default_metric = 0
2021-10-30 12:28:21 route_noexec = DISABLED
2021-10-30 12:28:21 route_delay = 0
2021-10-30 12:28:21 route_delay_window = 30
2021-10-30 12:28:21 route_delay_defined = DISABLED
2021-10-30 12:28:21 route_nopull = DISABLED
2021-10-30 12:28:21 route_gateway_via_dhcp = DISABLED
2021-10-30 12:28:21 allow_pull_fqdn = DISABLED
2021-10-30 12:28:21 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2021-10-30 12:28:21 management_port = 'unix'
2021-10-30 12:28:21 management_user_pass = '[UNDEF]'
2021-10-30 12:28:21 management_log_history_cache = 250
2021-10-30 12:28:21 management_echo_buffer_size = 100
2021-10-30 12:28:21 management_write_peer_info_file = '[UNDEF]'
2021-10-30 12:28:21 management_client_user = '[UNDEF]'
2021-10-30 12:28:21 management_client_group = '[UNDEF]'
2021-10-30 12:28:21 management_flags = 16678
2021-10-30 12:28:21 shared_secret_file = '[UNDEF]'
2021-10-30 12:28:21 key_direction = not set
2021-10-30 12:28:21 ciphername = 'BF-CBC'
2021-10-30 12:28:21 ncp_enabled = ENABLED
2021-10-30 12:28:21 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2021-10-30 12:28:21 authname = 'SHA1'
2021-10-30 12:28:21 prng_hash = 'SHA1'
2021-10-30 12:28:21 prng_nonce_secret_len = 16
2021-10-30 12:28:21 keysize = 0
2021-10-30 12:28:21 engine = DISABLED
2021-10-30 12:28:21 replay = ENABLED
2021-10-30 12:28:21 mute_replay_warnings = DISABLED
2021-10-30 12:28:21 replay_window = 64
2021-10-30 12:28:21 replay_time = 15
2021-10-30 12:28:21 packet_id_file = '[UNDEF]'
2021-10-30 12:28:21 test_crypto = DISABLED
2021-10-30 12:28:21 tls_server = DISABLED
2021-10-30 12:28:21 tls_client = ENABLED
2021-10-30 12:28:21 key_method = 2
2021-10-30 12:28:21 ca_file = '[[INLINE]]'
2021-10-30 12:28:21 ca_path = '[UNDEF]'
2021-10-30 12:28:21 dh_file = '[UNDEF]'
2021-10-30 12:28:21 cert_file = '[[INLINE]]'
2021-10-30 12:28:21 extra_certs_file = '[UNDEF]'
2021-10-30 12:28:21 priv_key_file = '[[INLINE]]'
2021-10-30 12:28:21 pkcs12_file = '[UNDEF]'
2021-10-30 12:28:21 cipher_list = '[UNDEF]'
2021-10-30 12:28:21 cipher_list_tls13 = '[UNDEF]'
2021-10-30 12:28:21 tls_cert_profile = '[UNDEF]'
2021-10-30 12:28:21 tls_verify = '[UNDEF]'
2021-10-30 12:28:21 tls_export_cert = '[UNDEF]'
2021-10-30 12:28:21 verify_x509_type = 0
2021-10-30 12:28:21 verify_x509_name = '[UNDEF]'
2021-10-30 12:28:21 crl_file = '[UNDEF]'
2021-10-30 12:28:21 ns_cert_type = 0
2021-10-30 12:28:21 remote_cert_ku = 0
2021-10-30 12:28:21 remote_cert_ku = 0
2021-10-30 12:28:21 remote_cert_ku = 0
2021-10-30 12:28:21 remote_cert_ku = 0
2021-10-30 12:28:21 remote_cert_ku = 0
2021-10-30 12:28:21 remote_cert_ku = 0
2021-10-30 12:28:21 remote_cert_ku = 0
2021-10-30 12:28:21 remote_cert_ku = 0
2021-10-30 12:28:21 remote_cert_ku = 0
2021-10-30 12:28:21 remote_cert_ku = 0
2021-10-30 12:28:21 remote_cert_ku = 0
2021-10-30 12:28:21 remote_cert_ku = 0
2021-10-30 12:28:21 remote_cert_ku = 0
2021-10-30 12:28:21 remote_cert_ku = 0
2021-10-30 12:28:21 remote_cert_ku = 0
2021-10-30 12:28:21 remote_cert_ku = 0
2021-10-30 12:28:21 remote_cert_eku = '[UNDEF]'
2021-10-30 12:28:21 ssl_flags = 0
2021-10-30 12:28:21 tls_timeout = 2
2021-10-30 12:28:21 renegotiate_bytes = -1
2021-10-30 12:28:21 renegotiate_packets = 0
2021-10-30 12:28:21 renegotiate_seconds = 3600
2021-10-30 12:28:21 handshake_window = 60
2021-10-30 12:28:21 transition_window = 3600
2021-10-30 12:28:21 single_session = DISABLED
2021-10-30 12:28:21 push_peer_info = DISABLED
2021-10-30 12:28:21 tls_exit = DISABLED
2021-10-30 12:28:21 tls_crypt_v2_metadata = '[UNDEF]'
2021-10-30 12:28:21 client = ENABLED
2021-10-30 12:28:21 pull = ENABLED
2021-10-30 12:28:21 auth_user_pass_file = '[UNDEF]'
2021-10-30 12:28:21 OpenVPN 2.5-icsopenvpn [git:icsopenvpn/v0.7.16-0-ga0ab2fa3] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 6 2020
2021-10-30 12:28:21 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
2021-10-30 12:28:21 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2021-10-30 12:28:21 MANAGEMENT: CMD 'version 3'
2021-10-30 12:28:21 MANAGEMENT: CMD 'hold release'
2021-10-30 12:28:21 MANAGEMENT: CMD 'bytecount 2'
2021-10-30 12:28:21 MANAGEMENT: CMD 'state on'
2021-10-30 12:28:21 MANAGEMENT: >STATE:1635589701,RESOLVE,,,,,,
2021-10-30 12:28:21 MANAGEMENT: CMD 'proxy NONE'
2021-10-30 12:28:22 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2021-10-30 12:28:22 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2021-10-30 12:28:22 LZO compression initializing
2021-10-30 12:28:22 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2021-10-30 12:28:22 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2021-10-30 12:28:22 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2021-10-30 12:28:22 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2021-10-30 12:28:22 TCP/UDP: Preserving recently used remote address: [AF_INET]2.202.xxx.232:443
2021-10-30 12:28:22 Socket Buffers: R=[245760->245760] S=[245760->245760]
2021-10-30 12:28:22 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2021-10-30 12:28:22 UDP link local: (not bound)
2021-10-30 12:28:22 UDP link remote: [AF_INET]2.202.xxx.232:443
2021-10-30 12:28:22 MANAGEMENT: >STATE:1635589702,WAIT,,,,,,

Config Server:

dev tun
proto udp
port 443
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
user nobody
group nogroup
tls-server
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0

cipher AES-128-CBC
ifconfig 10.8.0.1 255.255.255.0
push "route-gateway 10.8.0.1"
push "route 192.168.178.0 255.255.255.0"
max-clients 4
mode server
route 192.168.88.0 255.255.255.0 10.8.0.150
route 192.168.87.0 255.255.255.0 10.8.0.151
push "dhcp-option DOMAIN 10.8.0.1"
push "redirect-gateway"
tun-mtu 1500
mssfix
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "topology subnet"
topology subnet
log-append /var/log/openvpn
comp-lzo
keepalive 10 120
client-config-dir ccd

Config Client:

dev tun
#tls-client
proto udp
remote XXX.dyndns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Handy_XXX.crt
key Handy_XXX.key
tls-auth ta.key 1
secret ta.key
comp-lzo
verb 3

Thank you very much
Regards, Rooki
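
Added example (not part of the original post): a small shell check that compares what the client's parameter dump says it actually ran with against the posted server config, and reports the last management state. The input excerpts are constructed from the log and config above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Both inputs are excerpts constructed
# from the client log and server config posted above.
client_log() { cat <<'EOF'
2021-10-30 12:28:21 tls_auth_file = '[UNDEF]'
2021-10-30 12:28:21 ciphername = 'BF-CBC'
2021-10-30 12:28:21 ncp_enabled = ENABLED
2021-10-30 12:28:21 comp.alg = 2
2021-10-30 12:28:22 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2021-10-30 12:28:22 MANAGEMENT: >STATE:1635589702,WAIT,,,,,,
EOF
}
server_conf() { cat <<'EOF'
proto udp
port 443
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
EOF
}

# log_param NAME -> value of "NAME = value" in the client dump, quotes stripped
log_param() { client_log | sed -n "s/^.* $1 = //p" | head -n 1 | tr -d "'"; }
# conf_arg DIRECTIVE -> first argument of DIRECTIVE in the server config
conf_arg() { server_conf | awk -v d="$1" '$1 == d { print $2; exit }'; }

# audit -> one line per difference worth checking, then the last client state
audit() {
    srv_cipher=$(conf_arg cipher)
    cli_cipher=$(log_param ciphername)
    [ "$srv_cipher" = "$cli_cipher" ] ||
        echo "cipher: server=$srv_cipher client=$cli_cipher"
    if [ -n "$(conf_arg tls-auth)" ] &&
       [ "$(log_param tls_auth_file)" = "[UNDEF]" ]; then
        echo "tls-auth: server requires it, client log shows none loaded"
    fi
    if client_log | grep -q 'No server certificate verification'; then
        echo "verify: client does not check the server certificate type"
    fi
    last=$(client_log | sed -n 's/^.*>STATE:[0-9]*,\([A-Z_]*\),.*/\1/p' | tail -n 1)
    echo "last client state: $last"
}
audit
```

The parameter dump in the log, not the client config file as posted, reflects the profile the app generated and used for this attempt.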
 

danton

Debian User
The interesting parts are missing: the log shows no connection being established. The server log would also be interesting; there may be more information in it. And have you already checked whether your certificates are still valid?
 

rooki

New Member
Where do I find the log? How can I check whether the keys are still valid?

On the Raspi, under var/log, I have the following in openvpn-status.log:

OpenVPN CLIENT LIST
Updated,Tue Nov 2 21:06:02 2021
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END
How could I perhaps simply create new certificates for the server and client, to try that out?

Thank you very much

Regards, Rooki
 

danton

Debian User
Your certificates for the server and the CA are located under /etc/openvpn/easy-rsa/keys/
You can display them with openssl x509 -in filename -text, where filename is to be replaced by the respective crt file. You seem to manage your certificates with easy-rsa, but I never really got on with it, so I can't help you much there. However, if you use it to recreate the ca.crt because it has expired, you must afterwards replace it on all clients with the newly generated one.
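
Added example (not part of the original reply): instead of reading the full `-text` output for each file, this shell script uses `openssl x509 -checkend` and `-enddate` to report the expiry status of every certificate in the key directory named above. The 30-day warning threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example: report expiry for the certificates OpenVPN uses.
# KEYS_DIR is the path from the server config in this thread;
# WARN_DAYS is an assumed warning threshold.
KEYS_DIR="${KEYS_DIR:-/etc/openvpn/easy-rsa/keys}"
WARN_DAYS="${WARN_DAYS:-30}"

# cert_status FILE [DAYS] -> prints "expired", "expiring" or "valid";
# prints "unreadable" and returns 2 if FILE is not an X.509 certificate.
cert_status() {
    file=$1
    days=${2:-$WARN_DAYS}
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo "unreadable"
        return 2
    fi
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"
    elif ! openssl x509 -in "$file" -noout \
            -checkend $(( $days * 86400 )) >/dev/null 2>&1; then
        echo "expiring"
    else
        echo "valid"
    fi
}

# report_dir DIR -> one line per *.crt: status, notAfter date, file name.
report_dir() {
    for crt in "$1"/*.crt; do
        [ -f "$crt" ] || continue
        status=$(cert_status "$crt") || :
        end=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%-10s %-26s %s\n' "$status" "${end:-?}" "$crt"
    done
}

# Runs only where the directory exists (e.g. as root on the server).
if [ -d "$KEYS_DIR" ]; then
    report_dir "$KEYS_DIR"
fi
```

Run it on the server for ca.crt and server.crt, and point `KEYS_DIR` at a copy of the client's certificate files to check those as well.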
 