OpenVPN bridge connection not working since reinstallation


Hello,

Following my PHP problem, I reinstalled Debian 12 on my home server, on new hardware (the server was getting old).

This PC acts as an OpenVPN server for a second one; the OpenVPN service runs in "bridge" mode so that both PCs end up on the same network.
The network interface, OpenVPN and firewall configurations were carried over from the old installation; only the name of the public interface was changed in the firewall rules, since it changed with the new hardware.

Even so, since the reinstallation, the OpenVPN connection no longer comes up.

The configuration of the remote server (which is the OpenVPN client) has not changed in a while.
Both computers run Debian 12.

OpenVPN client configuration
/etc/network/interfaces.d/br0:

auto tap0
iface tap0 inet manual
        tunctl_user nobody
        up /usr/sbin/brctl addif tap0 br0
        post-up /usr/bin/ip address del 192.168.1.2/24 dev tap0

auto br0
iface br0 inet static
        address 192.168.1.2
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        bridge_ports enp1s0f1 tap0
        up /usr/sbin/brctl setageing br0 0 && /usr/sbin/brctl stp br0 off
        bridge_fd 0
        bridge_hello 2
        bridge_maxage 12
        bridge_maxwait 0
iface br0 inet6 static
        address fd00:c0:a8:1::2
        netmask 64
        dns-search zergy.lan
        dns-nameserver 127.0.0.1 ::1

/etc/openvpn/client/zergy.net.conf:

client
dev tap0
proto udp
remote vpn.zergy.net 1195
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/xul.crt
key /etc/openvpn/private/xul.key
remote-cert-tls server
tls-auth /etc/openvpn/private/ta.key 1
cipher AES-256-CBC
auth SHA512
route-noexec
comp-lzo
verb 3
mute 20
script-security 2

OpenVPN logs:

2023-01-21T10:39:58.168373+01:00 xul openvpn[1913]: [enalys.zergy.net] Inactivity timeout (--ping-restart), restarting
2023-01-21T10:39:58.168906+01:00 xul openvpn[1913]: SIGUSR1[soft,ping-restart] received, process restarting
2023-01-21T10:39:58.169009+01:00 xul openvpn[1913]: Restart pause, 1 second(s)
2023-01-21T10:39:59.168939+01:00 xul openvpn[1913]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-01-21T10:39:59.169064+01:00 xul openvpn[1913]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-01-21T10:39:59.169194+01:00 xul openvpn[1913]: TCP/UDP: Preserving recently used remote address: [AF_INET6]2001:910:133b:ffff::1:1195
2023-01-21T10:39:59.169310+01:00 xul openvpn[1913]: Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-01-21T10:39:59.169407+01:00 xul openvpn[1913]: UDPv6 link local: (not bound)
2023-01-21T10:39:59.169503+01:00 xul openvpn[1913]: UDPv6 link remote: [AF_INET6]2001:910:133b:ffff::1:1195
2023-01-21T10:39:59.173864+01:00 xul openvpn[1913]: TLS: Initial packet from [AF_INET6]2001:910:133b:ffff::1:1195, sid=f75548fa 0358ee25
2023-01-21T10:39:59.182998+01:00 xul openvpn[1913]: VERIFY OK: depth=1, C=FR, ST=Seine-Saint-Denis, L=Le Pre-Saint-Gervais, O=Zergy.net, OU=VPN, CN=enalys.zergy.net, name=VPNServer, emailAddress=admin@zergy.net
2023-01-21T10:39:59.183368+01:00 xul openvpn[1913]: VERIFY KU OK
2023-01-21T10:39:59.183476+01:00 xul openvpn[1913]: Validating certificate extended key usage
2023-01-21T10:39:59.183573+01:00 xul openvpn[1913]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-01-21T10:39:59.183673+01:00 xul openvpn[1913]: VERIFY EKU OK
2023-01-21T10:39:59.183778+01:00 xul openvpn[1913]: NOTE: --mute triggered...
2023-01-21T10:39:59.196504+01:00 xul openvpn[1913]: 2 variation(s) on previous 20 message(s) suppressed by --mute
2023-01-21T10:39:59.196632+01:00 xul openvpn[1913]: [enalys.zergy.net] Peer Connection Initiated with [AF_INET6]2001:910:133b:ffff::1:1195
2023-01-21T10:39:59.196742+01:00 xul openvpn[1913]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-01-21T10:39:59.196869+01:00 xul openvpn[1913]: TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-01-21T10:39:59.209293+01:00 xul openvpn[1913]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,dhcp-option DOMAIN zergy.lan,dhcp-option NTP 192.168.1.1,dhcp-option WINS 192.168.1.1,route-gateway 192.168.1.1,ping 10,ping-restart 120,ifconfig 192.168.1.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm,tun-mtu 1500'
2023-01-21T10:39:59.209434+01:00 xul openvpn[1913]: OPTIONS IMPORT: timers and/or timeouts modified
2023-01-21T10:39:59.209551+01:00 xul openvpn[1913]: OPTIONS IMPORT: --ifconfig/up options modified
2023-01-21T10:39:59.209649+01:00 xul openvpn[1913]: OPTIONS IMPORT: route-related options modified
2023-01-21T10:39:59.209747+01:00 xul openvpn[1913]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-01-21T10:39:59.209843+01:00 xul openvpn[1913]: OPTIONS IMPORT: peer-id set
2023-01-21T10:39:59.209946+01:00 xul openvpn[1913]: NOTE: --mute triggered...
2023-01-21T10:39:59.210035+01:00 xul openvpn[1913]: 2 variation(s) on previous 20 message(s) suppressed by --mute
2023-01-21T10:39:59.210120+01:00 xul openvpn[1913]: Preserving previous TUN/TAP instance: tap0
2023-01-21T10:39:59.210212+01:00 xul openvpn[1913]: Data Channel: using negotiated cipher 'AES-256-GCM'
2023-01-21T10:39:59.210325+01:00 xul openvpn[1913]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-21T10:39:59.210421+01:00 xul openvpn[1913]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-21T10:39:59.210525+01:00 xul openvpn[1913]: Initialization Sequence Completed

OpenVPN client configuration
/etc/network/interfaces.d/br0:

auto tap0
iface tap0 inet manual
        tunctl_user openvpn

auto br0
iface br0 inet static
        address 192.168.1.1
        netmask 255.255.255.0
        network 192.169.1.0
        broadcast 192.168.1.255
        bridge_ports enp18s0f0 enp18s0f1 enp20s0f0 enp20s0f1 tap0
        up /usr/sbin/brctl setageing br0 0 && /usr/sbin/brctl stp br0 off
        bridge_setageing 0
        bridge_stp off
        bridge_fd 0
        bridge_hello 2
        bridge_maxage 12
        bridge_maxwait 0
iface br0 inet6 static
        address fd00:c0:a8:1::1
        netmask 64
        dns-search zergy.lan
        dns-nameserver 127.0.0.1 ::1
        up /usr/sbin/ip address add 2001:910:133b:1::1/64 dev br0

/etc/openvpn/server/zergy.net.conf:

port 1195
proto udp
proto udp6
dev tap0
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/private/server.key  # This file should be kept secret
dh /etc/openvpn/certs/dh4096.pem
topology subnet
ifconfig-pool-persist /var/lib/openvpn/ipp.txt
server-bridge 192.168.1.1 255.255.255.0 192.168.1.2 192.168.1.15
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN zergy.lan"
push "dhcp-option NTP 192.168.1.1"
push "dhcp-option WINS 192.168.1.1"
keepalive 10 120
tls-auth /etc/openvpn/private/ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
comp-lzo
max-clients 10
user openvpn
group nogroup
persist-key
persist-tun
status /var/lib/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1

OpenVPN logs:

2023-01-21T10:34:05.696587+01:00 enalys openvpn[269147]: xul/2001:14c8:500:117:d9ae:cea0:0:43 MULTI: Learn: e2:37:6e:c0:6d:24@0 -> xul/2001:14c8:500:117:d9ae:cea0:0:43
2023-01-21T10:36:51.548009+01:00 enalys openvpn[1493]: AEAD Decrypt error: bad packet ID (may be a replay): [ #318746 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2023-01-21T10:38:05.288759+01:00 enalys openvpn[269147]: xul/2001:14c8:500:117:d9ae:cea0:0:43 [xul] Inactivity timeout (--ping-restart), restarting
2023-01-21T10:38:05.288847+01:00 enalys openvpn[269147]: xul/2001:14c8:500:117:d9ae:cea0:0:43 SIGUSR1[soft,ping-restart] received, client-instance restarting
2023-01-21T10:39:59.174027+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-01-21T10:39:59.183220+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-01-21T10:39:59.190604+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 VERIFY OK: depth=1, C=FR, ST=Seine-Saint-Denis, L=Le Pre-Saint-Gervais, O=Zergy.net, OU=VPN, CN=enalys.zergy.net, name=VPNServer, emailAddress=admin@zergy.net
2023-01-21T10:39:59.190669+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 VERIFY OK: depth=0, C=FR, ST=Seine-Saint-Denis, L=Saint-Ouen, O=Zergy.net, OU=VPN, CN=xul, name=VPNServer, emailAddress=admin@zergy.net
2023-01-21T10:39:59.190858+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 peer info: IV_VER=2.6_rc2
2023-01-21T10:39:59.190890+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 peer info: IV_PLAT=linux
2023-01-21T10:39:59.190931+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 peer info: IV_TCPNL=1
2023-01-21T10:39:59.190962+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 peer info: IV_MTU=1600
2023-01-21T10:39:59.190993+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 peer info: IV_NCP=2
2023-01-21T10:39:59.191024+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
2023-01-21T10:39:59.191043+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 peer info: IV_PROTO=478
2023-01-21T10:39:59.191062+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 peer info: IV_LZ4=1
2023-01-21T10:39:59.191083+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 peer info: IV_LZ4v2=1
2023-01-21T10:39:59.191102+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 peer info: IV_LZO=1
2023-01-21T10:39:59.191122+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 peer info: IV_COMP_STUB=1
2023-01-21T10:39:59.191140+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 peer info: IV_COMP_STUBv2=1
2023-01-21T10:39:59.191170+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-01-21T10:39:59.191190+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-01-21T10:39:59.196802+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-01-21T10:39:59.196856+01:00 enalys openvpn[269147]: 2001:14c8:500:117:d9ae:cea0:0:43 [xul] Peer Connection Initiated with [AF_INET6]2001:14c8:500:117:d9ae:cea0:0:43:46542
2023-01-21T10:39:59.196890+01:00 enalys openvpn[269147]: xul/2001:14c8:500:117:d9ae:cea0:0:43 MULTI_sva: pool returned IPv4=192.168.1.2, IPv6=(Not enabled)
2023-01-21T10:39:59.196943+01:00 enalys openvpn[269147]: xul/2001:14c8:500:117:d9ae:cea0:0:43 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-01-21T10:39:59.196967+01:00 enalys openvpn[269147]: xul/2001:14c8:500:117:d9ae:cea0:0:43 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-21T10:39:59.197001+01:00 enalys openvpn[269147]: xul/2001:14c8:500:117:d9ae:cea0:0:43 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-21T10:39:59.197030+01:00 enalys openvpn[269147]: xul/2001:14c8:500:117:d9ae:cea0:0:43 SENT CONTROL [xul]: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,dhcp-option DOMAIN zergy.lan,dhcp-option NTP 192.168.1.1,dhcp-option WINS 192.168.1.1,route-gateway 192.168.1.1,ping 10,ping-restart 120,ifconfig 192.168.1.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm,tun-mtu 1500' (status=1)
2023-01-21T10:42:17.090648+01:00 enalys openvpn[269147]: xul/2001:14c8:500:117:d9ae:cea0:0:43 MULTI: Learn: e2:37:6e:c0:6d:24@0 -> xul/2001:14c8:500:117:d9ae:cea0:0:43

I looked up the meaning of the message "SIGUSR1[soft,ping-restart] received, client-instance restarting" that appears in the logs, thinking it would be the problem; however, the only explanations I find on the internet refer to multiple connections to the same server with the same certificate, which does not apply to me, as the OpenVPN server has only one client with this certificate.

Hello,

Personally, I do not recommend bridging a local network with a VPN connection.
More generally, I even advise against bridging two connections that use different physical layers.
If you have a specific need that requires the two networks to be joined, it would be better to look at that need to see whether it can be done another way.

Since your connection is over UDP, OVPN regularly sends a ping to the peer to check that the connection is still active and/or keep it active, as the UDP protocol has no mechanism providing this.

The problem resolved itself after reinstalling missing packages; however, impossible to say which one got the contraption running again.
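
As an added example (not part of the thread and not OpenVPN's own code), the keepalive behaviour discussed above can be read out of a client log: the script pairs each "Inactivity timeout (--ping-restart)" with the preceding handshake and the pushed ping-restart value. The log lines, host names and the function name `ping_restart_events` are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the syslog format shown in the thread (not the poster's real log).
SAMPLE = """\
2023-01-21T10:00:00.100000+01:00 client1 openvpn[100]: [server1] Peer Connection Initiated with [AF_INET6]2001:db8::1:1195
2023-01-21T10:00:00.200000+01:00 client1 openvpn[100]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.1.1,ping 10,ping-restart 120,peer-id 0'
2023-01-21T10:00:00.300000+01:00 client1 openvpn[100]: Initialization Sequence Completed
2023-01-21T10:02:00.400000+01:00 client1 openvpn[100]: [server1] Inactivity timeout (--ping-restart), restarting
2023-01-21T10:02:01.500000+01:00 client1 openvpn[100]: [server1] Peer Connection Initiated with [AF_INET6]2001:db8::1:1195
2023-01-21T10:02:01.600000+01:00 client1 openvpn[100]: Initialization Sequence Completed
2023-01-21T10:30:00.000000+01:00 client1 openvpn[100]: SIGTERM[hard,] received, process exiting
"""

LINE = re.compile(r"^(\S+) (\S+) openvpn\[(\d+)\]: (.*)$")
# Client side only: the timeout the server pushed to this client.
PUSHED = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,.*?\bping-restart (\d+)")

def ping_restart_events(text):
    """Return one dict per inactivity timeout found in a client log."""
    up_since, pushed, events = {}, {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, host, pid, msg = m.groups()
        when, key = datetime.fromisoformat(ts), (host, int(pid))
        if "Peer Connection Initiated" in msg:
            up_since[key] = when            # TLS handshake finished
        elif (p := PUSHED.search(msg)):
            pushed[key] = int(p.group(1))   # seconds of silence before a restart
        elif "Inactivity timeout (--ping-restart)" in msg:
            start = up_since.pop(key, None)
            up = (when - start).total_seconds() if start else None
            limit = pushed.get(key)
            events.append({
                "process": key,
                "up_seconds": round(up) if up is not None else None,
                "pushed_timeout": limit,
                # Session lasted almost exactly the timeout: nothing, not even
                # a keepalive ping, was received after the handshake.
                "silent_since_handshake": up is not None and limit is not None
                                          and abs(up - limit) < 5,
            })
    return events

if __name__ == "__main__":
    for event in ping_restart_events(SAMPLE):
        print(event)
```

A session that dies almost exactly one timeout after a successful handshake means the control channel came up but no packet from the peer arrived afterwards, which points away from certificates and towards the data path.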