I found a little mistake in the howto. In openvpn-2.3.13_1, which is the recent version when installing via pkg, one needs to specify auth sha256 in the server AND the client config.
Now to my problem: I can't connect to my emby jail through VPN. It has been driving me crazy for a few days now. I recently updated from FreeNAS 9.3 to FreeNAS 9.10. I thought I would delete my old OpenVPN jail to start over and put in the latest security features. I had a backup of my old (working) server.conf and just added some things later on.
I know I need to push a route to my home network, and maybe also allow client-to-client.
Route seems to be fine.
Code:
OpenVPN CLIENT LIST
Updated,Mon Dec 12 05:56:37 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
me.me,2.2.2.2:17001,6911,6201,Mon Dec 12 05:56:19 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,me.me,2.2.2.2:17001,Mon Dec 12 05:56:26 2016
GLOBAL STATS
Max bcast/mcast queue length,0
END
Code:
2016-12-12 04:55:32 Generating OpenVPN configuration…
2016-12-12 04:55:32 started Socket Thread
2016-12-12 04:55:33 Current Parameter Settings:
2016-12-12 04:55:33 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2016-12-12 04:55:33 mode = 0
2016-12-12 04:55:33 show_ciphers = DISABLED
2016-12-12 04:55:33 show_digests = DISABLED
2016-12-12 04:55:33 show_engines = DISABLED
2016-12-12 04:55:33 genkey = DISABLED
2016-12-12 04:55:33 key_pass_file = '[UNDEF]'
2016-12-12 04:55:33 show_tls_ciphers = DISABLED
2016-12-12 04:55:33 connect_retry_max = 0
2016-12-12 04:55:33 Connection profiles [0]:
2016-12-12 04:55:33 proto = udp
2016-12-12 04:55:33 local = '[UNDEF]'
2016-12-12 04:55:33 local_port = '[UNDEF]'
2016-12-12 04:55:33 remote = 'my.ddns.com'
2016-12-12 04:55:33 remote_port = '443'
2016-12-12 04:55:33 remote_float = DISABLED
2016-12-12 04:55:33 bind_defined = DISABLED
2016-12-12 04:55:33 bind_local = DISABLED
2016-12-12 04:55:33 bind_ipv6_only = DISABLED
2016-12-12 04:55:33 connect_retry_seconds = 2
2016-12-12 04:55:33 connect_timeout = 120
2016-12-12 04:55:33 socks_proxy_server = '[UNDEF]'
2016-12-12 04:55:33 socks_proxy_port = '[UNDEF]'
2016-12-12 04:55:33 tun_mtu = 1500
2016-12-12 04:55:33 tun_mtu_defined = ENABLED
2016-12-12 04:55:33 link_mtu = 1500
2016-12-12 04:55:33 link_mtu_defined = DISABLED
2016-12-12 04:55:33 tun_mtu_extra = 0
2016-12-12 04:55:33 tun_mtu_extra_defined = DISABLED
2016-12-12 04:55:33 mtu_discover_type = -1
2016-12-12 04:55:33 fragment = 0
2016-12-12 04:55:33 mssfix = 1450
2016-12-12 04:55:33 explicit_exit_notification = 0
2016-12-12 04:55:33 Connection profiles END
2016-12-12 04:55:33 remote_random = DISABLED
2016-12-12 04:55:33 ipchange = '[UNDEF]'
2016-12-12 04:55:33 dev = 'tun'
2016-12-12 04:55:33 dev_type = '[UNDEF]'
2016-12-12 04:55:33 dev_node = '[UNDEF]'
2016-12-12 04:55:33 lladdr = '[UNDEF]'
2016-12-12 04:55:33 topology = 1
2016-12-12 04:55:33 ifconfig_local = '[UNDEF]'
2016-12-12 04:55:33 ifconfig_remote_netmask = '[UNDEF]'
2016-12-12 04:55:33 ifconfig_noexec = DISABLED
2016-12-12 04:55:33 ifconfig_nowarn = ENABLED
2016-12-12 04:55:33 ifconfig_ipv6_local = '[UNDEF]'
2016-12-12 04:55:33 ifconfig_ipv6_netbits = 0
2016-12-12 04:55:33 ifconfig_ipv6_remote = '[UNDEF]'
2016-12-12 04:55:33 shaper = 0
2016-12-12 04:55:33 mtu_test = 0
2016-12-12 04:55:33 mlock = DISABLED
2016-12-12 04:55:33 keepalive_ping = 0
2016-12-12 04:55:33 keepalive_timeout = 0
2016-12-12 04:55:33 inactivity_timeout = 0
2016-12-12 04:55:33 ping_send_timeout = 0
2016-12-12 04:55:33 ping_rec_timeout = 0
2016-12-12 04:55:33 ping_rec_timeout_action = 0
2016-12-12 04:55:33 ping_timer_remote = DISABLED
2016-12-12 04:55:33 remap_sigusr1 = 0
2016-12-12 04:55:33 persist_tun = ENABLED
2016-12-12 04:55:33 persist_local_ip = DISABLED
2016-12-12 04:55:33 persist_remote_ip = DISABLED
2016-12-12 04:55:33 persist_key = DISABLED
2016-12-12 04:55:33 passtos = DISABLED
2016-12-12 04:55:33 resolve_retry_seconds = 1000000000
2016-12-12 04:55:33 resolve_in_advance = ENABLED
2016-12-12 04:55:33 username = '[UNDEF]'
2016-12-12 04:55:33 groupname = '[UNDEF]'
2016-12-12 04:55:33 chroot_dir = '[UNDEF]'
2016-12-12 04:55:33 cd_dir = '[UNDEF]'
2016-12-12 04:55:33 writepid = '[UNDEF]'
2016-12-12 04:55:33 up_script = '[UNDEF]'
2016-12-12 04:55:33 down_script = '[UNDEF]'
2016-12-12 04:55:33 down_pre = DISABLED
2016-12-12 04:55:33 up_restart = DISABLED
2016-12-12 04:55:33 up_delay = DISABLED
2016-12-12 04:55:33 daemon = DISABLED
2016-12-12 04:55:33 inetd = 0
2016-12-12 04:55:33 log = DISABLED
2016-12-12 04:55:33 suppress_timestamps = DISABLED
2016-12-12 04:55:33 machine_readable_output = ENABLED
2016-12-12 04:55:33 nice = 0
2016-12-12 04:55:33 verbosity = 4
2016-12-12 04:55:33 mute = 0
2016-12-12 04:55:33 gremlin = 0
2016-12-12 04:55:33 status_file = '[UNDEF]'
2016-12-12 04:55:33 status_file_version = 1
2016-12-12 04:55:33 status_file_update_freq = 60
2016-12-12 04:55:33 occ = ENABLED
2016-12-12 04:55:33 rcvbuf = 0
2016-12-12 04:55:33 sndbuf = 0
2016-12-12 04:55:33 sockflags = 0
2016-12-12 04:55:33 fast_io = DISABLED
2016-12-12 04:55:33 comp.alg = 2
2016-12-12 04:55:33 comp.flags = 1
2016-12-12 04:55:33 route_script = '[UNDEF]'
2016-12-12 04:55:33 route_default_gateway = '[UNDEF]'
2016-12-12 04:55:33 route_default_metric = 0
2016-12-12 04:55:33 route_noexec = DISABLED
2016-12-12 04:55:33 route_delay = 0
2016-12-12 04:55:33 route_delay_window = 30
2016-12-12 04:55:33 route_delay_defined = DISABLED
2016-12-12 04:55:33 route_nopull = DISABLED
2016-12-12 04:55:33 route_gateway_via_dhcp = DISABLED
2016-12-12 04:55:33 allow_pull_fqdn = DISABLED
2016-12-12 04:55:33 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2016-12-12 04:55:33 management_port = 'unix'
2016-12-12 04:55:33 management_user_pass = '[UNDEF]'
2016-12-12 04:55:33 management_log_history_cache = 250
2016-12-12 04:55:33 management_echo_buffer_size = 100
2016-12-12 04:55:33 management_write_peer_info_file = '[UNDEF]'
2016-12-12 04:55:33 management_client_user = '[UNDEF]'
2016-12-12 04:55:33 management_client_group = '[UNDEF]'
2016-12-12 04:55:33 management_flags = 4390
2016-12-12 04:55:33 shared_secret_file = '[UNDEF]'
2016-12-12 04:55:33 key_direction = 2
2016-12-12 04:55:33 ciphername = 'AES-256-CBC'
2016-12-12 04:55:33 authname = 'SHA512'
2016-12-12 04:55:33 prng_hash = 'SHA1'
2016-12-12 04:55:33 prng_nonce_secret_len = 16
2016-12-12 04:55:33 keysize = 0
2016-12-12 04:55:33 engine = DISABLED
2016-12-12 04:55:33 replay = ENABLED
2016-12-12 04:55:33 mute_replay_warnings = ENABLED
2016-12-12 04:55:33 replay_window = 64
2016-12-12 04:55:33 replay_time = 15
2016-12-12 04:55:33 packet_id_file = '[UNDEF]'
2016-12-12 04:55:33 use_iv = ENABLED
2016-12-12 04:55:33 test_crypto = DISABLED
2016-12-12 04:55:33 tls_server = DISABLED
2016-12-12 04:55:33 tls_client = ENABLED
2016-12-12 04:55:33 key_method = 2
2016-12-12 04:55:33 ca_file = '[[INLINE]]'
2016-12-12 04:55:33 ca_path = '[UNDEF]'
2016-12-12 04:55:33 dh_file = '[UNDEF]'
2016-12-12 04:55:33 cert_file = '[[INLINE]]'
2016-12-12 04:55:33 extra_certs_file = '[UNDEF]'
2016-12-12 04:55:33 priv_key_file = '[[INLINE]]'
2016-12-12 04:55:33 pkcs12_file = '[UNDEF]'
2016-12-12 04:55:33 cipher_list = 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
2016-12-12 04:55:33 tls_verify = '[UNDEF]'
2016-12-12 04:55:33 tls_export_cert = '[UNDEF]'
2016-12-12 04:55:33 verify_x509_type = 0
2016-12-12 04:55:33 verify_x509_name = '[UNDEF]'
2016-12-12 04:55:33 crl_file = '[UNDEF]'
2016-12-12 04:55:33 ns_cert_type = 0
2016-12-12 04:55:33 remote_cert_ku = 160
2016-12-12 04:55:33 remote_cert_ku = 136
2016-12-12 04:55:33 remote_cert_ku = 0
2016-12-12 04:55:33 remote_cert_ku = 0
2016-12-12 04:55:33 remote_cert_ku = 0
2016-12-12 04:55:33 remote_cert_ku = 0
2016-12-12 04:55:33 remote_cert_ku = 0
2016-12-12 04:55:33 remote_cert_ku = 0
2016-12-12 04:55:33 remote_cert_ku = 0
2016-12-12 04:55:33 remote_cert_ku = 0
2016-12-12 04:55:33 remote_cert_ku = 0
2016-12-12 04:55:33 remote_cert_ku = 0
2016-12-12 04:55:33 remote_cert_ku = 0
2016-12-12 04:55:33 remote_cert_ku = 0
2016-12-12 04:55:33 remote_cert_ku = 0
2016-12-12 04:55:33 remote_cert_ku = 0
2016-12-12 04:55:33 remote_cert_eku = 'TLS Web Server Authentication'
2016-12-12 04:55:33 ssl_flags = 0
2016-12-12 04:55:33 tls_timeout = 2
2016-12-12 04:55:33 renegotiate_bytes = 0
2016-12-12 04:55:33 renegotiate_packets = 0
2016-12-12 04:55:33 renegotiate_seconds = 3600
2016-12-12 04:55:33 handshake_window = 60
2016-12-12 04:55:33 transition_window = 3600
2016-12-12 04:55:33 single_session = DISABLED
2016-12-12 04:55:33 push_peer_info = DISABLED
2016-12-12 04:55:33 tls_exit = DISABLED
2016-12-12 04:55:33 tls_auth_file = '[[INLINE]]'
2016-12-12 04:55:33 client = ENABLED
2016-12-12 04:55:33 pull = ENABLED
2016-12-12 04:55:33 auth_user_pass_file = '[UNDEF]'
2016-12-12 04:55:33 OpenVPN 2.4-icsopenvpn [git:HEAD-9d8801b6185d7453] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [IPv6] built on Oct 13 2016
2016-12-12 04:55:33 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09
2016-12-12 04:55:33 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2016-12-12 04:55:33 MANAGEMENT: CMD 'hold release'
2016-12-12 04:55:34 MANAGEMENT: CMD 'bytecount 2'
2016-12-12 04:55:34 MANAGEMENT: CMD 'proxy NONE'
2016-12-12 04:55:34 MANAGEMENT: CMD 'state on'
2016-12-12 04:55:34 Network status: CONNECTED HSDPA to MOBILE internet.q.de
2016-12-12 04:55:35 MANAGEMENT: CMD 'password [...]'
2016-12-12 04:55:35 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2016-12-12 04:55:35 Deprecated TLS cipher name 'DHE-RSA-AES256-GCM-SHA384', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'
2016-12-12 04:55:35 Deprecated TLS cipher name 'DHE-RSA-AES256-SHA256', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA256'
2016-12-12 04:55:35 Deprecated TLS cipher name 'DHE-RSA-AES128-GCM-SHA256', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'
2016-12-12 04:55:35 Deprecated TLS cipher name 'DHE-RSA-AES128-SHA256', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-CBC-SHA256'
2016-12-12 04:55:35 Deprecated TLS cipher name 'DHE-RSA-CAMELLIA256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA'
2016-12-12 04:55:35 Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
2016-12-12 04:55:35 Deprecated TLS cipher name 'DHE-RSA-CAMELLIA128-SHA', please use IANA name 'TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA'
2016-12-12 04:55:35 Deprecated TLS cipher name 'DHE-RSA-AES128-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-CBC-SHA'
2016-12-12 04:55:35 Deprecated TLS cipher name 'CAMELLIA256-SHA', please use IANA name 'TLS-RSA-WITH-CAMELLIA-256-CBC-SHA'
2016-12-12 04:55:35 Deprecated TLS cipher name 'AES256-SHA', please use IANA name 'TLS-RSA-WITH-AES-256-CBC-SHA'
2016-12-12 04:55:35 Deprecated TLS cipher name 'CAMELLIA128-SHA', please use IANA name 'TLS-RSA-WITH-CAMELLIA-128-CBC-SHA'
2016-12-12 04:55:35 Deprecated TLS cipher name 'AES128-SHA', please use IANA name 'TLS-RSA-WITH-AES-128-CBC-SHA'
2016-12-12 04:55:35 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2016-12-12 04:55:35 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2016-12-12 04:55:35 LZO compression initializing
2016-12-12 04:55:35 Control Channel MTU parms [ L:1622 D:1140 EF:110 EB:0 ET:0 EL:3 ]
2016-12-12 04:55:35 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2016-12-12 04:55:35 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
2016-12-12 04:55:35 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
2016-12-12 04:55:35 TCP/UDP: Preserving recently used remote address: [AF_INET]1.1.1.1:443
2016-12-12 04:55:35 Socket Buffers: R=[163840->163840] S=[163840->163840]
2016-12-12 04:55:35 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2016-12-12 04:55:35 UDP link local: (not bound)
2016-12-12 04:55:35 UDP link remote: [AF_INET]1.1.1.1:443
2016-12-12 04:55:35 MANAGEMENT: >STATE:1481514935,WAIT,,,,,,
2016-12-12 04:55:36 MANAGEMENT: >STATE:1481514936,AUTH,,,,,,
2016-12-12 04:55:36 TLS: Initial packet from [AF_INET]1.1.1.1:443, sid=244492b2 35563393
2016-12-12 04:55:36 PID_ERR replay-window backtrack occurred [2] [TLS_AUTH-0] [00_00] 1481514937:5 1481514937:3 t=1481514936[0] r=[0,64,15,2,1] sl=[59,5,64,272]
2016-12-12 04:55:36 VERIFY OK: depth=1, CN=Easy-RSA CA
2016-12-12 04:55:36 Validating certificate key usage
2016-12-12 04:55:36 ++ Certificate has key usage 00a0, expects 00a0
2016-12-12 04:55:36 VERIFY KU OK
2016-12-12 04:55:36 Validating certificate extended key usage
2016-12-12 04:55:36 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2016-12-12 04:55:36 VERIFY EKU OK
2016-12-12 04:55:36 VERIFY OK: depth=0, CN=OVPN
2016-12-12 04:55:37 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
2016-12-12 04:55:37 [OVPN] Peer Connection Initiated with [AF_INET]1.1.1.1:443
2016-12-12 04:55:39 MANAGEMENT: >STATE:1481514939,GET_CONFIG,,,,,,
2016-12-12 04:55:39 SENT CONTROL [OVPN]: 'PUSH_REQUEST' (status=1)
2016-12-12 04:55:39 PUSH: Received control message: 'PUSH_REPLY,route 192.168.20.0 255.255.255.0,redirect-gateway,dhcp-option DNS 208.67.222.222,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
2016-12-12 04:55:39 OPTIONS IMPORT: timers and/or timeouts modified
2016-12-12 04:55:39 OPTIONS IMPORT: --ifconfig/up options modified
2016-12-12 04:55:39 OPTIONS IMPORT: route options modified
2016-12-12 04:55:39 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2016-12-12 04:55:39 Data Channel MTU parms [ L:1602 D:1450 EF:102 EB:406 ET:0 EL:3 ]
2016-12-12 04:55:39 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2016-12-12 04:55:39 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
2016-12-12 04:55:39 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2016-12-12 04:55:39 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
2016-12-12 04:55:39 GDG: SIOCGIFHWADDR(lo) failed
2016-12-12 04:55:39 ROUTE_GATEWAY 127.2.2.2/255.0.0.0 IFACE=lo
2016-12-12 04:55:39 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2016-12-12 04:55:39 MANAGEMENT: >STATE:1481514939,ASSIGN_IP,,10.8.0.6,,,,
2016-12-12 04:55:39 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2016-12-12 04:55:39 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2016-12-12 04:55:39 MANAGEMENT: >STATE:1481514939,ADD_ROUTES,,,,,,
2016-12-12 04:55:39 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2016-12-12 04:55:39 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2016-12-12 04:55:39 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2016-12-12 04:55:39 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2016-12-12 04:55:39 Opening tun network interface:
2016-12-12 04:55:39 Local IPv4: 10.8.0.6/30 IPv6: null MTU: 1500
2016-12-12 04:55:39 DNS server: 208.67.222.222, domain: null
2016-12-12 04:55:39 Routes: 0.0.0.0/0, 10.8.0.0/24, 10.8.0.4/30, 192.168.20.0/24
2016-12-12 04:55:39 Excluded routes:
2016-12-12 04:55:39 Installed VpnService routes: 0.0.0.0/0
2016-12-12 04:55:39 Apps not allowed for the VPN:
2016-12-12 04:55:39 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2016-12-12 04:55:39 Initialization Sequence Completed
2016-12-12 04:55:39 MANAGEMENT: >STATE:1481514939,CONNECTED,SUCCESS,10.8.0.6,1.1.1.1,443,,
2016-12-12 04:55:39 Network status: CONNECTED HSPA+ to MOBILE internet.q.de
2016-12-12 05:19:45 MANAGEMENT: CMD 'signal SIGINT'
2016-12-12 05:19:45 Local IP address unset and received. Neither pushed server config nor local config specifies an IP addresses. Opening tun device is most likely going to fail.
2016-12-12 05:19:45 TCP/UDP: Closing socket
2016-12-12 05:19:45 Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only.
2016-12-12 05:19:45 Closing TUN/TAP interface
2016-12-12 05:19:46 SIGINT[hard,] received, process exiting
2016-12-12 05:19:46 MANAGEMENT: >STATE:1481516386,EXITING,SIGINT,,,,,
2016-12-12 05:19:46 Connection to OpenVPN closed (socket closed)
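As an added example (not part of the post above, and not the poster's or OpenVPN's own code), here is a small Python script for two checks a practitioner would run against a client log like the one posted. The first models the howto mistake mentioned at the top of the post: OpenVPN's options consistency check (OCC) compares the peer's "Local Options String" with what this side expects, so a server configured with `auth SHA256` and a client left at the default `SHA1` show up as an `auth` disagreement (and a different `link-mtu`, because the HMAC size changes). The second parses the `PUSH_REPLY` and reports which pushed routes cover a given host, so you can confirm that the home LAN route actually reaches the client before looking elsewhere. Assumptions: the sample log lines are constructed copies of the relevant lines from the post; `EMBY_JAIL_IP` (192.168.20.50) is a placeholder, not an address from the post; the `SHA1`/`SHA256` options strings and their `link-mtu` values are constructed to model the mismatch and are not taken from any real log.

```python
"""Sanity checks over an OpenVPN client log: options-string consistency
and pushed-route coverage. Added example; sample data is constructed."""
import ipaddress
import re

# Constructed sample lines, modelled on the client log in the post.
CLIENT_LOG = """\
2016-12-12 04:55:35 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
2016-12-12 04:55:35 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
2016-12-12 04:55:39 PUSH: Received control message: 'PUSH_REPLY,route 192.168.20.0 255.255.255.0,redirect-gateway,dhcp-option DNS 208.67.222.222,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
"""

# Constructed: a server with 'auth SHA256' and a client left at the default
# SHA1 (the howto mistake). link-mtu values are assumed, not from a real log.
SERVER_OPTS_SHA256 = ("V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,"
                      "keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,"
                      "key-method 2,tls-server")
CLIENT_OPTS_SHA1 = ("V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,"
                    "keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,"
                    "key-method 2,tls-client")

EMBY_JAIL_IP = "192.168.20.50"  # assumed placeholder address for the jail

OPTS_RE = re.compile(r"(Local|Expected Remote) Options String \(VER=V4\): '([^']*)'")
PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,([^']*)'")
COMPLEMENT = {"tls-client": "tls-server", "tls-server": "tls-client"}


def parse_options_string(s):
    """'V4,dev-type tun,comp-lzo,keydir 1,...' -> {'dev-type': 'tun', 'comp-lzo': True, ...}"""
    opts = {}
    for tok in s.split(",")[1:]:  # drop the leading 'V4' version tag
        key, _, val = tok.partition(" ")
        opts[key] = val if val else True
    return opts


def expected_remote(local):
    """What the peer's Local Options String must look like to match ours:
    identical, except the TLS role and the tls-auth key direction flip."""
    exp = {}
    for k, v in local.items():
        if k in COMPLEMENT:
            exp[COMPLEMENT[k]] = True
        elif k == "keydir":
            exp[k] = "0" if v == "1" else "1"
        else:
            exp[k] = v
    return exp


def options_mismatches(local_str, peer_str):
    """Return {option: (what we expect, what the peer sent)} for every disagreement."""
    exp = expected_remote(parse_options_string(local_str))
    peer = parse_options_string(peer_str)
    return {k: (exp.get(k), peer.get(k)) for k in set(exp) | set(peer)
            if exp.get(k) != peer.get(k)}


def log_options(log):
    """Extract (local, expected-remote) options strings from a client log."""
    found = dict(OPTS_RE.findall(log))
    return found["Local"], found["Expected Remote"]


def parse_push_reply(log):
    """Split the PUSH_REPLY into routes (as ip_network), DNS, ifconfig and the rest."""
    m = PUSH_RE.search(log)
    if not m:
        return None
    push = {"routes": [], "dns": [], "redirect_gateway": False, "ifconfig": None, "other": []}
    for item in m.group(1).split(","):
        parts = item.split()
        if parts[0] == "route" and len(parts) >= 3:
            push["routes"].append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts[0] == "redirect-gateway":
            push["redirect_gateway"] = True
        elif parts[0] == "dhcp-option" and len(parts) == 3 and parts[1] == "DNS":
            push["dns"].append(parts[2])
        elif parts[0] == "ifconfig" and len(parts) == 3:
            push["ifconfig"] = (parts[1], parts[2])
        else:
            push["other"].append(item)
    return push


def routes_covering(push, host):
    """Explicit pushed routes that contain host (redirect-gateway is reported separately)."""
    addr = ipaddress.ip_address(host)
    return [str(n) for n in push["routes"] if addr in n]


if __name__ == "__main__":
    local, expected = log_options(CLIENT_LOG)
    # A correctly configured server sends exactly the string we expect: no mismatches.
    print("log client vs matching server:", options_mismatches(local, expected))
    # The howto mistake: auth set on the server only.
    print("SHA1 client vs SHA256 server:", options_mismatches(CLIENT_OPTS_SHA1, SERVER_OPTS_SHA256))
    push = parse_push_reply(CLIENT_LOG)
    print("redirect-gateway pushed:", push["redirect_gateway"])
    print("routes covering the jail:", routes_covering(push, EMBY_JAIL_IP))
```

If the jail's address falls inside a pushed route (here 192.168.20.0/24) and the client still cannot reach it, the client's routing table is not where to look next; the remaining suspects are on the server side of the tunnel (forwarding, NAT or firewall rules in the jail host), which this script does not inspect.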