DSM6 et OpenVPN

[jsm]

Bonjour,

depuis aujourd'hui mon NAS est passé en DSM6 et mon VPN ne marche plus.

J'ai une erreur  "CORE_ERROR embedded_packet_size_error" dans les logs.

A priori, c'est une histoire de taille de paquet. J'ai testé de mettre un "mssfix 1300" dans mon fichier de configuration, mais cela ne corrige pas le problème. J'ai recréé un certificat, un compte utilisateur et réinstallé tout cela : ca ne marche pas. Avez-vous une idée ? J'ai essayé avec un client Windows et un client iPhone IOS.

merci !!

 

log : 

Citation

2016-03-25 10:31:59 LZO-ASYM init swap=0 asym=0

 

2016-03-25 10:31:59 EVENT: RESOLVE

 

2016-03-25 10:31:59 Contacting 88.176.66.XX:443 via TCP

 

2016-03-25 10:31:59 EVENT: WAIT

 

2016-03-25 10:31:59 SetTunnelSocket returned 1

 

2016-03-25 10:31:59 Connecting to 88.176.66.XX:443 (88.176.66.XX) via TCPv4

 

2016-03-25 10:31:59 EVENT: DISCONNECTED

 

2016-03-25 10:31:59 EVENT: CORE_ERROR embedded_packet_size_error [ERR]

 

2016-03-25 10:31:59 Raw stats on disconnect:

 

  BYTES_IN : 311

 

  BYTES_OUT : 16

 

  PACKETS_IN : 1

 

  PACKETS_OUT : 1

 

2016-03-25 10:31:59 Performance stats on disconnect:

 

  CPU usage (microseconds): 6393

 

  Network bytes per CPU second: 51149

 

  Tunnel bytes per CPU second: 0

 

2016-03-25 10:31:59 EVENT: DISCONNECT_PENDING

 

2016-03-25 10:31:59 ----- OpenVPN Stop -----

 

2016-03-25 10:38:57 ----- OpenVPN Start ----- OpenVPN core 3.0 ios arm64 64-bit

 

 

EDIT : En repassant en UDP, le VPN est retombé en marche. Le passage à DSM6 aura quand même eu un impact sur OpenVPN... mais c'est réglé maintenant.

 

 

 

Modifié le 25 mars 2016 par jsm

[Fenrir]

Il y a 3 heures, jsm a dit :

EDIT : En repassant en UDP, le VPN est retombé en marche. Le passage à DSM6 aura quand même eu un impact sur OpenVPN... mais c'est réglé maintenant.

Il vaut mieux utiliser UDP pour un vpn, c'est plus léger et ça tolère mieux les micro coupure (roaming par exemple).

[waltpinkman]

Bonjour j'ai un autre soucis de mon coté lorsque j'essai de me connecter au VPN. on dirait qu'on ne peut pas ajouter la gateway du VPN: 

Extrait log connexion:

Sat Mar 26 11:56:24 2016 OpenVPN 2.3.10 armle-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar  8 2016
Sat Mar 26 11:56:24 2016 library versions: OpenSSL 1.0.2g-fips  1 Mar 2016, LZO 2.09
Sat Mar 26 11:56:24 2016 WARNING: file '/tmp/ovpn_client_up' is group or others accessible
Sat Mar 26 11:56:25 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Mar 26 11:56:25 2016 PLUGIN_INIT: POST /lib/openvpn/openvpn-down-root.so '[/lib/openvpn/openvpn-down-root.so] [/usr/syno/etc.defaults/synovpnclient/scripts/ip-down]' intercepted=PLUGIN_UP|PLUGIN_DOWN
Sat Mar 26 11:56:25 2016 Control Channel Authentication: tls-auth using INLINE static key file
Sat Mar 26 11:56:25 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 26 11:56:25 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 26 11:56:25 2016 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat Mar 26 11:56:25 2016 UDPv4 link local: [undef]
Sat Mar 26 11:56:25 2016 UDPv4 link remote: [AF_INET]185.94.29.106:1197
Sat Mar 26 11:56:25 2016 TLS: Initial packet from [AF_INET]185.94.29.106:1197, sid=89f03909 31a8c680
Sat Mar 26 11:56:25 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Mar 26 11:56:25 2016 VERIFY OK: depth=1, C=US, ST=DE, L=Wilmington, O=VpnHT, OU=VPNHT, CN=vpn.ht, name=VPNHT, emailAddress=support@vpn.ht
Sat Mar 26 11:56:25 2016 VERIFY OK: nsCertType=SERVER
Sat Mar 26 11:56:25 2016 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=EasyRSA, emailAddress=me@myhost.mydomain
Sat Mar 26 11:56:27 2016 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sat Mar 26 11:56:27 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 26 11:56:27 2016 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sat Mar 26 11:56:27 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 26 11:56:27 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Mar 26 11:56:27 2016 [server] Peer Connection Initiated with [AF_INET]185.94.29.106:1197
Sat Mar 26 11:56:29 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Mar 26 11:56:29 2016 PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.3.0.1,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.3.0.1,explicit-exit-notify,route-gateway 10.3.0.1,topology subnet,ifconfig 10.3.0.122 255.255.0.0'
Sat Mar 26 11:56:29 2016 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:5 is ignored by previous <connection> blocks
Sat Mar 26 11:56:29 2016 OPTIONS IMPORT: explicit notify parm(s) modified
Sat Mar 26 11:56:29 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sat Mar 26 11:56:29 2016 OPTIONS IMPORT: route options modified
Sat Mar 26 11:56:29 2016 OPTIONS IMPORT: route-related options modified
Sat Mar 26 11:56:29 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Mar 26 11:56:29 2016 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=00:11:32:21:9f:df
Sat Mar 26 11:56:29 2016 TUN/TAP device tun0 opened
Sat Mar 26 11:56:29 2016 TUN/TAP TX queue length set to 100
Sat Mar 26 11:56:29 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Mar 26 11:56:29 2016 /sbin/ifconfig tun0 10.3.0.122 netmask 255.255.0.0 mtu 1500 broadcast 10.3.255.255
Sat Mar 26 11:56:29 2016 PLUGIN_CALL: POST /lib/openvpn/openvpn-down-root.so/PLUGIN_UP status=0
Sat Mar 26 11:56:29 2016 /usr/syno/etc.defaults/synovpnclient/scripts/ovpn-up tun0 1500 1590 10.3.0.122 255.255.0.0 init
Sat Mar 26 11:57:00 2016 /sbin/route add -net 185.94.29.106 netmask 255.255.255.255 gw 192.168.1.1
Sat Mar 26 11:57:00 2016 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.3.0.1
SIOCADDRT: No such process
Sat Mar 26 11:57:00 2016 ERROR: Linux route add command failed: external program exited with error status: 7
Sat Mar 26 11:57:00 2016 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.3.0.1
SIOCADDRT: No such process
Sat Mar 26 11:57:00 2016 ERROR: Linux route add command failed: external program exited with error status: 7
Sat Mar 26 11:57:01 2016 Initialization Sequence Completed
Sat Mar 26 11:57:01 2016 [server] Inactivity timeout (--ping-restart), restarting
Sat Mar 26 11:57:01 2016 SIGUSR1[soft,ping-restart] received, process restarting
Sat Mar 26 11:57:01 2016 Restart pause, 2 second(s)
Sat Mar 26 11:57:03 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Mar 26 11:57:03 2016 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat Mar 26 11:57:08 2016 UDPv4 link local: [undef]
Sat Mar 26 11:57:08 2016 UDPv4 link remote: [AF_INET]185.94.29.113:1197
Sat Mar 26 11:57:08 2016 TLS: Initial packet from [AF_INET]185.94.29.113:1197, sid=1be13198 2f15ad2a
Sat Mar 26 11:57:08 2016 VERIFY OK: depth=1, C=US, ST=DE, L=Wilmington, O=VpnHT, OU=VPNHT, CN=vpn.ht, name=VPNHT, emailAddress=support@vpn.ht
Sat Mar 26 11:57:08 2016 VERIFY OK: nsCertType=SERVER
Sat Mar 26 11:57:08 2016 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=EasyRSA, emailAddress=me@myhost.mydomain
Sat Mar 26 11:57:10 2016 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sat Mar 26 11:57:10 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 26 11:57:10 2016 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sat Mar 26 11:57:10 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 26 11:57:10 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Mar 26 11:57:10 2016 [server] Peer Connection Initiated with [AF_INET]185.94.29.113:1197
Sat Mar 26 11:57:13 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Mar 26 11:57:13 2016 PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.3.0.1,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.3.0.1,explicit-exit-notify,route-gateway 10.3.0.1,topology subnet,ifconfig 10.3.0.121 255.255.0.0'
Sat Mar 26 11:57:13 2016 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:5 is ignored by previous <connection> blocks
Sat Mar 26 11:57:13 2016 OPTIONS IMPORT: explicit notify parm(s) modified
Sat Mar 26 11:57:13 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sat Mar 26 11:57:13 2016 OPTIONS IMPORT: route options modified
Sat Mar 26 11:57:13 2016 OPTIONS IMPORT: route-related options modified
Sat Mar 26 11:57:13 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Mar 26 11:57:13 2016 Preserving previous TUN/TAP instance: tun0
Sat Mar 26 11:57:13 2016 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Sat Mar 26 11:57:13 2016 /sbin/route del -net 185.94.29.106 netmask 255.255.255.255
Sat Mar 26 11:57:13 2016 /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
SIOCDELRT: No such process
Sat Mar 26 11:57:13 2016 ERROR: Linux route delete command failed: external program exited with error status: 7
Sat Mar 26 11:57:13 2016 /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
SIOCDELRT: No such process
Sat Mar 26 11:57:13 2016 ERROR: Linux route delete command failed: external program exited with error status: 7
Sat Mar 26 11:57:13 2016 Closing TUN/TAP interface
Sat Mar 26 11:57:13 2016 /sbin/ifconfig tun0 0.0.0.0

 

Merci pour votre aide à tous