goldeneye59
(Olivier Français)
November 20, 2024, 10:42am
1
Hi,
For a few days now, I haven't been able to connect OpenVPN using pkcs11 and a YubiKey.
2024-11-20 11:34:24 Note: --data-ciphers-fallback with cipher ‘AES-256-CBC’ disables data channel offload.
2024-11-20 11:34:24 OpenVPN 2.6.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2024-11-20 11:34:24 library versions: OpenSSL 3.2.2 4 Jun 2024, LZO 2.10
2024-11-20 11:34:24 DCO version: N/A
2024-11-20 11:34:24 PKCS#11: Adding PKCS#11 provider ‘/usr/lib64/opensc-pkcs11.so’
2024-11-20 11:34:24 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2024-11-20 11:34:24 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-11-20 11:34:24 TCP/UDP: Preserving recently used remote address: [AF_INET]1.2.3.4:1194
2024-11-20 11:34:24 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-11-20 11:34:24 UDPv4 link local: (not bound)
2024-11-20 11:34:24 UDPv4 link remote: [AF_INET]1.2.3.4:1194
2024-11-20 11:34:24 TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=0a0b0a15 e386f07a
2024-11-20 11:34:24 VERIFY OK: depth=1, C=FR, ST=France, L=XXX, O=XXX, CN=CA XXX
2024-11-20 11:34:24 VERIFY OK: depth=0, C=FR, ST=France, L=XXX, O=XXX, OU=R&D, CN=XXX, emailAddress=XXX
The connection gets stuck at this step and restarts in a loop. I tried on Ubuntu with the same YubiKey and the same config file, and it works.
I can't find what's wrong or why it doesn't work on F41.
OpenVPN version:
OpenVPN 2.6.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.2.2 4 Jun 2024, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=yes enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=yes enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no
vgaetera
(Vladislav Grigoryev)
November 20, 2024, 11:36am
2
goldeneye59
(Olivier Français)
November 20, 2024, 1:30pm
3
I already switched to update-crypto-policies --set LEGACY (and rebooted), but I have the same issue.
Here is the output with verb 5:
2024-11-20 14:21:28 us=260752 Note: --data-ciphers-fallback with cipher 'AES-256-CBC' disables data channel offload.
2024-11-20 14:21:28 us=260900 Current Parameter Settings:
2024-11-20 14:21:28 us=260910 config = 'test.ovpn'
2024-11-20 14:21:28 us=260915 mode = 0
2024-11-20 14:21:28 us=260920 persist_config = DISABLED
2024-11-20 14:21:28 us=260924 persist_mode = 1
2024-11-20 14:21:28 us=260928 show_ciphers = DISABLED
2024-11-20 14:21:28 us=260932 show_digests = DISABLED
2024-11-20 14:21:28 us=260937 show_engines = DISABLED
2024-11-20 14:21:28 us=260941 genkey = DISABLED
2024-11-20 14:21:28 us=260945 genkey_filename = '[UNDEF]'
2024-11-20 14:21:28 us=260949 key_pass_file = '[UNDEF]'
2024-11-20 14:21:28 us=260954 show_tls_ciphers = DISABLED
2024-11-20 14:21:28 us=260959 connect_retry_max = 0
2024-11-20 14:21:28 us=260964 Connection profiles [0]:
2024-11-20 14:21:28 us=260971 proto = udp
2024-11-20 14:21:28 us=260975 local = '[UNDEF]'
2024-11-20 14:21:28 us=260980 local_port = '[UNDEF]'
2024-11-20 14:21:28 us=260985 remote = '1.2.3.4'
2024-11-20 14:21:28 us=260990 remote_port = '1194'
2024-11-20 14:21:28 us=260995 remote_float = DISABLED
2024-11-20 14:21:28 us=260999 bind_defined = DISABLED
2024-11-20 14:21:28 us=261004 bind_local = DISABLED
2024-11-20 14:21:28 us=261008 bind_ipv6_only = DISABLED
2024-11-20 14:21:28 us=261013 connect_retry_seconds = 1
2024-11-20 14:21:28 us=261018 connect_timeout = 120
2024-11-20 14:21:28 us=261023 socks_proxy_server = '[UNDEF]'
2024-11-20 14:21:28 us=261028 socks_proxy_port = '[UNDEF]'
2024-11-20 14:21:28 us=261032 tun_mtu = 1500
2024-11-20 14:21:28 us=261037 tun_mtu_defined = ENABLED
2024-11-20 14:21:28 us=261042 link_mtu = 1500
2024-11-20 14:21:28 us=261046 link_mtu_defined = DISABLED
2024-11-20 14:21:28 us=261051 tun_mtu_extra = 0
2024-11-20 14:21:28 us=261055 tun_mtu_extra_defined = DISABLED
2024-11-20 14:21:28 us=261060 tls_mtu = 1250
2024-11-20 14:21:28 us=261065 mtu_discover_type = -1
2024-11-20 14:21:28 us=261070 fragment = 0
2024-11-20 14:21:28 us=261074 mssfix = 1492
2024-11-20 14:21:28 us=261079 mssfix_encap = ENABLED
2024-11-20 14:21:28 us=261084 mssfix_fixed = DISABLED
2024-11-20 14:21:28 us=261091 explicit_exit_notification = 0
2024-11-20 14:21:28 us=261096 tls_auth_file = '[INLINE]'
2024-11-20 14:21:28 us=261101 key_direction = 1
2024-11-20 14:21:28 us=261106 tls_crypt_file = '[UNDEF]'
2024-11-20 14:21:28 us=261110 tls_crypt_v2_file = '[UNDEF]'
2024-11-20 14:21:28 us=261115 Connection profiles END
2024-11-20 14:21:28 us=261120 remote_random = DISABLED
2024-11-20 14:21:28 us=261125 ipchange = '[UNDEF]'
2024-11-20 14:21:28 us=261130 dev = 'tun'
2024-11-20 14:21:28 us=261135 dev_type = '[UNDEF]'
2024-11-20 14:21:28 us=261140 dev_node = '[UNDEF]'
2024-11-20 14:21:28 us=261144 tuntap_options.disable_dco = ENABLED
2024-11-20 14:21:28 us=261149 lladdr = '[UNDEF]'
2024-11-20 14:21:28 us=261154 topology = 1
2024-11-20 14:21:28 us=261159 ifconfig_local = '[UNDEF]'
2024-11-20 14:21:28 us=261163 ifconfig_remote_netmask = '[UNDEF]'
2024-11-20 14:21:28 us=261168 ifconfig_noexec = DISABLED
2024-11-20 14:21:28 us=261173 ifconfig_nowarn = DISABLED
2024-11-20 14:21:28 us=261177 ifconfig_ipv6_local = '[UNDEF]'
2024-11-20 14:21:28 us=261182 ifconfig_ipv6_netbits = 0
2024-11-20 14:21:28 us=261187 ifconfig_ipv6_remote = '[UNDEF]'
2024-11-20 14:21:28 us=261192 shaper = 0
2024-11-20 14:21:28 us=261196 mtu_test = 0
2024-11-20 14:21:28 us=261201 mlock = DISABLED
2024-11-20 14:21:28 us=261206 keepalive_ping = 0
2024-11-20 14:21:28 us=261210 keepalive_timeout = 0
2024-11-20 14:21:28 us=261215 inactivity_timeout = 0
2024-11-20 14:21:28 us=261220 session_timeout = 0
2024-11-20 14:21:28 us=261224 inactivity_minimum_bytes = 0
2024-11-20 14:21:28 us=261229 ping_send_timeout = 0
2024-11-20 14:21:28 us=261234 ping_rec_timeout = 0
2024-11-20 14:21:28 us=261238 ping_rec_timeout_action = 0
2024-11-20 14:21:28 us=261243 ping_timer_remote = DISABLED
2024-11-20 14:21:28 us=261248 remap_sigusr1 = 0
2024-11-20 14:21:28 us=261253 persist_tun = ENABLED
2024-11-20 14:21:28 us=261257 persist_local_ip = DISABLED
2024-11-20 14:21:28 us=261262 persist_remote_ip = DISABLED
2024-11-20 14:21:28 us=261267 persist_key = ENABLED
2024-11-20 14:21:28 us=261271 passtos = DISABLED
2024-11-20 14:21:28 us=261276 resolve_retry_seconds = 1000000000
2024-11-20 14:21:28 us=261281 resolve_in_advance = DISABLED
2024-11-20 14:21:28 us=261286 username = '[UNDEF]'
2024-11-20 14:21:28 us=261290 groupname = '[UNDEF]'
2024-11-20 14:21:28 us=261295 chroot_dir = '[UNDEF]'
2024-11-20 14:21:28 us=261300 cd_dir = '[UNDEF]'
2024-11-20 14:21:28 us=261304 selinux_context = '[UNDEF]'
2024-11-20 14:21:28 us=261309 writepid = '[UNDEF]'
2024-11-20 14:21:28 us=261313 up_script = '/etc/openvpn/update-resolv-conf'
2024-11-20 14:21:28 us=261318 down_script = '/etc/openvpn/update-resolv-conf'
2024-11-20 14:21:28 us=261323 down_pre = ENABLED
2024-11-20 14:21:28 us=261327 up_restart = ENABLED
2024-11-20 14:21:28 us=261332 up_delay = DISABLED
2024-11-20 14:21:28 us=261337 daemon = DISABLED
2024-11-20 14:21:28 us=261341 log = DISABLED
2024-11-20 14:21:28 us=261346 suppress_timestamps = DISABLED
2024-11-20 14:21:28 us=261351 machine_readable_output = DISABLED
2024-11-20 14:21:28 us=261356 nice = 0
2024-11-20 14:21:28 us=261361 verbosity = 5
2024-11-20 14:21:28 us=261366 mute = 0
2024-11-20 14:21:28 us=261370 gremlin = 0
2024-11-20 14:21:28 us=261375 status_file = '[UNDEF]'
2024-11-20 14:21:28 us=261380 status_file_version = 1
2024-11-20 14:21:28 us=261385 status_file_update_freq = 60
2024-11-20 14:21:28 us=261389 occ = ENABLED
2024-11-20 14:21:28 us=261394 rcvbuf = 0
2024-11-20 14:21:28 us=261399 sndbuf = 0
2024-11-20 14:21:28 us=261404 mark = 0
2024-11-20 14:21:28 us=261408 sockflags = 0
2024-11-20 14:21:28 us=261413 fast_io = DISABLED
2024-11-20 14:21:28 us=261418 comp.alg = 0
2024-11-20 14:21:28 us=261422 comp.flags = 24
2024-11-20 14:21:28 us=261427 route_script = '[UNDEF]'
2024-11-20 14:21:28 us=261432 route_default_gateway = '[UNDEF]'
2024-11-20 14:21:28 us=261437 route_default_metric = 0
2024-11-20 14:21:28 us=261441 route_noexec = DISABLED
2024-11-20 14:21:28 us=261446 route_delay = 0
2024-11-20 14:21:28 us=261451 route_delay_window = 30
2024-11-20 14:21:28 us=261455 route_delay_defined = DISABLED
2024-11-20 14:21:28 us=261460 route_nopull = DISABLED
2024-11-20 14:21:28 us=261465 route_gateway_via_dhcp = DISABLED
2024-11-20 14:21:28 us=261470 allow_pull_fqdn = DISABLED
2024-11-20 14:21:28 us=261475 management_addr = '[UNDEF]'
2024-11-20 14:21:28 us=261480 management_port = '[UNDEF]'
2024-11-20 14:21:28 us=261485 management_user_pass = '[UNDEF]'
2024-11-20 14:21:28 us=261489 management_log_history_cache = 250
2024-11-20 14:21:28 us=261494 management_echo_buffer_size = 100
2024-11-20 14:21:28 us=261499 management_client_user = '[UNDEF]'
2024-11-20 14:21:28 us=261504 management_client_group = '[UNDEF]'
2024-11-20 14:21:28 us=261509 management_flags = 0
2024-11-20 14:21:28 us=261514 shared_secret_file = '[UNDEF]'
2024-11-20 14:21:28 us=261519 key_direction = 1
2024-11-20 14:21:28 us=261524 ciphername = 'AES-256-CBC'
2024-11-20 14:21:28 us=261529 ncp_ciphers = 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305'
2024-11-20 14:21:28 us=261534 authname = 'SHA256'
2024-11-20 14:21:28 us=261539 engine = DISABLED
2024-11-20 14:21:28 us=261543 replay = ENABLED
2024-11-20 14:21:28 us=261548 mute_replay_warnings = DISABLED
2024-11-20 14:21:28 us=261553 replay_window = 64
2024-11-20 14:21:28 us=261557 replay_time = 15
2024-11-20 14:21:28 us=261562 packet_id_file = '[UNDEF]'
2024-11-20 14:21:28 us=261567 test_crypto = DISABLED
2024-11-20 14:21:28 us=261572 tls_server = DISABLED
2024-11-20 14:21:28 us=261576 tls_client = ENABLED
2024-11-20 14:21:28 us=261581 ca_file = '[INLINE]'
2024-11-20 14:21:28 us=261586 ca_path = '[UNDEF]'
2024-11-20 14:21:28 us=261591 dh_file = '[UNDEF]'
2024-11-20 14:21:28 us=261595 cert_file = '[UNDEF]'
2024-11-20 14:21:28 us=261600 extra_certs_file = '[UNDEF]'
2024-11-20 14:21:28 us=261605 priv_key_file = '[UNDEF]'
2024-11-20 14:21:28 us=261609 pkcs12_file = '[UNDEF]'
2024-11-20 14:21:28 us=261614 cipher_list = '[UNDEF]'
2024-11-20 14:21:28 us=261619 cipher_list_tls13 = '[UNDEF]'
2024-11-20 14:21:28 us=261624 tls_cert_profile = '[UNDEF]'
2024-11-20 14:21:28 us=261628 tls_verify = '[UNDEF]'
2024-11-20 14:21:28 us=261633 tls_export_peer_cert_dir = '[UNDEF]'
2024-11-20 14:21:28 us=261638 verify_x509_type = 0
2024-11-20 14:21:28 us=261643 verify_x509_name = '[UNDEF]'
2024-11-20 14:21:28 us=261647 crl_file = '[UNDEF]'
2024-11-20 14:21:28 us=261652 ns_cert_type = 0
2024-11-20 14:21:28 us=261657 remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261662 remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261667 remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261671 remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261676 remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261680 remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261685 remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261690 remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261694 remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261699 remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261704 remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261709 remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261713 remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261718 remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261722 remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261727 remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261732 remote_cert_eku = '[UNDEF]'
2024-11-20 14:21:28 us=261737 ssl_flags = 192
2024-11-20 14:21:28 us=261742 tls_timeout = 2
2024-11-20 14:21:28 us=261747 renegotiate_bytes = -1
2024-11-20 14:21:28 us=261751 renegotiate_packets = 0
2024-11-20 14:21:28 us=261756 renegotiate_seconds = 0
2024-11-20 14:21:28 us=261761 handshake_window = 60
2024-11-20 14:21:28 us=261766 transition_window = 3600
2024-11-20 14:21:28 us=261771 single_session = DISABLED
2024-11-20 14:21:28 us=261776 push_peer_info = DISABLED
2024-11-20 14:21:28 us=261780 tls_exit = DISABLED
2024-11-20 14:21:28 us=261785 tls_crypt_v2_metadata = '[UNDEF]'
2024-11-20 14:21:28 us=261794 pkcs11_providers = /usr/lib64/opensc-pkcs11.so
2024-11-20 14:21:28 us=261799 pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261823 pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261829 pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261834 pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261838 pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261843 pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261862 pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261867 pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261871 pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261876 pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261881 pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261886 pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261890 pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261895 pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261900 pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261905 pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261910 pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261915 pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261919 pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261924 pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261929 pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261934 pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261939 pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261944 pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261948 pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261953 pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261958 pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261963 pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261968 pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261973 pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261977 pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261982 pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261987 pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=261992 pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=261996 pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262001 pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262006 pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262010 pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262015 pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262020 pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262024 pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262029 pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262034 pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262039 pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262044 pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262048 pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262053 pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262058 pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262062 pkcs11_pin_cache_period = -1
2024-11-20 14:21:28 us=262067 pkcs11_id = 'pkcs11:model=PKCS%2315%20emulated;token=goldeneye59;manufacturer=piv_II;serial=56bd4eb7cbc2f94b;id=%01'
2024-11-20 14:21:28 us=262073 pkcs11_id_management = DISABLED
2024-11-20 14:21:28 us=262081 server_network = 0.0.0.0
2024-11-20 14:21:28 us=262087 server_netmask = 0.0.0.0
2024-11-20 14:21:28 us=262092 server_network_ipv6 = ::
2024-11-20 14:21:28 us=262097 server_netbits_ipv6 = 0
2024-11-20 14:21:28 us=262102 server_bridge_ip = 0.0.0.0
2024-11-20 14:21:28 us=262107 server_bridge_netmask = 0.0.0.0
2024-11-20 14:21:28 us=262112 server_bridge_pool_start = 0.0.0.0
2024-11-20 14:21:28 us=262118 server_bridge_pool_end = 0.0.0.0
2024-11-20 14:21:28 us=262122 ifconfig_pool_defined = DISABLED
2024-11-20 14:21:28 us=262127 ifconfig_pool_start = 0.0.0.0
2024-11-20 14:21:28 us=262133 ifconfig_pool_end = 0.0.0.0
2024-11-20 14:21:28 us=262138 ifconfig_pool_netmask = 0.0.0.0
2024-11-20 14:21:28 us=262143 ifconfig_pool_persist_filename = '[UNDEF]'
2024-11-20 14:21:28 us=262148 ifconfig_pool_persist_refresh_freq = 600
2024-11-20 14:21:28 us=262153 ifconfig_ipv6_pool_defined = DISABLED
2024-11-20 14:21:28 us=262158 ifconfig_ipv6_pool_base = ::
2024-11-20 14:21:28 us=262163 ifconfig_ipv6_pool_netbits = 0
2024-11-20 14:21:28 us=262168 n_bcast_buf = 256
2024-11-20 14:21:28 us=262173 tcp_queue_limit = 64
2024-11-20 14:21:28 us=262178 real_hash_size = 256
2024-11-20 14:21:28 us=262183 virtual_hash_size = 256
2024-11-20 14:21:28 us=262188 client_connect_script = '[UNDEF]'
2024-11-20 14:21:28 us=262194 learn_address_script = '[UNDEF]'
2024-11-20 14:21:28 us=262200 client_disconnect_script = '[UNDEF]'
2024-11-20 14:21:28 us=262204 client_crresponse_script = '[UNDEF]'
2024-11-20 14:21:28 us=262209 client_config_dir = '[UNDEF]'
2024-11-20 14:21:28 us=262214 ccd_exclusive = DISABLED
2024-11-20 14:21:28 us=262219 tmp_dir = '/tmp'
2024-11-20 14:21:28 us=262223 push_ifconfig_defined = DISABLED
2024-11-20 14:21:28 us=262228 push_ifconfig_local = 0.0.0.0
2024-11-20 14:21:28 us=262233 push_ifconfig_remote_netmask = 0.0.0.0
2024-11-20 14:21:28 us=262238 push_ifconfig_ipv6_defined = DISABLED
2024-11-20 14:21:28 us=262243 push_ifconfig_ipv6_local = ::/0
2024-11-20 14:21:28 us=262248 push_ifconfig_ipv6_remote = ::
2024-11-20 14:21:28 us=262253 enable_c2c = DISABLED
2024-11-20 14:21:28 us=262257 duplicate_cn = DISABLED
2024-11-20 14:21:28 us=262262 cf_max = 0
2024-11-20 14:21:28 us=262267 cf_per = 0
2024-11-20 14:21:28 us=262272 cf_initial_max = 100
2024-11-20 14:21:28 us=262276 cf_initial_per = 10
2024-11-20 14:21:28 us=262281 max_clients = 1024
2024-11-20 14:21:28 us=262286 max_routes_per_client = 256
2024-11-20 14:21:28 us=262291 auth_user_pass_verify_script = '[UNDEF]'
2024-11-20 14:21:28 us=262295 auth_user_pass_verify_script_via_file = DISABLED
2024-11-20 14:21:28 us=262300 auth_token_generate = DISABLED
2024-11-20 14:21:28 us=262305 force_key_material_export = DISABLED
2024-11-20 14:21:28 us=262310 auth_token_lifetime = 0
2024-11-20 14:21:28 us=262315 auth_token_secret_file = '[UNDEF]'
2024-11-20 14:21:28 us=262319 port_share_host = '[UNDEF]'
2024-11-20 14:21:28 us=262324 port_share_port = '[UNDEF]'
2024-11-20 14:21:28 us=262329 vlan_tagging = DISABLED
2024-11-20 14:21:28 us=262334 vlan_accept = all
2024-11-20 14:21:28 us=262338 vlan_pvid = 1
2024-11-20 14:21:28 us=262343 client = ENABLED
2024-11-20 14:21:28 us=262347 pull = ENABLED
2024-11-20 14:21:28 us=262352 auth_user_pass_file = '[UNDEF]'
2024-11-20 14:21:28 us=262361 OpenVPN 2.6.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2024-11-20 14:21:28 us=262372 library versions: OpenSSL 3.2.2 4 Jun 2024, LZO 2.10
2024-11-20 14:21:28 us=262389 DCO version: N/A
2024-11-20 14:21:28 us=262435 PKCS#11: Adding PKCS#11 provider '/usr/lib64/opensc-pkcs11.so'
2024-11-20 14:21:28 us=293110 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2024-11-20 14:21:28 us=293140 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-11-20 14:21:28 us=302097 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2024-11-20 14:21:28 us=302118 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2024-11-20 14:21:28 us=302242 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2024-11-20 14:21:28 us=302267 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2024-11-20 14:21:28 us=302293 TCP/UDP: Preserving recently used remote address: [AF_INET]1.2.3.4:1194
2024-11-20 14:21:28 us=302570 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-11-20 14:21:28 us=302580 UDPv4 link local: (not bound)
2024-11-20 14:21:28 us=302586 UDPv4 link remote: [AF_INET]1.2.3.4:1194
WR2024-11-20 14:21:28 us=310616 TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=edebb44c 7a6620ab
WRWR2024-11-20 14:21:28 us=319882 VERIFY OK: depth=1, C=FR, ST=France, L=XXX, O=XXX, CN=CA XXX
2024-11-20 14:21:28 us=320045 VERIFY OK: depth=0, C=FR, ST=France, L=XXX, O=XXX, OU=XXX, CN=XXX, emailAddress=XXX
WRWWR2024-11-20 14:26:22 us=160853 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-11-20 14:22:32 us=160902 TLS Error: TLS handshake failed
2024-11-20 14:22:32 us=161257 TCP/UDP: Closing socket
2024-11-20 14:22:32 us=161339 SIGUSR1[soft,tls-error] received, process restarting
2024-11-20 14:22:32 us=161397 Restart pause, 1 second(s)
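The two logs above share one shape: the client verifies the server chain (VERIFY OK at depth=1 and depth=0), then nothing happens until the 60 second TLS window expires and the process restarts on a tls-error. In the TLS handshake the step right after the client has checked the server's certificate is the client presenting and signing with its own certificate, which here lives on a PKCS#11 token, so a stall at exactly that point is a client-side signing problem rather than a network one. The following analyzer is an added example written for this thread, not code from the thread or from the OpenVPN project: it parses verb 5 client log lines (stripping the R/W markers OpenVPN prints at that verbosity), extracts the relevant events, and reports the stall pattern together with the "No server certificate verification method" warning that also appears in both logs. The two sample logs are constructed (placeholder addresses, DNs and timestamps) to mirror the excerpt above; the success line "Peer Connection Initiated" is the marker OpenVPN logs once a handshake completes.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample logs shaped like the verb 5 client log above; placeholders, not real data.
# The first reproduces the failing pattern, the second shows a completed handshake.
FAILING_LOG = """\
2024-11-20 14:21:28 us=262435 PKCS#11: Adding PKCS#11 provider '/usr/lib64/opensc-pkcs11.so'
2024-11-20 14:21:28 us=293110 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2024-11-20 14:21:28 us=302293 TCP/UDP: Preserving recently used remote address: [AF_INET]1.2.3.4:1194
WR2024-11-20 14:21:28 us=310616 TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=edebb44c 7a6620ab
WRWR2024-11-20 14:21:28 us=319882 VERIFY OK: depth=1, C=FR, ST=France, L=XXX, O=XXX, CN=CA XXX
2024-11-20 14:21:28 us=320045 VERIFY OK: depth=0, C=FR, ST=France, L=XXX, O=XXX, OU=XXX, CN=XXX, emailAddress=XXX
WRWWR2024-11-20 14:22:32 us=160853 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-11-20 14:22:32 us=160902 TLS Error: TLS handshake failed
2024-11-20 14:22:32 us=161339 SIGUSR1[soft,tls-error] received, process restarting
"""

HEALTHY_LOG = """\
2024-11-20 15:00:01 us=100000 PKCS#11: Adding PKCS#11 provider '/usr/lib64/opensc-pkcs11.so'
2024-11-20 15:00:01 us=200000 TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=00000000 00000000
2024-11-20 15:00:01 us=300000 VERIFY OK: depth=1, C=FR, ST=France, L=XXX, O=XXX, CN=CA XXX
2024-11-20 15:00:01 us=300100 VERIFY OK: depth=0, C=FR, ST=France, L=XXX, O=XXX, OU=XXX, CN=XXX
2024-11-20 15:00:02 us=400000 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA
2024-11-20 15:00:02 us=400100 [XXX] Peer Connection Initiated with [AF_INET]1.2.3.4:1194
"""

# verb 5 prefixes lines with R/W read/write markers; the optional "us=" field is the microsecond part.
LINE_RE = re.compile(r"^[RW]*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?: us=\d+)? (.*)$")
PROVIDER_RE = re.compile(r"PKCS#11: Adding PKCS#11 provider '([^']+)'")
TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")


@dataclass
class Findings:
    pkcs11_providers: List[str] = field(default_factory=list)
    server_cert_verification_disabled: bool = False  # the MITM warning was logged
    peer_verified: bool = False                      # VERIFY OK at depth=0 seen
    handshake_completed: bool = False                # "Peer Connection Initiated" seen
    tls_timeout_seconds: Optional[int] = None        # set when key negotiation timed out
    restart_count: int = 0                           # SIGUSR1[soft,tls-error] restarts

    @property
    def handshake_stalled_after_verify(self) -> bool:
        # Server chain accepted, handshake never finished, and OpenVPN gave up on the timer.
        return self.peer_verified and not self.handshake_completed and self.tls_timeout_seconds is not None


def parse_lines(text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, message) pairs, dropping the R/W markers and the us= field."""
    parsed = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            parsed.append((m.group(1), m.group(2)))
    return parsed


def analyze(text: str) -> Findings:
    """Extract the handshake-relevant events from an OpenVPN client log excerpt."""
    f = Findings()
    for _ts, msg in parse_lines(text):
        if (m := PROVIDER_RE.search(msg)):
            f.pkcs11_providers.append(m.group(1))
        elif "No server certificate verification method has been enabled" in msg:
            f.server_cert_verification_disabled = True
        elif msg.startswith("VERIFY OK: depth=0"):
            f.peer_verified = True
        elif "Peer Connection Initiated" in msg:
            f.handshake_completed = True
        elif (m := TIMEOUT_RE.search(msg)):
            f.tls_timeout_seconds = int(m.group(1))
        elif msg.startswith("SIGUSR1[soft,tls-error]"):
            f.restart_count += 1
    return f


def diagnose(f: Findings) -> List[str]:
    """Turn the findings into defender-oriented notes; an empty list means nothing to report."""
    notes = []
    if f.server_cert_verification_disabled:
        notes.append("server identity is not checked beyond the CA: add 'remote-cert-tls server' "
                     "so another certificate issued by the same CA cannot pose as the server")
    if f.handshake_stalled_after_verify:
        hint = ("a PKCS#11 provider is loaded, so check the token stack (smart-card module, "
                "OpenSSL provider, PIN prompt) before the network"
                if f.pkcs11_providers else "check the client certificate and private key")
        notes.append(f"server chain verified, then no key negotiation for {f.tls_timeout_seconds}s: "
                     f"the stall is at the client's own certificate/signature step; {hint}")
    if f.restart_count:
        notes.append(f"{f.restart_count} tls-error restart(s) in this excerpt")
    return notes


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("healthy", HEALTHY_LOG)):
        print(f"== {name} ==")
        for note in diagnose(analyze(log)) or ["no findings"]:
            print(" -", note)
```

Run it on a real log captured with verb 5 and the R/W markers are handled the same way; the analyzer only reads the message text, so the "us=" microsecond field and any "check your network connectivity" wording are ignored when deciding where the handshake stopped.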
vgaetera
(Vladislav Grigoryev)
November 20, 2024, 1:46pm
4
goldeneye59
(Olivier Français)
November 20, 2024, 1:56pm
5
I already thought about that; with tcpdump, I can see packets going in and out to my VPN server.
Just in case, I wiped all iptables rules and stopped Docker: same issue…
On the same laptop, in a VM with Ubuntu 24 it works; in a fresh Fedora 41 VM: same issue.
Output of openvpn --version on Ubuntu 24: same OpenVPN version, but a different OpenSSL version.
OpenVPN 2.6.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no
vgaetera
(Vladislav Grigoryev)
November 20, 2024, 2:06pm
6
goldeneye59
(Olivier Français)
November 20, 2024, 2:11pm
7
You're my new hero!
Downgrading the pkcs11 provider solved the issue:
dnf install pkcs11-provider-0.5-3.fc41