[ale] OpenVPN help

Alex Carver agcarver+ale at acarver.net
Sat Nov 7 19:39:11 EST 2015


On 2015-11-07 12:45, Phil Turmel wrote:
> On 11/07/2015 02:58 PM, dev null zero two wrote:
>> did you set up routes and ip forwarding?
> 
> You'll probably also need nat in the openvpn server for any external
> traffic originating in the vpn.

Ok, the NAT worked (I didn't have iptables installed at all on this
particular machine).  Got that installed, masqueraded the VPN subnet
over to the machine's network card and can now reach the internal traffic.

Next step, trying to verify that the link is encrypted.  I've got
debugging turned up a bit and am watching the logs.  When a connection
is established I see the following:

Sat Nov  7 16:28:28 2015 us=998372 MULTI: multi_create_instance called
Sat Nov  7 16:28:29 2015 us=1250 166.170.49.84:20242 Re-using SSL/TLS
context
Sat Nov  7 16:28:29 2015 us=3046 166.170.49.84:20242 LZO compression
initialized
Sat Nov  7 16:28:29 2015 us=12627 166.170.49.84:20242 Control Channel
MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sat Nov  7 16:28:29 2015 us=15443 166.170.49.84:20242 Data Channel MTU
parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Nov  7 16:28:29 2015 us=17017 166.170.49.84:20242 Local Options
String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto
UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize
128,tls-auth,key-method 2,tls-server'
Sat Nov  7 16:28:29 2015 us=21830 166.170.49.84:20242 Expected Remote
Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto
UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize
128,tls-auth,key-method 2,tls-client'
Sat Nov  7 16:28:29 2015 us=24194 166.170.49.84:20242 Local Options hash
(VER=V4): '14168603'
Sat Nov  7 16:28:29 2015 us=25583 166.170.49.84:20242 Expected Remote
Options hash (VER=V4): '504e774e'
Sat Nov  7 16:28:29 2015 us=27203 166.170.49.84:20242 TLS: Initial
packet from [AF_INET]166.170.49.84:20242, sid=53399d05 59f52b6e
Sat Nov  7 16:28:37 2015 us=252588 166.170.49.84:20242
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3
/ time = (1446942506) Sat Nov  7 16:28:26 2015 ] -- see the man page
entry for --no-replay and --replay-window for more info or silence this
warning with --mute-replay-warnings


(This last set of TLS messages gets repeated a few times.)

After those get repeated I get:


Sat Nov  7 16:28:47 2015 us=176814 166.170.49.84:20242 Data Channel
Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov  7 16:28:47 2015 us=178102 166.170.49.84:20242 Data Channel
Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov  7 16:28:47 2015 us=179541 166.170.49.84:20242 Data Channel
Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov  7 16:28:47 2015 us=180685 166.170.49.84:20242 Data Channel
Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov  7 16:28:47 2015 us=253723 166.170.49.84:20242 Control Channel:
TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Nov  7 16:28:47 2015 us=255138 166.170.49.84:20242 [vpntest2] Peer
Connection Initiated with [AF_INET]166.170.49.84:20242

Is it encrypted or not?
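As an added example (not part of this post and not OpenVPN's own code): a small Python parser for exactly the server log entries quoted above. It extracts the negotiated data-channel cipher and HMAC, the control-channel TLS suite, and whether the peer connection completed, and flags 64-bit block ciphers such as BF-CBC. The sample log is constructed from the lines in the post with the mailer's wrapping undone.

```python
import re

# Constructed sample: the server log entries quoted in the post above, with the
# mailer's line wrapping undone so each entry sits on one line.
SAMPLE_LOG = """\
Sat Nov  7 16:28:47 2015 us=176814 166.170.49.84:20242 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov  7 16:28:47 2015 us=178102 166.170.49.84:20242 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov  7 16:28:47 2015 us=179541 166.170.49.84:20242 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov  7 16:28:47 2015 us=180685 166.170.49.84:20242 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov  7 16:28:47 2015 us=253723 166.170.49.84:20242 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Nov  7 16:28:47 2015 us=255138 166.170.49.84:20242 [vpntest2] Peer Connection Initiated with [AF_INET]166.170.49.84:20242
"""

# OpenVPN cipher names whose underlying block size is only 64 bits (Blowfish,
# DES/3DES, CAST5); AES-based ciphers use 128-bit blocks.
SMALL_BLOCK_PREFIXES = ("BF-", "DES-", "CAST5-")

DATA_CIPHER_RE = re.compile(
    r"Data Channel (Encrypt|Decrypt): Cipher '([^']+)' initialized with (\d+) bit key")
DATA_HMAC_RE = re.compile(
    r"Data Channel (Encrypt|Decrypt): Using (\d+) bit message hash '([^']+)' for HMAC")
CONTROL_RE = re.compile(
    r"Control Channel: (\S+), cipher (\S+) (\S+), (\d+) bit (\S+)")
CONNECTED_RE = re.compile(r"Peer Connection Initiated with")


def summarize_session(log_text):
    """Extract the negotiated crypto parameters from one OpenVPN session log."""
    data = {"encrypt": {}, "decrypt": {}}
    summary = {"data_channel": data, "control_channel": None,
               "connected": False, "encrypted": False, "warnings": []}
    for line in log_text.splitlines():
        if m := DATA_CIPHER_RE.search(line):
            direction, cipher, bits = m.groups()
            data[direction.lower()].update(cipher=cipher, key_bits=int(bits))
        elif m := DATA_HMAC_RE.search(line):
            direction, bits, digest = m.groups()
            data[direction.lower()].update(hmac=digest, hmac_bits=int(bits))
        elif m := CONTROL_RE.search(line):
            proto, _family, suite, bits, keytype = m.groups()
            summary["control_channel"] = {"protocol": proto, "cipher": suite,
                                          "key_bits": int(bits), "key_type": keytype}
        elif CONNECTED_RE.search(line):
            summary["connected"] = True
    # Encrypted only if both directions report a data-channel cipher and the peer connected.
    summary["encrypted"] = (summary["connected"]
                            and all("cipher" in d for d in data.values()))
    for direction, d in data.items():
        if d.get("cipher", "").startswith(SMALL_BLOCK_PREFIXES):
            summary["warnings"].append(
                f"{direction}: {d['cipher']} is a 64-bit block cipher; prefer an AES-based cipher")
    return summary
```

Run against the quoted log, the summary answers the question directly: the data channel is encrypted with BF-CBC (128-bit key) and authenticated with SHA1 HMAC, the control channel uses DHE-RSA-AES256-SHA with a 2048-bit RSA key, and a warning notes the 64-bit block size of Blowfish.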