GXP1625 with OpenVPN 2.x

#1

Could someone please help getting a GXP1625 working with an OpenVPN 2.4 server? I’m receiving errors about “duplicate-dn”, but looking deeper, I see that the GXP1625 is re-connecting shortly after the first connection attempt is made and the root cause seems to be the outdated OpenVPN client on the GXP1625 (version 1.x?) and lack of configuration options on the client side to make it talk with the OpenVPN 2.x server.

My configuration: I’m using a virgin RaspberryPi with the latest Stretch-Lite Raspbian image and the PiVPN script for setting up OpenVPN 2.4. I confirmed that the server config and routing are correct by successfully establishing a VPN connection with iOS as the OpenVPN client. I’ve also had the same results using OpenVPN server in a Docker container. The GXP1625 has the firmware version 1.0.4.55, which isn’t the latest, but I didn’t see any openvpn-relevant fixes in the newer release notes.

Following other forum posts here, I was able to resolve some of the issues (which happen to break the compatibility with iOS). I made the following modifications to /etc/openvpn/server.conf:

[tt]
#tls-version-min 1.2
tls-version-min 1.0
#tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
#cipher AES-256-CBC
cipher BF-CBC
#comp-lzo
comp-lzo no
push "ping 10"
push "ping-restart 60"
push "resolv-retry infinite"
[/tt]

When the client tries to establish the connection, the following appears in the server log:

[tt]
Sun Dec 17 07:22:48 2017 us=60565 MULTI: multi_create_instance called
Sun Dec 17 07:22:48 2017 us=61227 10.1.3.10:49123 Re-using SSL/TLS context
Sun Dec 17 07:22:48 2017 us=62386 10.1.3.10:49123 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sun Dec 17 07:22:48 2017 us=62788 10.1.3.10:49123 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sun Dec 17 07:22:48 2017 us=63327 10.1.3.10:49123 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1554,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA256,keysize 128,key-method 2,tls-server'
Sun Dec 17 07:22:48 2017 us=65842 10.1.3.10:49123 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1554,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA256,keysize 128,key-method 2,tls-client'
Sun Dec 17 07:22:48 2017 us=67712 10.1.3.10:49123 TLS: Initial packet from [AF_INET]10.1.3.10:49123, sid=fa544ea6 51fc16d3
Sun Dec 17 07:22:52 2017 us=445666 10.1.3.10:49123 VERIFY OK: depth=1, CN=ChangeMe
Sun Dec 17 07:22:52 2017 us=451183 10.1.3.10:49123 Validating certificate key usage
Sun Dec 17 07:22:52 2017 us=452488 10.1.3.10:49123 ++ Certificate has key usage 0080, expects 0080
Sun Dec 17 07:22:52 2017 us=454040 10.1.3.10:49123 VERIFY KU OK
Sun Dec 17 07:22:52 2017 us=455444 10.1.3.10:49123 Validating certificate extended key usage
Sun Dec 17 07:22:52 2017 us=457245 10.1.3.10:49123 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Sun Dec 17 07:22:52 2017 us=458758 10.1.3.10:49123 VERIFY EKU OK
Sun Dec 17 07:22:52 2017 us=460004 10.1.3.10:49123 VERIFY OK: depth=0, CN=emilygxp
Sun Dec 17 07:22:52 2017 us=658992 10.1.3.10:49123 NOTE: Options consistency check may be skewed by version differences
Sun Dec 17 07:22:52 2017 us=660397 10.1.3.10:49123 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Sun Dec 17 07:22:52 2017 us=661695 10.1.3.10:49123 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
Sun Dec 17 07:22:52 2017 us=663495 10.1.3.10:49123 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1554'
Sun Dec 17 07:22:52 2017 us=665396 10.1.3.10:49123 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
Sun Dec 17 07:22:52 2017 us=666941 10.1.3.10:49123 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sun Dec 17 07:22:52 2017 us=668243 10.1.3.10:49123 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Sun Dec 17 07:22:52 2017 us=670075 10.1.3.10:49123 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA256'
Sun Dec 17 07:22:52 2017 us=671467 10.1.3.10:49123 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 128'
Sun Dec 17 07:22:52 2017 us=673078 10.1.3.10:49123 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Sun Dec 17 07:22:52 2017 us=675076 10.1.3.10:49123 WARNING: 'tls-client' is present in local config but missing in remote config, local='tls-client'
Sun Dec 17 07:22:52 2017 us=678519 10.1.3.10:49123 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Dec 17 07:22:52 2017 us=679960 10.1.3.10:49123 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sun Dec 17 07:22:52 2017 us=681307 10.1.3.10:49123 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Dec 17 07:22:52 2017 us=683167 10.1.3.10:49123 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Dec 17 07:22:52 2017 us=685140 10.1.3.10:49123 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sun Dec 17 07:22:52 2017 us=686497 10.1.3.10:49123 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Dec 17 07:22:52 2017 us=688414 10.1.3.10:49123 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Sun Dec 17 07:22:52 2017 us=705007 10.1.3.10:49123 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Sun Dec 17 07:22:52 2017 us=706505 10.1.3.10:49123 [emilygxp] Peer Connection Initiated with [AF_INET]10.1.3.10:49123
Sun Dec 17 07:22:52 2017 us=708296 emilygxp/10.1.3.10:49123 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Sun Dec 17 07:22:52 2017 us=710393 emilygxp/10.1.3.10:49123 MULTI: Learn: 10.8.0.2 -> emilygxp/10.1.3.10:49123
Sun Dec 17 07:22:52 2017 us=711946 emilygxp/10.1.3.10:49123 MULTI: primary virtual IP for emilygxp/10.1.3.10:49123: 10.8.0.2
Sun Dec 17 07:22:53 2017 us=870095 emilygxp/10.1.3.10:49123 PUSH: Received control message: 'PUSH_REQUEST'
Sun Dec 17 07:22:53 2017 us=876383 emilygxp/10.1.3.10:49123 SENT CONTROL [emilygxp]: 'PUSH_REPLY,route 10.8.0.1 255.255.255.255,route 10.8.0.0 255.255.255.0,route 10.1.1.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,ping 10,ping-restart 60,resolv-retry infinite,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0' (status=1)
[/tt]

Based on the log output, it’s clear that the GXP1625 is using OpenVPN 1.x and according to the OpenVPN FAQ https://community.openvpn.net/openvpn/wiki/267-i-am-having-trouble-getting-openvpn-1x-to-talk-with-openvpn-20, I should add some options to the client configuration:

[tt]
port 1194
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
key-method 2
[/tt]

There is no way to set these attributes on the GXP1625, but I’m sure there’s a way to work around this on the server side configuration. Also, I don’t think it’s an MTU problem because I’m not even able to ping the client VPN IP address during (or after) the handshaking. I tried forcing the key-method to 1 in the server config, but that’s not compatible with “mode server”.

Obviously, the best solution would be for Grandstream to update the OpenVPN client; this would also fix some critical security issues. Barring that, does someone have any tips on getting it to work with the current firmware?

Best regards and many thanks,

Scott
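An added example, not code from the original post or from Grandstream: a small Python checker that reads a server log in the format quoted above and reports, per peer, whether the client sent no options string at all (the `version V0 UNDEF` warning that identifies a 1.x client), which server options the client could not confirm, how many INSECURE cipher warnings fired, the control-channel TLS version, and any directive pushed with two different values (here `ping-restart 60` from the manual push next to `ping-restart 120` from the server's own keepalive). The sample log is constructed from the lines above; the line format assumed is the OpenVPN 2.4 default shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the OpenVPN 2.4 server log quoted in the post
SAMPLE_LOG = """\
Sun Dec 17 07:22:52 2017 us=660397 10.1.3.10:49123 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Sun Dec 17 07:22:52 2017 us=668243 10.1.3.10:49123 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Sun Dec 17 07:22:52 2017 us=679960 10.1.3.10:49123 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sun Dec 17 07:22:52 2017 us=705007 10.1.3.10:49123 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Sun Dec 17 07:22:53 2017 us=876383 emilygxp/10.1.3.10:49123 SENT CONTROL [emilygxp]: 'PUSH_REPLY,route 10.8.0.1 255.255.255.255,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 60,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0' (status=1)
"""

# Timestamp, optional "commonname/" prefix, peer address, then the message
LINE_RE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} us=\d+ "
                     r"(?:(?P<cn>[^/\s]+)/)?(?P<peer>\d+(?:\.\d+){3}:\d+) (?P<msg>.*)$")
MISSING_RE = re.compile(r"WARNING: '([\w-]+)' is present in local config but missing in remote config")
PUSH_RE = re.compile(r"'PUSH_REPLY,(.*?)' \(status=")
MULTI_VALUED = {"route", "route-ipv6", "dhcp-option"}  # legitimately repeated in one push


def analyze(log_text):
    """Per-peer summary: legacy client, unconfirmed options, weak crypto, conflicting pushes."""
    log_text = log_text.replace("\u2018", "'").replace("\u2019", "'")  # undo forum smart quotes
    findings = defaultdict(lambda: {"legacy_client": False, "missing_options": [], "insecure_cipher_warnings": 0,
                                    "control_channel": None, "conflicting_pushes": {}})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f, msg = findings[m.group("peer")], m.group("msg")
        if "remote='version V0 UNDEF'" in msg:
            f["legacy_client"] = True  # a 1.x client sends no options string, so nothing can be checked
        if (mm := MISSING_RE.search(msg)):
            f["missing_options"].append(mm.group(1))
        if "INSECURE cipher" in msg:
            f["insecure_cipher_warnings"] += 1
        if msg.startswith("Control Channel: "):
            f["control_channel"] = msg[len("Control Channel: "):].split(",")[0]
        if (pm := PUSH_RE.search(msg)):
            values = defaultdict(set)
            for directive in pm.group(1).split(","):
                name, _, arg = directive.partition(" ")
                values[name].add(arg)
            f["conflicting_pushes"] = {n: sorted(v) for n, v in values.items()
                                       if n not in MULTI_VALUED and len(v) > 1}
    return dict(findings)


if __name__ == "__main__":
    for peer, f in analyze(SAMPLE_LOG).items(): print(peer, f)
```

Run against the full log in the post, the same function lists every option the phone could not confirm and both SWEET32 warnings, which is the cost of `cipher BF-CBC` and `tls-version-min 1.0` stated in the log's own words.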


#2

I got it working on a Raspberry Pi with PiVPN. I don’t know about versions; I didn’t see anything that complained about the wrong OpenVPN version.

I’m trying to sell these on eBay. It’s way too complicated to troubleshoot in the forums – it took me months to get it to finally work.

PM me if you’re interested in buying a CD and manual for my RPi server – it would be cheap but I can’t give it away.

-jimc


#3

Hi, I would like to open a PM with you. Kindly let me know the details; I can buy the server file from you, but only for domestic usage.


#4

Could you solve the problem? I am also facing the same.


#5

I’m sending you a PM with contact information…

-jimc