FS#1762 - 18.06.1 openvpn (mbedtls and openssl) write to TUN/TAP : Invalid argument (code=22) #6637

Closed
openwrt-bot opened this issue Aug 10, 2018 · 11 comments
pmelange:

I have tested this with a tl-wr842n-v3 (ar71xx/generic) and MikroTik rb750gr3 (ramips/mt7621). The problem seems to be architecture independent. This setup works fine with 17.05.1

There is already an issue filed with freifunk-berlin freifunk-berlin/firmware#580

With 18.06.1 I have tested with openvpn-mbedtls and openvpn-openssl. With 17.01.5 I tested with openvpn-mbedtls. Attached are pcapng files for both the wan interface (host filtered) and the ffuplink (vpn) interface. On the ffuplink interface I simply ran a "ping -I ffuplink".

Attached is also an example log from 18.06.1 and the configuration for openvpn on the router.

Also worth noting is that there are crc errors being reported when I run tcpdump directly on the router

~# tcpdump -nvvi br-wan host 217.197.83.193
tcpdump: listening on br-wan, link-type EN10MB (Ethernet), capture size 262144 bytes
22:50:56.042355 IP (tos 0x0, ttl 64, id 3801, offset 0, flags [DF], proto UDP (17), length 136)
192.168.200.3.1194 > 217.197.83.193.1194: [bad udp cksum 0xb6b8 -> 0x8450!] UDP, length 108
22:50:57.050206 IP (tos 0x0, ttl 64, id 3838, offset 0, flags [DF], proto UDP (17), length 136)
192.168.200.3.1194 > 217.197.83.193.1194: [bad udp cksum 0xb6b8 -> 0xcf66!] UDP, length 108
22:50:57.059920 IP (tos 0x0, ttl 59, id 62922, offset 0, flags [DF], proto UDP (17), length 66)
217.197.83.193.1194 > 192.168.200.3.1194: [udp sum ok] UDP, length 38
22:50:58.058255 IP (tos 0x0, ttl 64, id 3859, offset 0, flags [DF], proto UDP (17), length 136)
192.168.200.3.1194 > 217.197.83.193.1194: [bad udp cksum 0xb6b8 -> 0x0c0a!] UDP, length 108
22:50:59.066179 IP (tos 0x0, ttl 64, id 3941, offset 0, flags [DF], proto UDP (17), length 136)
192.168.200.3.1194 > 217.197.83.193.1194: [bad udp cksum 0xb6b8 -> 0x3675!] UDP, length 108
22:51:00.074120 IP (tos 0x0, ttl 64, id 3973, offset 0, flags [DF], proto UDP (17), length 136)
192.168.200.3.1194 > 217.197.83.193.1194: [bad udp cksum 0xb6b8 -> 0x8ba0!] UDP, length 108
22:51:01.082085 IP (tos 0x0, ttl 64, id 4039, offset 0, flags [DF], proto UDP (17), length 136)
192.168.200.3.1194 > 217.197.83.193.1194: [bad udp cksum 0xb6b8 -> 0x0392!] UDP, length 108

I unfortunately can not be of much help with debugging this issue before the beginning of Sept (traveling). If anyone wants to test with the same server, you can apply for a freifunk-berlin tunnel cert at http://tunnel.berlin.freifunk.net (hopefully the cert will get approved quickly). To get the extra data files in the /etc/openvpn directory, please temporarily install berlin-freifunk's Hedy-1.0.1 firmware (tunnel-berlin version).

I unfortunately don't have access to the vpn server (217.197.83.193) so I cannot post the server config. A similar config from a peer server is attached.
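A check worth doing before treating the "bad udp cksum" lines above as corruption: every outbound packet carries the same field value 0xb6b8, and only the router's own transmissions are flagged while the server's reply shows "udp sum ok". That is the signature of transmit checksum offload, where the Linux stack writes the folded, non-inverted IPv4 pseudo-header sum into the UDP checksum field and leaves the NIC to finish it after the point where tcpdump captures. The Python below is an added example, not part of the bug report or of any OpenVPN/OpenWrt code; the function names are mine, the addresses and the UDP length (IP total length 136 minus the 20-byte header) are taken from the capture, and the round-trip datagram is constructed.

```python
"""Added example: is tcpdump's 'bad udp cksum' on the sending router a real error?
Computes the RFC 768 UDP checksum and the partial value Linux leaves in the
checksum field when transmit checksum offload is on. Function names and the
constructed datagram are this example's own; nothing here is OpenVPN or OpenWrt code."""
import ipaddress
import struct

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum over data (odd trailing byte zero-padded), folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero byte, protocol, UDP length."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, UDP_PROTO, udp_len))


def offload_placeholder(src: str, dst: str, udp_len: int) -> int:
    """Value the checksum field holds when the kernel defers the sum to the NIC
    (CHECKSUM_PARTIAL): the pseudo-header sum, not inverted. A capture taken on
    the sending host, before the NIC fills the field in, shows this value."""
    return ones_complement_sum(pseudo_header(src, dst, udp_len))


def udp_checksum(src: str, dst: str, sport: int, dport: int, payload: bytes) -> int:
    """Complete RFC 768 checksum as it should appear on the wire (a result of 0 is sent as 0xFFFF)."""
    udp_len = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, udp_len, 0)
    total = ones_complement_sum(pseudo_header(src, dst, udp_len) + header + payload)
    return (~total & 0xFFFF) or 0xFFFF


def build_udp_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header with a correct checksum, followed by the payload."""
    csum = udp_checksum(src, dst, sport, dport, payload)
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), csum) + payload


def verify_udp(src: str, dst: str, datagram: bytes) -> bool:
    """Receiver-side check: pseudo-header + datagram (checksum included) must fold to 0xFFFF."""
    return ones_complement_sum(pseudo_header(src, dst, len(datagram)) + datagram) == 0xFFFF


def classify(src: str, dst: str, udp_len: int, field_value: int) -> str:
    """Tell an offload placeholder apart from a genuinely wrong checksum field."""
    if field_value == offload_placeholder(src, dst, udp_len):
        return "tx-offload placeholder (harmless; the NIC completes it after the capture point)"
    return "checksum mismatch (confirm on the receiving side or a mirror port before trusting it)"


if __name__ == "__main__":
    # Values from the capture: 192.168.200.3 -> 217.197.83.193, IP length 136 -> UDP length 116, field 0xb6b8.
    SRC, DST, UDP_LEN, FIELD = "192.168.200.3", "217.197.83.193", 116, 0xB6B8
    print("placeholder for %s -> %s, UDP length %d: 0x%04x" % (SRC, DST, UDP_LEN, offload_placeholder(SRC, DST, UDP_LEN)))
    print(classify(SRC, DST, UDP_LEN, FIELD))
    # Constructed datagram to exercise the full checksum round trip.
    dgram = build_udp_datagram(SRC, DST, 1194, 1194, b"constructed OpenVPN control packet stand-in")
    print("round trip verifies:", verify_udp(SRC, DST, dgram))
```

The pseudo-header sum for 192.168.200.3 to 217.197.83.193, protocol 17, length 116 folds to exactly 0xb6b8, so the "bad cksum" lines are a capture artifact rather than evidence of corruption on the wire. Where ethtool is installed, `ethtool -k <iface>` shows the tx-checksumming state and `ethtool -K <iface> tx off` turns it off temporarily for a capture whose checksums can be trusted.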

jow-:

Please provide the output of opkg list_installed kernel; opkg list_installed kmod-tun; opkg depends kmod-tun.

Also see if removing the "option comp_lzo no" option in OpenVPN helps.

pmelange:

root@OpenWrt:~# opkg list_installed kernel; opkg list_installed kmod-tun; opkg depends kmod-tun
kernel - 4.14.54-1-582c8de664525562eab4782d5d680421
kmod-tun - 4.14.54-1
kmod-tun depends on:
	kernel (= 4.14.54-1-582c8de664525562eab4782d5d680421)

Removing "option comp_lzo no" from the client config didn't make any difference.

Fri Aug 10 12:25:28 2018 daemon.notice openvpn(ffuplink)[1715]: OpenVPN 2.4.5 mipsel-openwrt-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Aug 10 12:25:28 2018 daemon.notice openvpn(ffuplink)[1715]: library versions: mbed TLS 2.12.0, LZO 2.10
Fri Aug 10 12:25:28 2018 daemon.warn openvpn(ffuplink)[1715]: WARNING: failed to personalise random
Fri Aug 10 12:25:28 2018 daemon.warn openvpn(ffuplink)[1715]: ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!
Fri Aug 10 12:25:28 2018 daemon.notice openvpn(ffuplink)[1715]: TCP/UDP: Preserving recently used remote address: [AF_INET]217.197.83.193:1194
Fri Aug 10 12:25:28 2018 daemon.notice openvpn(ffuplink)[1715]: UDPv4 link local (bound): [AF_INET][undef]:1194
Fri Aug 10 12:25:28 2018 daemon.notice openvpn(ffuplink)[1715]: UDPv4 link remote: [AF_INET]217.197.83.193:1194
Fri Aug 10 12:25:31 2018 daemon.warn openvpn(ffuplink)[1715]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1525', remote='link-mtu 1526'
Fri Aug 10 12:25:31 2018 daemon.warn openvpn(ffuplink)[1715]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Fri Aug 10 12:25:31 2018 daemon.notice openvpn(ffuplink)[1715]: [freifunk-gw01.in-berlin.de] Peer Connection Initiated with [AF_INET]217.197.83.193:1194
Fri Aug 10 12:25:32 2018 daemon.notice openvpn(ffuplink)[1715]: TUN/TAP device ffuplink opened
Fri Aug 10 12:25:32 2018 daemon.notice openvpn(ffuplink)[1715]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Aug 10 12:25:32 2018 daemon.notice openvpn(ffuplink)[1715]: /sbin/ifconfig ffuplink 172.31.241.48 netmask 255.255.255.0 mtu 1500 broadcast 172.31.241.255
Fri Aug 10 12:25:32 2018 daemon.notice netifd: Interface 'ffuplink' is enabled
Fri Aug 10 12:25:32 2018 daemon.notice netifd: Network device 'ffuplink' link is up
Fri Aug 10 12:25:32 2018 daemon.notice netifd: Interface 'ffuplink' has link connectivity
Fri Aug 10 12:25:32 2018 daemon.notice netifd: Interface 'ffuplink' is setting up now
Fri Aug 10 12:25:32 2018 daemon.notice netifd: Interface 'ffuplink' is now up
Fri Aug 10 12:25:32 2018 daemon.warn openvpn(ffuplink)[1715]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Aug 10 12:25:32 2018 daemon.notice openvpn(ffuplink)[1715]: Initialization Sequence Completed
Fri Aug 10 12:25:45 2018 daemon.err openvpn(ffuplink)[1715]: write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:25:55 2018 daemon.err openvpn(ffuplink)[1715]: write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:26:05 2018 daemon.err openvpn(ffuplink)[1715]: write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:26:16 2018 daemon.err openvpn(ffuplink)[1715]: write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:26:26 2018 daemon.err openvpn(ffuplink)[1715]: write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:26:36 2018 daemon.err openvpn(ffuplink)[1715]: write to TUN/TAP : Invalid argument (code=22)

pmelange:

The config for the server tested above is https://github.com/freifunk-berlin/puppet-files/blob/tunnel-berlin/files/tunnel-berlin

pmelange:

Unfortunately I didn't state the correct version of openwrt in the title. It was 18.06.0 and not 18.06.1. There doesn't seem to be a way to change the title (or at least not for me).

But now that there is an 18.06.01 version, I have tried it and I have the same results. So I guess that the title can stay as is.

wvdakker:

Had the same problem

After replacing "option compress-lzo yes" to "option compress lzo" it worked.

pmelange:

Thanks for the tip. I tried "option compress lzo" and the openvpn connection works, but we want compression off. I have tried to give an empty value like the manpage says, but it didn't work either.

wvdakker:

Perhaps "option compress no" or "option compress off". Empty is only for the command line as I read it.

pmelange:

I have tried the following, none worked:
disabled
no
none
off
0

and if I do "option compress" I get the same code=22 as above.

There should be a way to have compress set to off for the client configs. This is extra important for the berlin freifunk firmware since we currently disable LZO and LZ4 at compile time to save space. It is possible to push no-compression from the server, but that still requires that the clients have support for LZO built in.

This will be my last post until some time early September. Hopefully there will be some progress in the meantime.

ThomasCr:

is it not possible to remove "option compress" AND "option comp_lzo" completely from config to disable compression?

From the manual (https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage):
--compress [algorithm]
Enable a compression algorithm.
The algorithm parameter may be "lzo", "lz4", or empty. LZO and LZ4 are different compression algorithms, with LZ4 generally offering the best performance with least CPU usage. For backwards compatibility with OpenVPN versions before v2.4, use "lzo" (which is identical to the older option "--comp-lzo yes").

If the algorithm parameter is empty, compression will be turned off, but the packet framing for compression will still be enabled, allowing a different setting to be pushed later.

so, empty will not completely disable compression

But you can try
option compress ''

pmelange:

Thank you ThomasCr for the recommendation. I tried out "option compress ''", but it still leads to the code=22 error.

Perhaps I will take a look at the init script and the uci parser to see if there is a way to change this behavior.

I'll keep this thread informed if I make any progress.

pmelange:

I finally found the time to work on this issue a bit more.

I modified the function append_params in /etc/init.d/openvpn

append_params() {
	local p; local v; local s="$1"; shift
	for p in $*; do
		config_get v "$s" "$p"
		IFS="$LIST_SEP"
		for v in $v; do
			# special case for "compress" option:
			# 0 -> emit nothing at all, 1 -> emit a bare "compress" line (no algorithm)
			[ "$p" == "compress" ] && [ "$v" == 0 ] && continue
			[ "$p" == "compress" ] && [ "$v" == 1 ] && append_param "$s" "$p" && echo " " >> "/var/etc/openvpn-$s.conf" && continue
			# everything else: empty values are skipped, "push" values are quoted
			[ -n "$v" ] && [ "$p" != "push" ] && append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf"
			[ -n "$v" ] && [ "$p" == "push" ] && append_param "$s" "$p" && echo " \"$v\"" >> "/var/etc/openvpn-$s.conf"
		done
		unset IFS
	done
}

Of course 1 and 0 are just test values, but could easily be changed to "noop" and "none" or something else semantically understandable.

When compress is set to 1, the resulting config file /var/etc/openvpn-$s.conf correctly has the compress option with no options set in it. As far as I understand, this should work like comp-lzo=no used to work.

Alas, the connection is established without code=22 errors, but I can't seem to send any packets. If I set compress 'lzo' and restart openvpn, it works. I'm not sure what the issue is now.

If anyone has an idea as to what I can try next, I'm all ears.
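The manual text quoted earlier says a bare "compress" turns compression off but keeps the packet framing, and the post above reports that with it the tunnel comes up silently while the original configuration produced "write to TUN/TAP : Invalid argument (code=22)" against a server running comp-lzo. The Python model below is an added example, not code from the thread, OpenVPN or OpenWrt, and it ties those two observations to the framing bytes: OpenVPN's comp-lzo framing prepends one byte (0x66 for a compressed body, 0xFA for an uncompressed one), a bare --compress in 2.4 uses a swap stub (0xFB at the head, the packet's original first byte moved to the tail), and the Linux tun driver, which OpenVPN opens as IFF_TUN with IFF_NO_PI, infers the protocol from the first nibble and rejects anything other than 4 or 6 with EINVAL. The constants and the swap rule are my reading of OpenVPN 2.4's lzo.h/comp.c and the kernel's tun_get_user(); compressed (0x66) bodies are not modelled and the sample packet is constructed.

```python
"""Added example: OpenVPN 2.4 compression framing meeting the Linux tun driver's
first-nibble check. Constants and the swap rule are taken from my reading of
OpenVPN's lzo.h/comp.c and the kernel's tun_get_user(); this is a model, not
code from OpenVPN, OpenWrt or the thread."""
import errno
import os
from enum import Enum
from typing import Optional

YES_COMPRESS = 0x66            # lzo.h: body is LZO-compressed (not modelled here)
NO_COMPRESS = 0xFA             # lzo.h / comp.c: body sent uncompressed, framing byte kept
NO_COMPRESS_BYTE_SWAP = 0xFB   # comp.c: bare --compress; first payload byte moved to the tail


class Framing(Enum):
    NONE = "no compression option at all"
    LZO = "comp-lzo: one-byte prefix"                      # uncompressed bodies carry 0xFA
    STUB_SWAP = "compress with no algorithm: swap stub"     # 0xFB at head, head byte at tail


def frame(ip_packet: bytes, mode: Framing) -> bytes:
    """Sender side. The LZO case is shown for an uncompressed body (0xFA prefix)."""
    if mode is Framing.NONE:
        return ip_packet
    if mode is Framing.LZO:
        return bytes([NO_COMPRESS]) + ip_packet
    return bytes([NO_COMPRESS_BYTE_SWAP]) + ip_packet[1:] + ip_packet[:1]


def unframe(wire: bytes, mode: Framing) -> Optional[bytes]:
    """Receiver side. Returns the bytes handed to the tun write, or None when OpenVPN drops the packet."""
    if mode is Framing.NONE:
        return wire                        # nothing configured: the framing byte reaches the device
    head = wire[0]
    if mode is Framing.LZO:
        if head == NO_COMPRESS:
            return wire[1:]
        return None                        # 0x66 would need LZO; anything else is a bad header byte
    if head == NO_COMPRESS_BYTE_SWAP:
        return wire[-1:] + wire[1:-1]      # move the tail byte back to the head
    return None                            # bad compression stub (swap) header byte


def tun_write(packet: bytes) -> int:
    """Linux tun_get_user() for IFF_TUN|IFF_NO_PI, as OpenVPN opens the device:
    the protocol is inferred from the first nibble; anything but 4 or 6 is dropped with -EINVAL."""
    if not packet:
        return -errno.EINVAL
    if packet[0] >> 4 in (4, 6):
        return len(packet)
    return -errno.EINVAL


def deliver(ip_packet: bytes, sender: Framing, receiver: Framing) -> str:
    """One packet from sender to receiver, ending at the receiver's tun write."""
    payload = unframe(frame(ip_packet, sender), receiver)
    if payload is None:
        return "dropped by OpenVPN: bad compression header byte"
    rc = tun_write(payload)
    if rc < 0:
        return "write to TUN/TAP : %s (code=%d)" % (os.strerror(-rc), -rc)
    return "ok: %d bytes to tun" % rc


# Constructed sample: minimal IPv4 header (version 4, IHL 5, total length 28, checksum left zero)
# followed by an 8-byte ICMP echo request.
SAMPLE_IPV4 = bytes.fromhex("4500001c00010000400100007f0000017f000001") + bytes.fromhex("0800f7ff00000000")

if __name__ == "__main__":
    for s, r in [(Framing.LZO, Framing.LZO), (Framing.LZO, Framing.NONE),
                 (Framing.NONE, Framing.LZO), (Framing.LZO, Framing.STUB_SWAP),
                 (Framing.STUB_SWAP, Framing.LZO), (Framing.STUB_SWAP, Framing.STUB_SWAP)]:
        print("%-9s -> %-9s: %s" % (s.name, r.name, deliver(SAMPLE_IPV4, s, r)))
```

With no compression option on the client at all, the 0xFA-prefixed packet from a comp-lzo server goes straight to the device, whose first nibble is then 0xF, and the write fails with exactly the "Invalid argument (code=22)" seen in the log; in the other direction the server sees 0x45 where it expects 0x66 or 0xFA and drops the packet inside OpenVPN. A bare "compress" facing a comp-lzo peer drops in both directions inside OpenVPN, so the link stays up with no tun error and no traffic, which is the behaviour reported above. The model only covers uncompressed bodies: a comp-lzo peer can also send 0x66-prefixed compressed packets, which a client built without LZO cannot decode regardless of framing.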
