FS#1762 - 18.06.1 openvpn (mbedtls and openssl) write to TUN/TAP : Invalid argument (code=22) #6637
Comments
jow-: Please provide the output of Also see if removing the "option comp_lzo no" option in OpenVPN helps.
pmelange:
root@OpenWrt:~# opkg list_installed kernel; opkg list_installed kmod-tun; opkg depends kmod-tun
kernel - 4.14.54-1-582c8de664525562eab4782d5d680421
kmod-tun - 4.14.54-1
kmod-tun depends on:
kernel (= 4.14.54-1-582c8de664525562eab4782d5d680421)
Removing "option comp_lzo no" from the client config didn't make any difference.
pmelange: The config for the server tested above is https://github.com/freifunk-berlin/puppet-files/blob/tunnel-berlin/files/tunnel-berlin
pmelange: Unfortunately I didn't state the correct version of openwrt in the title. It was 18.06.0 and not 18.06.1. There doesn't seem to be a way to change the title (or at least for me). But now that there is an 18.06.01 version, I have tried it and I have the same results. So I guess that the title can stay as is.
wvdakker: Had the same problem. After replacing "option compress-lzo yes" with "option compress lzo" it worked.
pmelange: Thanks for the tip. I tried "option compress lzo" and the openvpn connection works, but we want compression off. I have tried to give an empty value like the manpage says, but it didn't work either.
wvdakker: Perhaps "option compress no" or "option compress off". Empty is only for commandline as I read it.
pmelange: I have tried the following, none worked: and if I do: There should be a way to have compress set to off for the client configs. This is extra important for the berlin freifunk firmware since we currently disable LZO and LZ4 at compile time to save space. It is possible to push no-compression from the server, but that still requires that the clients have support for LZO built in. This will be my last post until some time early September. Hopefully there will be some progress in the meantime.
ThomasCr: Is it not possible to remove "option compress" AND "option comp_lzo" completely from config to disable compression? From the manual (https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage):
So, empty will not completely disable compression. But you can try
pmelange: Thank you ThomasCr for the recommendation. I tried out "option compress ''", but it still leads to the code=22 error. Perhaps I will take a look at the init script and the uci parser to see if there is a way to change this behavior. I'll keep this thread informed if I make any progress.
pmelange: I finally found the time to work on this issue a bit more. I modified the function append_params in /etc/init.d/openvpn
append_params() {
    local p; local v; local s="$1"; shift
    for p in $*; do
        config_get v "$s" "$p"
        IFS="$LIST_SEP"
        for v in $v; do
            # special case for "compress" option
            [ "$p" == "compress" ] && [ "$v" == 0 ] && continue
            [ "$p" == "compress" ] && [ "$v" == 1 ] && append_param "$s" "$p" && echo " " >> "/var/etc/openvpn-$s.conf" && continue
When compress is set to 1, the resulting config file /var/etc/openvpn-$s.conf correctly has the compress option with no options set in it. As far as I understand, this should work like comp-lzo=no used to work. Alas, the connection is established without code=22 errors, but I can't seem to send any packets. If I set compress 'lzo' and restart openvpn, it works. I'm not sure what the issue is now. If anyone has an idea as to what I can try next, I'm all ears.
pmelange:
I have tested this with a tl-wr842n-v3 (ar71xx/generic) and MikroTik rb750gr3 (ramips/mt7621). The problem seems to be architecture independent. This setup works fine with 17.05.1.
There is already an issue filed with freifunk-berlin freifunk-berlin/firmware#580
With 18.06.1 I have tested with openvpn-mbedtls and openvpn-openssl. With 17.01.5 I tested with openvpn-mbedtls. Attached are pcapng files for both the wan interface (host filtered) and the ffuplink (vpn) interface. On the ffuplink interface I simply ran a "ping -I ffuplink".
Attached is also an example log from 18.06.1 and the configuration for openvpn on the router.
Also worth noting is that there are crc errors being reported when I run tcpdump directly on the router:
~# tcpdump -nvvi br-wan host 217.197.83.193
tcpdump: listening on br-wan, link-type EN10MB (Ethernet), capture size 262144 bytes
22:50:56.042355 IP (tos 0x0, ttl 64, id 3801, offset 0, flags [DF], proto UDP (17), length 136)
192.168.200.3.1194 > 217.197.83.193.1194: [bad udp cksum 0xb6b8 -> 0x8450!] UDP, length 108
22:50:57.050206 IP (tos 0x0, ttl 64, id 3838, offset 0, flags [DF], proto UDP (17), length 136)
192.168.200.3.1194 > 217.197.83.193.1194: [bad udp cksum 0xb6b8 -> 0xcf66!] UDP, length 108
22:50:57.059920 IP (tos 0x0, ttl 59, id 62922, offset 0, flags [DF], proto UDP (17), length 66)
217.197.83.193.1194 > 192.168.200.3.1194: [udp sum ok] UDP, length 38
22:50:58.058255 IP (tos 0x0, ttl 64, id 3859, offset 0, flags [DF], proto UDP (17), length 136)
192.168.200.3.1194 > 217.197.83.193.1194: [bad udp cksum 0xb6b8 -> 0x0c0a!] UDP, length 108
22:50:59.066179 IP (tos 0x0, ttl 64, id 3941, offset 0, flags [DF], proto UDP (17), length 136)
192.168.200.3.1194 > 217.197.83.193.1194: [bad udp cksum 0xb6b8 -> 0x3675!] UDP, length 108
22:51:00.074120 IP (tos 0x0, ttl 64, id 3973, offset 0, flags [DF], proto UDP (17), length 136)
192.168.200.3.1194 > 217.197.83.193.1194: [bad udp cksum 0xb6b8 -> 0x8ba0!] UDP, length 108
22:51:01.082085 IP (tos 0x0, ttl 64, id 4039, offset 0, flags [DF], proto UDP (17), length 136)
192.168.200.3.1194 > 217.197.83.193.1194: [bad udp cksum 0xb6b8 -> 0x0392!] UDP, length 108
I unfortunately cannot be of much help with debugging this issue before the beginning of Sept (traveling). If anyone wants to test with the same server, you can apply for a freifunk-berlin tunnel cert at http://tunnel.berlin.freifunk.net (hopefully the cert will get approved quickly). To get the extra data files in the /etc/openvpn directory, please temporarily install berlin-freifunk's Hedy-1.0.1 firmware (tunnel-berlin version).
I unfortunately don't have access to the vpn server (217.197.83.193) so I cannot post the server config. A similar config from a peer server is attached.
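Added example (not part of the original report and not OpenWrt or OpenVPN code): the stored value 0xb6b8 in the capture above can be checked against the folded IPv4/UDP pseudo-header sum, which is what Linux leaves in the checksum field when completion is deferred to the driver or NIC, so a capture taken on the sending host reports it as bad. The two sample packets are copied from the tcpdump output above; the function names and verdict labels are this example's own.

```python
import ipaddress
import re

# Two packets copied from the tcpdump output quoted in the issue (one outbound, one inbound).
CAPTURE = """\
22:50:56.042355 IP (tos 0x0, ttl 64, id 3801, offset 0, flags [DF], proto UDP (17), length 136)
    192.168.200.3.1194 > 217.197.83.193.1194: [bad udp cksum 0xb6b8 -> 0x8450!] UDP, length 108
22:50:57.059920 IP (tos 0x0, ttl 59, id 62922, offset 0, flags [DF], proto UDP (17), length 66)
    217.197.83.193.1194 > 192.168.200.3.1194: [udp sum ok] UDP, length 38
"""

PKT = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.\d+: "
    r"\[(?:bad udp cksum 0x(?P<seen>[0-9a-f]{4}) -> 0x[0-9a-f]{4}!|udp sum ok)\] "
    r"UDP, length (?P<plen>\d+)"
)

def pseudo_header_sum(src, dst, payload_len):
    """Folded 16-bit one's-complement sum of the IPv4/UDP pseudo-header."""
    udp_len = payload_len + 8  # tcpdump prints the payload length; the UDP header adds 8 bytes
    words = []
    for addr in (src, dst):
        raw = ipaddress.IPv4Address(addr).packed
        words += [int.from_bytes(raw[0:2], "big"), int.from_bytes(raw[2:4], "big")]
    words += [17, udp_len]     # IP protocol number for UDP, then the UDP length
    total = sum(words)
    while total >> 16:         # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def classify(capture):
    """Return (src, verdict) per UDP packet: 'ok', 'partial' or 'mismatch'."""
    results = []
    for m in PKT.finditer(capture):
        if m["seen"] is None:
            verdict = "ok"        # tcpdump verified the checksum
        elif int(m["seen"], 16) == pseudo_header_sum(m["src"], m["dst"], int(m["plen"])):
            verdict = "partial"   # field holds only the pseudo-header sum (not yet completed)
        else:
            verdict = "mismatch"  # wrong value that is not the offload placeholder
        results.append((m["src"], verdict))
    return results

if __name__ == "__main__":
    for src, verdict in classify(CAPTURE):
        print(src, verdict)
```

A "partial" verdict on outbound packets only says the capture point saw the field before it was completed; a capture on the peer or on the wire is needed to judge what was actually transmitted.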