Yealink Forums
OpenVPN & T28P - "connection refused" - Printable Version




OpenVPN & T28P - "connection refused" - KNERD - 08-07-2014 06:06 AM

This is the contents of openvpn.log concerning the phone:

Quote:
Wed Aug 6 16:54:32 2014 us=313342 192.168.5.133:1024 Re-using SSL/TLS context
Wed Aug 6 16:54:32 2014 us=313771 192.168.5.133:1024 LZO compression initialized
Wed Aug 6 16:54:32 2014 us=318080 192.168.5.133:1024 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Aug 6 16:54:32 2014 us=318498 192.168.5.133:1024 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Aug 6 16:54:32 2014 us=319522 192.168.5.133:1024 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed Aug 6 16:54:32 2014 us=319603 192.168.5.133:1024 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed Aug 6 16:54:32 2014 us=319867 192.168.5.133:1024 Local Options hash (VER=V4): '530fdded'
Wed Aug 6 16:54:32 2014 us=319932 192.168.5.133:1024 Expected Remote Options hash (VER=V4): '41690919'
RWed Aug 6 16:54:32 2014 us=320869 192.168.5.133:1024 TLS: Initial packet from 192.168.5.133:1024, sid=396cae71 e601aba6
WWRRWWWWRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWed Aug 6 16:54:38 2014 us=59111 192.168.5.133:1024 write UDPv4 [ECONNREFUSED]: Connection refused (code=111)
WWWed Aug 6 16:54:38 2014 us=64097 read UDPv4 [ECONNREFUSED|ECONNREFUSED]: Connection refused (code=111)
RWed Aug 6 16:54:38 2014 us=448286 192.168.5.133:1024 TLS: new session incoming connection from 192.168.5.133:1024
WRRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWed Aug 6 16:54:40 2014 us=835859 192.168.5.133:1024 TLS: new session incoming connection from 192.168.5.133:1024
WWWWWWWWWWWWWWWWRWWWWWWWWWWWWWWWWWRWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWRWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWRWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW


Here is my vpn.cnf:

Quote:
client
nobind
dev tun
remote 192.168.5.106
proto udp
port 1194
comp-lzo


ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client.crt
key /yealink/config/openvpn/keys/client.key
verb 5


Server.conf on CentOS:

Quote:
local 192.168.5.106
port 1194
proto udp
dev tun
mode server
ca ca.crt
cert server.crt
key server.key ;This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "explicit-exit-notify 3"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
duplicate-cn
keepalive 20 60
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
comp-lzo
verb 5

The OpenVPN peeps are saying "Some packets are exchanged during TLS negotiation and then the far side rejects it and connects again 6 seconds later."

They say logs would help if the blasted phone had some sort of logging!


Okay so what is going on?
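
Added example (not part of the original post, and not Yealink or OpenVPN project code): a Python parser that splits the verb 5 R/W packet-trace characters off the server log timestamps quoted above and measures how long after the first TLS packet the refusals and the reconnect arrive. The sample lines are abridged from that log; the function and field names are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: four lines abridged from the server log quoted above. At
# verb 5 OpenVPN emits R/W per packet read/written; they fuse with the next timestamp.
SAMPLE_LOG = """\
RWed Aug 6 16:54:32 2014 us=320869 192.168.5.133:1024 TLS: Initial packet from 192.168.5.133:1024, sid=396cae71 e601aba6
WWRRWWWWRRWRWWWWed Aug 6 16:54:38 2014 us=59111 192.168.5.133:1024 write UDPv4 [ECONNREFUSED]: Connection refused (code=111)
WWWed Aug 6 16:54:38 2014 us=64097 read UDPv4 [ECONNREFUSED|ECONNREFUSED]: Connection refused (code=111)
RWed Aug 6 16:54:38 2014 us=448286 192.168.5.133:1024 TLS: new session incoming connection from 192.168.5.133:1024
"""

LINE_RE = re.compile(
    r"^(?P<trace>[RW]*?)"  # lazy, so the W of "Wed" stays with the weekday
    r"(?P<ts>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) \w{3} +\d+ [\d:]{8} \d{4})"
    r" us=(?P<us>\d+) (?:(?P<peer>\d+\.\d+\.\d+\.\d+:\d+) )?(?P<msg>.*)$"
)

# On a UDP socket ECONNREFUSED means an ICMP port-unreachable came back for an
# earlier datagram, i.e. the peer no longer has that port open.
KINDS = [
    ("TLS: Initial packet from", "handshake_start"),
    ("ECONNREFUSED", "port_unreachable"),
    ("TLS: new session incoming connection", "client_restart"),
]

def parse(log):
    """Return one event dict per recognised line, trace characters split off."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        when = when.replace(microsecond=int(m["us"]))  # us= is microseconds
        kind = next((k for needle, k in KINDS if needle in m["msg"]), "other")
        events.append({"time": when, "peer": m["peer"], "kind": kind,
                       "reads": m["trace"].count("R"),
                       "writes": m["trace"].count("W")})
    return events

def handshake_timeline(events):
    """Seconds from the first handshake packet to each later event."""
    start = next(e["time"] for e in events if e["kind"] == "handshake_start")
    return [(e["kind"], round((e["time"] - start).total_seconds(), 3))
            for e in events if e["kind"] != "handshake_start"]

if __name__ == "__main__":
    for kind, offset in handshake_timeline(parse(SAMPLE_LOG)):
        print(f"+{offset:.3f}s {kind}")
```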


RE: OpenVPN & T28P - TLS Error - KNERD - 08-07-2014 09:07 AM

I finally found the phone log and this is what I am finding. I have used md5 & sha1 hash on the keys (default_md in easy rsa)

Quote:
Aug 7 00:51:48 openvpn[421]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Aug 7 00:51:48 openvpn[421]: TLS Error: TLS handshake failed
Aug 7 00:51:48 openvpn[421]: TCP/UDP: Closing socket
Aug 7 00:51:48 openvpn[421]: SIGUSR1[soft,tls-error] received, process restarting
Aug 7 00:51:48 openvpn[421]: Restart pause, 2 second(s)
Aug 7 00:51:50 openvpn[421]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 7 00:51:50 openvpn[421]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Aug 7 00:51:50 openvpn[421]: WARNING: file '/yealink/config/openvpn/keys/client.key' is group or others accessible
Aug 7 00:51:50 openvpn[421]: LZO compression initialized
Aug 7 00:51:50 openvpn[421]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Aug 7 00:51:50 openvpn[421]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Aug 7 00:51:50 openvpn[421]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Aug 7 00:51:50 openvpn[421]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Aug 7 00:51:50 openvpn[421]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Aug 7 00:51:50 openvpn[421]: Local Options hash (VER=V4): '41690919'
Aug 7 00:51:50 openvpn[421]: Expected Remote Options hash (VER=V4): '530fdded'
Aug 7 00:51:50 openvpn[421]: UDPv4 link local: [undef]
Aug 7 00:51:50 openvpn[421]: UDPv4 link remote: 192.168.5.106:1194
Aug 7 00:51:50 openvpn[421]: TLS: Initial packet from 192.168.5.106:1194, sid=917082a6 73b5394b
Aug 7 00:51:51 openvpn[421]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=US/ST=CA/L=SanMateo/O=IPPBXSupport/OU=asterisk_server/CN=IPPBXSupport_CA/name=EasyRSA/emailAddress=support@ipppbxsupport.com
Aug 7 00:51:51 openvpn[421]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Aug 7 00:51:51 openvpn[421]: TLS Error: TLS object -> incoming plaintext read error
Aug 7 00:51:51 openvpn[421]: TLS Error: TLS handshake failed
Aug 7 00:51:51 openvpn[421]: TCP/UDP: Closing socket
Aug 7 00:51:51 openvpn[421]: SIGUSR1[soft,tls-error] received, process restarting
Aug 7 00:51:51 openvpn[421]: Restart pause, 2 second(s)
Aug 7 00:51:53 openvpn[421]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 7 00:51:53 openvpn[421]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Aug 7 00:51:53 openvpn[421]: WARNING: file '/yealink/config/openvpn/keys/client.key' is group or others accessible
Aug 7 00:51:53 openvpn[421]: LZO compression initialized
Aug 7 00:51:53 openvpn[421]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Aug 7 00:51:53 openvpn[421]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Aug 7 00:51:53 openvpn[421]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Aug 7 00:51:53 openvpn[421]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Aug 7 00:51:53 openvpn[421]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Aug 7 00:51:53 openvpn[421]: Local Options hash (VER=V4): '41690919'
Aug 7 00:51:53 openvpn[421]: Expected Remote Options hash (VER=V4): '530fdded'
Aug 7 00:51:53 openvpn[421]: UDPv4 link local: [undef]
Aug 7 00:51:53 openvpn[421]: UDPv4 link remote: 192.168.5.106:1194
Aug 7 00:51:53 openvpn[421]: TLS: Initial packet from 192.168.5.106:1194, sid=47e7f385 66563d38
Aug 7 00:51:53 openvpn[421]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=US/ST=CA/L=SanMateo/O=IPPBXSupport/OU=asterisk_server/.......
Aug 7 00:51:53 openvpn[421]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Aug 7 00:51:53 openvpn[421]: TLS Error: TLS object -> incoming plaintext read error
Aug 7 00:51:53 openvpn[421]: TLS Error: TLS handshake failed
Aug 7 00:51:53 openvpn[421]: TCP/UDP: Closing socket
Aug 7 00:51:53 openvpn[421]: SIGUSR1[soft,tls-error] received, process restarting
Aug 7 00:51:53 openvpn[421]: Restart pause, 2 second(s)
Aug 7 00:51:55 openvpn[421]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 7 00:51:55 openvpn[421]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Aug 7 00:51:55 openvpn[421]: WARNING: file '/yealink/config/openvpn/keys/client.key' is group or others accessible
Aug 7 00:51:55 openvpn[421]: LZO compression initialized
Aug 7 00:51:55 openvpn[421]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Aug 7 00:51:55 openvpn[421]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Aug 7 00:51:55 openvpn[421]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Aug 7 00:51:55 openvpn[421]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Aug 7 00:51:55 openvpn[421]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Aug 7 00:51:55 openvpn[421]: Local Options hash (VER=V4): '41690919'
Aug 7 00:51:55 openvpn[421]: Expected Remote Options hash (VER=V4): '530fdded'
Aug 7 00:51:55 openvpn[421]: UDPv4 link local: [undef]
Aug 7 00:51:55 openvpn[421]: UDPv4 link remote: 192.168.5.106:1194