[MOD] Tomato by kille72
kille72

Quote

skupi wrote:

kille72, is it possible to add an option so that when LTE is set as failover, i.e. Load Balance Weight = 0, the MultiWAN Routing rules still work? Currently, even though the rule is activated, they don't work until I set the load balance weight to at least 1, but then the wan2 port is used by all the computers. The point is that I don't want wan2 to be used in general, but I do want a given computer to be able to use it according to the rule I created and activated, even though it is set as failover.


That's a question for @Shibby.
 
qrs

Quote

kille72 wrote:
I think you generated keys that are too "weak" or set too weak an encryption ("Encryption cipher"). Paste your settings.


I think I found the answer.

https://community.openvpn.net/openvpn...ki/SWEET32

I'll generate the keys and certificates once more and it'll be fine ;)

PS

Quote

# openvpn --show-ciphers
The following ciphers and cipher modes are available for use
with OpenVPN. Each cipher shown below may be use as a
parameter to the --cipher option. The default key size is
shown as well as whether or not it can be changed with the
--keysize directive. Using a CBC or GCM mode is recommended.
In static key mode only CBC mode is allowed.

AES-128-CBC (128 bit key, 128 bit block)
AES-128-CFB (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB1 (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB8 (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-GCM (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-OFB (128 bit key, 128 bit block, TLS client/server mode only)
AES-192-CBC (192 bit key, 128 bit block)
AES-192-CFB (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB1 (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB8 (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-GCM (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-OFB (192 bit key, 128 bit block, TLS client/server mode only)
AES-256-CBC (256 bit key, 128 bit block)
AES-256-CFB (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB1 (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB8 (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-OFB (256 bit key, 128 bit block, TLS client/server mode only)

The following ciphers have a block size of less than 128 bits,
and are therefore deprecated. Do not use unless you have to.

BF-CBC (128 bit key by default, 64 bit block)
BF-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
BF-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-CBC (128 bit key by default, 64 bit block)
CAST5-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)
DES-CBC (64 bit key, 64 bit block)
DES-CFB (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB1 (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB8 (64 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-CBC (128 bit key, 64 bit block)
DES-EDE-CFB (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-OFB (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CBC (192 bit key, 64 bit block)
DES-EDE3-CFB (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB1 (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB8 (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-OFB (192 bit key, 64 bit block, TLS client/server mode only)
DES-OFB (64 bit key, 64 bit block, TLS client/server mode only)
DESX-CBC (192 bit key, 64 bit block)
IDEA-CBC (128 bit key, 64 bit block)
IDEA-CFB (128 bit key, 64 bit block, TLS client/server mode only)
IDEA-OFB (128 bit key, 64 bit block, TLS client/server mode only)
RC2-40-CBC (40 bit key by default, 64 bit block)
RC2-64-CBC (64 bit key by default, 64 bit block)
RC2-CBC (128 bit key by default, 64 bit block)
RC2-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
RC2-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)
RC5-CBC (128 bit key by default, 64 bit block)
RC5-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
RC5-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)

Edited by qrs on 12-02-2017 18:18
---
Netgear R7000, Netgear WNR3500L v2, MikroTik hAP ac^2, TP-LINK M7650
 
kille72
In my build I changed 2 default OpenVPN settings http://pastebin.com/U4nXGi1Z:
- OpenVPN: default port for server 2 changed to 1195, so both servers on default settings can be started at the same time
- OpenVPN: Change the "default" server Encryption cipher from BF-CBC to more secure AES-128-CBC

BF-CBC (128 bit key by default, 64 bit block) was the standard. https://bitbucket.org/kille72/tomato-...bb3203e28d

And I myself use AES-256-CBC.
 
qrs
Is it better to generate the keys on the router or on a laptop (macOS) using easyrsa?

Quote

./easyrsa build-ca
...

 
kille72
I've never generated them on the router; most recently I did it on Windows.

According to this:
https://community.openvpn.net/openvpn...dows_Guide

I changed dh1024 to dh2048

In Custom Config I have this:

ca /opt/etc/openvpn/vpnkey/ca.crt
cert /opt/etc/openvpn/vpnkey/server.crt
key /opt/etc/openvpn/vpnkey/server.key
dh /opt/etc/openvpn/vpnkey/dh2048.pem
auth SHA256

Encryption cipher AES-256-CBC; strong encryption hurts throughput, AES-128-CBC is enough.
 
qrs

Quote

auth SHA256


Is that necessary? Shouldn't it follow from the way the keys were generated?
 
kille72
Add an auth line to select the HMAC message digest algorithm. For this, SHA256 is a good choice:
auth SHA256

If you don't add it, there will probably be some warning that you could have better encryption.
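The check behind this answer, scripted, as an added example that is not code from the thread or from Tomato: a small Python linter that parses an OpenVPN server config and flags a data-channel cipher from one of the 64-bit-block families the `--show-ciphers` output above marks deprecated, and a missing or weak `auth` digest. The default values it assumes when a directive is absent (BF-CBC and SHA1, the OpenVPN 2.3/2.4 defaults), the two sample configs and the wording of the findings are the example's own; the file paths only mirror the custom config quoted above.

```python
"""Lint an OpenVPN server config for the two settings debated above:
the data-channel 'cipher' and the HMAC digest chosen with 'auth'.
Added example, not code from the thread or from Tomato."""

# Cipher families that `openvpn --show-ciphers` lists in its deprecated
# section because their block is only 64 bits (the SWEET32 class).
SMALL_BLOCK_FAMILIES = {"BF", "CAST5", "DES", "DESX", "IDEA", "RC2", "RC5"}

# HMAC digests OpenVPN still accepts but that should not be chosen on purpose.
WEAK_DIGESTS = {"MD4", "MD5", "SHA", "SHA1", "NONE"}

# What OpenVPN 2.3/2.4 uses when the directive is absent from the config.
DEFAULT_CIPHER = "BF-CBC"
DEFAULT_AUTH = "SHA1"


def parse_config(text):
    """Map each directive to its argument list (last occurrence wins).
    Lines starting with '#' or ';' are comments, as in OpenVPN itself."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts[name] = args
    return opts


def cipher_block_bits(name):
    """Block size implied by the cipher family; None if the family is unknown."""
    family = name.upper().split("-")[0]
    if family == "AES":
        return 128
    if family in SMALL_BLOCK_FAMILIES:
        return 64
    return None


def lint_openvpn_config(text):
    """Return a list of findings; an empty list means cipher and auth look fine."""
    opts = parse_config(text)
    findings = []

    cipher_args = opts.get("cipher")
    cipher = cipher_args[0] if cipher_args else DEFAULT_CIPHER
    origin = "configured" if cipher_args else "implicit default"
    if cipher.upper() == "NONE":
        findings.append("cipher none: data channel is unencrypted")
    else:
        block = cipher_block_bits(cipher)
        if block is None:
            findings.append(f"cipher {cipher} ({origin}): unknown family, check openvpn --show-ciphers")
        elif block < 128:
            findings.append(f"cipher {cipher} ({origin}): {block}-bit block, SWEET32 exposure; use an AES cipher")

    auth_args = opts.get("auth")
    if not auth_args:
        findings.append(f"auth missing: defaults to {DEFAULT_AUTH}; add 'auth SHA256'")
    elif auth_args[0].upper() in WEAK_DIGESTS:
        findings.append(f"auth {auth_args[0]}: weak HMAC digest; use SHA256 or stronger")

    return findings


# Constructed sample: a custom config that leaves cipher and auth at their defaults ...
WEAK_CONFIG = """\
# cipher and auth not set, so OpenVPN falls back to BF-CBC and SHA1
ca /opt/etc/openvpn/vpnkey/ca.crt
cert /opt/etc/openvpn/vpnkey/server.crt
key /opt/etc/openvpn/vpnkey/server.key
dh /opt/etc/openvpn/vpnkey/dh1024.pem
"""

# ... and the same config with the settings from the thread applied.
HARDENED_CONFIG = """\
ca /opt/etc/openvpn/vpnkey/ca.crt
cert /opt/etc/openvpn/vpnkey/server.crt
key /opt/etc/openvpn/vpnkey/server.key
dh /opt/etc/openvpn/vpnkey/dh2048.pem
cipher AES-256-CBC
auth SHA256
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in lint_openvpn_config(cfg) or ["no findings"]:
            print("  -", finding)
```

The family check is deliberately coarse: it classifies by the prefix before the first hyphen, which is enough for everything `--show-ciphers` lists, and reports anything else as unknown rather than guessing.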
 
qrs

Quote

kille72 wrote:

If you don't add it, there will probably be some warning that you could have better encryption.


Right, with the current settings, after adding auth SHA256 I get

Feb 12 19:55:14 R7000 openvpn: 37.47.x.24 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1554', remote='link-mtu 1542'
Feb 12 19:55:14 R7000 openvpn: 37.47.x.24 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'


Merged with 13 February 2017 08:00:20:
OK

How do I force key generation to be based on AES-256-GCM with SHA256?

The OpenVPN 2.4.0 package (https://swupdate.openvpn.org/communit...-2.4.0.zip) doesn't contain EasyRSA - I have some earlier version, EasyRSA 3.0.1, which probably isn't the latest, so I have to force AES-256-GCM in it - unless it's just that I can't locate a newer package.
Edited by qrs on 13-02-2017 08:00
 
kille72
Do it the way I wrote:
https://openlinksys.info/forum/viewth...ost_161145

This is what my log looks like when someone connects; I don't know if it can be any better? I followed that guide, changed dh1024 to dh2048.


Feb 13 17:47:29 Asus daemon.notice openvpn[27835]: 83.185.x.227 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Feb 13 17:47:30 Asus daemon.notice openvpn[27835]: lg/83.185.x.227 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 13 17:47:30 Asus daemon.notice openvpn[27835]: lg/83.185.x.227 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
 
qrs
ehhh... I reluctantly went back to Windows, downloaded what's needed from https://openvpn.net/index.php/open-so...loads.html as per https://community.openvpn.net/openvpn...ingOpenVPN, I open the path

Quote

C:\Program Files\OpenVPN\easy-rsa

and it turns out there's no easy-rsa :(

What now?
 
kille72
During installation, if I remember correctly, you have to choose advanced and add easy-rsa.
 
qrs
done in no time :)

after work I'll check at home how it works and how it looks in the logs

kille72, thanks for the tip

Merged with 14 February 2017 19:13:45:
the generated key pairs work on the R7000 but not on the iPhone :(
qrs attached the following file:

Edited by qrs on 14-02-2017 19:13
 
kille72
Poles prefer ST-GUI :) Linksys isn't popular.

s4.postimg.org/s0o5b7gy5/anon.png

Merged with 15 February 2017 18:09:36:

Quote

qrs wrote:

the generated key pairs work on the R7000 but not on the iPhone :(


So how's it going for you?
Edited by kille72 on 15-02-2017 18:09
 
jurekk
And what conclusions from this ;) While looking for the causes of the weak wifi on the r6400 I came across info that Linksys now, following Asus's example, lock their firmware; I even posted info about it here twice: Linksys ARM models have the CFE split in half, and when a third-party firmware exceeds 32kb of nvram it falls back to the Linksys software, which is why people's Linksys ARM routers go haywire on alternative firmware. Xvortex cracked the problem by replacing the CFE, as I saw, in a similar way to how Staszek here souped up his Asus.
ea6500v2 @Ac66u_B1 @1000 Aimesh
ea6700v cfe (custom) @AC66u_B1 node
node Aimesh,
 
qrs

Quote

kille72 wrote:
So how's it going for you?


since you ask ;)

I've done my homework, but one thing at a time:
- with keys generated on Windows I get errors - I'm giving up on that
- keys generated on macOS work correctly - I'm stuck with macOS :)

I generated a set of keys and certificates using EasyRSA 3.0.1 as follows:

Quote

./easyrsa clean-all
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-crl
./easyrsa build-server-full server1 nopass
./easyrsa build-client-full client1 nopass
./easyrsa build-client-full client2 nopass
./easyrsa build-client-full client3 nopass
openssl dhparam 2048 -out dh2048.pem


contents of VARS

Quote

set_var EASYRSA_REQ_COUNTRY "PL"
set_var EASYRSA_REQ_CITY "PL"
set_var EASYRSA_REQ_PROVINCE "PL"
set_var EASYRSA_REQ_ORG "qrs"
set_var EASYRSA_REQ_OU "qrs"
set_var EASYRSA_REQ_EMAIL "qrs@qrs.pl"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_DIGEST "sha256"


Everything works and looks more or less OK, but the conclusions come at the end.

logs on the R7000:

Quote

Feb 15 21:10:57 R7000 kernel: tun: Universal TUN/TAP device driver, 1.6
Feb 15 21:10:57 R7000 kernel: tun: (C) 1999-2004 Max Krasnyansky
Feb 15 21:10:57 R7000 kernel: ADDRCONF(NETDEV_UP): tun21: link is not ready
Feb 15 21:10:57 R7000 kernel: device tun21 entered promiscuous mode
Feb 15 21:10:57 R7000 openvpn: WARNING: file '/opt/OpenVPN/server1.key' is group or others accessible
Feb 15 21:10:57 R7000 openvpn: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Feb 15 21:10:57 R7000 kernel: ADDRCONF(NETDEV_CHANGE): tun21: link becomes ready
Feb 15 21:10:57 R7000 openvpn: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Feb 15 21:18:50 R7000 openvpn: 37.47.36.51 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1554', remote='link-mtu 1542'
Feb 15 21:18:50 R7000 openvpn: 37.47.36.51 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Feb 15 21:19:00 R7000 openvpn: 37.47.36.51 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1554', remote='link-mtu 1542'
Feb 15 21:19:00 R7000 openvpn: 37.47.36.51 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Feb 15 21:19:25 R7000 kernel: tun: Universal TUN/TAP device driver, 1.6
Feb 15 21:19:25 R7000 kernel: tun: (C) 1999-2004 Max Krasnyansky
Feb 15 21:19:25 R7000 kernel: ADDRCONF(NETDEV_UP): tun21: link is not ready
Feb 15 21:19:25 R7000 kernel: device tun21 entered promiscuous mode
Feb 15 21:19:25 R7000 openvpn: WARNING: file '/opt/OpenVPN/server1.key' is group or others accessible
Feb 15 21:19:25 R7000 openvpn: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Feb 15 21:19:25 R7000 kernel: ADDRCONF(NETDEV_CHANGE): tun21: link becomes ready
Feb 15 21:19:25 R7000 openvpn: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Feb 15 21:25:15 R7000 openvpn: 37.47.36.51 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Feb 15 21:25:15 R7000 openvpn: 37.47.36.51 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Feb 15 21:25:15 R7000 openvpn: 37.47.36.51 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.


logs on macOS - Tunnelblick 3.7.0 (build 4790) - OpenVPN 2.4.0 - LibreSSL 2.5.0:

Quote

*Tunnelblick: OS X 10.12.3; Tunnelblick 3.7.0 (build 4790); prior version 3.6.10 (build 4760)
2017-02-16 19:51:25 *Tunnelblick: Attempting connection with client1 using shadow copy; Set nameserver = 769; monitoring connection
2017-02-16 19:51:25 *Tunnelblick: openvpnstart start client1.tblk 1337 769 0 1 0 1065264 -ptADGNWradsgnw 2.4.0-libressl-2.5.0
2017-02-16 19:51:25 *Tunnelblick: openvpnstart log:
OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.0-libressl-2.5.0/openvpn
--daemon
--log
/Library/Application Support/Tunnelblick/Logs/-SUsers-Slocalhost-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sclient1.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1065264.1337.openvpn.log
--cd
/Library/Application Support/Tunnelblick/Users/localhost/client1.tblk/Contents/Resources
--verb
3
--config
/Library/Application Support/Tunnelblick/Users/localhost/client1.tblk/Contents/Resources/config.ovpn
--verb
3
--cd
/Library/Application Support/Tunnelblick/Users/localhost/client1.tblk/Contents/Resources
--management
127.0.0.1
1337
--management-query-passwords
--management-hold
--script-security
2
--up
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
--down
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2017-02-16 19:51:25 OpenVPN 2.4.0 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jan 28 2017
2017-02-16 19:51:25 library versions: LibreSSL 2.5.0, LZO 2.09
2017-02-16 19:51:25 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2017-02-16 19:51:25 Need hold release from management interface, waiting...
2017-02-16 19:51:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2017-02-16 19:51:25 *Tunnelblick: openvpnstart starting OpenVPN
2017-02-16 19:51:25 *Tunnelblick: Established communication with OpenVPN
2017-02-16 19:51:25 MANAGEMENT: CMD 'pid'
2017-02-16 19:51:25 MANAGEMENT: CMD 'state on'
2017-02-16 19:51:25 MANAGEMENT: CMD 'state'
2017-02-16 19:51:25 MANAGEMENT: CMD 'bytecount 1'
2017-02-16 19:51:25 MANAGEMENT: CMD 'hold release'
2017-02-16 19:51:25 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2017-02-16 19:51:25 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-02-16 19:51:25 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.10:1194
2017-02-16 19:51:25 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-02-16 19:51:25 UDP link local: (not bound)
2017-02-16 19:51:25 UDP link remote: [AF_INET]192.168.0.10:1194
2017-02-16 19:51:25 MANAGEMENT: >STATE:1487271085,WAIT,,,,,,
2017-02-16 19:51:26 MANAGEMENT: >STATE:1487271086,AUTH,,,,,,
2017-02-16 19:51:26 TLS: Initial packet from [AF_INET]192.168.0.10:1194, sid=e6506887 b1b75842
2017-02-16 19:51:26 VERIFY OK: depth=1, CN=localhost
2017-02-16 19:51:26 VERIFY OK: depth=0, CN=server1
2017-02-16 19:51:26 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2017-02-16 19:51:26 [server1] Peer Connection Initiated with [AF_INET]192.168.0.10:1194
2017-02-16 19:51:27 MANAGEMENT: >STATE:1487271087,GET_CONFIG,,,,,,
2017-02-16 19:51:27 SENT CONTROL [server1]: 'PUSH_REQUEST' (status=1)
2017-02-16 19:51:27 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.10,redirect-gateway def1,route 10.8.0.1,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
2017-02-16 19:51:27 OPTIONS IMPORT: timers and/or timeouts modified
2017-02-16 19:51:27 OPTIONS IMPORT: --ifconfig/up options modified
2017-02-16 19:51:27 OPTIONS IMPORT: route options modified
2017-02-16 19:51:27 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2017-02-16 19:51:27 OPTIONS IMPORT: peer-id set
2017-02-16 19:51:27 OPTIONS IMPORT: adjusting link_mtu to 1625
2017-02-16 19:51:27 OPTIONS IMPORT: data channel crypto options modified
2017-02-16 19:51:27 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-02-16 19:51:27 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-02-16 19:51:27 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2017-02-16 19:51:27 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2017-02-16 19:51:27 Opened utun device utun2
2017-02-16 19:51:27 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-02-16 19:51:27 MANAGEMENT: >STATE:1487271087,ASSIGN_IP,,10.8.0.6,,,,
2017-02-16 19:51:27 /sbin/ifconfig utun2 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2017-02-16 19:51:27 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-02-16 19:51:27 /sbin/ifconfig utun2 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
2017-02-16 19:51:27 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun2 1500 1553 10.8.0.6 10.8.0.5 init
**********************************************
Start of output from client.up.tunnelblick.sh
Disabled IPv6 for 'Wi-Fi'
Retrieved from OpenVPN: name server(s) [ 192.168.0.10 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
Not aggregating ServerAddresses because running on OS X 10.6 or higher
Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected
Saved the DNS and SMB configurations so they can be restored
Changed DNS ServerAddresses setting from '172.20.10.1' to '192.168.0.10'
Changed DNS SearchDomains setting from '' to 'openvpn'
Changed DNS DomainName setting from '' to 'openvpn'
Did not change SMB NetBIOSName setting of ''
Did not change SMB Workgroup setting of ''
Did not change SMB WINSAddresses setting of ''
DNS servers '192.168.0.10' will be used for DNS queries when the VPN is active
NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
Setting up to monitor system configuration with process-network-changes
End of output from client.up.tunnelblick.sh
**********************************************
2017-02-16 19:51:31 *Tunnelblick: No 'connected.sh' script to execute
2017-02-16 19:51:31 /sbin/route add -net 192.168.0.10 172.20.10.1 255.255.255.255
add net 192.168.0.10: gateway 172.20.10.1
2017-02-16 19:51:31 /sbin/route add -net 0.0.0.0 10.8.0.5 128.0.0.0
add net 0.0.0.0: gateway 10.8.0.5
2017-02-16 19:51:31 /sbin/route add -net 128.0.0.0 10.8.0.5 128.0.0.0
add net 128.0.0.0: gateway 10.8.0.5
2017-02-16 19:51:31 MANAGEMENT: >STATE:1487271091,ADD_ROUTES,,,,,,
2017-02-16 19:51:31 /sbin/route add -net 192.168.0.0 10.8.0.5 255.255.255.0
add net 192.168.0.0: gateway 10.8.0.5
2017-02-16 19:51:31 /sbin/route add -net 10.8.0.1 10.8.0.5 255.255.255.255
add net 10.8.0.1: gateway 10.8.0.5
2017-02-16 19:51:31 Initialization Sequence Completed
2017-02-16 19:51:31 MANAGEMENT: >STATE:1487271091,CONNECTED,SUCCESS,10.8.0.6,192.168.0.10,1194,,


logs on the iPhone:

Quote

2017-02-16 11:42:23 ----- OpenVPN Start -----
OpenVPN core 3.1.2 ios arm64 64-bit built on Dec 5 2016 12:50:25
2017-02-16 11:42:23 Frame=512/2048/512 mssfix-ctrl=1250
2017-02-16 11:42:23 UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
12 [verb] [3]

2017-02-16 11:42:23 EVENT: RESOLVE
2017-02-16 11:42:23 Contacting 192.168.0.10:1194 via UDP
2017-02-16 11:42:23 EVENT: WAIT
2017-02-16 11:42:23 SetTunnelSocket returned 1
2017-02-16 11:42:23 Connecting to [192.168.0.10]:1194 (192.168.0.10) via UDPv4
2017-02-16 11:42:23 EVENT: CONNECTING
2017-02-16 11:42:23 Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2017-02-16 11:42:23 Creds: UsernameEmpty/PasswordEmpty
2017-02-16 11:42:23 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.1.1-212
IV_VER=3.1.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_AUTO_SESS=1
IV_BS64DL=1

2017-02-16 11:42:24 NET Internet:ReachableViaWiFi/-R t------
2017-02-16 11:42:24 VERIFY OK: depth=1
cert. version : 3
serial number : DC:A2:A5:B5:0F:1A:AB:34
issuer name : CN=localhost
subject name : CN=localhost
issued on : 2017-02-15 20:03:28
expires on : 2027-02-13 20:03:28
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign

2017-02-16 11:42:24 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : CN=localhost
subject name : CN=server1
issued on : 2017-02-15 20:03:47
expires on : 2027-02-13 20:03:47
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication

2017-02-16 11:42:24 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2017-02-16 11:42:24 Session is ACTIVE
2017-02-16 11:42:24 EVENT: GET_CONFIG
2017-02-16 11:42:24 Sending PUSH_REQUEST to server...
2017-02-16 11:42:24 OPTIONS:
0 [route] [192.168.0.0] [255.255.255.0]
1 [dhcp-option] [DNS] [192.168.0.10]
2 [redirect-gateway] [def1]
3 [route] [10.8.0.1]
4 [topology] [net30]
5 [ping] [15]
6 [ping-restart] [60]
7 [ifconfig] [10.8.0.10] [10.8.0.9]
8 [peer-id] [0]
9 [cipher] [AES-256-GCM]

2017-02-16 11:42:24 PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA1
compress: LZO
peer ID: 0
2017-02-16 11:42:24 EVENT: ASSIGN_IP
2017-02-16 11:42:24 Connected via tun
2017-02-16 11:42:24 LZO-ASYM init swap=0 asym=0
2017-02-16 11:42:24 EVENT: CONNECTED @192.168.0.10:1194 (192.168.0.10) via /UDPv4 on tun/10.8.0.10/ gw=[10.8.0.9/]
2017-02-16 11:42:24 SetStatus Connected


conclusions:
- I generated AES-256-GCM, but Tomato doesn't support AES-256-GCM, as shown by the absence of that type from the list
i.imgur.com/4PPzUDL.jpg
- on macOS it seems you can't generate anything stronger than SHA1 for now - I'll give the source when I find it, but I remember reading about it
- we have to wait for further updates
- or I don't know what I'm doing and it could have been done better
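A triage script for log lines of the kinds posted above, added here as an example and not code from the thread: it pulls the per-peer `is used inconsistently` and SWEET32 warnings out of the server syslog, the data-channel cipher actually initialised, and the client's own view (the cipher in the iOS `Tunnel Options` line, i.e. what the profile says, against the one in `PROTOCOL OPTIONS`, i.e. what was negotiated). The sample lines are constructed after the posted formats; the second peer address 198.51.100.7 is made up, and the regexes, function names and note wording are the example's own.

```python
"""Triage of OpenVPN log lines of the kinds posted above: per-peer
'is used inconsistently' and SWEET32 warnings from the server syslog, the
data-channel cipher actually initialised, and the client's own view (the
cipher in 'Tunnel Options' versus the one in 'PROTOCOL OPTIONS').
Added example, not code from the thread; sample lines are constructed
after the posted formats."""
import re
from collections import defaultdict

IP = r"(?:[\dx]+\.){3}[\dx]+"          # dotted peer address, 'x' allowed for masked octets
PEER = rf"(?:[\w-]+/)?(?P<peer>{IP})"   # optional "CN/" prefix before the address

RE_INCONSISTENT = re.compile(
    rf"openvpn(?:\[\d+\])?: {PEER} WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
RE_SWEET32 = re.compile(rf"openvpn(?:\[\d+\])?: {PEER} WARNING: INSECURE cipher")
RE_NEGOTIATED = re.compile(rf"(?:{PEER} )?Data Channel Encrypt: Cipher '(?P<cipher>[\w-]+)'")
RE_TUNNEL = re.compile(r"Tunnel Options:(?P<opts>.+)$")
RE_PROTO_KV = re.compile(r"^(?P<key>cipher|digest|compress): (?P<val>\S+)$")


def triage_logs(lines):
    """Collect evidence per server-side peer plus the client's own view."""
    peers = defaultdict(lambda: {"mismatches": [], "sweet32": False, "negotiated": None})
    client = {"configured": {}, "negotiated": {}}
    for line in lines:
        if m := RE_INCONSISTENT.search(line):
            peers[m["peer"]]["mismatches"].append((m["opt"], m["local"], m["remote"]))
        elif m := RE_SWEET32.search(line):
            peers[m["peer"]]["sweet32"] = True
        elif m := RE_NEGOTIATED.search(line):
            if m["peer"]:                      # server log names the peer
                peers[m["peer"]]["negotiated"] = m["cipher"]
            else:                              # client log: its own data channel
                client["negotiated"]["cipher"] = m["cipher"]
        elif m := RE_TUNNEL.search(line):
            # "V4,dev-type tun,...,cipher BF-CBC,auth SHA1,..." -> what the profile asked for
            for item in m["opts"].split(","):
                key, _, val = item.partition(" ")
                if key in ("cipher", "auth"):
                    client["configured"][key] = val
        elif m := RE_PROTO_KV.match(line.strip()):
            client["negotiated"][m["key"]] = m["val"]
    return {"peers": dict(peers), "client": client}


def findings(report):
    """Reduce the report to the notes a defender acts on."""
    notes = []
    for peer, info in sorted(report["peers"].items()):
        if info["sweet32"]:
            notes.append(f"{peer}: 64-bit block cipher on the data channel (SWEET32 warning)")
        for opt, local, remote in info["mismatches"]:
            if opt == "auth":
                notes.append(f"{peer}: HMAC digest mismatch, server '{local}' vs client '{remote}'")
        if info["negotiated"]:
            notes.append(f"{peer}: data channel cipher {info['negotiated']}")
    client = report["client"]
    configured = client["configured"].get("cipher")
    negotiated = client["negotiated"].get("cipher")
    if configured and negotiated and configured != negotiated:
        notes.append(f"client: profile says cipher {configured}, negotiated {negotiated}")
    if client["negotiated"].get("digest") in ("SHA1", "MD5"):
        notes.append(f"client: digest {client['negotiated']['digest']}, add 'auth SHA256' to the profile")
    return notes


# Constructed sample lines in the server syslog format posted above
# (198.51.100.7 is a made-up second peer that never left BF-CBC).
SERVER_LOG = """\
Feb 15 21:18:50 R7000 openvpn: 37.47.x.51 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1554', remote='link-mtu 1542'
Feb 15 21:18:50 R7000 openvpn: 37.47.x.51 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Feb 15 21:18:51 R7000 openvpn: client1/37.47.x.51 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 15 21:25:15 R7000 openvpn: 198.51.100.7 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
"""

# Constructed sample lines in the iOS client log format (plus one Tunnelblick-style line).
CLIENT_LOG = """\
2017-02-16 11:42:23 Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2017-02-16 11:42:24 PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA1
compress: LZO
peer ID: 0
2017-02-16 11:42:24 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

if __name__ == "__main__":
    report = triage_logs(SERVER_LOG.splitlines() + CLIENT_LOG.splitlines())
    for note in findings(report):
        print(note)
```

Run over the posted logs this reproduces what qrs observed: the client profile still says `cipher BF-CBC` / `auth SHA1`, yet the data channel comes up as AES-256-GCM, because OpenVPN 2.4 negotiates the data-channel cipher between peers that both support it, while the `auth` mismatch keeps being logged until the client profile also carries `auth SHA256`.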
 
Steel_Rat
I generate the keys on Windows and they work.
Basically you use "cmd.exe". You change directory to "...\OpenVPN\easy-rsa".
And there you have files such as

vars.bat
build-ca.bat - creates ca.crt
build-dh.bat - creates the dh*.pem file
build-key.bat - creates a certificate for a client (build-key.bat )
build-key-pass.bat - creates a certificate for a client with a password (build-key-pass.bat )
build-key-pkcs12.bat -- no idea :)
build-key-server.bat - creates the certificate for the server (build-key-server.bat )
clean-all.bat - cleans the key directory

All the variables for the certificate are in the vars.bat file.
So you need to run it first, then you can create the certificates.
WRT3200ACN (WRT32X) + OpenWRT 18.06 + fiber 150/150 Mb/s
Asus RT-AC68UvE1 + RMerlin + Entware
Netgear WNR3500Lv2 + DDWRT
 
kille72
And what if you set Encryption cipher to None and add in Custom Configuration:


cipher AES-256-GCM


Not all of them are in the GUI:


# openvpn --show-ciphers
(output identical to the openvpn --show-ciphers list quoted earlier in this thread)
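Because the GUI offers only part of that list, it helps to derive the candidate lists from the `--show-ciphers` output itself rather than by hand. The following is an added example, not code from the thread or from Tomato: it parses lines in the format quoted above into records and returns the 128-bit-block ciphers a hardened dropdown could offer, the subset usable in static-key mode (CBC only, as the banner states), the deprecated ones, and a lookup for validating a `cipher NAME` line destined for Custom Configuration. The sample text is a constructed excerpt of the posted output; the function names are the example's own.

```python
"""Parse `openvpn --show-ciphers` output in the format quoted above and derive
the lists a firmware GUI could offer: ciphers with a 128-bit block, and the
subset usable in static-key mode (CBC only, as the banner says).
Added example, not code from the thread or from Tomato; the text below is a
constructed excerpt of the output posted in the thread."""
import re

CIPHER_LINE = re.compile(
    r"^(?P<name>[A-Z0-9-]+)\s+\((?P<key>\d+) bit key(?P<variable> by default)?, "
    r"(?P<block>\d+) bit block(?P<tls_only>, TLS client/server mode only)?\)$")


def parse_show_ciphers(text):
    """One record per cipher line; banner and blank lines are ignored."""
    records = []
    for line in text.splitlines():
        m = CIPHER_LINE.match(line.strip())
        if m:
            records.append({
                "name": m["name"],
                "key_bits": int(m["key"]),
                "key_size_variable": m["variable"] is not None,  # '--keysize' can change it
                "block_bits": int(m["block"]),
                "tls_only": m["tls_only"] is not None,
            })
    return records


def gui_cipher_list(records):
    """Names a hardened dropdown should offer: 128-bit block only."""
    return [r["name"] for r in records if r["block_bits"] >= 128]


def static_key_ciphers(records):
    """Ciphers usable without TLS (static key): 128-bit block and not TLS-only."""
    return [r["name"] for r in records if r["block_bits"] >= 128 and not r["tls_only"]]


def deprecated_ciphers(records):
    """The 64-bit-block ciphers OpenVPN itself marks deprecated."""
    return [r["name"] for r in records if r["block_bits"] < 128]


def check_custom_cipher(records, name):
    """Validate a 'cipher NAME' line meant for Custom Configuration:
    True if listed with a 128-bit block, False if listed but deprecated,
    None if this OpenVPN build does not list it at all."""
    for r in records:
        if r["name"] == name.upper():
            return r["block_bits"] >= 128
    return None


# Constructed excerpt of the output quoted in the thread.
SHOW_CIPHERS = """\
# openvpn --show-ciphers
The following ciphers and cipher modes are available for use
with OpenVPN.  Each cipher shown below may be use as a
parameter to the --cipher option.  Using a CBC or GCM mode is recommended.
In static key mode only CBC mode is allowed.

AES-128-CBC  (128 bit key, 128 bit block)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
AES-256-CBC  (256 bit key, 128 bit block)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)

The following ciphers have a block size of less than 128 bits,
and are therefore deprecated.  Do not use unless you have to.

BF-CBC  (128 bit key by default, 64 bit block)
DES-EDE3-CBC  (192 bit key, 64 bit block)
RC2-40-CBC  (40 bit key by default, 64 bit block)
"""

if __name__ == "__main__":
    records = parse_show_ciphers(SHOW_CIPHERS)
    print("GUI list:      ", gui_cipher_list(records))
    print("static key:    ", static_key_ciphers(records))
    print("deprecated:    ", deprecated_ciphers(records))
    print("AES-256-GCM ok:", check_custom_cipher(records, "AES-256-GCM"))
```

Feeding it the real output of the router's own `openvpn --show-ciphers` (rather than the excerpt) gives the list for that firmware build, which is the point: the GUI dropdown and the binary's capabilities are two different things, as the posts above show.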
 
joks
I see setting up a VPN isn't that simple, which is a pity, because I'd set up a little server at home myself and connect through it. qrs, once you get through setting up VPN on the new Tomato, write a tutorial on what you did when you have time; it'll be useful to me and probably to others ;)
 
qrs
I'll test cipher AES-256-GCM this evening, because it might be the missing piece of the puzzle

Overall everything runs stably and without errors - OpenVPN on Tomato is implemented correctly by kille72 ;)

Merged with 17 February 2017 07:57:06:
An idea: how about Tomato supporting only secure encryption and dropping the ones on the list considered broken? Would that reduce the size of the source significantly?
Edited by qrs on 17-02-2017 07:57
 
kille72

Quote

qrs wrote:
An idea: how about Tomato supporting only secure encryption and dropping the ones on the list considered broken? Would that reduce the size of the source significantly?


That's the plan, to drop the insecure ones from the GUI; I've already changed the default Encryption cipher in my build from BF-CBC (Blowfish) to AES-128-CBC, which is far more secure.

It won't reduce the size, because they'll only be removed from the GUI; OpenVPN still supports all of the ones below, I don't know whether they can somehow be disabled before compilation in some config file.


# openvpn --show-ciphers
(output identical to the openvpn --show-ciphers list quoted earlier in this thread)
RC5-CBC  (128 bit key by default, 64 bit block)
RC5-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
RC5-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)


Supposedly AES-256-GCM is more secure than AES-256-CBC, but AES-256-CBC is more popular? Does anyone know about this?
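The `--show-ciphers` listing above sorts ciphers by block size, and that is the criterion a config check can apply mechanically: anything with a 64-bit block (Blowfish, CAST5, DES/3DES, IDEA, RC2, RC5) is deprecated, AES is fine, and AES-GCM is the AEAD mode that carries its own integrity check, whereas CBC relies on a separate `auth` HMAC. The linter below is an added example written for this thread; it is not code from Tomato, from kille72's build, or from OpenVPN. The two sample configs are constructed, and the choice of AES-256-GCM as the suggested replacement is an assumption for the demo.

```python
"""Lint an OpenVPN config for weak `cipher` settings.

Added example, not code from Tomato or OpenVPN. It applies the rule from the
`openvpn --show-ciphers` output: ciphers with a 64-bit block are deprecated,
AES is fine, and AES-GCM is the AEAD choice that needs no separate HMAC.
The sample configs at the bottom are constructed for this demo.
"""

# Families with a 64-bit block, as grouped by `openvpn --show-ciphers`.
DEPRECATED_64BIT = ("BF-", "CAST5-", "DES-", "DESX-", "IDEA-", "RC2-", "RC5-")
RECOMMENDED = "AES-256-GCM"  # assumption for the demo; any AES-*-GCM would do


def classify_cipher(name: str) -> str:
    """Map a cipher name to a coarse risk class."""
    n = name.upper()
    if n.startswith(DEPRECATED_64BIT):
        return "deprecated-64bit-block"
    if n.startswith("AES-") and n.endswith("-GCM"):
        return "aead"          # authenticated encryption: confidentiality + integrity
    if n.startswith("AES-"):
        return "aes-non-aead"  # CBC/CFB/OFB: integrity comes only from `auth`
    return "unknown"


def parse_directives(text: str) -> dict:
    """Collect the first argument of the directives we care about.

    OpenVPN treats lines whose first character is '#' or ';' as comments.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] in ("cipher", "auth") and len(parts) > 1:
            found[parts[0]] = parts[1]
    return found


def lint_openvpn_config(text: str) -> list:
    """Return a list of findings; an empty list means no weak cipher setting."""
    d = parse_directives(text)
    findings = []
    cipher = d.get("cipher")
    if cipher is None:
        findings.append(
            "no 'cipher' directive: older OpenVPN releases fall back to BF-CBC "
            f"(64-bit block); set 'cipher {RECOMMENDED}'")
        return findings
    kind = classify_cipher(cipher)
    if kind == "deprecated-64bit-block":
        findings.append(
            f"cipher {cipher}: 64-bit block cipher, deprecated (birthday-bound "
            f"attacks such as SWEET32); replace with {RECOMMENDED}")
    elif kind == "aes-non-aead" and d.get("auth", "SHA1").upper() == "NONE":
        # OpenVPN's default `auth` is SHA1, so only an explicit `auth none` drops the HMAC.
        findings.append(
            f"cipher {cipher} with 'auth none': no integrity protection; "
            f"use {RECOMMENDED} or keep an HMAC via 'auth SHA256'")
    elif kind == "unknown":
        findings.append(
            f"cipher {cipher}: not recognised, verify it against 'openvpn --show-ciphers'")
    return findings


# Constructed sample configs: the old Tomato default next to a hardened one.
WEAK_CONFIG = """\
# constructed example: the old OpenVPN/Tomato default cipher
client
dev tun
cipher BF-CBC
auth SHA1
"""

HARDENED_CONFIG = """\
# constructed example: AEAD cipher, no separate HMAC needed
client
dev tun
cipher AES-256-GCM
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint_openvpn_config(cfg) or ["ok"])
```

Run it against a client `.ovpn` or the server config generated by the router to see whether the cipher line still names a 64-bit block cipher; a config without any `cipher` line is reported too, because on the builds discussed here the silent fallback is BF-CBC.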
 