WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
takuya@openvpn$ sudo openvpn --config ~/Desktop/openvpn/tun0.conf --verb 6
Fri Feb 14 11:07:22 2020 us=467027 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Feb 14 11:07:22 2020 us=467785 Current Parameter Settings:
Fri Feb 14 11:07:22 2020 us=467792 config = '/Users/takuya/Desktop/openvpn/tun0.conf'
## (omitted)
Fri Feb 14 11:07:32 2020 us=984572 Peer Connection Initiated with [AF_INET]192.168.1.1:1194
## This takes a little while.
Fri Feb 14 11:07:34 2020 us=175172 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Feb 14 11:07:34 2020 us=175256 Initialization Sequence Completed
## Sending pings.
Fri Feb 14 11:09:58 2020 us=450862 UDP WRITE [124] to [AF_INET]192.168.1.1:1194: DATA len=124
Fri Feb 14 11:09:58 2020 us=453078 UDP READ [124] from [AF_INET]192.168.1.1:1194: DATA len=124
root@:/etc/openvpn# openvpn --dev tun1 --ifconfig 10.9.8.1 10.9.8.2 --secret /etc/openvpn/secret.key
Fri Feb 14 14:34:47 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Feb 14 14:34:47 2020 OpenVPN 2.4.7 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Feb 14 14:34:47 2020 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Fri Feb 14 14:34:47 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Feb 14 14:34:47 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Feb 14 14:34:47 2020 TUN/TAP device tun1 opened
Fri Feb 14 14:35:21 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Feb 14 14:35:21 2020 Initialization Sequence Completed
takuya@openvpn$ sudo openvpn --remote 192.168.2.1 --dev tun1 --ifconfig 10.9.8.2 10.9.8.1 --secret secret.key
Fri Feb 14 14:35:09 2020 OpenVPN 2.4.8 x86_64-apple-darwin17.7.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Nov 1 2019
Fri Feb 14 14:35:21 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Feb 14 14:35:21 2020 Initialization Sequence Completed
If you connect without specifying a key
If you try to connect without the shared key, the connection never gets started and it just stalls.
takuya@openvpn$ sudo openvpn --remote 192.168.1.1 --dev tun1 --ifconfig 10.9.8.2 10.9.8.1
Fri Feb 14 14:37:52 2020 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Fri Feb 14 14:37:52 2020 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Fri Feb 14 14:37:52 2020 Opened utun device utun1
Fri Feb 14 14:37:52 2020 UDP link local (bound): [AF_INET][undef]:1194
Fri Feb 14 14:37:52 2020 UDP link remote: [AF_INET]192.168.1.1:1194
## Keeps retrying the connection
On the server side, authentication-failure messages show up in the log.
root@:/etc/openvpn# openvpn --dev tun1 --ifconfig 10.9.8.1 10.9.8.2 --secret /etc/openvpn/secret.key
Fri Feb 14 14:35:21 2020 Initialization Sequence Completed
Fri Feb 14 14:38:02 2020 Authenticate/Decrypt packet error: missing authentication info
Fri Feb 14 14:38:12 2020 Authenticate/Decrypt packet error: missing authentication info
Fri Feb 14 14:38:22 2020 Authenticate/Decrypt packet error: missing authentication info
Fri Feb 14 14:38:33 2020 Authenticate/Decrypt packet error: missing authentication info
Fri Feb 14 14:38:43 2020 Authenticate/Decrypt packet error: missing authentication info
takuya@:~$ sudo openvpn --dev tun1 --ifconfig 10.9.8.1 10.9.8.2
(omitted)
Tue Feb 18 02:42:06 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Tue Feb 18 02:42:06 2020 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Tue Feb 18 02:42:06 2020 TUN/TAP device tun1 opened
Tue Feb 18 02:42:26 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Feb 18 02:42:26 2020 Initialization Sequence Completed
takuya@~$ sudo openvpn --remote 192.168.1.1 --dev tun1 --ifconfig 10.9.8.2 10.9.8.1
## (omitted)
Fri Feb 14 09:03:02 2020 UDP link local (bound): [AF_INET][undef]:1194
Fri Feb 14 09:03:02 2020 UDP link remote: [AF_INET]192.168.1.1:1194
Fri Feb 14 09:03:12 2020 Peer Connection Initiated with [AF_INET]192.168.1.1:1194
Fri Feb 14 09:03:13 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
## Wait a moment until "Completed" appears
Fri Feb 14 09:03:13 2020 Initialization Sequence Completed
Connecting from the client side, it took about 10 seconds for the connection to be established.
After the connection is established
tun1 on the server side (after the client has connected)
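The warnings in the logs above (the SWEET32 64-bit block cipher, password caching, and the clear-text tunnel when neither side has a `--secret`) can all be caught before the daemon is started. The following is an added example, not code from the original post or from OpenVPN: a small checker that parses a config file in the same `option arg...` form as `tun0.conf` and reports those three conditions. The list of 64-bit block ciphers and the sample config are constructed for the example; the fallback to BF-CBC when `cipher` is absent reflects the OpenVPN 2.4 default (it changed in 2.5).

```python
"""Static check of an OpenVPN config for the conditions the daemon warns about.
Added example; assumes the simple 'option arg...' file format used by tun0.conf."""

# Ciphers with a 64-bit block size, which the SWEET32 warning refers to (constructed list).
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "IDEA-CBC", "RC2-CBC"}
DEFAULT_CIPHER = "BF-CBC"  # what OpenVPN 2.4 falls back to when --cipher is not given


def parse_config(text):
    """Map each option name to its argument list.

    Lines starting with '#' or ';' are comments; a leading '--' is accepted so
    command-line flags can be pasted in too. Repeated options keep the last value.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        opts[parts[0].lstrip("-")] = parts[1:]
    return opts


def check_config(text):
    """Return a list of human-readable findings; an empty list means no warnings."""
    opts = parse_config(text)
    findings = []

    # 1. No --secret (static key) and no TLS setup: the same state as the
    #    "All encryption and authentication features disabled" run above.
    tls_markers = ("ca", "tls-client", "tls-server", "client", "server", "pkcs12")
    if "secret" not in opts and not any(k in opts for k in tls_markers):
        findings.append("no --secret and no TLS options: traffic would be tunnelled as clear text")

    # 2. 64-bit block cipher, either explicit or via the default.
    cipher_args = opts.get("cipher") or [DEFAULT_CIPHER]
    cipher = cipher_args[0].upper()
    if cipher in SMALL_BLOCK_CIPHERS:
        findings.append(f"cipher {cipher} has a 64-bit block size (SWEET32); use e.g. AES-256-CBC")

    # 3. The password-caching warning is printed whenever auth-nocache is absent.
    if "auth-nocache" not in opts:
        findings.append("auth-nocache not set: credentials may be cached in memory")

    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the keyless client invocation above.
    SAMPLE = "remote 192.168.1.1\ndev tun1\nifconfig 10.9.8.2 10.9.8.1\n"
    for finding in check_config(SAMPLE):
        print("WARNING:", finding)
```

Run it against a real config before `sudo openvpn --config ...`; a clean result means none of the three warnings from the logs above should appear at startup.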
root@ubuntu:~# ip addr s tun1
21: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.9.8.1 peer 10.9.8.2/32 scope global tun1
valid_lft forever preferred_lft forever
tun1 on the client side (after connecting to the server)
takuya@~$ ip addr show utun2
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.9.8.2 --> 10.9.8.1/32 utun2
takuya@openvpn$ ping 10.9.8.1
PING 10.9.8.1 (10.9.8.1): 56 data bytes
64 bytes from 10.9.8.1: icmp_seq=0 ttl=64 time=1.606 ms
64 bytes from 10.9.8.1: icmp_seq=1 ttl=64 time=1.939 ms
64 bytes from 10.9.8.1: icmp_seq=2 ttl=64 time=1.825 ms
^C
root@:~# ping 10.9.8.2
PING 10.9.8.2 (10.9.8.2): 56 data bytes
64 bytes from 10.9.8.2: seq=0 ttl=64 time=1.813 ms
64 bytes from 10.9.8.2: seq=1 ttl=64 time=2.356 ms
64 bytes from 10.9.8.2: seq=2 ttl=64 time=2.238 ms
# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/shutdown,/sbin/halt,/sbin/reboot,/sbin/poweroff
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL, !SHUTDOWN
This prevents an accidental shutdown or reboot.
takuya@host:~$ sudo poweroff
Sorry, user takuya is not allowed to execute '/usr/sbin/poweroff' as root on host.
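To see why `ALL, !SHUTDOWN` denies `poweroff` while still allowing everything else, the rule can be evaluated by hand: sudo walks the command list in order and the last matching entry wins. The following is an added illustration, not sudo's own matching code; it parses only the subset of sudoers syntax shown above (one `Cmnd_Alias` and one `%group` rule) and treats the host part as `ALL`. The embedded sudoers text is a constructed copy of the snippet above.

```python
"""Evaluate a sudoers rule with a negated Cmnd_Alias, the way the snippet above works.
Added illustration, not sudo's own code; it covers only the syntax shown on the page."""
import re

RUNAS = re.compile(r"^\s*\([^)]*\)\s*")  # the "(ALL:ALL)" run-as part


def parse_sudoers(text):
    """Return (cmnd_aliases, rules).

    cmnd_aliases: alias name -> list of command paths
    rules: list of (user_or_%group, [command specs in order])
    """
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        who, rest = line.split(None, 1)          # "%sudo", "ALL=(ALL:ALL) ALL, !SHUTDOWN"
        _host, cmd_spec = rest.split("=", 1)     # host part ignored (assumed ALL)
        cmd_spec = RUNAS.sub("", cmd_spec)
        rules.append((who, [c.strip() for c in cmd_spec.split(",")]))
    return aliases, rules


def _matches(spec, aliases, command):
    """Does one (non-negated) command spec match the command's full path?"""
    if spec == "ALL":
        return True
    if spec in aliases:
        return any(_matches(c, aliases, command) for c in aliases[spec])
    return spec == command   # sudo matches on the full path, not the basename


def is_allowed(sudoers_text, user, groups, command):
    """Last matching command spec wins, so 'ALL, !SHUTDOWN' allows all but the alias."""
    aliases, rules = parse_sudoers(sudoers_text)
    decision = False
    for who, specs in rules:
        if who.startswith("%"):
            if who[1:] not in groups:
                continue
        elif who != user:
            continue
        for spec in specs:
            negated = spec.startswith("!")
            if _matches(spec.lstrip("!"), aliases, command):
                decision = not negated
    return decision


# Constructed copy of the page's snippet, used for the demo below.
SUDOERS = """\
# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/shutdown,/sbin/halt,/sbin/reboot,/sbin/poweroff
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL, !SHUTDOWN
"""

if __name__ == "__main__":
    for cmd in ("/sbin/poweroff", "/usr/bin/apt"):
        verdict = "allowed" if is_allowed(SUDOERS, "takuya", ["sudo"], cmd) else "denied"
        print(f"{cmd} -> {verdict}")
```

The order matters: writing `!SHUTDOWN, ALL` would let `ALL` match last and re-allow the shutdown commands. sudo's manual also notes that `!` exclusions cannot restrict a user who is otherwise granted `ALL`, so the author's framing, guarding against an accidental shutdown, is exactly what this construction is good for.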
root@MyOpenWRT:~# curl -LJO https://downloads.openwrt.org/releases/19.07.1/targets/x86/64/packages/kernel_4.14.167-1-e1dd7676581672f6f0bdb1363506dee1_x86_64.ipk
root@MyOpenWRT:~# ll
drwxr-xr-x 3 root root 4096 Feb 3 17:45 ./
drwxr-xr-x 19 root root 4096 Jan 21 03:06 ../
-rw------- 1 root root 12968 Feb 3 16:11 .bash_history
drwx------ 2 root root 4096 Jan 21 03:17 .ssh/
-rw------- 1 root root 15511 Feb 3 04:31 .viminfo
-rw-r--r-- 1 root root 798 Feb 3 17:45 kernel_4.14.167-1-e1dd7676581672f6f0bdb1363506dee1_x86_64.ipk
The download succeeded, so install it.
root@MyOpenWRT:~# opkg install kernel_4.14.167-1-e1dd7676581672f6f0bdb1363506dee1_x86_64.ipk
Upgrading kernel on root from 4.14.162-1-e1dd7676581672f6f0bdb1363506dee1 to 4.14.167-1-e1dd7676581672f6f0bdb1363506dee1...
Configuring kernel.
Having confirmed that sed rewrites it correctly, update (overwrite) the file in place with sed -i.
root@MyOpenWRT:~# sed -i 's/19.07.0/19.07.1/' /etc/opkg/distfeeds.conf
The package feed source has now been changed.
Refresh the opkg package list and update.
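The `sed -i 's/19.07.0/19.07.1/'` above rewrites every line that contains the old version string. The following is an added example, not from the original post or from OpenWrt: a rewrite that changes only the `releases/<version>/` path segment of `src/gz` feed lines and checks that every feed line actually pointed at the old release, so a half-edited file is reported instead of silently left mixed. The sample `distfeeds.conf` content is constructed from the 19.07.x x86/64 feed layout that appears in the `opkg update` output below.

```python
"""Bump the OpenWrt release in /etc/opkg/distfeeds.conf, touching only the
'releases/<version>/' path segment and verifying every feed line moved.
Added example; the sample file content is constructed from the 19.07.x feed layout."""
import re

# src/gz <feed_name> http://.../releases/<version>/<rest>
FEED_LINE = re.compile(r"^(src/gz\s+\S+\s+https?://\S+?/releases/)(\d+\.\d+\.\d+)(/\S+)\s*$")


def bump_release(text, old, new):
    """Return (rewritten_text, number_of_feed_lines_changed).

    Raises ValueError if any feed line points at a release other than `old`,
    so a mixed file is noticed rather than partially rewritten.
    """
    out, changed = [], 0
    for line in text.splitlines():
        m = FEED_LINE.match(line)
        if m is None:
            out.append(line)  # comments, blank lines, disabled feeds pass through
            continue
        if m.group(2) != old:
            raise ValueError(f"feed points at release {m.group(2)}, expected {old}: {line}")
        out.append(f"{m.group(1)}{new}{m.group(3)}")
        changed += 1
    return "\n".join(out) + "\n", changed


# Constructed sample in the shape of the x86/64 distfeeds.conf for 19.07.0.
SAMPLE = """\
src/gz openwrt_core http://downloads.openwrt.org/releases/19.07.0/targets/x86/64/packages
src/gz openwrt_base http://downloads.openwrt.org/releases/19.07.0/packages/x86_64/base
src/gz openwrt_luci http://downloads.openwrt.org/releases/19.07.0/packages/x86_64/luci
src/gz openwrt_packages http://downloads.openwrt.org/releases/19.07.0/packages/x86_64/packages
src/gz openwrt_routing http://downloads.openwrt.org/releases/19.07.0/packages/x86_64/routing
src/gz openwrt_telephony http://downloads.openwrt.org/releases/19.07.0/packages/x86_64/telephony
"""

if __name__ == "__main__":
    new_text, n = bump_release(SAMPLE, "19.07.0", "19.07.1")
    print(f"{n} feed lines updated")
    print(new_text, end="")
```

To apply it on the router, read `/etc/opkg/distfeeds.conf`, pass the text through `bump_release`, and write the result back; the `Signature check passed.` lines in the `opkg update` output below then confirm the new feed lists are the signed ones.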
root@MyOpenWRT:~# opkg update
Example run
root@MyOpenWRT:~# opkg update
Downloading http://downloads.openwrt.org/releases/19.07.1/targets/x86/64/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading http://downloads.openwrt.org/releases/19.07.1/targets/x86/64/packages/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/base/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/luci/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/packages/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/routing/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading http://downloads.openwrt.org/releases/19.07.1/packages/x86_64/telephony/Packages.sig
Signature check passed.
takuya@host:~$ virsh
Welcome to virsh, the virtualization interactive terminal.
Type: 'help' for help with commands
'quit' to quit
virsh # console OpenWrt
Connected to domain OpenWrt
Escape character is ^]
OpenWRT login:root