Using OpenVPN with cryptodev on Pogo V4 (Mobile)


Postby nwestfal » Tue Sep 23, 2014 3:04 pm

Hi,

I'm trying to get OpenVPN working on my Pogo V4 (Mobile). It works fine without cryptodev, but when I try to enable cryptodev support from the link here it is not working.

Here is the output from the server side:

```text
[root@alarm openvpn]# openvpn /etc/openvpn/server.conf
Tue Sep 23 07:18:51 2014 OpenVPN 2.3.4 armv5tel-unknown-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 1 2014
Tue Sep 23 07:18:51 2014 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.08
Tue Sep 23 07:18:51 2014 Diffie-Hellman initialized with 2048 bit key
Tue Sep 23 07:18:51 2014 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Tue Sep 23 07:18:51 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Sep 23 07:18:51 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Sep 23 07:18:51 2014 Socket Buffers: R=[163840->131072] S=[163840->131072]
Tue Sep 23 07:18:51 2014 ROUTE_GATEWAY 172.16.77.1/255.255.255.0 IFACE=eth0 HWADDR=xx:xx:xx:xx:xx:xx
Tue Sep 23 07:18:51 2014 TUN/TAP device tun0 opened
Tue Sep 23 07:18:51 2014 TUN/TAP TX queue length set to 100
Tue Sep 23 07:18:51 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Sep 23 07:18:51 2014 /usr/bin/ip link set dev tun0 up mtu 1500
Tue Sep 23 07:18:51 2014 /usr/bin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Sep 23 07:18:51 2014 /usr/bin/ip route add 10.8.0.0/24 via 10.8.0.2
Tue Sep 23 07:18:51 2014 GID set to nobody
Tue Sep 23 07:18:51 2014 UID set to nobody
Tue Sep 23 07:18:51 2014 UDPv4 link local (bound): [undef]
Tue Sep 23 07:18:51 2014 UDPv4 link remote: [undef]
Tue Sep 23 07:18:51 2014 MULTI: multi_init called, r=256 v=256
Tue Sep 23 07:18:51 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Sep 23 07:18:51 2014 Initialization Sequence Completed
Tue Sep 23 07:19:25 2014 173.55.80.151:53079 TLS: Initial packet from [AF_INET]173.55.80.151:53079, sid=ecd9f559 01cfb84f
Tue Sep 23 07:19:25 2014 173.55.80.151:53079 VERIFY OK: depth=1, C=US, ST=CA, L=Fontana, O=Home_Lan, OU=MyOrganizationalUnit, CN=Home_Lan CA, name=EasyRSA, emailAddress=xxxx@gmail.com
Tue Sep 23 07:19:25 2014 173.55.80.151:53079 VERIFY OK: depth=0, C=US, ST=CA, L=Fontana, O=Home_Lan, OU=MyOrganizationalUnit, CN=laptop01, name=EasyRSA, emailAddress=xxxx@gmail.com
Tue Sep 23 07:19:26 2014 173.55.80.151:53079 TLS_ERROR: BIO read tls_read_plaintext error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Sep 23 07:19:26 2014 173.55.80.151:53079 TLS Error: TLS object -> incoming plaintext read error
Tue Sep 23 07:19:26 2014 173.55.80.151:53079 TLS Error: TLS handshake failed
Tue Sep 23 07:19:26 2014 173.55.80.151:53079 SIGUSR1[soft,tls-error] received, client-instance restarting
```

Client is Windows. Here is the output:

```text
Tue Sep 23 07:19:23 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 7 2014
Tue Sep 23 07:19:23 2014 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Tue Sep 23 07:19:23 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Sep 23 07:19:23 2014 Need hold release from management interface, waiting...
Tue Sep 23 07:19:23 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Sep 23 07:19:23 2014 MANAGEMENT: CMD 'state on'
Tue Sep 23 07:19:23 2014 MANAGEMENT: CMD 'log all on'
Tue Sep 23 07:19:23 2014 MANAGEMENT: CMD 'hold off'
Tue Sep 23 07:19:23 2014 MANAGEMENT: CMD 'hold release'
Tue Sep 23 07:19:24 2014 Control Channel Authentication: tls-auth using INLINE static key file
Tue Sep 23 07:19:24 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Sep 23 07:19:24 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Sep 23 07:19:24 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Sep 23 07:19:24 2014 MANAGEMENT: >STATE:1411481964,RESOLVE,,,
Tue Sep 23 07:19:24 2014 UDPv4 link local: [undef]
Tue Sep 23 07:19:24 2014 UDPv4 link remote: [AF_INET]173.55.80.151:45491
Tue Sep 23 07:19:24 2014 MANAGEMENT: >STATE:1411481964,WAIT,,,
Tue Sep 23 07:19:24 2014 MANAGEMENT: >STATE:1411481964,AUTH,,,
Tue Sep 23 07:19:24 2014 TLS: Initial packet from [AF_INET]173.55.80.151:45491, sid=7879c30e 2aa543bb
Tue Sep 23 07:19:24 2014 VERIFY OK: depth=1, C=US, ST=CA, L=Fontana, O=Home_Lan, OU=MyOrganizationalUnit, CN=Home_Lan CA, name=EasyRSA, emailAddress=xxxx@gmail.com
Tue Sep 23 07:19:24 2014 VERIFY OK: nsCertType=SERVER
Tue Sep 23 07:19:24 2014 VERIFY OK: depth=0, C=US, ST=CA, L=Fontana, O=Home_Lan, OU=MyOrganizationalUnit, CN=alarm, name=EasyRSA, emailAddress=xxxx@gmail.com
```

Here is my server config:
```text
port 45491
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
;ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 172.16.77.0 255.255.255.0"
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 172.16.77.61"
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0 # This file is secret
cipher AES-128-CBC # AES
;comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
verb 3
mute 20
```

And my client config:
```text
client
dev tun
proto udp
remote xxxx.xxxx.xxxx 45491
resolv-retry infinite
nobind
persist-key
persist-tun

;ca ca.crt
<ca>
...
</ca>

;cert laptop01.crt
<cert>
...
</cert>

;key laptop01.key
<key>
...
</key>

;tls-auth ta.key 1
key-direction 1
<tls-auth>
...
</tls-auth>

cipher AES-128-CBC # AES
;comp-lzo
verb 3
mute 20
```

uname output:
```text
[root@alarm ~]# uname -a
Linux alarm 3.16.3-2-ARCH #1 PREEMPT Fri Sep 19 00:31:59 MDT 2014 armv5tel GNU/Linux
```

lsmod:
```text
[root@alarm ~]# lsmod
Module                  Size  Used by
sha512_generic          7825  0
sha256_generic          8657  0
blowfish_generic        3521  0
blowfish_common         6437  1 blowfish_generic
cryptodev              32811  2
uas                    16036  0
mv_cesa                11011  62
tun                    18218  2
ipv6                  307472  36
```

I'm using AES (tried both 128 and 256), but I don't see it listed in the lsmod output above.

What am I missing?
Last edited by nwestfal on Tue Sep 23, 2014 8:13 pm, edited 1 time in total.
-Neal
nwestfal
 
Posts: 30
Joined: Wed Sep 03, 2014 11:24 pm
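As an added example that is not part of the original post or of OpenVPN itself, here is a small Python triage script for server logs of the shape posted above. It groups lines by peer and classifies a failed handshake by how far it got before failing. The first peer in the built-in sample is abridged from Neal's server log; the other three peers (RFC 5737 test addresses, with an expired certificate, a tls-auth HMAC failure and a successful connection) are constructed to show how the verdict differs. The lsmod sample and the module names it looks for (`cryptodev`, `mv_cesa`, `aes_generic`) are taken from the output above; the "software_aes" field is only an observation, since the thread shows a working cryptodev setup with no AES module listed at all.

```python
"""Triage helper for OpenVPN server logs (added example, not project code).

The classification encodes one observation from the thread: when both
certificate depths reached VERIFY OK, the tls-auth HMAC and the certificate
chain were fine, so a subsequent SSL3_GET_RECORD "decryption failed or bad
record mac" means the two sides produced different bytes for the same TLS
record. That points at the symmetric cipher implementation (here, the freshly
enabled cryptodev/mv_cesa path) rather than at keys or certificates.
"""
import re
from collections import defaultdict

# Constructed sample. First peer abridged from the server log posted in the
# thread; the remaining peers are made up to exercise the other verdicts.
SAMPLE_SERVER_LOG = """\
Tue Sep 23 07:18:51 2014 Initialization Sequence Completed
Tue Sep 23 07:19:25 2014 173.55.80.151:53079 TLS: Initial packet from [AF_INET]173.55.80.151:53079, sid=ecd9f559 01cfb84f
Tue Sep 23 07:19:25 2014 173.55.80.151:53079 VERIFY OK: depth=1, C=US, ST=CA, O=Home_Lan, CN=Home_Lan CA
Tue Sep 23 07:19:25 2014 173.55.80.151:53079 VERIFY OK: depth=0, C=US, ST=CA, O=Home_Lan, CN=laptop01
Tue Sep 23 07:19:26 2014 173.55.80.151:53079 TLS_ERROR: BIO read tls_read_plaintext error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Sep 23 07:19:26 2014 173.55.80.151:53079 TLS Error: TLS handshake failed
Tue Sep 23 07:19:26 2014 173.55.80.151:53079 SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Sep 23 07:20:02 2014 192.0.2.10:40001 VERIFY OK: depth=1, C=US, ST=CA, O=Home_Lan, CN=Home_Lan CA
Tue Sep 23 07:20:02 2014 192.0.2.10:40001 VERIFY ERROR: depth=0, error=certificate has expired: C=US, CN=oldlaptop
Tue Sep 23 07:20:02 2014 192.0.2.10:40001 TLS Error: TLS handshake failed
Tue Sep 23 07:20:40 2014 198.51.100.7:40002 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Sep 23 07:20:40 2014 198.51.100.7:40002 TLS Error: incoming packet authentication failed from [AF_INET]198.51.100.7:40002
Tue Sep 23 07:21:00 2014 203.0.113.5:40003 VERIFY OK: depth=1, C=US, ST=CA, O=Home_Lan, CN=Home_Lan CA
Tue Sep 23 07:21:00 2014 203.0.113.5:40003 VERIFY OK: depth=0, C=US, ST=CA, O=Home_Lan, CN=laptop02
Tue Sep 23 07:21:00 2014 203.0.113.5:40003 [laptop02] Peer Connection Initiated with [AF_INET]203.0.113.5:40003
"""

# Constructed, abridged from the lsmod output in the thread.
SAMPLE_LSMOD = """\
Module                  Size  Used by
cryptodev              32811  2
mv_cesa                11011  62
tun                    18218  2
"""

LINE_RE = re.compile(
    r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}"          # timestamp
    r"(?: us=\d+)?"                                        # microseconds at verb >= 6
    r"(?: (?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}))?"     # client ip:port on the server side
    r" (?P<msg>.*)$"
)


def parse(log_text):
    """Group message strings by peer; lines without a peer go under 'server'."""
    by_peer = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_peer[m.group("peer") or "server"].append(m.group("msg"))
    return by_peer


def classify(msgs):
    """Verdict for one peer's messages, checked from the outermost layer inwards."""
    depths_ok = {int(d) for m in msgs for d in re.findall(r"VERIFY OK: depth=(\d+)", m)}
    if any("packet HMAC authentication failed" in m for m in msgs):
        return "tls-auth-hmac-failure"        # ta.key or key-direction mismatch
    if any("VERIFY ERROR" in m for m in msgs):
        return "cert-verify-failure"          # chain, expiry, nsCertType, ...
    if any("decryption failed or bad record mac" in m for m in msgs):
        if {0, 1} <= depths_ok:
            return "record-layer-mismatch"    # keys and certs fine: suspect the cipher implementation
        return "record-layer-mismatch-early"
    if any("Peer Connection Initiated" in m for m in msgs):
        return "ok"
    if any("TLS handshake failed" in m for m in msgs):
        return "handshake-failed-other"
    return "no-handshake"


def triage(log_text):
    """Map each client peer to a verdict."""
    return {peer: classify(msgs) for peer, msgs in parse(log_text).items() if peer != "server"}


def engine_modules(lsmod_text):
    """Which modules on the cryptodev path are loaded, from lsmod output."""
    names = {line.split()[0] for line in lsmod_text.splitlines()[1:] if line.strip()}
    return {"cryptodev": "cryptodev" in names,
            "mv_cesa": "mv_cesa" in names,
            "software_aes": "aes_generic" in names}


if __name__ == "__main__":
    for peer, verdict in triage(SAMPLE_SERVER_LOG).items():
        print(f"{peer:22} {verdict}")
    print(engine_modules(SAMPLE_LSMOD))
```

Run it against a real log with `triage(open("/var/log/openvpn.log").read())`; a `record-layer-mismatch` verdict on a client that worked before the engine was enabled is the signature seen in this thread, and the first thing to do is confirm the symptom disappears with cryptodev disabled, which is what Neal's later posts report.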

Re: Using OpenVPN with cryptodev on Pogo V4 (Mobile)

Postby Socaltom » Tue Sep 23, 2014 4:33 pm

I just set my kirkwood box up to use the AES encryption with the cryptodev. I don't see AES show up in lsmod, but I do see lines in the log for both the server and the client indicating that the AES encryption is starting. Did you restart openvpn after you turned on the encryption? If you did, then I don't see it coming on in the logs.

Try turning up the verb level in the configs to 5 or 6 to get more info.
Tom
used to be owned by me
Pink Pogo V2, Black Pogo V3, Zyxel NAS 325 v1,
used to be Administrator for
Goflex net, Black V3, Black V2
Now I have a couple of raspberry pi ( 3+ and 4)
Socaltom
 
Posts: 571
Joined: Thu Apr 07, 2011 2:21 pm
Location: The left side

Re: Using OpenVPN with cryptodev on Pogo V4 (Mobile)

Postby nwestfal » Tue Sep 23, 2014 8:24 pm

Yes, openvpn is restarted after each attempt.

And it does work with AES without hardware acceleration. It's only after enabling cryptodev that it doesn't work.

Here are the new logs after bumping the verb level up to 6. I tried to add them as attachments because I hit the 60000 character limit. However, I don't think the board supports attachments, at least I don't see them.

I posted the logs here:

https://www.dropbox.com/sh/mdmlry0ezbj6 ... xXlha?dl=0

This is the error that catches my attention most:
```text
Tue Sep 23 13:05:15 2014 us=188491 173.55.80.151:57128 TLS_ERROR: BIO read tls_read_plaintext error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
```

I'm just not sure what to do about it.

Neal

Re: Using OpenVPN with cryptodev on Pogo V4 (Mobile)

Postby nwestfal » Wed Sep 24, 2014 3:12 am

So I installed openvpn and openssl-cryptodev on my E02 to test as a client, and this does seem to work.

I tried using my opensuse box for the client side, and had the same issues as the Windows client. So I guess the client also has to use openssl-cryptodev?

Re: Using OpenVPN with cryptodev on Pogo V4 (Mobile)

Postby bodhi » Wed Sep 24, 2014 4:37 am

@Neal,

Be careful using cryptodev; other forum members have experienced, and still experience, crashes and/or data corruption. You should search the forum for their posts.
bodhi
 
Posts: 225
Joined: Sat Aug 13, 2011 10:06 am

Re: Using OpenVPN with cryptodev on Pogo V4 (Mobile)

Postby Socaltom » Wed Sep 24, 2014 3:50 pm

Here is what my lsmod looks like while logged in using AES-128:

```text
[root@PogoServerV5 ~]# lsmod
Module                  Size  Used by
sha512_generic          7825  0
sha256_generic          8657  0
blowfish_generic        3521  0
blowfish_common         6437  1 blowfish_generic
cryptodev              32811  1
iptable_filter          1124  0
ip_tables              10622  1 iptable_filter
x_tables               11787  2 ip_tables,iptable_filter
dm_mod                 80459  0
md4                     3142  0
hmac                    2461  1
cifs                  291331  2
bridge                 97059  0
stp                     1363  1 bridge
llc                     3232  2 stp,bridge
tun                    18218  4
rtc_pcf8563             2623  0
mv_cesa                11011  8
ipv6                  307472  27 bridge
```

Re: Using OpenVPN with cryptodev on Pogo V4 (Mobile)

Postby moonman » Wed Sep 24, 2014 9:39 pm

Pogoplug V4 | GoFlex Home | Raspberry Pi 4 4GB | CuBox-i4 Pro | ClearFog | BeagleBone Black | Odroid U2 | Odroid C1 | Odroid XU4
-----------------------------------------------------------------------------------------------------------------------
[armv5] Updated U-Boot | [armv5] NAND Rescue System
moonman
Developer
 
Posts: 3388
Joined: Sat Jan 15, 2011 3:36 am

Re: Using OpenVPN with cryptodev on Pogo V4 (Mobile)

Postby nwestfal » Thu Sep 25, 2014 12:46 pm

Thanks guys.

Since there are known issues with it I've backed off from using cryptodev.

@Socaltom, you have not experienced the data corruption issues?

Re: Using OpenVPN with cryptodev on Pogo V4 (Mobile)

Postby Socaltom » Thu Sep 25, 2014 2:55 pm

I haven't been using the encryption very long, but I haven't seen any issues. I'm currently running it on a NAS325 zyxel system, if that makes a difference. I tested it briefly on a V2 system, and it worked fine.
Tom

Re: Using OpenVPN with cryptodev on Pogo V4 (Mobile)

Postby Socaltom » Thu Sep 25, 2014 8:17 pm

Ok, so I just did a pacman -Syu and suddenly my encryption is broken. What is cryptsetup, and could it be the cause of this?
Tom
