[SOLVED] OpenVPN: client has no internet access
HellKnight, 1 March 2011 - 20:07
On my Gentoo desktop I run VirtualBox with Gentoo and Windows 2003 guests.
On the Gentoo guest I set up OpenVPN; the Windows guest is supposed to be its client. All of them are on the 192.168.0.0 network.
I used the following guide as a basis.
Server config:
cat /etc/openvpn/server.conf
daemon openvpn
writepid /var/openvpn/pid
status /var/openvpn/status 10
local 192.168.0.104
port 1194
proto udp
dev tun0
comp-lzo
tls-auth /etc/openvpn/keys/ta.key 0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 192.168.3.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
keepalive 10 120
auth SHA1
cipher AES-256-CBC
max-clients 10
log-append /var/log/openvpn.log
verb 3
mute 20
user _openvpn
group _openvpn
persist-key
persist-tun
chroot /var/empty
script-security 3
All keys and certificates have been generated and are in the directories named in the config.
Client config:
c:\Program Files\OpenVPN\config\client1.ovpn
client
dev tun
remote 192.168.0.104 1194
proto udp
resolv-retry infinite
nobind
pull
comp-lzo
persist-key
persist-tun
verb 3
ca "c:\\client1\\ca.crt"
cert "c:\\client1\\client1.crt"
key "c:\\client1\\client1.key"
tls-auth "c:\\client1\\ta.key" 1
ns-cert-type server
auth SHA1
cipher AES-256-CBC
I start the server.
ifconfig -a
eth0      Link encap:Ethernet  HWaddr 08:00:27:6c:e4:4f
          inet addr:192.168.0.104  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe6c:e44f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11520 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9161 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1128856 (1.0 MiB)  TX bytes:1725300 (1.6 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.3.1  P-t-P:192.168.3.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:252 (252.0 B)
In Windows I click Connect in the OpenVPN GUI; here is the log:
Tue Mar 01 17:50:52 2011 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Tue Mar 01 17:50:52 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Mar 01 17:50:52 2011 Control Channel Authentication: using 'c:\client1\ta.key' as a OpenVPN static key file
Tue Mar 01 17:50:52 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 01 17:50:52 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 01 17:50:52 2011 LZO compression initialized
Tue Mar 01 17:50:52 2011 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Mar 01 17:50:52 2011 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 01 17:50:52 2011 Local Options hash (VER=V4): '9e7066d2'
Tue Mar 01 17:50:52 2011 Expected Remote Options hash (VER=V4): '162b04de'
Tue Mar 01 17:50:52 2011 UDPv4 link local: [undef]
Tue Mar 01 17:50:52 2011 UDPv4 link remote: 192.168.0.104:1194
Tue Mar 01 17:50:52 2011 TLS: Initial packet from 192.168.0.104:1194, sid=6e53f442 19e198a4
Tue Mar 01 17:50:52 2011 VERIFY OK: depth=1, /C=UA/ST=KH/L=Kharkov/O=BMW/CN=pitbull/name=alex/emailAddress=pitbull1988@mail.ru
Tue Mar 01 17:50:52 2011 VERIFY OK: nsCertType=SERVER
Tue Mar 01 17:50:52 2011 VERIFY OK: depth=0, /C=UA/ST=KH/L=Kharkov/O=BMW/CN=server/name=alex/emailAddress=pitbull1988@mail.ru
Tue Mar 01 17:50:52 2011 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Mar 01 17:50:52 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 01 17:50:52 2011 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Mar 01 17:50:52 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 01 17:50:52 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Mar 01 17:50:52 2011 [server] Peer Connection Initiated with 192.168.0.104:1194
Tue Mar 01 17:50:53 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Mar 01 17:50:53 2011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 192.168.3.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.3.6 192.168.3.5'
Tue Mar 01 17:50:53 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: topology (2.0.9)
Tue Mar 01 17:50:53 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar 01 17:50:53 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue Mar 01 17:50:53 2011 OPTIONS IMPORT: route options modified
Tue Mar 01 17:50:53 2011 TAP-WIN32 device [Подключение по локальной сети] opened: \\.\Global\{522B4864-D2AC-478C-81AB-B6ECAECDE396}.tap
Tue Mar 01 17:50:53 2011 TAP-Win32 Driver Version 8.4
Tue Mar 01 17:50:53 2011 TAP-Win32 MTU=1500
Tue Mar 01 17:50:53 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.3.6/255.255.255.252 on interface {522B4864-D2AC-478C-81AB-B6ECAECDE396} [DHCP-serv: 192.168.3.5, lease-time: 31536000]
Tue Mar 01 17:50:53 2011 Successful ARP Flush on interface [196612] {522B4864-D2AC-478C-81AB-B6ECAECDE396}
Tue Mar 01 17:50:53 2011 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Tue Mar 01 17:50:53 2011 route ADD 192.168.0.0 MASK 255.255.255.0 192.168.3.5
Tue Mar 01 17:50:53 2011 Route addition via IPAPI succeeded
Tue Mar 01 17:50:53 2011 route ADD 192.168.3.1 MASK 255.255.255.255 192.168.3.5
Tue Mar 01 17:50:53 2011 Route addition via IPAPI succeeded
Tue Mar 01 17:50:53 2011 Initialization Sequence Completed
C:\Documents and Settings\Administrator>route print
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10004 ...00 ff 52 2b 48 64 ...... TAP-Win32 Adapter V8
0x20003 ...08 00 27 6c d4 b2 ...... AMD PCNET Family PCI Ethernet Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.103      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0    192.168.0.103   192.168.0.103      20
      192.168.0.0    255.255.255.0      192.168.3.5     192.168.3.6       1
    192.168.0.103  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.0.255  255.255.255.255    192.168.0.103   192.168.0.103      20
      192.168.3.1  255.255.255.255      192.168.3.5     192.168.3.6       1
      192.168.3.4  255.255.255.252      192.168.3.6     192.168.3.6      30
      192.168.3.6  255.255.255.255        127.0.0.1       127.0.0.1      30
    192.168.3.255  255.255.255.255      192.168.3.6     192.168.3.6      30
        224.0.0.0        240.0.0.0    192.168.0.103   192.168.0.103      20
        224.0.0.0        240.0.0.0      192.168.3.6     192.168.3.6      30
  255.255.255.255  255.255.255.255    192.168.0.103   192.168.0.103       1
  255.255.255.255  255.255.255.255      192.168.3.6     192.168.3.6       1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None
I click Disconnect.
Excerpt from less /var/log/openvpn.log
Tue Mar 1 15:47:03 2011 client1/192.168.0.103:1501 [client1] Inactivity timeout (--ping-restart), restarting
Tue Mar 1 15:47:03 2011 client1/192.168.0.103:1501 SIGUSR1[soft,ping-restart] received, client-instance restarting
Tue Mar 1 15:50:45 2011 event_wait : Interrupted system call (code=4)
Tue Mar 1 15:50:45 2011 TCP/UDP: Closing socket
Tue Mar 1 15:50:45 2011 /sbin/route del -net 192.168.3.0 netmask 255.255.255.0
Tue Mar 1 15:50:45 2011 ERROR: Linux route delete command failed: could not execute external program
Tue Mar 1 15:50:45 2011 Closing TUN/TAP interface
Tue Mar 1 15:50:45 2011 /sbin/ifconfig tun0 0.0.0.0
Tue Mar 1 15:50:45 2011 Linux ip addr del failed: could not execute external program
Tue Mar 1 15:50:45 2011 SIGTERM[hard,] received, process exiting
Tue Mar 1 17:50:45 2011 OpenVPN 2.1.3 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Mar 1 2011
Tue Mar 1 17:50:45 2011 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Tue Mar 1 17:50:45 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Mar 1 17:50:45 2011 Diffie-Hellman initialized with 1024 bit key
Tue Mar 1 17:50:45 2011 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Tue Mar 1 17:50:45 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 1 17:50:45 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 1 17:50:45 2011 TLS-Auth MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Mar 1 17:50:45 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]
Tue Mar 1 17:50:45 2011 ROUTE default_gateway=192.168.0.1
Tue Mar 1 17:50:45 2011 TUN/TAP device tun0 opened
Tue Mar 1 17:50:45 2011 TUN/TAP TX queue length set to 100
Tue Mar 1 17:50:45 2011 /sbin/ifconfig tun0 192.168.3.1 pointopoint 192.168.3.2 mtu 1500
Tue Mar 1 17:50:45 2011 /sbin/route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.3.2
Tue Mar 1 17:50:45 2011 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 1 15:50:46 2011 chroot to '/var/empty' and cd to '/' succeeded
Tue Mar 1 15:50:46 2011 GID set to _openvpn
Tue Mar 1 15:50:46 2011 UID set to _openvpn
Tue Mar 1 15:50:46 2011 UDPv4 link local (bound): 192.168.0.104:1194
Tue Mar 1 15:50:46 2011 UDPv4 link remote: [undef]
Tue Mar 1 15:50:46 2011 MULTI: multi_init called, r=256 v=256
Tue Mar 1 15:50:46 2011 IFCONFIG POOL: base=192.168.3.4 size=62
Tue Mar 1 15:50:46 2011 Initialization Sequence Completed
Tue Mar 1 15:50:50 2011 MULTI: multi_create_instance called
Tue Mar 1 15:50:50 2011 192.168.0.103:1520 Re-using SSL/TLS context
Tue Mar 1 15:50:50 2011 192.168.0.103:1520 LZO compression initialized
Tue Mar 1 15:50:50 2011 192.168.0.103:1520 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Mar 1 15:50:50 2011 192.168.0.103:1520 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 1 15:50:50 2011 192.168.0.103:1520 Local Options hash (VER=V4): '162b04de'
Tue Mar 1 15:50:50 2011 192.168.0.103:1520 Expected Remote Options hash (VER=V4): '9e7066d2'
Tue Mar 1 15:50:50 2011 192.168.0.103:1520 TLS: Initial packet from 192.168.0.103:1520, sid=d807a18f cad64e50
Tue Mar 1 15:50:50 2011 192.168.0.103:1520 VERIFY OK: depth=1, /C=UA/ST=KH/L=Kharkov/O=BMW/CN=pitbull/name=alex/emailAddress=pitbull1988@mail.ru
Tue Mar 1 15:50:50 2011 192.168.0.103:1520 VERIFY OK: depth=0, /C=UA/ST=KH/L=Kharkov/O=BMW/CN=client1/emailAddress=pitbull1988@mail.ru
Tue Mar 1 15:50:50 2011 192.168.0.103:1520 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Mar 1 15:50:50 2011 192.168.0.103:1520 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 1 15:50:50 2011 192.168.0.103:1520 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Mar 1 15:50:50 2011 192.168.0.103:1520 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 1 15:50:50 2011 192.168.0.103:1520 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Mar 1 15:50:50 2011 192.168.0.103:1520 [client1] Peer Connection Initiated with 192.168.0.103:1520
Tue Mar 1 15:50:50 2011 client1/192.168.0.103:1520 MULTI: Learn: 192.168.3.6 -> client1/192.168.0.103:1520
Tue Mar 1 15:50:50 2011 client1/192.168.0.103:1520 MULTI: primary virtual IP for client1/192.168.0.103:1520: 192.168.3.6
Tue Mar 1 15:50:52 2011 client1/192.168.0.103:1520 PUSH: Received control message: 'PUSH_REQUEST'
Tue Mar 1 15:50:52 2011 client1/192.168.0.103:1520 SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 192.168.3.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.3.6 192.168.3.5' (status=1)
Tue Mar 1 15:53:03 2011 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Tue Mar 1 15:53:13 2011 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
ipconfig /all
Local Area Connection - Ethernet adapter:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
        Physical Address. . . . . . . . . : 08-00-27-6C-D4-B2
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.103
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
        Lease Obtained. . . . . . . . . . : 1 March 2011 16:39:58
        Lease Expires . . . . . . . . . . : 8 March 2011 16:39:58

Подключение по локальной сети - Ethernet adapter:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : TAP-Win32 Adapter V8
        Physical Address. . . . . . . . . : 00-FF-52-2B-48-64
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.3.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 192.168.3.5
        Lease Obtained. . . . . . . . . . : 1 March 2011 17:37:50
        Lease Expires . . . . . . . . . . : 29 February 2012 17:37:50
ping 192.168.3.1 does not get through, and from the Gentoo side ping 192.168.3.6 does not get through either.
Post the iptables rules on the server as well as the routing tables from both machines.
It worked after adding this to the server config:
push "redirect-gateway def1"
Though I still don't understand what it means. What is def1?..
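The following is an added example, not code from the thread or from OpenVPN: it reconstructs the client's `route print` table posted above, looks destinations up the way Windows does (longest prefix first, then lowest metric), and then adds the routes that `redirect-gateway def1` installs according to the OpenVPN manual (a /32 host route to the VPN server via the pre-existing default gateway, plus 0.0.0.0/1 and 128.0.0.0/1 via the VPN gateway, which beat the existing 0.0.0.0/0 by prefix length without deleting it; plain `redirect-gateway` replaces the default route instead). Two things fall out of the table as posted. Before def1 there is no route sending internet destinations into the tunnel at all, which matches the title. Less obviously, the pushed 192.168.0.0/24 has metric 1 while the on-link LAN route has metric 20, so by this lookup the client's own encrypted UDP packets to 192.168.0.104 would be routed into the TAP adapter; that this is what actually broke the tunnel on the poster's machine is my assumption, the thread does not confirm it. The addresses, metrics and the sample destinations are taken from the post or chosen for illustration.

```python
"""Longest-prefix-match walk-through of the Windows client's routing table.

Added example (not from the thread). Route selection is modelled as Windows
does it: the most specific matching prefix wins, ties go to the lowest metric.
"""
from ipaddress import IPv4Address, IPv4Network

# (destination, gateway, interface, metric), reconstructed from the post's
# `route print` after OpenVPN pushed "route 192.168.0.0/24" and "route 192.168.3.1".
CLIENT_ROUTES = [
    ("0.0.0.0/0",      "192.168.0.1",   "192.168.0.103", 20),  # LAN default gateway
    ("192.168.0.0/24", "192.168.0.103", "192.168.0.103", 20),  # on-link LAN route
    ("192.168.0.0/24", "192.168.3.5",   "192.168.3.6",    1),  # pushed by the server
    ("192.168.3.1/32", "192.168.3.5",   "192.168.3.6",    1),  # pushed by the server
    ("192.168.3.4/30", "192.168.3.6",   "192.168.3.6",   30),  # TAP net30 link
]

TAP_IF = "192.168.3.6"        # client's TAP address
VPN_GW = "192.168.3.5"        # net30 peer address the server pushes as gateway
VPN_SERVER = "192.168.0.104"  # --remote in client1.ovpn
LAN_GW = "192.168.0.1"        # pre-existing default gateway
LAN_IF = "192.168.0.103"      # client's LAN address


def lookup(routes, dst):
    """Return (network, gateway, interface) the host would use for dst."""
    dst = IPv4Address(dst)
    best = None
    for net, gw, iface, metric in routes:
        net = IPv4Network(net)
        if dst in net:
            key = (net.prefixlen, -metric)  # longer prefix, then lower metric
            if best is None or key > best[0]:
                best = (key, (str(net), gw, iface))
    return best[1] if best else None


def via_tunnel(routes, dst):
    """True if packets to dst leave through the TAP adapter, i.e. into the VPN."""
    route = lookup(routes, dst)
    return route is not None and route[2] == TAP_IF


def def1_routes(routes, vpn_server, lan_gw, lan_if, vpn_gw, tap_if):
    """Table after `redirect-gateway def1`, as described in the OpenVPN manual.

    The /32 host route keeps the encrypted traffic to the server on the LAN;
    the two /1 halves override the default route by prefix length, so the
    original 0.0.0.0/0 stays in place and is restored simply by removing them.
    """
    return routes + [
        (f"{vpn_server}/32", lan_gw, lan_if, 1),
        ("0.0.0.0/1",        vpn_gw, tap_if, 1),
        ("128.0.0.0/1",      vpn_gw, tap_if, 1),
    ]


if __name__ == "__main__":
    after = def1_routes(CLIENT_ROUTES, VPN_SERVER, LAN_GW, LAN_IF, VPN_GW, TAP_IF)
    for label, table in (("before def1", CLIENT_ROUTES), ("after def1", after)):
        for dst in (VPN_SERVER, "8.8.8.8", "192.168.0.50"):
            print(f"{label:12} {dst:15} -> {lookup(table, dst)}")
```

Routing every destination into the tunnel only gives the client internet access if the server forwards it onward: net.ipv4.ip_forward must be enabled and the LAN or internet side needs a NAT (MASQUERADE) rule for 192.168.3.0/24, which is the iptables output the reply above asked for and which the thread never shows.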