Ïðîáëåìû ñ OpenVPN. Ïðîøó ïîìîùè!

[Lupo_Alberto]

?

Code:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

[walkera]

Ñïàñèáî áîëüøîå!! Çàðàáîòàëî!

ïîäñêàæèòå åùå ïëèç...

êàê çàðîóòèòü òàê... ÷òîáû òîëüêî ÷åðåç âïí áûë äîñòóï â èíåò âñåì þçåðàì?
à îñòàëüíîå âñå áëî÷èëîñü ÷òîáû...

äëÿ ñëó÷àåâ ðàçðûâîâ ñâÿçè ñ âïíîì õî÷ó ñäåëàòü..
÷òîáû íåáûëî âèäíî ðåàëüíûé àéïè....

?

Code:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

[bvv]

Äîáðûé äåíü.

ïîìîãèòå ðàçîáðàòüñÿ ñ ïðè÷èíîé: openvpn ïðè çàïóñêå íå èíèöèàëèçèðóåò èíòåðôåéñ tun0, â ñèñòåìíûé ëîã ïèøåòñÿ ñîîáùåíèå â ìîìåíò çàãðóçêè ìîäóëÿ tun.o èç ñòàðòîâîãî ñêðèïòà âèäà:

kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
kernel: devfs_register(net/tun): could not append to parent, err: -17

Ðîóòåð: Asus WL-500gP V2
Ïðîøèâêà: WL500gpv2-1.9.2.7-d-r1087.trx

mkdir /dev/net
mknod /dev/net/tun c 10 200
- äåëàë...

[OlegaVB]

Ó ìåíÿ â post-boot çàãðóæàåòñÿ

Code:

if ( [ ! -c /dev/net/tun ] ) then
    # Make /dev/net directory if needed
    if ( [ ! -d /dev/net ] ) then
        mkdir -m 755 /dev/net
    fi
    mknod /dev/net/tun c 10 200
fi

# Make sure the tunnel driver is loaded
if ( !(lsmod | grep -q "^tun") ); then
    insmod tun.o
fi

Ïîñìîòðåë â ëîãè, òà æå îøèáêà, íî ðàáîòàåò

Code:

Jan  1 05:00:22 kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
Jan  1 05:00:22 kernel: devfs_register(net/tun): could not append to parent, err: -17

[XpoHuk]

Äîáðûé äåíü.
Ó ìåíÿ âîçíèêëà ïðîáëåìà, âîîáùåì ÿ íàñòðîèë openVPN íà WL500gP êàê ñêàçàíî â
Óñòàíîâêà openvpn â îñíîâíóþ ïàìÿòü äëÿ ÍÎÂÈ×ÊÎÂ
Âñå âðîäå õîðîøî... âñå ðàáîòåò... âîò òîëüêî ñêîðîñòü î÷åíü íèçêàÿ ïîðÿäêà 300 - 400 kb/s
Ïîäñêàæèòå, êàê ìîæíî óâåëè÷èòü ñêîðîñòü?
Ñïàñèáî.

[Romeo9128]

Äîáðîé íî÷è, óâàæàåìûå ôîðóì÷àíå!
Çàäàëñÿ âîïðîñîì î ïîäíÿòèè OenVPN-ñåðâåðà â ðåæèìå tap (ïðåñëåäîâàë öåëü ïîäêëþ÷èòü íåñêîëüêèõ ïîëüçîâàòåëåé èç èíåòà ê ðåñóðñàì âíóòðåííèåé ëîêàëêè). Ðàíüøå äîáëñÿ ðàáîòû ñåé ñîôòèíû â ðåæèìå tun - ò.å. â ðæèìå "ðîóòåðà" (ðàáîòàëî íî òîëüêî ñ îäíèì ïîäêëþ÷¸ííûì êëèåíòîì.)
Äåëàë âñ¸ èçó÷èâ ñëåäóþùèå ìàíóàëû:
Íåñêîëüêî êëèåíòîâ ïî OpenVPN - http://wl500g.info/showthread.php?t=9784
Ïîìîãèòå îáúÿñíèòü ïîâåäåíèå OpenVPN - http://wl500g.info/showthread.php?t=...hlight=openvpn
Óñòàíîâêà openvpn â îñíîâíóþ ïàìÿòü äëÿ ÍÎÂÈ×ÊΠ- http://wl500g.info/showthread.php?t=8880&page=6
FAQ: OpenVPN (áûëî - Ïîìîãèòå íàñòðîèòü OpenVPN) ! - http://forum.ixbt.com/topic.cgi?id=14:40906

Ïîñëå äîëãèõ ìó÷åíèé è ñåðâåð è êëèåíò ïåðåñòàëè ðóãàòüñÿ íà êîíôèãè, ñåðâåð çàïóñòèëñÿ.
Êîíôèãè ñëåäóþùèå:
server.conf

Code:

dev tap0
proto tcp-server
server-bridge 10.0.0.1 255.255.255.0 10.0.0.50 10.0.0.60
client-to-client
tls-server
dh /opt/etc/openvpn/keys/dh1024.pem
ca /opt/etc/openvpn/keys/ca.crt
cert /opt/etc/openvpn/keys/server.crt
key /opt/etc/openvpn/keys/server.key
port 1194
keepalive 10 120
persist-tun
persist-key
verb 3

client.ovpn

Code:

ca ca.crt
cert client.crt
key client.key
dev tap0
tls-client
remote 192.168.1.1:1194
port 1194
proto udp
persist-tun
persist-key
verb 3

route-delay 10
route-gateway 10.8.0.2

ÍÎ!!
Ïðè çàïóñêå êëèåíòñêîãî ñîåäèíåèÿ ëîã ïîñòåïåííî çàïîëíÿåòñÿ ñîîáùåíèÿìè ñëåäóþùåãî õàðàêòåðà:
Thu May 08 00:15:17 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)

Ïîãóãëèâ âîïðîñ íàø¸ë èíôó ÷òî ýòè îøèáêè - îøèáêè ðàáîòû ñ ñîêåòîì - è âûäà¸ò èõ âèíäà.

Ëåçåì â ôàåðâîë:

Code:

[admin@(none) /]$ iptables -L -nv --line-numbers
Chain INPUT (policy ACCEPT 860 packets, 111K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
2       84  3528 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:1194
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:1194
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
5     5122  745K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
6      293 17580 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          state NEW
7     2454  766K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          state NEW
8        3   156 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1        tcp dpt:80
9        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1        tcp dpt:8081
10       4   244 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
11       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:81
12       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:80
13       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22000
14       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:23
15       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21
16       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:59970
17       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:64255
18       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:39309

Chain FORWARD (policy ACCEPT 52 packets, 2664 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  *      *       192.168.210.10       192.168.1.10
4        0     0 ACCEPT     all  --  *      *       192.168.213.76       192.168.1.10
5        0     0 ACCEPT     all  --  *      *       192.168.211.14       192.168.1.10
6        0     0 ACCEPT     all  --  *      *       192.168.217.3        192.168.1.10
7        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
8        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
9       80  3992 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x02 TCPMSS clamp to PMTU
10    2351 1438K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
11      51  2624 MAC_IP     all  --  *      !br0    0.0.0.0/0            0.0.0.0/0
12       0     0 DROP       all  --  !br0   ppp0    0.0.0.0/0            0.0.0.0/0
13       0     0 DROP       all  --  !br0   vlan1   0.0.0.0/0            0.0.0.0/0
14      31  1488 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          ctstate DNAT
15       0     0 DROP       all  --  *      br0     0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 7723 packets, 1428K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0

Chain MACS (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain MAC_IP (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        9   432 RETURN     all  --  *      *       192.168.1.3          0.0.0.0/0          MAC 00:80:48:3F:7A:9F
2        0     0 RETURN     all  --  *      *       192.168.1.4          0.0.0.0/0          MAC 00:E0:4C:DD:0D:90
3       39  2036 RETURN     all  --  *      *       192.168.1.5          0.0.0.0/0          MAC 00:1C:23:0B:1C:A4
4        0     0 RETURN     all  --  *      *       192.168.1.10         0.0.0.0/0          MAC 00:17:31:96:6E:F4
5        0     0 RETURN     all  --  *      *       192.168.1.124        0.0.0.0/0          MAC 00:02:78:89:82:13
6        3   156 RETURN     all  --  *      *       192.168.1.190        0.0.0.0/0          MAC 00:1B:77:B6:55:BB
7        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SECURITY (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x02 limit: avg 1/sec burst 5
2        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x17/0x04 limit: avg 1/sec burst 5
3        0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 5/sec burst 5
4        0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 5/sec burst 5
5        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logaccept (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW LOG flags 7 level 4 prefix `ACCEPT '
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW LOG flags 7 level 4 prefix `DROP '
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Íà ìîé âçãëÿä áëîêèðîâàòü íè÷åãî íå äîëæíî. Ïðè÷¸ì ïðè ïîïûòêå ïîäêëþ÷åíèÿ â òàáëèöå INPUT óâåëè÷èâàþòñÿ êîë-âî ïàêåòîâ è îáú¸ì äàííûõ â ïðàâèëå ¹2

Ìîæåò êòî ñòàëêèâàëñÿ ñ ïîäîáíîé ñèòóàöèåé? Ïîäñêàæèò ïîæàëóéñòî, ãäå íàêîñÿ÷èëè ìîè êðèâûå ðó÷¸íêè!

Ïðîáîâàë è ñ âîò ýòèìè ïðàâèëàìè èç îäíîãî ìàíóàëà

Code:

#!/bin/sh
iptables -D INPUT -j DROP

# enable access from WAN

iptables -t nat -I PREROUTING -p udp --dport 1194 -j ACCEPT
iptables        -I INPUT      -p udp --dport 1194 -j ACCEPT

iptables -I INPUT   -i tap0 -j ACCEPT
iptables -I FORWARD -i tap0 -j ACCEPT

È ñ âîò ýòèìè ïðàâèëàìè èç äðóãîãî ìàíóàëà:

Code:

iptables -A INPUT -i tap0 -j ACCEPT

P.S. Íà êîìïå ñ êîòîðîãî ïûòàþñü ïîäêëþ÷èòüñÿ ôàåðâîëîâ íåò. Âèíäîâûé áðàíäìàóýð îòêëþ÷¸í. Âèíäà -XP SP2.
Çàðàíèå áëàãîäàðåí âñåì îòêëèêíóâøèìñÿ!

[Romeo9128]

Ïîìåíÿë â ïîñò-ôàåðâîëë ïðàâèëà:

Code:

iptables -D INPUT -j DROP
iptables -I INPUT -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -I PREROUTING -i eth1 -p udp --dport 1194 -j DNAT --to-destination $4:1194
iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 1194 -j DNAT --to-destination $4:1194
echo "post-firewall: TCP/UDP ports for OpenVPN OPENED OK ! " >> /tmp/syslog.log

iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT
echo "post-firewall: Connections from tap0 OPENED OK ! " >> /tmp/syslog.log

íà

Code:

iptables -D INPUT -j DROP
iptables -I INPUT -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -I PREROUTING -i eth1 -p udp --dport 1194 -j DNAT --to-destination $4:1194
iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 1194 -j DNAT --to-destination $4:1194
echo "post-firewall: TCP/UDP ports for OpenVPN OPENED OK ! " >> /tmp/syslog.log

iptables -I INPUT -i tap0 -j ACCEPT
iptables -I FORWARD -i tap0 -j ACCEPT
iptables -I FORWARD -o tap0 -j ACCEPT
iptables -I OUTPUT -o tap0 -j ACCEPT
echo "post-firewall: Connections from tap0 OPENED OK ! " >> /tmp/syslog.log

Îøèáêè ñ â òàêîì áåøåíîì êîëè÷åñòâå (WSAECONNRESET) (code=10054) ïðåêðàòèëèñü. Òåïåðü ëîã ñîåäèíåíèÿ âûãëÿäèò òàê:

Code:

Thu May 08 00:51:17 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Thu May 08 00:51:17 2008 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu May 08 00:51:17 2008 Control Channel MTU parms [ L:1573 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu May 08 00:51:17 2008 TAP-WIN32 device [Ïîäêëþ÷åíèå ïî ëîêàëüíîé ñåòè 4] opened: \\.\Global\{3801AE01-AD71-435A-9B1C-62E3F802F5C8}.tap
Thu May 08 00:51:17 2008 TAP-Win32 Driver Version 8.4 
Thu May 08 00:51:17 2008 TAP-Win32 MTU=1500
Thu May 08 00:51:17 2008 Successful ARP Flush on interface [19] {3801AE01-AD71-435A-9B1C-62E3F802F5C8}
Thu May 08 00:51:17 2008 Data Channel MTU parms [ L:1573 D:1450 EF:41 EB:4 ET:32 EL:0 ]
Thu May 08 00:51:17 2008 Local Options hash (VER=V4): '2c50bd2c'
Thu May 08 00:51:17 2008 Expected Remote Options hash (VER=V4): '0ddbb6e3'
Thu May 08 00:51:17 2008 UDPv4 link local (bound): [undef]:1194
Thu May 08 00:51:17 2008 UDPv4 link remote: 62.140.252.29:1194

òóò ñîåäèåíèå êàê-áû ïîäâèñàåò íà 60 ñåêóíä è âûäà¸òñÿ ñëåäóþùàÿ îøèáêà:

Thu May 08 00:51:21 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Thu May 08 00:52:18 2008 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu May 08 00:52:18 2008 TLS Error: TLS handshake failed
Thu May 08 00:52:18 2008 TCP/UDP: Closing socket
Thu May 08 00:52:18 2008 SIGUSR1[soft,tls-error] received, process restarting
Thu May 08 00:52:18 2008 Restart pause, 2 second(s)

â ÷¸ì ÿ íàêîñÿ÷èë? ïîäñêàæèòå ïîäàëóéñòî!

[tchaynik]

Âîïðîñ â ñëåäóþùåì:
Ìîæíî ëè â èìåþùóþñÿ ïðîøèâêó äîáàâèòü openVPN server?
Âíåøíþþ ôëåøêó íåîõîòà öåïëÿòü. Äà è íåòó åå ïîä ðóêîé.
À âîò openVPN äëÿ äîñòóïà âî âíóòðåííþþ ñåòü î÷åíü äàæå íóæåí
ïîëüçîâàòåëåé âïí-à ïëàíèðóåòñÿ 3-5.
Æåëåçî: wl-500gP ïðîö ðàçîãíàí äî 300. ïîòóãè äóìàþ äîëæíî õâàòèòü
Ïðîøèâêà: 1.9.2.7-7f îò Îëåãà

Ïî ïîâîäó óñòàíîâêè ïðîãðàìì â èìåþùóþñÿ ôëåø áûëà óæå âðîäå òåìà, íî îíà òàê êðàñèâî óïëûëà â ñòîðîíó äîáàâëåíèÿ îïåðàòèâêè ÷òî äàæå è íåïîíÿòíî, ñòîèò òóäà åù¸ ïèñàòü ïî ýòîìó ïîâîäó.

[n0isy]

Ìîæíî äàæå è íå âî âíóòðåííþþ... êàê õîòü íîðìàëüíî íà ôëýøêó íàñòðîèòü???

[tchaynik]

Ìîæíî äàæå è íå âî âíóòðåííþþ... êàê õîòü íîðìàëüíî íà ôëýøêó íàñòðîèòü???

Íà ôëåøêó - ÷èòàé òóò
http://wl500g.info/showthread.php?t=5495
http://wl500g.info/showthread.php?t=...hlight=openvpn

[barby]

Äîáðûé äåíü!

Ïîäñêàæèòå ïîæàëóéñòà, åñòü ëè ðåøåíèå òàêîé ïðîáëåìû:
ó ìåíÿ äîìà ñòîèò WL-500gP, ïîäêëþ÷åííûé ê èíòåðíåòó ñ âíåøíèì IP. Õîòåëîñü áû ñäåëàòü èç íåãî øèôðóþùèé ïðîêñè-ñåðâåð, âèäèìûé èçâíå, ÷òîáû ÿ ìîã ïðîïèñàòü åãî â áðàóçåðå íà ðàáîòå, êàê îáû÷íûé ïðîêñè. Ò.å. ÿ õî÷ó äîáèòüñÿ òîãî, ÷òîáû ìîé òðàôèê íå ñìîã ïîíÿòü àäìèíèñòðàòîð ðàáî÷åé ñåòè. Ïî íàãðóçêå - êà÷àòü ìíîãî íå áóäó, ëåãêèé áðàóçèíã è ïåðåïèñêà ïî ICQ.

[Mirage-net]

Äîáðûé äåíü!

Ïîäñêàæèòå ïîæàëóéñòà, åñòü ëè ðåøåíèå òàêîé ïðîáëåìû:
ó ìåíÿ äîìà ñòîèò WL-500gP, ïîäêëþ÷åííûé ê èíòåðíåòó ñ âíåøíèì IP. Õîòåëîñü áû ñäåëàòü èç íåãî øèôðóþùèé ïðîêñè-ñåðâåð, âèäèìûé èçâíå, ÷òîáû ÿ ìîã ïðîïèñàòü åãî â áðàóçåðå íà ðàáîòå, êàê îáû÷íûé ïðîêñè. Ò.å. ÿ õî÷ó äîáèòüñÿ òîãî, ÷òîáû ìîé òðàôèê íå ñìîã ïîíÿòü àäìèíèñòðàòîð ðàáî÷åé ñåòè. Ïî íàãðóçêå - êà÷àòü ìíîãî íå áóäó, ëåãêèé áðàóçèíã è ïåðåïèñêà ïî ICQ.

Ñòàâèòå íà ðîóòåðå openvpn èëè poptop ñîåäèíÿåòåñü ñ ðàáîòû è âïåðåä

[barby]

À ÷òî èç ýòîãî, èñõîäÿ èç ïðîñòîòû è áûñòðîòû íàñòðîéêè?

[Mirage-net]

À ÷òî èç ýòîãî, èñõîäÿ èç ïðîñòîòû è áûñòðîòû íàñòðîéêè?

Òðàôèê â VPN ñîåäèíåíèè øèôðóåòñÿ (ïðè÷åì ÂÅÑÜ) òîåñòü íå òîëüêî HTTP è ICQ íî è FTP SMTP POP3 è ò.ä. ... Ïðîêñè-ñåðâåð ýòîãî äåëàòü íå áóäåò

[barby]

Âîò èìåííî ÂÅÑÜ òðàôèê ìíå è íå íàäî øèôðîâàòü.

P.S. À êàê æå https?..