This is my first attempt at setting up OpenVPN.
The server is installed on an asus wl500gp running in access point mode, i.e. there are no additional services such as DHCP or IPTABLES on it.
UDP port 8123 (the port openvpn listens on) is forwarded from the ADSL modem (PPPoE connection) to the wl500gp. The wl500gp's IP is 10.0.0.4.
openvpn startup on the wl500gp (slightly trimmed)
Code:
#!/bin/sh
# create the tun/tap device node and load the driver
mkdir -m 755 /dev/net
mknod /dev/net/tun c 10 200
insmod tun.o
# create a persistent tap0, attach it to the LAN bridge and bring it up
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
# start the daemon with the config from /opt/etc/openvpn
openvpn --daemon --cd /opt/etc/openvpn --log-append /opt/var/log/openvpb.log --config openvpn.conf
Server config (slightly trimmed)
Code:
proto udp
dev tap0
tls-server
server-bridge 10.0.0.4 255.255.255.0 10.0.0.50 10.0.0.60
push "route 10.0.0.0 255.255.255.0"
<keys>
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
port 8123
persist-tun
persist-key
verb 3
comp-lzo
max-clients 10
status openvpn-status.log
verb 3
tun-mtu 1500
fragment 1400
mssfix
Client: winxp sp2 behind NAT, with the config
Code:
tls-client
dev tap
proto udp
remote <external ip of the "server"> 8123
resolv-retry infinite
nobind
comp-lzo
verb 3
<keys>
mute 20
tun-mtu 1500
fragment 1400
mssfix
The connection seems to be established; on the server:
Code:
Jan 23 10:54:24 openvpn[183]: MULTI: multi_create_instance called
Jan 23 10:54:24 openvpn[183]: <ext. ip of client behind NAT>:1333 Re-using SSL/TLS context
Jan 23 10:54:24 openvpn[183]: <ext. ip of client behind NAT>:1333 LZO compression initialized
Jan 23 10:54:24 openvpn[183]: <ext. ip of client behind NAT>:1333 Control Channel MTU parms [ L:1578 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jan 23 10:54:24 openvpn[183]: <ext. ip of client behind NAT>:1333 Data Channel MTU parms [ L:1578 D:1400 EF:46 EB:135 ET:32 EL:0 AF:3/1 ]
Jan 23 10:54:24 openvpn[183]: <ext. ip of client behind NAT>:1333 Fragmentation MTU parms [ L:1578 D:1400 EF:45 EB:135 ET:33 EL:0 AF:3/1 ]
Jan 23 10:54:24 openvpn[183]: <ext. ip of client behind NAT>:1333 Local Options hash (VER=V4): 'e2a912d8'
Jan 23 10:54:24 openvpn[183]: <ext. ip of client behind NAT>:1333 Expected Remote Options hash (VER=V4): '9a22532e'
Jan 23 10:54:24 openvpn[183]: <ext. ip of client behind NAT>:1333 TLS: Initial packet from <ext. ip of client behind NAT>:1333, sid=0f04de14 33de8716
Jan 23 10:54:25 openvpn[183]: <ext. ip of client behind NAT>:1333 VERIFY OK: depth=1, /C=RU/ST=CA/L=Moscow/O=Poles/CN=asus/emailAddress=zyxmon@poles.org
Jan 23 10:54:25 openvpn[183]: <ext. ip of client behind NAT>:1333 VERIFY OK: depth=0, /C=RU/ST=CA/O=Poles/CN=client1/emailAddress=zyxmon@poles.org
Jan 23 10:54:26 openvpn[183]: <ext. ip of client behind NAT>:1333 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 23 10:54:26 openvpn[183]: <ext. ip of client behind NAT>:1333 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 23 10:54:26 openvpn[183]: <ext. ip of client behind NAT>:1333 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 23 10:54:26 openvpn[183]: <ext. ip of client behind NAT>:1333 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 23 10:54:26 openvpn[183]: <ext. ip of client behind NAT>:1333 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jan 23 10:54:26 openvpn[183]: <ext. ip of client behind NAT>:1333 [client1] Peer Connection Initiated with <ext. ip of client behind NAT>:1333
Jan 23 10:54:26 openvpn[183]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to
Jan 23 10:54:27 openvpn[183]: client1/<ext. ip of client behind NAT>:1333 MULTI: Learn: 00:ff:ab:19:e9:b9 -> client1/<ext. ip of client behind NAT>:1333
Jan 23 10:58:32 openvpn[183]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
Jan 23 10:58:41 openvpn[183]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
Jan 23 10:58:51 openvpn[183]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
Jan 23 10:58:52 openvpn[183]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
Jan 23 10:59:02 openvpn[183]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
Jan 23 10:59:13 openvpn[183]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
Jan 23 10:59:23 openvpn[183]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
On the client side
Code:
Wed Jan 23 11:49:11 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Wed Jan 23 11:49:11 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jan 23 11:49:11 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Jan 23 11:49:11 2008 LZO compression initialized
Wed Jan 23 11:49:11 2008 Control Channel MTU parms [ L:1578 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jan 23 11:49:11 2008 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{AB19E9B9-FA5E-4AD6-8BC8-C48161BD69B2}.tap
Wed Jan 23 11:49:11 2008 TAP-Win32 Driver Version 8.4
Wed Jan 23 11:49:11 2008 TAP-Win32 MTU=1500
Wed Jan 23 11:49:11 2008 Successful ARP Flush on interface [3] {AB19E9B9-FA5E-4AD6-8BC8-C48161BD69B2}
Wed Jan 23 11:49:11 2008 Data Channel MTU parms [ L:1578 D:1400 EF:46 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Jan 23 11:49:11 2008 Fragmentation MTU parms [ L:1578 D:1400 EF:45 EB:135 ET:33 EL:0 AF:3/1 ]
Wed Jan 23 11:49:11 2008 Local Options hash (VER=V4): '9a22532e'
Wed Jan 23 11:49:11 2008 Expected Remote Options hash (VER=V4): 'e2a912d8'
Wed Jan 23 11:49:11 2008 UDPv4 link local: [undef]
Wed Jan 23 11:49:11 2008 UDPv4 link remote: 85.141.163.242:8123
Wed Jan 23 11:49:11 2008 TLS: Initial packet from 85.141.163.242:8123, sid=a46784b2 9c5b4c02
Wed Jan 23 11:49:12 2008 VERIFY OK: depth=1, /C=RU/ST=CA/L=Moscow/O=Poles/CN=asus/emailAddress=zyxmon@poles.org
Wed Jan 23 11:49:12 2008 VERIFY OK: depth=0, /C=RU/ST=CA/O=Poles/CN=asus/emailAddress=zyxmon@poles.org
Wed Jan 23 11:49:13 2008 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jan 23 11:49:13 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 23 11:49:13 2008 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jan 23 11:49:13 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 23 11:49:13 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jan 23 11:49:13 2008 [asus] Peer Connection Initiated with <external ip behind asus ???>:8123
Wed Jan 23 11:49:15 2008 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Wed Jan 23 11:49:15 2008 Route: Waiting for TUN/TAP interface to come up...
.....
many times
......
Wed Jan 23 11:49:45 2008 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
Wed Jan 23 11:51:54 2008 TCP/UDP: Closing socket
Wed Jan 23 11:51:54 2008 Closing TUN/TAP interface
The client does not get an IP from 10.0.0.0/24. The DHCP Client service on winxp sp2 (the client) is running, firewalls are disabled.
Questions:
1. As far as I understand, the keys are fine? I didn't make a mistake there?
2. Where should I dig, the client or the server?
3. Or is the idea wrong, and tap0 can't be bridged on an access point? (It runs Samba3, vsftpd and dropbear for the LAN; currently forwarded to the outside.)
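As an added example (not code from the original post), here is a small Python triage script that reads logs like the two quoted above and reports what they establish: whether certificate verification and the TLS handshake succeeded on both sides (question 1), which side reports the failure (question 2), and the client-side "No server certificate verification method" warning that OpenVPN prints when the client config lacks `ns-cert-type server`. The sample logs are constructed from the post with RFC 5737 placeholder addresses; the marker names and the wording of the findings are my own.

```python
"""Triage for OpenVPN 2.0 server and client logs of the kind quoted in the post.

Added example, not code from the original post.  It counts the log markers
that bear on the post's questions and turns them into findings.  The sample
logs below are constructed from the post; addresses are documentation
placeholders (RFC 5737).
"""
import re

# Constructed sample: abridged server log, placeholder addresses.
SERVER_LOG = """\
Jan 23 10:54:25 openvpn[183]: 203.0.113.9:1333 VERIFY OK: depth=1, /C=RU/ST=CA/O=Poles/CN=asus
Jan 23 10:54:25 openvpn[183]: 203.0.113.9:1333 VERIFY OK: depth=0, /C=RU/ST=CA/O=Poles/CN=client1
Jan 23 10:54:26 openvpn[183]: 203.0.113.9:1333 [client1] Peer Connection Initiated with 203.0.113.9:1333
Jan 23 10:54:27 openvpn[183]: client1/203.0.113.9:1333 MULTI: Learn: 00:ff:ab:19:e9:b9 -> client1/203.0.113.9:1333
Jan 23 10:58:32 openvpn[183]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
Jan 23 10:58:41 openvpn[183]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
"""

# Constructed sample: abridged client log, placeholder addresses.
CLIENT_LOG = """\
Wed Jan 23 11:49:11 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Jan 23 11:49:12 2008 VERIFY OK: depth=1, /C=RU/ST=CA/O=Poles/CN=asus
Wed Jan 23 11:49:12 2008 VERIFY OK: depth=0, /C=RU/ST=CA/O=Poles/CN=asus
Wed Jan 23 11:49:13 2008 [asus] Peer Connection Initiated with 192.0.2.1:8123
Wed Jan 23 11:49:15 2008 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 23 11:49:45 2008 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
Wed Jan 23 11:51:54 2008 TCP/UDP: Closing socket
"""

# Marker name -> regex matched against each log line.
MARKERS = {
    "verify_depth1": re.compile(r"VERIFY OK: depth=1"),
    "verify_depth0": re.compile(r"VERIFY OK: depth=0"),
    "peer_connected": re.compile(r"Peer Connection Initiated"),
    "no_server_cert_check": re.compile(r"No server certificate verification method"),
    "tap_waiting": re.compile(r"Waiting for TUN/TAP interface to come up"),
    "init_with_errors": re.compile(r"Initialization Sequence Completed With Errors"),
    "econnrefused": re.compile(r"read UDPv4 \[ECONNREFUSED\]"),
    "socket_closed": re.compile(r"TCP/UDP: Closing socket"),
}


def triage(log_text):
    """Return how many lines of one log match each marker."""
    counts = {key: 0 for key in MARKERS}
    for line in log_text.splitlines():
        for key, pattern in MARKERS.items():
            if pattern.search(line):
                counts[key] += 1
    return counts


def diagnose(server_log, client_log):
    """Combine the marker counts of both logs into a list of findings."""
    srv, cli = triage(server_log), triage(client_log)
    findings = []
    # Both sides verified the CA (depth=1) and the peer cert (depth=0) and
    # finished the TLS handshake: the key material is not the problem.
    tls_ok = all(x["verify_depth1"] and x["verify_depth0"] and x["peer_connected"]
                 for x in (srv, cli))
    if tls_ok:
        findings.append("tls_ok: both sides verified the peer certificate chain and "
                        "reached 'Peer Connection Initiated'; the keys are fine.")
    # The tunnel is up but the Windows TAP adapter never got an address.
    if cli["tap_waiting"] and cli["init_with_errors"]:
        findings.append("client_tap_no_address: TLS is up, but the TAP-Win32 adapter "
                        "never came up, so no address from the server-bridge pool "
                        "was applied; investigate the client's TAP adapter/DHCP first.")
    # Without ns-cert-type server, any certificate signed by the same CA
    # (e.g. another client's) would be accepted as the server.
    if cli["no_server_cert_check"]:
        findings.append("client_no_server_cert_check: the client does not check that the "
                        "peer certificate is a server certificate; add 'ns-cert-type server' "
                        "(OpenVPN 2.0) so another client certificate cannot pose as the server.")
    # On Linux a UDP read failing with ECONNREFUSED means an ICMP port-unreachable
    # came back from the peer address: the client stopped listening.
    if srv["econnrefused"] and cli["socket_closed"]:
        findings.append("server_econnrefused: the server's UDP reads fail with ECONNREFUSED, "
                        "i.e. ICMP port-unreachable from the client after it closed its "
                        "socket; a consequence of the client giving up, not the cause.")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SERVER_LOG, CLIENT_LOG):
        print(finding)
```

Note that `ns-cert-type server` only works if the server certificate was issued with the nsCertType=server extension (easy-rsa's `build-key-server` does this); with a plain client-style certificate on the server, the client would reject the connection after adding the option.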