Íàñòðîéêà êëèåíòà è ñåðâåðà OpenVPN íà ðîóòåðå

[walkera]

Ïåðå÷èòàë âñå âåòêè ïî openvpn íà ôîðóìå...
Óáèë êó÷ó âðåìåíè íî òàê è íè÷åãî íå âûõîäèò...

ïðîáûâàë ðàçíûå ðîóòèíãè íî íè÷åãî íå âûøëî..
ïîìîãèòå..

[root@WL-0022152B6042 openvpn]$ /opt/sbin/openvpn --config /opt/etc/openvpn/mz.ovpn --script-security 3
Fri Sep 25 18:38:39 2009 OpenVPN 2.1_rc15 mipsel-linux [SSL] [LZO1] [EPOLL] built on Feb 23 2009
Fri Sep 25 18:38:39 2009 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Sep 25 18:38:39 2009 WARNING: file '/opt/etc/openvpn/Luxemburg-Switzerland.key' is group or others accessible
Fri Sep 25 18:38:39 2009 Control Channel MTU parms [ L:1573 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Sep 25 18:38:39 2009 Data Channel MTU parms [ L:1573 D:1450 EF:41 EB:4 ET:32 EL:0 ]
Fri Sep 25 18:38:39 2009 Local Options hash (VER=V4): '2c50bd2c'
Fri Sep 25 18:38:39 2009 Expected Remote Options hash (VER=V4): '0ddbb6e3'
Fri Sep 25 18:38:39 2009 Socket Buffers: R=[65535->131070] S=[65535->131070]
Fri Sep 25 18:38:39 2009 UDPv4 link local: [undef]
Fri Sep 25 18:38:39 2009 UDPv4 link remote: 212.123.170.162:1195
Fri Sep 25 18:38:39 2009 TLS: Initial packet from 212.123.170.162:1195, sid=b5331490 f7703835
Fri Sep 25 18:38:39 2009 VERIFY OK: depth=1, /C=NA/ST=NA/L=NA/O=vpn-service/CN=vpn-service_CA/emailAddress=admin@vpn.com
Fri Sep 25 18:38:39 2009 VERIFY OK: nsCertType=SERVER
Fri Sep 25 18:38:39 2009 VERIFY OK: depth=0, /C=NA/ST=NA/L=NA/O=vpn-service/CN=server/emailAddress=admin@vpn-service.us
Fri Sep 25 18:38:41 2009 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Fri Sep 25 18:38:41 2009 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1446'
Fri Sep 25 18:38:41 2009 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1400'
Fri Sep 25 18:38:41 2009 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Fri Sep 25 18:38:41 2009 WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
Fri Sep 25 18:38:41 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 25 18:38:41 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 25 18:38:41 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 25 18:38:41 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 25 18:38:41 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Sep 25 18:38:41 2009 [server] Peer Connection Initiated with 212.117.170.162:1195
Fri Sep 25 18:38:42 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Sep 25 18:38:42 2009 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.35.255.254,dhcp-option DNS 10.35.255.254,dhcp-option DNS 85.117.143.192,route-delay 2,redirect-gateway def1 bypass-dhcp,topology subnet,ping 30,ping-restart 120,ifconfig 10.35.0.74 255.255.0.0'
Fri Sep 25 18:38:42 2009 OPTIONS IMPORT: timers and/or timeouts modified
Fri Sep 25 18:38:42 2009 OPTIONS IMPORT: --ifconfig/up options modified
Fri Sep 25 18:38:42 2009 OPTIONS IMPORT: route options modified
Fri Sep 25 18:38:42 2009 OPTIONS IMPORT: route-related options modified
Fri Sep 25 18:38:42 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Sep 25 18:38:42 2009 ROUTE default_gateway=192.168.0.1
Fri Sep 25 18:38:42 2009 TUN/TAP device tap0 opened
Fri Sep 25 18:38:42 2009 TUN/TAP TX queue length set to 100
Fri Sep 25 18:38:42 2009 /sbin/ifconfig tap0 10.35.0.74 netmask 255.255.0.0 mtu 1500 broadcast 10.35.255.255
Fri Sep 25 18:38:44 2009 /sbin/route add -net 212.117.170.162 netmask 255.255.255.255 gw 192.168.0.1
Fri Sep 25 18:38:44 2009 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.35.255.254
Fri Sep 25 18:38:44 2009 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.35.255.254
Fri Sep 25 18:38:44 2009 Initialization Sequence Completed


âïí óñòàíàâëèâàåòñÿ , ïîñëå ÷åãî ïðîïàäàåò ñðàçó èíåò...
ïîäñêàæèòå êóäà ñìîòðåòü?

òàêèì îáðàçîì òîæå ïðîáûâàë:
/opt/sbin/openvpn --mktun --dev tap0
ifconfig tap0 0.0.0.0 promisc up
/sbin/udhcpc -i tap0 -p /var/run/udhcpc1.pid -s /tmp/udhcpc -b
ðåçóëüòàò íóëåâîé.

â ïîñòáóòå ñëåäóþùåå:
# Make device if not present (not devfs)
if ( [ ! -c /dev/net/tun ] ) then
# Make /dev/net directory if needed
if ( [ ! -d /dev/net ] ) then
mkdir -m 755 /dev/net
fi
mknod /dev/net/tun c 10 200
fi

# Make sure the tunnel driver is loaded
if ( !(lsmod | grep -q "^tun") ); then
insmod tun.o
fi

[OlegaVB]

À ÷òî Âû õîòèòå? Îòêóäà, â êàêóþ ñåòü? Êîíôèãóðàöèþ ñåòè îïèøèòå. È êîíôèã OpenVPN òîæå.

[walkera]

õî÷ó ÷òîáû êëèåíòû WL500 øëè â ñåòü óæå ïîä âïíîì.
äëÿ ñîêðûòèÿ ñâîåãî ðåàëüíîãî àéïè.

êîíô:

client
dev tap0
proto udp
remote 212.117.XX.XX
port 1195

verb 3
nobind
ca /opt/etc/openvpn/ca.crt
cert /opt/etc/openvpn/1.crt
key /opt/etc/openvpn/1.key
persist-key
persist-tun
ns-cert-type server

[OlegaVB]

À âîò ýòî îòêóäà áåðåòñÿ:

Fri Sep 25 18:38:44 2009 /sbin/route add -net 212.117.170.162 netmask 255.255.255.255 gw 192.168.0.1
Fri Sep 25 18:38:44 2009 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.35.255.254
Fri Sep 25 18:38:44 2009 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.35.255.254

Êîíôèã ñåðâåðà äàâàéòå. tap0 äîëæåí áûòü øëþçîì ïî óìîë÷àíèþ äëÿ êëèåíòà.

[walkera]

ñàì openvpn âûäàåò....

äåëî â òîì ÷òî ýòî VPN ñåðâèñ êóïëåíûé...

è êîíôèãà ñåðâåðà ó ìåíÿ íåò...

äà è ýòè ðîóòèíãè ìîæíî óäàëèòü ïðè æåëàíèè... ùàñ ïîïðîáóþ...

èòàê.. çàïóñòèë openvpn... ïîñëå ÷åãî ñäåëàë:
route del -net 212.117.170.162 netmask 255.255.255.255 gw 192.168.0.1
route del -net 0.0.0.0 netmask 128.0.0.0 gw 10.35.255.254
route del -net 128.0.0.0 netmask 128.0.0.0 gw 10.35.255.254

ñàì Open Îòâàëèëñÿ... èíåò çàðàáîòàë.. íî áåç âïíà åñòåñòâåííî...
Fri Sep 25 19:30:04 2009 Initialization Sequence Completed
Fri Sep 25 19:30:20 2009 read UDPv4 [EHOSTUNREACH|EHOSTUNREACH]: No route to host (code=148)
Fri Sep 25 19:30:26 2009 read UDPv4 [EHOSTUNREACH|EHOSTUNREACH]: No route to host (code=148)
Fri Sep 25 19:30:29 2009 read UDPv4 [EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH]: No route to host (code=148)
Fri Sep 25 19:30:32 2009 read UDPv4 [EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH]: No route to host (code=148)
Fri Sep 25 19:30:35 2009 read UDPv4 [EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH]: No route to host (code=148)
Fri Sep 25 19:30:38 2009 read UDPv4 [EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH]: No route to host (code=148)

[walkera]

Òàáëèöà ðîóòèíãà äî çàïóñêà openvpn:

192.168.0.1 * 255.255.255.255 UH 0 0 0 WAN eth1
192.168.0.0 * 255.255.255.0 U 0 0 0 LAN br0
192.168.0.0 * 255.255.255.0 U 0 0 0 WAN eth1
default 192.168.0.1 0.0.0.0 UG 0 0 0 WAN eth1

(èíåò ïîäõâàòûâàåòñÿ ñ äðóãîé òî÷êè äîñòóïà)

Òàáëèöà ïîñëå çàïóñêà Open'a:

192.168.0.1 * 255.255.255.255 UH 0 0 0 WAN eth1
212.117.170.162 192.168.0.1 255.255.255.255 UGH 0 0 0 WAN eth1
192.168.0.0 * 255.255.255.0 U 0 0 0 LAN br0
192.168.0.0 * 255.255.255.0 U 0 0 0 WAN eth1
10.35.0.0 * 255.255.0.0 U 0 0 0 WAN tap0
default 10.35.255.254 128.0.0.0 UG 0 0 0 WAN tap0
128.0.0.0 10.35.255.254 128.0.0.0 UG 0 0 0 WAN tap0
default 192.168.0.1 0.0.0.0 UG 0 0 0 WAN eth1

[OlegaVB]

Åñëè

ñàì openvpn âûäàåò....

äåëî â òîì ÷òî ýòî VPN ñåðâèñ êóïëåíûé...

Òàê ïîïðîñèòå ó íèõ ïðàâèëüíûé êîíôèã äëÿ êëèåíòà.

[walkera]

Åñëè
Òàê ïîïðîñèòå ó íèõ ïðàâèëüíûé êîíôèã äëÿ êëèåíòà.

À ÷åì îí íåïðàâèëüíûé? Ñ êîìïüþòåðà ðàáîòàåò ïðåêðàñíî âñå..

[OlegaVB]

À ÷åì îí íåïðàâèëüíûé? Ñ êîìïüþòåðà ðàáîòàåò ïðåêðàñíî âñå..

Òîãäà è ñ ðîóòåðà äîëæåí ðàáîòàòü. Îí è ðàáîòàåò - ñîåäèíåíèå æå óñòàíàâëèâàåòñÿ.
Îïèøèòå êîíêðåòíåå ÷òî Âû õîòèòå.
×òî çíà÷èò

âïí óñòàíàâëèâàåòñÿ , ïîñëå ÷åãî ïðîïàäàåò ñðàçó èíåò...

Ïèíã ñ ðîóòåðà íà ya.ru ïðîõîäèò?

[Power]

1. Âû íå ïðîáîâàëè îáðàòèòü âíèìàíèå íà ñëåäóþùèå ïðåäóïðåæäåíèÿ è èçìåíèòü ñâîé êîíôèã ñîîòâåòñòâåííî?

Fri Sep 25 18:38:41 2009 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Fri Sep 25 18:38:41 2009 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1446'
Fri Sep 25 18:38:41 2009 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1400'
Fri Sep 25 18:38:41 2009 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Fri Sep 25 18:38:41 2009 WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'

2.

Òàáëèöà ðîóòèíãà äî çàïóñêà openvpn:

Code:

192.168.0.1     *               255.255.255.255 UH    0      0        0 WAN eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 LAN br0
192.168.0.0     *               255.255.255.0   U     0      0        0 WAN eth1
default         192.168.0.1     0.0.0.0         UG    0      0        0 WAN eth1

(èíåò ïîäõâàòûâàåòñÿ ñ äðóãîé òî÷êè äîñòóïà)

Òàáëèöà ïîñëå çàïóñêà Open'a:

Code:

192.168.0.1     *               255.255.255.255 UH    0      0        0 WAN eth1
212.117.170.162 192.168.0.1     255.255.255.255 UGH   0      0        0 WAN eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 LAN br0
192.168.0.0     *               255.255.255.0   U     0      0        0 WAN eth1
10.35.0.0       *               255.255.0.0     U     0      0        0 WAN tap0
default         10.35.255.254   128.0.0.0       UG    0      0        0 WAN tap0
128.0.0.0       10.35.255.254   128.0.0.0       UG    0      0        0 WAN tap0
default         192.168.0.1     0.0.0.0         UG    0      0        0 WAN eth1

Ìàðøðóòû âðîäå íîðìàëüíûå (òå, ÷òî äîáàâëÿåò openvpn - íóæíû, ýòî êàê ðàç øëþç ïî óìîë÷àíèþ è ìàðøðóò äî ñåðâåðà â îáõîä íîâîãî øëþçà). Òîëüêî ìíå êàæóòòñÿ ñòðàííûìè äâà ìàðøðóòà

Code:

192.168.0.0     *               255.255.255.0   U     0      0        0 LAN br0
192.168.0.0     *               255.255.255.0   U     0      0        0 WAN eth1

Ïîëó÷àåòñÿ, ó âàñ ñåòü 192.168.0.0/24 âèñèò íà äâóõ èíòåðôåéñàõ.

3. Âîçìîæíî, ó âàñ ïðîáëåìû ñ ÄÍÑ. ïîïðîáóéòå ïîïèíãîâàòü ÷òî-íèáóäü ïî IP-àäðåñó.

4. Âîçìîæíî, íóæíî íàñòðîèòü iptables (íàïðèìåð, NAT). Ïîêàæèòå, ÷òî âûâîäèò "iptables-save" ïðè óñòàíîâëåííîì openvpn-ñîåäèíåíèè.

[walkera]

×òî êàñàåòñÿ ÄÍÑîâ ïîõîæå âñå âïîðÿäêå:

[root@WL-0022152B6042 root]$ ping ya.ru
PING ya.ru (77.88.21.8): 56 data bytes

--- ya.ru ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
[root@WL-0022152B6042 root]$


Äàëåå âûâîä ip-tables... 192.168.0.111 ip ñàìîãî ðîóòåðà ïðè ïîäêëþ÷åíèè ê äðóãîìó âàéôàé ðîóòåðó.

Code:

[root@WL-0022152B6042 root]$ iptables-save
# Generated by iptables-save v1.2.7a on Sat Sep 26 17:54:54 2009
*nat
:PREROUTING ACCEPT [27:3491]
:POSTROUTING ACCEPT [76:4662]
:OUTPUT ACCEPT [77:4990]
:VSERVER - [0:0]
-A PREROUTING -d 192.168.0.111 -j VSERVER
-A PREROUTING -d 192.168.0.111 -p udp -m udp --sport 6112 -j NETMAP --to 192.168.0.0/24
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 6112 -j NETMAP --to 192.168.0.111/32
-A POSTROUTING -s ! 192.168.0.111 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -o br0 -j MASQUERADE
COMMIT
# Completed on Sat Sep 26 17:54:54 2009
# Generated by iptables-save v1.2.7a on Sat Sep 26 17:54:54 2009
*mangle
:PREROUTING ACCEPT [1224:106043]
:INPUT ACCEPT [1204:103666]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1244:121406]
:POSTROUTING ACCEPT [1244:121406]
COMMIT
# Completed on Sat Sep 26 17:54:54 2009
# Generated by iptables-save v1.2.7a on Sat Sep 26 17:54:54 2009
*filter
:INPUT ACCEPT [1204:103666]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1244:121406]
COMMIT
# Completed on Sat Sep 26 17:54:54 2009

Ïðîáûâàë âñå ðàçëè÷íûå âàðèàöèè óêàçàíèÿ ip-tables êîòîðûå áûëè íà ôîðóìå íåïîìîãëî... åñëè òîëüêî ïîäñêàæèòå ÷òîòî êîíêðåòíîå...

×òî êàñàåòñÿ âàðíèíãîâ openvpn'a íî íå äóìàþ ÷òî ïðîáëåìà â ýòîì...
Ïðîñòî â ðîóòåðå âïí íåìíîãî óðåçàííûé ïîëó÷àåòñÿ.. è íå âñå îïöèè êîíôèãà ïîíèìàþ... íî íàäïèñü Peer connection initiated ñâèäåòåëüñòâóåò î òîì , ÷òî âïí ñîåäèíåíèå óñòàíîâëåíî.

×òî êàñåòñÿ ýòîãî:
192.168.0.0 * 255.255.255.0 U 0 0 0 LAN br0
192.168.0.0 * 255.255.255.0 U 0 0 0 WAN eth1

êàê ÿ ëè÷íî ïîíÿë.. òî ýòî äëÿ þçåðîâ, êîòîðûå ïîäêëþ÷àþòñÿ ê òî÷êå ÷åðåç ëàí, è ÷åðåç wan...... ìîãó îøèáàòüñÿ â ýòîì...

ñïàñèáî çà ïîìîùü.... î÷åíü õîòåëîñü áû ðàçîáðàòüñÿ â ÷åì òðàáëà òóò.

[Power]

Òîãäà ÿ äàæå íå çíàþ... Ó÷èòûâàÿ, ÷òî ÄÍÑ ó âàñ ðàáîòàåò, ìîãó ëèøü ïðåäïîëîæèòü, ÷òî ÷òî-òî íå òàê íà ñòîðîíå ñåðâåðà.

Âîò åù¸ ÷òî. Ïîïðîáóéòå òèï òóííåëÿ ñìåíèòü ñ tap íà tun.

[walkera]

Òîãäà ÿ äàæå íå çíàþ... Ó÷èòûâàÿ, ÷òî ÄÍÑ ó âàñ ðàáîòàåò, ìîãó ëèøü ïðåäïîëîæèòü, ÷òî ÷òî-òî íå òàê íà ñòîðîíå ñåðâåðà.

Âîò åù¸ ÷òî. Ïîïðîáóéòå òèï òóííåëÿ ñìåíèòü ñ tap íà tun.

ïðîáûâàë óæå.... íå ïîìîãëî...

[Kugel]

óñòàíàâëèâàþ ñîåäèíåíèå ñ MS RRAS , íî ! , îí íå ïîëó÷àåò IP,
ëîã - A connection has been established on port VPN3-12 using interface MyVPN, but no IP address was obtained.
à ïàðàìåòðîâ "remoteip" "localip",êàê â pptpd, íåòó, êàê ìîæíî ðåøèòü èëè îáîéòè ýòó ñèòóàöèþ ?

[razor]

óñòàíàâëèâàþ ñîåäèíåíèå ñ MS RRAS , íî ! , îí íå ïîëó÷àåò IP,
ëîã - A connection has been established on port VPN3-12 using interface MyVPN, but no IP address was obtained.
à ïàðàìåòðîâ "remoteip" "localip",êàê â pptpd, íåòó, êàê ìîæíî ðåøèòü èëè îáîéòè ýòó ñèòóàöèþ ?

à åñëè ñ âèíäû ïîäûìàåööà è âûäàåööà ?