1

(11 replies, posted in Thermometer)

When I was building my house I laid cables for sensors; I no longer remember exactly how many, but probably between 20 and 30. To this day the project hasn't moved any further, maybe when I retire. I connected only 3 sensors and later added metering of the whole boiler room done on an ESP. In the boiler room I have 6 sensors hooked up to the ESP. It has worked without problems for 2 years. So in your place I would run several lines and put several sensors on each of them.

2

(18 replies, posted in Software)

My MR3420 also worked fine for several years and then started behaving "strangely": some things worked, some didn't, and a clean install didn't help. It seems to me that something simply failed in it and it generated random errors because of that.

3

(46 replies, posted in Software)

Khain, I have one more question. I removed the "route_nopull" option from the router configuration, and traffic from the LAN to the internet still bypasses the VPN. At least that's how it looks to me when I look at the routing table on that router. The question is: how do I check whether traffic from the LAN to the internet goes through the VPN or directly? traceroute gives me something like this:

# traceroute www.onet.pl
traceroute to www.onet.pl (213.180.141.140), 30 hops max, 60 byte packets
 1  OpenWrt.lan (192.168.1.1)  0.373 ms  0.402 ms  0.469 ms
 2  * * *
 3  * * *
 4  89.108.200.2 (89.108.200.2)  27.748 ms  26.758 ms  28.258 ms
 5  89.108.200.83 (89.108.200.83)  28.704 ms  26.960 ms  31.789 ms
 6  onet.thinx.pl (212.91.0.86)  37.248 ms  37.194 ms  42.361 ms
 7  sdr1.m10r2.z.j.ruc-br1.link4.net.onet.pl (213.180.152.143)  43.484 ms  32.363 ms sdr1.m10r2.z.j.ruc-br1.link2.net.onet.pl (213.180.152.139)  31.373 ms
 8  * * *
 9  * * *
...
30  * * *
#

4

(46 replies, posted in Software)

khain wrote:

So you implemented the configuration I gave you incorrectly. You add the iroute option only to the client behind which that subnet is located, not to all clients. That is exactly why you were losing routing to that subnet.

Exactly. The most important thing is that it finally works. As you can see, you have to read and read and not give up. Everything is difficult before it becomes easy :)

What I'll still do is change my subnet from 192.168.1.0 to something less common. Personally I recommend this solution if someone connects to the internet over LTE without a public IP. A VPS costs about 9 PLN a month and thanks to it we have permanent access to our own resources. And I also want to run ownCloud on my Debian.

Regards

5

(46 replies, posted in Software)

I think I solved the problem, partly by trial and error, but basically I relied on this manual:
OpenVPN HowTo

and I removed the iroute line from the files in the /etc/openvpn/ccd directory, except for the file of the VPN client in the LAN (the one with OpenWrt):

tomek_itm
::::::::::::::
ifconfig-push 172.16.0.5 255.255.255.0

::::::::::::::
tomek_sgcpt
::::::::::::::
ifconfig-push 172.16.0.4 255.255.255.0

::::::::::::::
tomek_vostro
::::::::::::::
ifconfig-push 172.16.0.3 255.255.255.0

::::::::::::::
tomek_wrt160nl
::::::::::::::
ifconfig-push 172.16.0.2 255.255.255.0
iroute 192.168.1.0 255.255.255.0

Additionally, after that reading I also changed the configs for the server and the client.

Server config:

port 1194
proto udp
dev tun
mode server
tls-server

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key
cipher AES-256-CBC

server 172.16.0.0 255.255.255.0
ifconfig 172.16.0.1 255.255.255.0
topology subnet
client-config-dir /etc/openvpn/ccd
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

#push "route-gateway 172.16.0.1"
#push "redirect-gateway def1"
push "topology subnet"

keepalive 10 120
comp-lzo yes
push "comp-lzo yes"
user nobody
group nogroup
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
log /etc/openvpn/openvpn.log

verb 3

and for the client

config openvpn 'tomek_wrt160nl'
        option enabled '1'
        option dev 'tun'
        option proto 'udp'
        option cipher 'AES-256-CBC'
        option log '/tmp/openvpn.log'
        option verb '4'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/tomek_wrt160nl.crt'
        option key '/etc/openvpn/tomek_wrt160nl.key'
        option tls_auth '/etc/openvpn/ta.key'
        option client '1'
        option remote_cert_tls 'server'
        option remote 'XXX.XXX.XXX.XXX 1194'
        option comp_lzo 'adaptive'
        option log '/etc/openvpn/openvpn.log'

And now when I connect with a VPN client I don't lose the connection to my LAN. Khain, thank you once again for the support.
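A static check for exactly the mistake khain describes (an iroute for the LAN in every ccd file instead of only in the LAN router's file). This is an added example, not code from the thread or from OpenVPN; the ccd contents, server subnet and route list are constructed from the files shown above, and the function names are mine.

```python
"""Sanity checks for an OpenVPN client-config-dir (ccd).

Added example. The two ccd snapshots below are constructed from the thread:
the broken state had 'iroute 192.168.1.0 255.255.255.0' in every client file,
the fixed state keeps it only in tomek_wrt160nl (the router in front of the LAN).
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the "before" state, every client claims the LAN subnet.
CCD_BROKEN = {
    "tomek_itm":      "ifconfig-push 172.16.0.5 255.255.255.0\niroute 192.168.1.0 255.255.255.0\n",
    "tomek_sgcpt":    "ifconfig-push 172.16.0.4 255.255.255.0\niroute 192.168.1.0 255.255.255.0\n",
    "tomek_vostro":   "ifconfig-push 172.16.0.3 255.255.255.0\niroute 192.168.1.0 255.255.255.0\n",
    "tomek_wrt160nl": "ifconfig-push 172.16.0.2 255.255.255.0\niroute 192.168.1.0 255.255.255.0\n",
}
# Constructed sample: the "after" state from the post (iroute only on the LAN router).
CCD_FIXED = {
    "tomek_itm":      "ifconfig-push 172.16.0.5 255.255.255.0\n",
    "tomek_sgcpt":    "ifconfig-push 172.16.0.4 255.255.255.0\n",
    "tomek_vostro":   "ifconfig-push 172.16.0.3 255.255.255.0\n",
    "tomek_wrt160nl": "ifconfig-push 172.16.0.2 255.255.255.0\niroute 192.168.1.0 255.255.255.0\n",
}
# Taken from the server config in the post: 'server 172.16.0.0 255.255.255.0'
# and 'route 192.168.1.0 255.255.255.0'.
SERVER_NET = ipaddress.ip_network("172.16.0.0/24")
SERVER_ROUTES = [ipaddress.ip_network("192.168.1.0/24")]


def parse_ccd(text):
    """Return (ifconfig-push address or None, list of iroute networks) for one ccd file."""
    push = None
    iroutes = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "ifconfig-push" and len(parts) >= 2:
            push = ipaddress.ip_address(parts[1])
        elif parts[0] == "iroute" and len(parts) >= 2:
            # iroute takes 'network [netmask]'; a missing netmask means a host route
            mask = parts[2] if len(parts) >= 3 else "255.255.255.255"
            iroutes.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
    return push, iroutes


def check_ccd(ccd_files, server_net, server_routes):
    """Return a list of findings; an empty list means the ccd directory looks consistent.

    Checks: pushed addresses lie inside the server subnet and are unique, every
    iroute is covered by a server-side 'route', and no subnet is claimed by more
    than one client (the server keeps one internal owner per subnet, so a second
    claimant silently steals the route whenever it connects).
    """
    findings = []
    owners = defaultdict(list)     # iroute subnet -> clients that claim it
    addresses = defaultdict(list)  # pushed address -> clients that get it
    for client, text in ccd_files.items():
        push, iroutes = parse_ccd(text)
        if push is not None:
            addresses[push].append(client)
            if push not in server_net:
                findings.append(f"{client}: ifconfig-push {push} is outside the server subnet {server_net}")
        for net in iroutes:
            owners[net].append(client)
            if not any(net.subnet_of(r) for r in server_routes):
                findings.append(f"{client}: iroute {net} has no matching 'route' in the server config")
    for net, clients in owners.items():
        if len(clients) > 1:
            findings.append(f"iroute {net} is claimed by {len(clients)} clients "
                            f"({', '.join(sorted(clients))}); only the client in front of that LAN should have it")
    for addr, clients in addresses.items():
        if len(clients) > 1:
            findings.append(f"ifconfig-push {addr} is assigned to several clients ({', '.join(sorted(clients))})")
    return findings


if __name__ == "__main__":
    for name, ccd in (("broken", CCD_BROKEN), ("fixed", CCD_FIXED)):
        print(f"{name}: {check_ccd(ccd, SERVER_NET, SERVER_ROUTES) or ['OK']}")
```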

6

(46 replies, posted in Software)

I'm looking at these logs; below is a dump from the server. The drop happened after the line:

Tue Feb  7 01:06:44 2017 us=85495 MULTI: Learn: 192.168.1.2 -> tomek_wrt160nl/94.254.227.198:19854

Up to that point, ping from 172.16.0.1 (the VPN server) to 192.168.1.2 was working for me. Unfortunately I don't see anything in this log that could give me a hint. In the VPN client log from the wrt160nl router there is nothing related to this.

server log

Tue Feb  7 01:02:09 2017 us=988217 Current Parameter Settings:
Tue Feb  7 01:02:09 2017 us=988285   config = '/etc/openvpn/server.conf'
Tue Feb  7 01:02:09 2017 us=988298   mode = 1
Tue Feb  7 01:02:09 2017 us=988307   persist_config = DISABLED
Tue Feb  7 01:02:09 2017 us=988316   persist_mode = 1
Tue Feb  7 01:02:09 2017 us=988325   show_ciphers = DISABLED
Tue Feb  7 01:02:09 2017 us=988334   show_digests = DISABLED
Tue Feb  7 01:02:09 2017 us=988343   show_engines = DISABLED
Tue Feb  7 01:02:09 2017 us=988352   genkey = DISABLED
Tue Feb  7 01:02:09 2017 us=988361   key_pass_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988371   show_tls_ciphers = DISABLED
Tue Feb  7 01:02:09 2017 us=988380   connect_retry_max = 0
Tue Feb  7 01:02:09 2017 us=988389 Connection profiles [0]:
Tue Feb  7 01:02:09 2017 us=988399   proto = udp
Tue Feb  7 01:02:09 2017 us=988408   local = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988417   local_port = '1194'
Tue Feb  7 01:02:09 2017 us=988426   remote = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988435   remote_port = '1194'
Tue Feb  7 01:02:09 2017 us=988444   remote_float = DISABLED
Tue Feb  7 01:02:09 2017 us=988458   bind_defined = DISABLED
Tue Feb  7 01:02:09 2017 us=988469   bind_local = ENABLED
Tue Feb  7 01:02:09 2017 us=988478   bind_ipv6_only = DISABLED
Tue Feb  7 01:02:09 2017 us=988487   connect_retry_seconds = 5
Tue Feb  7 01:02:09 2017 us=988496   connect_timeout = 120
Tue Feb  7 01:02:09 2017 us=988505   socks_proxy_server = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988514   socks_proxy_port = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988523   tun_mtu = 1500
Tue Feb  7 01:02:09 2017 us=988532   tun_mtu_defined = ENABLED
Tue Feb  7 01:02:09 2017 us=988541   link_mtu = 1500
Tue Feb  7 01:02:09 2017 us=988550   link_mtu_defined = DISABLED
Tue Feb  7 01:02:09 2017 us=988559   tun_mtu_extra = 0
Tue Feb  7 01:02:09 2017 us=988568   tun_mtu_extra_defined = DISABLED
Tue Feb  7 01:02:09 2017 us=988578   mtu_discover_type = -1
Tue Feb  7 01:02:09 2017 us=988587   fragment = 0
Tue Feb  7 01:02:09 2017 us=988596   mssfix = 1450
Tue Feb  7 01:02:09 2017 us=988605   explicit_exit_notification = 0
Tue Feb  7 01:02:09 2017 us=988614 Connection profiles END
Tue Feb  7 01:02:09 2017 us=988624   remote_random = DISABLED
Tue Feb  7 01:02:09 2017 us=988633   ipchange = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988642   dev = 'tun'
Tue Feb  7 01:02:09 2017 us=988651   dev_type = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988660   dev_node = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988669   lladdr = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988678   topology = 3
Tue Feb  7 01:02:09 2017 us=988687   ifconfig_local = '172.16.0.1'
Tue Feb  7 01:02:09 2017 us=988697   ifconfig_remote_netmask = '255.255.255.0'
Tue Feb  7 01:02:09 2017 us=988706   ifconfig_noexec = DISABLED
Tue Feb  7 01:02:09 2017 us=988715   ifconfig_nowarn = DISABLED
Tue Feb  7 01:02:09 2017 us=988724   ifconfig_ipv6_local = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988733   ifconfig_ipv6_netbits = 0
Tue Feb  7 01:02:09 2017 us=988742   ifconfig_ipv6_remote = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988752   shaper = 0
Tue Feb  7 01:02:09 2017 us=988761   mtu_test = 0
Tue Feb  7 01:02:09 2017 us=988770   mlock = DISABLED
Tue Feb  7 01:02:09 2017 us=988779   keepalive_ping = 10
Tue Feb  7 01:02:09 2017 us=988788   keepalive_timeout = 120
Tue Feb  7 01:02:09 2017 us=988798   inactivity_timeout = 0
Tue Feb  7 01:02:09 2017 us=988807   ping_send_timeout = 10
Tue Feb  7 01:02:09 2017 us=988816   ping_rec_timeout = 240
Tue Feb  7 01:02:09 2017 us=988825   ping_rec_timeout_action = 2
Tue Feb  7 01:02:09 2017 us=988834   ping_timer_remote = DISABLED
Tue Feb  7 01:02:09 2017 us=988844   remap_sigusr1 = 0
Tue Feb  7 01:02:09 2017 us=988853   persist_tun = ENABLED
Tue Feb  7 01:02:09 2017 us=988862   persist_local_ip = DISABLED
Tue Feb  7 01:02:09 2017 us=988871   persist_remote_ip = DISABLED
Tue Feb  7 01:02:09 2017 us=988880   persist_key = ENABLED
Tue Feb  7 01:02:09 2017 us=988889   passtos = DISABLED
Tue Feb  7 01:02:09 2017 us=988899   resolve_retry_seconds = 1000000000
Tue Feb  7 01:02:09 2017 us=988908   resolve_in_advance = DISABLED
Tue Feb  7 01:02:09 2017 us=988924   username = 'nobody'
Tue Feb  7 01:02:09 2017 us=988933   groupname = 'nogroup'
Tue Feb  7 01:02:09 2017 us=988943   chroot_dir = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988952   cd_dir = '/etc/openvpn'
Tue Feb  7 01:02:09 2017 us=988961   writepid = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988970   up_script = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988979   down_script = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988988   down_pre = DISABLED
Tue Feb  7 01:02:09 2017 us=988997   up_restart = DISABLED
Tue Feb  7 01:02:09 2017 us=989006   up_delay = DISABLED
Tue Feb  7 01:02:09 2017 us=989015   daemon = ENABLED
Tue Feb  7 01:02:09 2017 us=989024   inetd = 0
Tue Feb  7 01:02:09 2017 us=989033   log = ENABLED
Tue Feb  7 01:02:09 2017 us=989042   suppress_timestamps = DISABLED
Tue Feb  7 01:02:09 2017 us=989051   machine_readable_output = DISABLED
Tue Feb  7 01:02:09 2017 us=989061   nice = 0
Tue Feb  7 01:02:09 2017 us=989070   verbosity = 4
Tue Feb  7 01:02:09 2017 us=989079   mute = 0
Tue Feb  7 01:02:09 2017 us=989088   gremlin = 0
Tue Feb  7 01:02:09 2017 us=989097   status_file = '/etc/openvpn/openvpn-status.log'
Tue Feb  7 01:02:09 2017 us=989106   status_file_version = 1
Tue Feb  7 01:02:09 2017 us=989116   status_file_update_freq = 10
Tue Feb  7 01:02:09 2017 us=989125   occ = ENABLED
Tue Feb  7 01:02:09 2017 us=989134   rcvbuf = 0
Tue Feb  7 01:02:09 2017 us=989143   sndbuf = 0
Tue Feb  7 01:02:09 2017 us=989152   mark = 0
Tue Feb  7 01:02:09 2017 us=989161   sockflags = 0
Tue Feb  7 01:02:09 2017 us=989170   fast_io = DISABLED
Tue Feb  7 01:02:09 2017 us=989179   comp.alg = 2
Tue Feb  7 01:02:09 2017 us=989188   comp.flags = 0
Tue Feb  7 01:02:09 2017 us=989198   route_script = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989207   route_default_gateway = '172.16.0.2'
Tue Feb  7 01:02:09 2017 us=989216   route_default_metric = 0
Tue Feb  7 01:02:09 2017 us=989225   route_noexec = DISABLED
Tue Feb  7 01:02:09 2017 us=989235   route_delay = 0
Tue Feb  7 01:02:09 2017 us=989244   route_delay_window = 30
Tue Feb  7 01:02:09 2017 us=989253   route_delay_defined = DISABLED
Tue Feb  7 01:02:09 2017 us=989263   route_nopull = DISABLED
Tue Feb  7 01:02:09 2017 us=989272   route_gateway_via_dhcp = DISABLED
Tue Feb  7 01:02:09 2017 us=989281   allow_pull_fqdn = DISABLED
Tue Feb  7 01:02:09 2017 us=989291   route 192.168.1.0/255.255.255.0/default (not set)/default (not set)
Tue Feb  7 01:02:09 2017 us=989300   management_addr = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989310   management_port = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989323   management_user_pass = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989333   management_log_history_cache = 250
Tue Feb  7 01:02:09 2017 us=989343   management_echo_buffer_size = 100
Tue Feb  7 01:02:09 2017 us=989353   management_write_peer_info_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989362   management_client_user = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989372   management_client_group = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989381   management_flags = 0
Tue Feb  7 01:02:09 2017 us=989391   shared_secret_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989401   key_direction = 0
Tue Feb  7 01:02:09 2017 us=989410   ciphername = 'AES-256-CBC'
Tue Feb  7 01:02:09 2017 us=989420   ncp_enabled = ENABLED
Tue Feb  7 01:02:09 2017 us=989430   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Tue Feb  7 01:02:09 2017 us=989439   authname = 'SHA1'
Tue Feb  7 01:02:09 2017 us=989449   prng_hash = 'SHA1'
Tue Feb  7 01:02:09 2017 us=989462   prng_nonce_secret_len = 16
Tue Feb  7 01:02:09 2017 us=989471   keysize = 0
Tue Feb  7 01:02:09 2017 us=989480   engine = DISABLED
Tue Feb  7 01:02:09 2017 us=989489   replay = ENABLED
Tue Feb  7 01:02:09 2017 us=989498   mute_replay_warnings = DISABLED
Tue Feb  7 01:02:09 2017 us=989507   replay_window = 64
Tue Feb  7 01:02:09 2017 us=989516   replay_time = 15
Tue Feb  7 01:02:09 2017 us=989525   packet_id_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989534   use_iv = ENABLED
Tue Feb  7 01:02:09 2017 us=989543   test_crypto = DISABLED
Tue Feb  7 01:02:09 2017 us=989560   tls_server = ENABLED
Tue Feb  7 01:02:09 2017 us=989569   tls_client = DISABLED
Tue Feb  7 01:02:09 2017 us=989579   key_method = 2
Tue Feb  7 01:02:09 2017 us=989588   ca_file = '/etc/openvpn/ca.crt'
Tue Feb  7 01:02:09 2017 us=989597   ca_path = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989610   dh_file = '/etc/openvpn/dh2048.pem'
Tue Feb  7 01:02:09 2017 us=989620   cert_file = '/etc/openvpn/server.crt'
Tue Feb  7 01:02:09 2017 us=989629   extra_certs_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989639   priv_key_file = '/etc/openvpn/server.key'
Tue Feb  7 01:02:09 2017 us=989649   pkcs12_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989659   cipher_list = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989668   tls_verify = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989681   tls_export_cert = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989690   verify_x509_type = 0
Tue Feb  7 01:02:09 2017 us=989699   verify_x509_name = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989708   crl_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989717   ns_cert_type = 0
Tue Feb  7 01:02:09 2017 us=989726   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989735   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989744   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989753   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989762   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989771   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989780   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989788   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989797   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989806   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989815   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989824   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989833   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989842   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989851   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989860   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989869   remote_cert_eku = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989878   ssl_flags = 0
Tue Feb  7 01:02:09 2017 us=989887   tls_timeout = 2
Tue Feb  7 01:02:09 2017 us=989896   renegotiate_bytes = -1
Tue Feb  7 01:02:09 2017 us=989905   renegotiate_packets = 0
Tue Feb  7 01:02:09 2017 us=989914   renegotiate_seconds = 3600
Tue Feb  7 01:02:09 2017 us=989923   handshake_window = 60
Tue Feb  7 01:02:09 2017 us=989932   transition_window = 3600
Tue Feb  7 01:02:09 2017 us=989942   single_session = DISABLED
Tue Feb  7 01:02:09 2017 us=989951   push_peer_info = DISABLED
Tue Feb  7 01:02:09 2017 us=989960   tls_exit = DISABLED
Tue Feb  7 01:02:09 2017 us=989969   tls_auth_file = '/etc/openvpn/ta.key'
Tue Feb  7 01:02:09 2017 us=989978   tls_crypt_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989989   server_network = 172.16.0.0
Tue Feb  7 01:02:09 2017 us=989999   server_netmask = 255.255.255.0
Tue Feb  7 01:02:09 2017 us=990011   server_network_ipv6 = ::
Tue Feb  7 01:02:09 2017 us=990021   server_netbits_ipv6 = 0
Tue Feb  7 01:02:09 2017 us=990031   server_bridge_ip = 0.0.0.0
Tue Feb  7 01:02:09 2017 us=990047   server_bridge_netmask = 0.0.0.0
Tue Feb  7 01:02:09 2017 us=990058   server_bridge_pool_start = 0.0.0.0
Tue Feb  7 01:02:09 2017 us=990068   server_bridge_pool_end = 0.0.0.0
Tue Feb  7 01:02:09 2017 us=990077   push_entry = 'route 192.168.1.0 255.255.255.0'
Tue Feb  7 01:02:09 2017 us=990086   push_entry = 'dhcp-option DNS 208.67.222.222'
Tue Feb  7 01:02:09 2017 us=990096   push_entry = 'dhcp-option DNS 208.67.220.220'
Tue Feb  7 01:02:09 2017 us=990105   push_entry = 'topology subnet'
Tue Feb  7 01:02:09 2017 us=990114   push_entry = 'route-gateway 172.16.0.1'
Tue Feb  7 01:02:09 2017 us=990123   push_entry = 'topology subnet'
Tue Feb  7 01:02:09 2017 us=990132   push_entry = 'ping 10'
Tue Feb  7 01:02:09 2017 us=990142   push_entry = 'ping-restart 120'
Tue Feb  7 01:02:09 2017 us=990151   ifconfig_pool_defined = ENABLED
Tue Feb  7 01:02:09 2017 us=990161   ifconfig_pool_start = 172.16.0.2
Tue Feb  7 01:02:09 2017 us=990176   ifconfig_pool_end = 172.16.0.253
Tue Feb  7 01:02:09 2017 us=990186   ifconfig_pool_netmask = 255.255.255.0
Tue Feb  7 01:02:09 2017 us=990196   ifconfig_pool_persist_filename = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=990205   ifconfig_pool_persist_refresh_freq = 600
Tue Feb  7 01:02:09 2017 us=990214   ifconfig_ipv6_pool_defined = DISABLED
Tue Feb  7 01:02:09 2017 us=990224   ifconfig_ipv6_pool_base = ::
Tue Feb  7 01:02:09 2017 us=990233   ifconfig_ipv6_pool_netbits = 0
Tue Feb  7 01:02:09 2017 us=990243   n_bcast_buf = 256
Tue Feb  7 01:02:09 2017 us=990252   tcp_queue_limit = 64
Tue Feb  7 01:02:09 2017 us=990261   real_hash_size = 256
Tue Feb  7 01:02:09 2017 us=990270   virtual_hash_size = 256
Tue Feb  7 01:02:09 2017 us=990279   client_connect_script = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=990289   learn_address_script = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=990298   client_disconnect_script = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=990307   client_config_dir = '/etc/openvpn/ccd'
Tue Feb  7 01:02:09 2017 us=990316   ccd_exclusive = DISABLED
Tue Feb  7 01:02:09 2017 us=990325   tmp_dir = '/tmp'
Tue Feb  7 01:02:09 2017 us=990334   push_ifconfig_defined = DISABLED
Tue Feb  7 01:02:09 2017 us=990345   push_ifconfig_local = 0.0.0.0
Tue Feb  7 01:02:09 2017 us=990354   push_ifconfig_remote_netmask = 0.0.0.0
Tue Feb  7 01:02:09 2017 us=990364   push_ifconfig_ipv6_defined = DISABLED
Tue Feb  7 01:02:09 2017 us=990373   push_ifconfig_ipv6_local = ::/0
Tue Feb  7 01:02:09 2017 us=990383   push_ifconfig_ipv6_remote = ::
Tue Feb  7 01:02:09 2017 us=990392   enable_c2c = DISABLED
Tue Feb  7 01:02:09 2017 us=990402   duplicate_cn = DISABLED
Tue Feb  7 01:02:09 2017 us=990411   cf_max = 0
Tue Feb  7 01:02:09 2017 us=990420   cf_per = 0
Tue Feb  7 01:02:09 2017 us=990429   max_clients = 1024
Tue Feb  7 01:02:09 2017 us=990439   max_routes_per_client = 256
Tue Feb  7 01:02:09 2017 us=990448   auth_user_pass_verify_script = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=990457   auth_user_pass_verify_script_via_file = DISABLED
Tue Feb  7 01:02:09 2017 us=990466   auth_token_generate = DISABLED
Tue Feb  7 01:02:09 2017 us=990475   auth_token_lifetime = 0
Tue Feb  7 01:02:09 2017 us=990485   port_share_host = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=990494   port_share_port = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=990503   client = DISABLED
Tue Feb  7 01:02:09 2017 us=990512   pull = DISABLED
Tue Feb  7 01:02:09 2017 us=990521   auth_user_pass_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=990531 OpenVPN 2.4.0 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb  6 2017
Tue Feb  7 01:02:09 2017 us=990552 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Tue Feb  7 01:02:09 2017 us=992374 Diffie-Hellman initialized with 2048 bit key
Tue Feb  7 01:02:09 2017 us=992931 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Tue Feb  7 01:02:09 2017 us=992955 ECDH curve secp384r1 added
Tue Feb  7 01:02:09 2017 us=993107 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  7 01:02:09 2017 us=993124 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  7 01:02:09 2017 us=993138 TLS-Auth MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Tue Feb  7 01:02:09 2017 us=993411 ROUTE_GATEWAY XXX.XXX.XXX.1/255.255.255.0 IFACE=eth0 HWADDR=e6:fe:a9:df:58:bc
Tue Feb  7 01:02:09 2017 us=993642 TUN/TAP device tun0 opened
Tue Feb  7 01:02:09 2017 us=993667 TUN/TAP TX queue length set to 100
Tue Feb  7 01:02:09 2017 us=993685 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Feb  7 01:02:09 2017 us=993703 /sbin/ifconfig tun0 172.16.0.1 netmask 255.255.255.0 mtu 1500 broadcast 172.16.0.255
Tue Feb  7 01:02:10 2017 us=56482 /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 172.16.0.2
Tue Feb  7 01:02:10 2017 us=59094 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Feb  7 01:02:10 2017 us=59924 Could not determine IPv4/IPv6 protocol. Using AF_INET
Tue Feb  7 01:02:10 2017 us=59990 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Feb  7 01:02:10 2017 us=60024 UDPv4 link local (bound): [AF_INET][undef]:1194
Tue Feb  7 01:02:10 2017 us=60042 UDPv4 link remote: [AF_UNSPEC]
Tue Feb  7 01:02:10 2017 us=60062 GID set to nogroup
Tue Feb  7 01:02:10 2017 us=60086 UID set to nobody
Tue Feb  7 01:02:10 2017 us=60110 MULTI: multi_init called, r=256 v=256
Tue Feb  7 01:02:10 2017 us=60181 IFCONFIG POOL: base=172.16.0.2 size=252, ipv6=0
Tue Feb  7 01:02:10 2017 us=60252 Initialization Sequence Completed
Tue Feb  7 01:04:08 2017 us=137041 MULTI: multi_create_instance called
Tue Feb  7 01:04:08 2017 us=137185 94.254.227.198:19854 Re-using SSL/TLS context
Tue Feb  7 01:04:08 2017 us=137221 94.254.227.198:19854 LZO compression initializing
Tue Feb  7 01:04:08 2017 us=137493 94.254.227.198:19854 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Tue Feb  7 01:04:08 2017 us=137520 94.254.227.198:19854 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Feb  7 01:04:08 2017 us=137578 94.254.227.198:19854 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue Feb  7 01:04:08 2017 us=137598 94.254.227.198:19854 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue Feb  7 01:04:08 2017 us=137650 94.254.227.198:19854 TLS: Initial packet from [AF_INET]94.254.227.198:19854, sid=b38d0d80 84709d7a
Tue Feb  7 01:04:09 2017 us=624363 MULTI: multi_create_instance called
Tue Feb  7 01:04:09 2017 us=624449 77.114.12.156:59867 Re-using SSL/TLS context
Tue Feb  7 01:04:09 2017 us=624487 77.114.12.156:59867 LZO compression initializing
Tue Feb  7 01:04:09 2017 us=624711 77.114.12.156:59867 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Tue Feb  7 01:04:09 2017 us=624737 77.114.12.156:59867 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Feb  7 01:04:09 2017 us=624784 77.114.12.156:59867 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue Feb  7 01:04:09 2017 us=624802 77.114.12.156:59867 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue Feb  7 01:04:09 2017 us=624850 77.114.12.156:59867 TLS: Initial packet from [AF_INET]77.114.12.156:59867, sid=028cffa9 5e356ebc
Tue Feb  7 01:04:09 2017 us=830127 77.114.12.156:59867 VERIFY OK: depth=1, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=TomaszLewandowski, CN=Tomasz Lewandowski CA, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Feb  7 01:04:09 2017 us=830553 77.114.12.156:59867 VERIFY OK: depth=0, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=TomaszLewandowski, CN=tomek_itm, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Feb  7 01:04:09 2017 us=951399 77.114.12.156:59867 peer info: IV_VER=2.4.0
Tue Feb  7 01:04:09 2017 us=951466 77.114.12.156:59867 peer info: IV_PLAT=win
Tue Feb  7 01:04:09 2017 us=951485 77.114.12.156:59867 peer info: IV_PROTO=2
Tue Feb  7 01:04:09 2017 us=951502 77.114.12.156:59867 peer info: IV_NCP=2
Tue Feb  7 01:04:09 2017 us=951519 77.114.12.156:59867 peer info: IV_LZ4=1
Tue Feb  7 01:04:09 2017 us=951535 77.114.12.156:59867 peer info: IV_LZ4v2=1
Tue Feb  7 01:04:09 2017 us=951552 77.114.12.156:59867 peer info: IV_LZO=1
Tue Feb  7 01:04:09 2017 us=951569 77.114.12.156:59867 peer info: IV_COMP_STUB=1
Tue Feb  7 01:04:09 2017 us=951586 77.114.12.156:59867 peer info: IV_COMP_STUBv2=1
Tue Feb  7 01:04:09 2017 us=951603 77.114.12.156:59867 peer info: IV_TCPNL=1
Tue Feb  7 01:04:09 2017 us=951620 77.114.12.156:59867 peer info: IV_GUI_VER=OpenVPN_GUI_11
Tue Feb  7 01:04:10 2017 us=84360 77.114.12.156:59867 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Feb  7 01:04:10 2017 us=84478 77.114.12.156:59867 [tomek_itm] Peer Connection Initiated with [AF_INET]77.114.12.156:59867
Tue Feb  7 01:04:10 2017 us=84573 tomek_itm/77.114.12.156:59867 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/tomek_itm
Tue Feb  7 01:04:10 2017 us=84801 tomek_itm/77.114.12.156:59867 MULTI: Learn: 172.16.0.5 -> tomek_itm/77.114.12.156:59867
Tue Feb  7 01:04:10 2017 us=84827 tomek_itm/77.114.12.156:59867 MULTI: primary virtual IP for tomek_itm/77.114.12.156:59867: 172.16.0.5
Tue Feb  7 01:04:10 2017 us=84847 tomek_itm/77.114.12.156:59867 MULTI: internal route 192.168.1.0/24 -> tomek_itm/77.114.12.156:59867
Tue Feb  7 01:04:10 2017 us=84869 tomek_itm/77.114.12.156:59867 MULTI: Learn: 192.168.1.0/24 -> tomek_itm/77.114.12.156:59867
Tue Feb  7 01:04:10 2017 us=84889 tomek_itm/77.114.12.156:59867 REMOVE PUSH ROUTE: 'route 192.168.1.0 255.255.255.0'
Tue Feb  7 01:04:11 2017 us=94447 tomek_itm/77.114.12.156:59867 PUSH: Received control message: 'PUSH_REQUEST'
Tue Feb  7 01:04:11 2017 us=94557 tomek_itm/77.114.12.156:59867 SENT CONTROL [tomek_itm]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,topology subnet,route-gateway 172.16.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.0.5 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
Tue Feb  7 01:04:11 2017 us=94592 tomek_itm/77.114.12.156:59867 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Tue Feb  7 01:04:11 2017 us=94787 tomek_itm/77.114.12.156:59867 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Feb  7 01:04:11 2017 us=94825 tomek_itm/77.114.12.156:59867 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Feb  7 01:04:19 2017 us=210784 94.254.227.198:19854 VERIFY OK: depth=1, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=TomaszLewandowski, CN=Tomasz Lewandowski CA, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Feb  7 01:04:19 2017 us=211232 94.254.227.198:19854 VERIFY OK: depth=0, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=TomaszLewandowski, CN=tomek_wrt160nl, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Feb  7 01:04:19 2017 us=258023 94.254.227.198:19854 peer info: IV_VER=2.3.6
Tue Feb  7 01:04:19 2017 us=258091 94.254.227.198:19854 peer info: IV_PLAT=linux
Tue Feb  7 01:04:19 2017 us=258110 94.254.227.198:19854 peer info: IV_PROTO=2
Tue Feb  7 01:04:19 2017 us=258129 94.254.227.198:19854 NOTE: Options consistency check may be skewed by version differences
Tue Feb  7 01:04:19 2017 us=258154 94.254.227.198:19854 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Tue Feb  7 01:04:19 2017 us=258174 94.254.227.198:19854 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
Tue Feb  7 01:04:19 2017 us=258192 94.254.227.198:19854 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1558'
Tue Feb  7 01:04:19 2017 us=258210 94.254.227.198:19854 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
Tue Feb  7 01:04:19 2017 us=258228 94.254.227.198:19854 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Tue Feb  7 01:04:19 2017 us=258246 94.254.227.198:19854 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-256-CBC'
Tue Feb  7 01:04:19 2017 us=258264 94.254.227.198:19854 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Tue Feb  7 01:04:19 2017 us=258320 94.254.227.198:19854 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 256'
Tue Feb  7 01:04:19 2017 us=258358 94.254.227.198:19854 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'
Tue Feb  7 01:04:19 2017 us=258388 94.254.227.198:19854 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Tue Feb  7 01:04:19 2017 us=258440 94.254.227.198:19854 WARNING: 'tls-client' is present in local config but missing in remote config, local='tls-client'
Tue Feb  7 01:04:19 2017 us=258648 94.254.227.198:19854 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Feb  7 01:04:19 2017 us=258690 94.254.227.198:19854 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  7 01:04:19 2017 us=258719 94.254.227.198:19854 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Feb  7 01:04:19 2017 us=258750 94.254.227.198:19854 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  7 01:04:19 2017 us=302192 94.254.227.198:19854 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Tue Feb  7 01:04:19 2017 us=302271 94.254.227.198:19854 [tomek_wrt160nl] Peer Connection Initiated with [AF_INET]94.254.227.198:19854
Tue Feb  7 01:04:19 2017 us=302340 tomek_wrt160nl/94.254.227.198:19854 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/tomek_wrt160nl
Tue Feb  7 01:04:19 2017 us=302464 tomek_wrt160nl/94.254.227.198:19854 MULTI_sva: pool returned IPv4=172.16.0.2, IPv6=(Not enabled)
Tue Feb  7 01:04:19 2017 us=302532 tomek_wrt160nl/94.254.227.198:19854 MULTI: Learn: 172.16.0.2 -> tomek_wrt160nl/94.254.227.198:19854
Tue Feb  7 01:04:19 2017 us=302553 tomek_wrt160nl/94.254.227.198:19854 MULTI: primary virtual IP for tomek_wrt160nl/94.254.227.198:19854: 172.16.0.2
Tue Feb  7 01:04:19 2017 us=302572 tomek_wrt160nl/94.254.227.198:19854 MULTI: internal route 192.168.1.0/24 -> tomek_wrt160nl/94.254.227.198:19854
Tue Feb  7 01:04:19 2017 us=302594 tomek_wrt160nl/94.254.227.198:19854 MULTI: Learn: 192.168.1.0/24 -> tomek_wrt160nl/94.254.227.198:19854
Tue Feb  7 01:04:19 2017 us=302614 tomek_wrt160nl/94.254.227.198:19854 REMOVE PUSH ROUTE: 'route 192.168.1.0 255.255.255.0'
Tue Feb  7 01:04:21 2017 us=442313 tomek_wrt160nl/94.254.227.198:19854 PUSH: Received control message: 'PUSH_REQUEST'
Tue Feb  7 01:04:21 2017 us=599149 tomek_wrt160nl/94.254.227.198:19854 SENT CONTROL [tomek_wrt160nl]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,topology subnet,route-gateway 172.16.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.0.2 255.255.255.0,peer-id 0' (status=1)
Tue Feb  7 01:04:57 2017 us=616271 MULTI: Learn: 192.168.1.2 -> tomek_wrt160nl/94.254.227.198:19854
Tue Feb  7 01:06:44 2017 us=85495 MULTI: Learn: 192.168.1.2 -> tomek_wrt160nl/94.254.227.198:19854
Tue Feb  7 01:06:59 2017 us=186605 MULTI: multi_create_instance called
Tue Feb  7 01:06:59 2017 us=186713 94.254.227.101:45024 Re-using SSL/TLS context
Tue Feb  7 01:06:59 2017 us=186737 94.254.227.101:45024 LZO compression initializing
Tue Feb  7 01:06:59 2017 us=186943 94.254.227.101:45024 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Tue Feb  7 01:06:59 2017 us=186970 94.254.227.101:45024 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Feb  7 01:06:59 2017 us=187026 94.254.227.101:45024 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue Feb  7 01:06:59 2017 us=187045 94.254.227.101:45024 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue Feb  7 01:06:59 2017 us=187094 94.254.227.101:45024 TLS: Initial packet from [AF_INET]94.254.227.101:45024, sid=3234fead 049a5373
Tue Feb  7 01:06:59 2017 us=215260 94.254.227.101:45024 PID_ERR replay-window backtrack occurred [1] [TLS_WRAP-0] [0_0] 1486426019:3 1486426019:2 t=1486426019[0] r=[0,64,15,1,1] sl=[61,3,64,528]
Tue Feb  7 01:06:59 2017 us=385036 94.254.227.101:45024 VERIFY OK: depth=1, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=TomaszLewandowski, CN=Tomasz Lewandowski CA, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Feb  7 01:06:59 2017 us=385473 94.254.227.101:45024 VERIFY OK: depth=0, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=TomaszLewandowski, CN=tomek_sgcpt, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Feb  7 01:06:59 2017 us=412219 94.254.227.101:45024 peer info: IV_GUI_VER=net.openvpn.connect.android_1.1.17-76
Tue Feb  7 01:06:59 2017 us=412252 94.254.227.101:45024 peer info: IV_VER=3.0.12
Tue Feb  7 01:06:59 2017 us=412270 94.254.227.101:45024 peer info: IV_PLAT=android
Tue Feb  7 01:06:59 2017 us=412286 94.254.227.101:45024 peer info: IV_NCP=2
Tue Feb  7 01:06:59 2017 us=412303 94.254.227.101:45024 peer info: IV_TCPNL=1
Tue Feb  7 01:06:59 2017 us=412319 94.254.227.101:45024 peer info: IV_PROTO=2
Tue Feb  7 01:06:59 2017 us=412334 94.254.227.101:45024 peer info: IV_LZO=1
Tue Feb  7 01:06:59 2017 us=435478 94.254.227.101:45024 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Feb  7 01:06:59 2017 us=435526 94.254.227.101:45024 [tomek_sgcpt] Peer Connection Initiated with [AF_INET]94.254.227.101:45024
Tue Feb  7 01:06:59 2017 us=435590 tomek_sgcpt/94.254.227.101:45024 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/tomek_sgcpt
Tue Feb  7 01:06:59 2017 us=435756 tomek_sgcpt/94.254.227.101:45024 MULTI: Learn: 172.16.0.4 -> tomek_sgcpt/94.254.227.101:45024
Tue Feb  7 01:06:59 2017 us=435781 tomek_sgcpt/94.254.227.101:45024 MULTI: primary virtual IP for tomek_sgcpt/94.254.227.101:45024: 172.16.0.4
Tue Feb  7 01:06:59 2017 us=435801 tomek_sgcpt/94.254.227.101:45024 MULTI: internal route 192.168.1.0/24 -> tomek_sgcpt/94.254.227.101:45024
Tue Feb  7 01:06:59 2017 us=435823 tomek_sgcpt/94.254.227.101:45024 MULTI: Learn: 192.168.1.0/24 -> tomek_sgcpt/94.254.227.101:45024
Tue Feb  7 01:06:59 2017 us=435843 tomek_sgcpt/94.254.227.101:45024 REMOVE PUSH ROUTE: 'route 192.168.1.0 255.255.255.0'
Tue Feb  7 01:06:59 2017 us=435991 tomek_sgcpt/94.254.227.101:45024 PUSH: Received control message: 'PUSH_REQUEST'
Tue Feb  7 01:06:59 2017 us=436044 tomek_sgcpt/94.254.227.101:45024 SENT CONTROL [tomek_sgcpt]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,topology subnet,route-gateway 172.16.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.0.4 255.255.255.0,peer-id 2,cipher AES-256-GCM' (status=1)
Tue Feb  7 01:06:59 2017 us=436074 tomek_sgcpt/94.254.227.101:45024 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Tue Feb  7 01:06:59 2017 us=436189 tomek_sgcpt/94.254.227.101:45024 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Feb  7 01:06:59 2017 us=436209 tomek_sgcpt/94.254.227.101:45024 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Feb  7 01:07:08 2017 us=229589 MULTI: Learn: 192.168.1.2 -> tomek_sgcpt/94.254.227.101:45024
Tue Feb  7 01:07:12 2017 us=220696 tomek_sgcpt/94.254.227.101:45024 SIGTERM[soft,remote-exit] received, client-instance exiting

7

(46 replies, posted in Software)

The openvpn daemon doesn't crash, because at the same time my pings keep running, but only within the vpn network, i.e. from the second computer connected to the vpn (172.16.0.5) to 172.16.0.2 (the vpn client on openwrt).

8

(46 replies, posted in Software)

I did a clean install on the VPS, but it had no effect at all. Everything works except that after connecting with a client, the connection from the vpn network 172.16.0.0 to my lan disappears, which is really the thing I care about most.

9

(46 replies, posted in Software)

khain wrote:

Perhaps the problem lies in packet loss; try switching to tcp and reducing the cipher to AES-128-CBC.

Unfortunately, the above changes nothing. I tested a bit and it looks like this:
1. connecting to the vpn with any client cuts the 192.168.1.0 network off from the 172.16.0.0 network
2. if, with the clients connected, I run on the server

service openvpn restart

then everything starts working properly and there is a path from any client to my lan.
From what I observe, starting a client clearly changes something, probably on the vpn server side, which breaks the connection to the lan. I can do a clean install on the vpn server, because nothing else comes to mind.

10

(46 replies, posted in Software)

khain wrote:

@telewy Today I played with openvpn on Debian following this guide https://community.openvpn.net/openvpn/w … AndRouting
To sum up, you should run these commands on the VPS:
Allowing packets to be "received and sent":

iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT

and this entry, for the nat

iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

and allow packet forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

khain, full respect to you for the help and commitment in solving the problem. I added the missing entries to iptables; the other things I already had set. Generally it works like a charm smile. Many thanks. This forum hasn't let me down once again.

khain wrote:

This log indicates a bad routing setup (do you have a typo somewhere?)

Tue Jan 31 00:17:14 2017 us=740603 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped

I was away from home and didn't really have time for an in-depth analysis; nevertheless I looked at my routing and found no error, but at the weekend I'll look at it more closely.

khain wrote:

The first client losing its connection when the second one connects can have many causes, e.g. you are using the same keys, or the same Common Name, or assigning the same IP address to those clients.

This problem still occurs for me. I reconfigured all the vpn clients from scratch and it seems to me that none of the causes you listed apply (I generated keys for each device, each has its own CN, each device gets a different IP). I configure the files as described e.g. here: Konfiguracja OpenVPN. I don't know where to look for the problem, whether on the openvpn server 172.16.0.1 or on the vpn client 172.16.0.2 (192.168.1.1). On both of these machines I dumped the output of:

iptables -L
iptables -t nat -L -n
netstat -pln
ip route show
ip rule list
ifconfig -a
ip route list table local

at the moment when I had a ping from 172.16.0.1 to 192.168.1.1 and after that connection was broken. The files showed no differences. I'm rather running out of ideas where to look for the problem.
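As an added example (not code from this thread, from khain or from OpenVPN), a Python script that replays server log lines of the format quoted in this thread: it records which client the server currently associates with each 'internal route' (iroute) subnet, flags a subnet claimed by more than one client, which is what an iroute line present in more than one ccd file produces, and gives a reason for every 'bad source address from client' drop. The sample lines embedded in it are excerpted from the log posted in this thread.

```python
"""Analyse OpenVPN server log lines of the kind posted in this thread.

Added example; not code from the forum, from OpenVPN or from any poster.
Two checks a defender would run over such a log:
  1. which client the server associates with each 'internal route' subnet,
     and whether more than one client ever claimed the same subnet;
  2. why each 'bad source address from client' packet was dropped.
"""
import ipaddress
import re
from collections import Counter

# Common line prefix: timestamp, "us=<microseconds>" and the "<cn>/<ip>:<port>" tag.
_PREFIX = (r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) us=\d+ "
           r"(?P<client>[^/\s]+)/\S+ ")
RE_IROUTE = re.compile(_PREFIX + r"MULTI: internal route (?P<net>\S+) -> ")
RE_BADSRC = re.compile(_PREFIX + r"MULTI: bad source address from client "
                       r"\[(?P<addr>[^\]]+)\]")

# Constructed sample: a few lines excerpted from the server log posted in this thread.
SAMPLE_LOG = """\
Tue Jan 31 00:17:02 2017 us=760661 tomek_an1/94.254.128.244:39618 MULTI: internal route 192.168.1.0/24 -> tomek_an1/94.254.128.244:39618
Tue Jan 31 00:17:02 2017 us=760684 tomek_an1/94.254.128.244:39618 MULTI: Learn: 192.168.1.0/24 -> tomek_an1/94.254.128.244:39618
Tue Jan 31 00:17:14 2017 us=740603 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:54 2017 us=147253 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:13 2017 us=365493 tomek_itm/77.112.5.102:52014 MULTI: internal route 192.168.1.0/24 -> tomek_itm/77.112.5.102:52014
Tue Jan 31 00:22:42 2017 us=277527 tomek/94.254.162.175:15344 MULTI: internal route 192.168.1.0/24 -> tomek/94.254.162.175:15344
Tue Jan 31 00:22:51 2017 us=909215 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
"""


def parse_log(text):
    """Return ('iroute'|'badsrc', timestamp, client_cn, subnet_or_address) tuples in log order."""
    events = []
    for line in text.splitlines():
        m = RE_IROUTE.match(line)
        if m:
            events.append(("iroute", m["ts"], m["client"], m["net"]))
            continue
        m = RE_BADSRC.match(line)
        if m:
            events.append(("badsrc", m["ts"], m["client"], m["addr"]))
    return events


def iroute_claimants(events):
    """Map each iroute subnet to the distinct clients that claimed it, in order of appearance."""
    claims = {}
    for kind, _ts, client, net in events:
        if kind == "iroute" and client not in claims.setdefault(net, []):
            claims[net].append(client)
    return claims


def find_iroute_conflicts(events):
    """Subnets claimed by more than one client. OpenVPN keeps one owner per internal
    route, so each new claimant takes the subnet away from the client really behind it."""
    return {net: cl for net, cl in iroute_claimants(events).items() if len(cl) > 1}


def current_owners(events):
    """The client each iroute subnet points at after the last line of the log."""
    return {net: client for kind, _ts, client, net in events if kind == "iroute"}


def explain_bad_sources(events):
    """Replay the log, tracking iroute ownership, and give each drop a reason:
    'ipv6-link-local'          the client's own fe80:: address leaked into the tunnel;
    'subnet-owned-by:<cn>'     the address lies in a subnet the server currently routes
                               to a different client, so it looks spoofed to the server;
    'no-iroute-covers-address' nothing in the log routes that address anywhere."""
    owner = {}
    explained = []
    for kind, ts, client, value in events:
        if kind == "iroute":
            owner[value] = client
            continue
        addr = ipaddress.ip_address(value)
        if addr.version == 6 and addr.is_link_local:
            reason = "ipv6-link-local"
        else:
            covering = [n for n in owner if addr in ipaddress.ip_network(n)]
            if not covering:
                reason = "no-iroute-covers-address"
            elif owner[covering[0]] == client:
                reason = "routed-to-this-client"   # not expected from OpenVPN; kept for completeness
            else:
                reason = "subnet-owned-by:" + owner[covering[0]]
        explained.append((ts, client, value, reason))
    return explained


def summarize(events):
    """Count drops per (client, reason family) for a quick triage view."""
    counts = Counter()
    for _ts, client, _addr, reason in explain_bad_sources(events):
        counts[(client, reason.split(":")[0])] += 1
    return counts


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for net, clients in find_iroute_conflicts(ev).items():
        print(f"CONFLICT {net}: iroute claimed by {', '.join(clients)}; "
              f"owner at end of log: {current_owners(ev)[net]}")
    for ts, client, addr, reason in explain_bad_sources(ev):
        print(f"{ts} {client:<12} dropped {addr:<26} {reason}")
```

Run against a full server log, a subnet listed under more than one client in the CONFLICT line is the ccd file to fix; an 'ipv6-link-local' drop is a client leaking its own fe80:: address and is harmless unless IPv6 is meant to be routed.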

11

(46 replies, posted in Software)

But do I have such IPs for which I can't set static routing? My network is simple, and I rather think not.

12

(46 replies, posted in Software)

And a short addition. I had to restart the laptop tomek_itm (172.16.0.5). After the restart there was no ping to 192.168.1.1. Reloading the openvpn server fixed the situation.

I'll test this further at home, this evening.

13

(46 replies, posted in Software)

khain wrote:

Yes, those errors are because you use the route-nopull option in the client config.
There is no need to apply nat on the vpn interface in the client - it should only be applied to tun on the server (Gr4nd0 described this)
Did you add on the VPS an ACCEPT for the tun interface in the FORWARD, INPUT and OUTPUT chains?

Khain, I keep fighting. I added these commands:

iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT

For the OUTPUT chain it throws the error "Can't use -i with OUTPUT". Honestly, as much as I more or less understand the idea of iptables, the tool itself is black magic to me. All these masquerades and other options give me a headache.

Nevertheless I'm slowly moving forward and slowly there are results. However, somewhere something is still messed up in the firewall configuration, it seems to me. Ideally I'd wipe the whole firewall configuration and try to do it from scratch. I have lots of entries in iptables (iptables -L) that I only partly understand; along the way I also installed ufw.
Generally, right now I can get to my lan from outside, so we have success smile Nevertheless this connection dies every now and then and I can't find the cause. Yesterday I spent a lot of time on it and noticed that starting the client on android makes me lose the connection to the lan, i.e. a ping from, for example, 172.16.0.3 to 192.168.1.1 stops responding the moment the vpn client on android gets a connection. I also noticed that running the command

service openvpn restart

after first disconnecting android, fixes this situation. I don't know if it's normal, but it doesn't happen immediately, only after a while; still, the pings come back. The connection to the vpn server itself is stable; yesterday I left the laptop connected to the vpn overnight and it could be pinged until today. Today I'll try not to connect from android and see whether the connection to the lan breaks for some other reason. In the attachment I'm putting the log from the vpn server, which was dumped in this scenario: active connection to the lan -> connection from the android client -> connection broken -> vpn server restart -> connection restored. I marked the moment of the connection breaking and returning with a comment. In this log I have 3 vpn clients: tomek_vostro (172.16.0.3-windows), tomek_an1 (172.16.0.4-android), tomek_itm (172.16.0.5-windows).
Additionally, after connecting from android I have access to the 172.16.0.XXX addresses, but not to the 192.168.1.1 addresses. In the vpn client log on android I noticed this error: tun_prop_route_error: route destinations other than vpn_gateway or net_gateway are not supported android. I read a bit and modified the file /etc/openvpn/ccd/tomek_an1:

root@debian:/etc/openvpn/ccd# cat tomek_an1
ifconfig-push 172.16.0.4 255.255.255.0
push "route 192.168.1.0 255.255.255.0 172.16.0.1"
iroute 192.168.1.0 255.255.255.0

Without that push line it wouldn't even connect to 172.16.0.XXX. Apart from that, in the server log I constantly see messages:

Tue Jan 31 10:13:09 2017 us=546808 tomek_itm/77.112.5.102:52045 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped

log from the openvpn server:

Tue Jan 31 00:15:21 2017 us=946603 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:15:22 2017 us=149547 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:15:22 2017 us=559523 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:15:23 2017 us=9507 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:16:33 2017 us=892783 tomek_vostro/94.254.128.244:39616 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:16:34 2017 us=292230 tomek_vostro/94.254.128.244:39616 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:17:01 2017 us=977647 MULTI: multi_create_instance called
Tue Jan 31 00:17:01 2017 us=977735 94.254.128.244:39618 Re-using SSL/TLS context
Tue Jan 31 00:17:01 2017 us=977779 94.254.128.244:39618 LZO compression initialized
Tue Jan 31 00:17:01 2017 us=977893 94.254.128.244:39618 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Jan 31 00:17:01 2017 us=977910 94.254.128.244:39618 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan 31 00:17:01 2017 us=977941 94.254.128.244:39618 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue Jan 31 00:17:01 2017 us=977952 94.254.128.244:39618 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue Jan 31 00:17:01 2017 us=977971 94.254.128.244:39618 Local Options hash (VER=V4): '0b024030'
Tue Jan 31 00:17:01 2017 us=977985 94.254.128.244:39618 Expected Remote Options hash (VER=V4): '5b243d85'
Tue Jan 31 00:17:01 2017 us=978019 94.254.128.244:39618 TLS: Initial packet from [AF_INET]94.254.128.244:39618, sid=539814ae 39892105
Tue Jan 31 00:17:02 2017 us=14848 94.254.128.244:39618 PID_ERR replay-window backtrack occurred [1] [TLS_AUTH-0] [0_1] 1485818220:3 1485818220:2 t=1485818222[0] r=[-1,64,15,1,1] sl=[61,3,64,528]
Tue Jan 31 00:17:02 2017 us=696089 94.254.128.244:39618 VERIFY OK: depth=1, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=telewy, CN=Tomasz Lewandowski CA, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Jan 31 00:17:02 2017 us=696332 94.254.128.244:39618 VERIFY OK: depth=0, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=telewy, CN=tomek_an1, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Jan 31 00:17:02 2017 us=733904 94.254.128.244:39618 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 31 00:17:02 2017 us=733968 94.254.128.244:39618 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 31 00:17:02 2017 us=733988 94.254.128.244:39618 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 31 00:17:02 2017 us=734008 94.254.128.244:39618 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 31 00:17:02 2017 us=760319 94.254.128.244:39618 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 2048 bit RSA
Tue Jan 31 00:17:02 2017 us=760371 94.254.128.244:39618 [tomek_an1] Peer Connection Initiated with [AF_INET]94.254.128.244:39618
Tue Jan 31 00:17:02 2017 us=760436 tomek_an1/94.254.128.244:39618 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/tomek_an1
Tue Jan 31 00:17:02 2017 us=760616 tomek_an1/94.254.128.244:39618 MULTI: Learn: 172.16.0.4 -> tomek_an1/94.254.128.244:39618
Tue Jan 31 00:17:02 2017 us=760641 tomek_an1/94.254.128.244:39618 MULTI: primary virtual IP for tomek_an1/94.254.128.244:39618: 172.16.0.4
Tue Jan 31 00:17:02 2017 us=760661 tomek_an1/94.254.128.244:39618 MULTI: internal route 192.168.1.0/24 -> tomek_an1/94.254.128.244:39618
Tue Jan 31 00:17:02 2017 us=760684 tomek_an1/94.254.128.244:39618 MULTI: Learn: 192.168.1.0/24 -> tomek_an1/94.254.128.244:39618
Tue Jan 31 00:17:02 2017 us=772537 tomek_an1/94.254.128.244:39618 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jan 31 00:17:02 2017 us=772568 tomek_an1/94.254.128.244:39618 send_push_reply(): safe_cap=940
Tue Jan 31 00:17:02 2017 us=772644 tomek_an1/94.254.128.244:39618 SENT CONTROL [tomek_an1]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 172.16.0.2,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route-gateway 172.16.0.1,redirect-gateway def1,topology subnet,ping 10,ping-restart 120,route 192.168.1.0 255.255.255.0 172.16.0.1,ifconfig 172.16.0.4 255.255.255.0' (status=1)
Tue Jan 31 00:17:02 2017 us=865018 MULTI: Learn: 192.168.1.2 -> tomek_an1/94.254.128.244:39618
Tue Jan 31 00:17:03 2017 us=230673 MULTI: Learn: 192.168.1.1 -> tomek_an1/94.254.128.244:39618
//here the ping to 192.168.1.1 from tomek_vostro (172.16.0.3) stopped working
Tue Jan 31 00:17:14 2017 us=740603 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:15 2017 us=20999 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:15 2017 us=304778 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:15 2017 us=900381 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:17 2017 us=81262 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:19 2017 us=408499 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:20 2017 us=920299 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:21 2017 us=240423 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:21 2017 us=540679 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:22 2017 us=140596 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:23 2017 us=360681 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:24 2017 us=100554 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:25 2017 us=791446 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:33 2017 us=870243 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:33 2017 us=870310 tomek_an1/94.254.128.244:39618 SIGTERM[soft,remote-exit] received, client-instance exiting
Tue Jan 31 00:17:33 2017 us=870736 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:40 2017 us=428732 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:52 2017 us=228988 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:54 2017 us=147253 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:17:55 2017 us=147154 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:17:57 2017 us=155228 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:17:59 2017 us=891324 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:18:01 2017 us=147096 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:18:09 2017 us=147148 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:18:25 2017 us=148052 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:18:29 2017 us=715622 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:18:38 2017 us=948795 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped

Tue Jan 31 00:22:12 2017 us=363510 tomek_vostro/94.254.128.244:39639 PID_ERR replay-window backtrack occurred [1] [SSL-0] [0_00000000000000000000000000000000000001111111111111111111111111] 0:169 0:168 t=1485818532[0] r=[-4,64,15,1,1] sl=[23,64,64,528]
Tue Jan 31 00:22:12 2017 us=405637 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=405692 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=419309 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=490325 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=524997 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=639643 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=642971 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=818254 MULTI: multi_create_instance called
Tue Jan 31 00:22:12 2017 us=818363 77.112.5.102:52014 Re-using SSL/TLS context
Tue Jan 31 00:22:12 2017 us=818415 77.112.5.102:52014 LZO compression initialized
Tue Jan 31 00:22:12 2017 us=818598 77.112.5.102:52014 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Jan 31 00:22:12 2017 us=818630 77.112.5.102:52014 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan 31 00:22:12 2017 us=818677 77.112.5.102:52014 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue Jan 31 00:22:12 2017 us=818713 77.112.5.102:52014 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue Jan 31 00:22:12 2017 us=818743 77.112.5.102:52014 Local Options hash (VER=V4): '0b024030'
Tue Jan 31 00:22:12 2017 us=818767 77.112.5.102:52014 Expected Remote Options hash (VER=V4): '5b243d85'
Tue Jan 31 00:22:12 2017 us=818811 77.112.5.102:52014 TLS: Initial packet from [AF_INET]77.112.5.102:52014, sid=1382462e 4e7f4780
Tue Jan 31 00:22:12 2017 us=829385 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=832164 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=832214 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=893597 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=893676 tomek_vostro/94.254.128.244:39639 PID_ERR replay-window backtrack occurred [2] [SSL-0] [00_0000000000000000000000000000000000000000000000000000000000000] 0:196 0:194 t=1485818532[0] r=[-4,64,15,2,1] sl=[60,64,64,528]
Tue Jan 31 00:22:12 2017 us=899529 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=899576 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:13 2017 us=32710 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:13 2017 us=50090 MULTI: Learn: 192.168.1.1 -> tomek_vostro/94.254.128.244:39639
Tue Jan 31 00:22:13 2017 us=138534 MULTI: Learn: 192.168.1.2 -> tomek_vostro/94.254.128.244:39639
Tue Jan 31 00:22:13 2017 us=268012 77.112.5.102:52014 VERIFY OK: depth=1, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=telewy, CN=Tomasz Lewandowski CA, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Jan 31 00:22:13 2017 us=268412 77.112.5.102:52014 VERIFY OK: depth=0, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=telewy, CN=tomek_itm, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Jan 31 00:22:13 2017 us=326490 77.112.5.102:52014 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 31 00:22:13 2017 us=326550 77.112.5.102:52014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 31 00:22:13 2017 us=326570 77.112.5.102:52014 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 31 00:22:13 2017 us=326589 77.112.5.102:52014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 31 00:22:13 2017 us=329011 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:13 2017 us=365139 77.112.5.102:52014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Jan 31 00:22:13 2017 us=365217 77.112.5.102:52014 [tomek_itm] Peer Connection Initiated with [AF_INET]77.112.5.102:52014
Tue Jan 31 00:22:13 2017 us=365282 tomek_itm/77.112.5.102:52014 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/tomek_itm
Tue Jan 31 00:22:13 2017 us=365449 tomek_itm/77.112.5.102:52014 MULTI: Learn: 172.16.0.5 -> tomek_itm/77.112.5.102:52014
Tue Jan 31 00:22:13 2017 us=365473 tomek_itm/77.112.5.102:52014 MULTI: primary virtual IP for tomek_itm/77.112.5.102:52014: 172.16.0.5
Tue Jan 31 00:22:13 2017 us=365493 tomek_itm/77.112.5.102:52014 MULTI: internal route 192.168.1.0/24 -> tomek_itm/77.112.5.102:52014
Tue Jan 31 00:22:13 2017 us=365533 tomek_itm/77.112.5.102:52014 MULTI: Learn: 192.168.1.0/24 -> tomek_itm/77.112.5.102:52014
Tue Jan 31 00:22:13 2017 us=388173 tomek_itm/77.112.5.102:52014 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jan 31 00:22:13 2017 us=388208 tomek_itm/77.112.5.102:52014 send_push_reply(): safe_cap=940
Tue Jan 31 00:22:13 2017 us=388248 tomek_itm/77.112.5.102:52014 SENT CONTROL [tomek_itm]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 172.16.0.2,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route-gateway 172.16.0.1,redirect-gateway def1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.0.5 255.255.255.0' (status=1)
Tue Jan 31 00:22:13 2017 us=391386 MULTI: Learn: 192.168.1.2 -> tomek_itm/77.112.5.102:52014
Tue Jan 31 00:22:14 2017 us=677245 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:14 2017 us=677343 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:18 2017 us=49612 MULTI: Learn: 192.168.1.1 -> tomek_itm/77.112.5.102:52014
Tue Jan 31 00:22:20 2017 us=24243 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:20 2017 us=24286 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:20 2017 us=24418 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:34 2017 us=918304 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
//here the ping to 192.168.1.1 from tomek_vostro (172.16.0.3) started working again
Tue Jan 31 00:22:42 2017 us=190973 94.254.162.175:15344 VERIFY OK: depth=1, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=telewy, CN=Tomasz Lewandowski CA, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Jan 31 00:22:42 2017 us=191313 94.254.162.175:15344 VERIFY OK: depth=0, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=telewy, CN=tomek, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Jan 31 00:22:42 2017 us=253313 94.254.162.175:15344 NOTE: Options consistency check may be skewed by version differences
Tue Jan 31 00:22:42 2017 us=253390 94.254.162.175:15344 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Tue Jan 31 00:22:42 2017 us=253414 94.254.162.175:15344 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
Tue Jan 31 00:22:42 2017 us=253434 94.254.162.175:15344 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1558'
Tue Jan 31 00:22:42 2017 us=253454 94.254.162.175:15344 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
Tue Jan 31 00:22:42 2017 us=253473 94.254.162.175:15344 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Tue Jan 31 00:22:42 2017 us=253493 94.254.162.175:15344 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-256-CBC'
Tue Jan 31 00:22:42 2017 us=253512 94.254.162.175:15344 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Tue Jan 31 00:22:42 2017 us=253531 94.254.162.175:15344 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 256'
Tue Jan 31 00:22:42 2017 us=253551 94.254.162.175:15344 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'
Tue Jan 31 00:22:42 2017 us=253570 94.254.162.175:15344 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Tue Jan 31 00:22:42 2017 us=253590 94.254.162.175:15344 WARNING: 'tls-client' is present in local config but missing in remote config, local='tls-client'
Tue Jan 31 00:22:42 2017 us=253722 94.254.162.175:15344 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 31 00:22:42 2017 us=253768 94.254.162.175:15344 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 31 00:22:42 2017 us=253788 94.254.162.175:15344 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 31 00:22:42 2017 us=253806 94.254.162.175:15344 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 31 00:22:42 2017 us=277197 94.254.162.175:15344 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Jan 31 00:22:42 2017 us=277254 94.254.162.175:15344 [tomek] Peer Connection Initiated with [AF_INET]94.254.162.175:15344
Tue Jan 31 00:22:42 2017 us=277318 tomek/94.254.162.175:15344 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/tomek
Tue Jan 31 00:22:42 2017 us=277482 tomek/94.254.162.175:15344 MULTI: Learn: 172.16.0.2 -> tomek/94.254.162.175:15344
Tue Jan 31 00:22:42 2017 us=277506 tomek/94.254.162.175:15344 MULTI: primary virtual IP for tomek/94.254.162.175:15344: 172.16.0.2
Tue Jan 31 00:22:42 2017 us=277527 tomek/94.254.162.175:15344 MULTI: internal route 192.168.1.0/24 -> tomek/94.254.162.175:15344
Tue Jan 31 00:22:42 2017 us=277548 tomek/94.254.162.175:15344 MULTI: Learn: 192.168.1.0/24 -> tomek/94.254.162.175:15344
Tue Jan 31 00:22:42 2017 us=868267 MULTI: Learn: 192.168.1.2 -> tomek/94.254.162.175:15344
Tue Jan 31 00:22:43 2017 us=49233 MULTI: Learn: 192.168.1.1 -> tomek/94.254.162.175:15344
Tue Jan 31 00:22:44 2017 us=427238 tomek/94.254.162.175:15344 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jan 31 00:22:44 2017 us=427312 tomek/94.254.162.175:15344 send_push_reply(): safe_cap=940
Tue Jan 31 00:22:44 2017 us=427355 tomek/94.254.162.175:15344 SENT CONTROL [tomek]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 172.16.0.2,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route-gateway 172.16.0.1,redirect-gateway def1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.0.2 255.255.255.0' (status=1)
Tue Jan 31 00:22:48 2017 us=585852 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:48 2017 us=617917 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:48 2017 us=624936 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:48 2017 us=905994 tomek/94.254.162.175:15344 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jan 31 00:22:49 2017 us=27853 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:49 2017 us=58012 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:51 2017 us=284137 tomek_itm/77.112.5.102:52014 PID_ERR replay-window backtrack occurred [2] [SSL-0] [00_0000001111111111111111112222222222222222222222222222222222222] 0:180 0:178 t=1485818571[0] r=[-4,64,15,2,1] sl=[12,64,64,528]
Tue Jan 31 00:22:51 2017 us=909215 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:52 2017 us=329354 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:54 2017 us=294967 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:57 2017 us=686847 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:58 2017 us=781921 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:58 2017 us=926880 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:59 2017 us=166918 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:59 2017 us=614795 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:23:04 2017 us=48849 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:04 2017 us=68259 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:04 2017 us=81376 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:04 2017 us=509210 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:04 2017 us=538743 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:04 2017 us=915757 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:04 2017 us=935838 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:04 2017 us=935899 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:05 2017 us=29000 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:05 2017 us=349288 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:06 2017 us=907924 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
root@debian:/etc/openvpn#

Regards
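A small triage script for server log lines of the kind pasted above, added here as an example (it is not code from the post): it groups the MULTI: Learn, internal route, bad source address, PID_ERR and PUSH_REPLY messages per client CN and flags a pushed route that matches the client's own iroute. The sample lines are constructed in the same format as the log above, not the original log.

```python
"""Triage of OpenVPN server log lines in the format shown above.

Added example, not code from the forum post. The lines in SAMPLE_LOG are
constructed in the same shape as the server log on this page and are not
the original log.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: one client with a ccd iroute, two clients whose packets
# are dropped because their source address is not assigned to them.
SAMPLE_LOG = """\
Tue Jan 31 00:22:42 2017 us=277482 tomek/94.254.162.175:15344 MULTI: Learn: 172.16.0.2 -> tomek/94.254.162.175:15344
Tue Jan 31 00:22:42 2017 us=277527 tomek/94.254.162.175:15344 MULTI: internal route 192.168.1.0/24 -> tomek/94.254.162.175:15344
Tue Jan 31 00:22:42 2017 us=277548 tomek/94.254.162.175:15344 MULTI: Learn: 192.168.1.0/24 -> tomek/94.254.162.175:15344
Tue Jan 31 00:22:43 2017 us=49233 MULTI: Learn: 192.168.1.1 -> tomek/94.254.162.175:15344
Tue Jan 31 00:22:44 2017 us=427355 tomek/94.254.162.175:15344 SENT CONTROL [tomek]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 172.16.0.2,dhcp-option DNS 208.67.222.222,route-gateway 172.16.0.1,redirect-gateway def1,topology subnet,ifconfig 172.16.0.2 255.255.255.0' (status=1)
Tue Jan 31 00:22:48 2017 us=585852 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:48 2017 us=617917 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:51 2017 us=284137 tomek_itm/77.112.5.102:52014 PID_ERR replay-window backtrack occurred [2] [SSL-0] [00_0000001111] 0:180 0:178 t=1485818571[0] r=[-4,64,15,2,1] sl=[12,64,64,528]
Tue Jan 31 00:22:51 2017 us=909215 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
"""

# "Tue Jan 31 00:22:42 2017 us=277482 <rest>"
LINE_RE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} us=\d+ (?P<rest>.*)$")
# optional "<CN>/<ip>:<port> " client context in front of the message
CLIENT_RE = re.compile(r"^(?P<cn>[\w.-]+)/(?P<peer>[\d.]+:\d+) (?P<msg>.*)$")
LEARN_RE = re.compile(r"^MULTI: Learn: (?P<addr>\S+) -> (?P<cn>[\w.-]+)/")
IROUTE_RE = re.compile(r"^MULTI: internal route (?P<net>\S+) -> (?P<cn>[\w.-]+)/")
BADSRC_RE = re.compile(r"^MULTI: bad source address from client \[(?P<addr>[^\]]+)\], packet dropped")
PUSH_RE = re.compile(r"^SENT CONTROL \[(?P<cn>[\w.-]+)\]: 'PUSH_REPLY,(?P<opts>[^']*)'")


def parse_log(text):
    """Per-client summary: learned addresses, iroutes, dropped sources, replay warnings, pushed options."""
    clients = defaultdict(lambda: {"learned": set(), "iroutes": set(),
                                   "bad_source": Counter(), "replay": 0, "pushed": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        cm = CLIENT_RE.match(rest)
        cn, msg = (cm.group("cn"), cm.group("msg")) if cm else (None, rest)
        if (lm := LEARN_RE.match(msg)):
            clients[lm.group("cn")]["learned"].add(lm.group("addr"))
        elif (im := IROUTE_RE.match(msg)):
            clients[im.group("cn")]["iroutes"].add(im.group("net"))
        elif cn and (bm := BADSRC_RE.match(msg)):
            # the server only forwards packets whose source it has learned for that client
            clients[cn]["bad_source"][bm.group("addr")] += 1
        elif cn and msg.startswith("PID_ERR replay-window backtrack"):
            clients[cn]["replay"] += 1
        elif (pm := PUSH_RE.match(msg)):
            clients[pm.group("cn")]["pushed"] = pm.group("opts").split(",")
    return dict(clients)


def findings(clients):
    """Human-readable notes a defender would want from the summary."""
    out = []
    for cn, c in sorted(clients.items()):
        for addr, n in c["bad_source"].items():
            kind = "IPv6 link-local" if addr.lower().startswith("fe80:") else "unassigned"
            out.append(f"{cn}: {n} packet(s) dropped, source {addr} ({kind}) is not assigned to this client")
        if c["replay"]:
            out.append(f"{cn}: {c['replay']} replay-window backtrack warning(s)")
        pushed_nets = set()
        for opt in c["pushed"]:
            parts = opt.split()
            if len(parts) >= 3 and parts[0] == "route":
                pushed_nets.add(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        for net in c["iroutes"]:
            if ipaddress.ip_network(net) in pushed_nets:
                out.append(f"{cn}: pushed route {net} is this client's own iroute "
                           "(the server pushes the client's subnet back to it)")
    return out


if __name__ == "__main__":
    for note in findings(parse_log(SAMPLE_LOG)):
        print(note)
```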

14

(46 replies, posted in Oprogramowanie)

Thanks for the factual and sensible explanation. I adjusted the settings on the WRT160NL as described above, but there is still no effect, i.e. no pings to 192.168.1.XXX from e.g. 172.16.0.1. I don't know whether this could be the cause, but I see some errors in the VPN client log on the WRT160NL:

root@OpenWrt:~# cat /tmp/openvpn.log
Sat Jan 28 12:46:38 2017 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan  6 2015
Sat Jan 28 12:46:38 2017 library versions: OpenSSL 1.0.2f  28 Jan 2016, LZO 2.08
Sat Jan 28 12:46:38 2017 Control Channel Authentication: using '/etc/openvpn/tls-auth.key' as a OpenVPN static key file
Sat Jan 28 12:46:38 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 28 12:46:38 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 28 12:46:38 2017 Socket Buffers: R=[163840->131072] S=[163840->131072]
Sat Jan 28 12:46:38 2017 UDPv4 link local (bound): [undef]
Sat Jan 28 12:46:38 2017 UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sat Jan 28 12:46:38 2017 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=b99f458b 74e8c27a
Sat Jan 28 12:46:59 2017 VERIFY OK: depth=1, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=telewy, CN=Tomasz Lewandowski CA, name=server, emailAddress=tomasz.lewandowski@mail.com
Sat Jan 28 12:46:59 2017 Validating certificate key usage
Sat Jan 28 12:46:59 2017 ++ Certificate has key usage  00a0, expects 00a0
Sat Jan 28 12:46:59 2017 VERIFY KU OK
Sat Jan 28 12:46:59 2017 Validating certificate extended key usage
Sat Jan 28 12:46:59 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jan 28 12:46:59 2017 VERIFY EKU OK
Sat Jan 28 12:46:59 2017 VERIFY OK: depth=0, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=telewy, CN=server, name=server, emailAddress=tomasz.lewandowski@mail.com
Sat Jan 28 12:47:11 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Jan 28 12:47:11 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 28 12:47:11 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Jan 28 12:47:11 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 28 12:47:11 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Jan 28 12:47:11 2017 [server] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
Sat Jan 28 12:47:13 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jan 28 12:47:19 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jan 28 12:47:19 2017 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 172.16.0.2,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route-gateway 172.16.0.1,redirect-gateway def1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.0.2 255.255.255.0'
Sat Jan 28 12:47:19 2017 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Sat Jan 28 12:47:19 2017 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Sat Jan 28 12:47:19 2017 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Sat Jan 28 12:47:19 2017 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Sat Jan 28 12:47:19 2017 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jan 28 12:47:19 2017 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jan 28 12:47:19 2017 OPTIONS IMPORT: route-related options modified
Sat Jan 28 12:47:19 2017 TUN/TAP device tun0 opened
Sat Jan 28 12:47:19 2017 TUN/TAP TX queue length set to 100
Sat Jan 28 12:47:19 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Jan 28 12:47:19 2017 /sbin/ifconfig tun0 172.16.0.2 netmask 255.255.255.0 mtu 1500 broadcast 172.16.0.255
Sat Jan 28 12:47:19 2017 Initialization Sequence Completed

Admittedly, from your post WDR4300 OpenVPN Server & Client I gather that this behaviour is normal.

I noticed that the /etc/config/firewall file has no vpn zone, so I added the entry:

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn'
        option masq '1'

but that still did not fix the situation.

15

(46 replies, posted in Oprogramowanie)

Gr4nd0 wrote:

And BTW, since you have a computer with Debian, maybe let it act as the router too? That's the variant I chose for my own network. The TP-Links serve me only as switches and APs. And the WDR4300 doesn't even have a WAN interface.

If you say so, it could probably be done that way. I've thought about it and, honestly, I'm too green to see any difference such a swap would make. The way I see it, I'd probably have to physically swap the WRT160NL router with the Debian server, because otherwise I somehow can't see that Debian box as a router. For clarity, I'm attaching a diagram of my home network:
My network
By the way, I studied network configuration topics today and all I have is a muddle in my head. In iptables I can set up redirections, in routing I can also set up redirections, and I don't really have a feel for it. Tell me whether the following line of thought is correct:
1. when I'm in the LAN, on any computer in the LAN I open, for example, Domoticz by calling http://192.168.1.2:8080/
2. when I'm on the internet (computer no. 13), I connect through the VPN and would like to open Domoticz by calling http://192.168.1.2:8080/, and then
- the WRT160NL router should have routing defined for 192.168.1.XXX addresses to the LAN
- the VPS server and the WRT160NL router should have port 8080 open
- or maybe I should define the routing for 192.168.1.XXX addresses already on the OpenVPN server (computer 12)?

At the moment, the computers marked 1, 12 and 13 on the diagram see each other directly over the VPN (they ping each other).

P.S. I found a fairly nice document about iptables: IPTables; maybe someone else will find it useful too.

16

(46 replies, posted in Oprogramowanie)

Thanks, that explains a lot to me. The laptop thing was more for testing; generally it's enough for me the way it is, i.e. while connected to the VPN I don't need access to the outside internet. I'll now wrestle with the routing to get access to other resources.

17

(46 replies, posted in Oprogramowanie)

The configuration on the server is 100% the same, because yesterday I checked it line by line. As for the client, I checked again and see that I dropped one line, cipher AES-256-CBC, which I have now added. The /etc/config/openvpn file looks different from what you gave, but I think it's the same thing:

config openvpn 'tomek'
        option enabled '1'
        option dev 'tun'
        option proto 'udp'
        option log '/tmp/openvpn.log'
        option verb '3'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/tomek.crt'
        option key '/etc/openvpn/tomek.key'
        option tls_auth '/etc/openvpn/tls-auth.key'
        option client '1'
        option remote_cert_tls 'server'
        option remote 'XXX.XXX.XXX.XXX 1194'
        option comp_lzo 'adaptive'
        option route_nopull '1'

OK, I'll modify iptables and let you know.

18

(46 replies, posted in Oprogramowanie)

Khain, Gr4nd0, thank you both for your help. I made the changes according to your hints and there was an immediate effect. I added the extra tls-auth protection; in general it's working. Specifically:

- I run the OpenVPN server (172.16.0.1) on the VPS and the OpenVPN client on the WRT160NL (172.16.0.2 <-> 192.168.1.1)
- the home network works normally and doesn't lose its internet connection
- traffic from the LAN goes as it did before, at least that's how it seems to me
- from the internet, after starting the VPN client, I'm able to reach the WRT160NL client (172.16.0.2)
So in general this is what I was after. Today I'll also test the connection from my mobile phone to the LAN.

And now what I'd still like to change:
1. When I start the VPN client on the laptop and connect to the server, the laptop with the VPN client loses its internet connection. I understand that I need to set the routing differently, so that traffic for 172.0.XXX.XXX addresses goes through the OpenVPN server and traffic for the remaining IPs is left unchanged?
2. Similarly, when I'm in the LAN and start the VPN client I lose the internet connection, yet I'd prefer to keep it (this is in the context of point 3).
3. And one more important thing. In the LAN I have a Debian server (192.168.1.2) with a web server and some batch jobs. What do I need to do to be able to reach the website served by this server from outside? On this server I have batch jobs that push certain data to external servers at night, and I'd like to keep that as it is now, i.e. this traffic should go outside the VPN.
4. To reach some resource in the LAN, do I have to install a VPN client on it, or can I somehow redirect the traffic through the client on the WRT160NL?

Thanks again for the help. I try to read up on what I'm doing, but I admit many things are very hazy to me and not always clear. Networking topics in particular are really not my field.

Regards

19

(46 replies, posted in Oprogramowanie)

Yes, of course, I'm fighting like a lion. One thing at a time.

I added to the server configuration:
topology subnet
I didn't change the comp-lzo adaptive option because it was already uncommented. After a restart there is an improvement, namely pings work between the client and the server.
ifconfig for the server now looks like this:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.0.1  P-t-P:172.16.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1750 errors:0 dropped:0 overruns:0 frame:0
          TX packets:328 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:169091 (165.1 KiB)  TX bytes:51162 (49.9 KiB)

and ifconfig for the client

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.0.4  P-t-P:172.16.0.4  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42639 errors:0 dropped:38078 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:60092563 (57.3 MiB)

Starting the VPN client on OpenWrt (on the router, which in my case has IP 192.168.1.1 and has the LTE modem connected to it) causes me to lose the internet connection. In addition, I connect to the server from the internet from a laptop with Windows and the OpenVPN client installed. And here's a curiosity: on that laptop I get IP 172.16.0.4, and the same IP is assigned to the OpenWrt client.
Adding on the server
push "route 192.168.1.0 255.255.255.0"
caused me to lose contact with the home network (with the OpenVPN client), and I had to log in to the server from the internet to comment that line out.

Below, for clarity, I give the contents of the OpenVPN server config:

port 1194

proto udp

dev tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret

dh dh2048.pem

topology subnet
server 172.16.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

keepalive 10 120

comp-lzo

user nobody
group nogroup

persist-key
persist-tun

status openvpn-status.log

verb 3

and of the client (the OpenWrt one)

root@OpenWrt:/etc/config# cat /var/etc/openvpn-tomek.conf
client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/tomek.crt
comp-lzo yes
dev tun
key /etc/openvpn/tomek.key
log /tmp/openvpn.log
proto udp
remote XXX.XXX.XXX.XXX 1194
remote-cert-tls server
topology subnet
verb 3

20

(46 replies, posted in Oprogramowanie)

So how about it, folks, are we doing anything on this topic?

21

(27 replies, posted in Termometr)

I did some testing and it looks like this:
mosquitto_pub -h 192.168.1.2 -m '{"idx" : 20, "nvalue" : 0, "svalue" : "10;2.5"}' -t 'domoticz/in'
Rain: 2.5; Rain rate 0.1
mosquitto_pub -h 192.168.1.2 -m '{"idx" : 20, "nvalue" : 0, "svalue" : "20;2.7"}' -t 'domoticz/in'
Rain: 2.7; Rain rate 0.2
mosquitto_pub -h 192.168.1.2 -m '{"idx" : 20, "nvalue" : 0, "svalue" : "40;2.8"}' -t 'domoticz/in'
Rain: 2.8; Rain rate 0.4

22

(27 replies, posted in Termometr)

I already tried that combination; it doesn't work. In that case Domoticz doesn't display any values.

23

(27 replies, posted in Termometr)

manguscik wrote:

For temperature and humidity it will look like this:

mosquitto_pub -h 127.0.0.1 -m '{ "idx" : 3, "nvalue" : 0, "svalue" : "21.2;52.5;1"}' -t 'domoticz/in'

And for temperature, humidity and atmospheric pressure it will look like this:

mosquitto_pub -h 127.0.0.1 -m '{ "idx" : 4, "nvalue" : 0, "svalue" : "21.2;54.55;1;1010;1"}' -t 'domoticz/in'

manguscik, thanks for the hints. I reworked it according to the above. By the way, I have a question, because I wanted to do the same for rain and use a dedicated virtual device instead of a custom one. From the Domoticz documentation I have

/json.htm?type=command&param=udevice&idx=IDX&nvalue=0&svalue=RAINRATE;RAINCOUNTER

so I assume that for MQTT it should be:
mosquitto_pub -h 192.168.1.2 -m '{"idx" : 20, "nvalue" : 0, "svalue" : "3.3;4.1"}' -t 'domoticz/in'
It doesn't report an error, but the values displayed in Domoticz are strange, i.e. for the example given Domoticz displays:
- rain 2.0 mm
- rate 0 mm/h
Maybe you have an idea how to straighten this out?
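Helper code for the domoticz/in payloads used in this post and in the earlier rain-test post, added here as an example (it is not code from the posts). The rain-rate scaling (first svalue field as hundredths of mm/h) is an assumption drawn from the test lines reported earlier ("10;2.5" shown as rate 0.1, "40;2.8" as rate 0.4); the other field layouts follow the quoted examples.

```python
"""Domoticz 'domoticz/in' MQTT payloads for the svalue layouts used in this
thread: temperature/humidity, temperature/humidity/pressure, and rain
(RAINRATE;RAINCOUNTER).

Added example, not code from the posts. The rain-rate scaling (first field in
hundredths of mm/h) is inferred from the test results reported in the thread
("10;2.5" -> rate 0.1, "40;2.8" -> rate 0.4), not from Domoticz source.
"""
import json
import shlex

# Number of ';'-separated svalue fields each device type uses in the examples above.
SVALUE_FIELDS = {"temp_hum": 3, "temp_hum_baro": 5, "rain": 2}


def _payload(idx, svalue):
    return json.dumps({"idx": idx, "nvalue": 0, "svalue": svalue})


def temp_hum_payload(idx, temp_c, hum_pct, hum_status=1):
    # TEMP;HUM;HUM_STAT, as in the quoted temperature/humidity example
    return _payload(idx, f"{temp_c};{hum_pct};{hum_status}")


def temp_hum_baro_payload(idx, temp_c, hum_pct, pressure_hpa, hum_status=1, forecast=1):
    # TEMP;HUM;HUM_STAT;BAR;BAR_FOR, as in the quoted temp/hum/baro example
    return _payload(idx, f"{temp_c};{hum_pct};{hum_status};{pressure_hpa};{forecast}")


def rain_payload(idx, rate_mm_h, counter_mm):
    # RAINRATE;RAINCOUNTER. The rate is sent as an integer count of 0.01 mm/h
    # (assumption from the tests above: "10" was displayed as 0.1 mm/h).
    return _payload(idx, f"{round(rate_mm_h * 100)};{counter_mm}")


def decode_rain(payload):
    """Return (rate_mm_h, counter_mm) the way Domoticz displayed them in the tests above."""
    msg = json.loads(payload)
    rate, counter = msg["svalue"].split(";")
    return float(rate) / 100, float(counter)


def validate(payload, device_type):
    """Reject a payload whose idx/nvalue are malformed or whose svalue field count
    does not fit the device type (a cheap sanity check before publishing)."""
    msg = json.loads(payload)
    if not isinstance(msg.get("idx"), int) or msg.get("nvalue") != 0:
        return False
    return len(msg["svalue"].split(";")) == SVALUE_FIELDS[device_type]


def mosquitto_pub_cmd(host, payload, topic="domoticz/in"):
    """The mosquitto_pub command line used in the thread, with shell-safe quoting."""
    return f"mosquitto_pub -h {shlex.quote(host)} -m {shlex.quote(payload)} -t {shlex.quote(topic)}"


if __name__ == "__main__":
    p = rain_payload(20, 0.1, 2.5)
    print(mosquitto_pub_cmd("192.168.1.2", p))
    print("decoded:", decode_rain(p))
    # the "3.3;4.1" payload from the post decodes to a rate far below 0.1 mm/h
    print("decoded:", decode_rain('{"idx" : 20, "nvalue" : 0, "svalue" : "3.3;4.1"}'))
```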

24

(46 replies, posted in Oprogramowanie)

I'm sending the configuration file for the OpenVPN server, which in my case is set up on a VPS:

root@debian:~# cat /etc/openvpn/server.conf
#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh2048.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 172.16.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses.  You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

25

(27 replies, posted in Termometr)

As of today I can't do that either. In that situation I simply send 3 independent MQTT messages and have 3 virtual devices configured: temperature, humidity and pressure.