1 (edytowany przez dzyndzla 2018-10-14 17:47:51)

Temat: OpenVPN ruch wychodzący od klienta

Cześć,

uruchomiłem VPNa w oparciu o https://eko.one.pl/?p=openwrt-openvpntun (a jakżeby inaczej :-)

z dodatkowych opcji konfiguracji dodałem dostęp do sieci lokalnej za serwerem, przekierowanie całego ruchu przez tunel i stałą adresację klientów vpn, mam także odpalony dynamic dns.

Wszystko zadziałało i mogę nawiązać połączenie klienta z serwerem, natomiast mam bardzo słaby upload, ookla na kliencie wyrzuca upload test error, nie mogę też wysyłać plików udostępnionych przez sambę, ściąganie działa.

iwinfo

tun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          inet6 addr: fe80::162a:d3f8:92fc:fc55/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:43991 errors:0 dropped:0 overruns:0 frame:0
          TX packets:78291 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:3128995 (2.9 MiB)  TX bytes:101139214 (96.4 MiB)

/etc/config/openvpn

# OpenVPN server instance 'bonkowo' (/etc/config/openvpn). UDP port 1915 here
# must agree with the 'OpenVPN' rule in /etc/config/firewall further down
# (proto udp, dest_port 1915).
config openvpn 'bonkowo'
    option enabled '1'
    option dev 'tun0'
    option port '1915'
    option proto 'udp'
    option log '/tmp/openvpn.log'
    option verb '3'
    # Certificate-only authentication: no tls-auth/tls-crypt key appears in
    # this config, so the control channel is protected by the CA/cert check alone.
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/skynet.crt'
    option key '/etc/openvpn/skynet.key'
    # Client pool 10.8.0.0/24; the log excerpt below shows the first client at 10.8.0.2.
    option server '10.8.0.0 255.255.255.0'
    option dh '/etc/openvpn/dh.pem'
    # Per-client files in ccd/ -- presumably where the fixed client addresses
    # mentioned in the post are defined (contents not shown).
    option client_config_dir '/etc/openvpn/ccd'
    option topology 'subnet'
    # No cipher/auth is set here; the PUSH_REPLY in the log shows AES-256-GCM
    # was negotiated. The pushes send the LAN route plus a default route through
    # the tunnel, so all client traffic (including uploads) transits the router.
    list push 'route 192.168.1.0 255.255.255.0'
    list push 'redirect-gateway def1'

/etc/config/firewall

# Global policy: inter-zone forwarding is denied unless a 'config forwarding'
# stanza allows it. INPUT defaults to ACCEPT, so it is the wan zone's own
# input 'REJECT' below that shields the router from the Internet.
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

# Trusted LAN zone: fully open towards the router and between LAN interfaces.
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    # Unsolicited inbound to the router is rejected; only the explicit
    # 'config rule' / 'config redirect' stanzas below open anything.
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    # NAT for everything leaving via WAN, including forwarded VPN-client traffic.
    option masq '1'
    # MSS clamping is enabled on WAN only; the 'vpn' zone below does not set mtu_fix.
    option mtu_fix '1'

# LAN hosts may initiate towards the Internet; NAT comes from the wan zone's masq.
config forwarding
    option src 'lan'
    option dest 'wan'

# The rules from here to 'Allow-ISAKMP' look like the stock OpenWrt defaults
# (DHCP renew, ping, IGMP, DHCPv6/MLD/ICMPv6, IPsec pass-through) -- confirm
# against a fresh /etc/config/firewall. None of them is specific to the VPN.
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

# The router answers ICMP echo from the Internet (no rate limit on this one).
config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

# These two forward IPsec (ESP and IKE on udp/500) from WAN into the LAN zone.
# Harmless unless a LAN host terminates IPsec, but they can be dropped if unused.
config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

# Custom iptables rules are sourced from /etc/firewall.user; that file is not
# shown in the thread, so it may contain VPN-related rules not visible here.
config include
    option path '/etc/firewall.user'

# Opens tcp/55666 from the Internet to the router itself (no 'dest' => INPUT chain);
# presumably the listening port of a BitTorrent (transmission) daemon on the router.
config rule
    option name 'transmission'
    option src 'wan'
    option target 'ACCEPT'
    option proto 'tcp'
    option dest_port '55666'

# Exposes SSH on 192.168.1.1 (presumably the router's own LAN address, it is also
# pushed to VPN clients as DNS later in the thread) to the Internet on port 2211.
# SSH is TCP-only, so the 'udp' half of this redirect is unnecessary. Once the
# VPN works, admin access could be limited to LAN/VPN instead of the WAN side.
config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '2211'
    option dest_ip '192.168.1.1'
    option dest_port '2211'
    option name 'SSH'

# Zone for the OpenVPN tunnel. Assumes an interface named 'vpn' exists in
# /etc/config/network and covers tun0 -- that file is not shown in the thread.
config zone
    option name 'vpn'
    # VPN clients may reach services on the router itself (input ACCEPT).
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option network 'vpn'
    # Masquerades traffic leaving *towards* the tunnel clients; vpn->wan traffic
    # is already NATed by the wan zone's masq. NOTE(review): no mtu_fix here --
    # with redirect-gateway and a 1500-byte tun0, MSS clamping on this zone is
    # worth testing in relation to the upload problem described above.
    option masq '1'

# Required by 'redirect-gateway def1': client Internet traffic is forwarded out
# via WAN (and masqueraded there).
config forwarding
    option src 'vpn'
    option dest 'wan'

# Opens the OpenVPN listener on the WAN side; matches the UDP/1915 server above.
# The later server config in this thread switches to 'tcp4-server', which needs
# this rule to become proto 'tcp' (or a second rule) to keep accepting clients.
config rule
    option name 'OpenVPN'
    option target 'ACCEPT'
    option src 'wan'
    option proto 'udp'
    option dest_port '1915'

# VPN clients may initiate connections into the LAN. There is no lan->vpn
# forwarding, so LAN hosts only see replies to connections opened from the VPN side.
config forwarding
    option src 'vpn'
    option dest 'lan'

route -n #klient

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        0.0.0.0         UG    50     0        0 tun0
0.0.0.0         192.168.43.1    0.0.0.0         UG    600    0        0 wlp4s0
10.8.0.0        0.0.0.0         255.255.255.0   U     50     0        0 tun0
xxx.xxx.xxx.xxx     192.168.43.1    255.255.255.255 UGH   600    0        0 wlp4s0
192.168.1.0     10.8.0.1        255.255.255.0   UG    50     0        0 tun0
192.168.43.0    0.0.0.0         255.255.255.0   U     600    0        0 wlp4s0
192.168.43.1    0.0.0.0         255.255.255.255 UH    600    0        0 wlp4s0

config

# Client side of the first (UDP) setup. No cipher is set, so the data-channel
# cipher is negotiated; the server log below shows AES-256-GCM being pushed.
client
ca ca.crt
cert moto.crt
dev tun0
key moto.key
proto udp
remote subdomena.domena.ovh 1915
# Rejects a server whose certificate lacks the server EKU, so another client's
# certificate signed by the same CA cannot pose as the server. Keep this.
remote-cert-tls server
verb 3

grep 10.8.0.2 /tmp/openvpn.log

Sun Oct 14 17:27:33 2018 /sbin/ifconfig tun0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Sun Oct 14 17:27:33 2018 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Sun Oct 14 17:30:33 2018 moto/xxx.xxx.101.197:xxx MULTI: Learn: 10.8.0.2 -> moto/xxx.xxx.101.197:xxx
Sun Oct 14 17:30:33 2018 moto/xxx.xxx.101.197:xxx MULTI: primary virtual IP for moto/xxx.xxx.101.197:xxx: 10.8.0.2
Sun Oct 14 17:30:34 2018 moto/xxx.xxx.101.197:xxx SENT CONTROL [moto]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)

Co powinienem zmienić, żeby upload na kliencie zaczął działać? Ogólnie to jestem cienki z sieci bardzo smile Dzięki!


2

Odp: OpenVPN ruch wychodzący od klienta

Wywalić openvpn a zainteresować się innym klientem vpn, np. wireguard. Lub zainwestować w jakiś router albo super mocny albo ze wspomaganiem operacji kryptograficznych.


3

Odp: OpenVPN ruch wychodzący od klienta

Serio? Serwer OpenVPN na WDR3600 z gargoyle radził sobie doskonale, a tutaj na OpenWrt i Linksysie nie pójdzie?


4

Odp: OpenVPN ruch wychodzący od klienta

Skoro tam działało to tu też musi. Tyle że nie masz co zmienić "żeby upload był większy".

I tak, serio. Warto zmienić openvpn ze względu na wydajność.


5

Odp: OpenVPN ruch wychodzący od klienta

OK, ale wcześniej korzystając z tunelu byłem w stanie oglądać np. netflixa, a teraz nie mogę maila wysłać. Spróbuję porównać configi z gargoyle i zobaczę.


6 (edytowany przez dzyndzla 2018-10-15 20:57:54)

Odp: OpenVPN ruch wychodzący od klienta

Odpowiem sam sobie :-)

Zmiana szyfrowania z aes-gcm-256 na aes-cbc-128 rozwiązała problem...


7

Odp: OpenVPN ruch wychodzący od klienta

Hej, po tygodniu walki z tym tunelem udało mi się zmusić go do w miarę stabilnej pracy, ale mam kilka pytań / wątpliwości i jeden problem, który opisałem poniżej logów.
Będę wdzięczny za wszelkie odpowiedzi / sugestie.
Dzięki!
cat /tmp/openvpn.log

Sat Oct 20 12:42:21 2018 us=43940 OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Oct 20 12:42:21 2018 us=44028 library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Sat Oct 20 12:42:21 2018 us=44326 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sat Oct 20 12:42:21 2018 us=44980 Diffie-Hellman initialized with 2048 bit key
Sat Oct 20 12:42:21 2018 us=46016 TLS-Auth MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sat Oct 20 12:42:21 2018 us=52428 TUN/TAP device tun0 opened
Sat Oct 20 12:42:21 2018 us=52953 TUN/TAP TX queue length set to 100
Sat Oct 20 12:42:21 2018 us=53068 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Oct 20 12:42:21 2018 us=53168 /sbin/ifconfig tun0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Sat Oct 20 12:42:21 2018 us=57691 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat Oct 20 12:42:21 2018 us=57817 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Oct 20 12:42:21 2018 us=57887 [b]Listening for incoming TCP connection on [AF_INET][undef]:1915[/b]
Sat Oct 20 12:42:21 2018 us=57945 [b]TCPv4_SERVER link local (bound): [AF_INET][undef]:1915[/b]
Sat Oct 20 12:42:21 2018 us=57990 [b]TCPv4_SERVER link remote: [AF_UNSPEC][/b]
Sat Oct 20 12:42:21 2018 us=58038 MULTI: multi_init called, r=256 v=256
Sat Oct 20 12:42:21 2018 us=58120 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Sat Oct 20 12:42:21 2018 us=58202 MULTI: TCP INIT maxclients=1024 maxevents=1028
Sat Oct 20 12:42:21 2018 us=58310 Initialization Sequence Completed
Sat Oct 20 12:42:46 2018 us=673821 MULTI: multi_create_instance called
Sat Oct 20 12:42:46 2018 us=673998 Re-using SSL/TLS context
Sat Oct 20 12:42:46 2018 us=674060 LZ4 compression initializing
Sat Oct 20 12:42:46 2018 us=674305 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sat Oct 20 12:42:46 2018 us=674403 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat Oct 20 12:42:46 2018 us=674529 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1552,tun-mtu 1500,proto TCPv4_SERVER,[b]comp-lzo[/b],cipher AES-256-GCM,[b]auth [null-digest][/b],keysize 256,key-method 2,tls-server'
Sat Oct 20 12:42:46 2018 us=674578 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1552,tun-mtu 1500,proto TCPv4_CLIENT,[b]comp-lzo[/b],cipher AES-256-GCM,[b]auth [null-digest][/b],keysize 256,key-method 2,tls-client'
Sat Oct 20 12:42:46 2018 us=674657 TCP connection established with [AF_INET]1xx.xx6.1xx.1x:62934
Sat Oct 20 12:42:46 2018 us=674704 [b]TCPv4_SERVER link local: (not bound)[/b]
Sat Oct 20 12:42:46 2018 us=674755 [b]TCPv4_SERVER link remote: [AF_INET]1xx.xx6.1xx.1x:62934[/b]
Sat Oct 20 12:42:46 2018 us=678431 [b]1xx.xx6.1xx.1x:62934 TLS: Initial packet from [AF_INET]1xx.xx6.1xx.1x:62934, sid=c4dcb4ac 15c681c4[/b]
Sat Oct 20 12:42:47 2018 us=123564 1xx.xx6.1xx.1x:62934 VERIFY OK: depth=1, CN=skynet
Sat Oct 20 12:42:47 2018 us=124703 1xx.xx6.1xx.1x:62934 VERIFY OK: depth=0, CN=moto
Sat Oct 20 12:42:47 2018 us=204869 1xx.xx6.1xx.1x:62934 peer info: IV_GUI_VER=OC30Android
Sat Oct 20 12:42:47 2018 us=204949 1xx.xx6.1xx.1x:62934 peer info: IV_VER=3.2
Sat Oct 20 12:42:47 2018 us=204999 1xx.xx6.1xx.1x:62934 peer info: IV_PLAT=android
Sat Oct 20 12:42:47 2018 us=205042 1xx.xx6.1xx.1x:62934 peer info: IV_NCP=2
Sat Oct 20 12:42:47 2018 us=205084 1xx.xx6.1xx.1x:62934 peer info: IV_TCPNL=1
Sat Oct 20 12:42:47 2018 us=205124 1xx.xx6.1xx.1x:62934 peer info: IV_PROTO=2
Sat Oct 20 12:42:47 2018 us=205165 1xx.xx6.1xx.1x:62934 peer info: IV_LZ4=1
Sat Oct 20 12:42:47 2018 us=205205 1xx.xx6.1xx.1x:62934 peer info: IV_IPv6=0
Sat Oct 20 12:42:47 2018 us=205246 1xx.xx6.1xx.1x:62934 peer info: IV_AUTO_SESS=1
Sat Oct 20 12:42:47 2018 us=205338 1xx.xx6.1xx.1x:62934 [b]WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1524'[/b]
Sat Oct 20 12:42:47 2018 us=205466 1xx.xx6.1xx.1x:62934 [b]WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA384'[/b]
Sat Oct 20 12:42:47 2018 us=274783 1xx.xx6.1xx.1x:62934 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Oct 20 12:42:47 2018 us=274885 1xx.xx6.1xx.1x:62934 [b][moto] Peer Connection Initiated with [AF_INET]1xx.xx6.1xx.1x:62934[/b]
Sat Oct 20 12:42:47 2018 us=274991 moto/1xx.xx6.1xx.1x:62934 OPTIONS IMPORT: reading client specific options from: /etc/easy-rsa/ccd/moto
Sat Oct 20 12:42:47 2018 us=275221 moto/1xx.xx6.1xx.1x:62934 MULTI: Learn: 10.8.0.3 -> moto/1xx.xx6.1xx.1x:62934
Sat Oct 20 12:42:47 2018 us=275280 moto/1xx.xx6.1xx.1x:62934 MULTI: primary virtual IP for moto/1xx.xx6.1xx.1x:62934: 10.8.0.3
Sat Oct 20 12:42:47 2018 us=284932 moto/1xx.xx6.1xx.1x:62934 PUSH: Received control message: 'PUSH_REQUEST'
Sat Oct 20 12:42:47 2018 us=285069 moto/1xx.xx6.1xx.1x:62934 SENT CONTROL [moto]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,redirect-gateway def1,dhcp-option DNS 192.168.1.1,compress lz4,persist-tun,persist-key,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 180,ifconfig 10.8.0.3 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Sat Oct 20 12:42:47 2018 us=285140 moto/1xx.xx6.1xx.1x:62934 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
Sat Oct 20 12:42:47 2018 us=285408 moto/1xx.xx6.1xx.1x:62934 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Oct 20 12:42:47 2018 us=285463 moto/1xx.xx6.1xx.1x:62934 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Log z klienta Androida

12:42:45.408 -- ----- OpenVPN Start -----
12:42:45.409 -- EVENT: CORE_THREAD_ACTIVE
12:42:45.415 -- Frame=512/2048/512 mssfix-ctrl=1250
12:42:45.416 -- EVENT: RESOLVE
12:42:45.584 -- Contacting xx.6x.xx.1x:1915 via TCP
12:42:45.586 -- EVENT: WAIT
12:42:45.654 -- Connecting to [xxx.xxx.ovh]:1915 (xx.6x.xx.1x) via TCPv4
12:42:45.733 -- EVENT: CONNECTING
12:42:45.738 -- Tunnel Options:V4,dev-type tun,link-mtu 1524,tun-mtu 1500,proto TCPv4_CLIENT,[b]comp-lzo[/b],cipher AES-256-GCM,auth SHA384,keysize 256,key-method 2,tls-client
12:42:45.739 -- Creds: UsernameEmpty/PasswordEmpty
12:42:45.741 -- Peer Info:

IV_GUI_VER=OC30Android
IV_VER=3.2
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZ4=1
IV_IPv6=0
IV_AUTO_SESS=1

12:42:45.930 -- VERIFY OK : depth=0
cert. version     : 3
serial number     : 01
issuer name       : CN=skynet
subject name      : CN=skynet
issued  on        : 2018-10-19 06:03:35
expires on        : 2028-10-16 06:03:35
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication

12:42:46.254 -- SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
12:42:46.256 -- Session is ACTIVE
12:42:46.258 -- EVENT: GET_CONFIG
12:42:46.263 -- Sending PUSH_REQUEST to server...

12:42:46.461 -- OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0]
1 [redirect-gateway] [def1]
2 [dhcp-option] [DNS] [192.168.1.1]
3 [compress] [lz4]
4 [persist-tun]
5 [persist-key]
6 [route-gateway] [10.8.0.1]
7 [topology] [subnet]
8 [ping] [10]
9 [ping-restart] [180]
10 [ifconfig] [10.8.0.3] [255.255.255.0]
11 [peer-id] [0]
12 [cipher] [AES-256-GCM]
13 [block-ipv6]

12:42:46.464 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA384
  compress: LZ4
  peer ID: 0

12:42:46.465 -- EVENT: ASSIGN_IP
12:42:46.493 -- Connected via tun
12:42:46.496 -- LZ4 init asym=0
12:42:46.498 -- EVENT: CONNECTED info='@xxx.xxx.ovh:1915 (xx.6x.xx.1x) via /TCPv4 on tun/10.8.0.3/ gw=[10.8.0.1/]' trans=TO_CONNECTED

Config klienta

# Client side of the second (TCP) setup.
client
remote          xxxx.xxxx.ovh 1915
dev             tun
# TCP transport: TCP flows carried inside a TCP tunnel tend to stall under
# packet loss (TCP-over-TCP); UDP is normally preferred where the path allows it.
proto            tcp4-client
remote-cert-tls server
# NOTE(review): compression of tunnelled traffic is discouraged by the OpenVPN 2.4
# documentation (it can leak information about the plaintext). The options string
# in the log still says 'comp-lzo' for lz4 -- that token is the legacy name used
# for any compression setting, not a sign that LZO is active (confirm in the manual).
compress        lz4
ca              ca.crt
cert            moto.crt
key             moto.key
cipher            aes-256-gcm
# With an AEAD cipher (GCM) the data channel carries no separate HMAC, which is why
# the server's options string reports 'auth [null-digest]' despite SHA384 here;
# SHA384 is still used on the control channel, and the log shows the handshake
# completing regardless of the warning.
auth            sha384

Config serwera

# Second server instance 'home', now on TCP/1915 with easy-rsa paths. The
# 'OpenVPN' firewall rule shown earlier allows udp only, so tcp/1915 must
# have been opened separately (firewall not re-posted here).
config openvpn 'home'
        option enabled                  '1'
        option log                      '/tmp/openvpn.log'
        option client_config_dir        '/etc/easy-rsa/ccd'
        # verb 4 is what produces the detailed MTU/options lines in the log.
        option verb                     '4'
        option dev                      'tun0'
        option port                     '1915'
        option proto                    'tcp4-server'
        option tcp_queue_limit          '256'
        # Becomes the 'ping 10' / 'ping-restart 180' seen in the PUSH_REPLY.
        # NOTE(review): the hourly handshakes in the log match OpenVPN's default
        # reneg-sec of 3600; no reneg-sec is set here -- confirm if tuning it.
        option keepalive                '10 180'
        # NOTE(review): internal_ip/internal_mask/subnet_ip/subnet_mask are not
        # standard OpenVPN option names; whether the init script consumes or
        # ignores them cannot be told from here -- check /etc/init.d/openvpn.
        option internal_ip              '10.8.0.1'
        option internal_mask            '255.255.255.0'
        option topology                 'subnet'
        option subnet_ip                '192.168.1.0'
        option subnet_mask              '255.255.255.0'
        option ca                       '/etc/easy-rsa/pki/ca.crt'
        option dh                       '/etc/easy-rsa/pki/dh.pem'
        option cert                     '/etc/easy-rsa/pki/issued/skynet.crt'
        option key                      '/etc/easy-rsa/pki/private/skynet.key'
        option server                   '10.8.0.0 255.255.255.0'
        # AEAD data channel; AES-256-CBC is offered as an NCP fallback. With GCM the
        # 'auth' digest only protects the control channel, hence the '[null-digest]'
        # entry in the options string and the benign 'auth' warning in the log.
        option cipher                   'AES-256-GCM'
        option ncp_ciphers              'AES-256-GCM:AES-256-CBC'
        option auth                     'SHA384'
        # NOTE(review): compressing tunnelled traffic is discouraged in the OpenVPN 2.4
        # docs; consider leaving it off unless it is measurably needed.
        option compress                 'lz4'
        option persist_tun              '1'
        option persist_key              '1'
        list push                       'route 192.168.1.0 255.255.255.0'
        list push                       'redirect-gateway def1'
        # Router's LAN address is pushed as the client resolver.
        list push                       'dhcp-option DNS 192.168.1.1'
        list push                       'compress lz4'
        list push                       'persist-tun'
        list push                       'persist-key'

I tutaj kilka pytań odnośnie setupu:

1. Dlaczego pomimo ustawionej kompresji na lz4, log z klienta i serwera pokazuje kompresję lzo:

Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1552,tun-mtu 1500,proto TCPv4_SERVER,[b]comp-lzo[/b],cipher AES-256-GCM,[b]auth [null-digest][/b],keysize 256,key-method 2,tls-server'
Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1552,tun-mtu 1500,proto TCPv4_CLIENT,[b]comp-lzo[/b],cipher AES-256-GCM,[b]auth [null-digest][/b],keysize 256,key-method 2,tls-client'

2. Dlaczego pomimo ustawienia auth w konfigach klienta i serwera dostaję taki warning?

1xx.xx6.1xx.1x:62934 [b]WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA384'[/b]

3. Czy tutaj w związku z AF_INET/undef/AF_UNSPEC czegoś mi nie brakuje w konfiguracji sieci / serwera vpn?
Listening for incoming TCP connection on [AF_INET][undef]:1915
TCPv4_SERVER link local (bound): [AF_INET][undef]:1915
TCPv4_SERVER link remote: [AF_UNSPEC]
4. W jaki sposób skonfigurować link-mtu / tun-mtu, żeby nie dostawać takiego warninga, próbowałem chyba wszystkich możliwych ustawień w konfigach i cały czas to ostrzeżenie:

[b]WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1524'[/b]

Pytam ponieważ klient androida co godzinę robi sobie handshake z serwerem i czasem kończy się to sukcesem, a czasem błędem:

Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
TLS: soft reset sec=0 bytes=695165/-1 pkts=2234/0
TLS ERROR: local/remote key IDs out of sync (7/1) ID:  [key#0 state=S_START id=7 sid=dabe8773 4c041287] [key#1 state=S_NORMAL_OP id=6 sid=dabe8773 4c041287] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Fatal TLS error (check_tls_errors_co), restarting
SIGUSR1[soft,tls-error] received, client-instance restarting

Będę wdzięczny za odpowiedzi i sugestie :-)
Całość loga z handshaków:

Fri Oct 19 20:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 VERIFY OK: depth=1, CN=skynet
Fri Oct 19 20:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 VERIFY OK: depth=0, CN=moto
Fri Oct 19 20:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_GUI_VER=OC30Android
Fri Oct 19 20:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_VER=3.2
Fri Oct 19 20:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_PLAT=android
Fri Oct 19 20:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_NCP=2
Fri Oct 19 20:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_TCPNL=1
Fri Oct 19 20:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_PROTO=2
Fri Oct 19 20:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_LZ4=1
Fri Oct 19 20:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_IPv6=0
Fri Oct 19 20:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_AUTO_SESS=1
Fri Oct 19 20:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1527'
Fri Oct 19 20:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA384'
Fri Oct 19 20:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Oct 19 20:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Oct 19 20:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Oct 19 21:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 VERIFY OK: depth=1, CN=skynet
Fri Oct 19 21:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 VERIFY OK: depth=0, CN=moto
Fri Oct 19 21:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_GUI_VER=OC30Android
Fri Oct 19 21:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_VER=3.2
Fri Oct 19 21:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_PLAT=android
Fri Oct 19 21:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_NCP=2
Fri Oct 19 21:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_TCPNL=1
Fri Oct 19 21:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_PROTO=2
Fri Oct 19 21:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_LZ4=1
Fri Oct 19 21:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_IPv6=0
Fri Oct 19 21:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_AUTO_SESS=1
Fri Oct 19 21:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1527'
Fri Oct 19 21:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA384'
Fri Oct 19 21:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Oct 19 21:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Oct 19 21:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Oct 19 22:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 VERIFY OK: depth=1, CN=skynet
Fri Oct 19 22:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 VERIFY OK: depth=0, CN=moto
Fri Oct 19 22:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_GUI_VER=OC30Android
Fri Oct 19 22:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_VER=3.2
Fri Oct 19 22:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_PLAT=android
Fri Oct 19 22:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_NCP=2
Fri Oct 19 22:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_TCPNL=1
Fri Oct 19 22:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_PROTO=2
Fri Oct 19 22:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_LZ4=1
Fri Oct 19 22:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_IPv6=0
Fri Oct 19 22:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_AUTO_SESS=1
Fri Oct 19 22:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1527'
Fri Oct 19 22:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA384'
Fri Oct 19 22:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Oct 19 22:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Oct 19 22:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Oct 19 23:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 VERIFY OK: depth=1, CN=skynet
Fri Oct 19 23:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 VERIFY OK: depth=0, CN=moto
Fri Oct 19 23:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_GUI_VER=OC30Android
Fri Oct 19 23:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_VER=3.2
Fri Oct 19 23:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_PLAT=android
Fri Oct 19 23:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_NCP=2
Fri Oct 19 23:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_TCPNL=1
Fri Oct 19 23:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_PROTO=2
Fri Oct 19 23:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_LZ4=1
Fri Oct 19 23:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_IPv6=0
Fri Oct 19 23:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_AUTO_SESS=1
Fri Oct 19 23:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1527'
Fri Oct 19 23:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA384'
Fri Oct 19 23:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Oct 19 23:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Oct 19 23:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Oct 20 00:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 VERIFY OK: depth=1, CN=skynet
Sat Oct 20 00:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 VERIFY OK: depth=0, CN=moto
Sat Oct 20 00:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_GUI_VER=OC30Android
Sat Oct 20 00:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_VER=3.2
Sat Oct 20 00:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_PLAT=android
Sat Oct 20 00:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_NCP=2
Sat Oct 20 00:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_TCPNL=1
Sat Oct 20 00:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_PROTO=2
Sat Oct 20 00:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_LZ4=1
Sat Oct 20 00:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_IPv6=0
Sat Oct 20 00:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_AUTO_SESS=1
Sat Oct 20 00:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1527'
Sat Oct 20 00:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA384'
Sat Oct 20 00:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Oct 20 00:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Oct 20 00:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Oct 20 01:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 VERIFY OK: depth=1, CN=skynet
Sat Oct 20 01:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 VERIFY OK: depth=0, CN=moto
Sat Oct 20 01:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_GUI_VER=OC30Android
Sat Oct 20 01:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_VER=3.2
Sat Oct 20 01:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_PLAT=android
Sat Oct 20 01:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_NCP=2
Sat Oct 20 01:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_TCPNL=1
Sat Oct 20 01:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_PROTO=2
Sat Oct 20 01:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_LZ4=1
Sat Oct 20 01:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_IPv6=0
Sat Oct 20 01:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 peer info: IV_AUTO_SESS=1
Sat Oct 20 01:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1527'
Sat Oct 20 01:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA384'
Sat Oct 20 01:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Oct 20 01:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Oct 20 01:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Oct 20 02:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 TLS: soft reset sec=0 bytes=695165/-1 pkts=2234/0
Sat Oct 20 02:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 TLS ERROR: local/remote key IDs out of sync (7/1) ID:  [key#0 state=S_START id=7 sid=dabe8773 4c041287] [key#1 state=S_NORMAL_OP id=6 sid=dabe8773 4c041287] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Sat Oct 20 02:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 Fatal TLS error (check_tls_errors_co), restarting
Sat Oct 20 02:02:49 2018 moto/xxx.1xx.1xx.xx9:7577 SIGUSR1[soft,tls-error] received, client-instance restarting
Sat Oct 20 02:06:47 2018 TCP connection established with [AF_INET]xxx.1xx.1xx.xx9:7464
Sat Oct 20 02:06:47 2018 xxx.1xx.1xx.xx9:7464 Connection reset, restarting [0]
Sat Oct 20 02:06:47 2018 xxx.1xx.1xx.xx9:7464 SIGUSR1[soft,connection-reset] received, client-instance restarting
Sat Oct 20 02:06:47 2018 TCP connection established with [AF_INET]xxx.1xx.1xx.xx9:7442
Sat Oct 20 02:07:47 2018 xxx.1xx.1xx.xx9:7442 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 20 02:07:47 2018 xxx.1xx.1xx.xx9:7442 TLS Error: TLS handshake failed
Sat Oct 20 02:07:47 2018 xxx.1xx.1xx.xx9:7442 Fatal TLS error (check_tls_errors_co), restarting
Sat Oct 20 02:07:47 2018 xxx.1xx.1xx.xx9:7442 SIGUSR1[soft,tls-error] received, client-instance restarting