I have two problems.
1. The OpenWRT connection is established, but the client does not receive an address from OpenWRT.
2. The script in /etc/init.d/ does not run even with the start option, but the code works when invoked manually.
What did I do?
Since I am making the changes remotely through an SSH tunnel, and the SSH service runs on LAN/eth0.1, while the device I want to connect to is reachable not only from eth0.1/LAN 192.168.10.0/24 but also from eth0.2/LAN_AP 192.168.11.0/24, in /etc/config/network I added to:
config interface 'lan_ap'
option ifname 'eth0.2'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.11.1'
the line
and changed lan_ap -> br-lan_ap in the dhcp config, and the zone in the firewall accordingly. After restarting the router, a connection attempt and
root@LEDE:~# logread |grep tap0
Mon Dec 30 19:19:26 2024 daemon.notice openvpn(myvpn)[1468]: TUN/TAP device tap0 opened
Mon Dec 30 19:34:38 2024 daemon.notice openvpn(myvpn)[1468]: TUN/TAP device tap0 opened
root@LEDE:~# brctl show
bridge name bridge id STP enabled interfaces
br-lan_ap 7fff.54e6fcfb9a0c no eth0.2
br-lan_ha 7fff.54e6fcfb9a0c no eth0.5
wlan0
root@LEDE:~#ip a
....
....
18: tap0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 100
link/ether ee:0d:7c:b4:1d:af brd ff:ff:ff:ff:ff:ff
It turns out that the script does not run, because
root@LEDE:~# /etc/init.d/openvpn-startup start
changes nothing
When I run the commands manually, the tap0 device is added to the bridge
openvpn --mktun --dev tap0
brctl addif br-lan_ap tap0
ifconfig tap0 0.0.0.0 promisc up
root@LEDE:~# brctl show
bridge name bridge id STP enabled interfaces
br-lan_ap 7fff.54e6fcfb9a0c no eth0.2
tap0
br-lan_ha 7fff.54e6fcfb9a0c no eth0.5
wlan0
However, after OpenVPN connects, the TAP device in Windows does not receive an address; it has 169.254.48.218, i.e. some random one. I also do not see any DHCP address assignment in the OpenWRT log.
Log after the OpenWRT connection is established:
Mon Dec 30 19:51:23 2024 daemon.notice openvpn(myvpn)[1468]: Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 30 19:51:23 2024 daemon.warn openvpn(myvpn)[1468]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mon Dec 30 19:51:23 2024 daemon.notice openvpn(myvpn)[1468]: Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 30 19:51:23 2024 daemon.notice openvpn(myvpn)[1468]: Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 30 19:51:23 2024 daemon.warn openvpn(myvpn)[1468]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mon Dec 30 19:51:23 2024 daemon.notice openvpn(myvpn)[1468]: Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 30 19:51:23 2024 kern.info kernel: [ 1078.286135] IPv6: ADDRCONF(NETDEV_CHANGE): tap0: link becomes ready
Mon Dec 30 19:51:23 2024 kern.info kernel: [ 1078.292764] br-lan_ap: port 2(tap0) entered forwarding state
Mon Dec 30 19:51:23 2024 kern.info kernel: [ 1078.298502] br-lan_ap: port 2(tap0) entered forwarding state
Mon Dec 30 19:51:23 2024 daemon.notice openvpn(myvpn)[1468]: TUN/TAP device tap0 opened
Mon Dec 30 19:51:23 2024 daemon.notice openvpn(myvpn)[1468]: TUN/TAP TX queue length set to 100
Mon Dec 30 19:51:23 2024 daemon.warn openvpn(myvpn)[1468]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Dec 30 19:51:23 2024 daemon.notice openvpn(myvpn)[1468]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Dec 30 19:51:23 2024 daemon.notice openvpn(myvpn)[1468]: UDPv4 link local (bound): [AF_INET][undef]:1195
Mon Dec 30 19:51:23 2024 daemon.notice openvpn(myvpn)[1468]: UDPv4 link remote: [AF_UNSPEC]
Mon Dec 30 19:51:25 2024 kern.info kernel: [ 1080.290311] br-lan_ap: port 2(tap0) entered forwarding state
Mon Dec 30 19:52:53 2024 daemon.notice openvpn(myvpn)[1468]: Peer Connection Initiated with [AF_INET]37.30.40.50:13362
Mon Dec 30 19:52:53 2024 daemon.warn openvpn(myvpn)[1468]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Dec 30 19:52:53 2024 daemon.notice openvpn(myvpn)[1468]: Initialization Sequence Completed
Mon Dec 30 19:52:53 2024 daemon.err openvpn(myvpn)[1468]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #10 / time = (1735584774) Mon Dec 30 19:52:54 2024 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon Dec 30 19:52:53 2024 daemon.warn openvpn(myvpn)[1468]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
And before starting the connection, right after the router restarts, I keep getting this in the logs. I am definitely not trying to connect, and I don't know how to interpret it.
Mon Dec 30 19:38:48 2024 daemon.notice openvpn(myvpn)[1468]: Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 30 19:38:48 2024 daemon.notice openvpn(myvpn)[1468]: TUN/TAP device tap0 opened
Mon Dec 30 19:38:48 2024 daemon.notice openvpn(myvpn)[1468]: TUN/TAP TX queue length set to 100
Mon Dec 30 19:38:48 2024 daemon.warn openvpn(myvpn)[1468]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Dec 30 19:38:48 2024 daemon.notice openvpn(myvpn)[1468]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Dec 30 19:38:48 2024 daemon.notice openvpn(myvpn)[1468]: UDPv4 link local (bound): [AF_INET][undef]:1195
Mon Dec 30 19:38:48 2024 daemon.notice openvpn(myvpn)[1468]: UDPv4 link remote: [AF_UNSPEC]
Mon Dec 30 19:40:48 2024 daemon.notice openvpn(myvpn)[1468]: Inactivity timeout (--ping-restart), restarting
Mon Dec 30 19:40:48 2024 daemon.notice openvpn(myvpn)[1468]: Closing TUN/TAP interface
Mon Dec 30 19:40:48 2024 daemon.notice openvpn(myvpn)[1468]: SIGUSR1[soft,ping-restart] received, process restarting
Mon Dec 30 19:40:48 2024 daemon.notice openvpn(myvpn)[1468]: Restart pause, 5 second(s)
Mon Dec 30 19:40:53 2024 daemon.notice openvpn(myvpn)[1468]: Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 30 19:40:53 2024 daemon.warn openvpn(myvpn)[1468]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mon Dec 30 19:40:53 2024 daemon.notice openvpn(myvpn)[1468]: Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 30 19:40:53 2024 daemon.notice openvpn(myvpn)[1468]: Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 30 19:40:53 2024 daemon.warn openvpn(myvpn)[1468]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mon Dec 30 19:40:53 2024 daemon.notice openvpn(myvpn)[1468]: Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 30 19:40:53 2024 daemon.notice openvpn(myvpn)[1468]: TUN/TAP device tap0 opened
Mon Dec 30 19:40:53 2024 daemon.notice openvpn(myvpn)[1468]: TUN/TAP TX queue length set to 100
Mon Dec 30 19:40:53 2024 daemon.warn openvpn(myvpn)[1468]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Dec 30 19:40:53 2024 daemon.notice openvpn(myvpn)[1468]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Dec 30 19:40:53 2024 daemon.notice openvpn(myvpn)[1468]: UDPv4 link local (bound): [AF_INET][undef]:1195
Mon Dec 30 19:40:53 2024 daemon.notice openvpn(myvpn)[1468]: UDPv4 link remote: [AF_UNSPEC]
Mon Dec 30 19:42:53 2024 daemon.notice openvpn(myvpn)[1468]: Inactivity timeout (--ping-restart), restarting
Mon Dec 30 19:42:53 2024 daemon.notice openvpn(myvpn)[1468]: Closing TUN/TAP interface
Mon Dec 30 19:42:53 2024 daemon.notice openvpn(myvpn)[1468]: SIGUSR1[soft,ping-restart] received, process restarting
Mon Dec 30 19:42:53 2024 daemon.notice openvpn(myvpn)[1468]: Restart pause, 10 second(s)
Mon Dec 30 19:43:03 2024 daemon.notice openvpn(myvpn)[1468]: Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 30 19:43:03 2024 daemon.warn openvpn(myvpn)[1468]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mon Dec 30 19:43:03 2024 daemon.notice openvpn(myvpn)[1468]: Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 30 19:43:03 2024 daemon.notice openvpn(myvpn)[1468]: Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 30 19:43:03 2024 daemon.warn openvpn(myvpn)[1468]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mon Dec 30 19:43:03 2024 daemon.notice openvpn(myvpn)[1468]: Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 30 19:43:03 2024 daemon.notice openvpn(myvpn)[1468]: TUN/TAP device tap0 opened
Mon Dec 30 19:43:03 2024 daemon.notice openvpn(myvpn)[1468]: TUN/TAP TX queue length set to 100
Mon Dec 30 19:43:03 2024 daemon.warn openvpn(myvpn)[1468]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Dec 30 19:43:03 2024 daemon.notice openvpn(myvpn)[1468]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Dec 30 19:43:03 2024 daemon.notice openvpn(myvpn)[1468]: UDPv4 link local (bound): [AF_INET][undef]:1195
Mon Dec 30 19:43:03 2024 daemon.notice openvpn(myvpn)[1468]: UDPv4 link remote: [AF_UNSPEC]
Mon Dec 30 19:45:03 2024 daemon.notice openvpn(myvpn)[1468]: Inactivity timeout (--ping-restart), restarting
Mon Dec 30 19:45:03 2024 daemon.notice openvpn(myvpn)[1468]: Closing TUN/TAP interface
Mon Dec 30 19:45:03 2024 daemon.notice openvpn(myvpn)[1468]: SIGUSR1[soft,ping-restart] received, process restarting
Mon Dec 30 19:45:03 2024 daemon.notice openvpn(myvpn)[1468]: Restart pause, 20 second(s)
Mon Dec 30 19:45:23 2024 daemon.notice openvpn(myvpn)[1468]: Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 30 19:45:23 2024 daemon.warn openvpn(myvpn)[1468]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mon Dec 30 19:45:23 2024 daemon.notice openvpn(myvpn)[1468]: Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 30 19:45:23 2024 daemon.notice openvpn(myvpn)[1468]: Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 30 19:45:23 2024 daemon.warn openvpn(myvpn)[1468]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mon Dec 30 19:45:23 2024 daemon.notice openvpn(myvpn)[1468]: Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 30 19:45:23 2024 daemon.notice openvpn(myvpn)[1468]: TUN/TAP device tap0 opened
Mon Dec 30 19:45:23 2024 daemon.notice openvpn(myvpn)[1468]: TUN/TAP TX queue length set to 100
Mon Dec 30 19:45:23 2024 daemon.warn openvpn(myvpn)[1468]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Dec 30 19:45:23 2024 daemon.notice openvpn(myvpn)[1468]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Dec 30 19:45:23 2024 daemon.notice openvpn(myvpn)[1468]: UDPv4 link local (bound): [AF_INET][undef]:1195
Mon Dec 30 19:45:23 2024 daemon.notice openvpn(myvpn)[1468]: UDPv4 link remote: [AF_UNSPEC]
Mon Dec 30 19:47:23 2024 daemon.notice openvpn(myvpn)[1468]: Inactivity timeout (--ping-restart), restarting
Mon Dec 30 19:47:23 2024 daemon.notice openvpn(myvpn)[1468]: Closing TUN/TAP interface
Mon Dec 30 19:47:23 2024 daemon.notice openvpn(myvpn)[1468]: SIGUSR1[soft,ping-restart] received, process restarting
Mon Dec 30 19:47:23 2024 daemon.notice openvpn(myvpn)[1468]: Restart pause, 40 second(s)
changes nothing
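Added example, not part of the original post: a POSIX sh/awk helper that summarizes the OpenVPN lines of a `logread` dump like the one above, counting `--ping-restart` cycles, peer connections, weak-cipher warnings, replay errors and `tun-mtu` mismatches. The names `openvpn_triage` and `triage_get` and the output keys are made up for this example; the sample lines are copied from the log in the post.

```shell
#!/bin/sh
# Added example (not from the post): summarize OpenVPN lines from `logread`.

# Sample input: lines copied from the log shown in the post.
sample_log() {
cat <<'EOF'
Mon Dec 30 19:40:48 2024 daemon.notice openvpn(myvpn)[1468]: Inactivity timeout (--ping-restart), restarting
Mon Dec 30 19:40:53 2024 daemon.notice openvpn(myvpn)[1468]: Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 30 19:40:53 2024 daemon.warn openvpn(myvpn)[1468]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mon Dec 30 19:42:53 2024 daemon.notice openvpn(myvpn)[1468]: Inactivity timeout (--ping-restart), restarting
Mon Dec 30 19:51:23 2024 kern.info kernel: [ 1078.292764] br-lan_ap: port 2(tap0) entered forwarding state
Mon Dec 30 19:52:53 2024 daemon.notice openvpn(myvpn)[1468]: Peer Connection Initiated with [AF_INET]37.30.40.50:13362
Mon Dec 30 19:52:53 2024 daemon.err openvpn(myvpn)[1468]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #10 / time = (1735584774) Mon Dec 30 19:52:54 2024 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon Dec 30 19:52:53 2024 daemon.warn openvpn(myvpn)[1468]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
EOF
}

# Reads log lines on stdin and prints one key=value line per finding.
# q holds a single quote so the awk program can match Cipher '<name>'.
openvpn_triage() {
    awk -v q="'" '
    !/ openvpn\(/ { next }                    # skip kernel and other daemons
    /Inactivity timeout \(--ping-restart\)/ { restarts++ }
    /Peer Connection Initiated/             { peers++ }
    /WARNING: INSECURE cipher/              { weak++ }
    /bad packet ID/                         { replay++ }
    /tun-mtu.* is used inconsistently/      { mtu++ }
    match($0, "Cipher " q "[^" q "]+" q) {
        # RSTART points at "Cipher"; skip the 8 chars of: Cipher + space + quote
        cipher = substr($0, RSTART + 8, RLENGTH - 9)
    }
    END {
        printf "ping_restarts=%d\n", restarts
        printf "peer_connections=%d\n", peers
        printf "weak_cipher_warnings=%d\n", weak
        printf "cipher=%s\n", (cipher == "" ? "unknown" : cipher)
        printf "replay_errors=%d\n", replay
        printf "mtu_mismatch=%d\n", mtu
    }'
}

# Prints the value of one key from the summary of the log on stdin.
triage_get() { openvpn_triage | sed -n "s/^$1=//p"; }

sample_log | openvpn_triage
```

On the router the same function can be fed live data with `logread | openvpn_triage`.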