1 (edited by Bieniu 2015-03-04 16:17:45)

Topic: Problem with OpenVPN server configuration on BB

Hello
I recently moved my TP-Link TL-WDR4300 from Gargoyle to Cezary's latest OpenWrt Barrier Breaker 14.07 / LuCI 0.12 build. Everything works nicely except OpenVPN, which I have been fighting with to no effect. I did the configuration based on this guide: http://wiki.openwrt.org/doc/howto/vpn.openvpn The client (an Android phone) connects and I can ping the router 192.168.1.1 from it, but I have no internet. I'm not very sharp on these things. Could someone help?
The configuration looks as follows:
/etc/config/network

config interface 'vpn'
        option ifname 'tun0'
        option proto 'none'

/etc/config/openvpn

config openvpn 'dom'
        option enabled '1'
        option dev 'tun'
        option proto 'udp'
        option log '/tmp/openvpn.log'
        option verb '3'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/dom.crt'
        option key '/etc/openvpn/dom.key'
        option server '10.8.0.0 255.255.255.0'
        option port '1194'
        option keepalive '10 120'
        option dh '/etc/openvpn/dh2048.pem'
        option push 'dhcp-option DNS 192.168.1.1'

/etc/config/firewall

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'udp'
        option dest_port '1194'

Server log:

Wed Mar  4 16:03:39 2015 XXX.XXX.XXX.XXX:1194 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=5a5d44ee e4c294ca
Wed Mar  4 16:03:41 2015 XXX.XXX.XXX.XXX:1194 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=EasyRSA, emailAddress=me@myhost.mydomain
Wed Mar  4 16:03:41 2015 XXX.XXX.XXX.XXX:1194 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=telefon, name=EasyRSA, emailAddress=me@myhost.mydomain
Wed Mar  4 16:03:41 2015 XXX.XXX.XXX.XXX:1194 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar  4 16:03:41 2015 XXX.XXX.XXX.XXX:1194 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar  4 16:03:41 2015 XXX.XXX.XXX.XXX:1194 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar  4 16:03:41 2015 XXX.XXX.XXX.XXX:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar  4 16:03:41 2015 XXX.XXX.XXX.XXX:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Mar  4 16:03:41 2015 XXX.XXX.XXX.XXX:1194 [telefon] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
Wed Mar  4 16:03:41 2015 telefon/XXX.XXX.XXX.XXX:1194 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Wed Mar  4 16:03:41 2015 telefon/XXX.XXX.XXX.XXX:1194 MULTI: Learn: 10.8.0.6 -> telefon/XXX.XXX.XXX.XXX:1194
Wed Mar  4 16:03:41 2015 telefon/XXX.XXX.XXX.XXX:1194 MULTI: primary virtual IP for telefon/XXX.XXX.XXX.XXX:1194: 10.8.0.6
Wed Mar  4 16:03:43 2015 telefon/XXX.XXX.XXX.XXX:1194 PUSH: Received control message: 'PUSH_REQUEST'
Wed Mar  4 16:03:43 2015 telefon/XXX.XXX.XXX.XXX:1194 send_push_reply(): safe_cap=940
Wed Mar  4 16:03:43 2015 telefon/XXX.XXX.XXX.XXX:1194 SENT CONTROL [telefon]: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Wed Mar  4 16:11:37 2015 telefon/XXX.XXX.XXX.XXX:1194 [telefon] Inactivity timeout (--ping-restart), restarting
Wed Mar  4 16:11:37 2015 telefon/XXX.XXX.XXX.XXX:1194 SIGUSR1[soft,ping-restart] received, client-instance restarting

The client log looks as follows:

2015-03-04 15:36:21 Running on Nexus 4 (MAKO) google, Android API 21, version 0.6.29, Official build
2015-03-04 15:36:21 Log cleared.
2015-03-04 16:03:34 Building configuration…
2015-03-04 16:03:37 started Socket Thread
2015-03-04 16:03:37 Network status: CONNECTED  to WIFI "XXXXXX"
2015-03-04 16:03:37 Current Parameter Settings:
2015-03-04 16:03:37   config = '/data/data/de.blinkt.openvpn/cache/android.conf'
2015-03-04 16:03:37   mode = 0
2015-03-04 16:03:37   show_ciphers = DISABLED
2015-03-04 16:03:37   show_digests = DISABLED
2015-03-04 16:03:37   show_engines = DISABLED
2015-03-04 16:03:37   genkey = DISABLED
2015-03-04 16:03:37   key_pass_file = '[UNDEF]'
2015-03-04 16:03:37   show_tls_ciphers = DISABLED
2015-03-04 16:03:37   connect_retry_max = 5
2015-03-04 16:03:37 Connection profiles [0]:
2015-03-04 16:03:37   proto = udp
2015-03-04 16:03:37   local = '[UNDEF]'
2015-03-04 16:03:37   local_port = '1194'
2015-03-04 16:03:37   remote = 'XXX.XXX.XXX.XXX'
2015-03-04 16:03:37   remote_port = '1194'
2015-03-04 16:03:37   remote_float = DISABLED
2015-03-04 16:03:37   bind_defined = DISABLED
2015-03-04 16:03:37   bind_local = ENABLED
2015-03-04 16:03:37   bind_ipv6_only = DISABLED
2015-03-04 16:03:37   connect_retry_seconds = 5
2015-03-04 16:03:37   connect_timeout = 10
2015-03-04 16:03:37   socks_proxy_server = '[UNDEF]'
2015-03-04 16:03:37   socks_proxy_port = '[UNDEF]'
2015-03-04 16:03:37   socks_proxy_retry = DISABLED
2015-03-04 16:03:37   tun_mtu = 1500
2015-03-04 16:03:37   tun_mtu_defined = ENABLED
2015-03-04 16:03:37   link_mtu = 1500
2015-03-04 16:03:37   link_mtu_defined = DISABLED
2015-03-04 16:03:37   tun_mtu_extra = 0
2015-03-04 16:03:37   tun_mtu_extra_defined = DISABLED
2015-03-04 16:03:37   mtu_discover_type = -1
2015-03-04 16:03:37   fragment = 0
2015-03-04 16:03:37   mssfix = 1450
2015-03-04 16:03:37   explicit_exit_notification = 0
2015-03-04 16:03:37 Connection profiles END
2015-03-04 16:03:37   remote_random = DISABLED
2015-03-04 16:03:37   ipchange = '[UNDEF]'
2015-03-04 16:03:37   dev = 'tun'
2015-03-04 16:03:37   dev_type = '[UNDEF]'
2015-03-04 16:03:37   dev_node = '[UNDEF]'
2015-03-04 16:03:37   lladdr = '[UNDEF]'
2015-03-04 16:03:37   topology = 1
2015-03-04 16:03:37   tun_ipv6 = DISABLED
2015-03-04 16:03:37   ifconfig_local = '[UNDEF]'
2015-03-04 16:03:37   ifconfig_remote_netmask = '[UNDEF]'
2015-03-04 16:03:37   ifconfig_noexec = DISABLED
2015-03-04 16:03:37   ifconfig_nowarn = ENABLED
2015-03-04 16:03:37   ifconfig_ipv6_local = '[UNDEF]'
2015-03-04 16:03:37   ifconfig_ipv6_netbits = 0
2015-03-04 16:03:37   ifconfig_ipv6_remote = '[UNDEF]'
2015-03-04 16:03:37   shaper = 0
2015-03-04 16:03:37   mtu_test = 0
2015-03-04 16:03:37   mlock = DISABLED
2015-03-04 16:03:37   keepalive_ping = 0
2015-03-04 16:03:37   keepalive_timeout = 0
2015-03-04 16:03:37   inactivity_timeout = 0
2015-03-04 16:03:37   ping_send_timeout = 0
2015-03-04 16:03:37   ping_rec_timeout = 0
2015-03-04 16:03:37   ping_rec_timeout_action = 0
2015-03-04 16:03:37   ping_timer_remote = DISABLED
2015-03-04 16:03:37   remap_sigusr1 = 0
2015-03-04 16:03:37   persist_tun = DISABLED
2015-03-04 16:03:37   persist_local_ip = DISABLED
2015-03-04 16:03:37   persist_remote_ip = DISABLED
2015-03-04 16:03:37   persist_key = DISABLED
2015-03-04 16:03:37   passtos = DISABLED
2015-03-04 16:03:37   resolve_retry_seconds = 60
2015-03-04 16:03:37   resolve_in_advance = DISABLED
2015-03-04 16:03:37   username = '[UNDEF]'
2015-03-04 16:03:37   groupname = '[UNDEF]'
2015-03-04 16:03:37   chroot_dir = '[UNDEF]'
2015-03-04 16:03:37   cd_dir = '[UNDEF]'
2015-03-04 16:03:37   writepid = '[UNDEF]'
2015-03-04 16:03:37   up_script = '[UNDEF]'
2015-03-04 16:03:37   down_script = '[UNDEF]'
2015-03-04 16:03:37   down_pre = DISABLED
2015-03-04 16:03:37   up_restart = DISABLED
2015-03-04 16:03:37   up_delay = DISABLED
2015-03-04 16:03:37   daemon = DISABLED
2015-03-04 16:03:37   inetd = 0
2015-03-04 16:03:37   log = DISABLED
2015-03-04 16:03:37   suppress_timestamps = DISABLED
2015-03-04 16:03:37   machine_readable_output = ENABLED
2015-03-04 16:03:37   nice = 0
2015-03-04 16:03:37   verbosity = 4
2015-03-04 16:03:37   mute = 0
2015-03-04 16:03:37   gremlin = 0
2015-03-04 16:03:37   status_file = '[UNDEF]'
2015-03-04 16:03:37   status_file_version = 1
2015-03-04 16:03:37   status_file_update_freq = 60
2015-03-04 16:03:37   occ = ENABLED
2015-03-04 16:03:37   rcvbuf = 65536
2015-03-04 16:03:37   sndbuf = 65536
2015-03-04 16:03:37   sockflags = 0
2015-03-04 16:03:37   fast_io = DISABLED
2015-03-04 16:03:37   comp.alg = 0
2015-03-04 16:03:37   comp.flags = 0
2015-03-04 16:03:37   route_script = '[UNDEF]'
2015-03-04 16:03:37   route_default_gateway = '[UNDEF]'
2015-03-04 16:03:37   route_default_metric = 0
2015-03-04 16:03:37   route_noexec = DISABLED
2015-03-04 16:03:37   route_delay = 0
2015-03-04 16:03:37   route_delay_window = 30
2015-03-04 16:03:37   route_delay_defined = DISABLED
2015-03-04 16:03:37   route_nopull = DISABLED
2015-03-04 16:03:37   route_gateway_via_dhcp = DISABLED
2015-03-04 16:03:37   allow_pull_fqdn = DISABLED
2015-03-04 16:03:37   route 0.0.0.0/0.0.0.0/vpn_gateway/nil
2015-03-04 16:03:37   management_addr = '/data/data/de.blinkt.openvpn/cache/mgmtsocket'
2015-03-04 16:03:37   management_port = 'unix'
2015-03-04 16:03:37   management_user_pass = '[UNDEF]'
2015-03-04 16:03:37   management_log_history_cache = 250
2015-03-04 16:03:37   management_echo_buffer_size = 100
2015-03-04 16:03:37   management_write_peer_info_file = '[UNDEF]'
2015-03-04 16:03:37   management_client_user = '[UNDEF]'
2015-03-04 16:03:37   management_client_group = '[UNDEF]'
2015-03-04 16:03:37   management_flags = 4390
2015-03-04 16:03:37   shared_secret_file = '[UNDEF]'
2015-03-04 16:03:37   key_direction = 0
2015-03-04 16:03:37   ciphername_defined = ENABLED
2015-03-04 16:03:37   ciphername = 'BF-CBC'
2015-03-04 16:03:37   authname_defined = ENABLED
2015-03-04 16:03:37   authname = 'SHA1'
2015-03-04 16:03:37   prng_hash = 'SHA1'
2015-03-04 16:03:37   prng_nonce_secret_len = 16
2015-03-04 16:03:37   keysize = 0
2015-03-04 16:03:37   engine = DISABLED
2015-03-04 16:03:37   replay = ENABLED
2015-03-04 16:03:37   mute_replay_warnings = DISABLED
2015-03-04 16:03:37   replay_window = 64
2015-03-04 16:03:37   replay_time = 15
2015-03-04 16:03:37   packet_id_file = '[UNDEF]'
2015-03-04 16:03:37   use_iv = ENABLED
2015-03-04 16:03:37   test_crypto = DISABLED
2015-03-04 16:03:37   tls_server = DISABLED
2015-03-04 16:03:37   tls_client = ENABLED
2015-03-04 16:03:37   key_method = 2
2015-03-04 16:03:37   ca_file = '[[INLINE]]'
2015-03-04 16:03:37   ca_path = '[UNDEF]'
2015-03-04 16:03:37   dh_file = '[UNDEF]'
2015-03-04 16:03:37   cert_file = '[[INLINE]]'
2015-03-04 16:03:37   priv_key_file = '[[INLINE]]'
2015-03-04 16:03:37   pkcs12_file = '[UNDEF]'
2015-03-04 16:03:37   cipher_list = '[UNDEF]'
2015-03-04 16:03:37   tls_verify = '[UNDEF]'
2015-03-04 16:03:37   tls_export_cert = '[UNDEF]'
2015-03-04 16:03:37   verify_x509_type = 0
2015-03-04 16:03:37   verify_x509_name = '[UNDEF]'
2015-03-04 16:03:37   crl_file = '[UNDEF]'
2015-03-04 16:03:37   ns_cert_type = 0
2015-03-04 16:03:37   remote_cert_ku[i] = 160
2015-03-04 16:03:37   remote_cert_ku[i] = 136
2015-03-04 16:03:37   remote_cert_ku[i] = 0
2015-03-04 16:03:37   remote_cert_ku[i] = 0
2015-03-04 16:03:37   remote_cert_ku[i] = 0
2015-03-04 16:03:37   remote_cert_ku[i] = 0
2015-03-04 16:03:37   remote_cert_ku[i] = 0
2015-03-04 16:03:37   remote_cert_ku[i] = 0
2015-03-04 16:03:37   remote_cert_ku[i] = 0
2015-03-04 16:03:37   remote_cert_ku[i] = 0
2015-03-04 16:03:37   remote_cert_ku[i] = 0
2015-03-04 16:03:37   remote_cert_ku[i] = 0
2015-03-04 16:03:37   remote_cert_ku[i] = 0
2015-03-04 16:03:37   remote_cert_ku[i] = 0
2015-03-04 16:03:37   remote_cert_ku[i] = 0
2015-03-04 16:03:37   remote_cert_ku[i] = 0
2015-03-04 16:03:37   remote_cert_eku = 'TLS Web Server Authentication'
2015-03-04 16:03:37   ssl_flags = 0
2015-03-04 16:03:37   tls_timeout = 2
2015-03-04 16:03:37   renegotiate_bytes = 0
2015-03-04 16:03:37   renegotiate_packets = 0
2015-03-04 16:03:37   renegotiate_seconds = 3600
2015-03-04 16:03:37   handshake_window = 60
2015-03-04 16:03:37   transition_window = 3600
2015-03-04 16:03:37   single_session = DISABLED
2015-03-04 16:03:37   push_peer_info = DISABLED
2015-03-04 16:03:37   tls_exit = DISABLED
2015-03-04 16:03:37   tls_auth_file = '[UNDEF]'
2015-03-04 16:03:37   client = ENABLED
2015-03-04 16:03:37   pull = ENABLED
2015-03-04 16:03:37   auth_user_pass_file = '[UNDEF]'
2015-03-04 16:03:37 OpenVPN 2.4-icsopenvpn [git:icsopenvpn_629-4c6f7f0d16e1a6b3] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [SNAPPY] [LZ4] [EPOLL] [MH] [IPv6] built on Feb 24 2015
2015-03-04 16:03:37 library versions: OpenSSL 1.0.1l 15 Jan 2015, LZO 2.07
2015-03-04 16:03:37 MANAGEMENT: Connected to management server at /data/data/de.blinkt.openvpn/cache/mgmtsocket
2015-03-04 16:03:37 MANAGEMENT: CMD 'hold release'
2015-03-04 16:03:37 MANAGEMENT: CMD 'bytecount 2'
2015-03-04 16:03:37 MANAGEMENT: CMD 'state on'
2015-03-04 16:03:37 MANAGEMENT: CMD 'proxy NONE'
2015-03-04 16:03:38 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:3 ]
2015-03-04 16:03:38 MANAGEMENT: >STATE:1425481418,RESOLVE,,,
2015-03-04 16:03:39 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:392 ET:0 EL:3 ]
2015-03-04 16:03:39 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2015-03-04 16:03:39 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2015-03-04 16:03:39 Local Options hash (VER=V4): '3514370b'
2015-03-04 16:03:39 Expected Remote Options hash (VER=V4): '239669a8'
2015-03-04 16:03:39 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
2015-03-04 16:03:39 Socket Buffers: R=[163840->131072] S=[163840->131072]
2015-03-04 16:03:39 Protecting socket fd 4
2015-03-04 16:03:39 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2015-03-04 16:03:39 UDP link local (bound): [AF_INET][undef]:1194
2015-03-04 16:03:39 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
2015-03-04 16:03:39 MANAGEMENT: >STATE:1425481419,WAIT,,,
2015-03-04 16:03:39 MANAGEMENT: >STATE:1425481419,AUTH,,,
2015-03-04 16:03:39 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=b9cee313 3037781a
2015-03-04 16:03:39 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=EasyRSA, emailAddress=me@myhost.mydomain
2015-03-04 16:03:39 Validating certificate key usage
2015-03-04 16:03:39 ++ Certificate has key usage  00a0, expects 00a0
2015-03-04 16:03:39 VERIFY KU OK
2015-03-04 16:03:39 Validating certificate extended key usage
2015-03-04 16:03:39 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2015-03-04 16:03:39 VERIFY EKU OK
2015-03-04 16:03:39 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=dom, name=EasyRSA, emailAddress=me@myhost.mydomain
2015-03-04 16:03:40 NOTE: Options consistency check may be skewed by version differences
2015-03-04 16:03:40 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
2015-03-04 16:03:40 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
2015-03-04 16:03:40 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1541'
2015-03-04 16:03:40 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
2015-03-04 16:03:40 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
2015-03-04 16:03:40 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
2015-03-04 16:03:40 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 128'
2015-03-04 16:03:40 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
2015-03-04 16:03:40 WARNING: 'tls-server' is present in local config but missing in remote config, local='tls-server'
2015-03-04 16:03:40 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2015-03-04 16:03:40 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2015-03-04 16:03:40 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2015-03-04 16:03:40 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2015-03-04 16:03:40 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2015-03-04 16:03:40 [dom] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
2015-03-04 16:03:41 MANAGEMENT: >STATE:1425481421,GET_CONFIG,,,
2015-03-04 16:03:43 SENT CONTROL [dom]: 'PUSH_REQUEST' (status=1)
2015-03-04 16:03:43 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
2015-03-04 16:03:43 OPTIONS IMPORT: timers and/or timeouts modified
2015-03-04 16:03:43 OPTIONS IMPORT: --ifconfig/up options modified
2015-03-04 16:03:43 OPTIONS IMPORT: route options modified
2015-03-04 16:03:43 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2015-03-04 16:03:43 ROUTE_GATEWAY 127.100.103.119/255.0.0.0 IFACE=lo HWADDR=00:00:00:00:00:00
2015-03-04 16:03:43 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2015-03-04 16:03:43 MANAGEMENT: >STATE:1425481423,ASSIGN_IP,,10.8.0.6,
2015-03-04 16:03:43 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2015-03-04 16:03:43 MANAGEMENT: >STATE:1425481423,ADD_ROUTES,,,
2015-03-04 16:03:43 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2015-03-04 16:03:43 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2015-03-04 16:03:43 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2015-03-04 16:03:43 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2015-03-04 16:03:43 Opening tun interface:
2015-03-04 16:03:43 Ignoring multicast route: 224.0.0.0/3
2015-03-04 16:03:43 Local IPv4: 10.8.0.6/30 IPv6: null MTU: 1500
2015-03-04 16:03:43 DNS server: 192.168.1.1, Domain: null
2015-03-04 16:03:43 Routes: 0.0.0.0/0, 10.8.0.1/32, 10.8.0.4/30 
2015-03-04 16:03:43 Routes excluded: 192.168.1.105/24 
2015-03-04 16:03:43 VpnService routes installed: 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.168.0.0/24, 192.168.2.0/23, 192.168.4.0/22, 192.168.8.0/21, 192.168.16.0/20, 192.168.32.0/19, 192.168.64.0/18, 192.168.128.0/17, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3 
2015-03-04 16:03:43 Disallowed VPN apps: 
2015-03-04 16:03:43 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2015-03-04 16:03:43 Initialization Sequence Completed
2015-03-04 16:03:43 MANAGEMENT: >STATE:1425481423,CONNECTED,SUCCESS,10.8.0.6,XXX.XXX.XXX.XXX

2

Re: Problem with OpenVPN server configuration on BB

Also "Routing All Client Traffic Through the Tunnel" in that guide.

Got a router you don't need, broken or not? I'll gladly take it in.

3

Re: Problem with OpenVPN server configuration on BB

I have routing all client traffic forced on the client. Just in case I added

option push 'redirect-gateway def1'

but it didn't help at all. I noticed that after connecting to the server I cannot ping any other computer on the local network from the client, nor 10.8.0.1.

4

Re: Problem with OpenVPN server configuration on BB

How do you have it forced on the client? That is something you do in the server config.

5

Re: Problem with OpenVPN server configuration on BB

Done, and no change.

6

Re: Problem with OpenVPN server configuration on BB

No change in what? Did the client set a default route for itself?

7 (edited by Bieniu 2015-03-04 21:41:57)

Re: Problem with OpenVPN server configuration on BB

The client shows this in its log:

Routes: 0.0.0.0/0, 10.8.0.1/32, 10.8.0.4/30, 192.168.1.0/24

I installed the OpenVPN client on a Windows laptop and the effect is exactly the same. It connects, I can ping 192.168.1.1 and 10.8.0.1 (after adding the route that ping started working). Pings to other machines on the network or to anything on the internet get no reply.

8

Re: Problem with OpenVPN server configuration on BB

@Bieniu I have the same router and I also set up the VPN following that guide, and everything runs fine. Below are the fragments where my config differs from yours; maybe it helps. BTW, did you forward traffic from vpn > wan??

/etc/config/openvpn
option push 'redirect-gateway def1 local'



/etc/config/firewall
config rule
        option target 'ACCEPT'
        option name 'VPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'tcp udp'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn0'

config forwarding
        option src 'vpn'
        option dest 'wan'

9

Re: Problem with OpenVPN server configuration on BB

@copernic_us I entered the configuration like yours and there is progress. After connecting, pages load, but I have no access to other devices on the local network. Shouldn't there also be this?

config forwarding
        option src 'vpn'
        option dest 'lan'

10

Re: Problem with OpenVPN server configuration on BB

I only have forwarding set up like this:

config forwarding
        option dest 'lan'
        option src 'wan'

config forwarding
        option dest 'wan'
        option src 'lan'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn0'

config forwarding
        option src 'vpn'
        option dest 'wan'

11

Re: Problem with OpenVPN server configuration on BB

And with those settings you have access to LAN devices from the VPN?

12

Re: Problem with OpenVPN server configuration on BB

I can see another guide will have to be written/updated.

13

Re: Problem with OpenVPN server configuration on BB

@Cezary Seconded.

14 (edited by copernic_us 2015-03-05 10:55:42)

Re: Problem with OpenVPN server configuration on BB

Yes, with those settings I have access from the phone (OpenVPN Client from PS) to the LAN and I get the router's (external) IP. I connect over Orange LTE directly to the router and it all works.

If any configuration dumps are needed, I'm happy to paste them.
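
The fix that emerges from posts 8 to 10 is a firewall one: in OpenWrt's firewall a zone's own 'forward' option only permits traffic between networks inside that zone, so traffic leaving the vpn zone towards wan (internet) or lan (other LAN hosts) needs its own 'config forwarding' section, in addition to the server pushing a route to the client. Below is an added checker for exactly those gaps. It is example code written for this page, not an OpenWrt or OpenVPN tool; the uci_has/uci_opt_matches helpers are a deliberately small UCI parser. It assumes the zone is called 'vpn', the LAN is 192.168.1.0/24, the wan zone masquerades (the default), and that several push directives are given as 'list push' entries. The sample files are constructed from the thread's own snippets, with a wan zone added that the posts do not show.

```shell
#!/bin/sh
# Check an OpenWrt (UCI) firewall and openvpn config for the gaps this thread ran into:
# a vpn zone with no 'config forwarding' leaving it, and a server that pushes neither a
# default route nor a route to the LAN. Example code for this page: the uci_* helpers
# are not OpenWrt commands, and the sample files are constructed from the thread's snippets.

# uci_has FILE TYPE [key=value ...]: succeeds if some 'config TYPE' section in FILE
# carries every given option value. Minimal parser for config/option/list lines.
uci_has() {
  file=$1 sect=$2; shift 2
  awk -v q="'" -v want_type="$sect" -v want="$*" '
    BEGIN { n = split(want, pairs, " ") }
    function check_section() {
      if (cur != want_type) return
      ok = 1
      for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); if (opt[kv[1]] != kv[2]) ok = 0 }
      if (ok) found = 1
    }
    $1 == "config" { check_section(); cur = $2; split("", opt); next }
    $1 == "option" || $1 == "list" {
      val = $0; sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val); gsub(q, "", val)
      opt[$2] = val
    }
    END { check_section(); exit found ? 0 : 1 }
  ' "$file"
}

# uci_opt_matches FILE TYPE OPTION REGEX: succeeds if any OPTION (option or list item)
# in a TYPE section matches REGEX; for multi-word values such as push directives.
uci_opt_matches() {
  awk -v q="'" -v want_type="$2" -v want_key="$3" -v re="$4" '
    $1 == "config" { cur = $2; next }
    ($1 == "option" || $1 == "list") && cur == want_type && $2 == want_key {
      val = $0; sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val); gsub(q, "", val)
      if (val ~ re) found = 1
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# check_vpn_config FW_FILE OVPN_FILE ZONE LAN_NET: prints one line per gap and returns
# the number of gaps (0 = nothing missing).
check_vpn_config() {
  fw=$1 ovpn=$2 zone=$3 lan=$4 gaps=0
  uci_has "$fw" zone "name=$zone" \
    || { echo "MISSING: firewall zone '$zone'"; gaps=$((gaps + 1)); }
  # A zone's own 'forward' option only covers traffic between networks inside that zone;
  # leaving it needs explicit inter-zone forwardings, otherwise the default policy applies.
  uci_has "$fw" forwarding "src=$zone" dest=wan \
    || { echo "MISSING: forwarding $zone -> wan (clients get no internet)"; gaps=$((gaps + 1)); }
  uci_has "$fw" forwarding "src=$zone" dest=lan \
    || { echo "MISSING: forwarding $zone -> lan (LAN hosts unreachable from the VPN)"; gaps=$((gaps + 1)); }
  uci_has "$fw" zone name=wan masq=1 \
    || { echo "MISSING: masquerade on wan (replies to 10.8.0.x have no way back)"; gaps=$((gaps + 1)); }
  # Without either push the client keeps its own default route and learns nothing about the LAN.
  uci_opt_matches "$ovpn" openvpn push '^redirect-gateway' \
    || uci_opt_matches "$ovpn" openvpn push "^route $lan " \
    || { echo "MISSING: push 'redirect-gateway' or 'route $lan <mask>'"; gaps=$((gaps + 1)); }
  return $gaps
}

# write_samples DIR: constructed inputs (thread's first config, then a corrected one; wan zone added).
write_samples() {
  cat >"$1/fw.broken" <<'EOF'
config zone
        option name 'wan'
        option masq '1'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn'
EOF
  cat >"$1/ovpn.broken" <<'EOF'
config openvpn 'dom'
        option server '10.8.0.0 255.255.255.0'
        option push 'dhcp-option DNS 192.168.1.1'
EOF
  cp "$1/fw.broken" "$1/fw.fixed"
  cat >>"$1/fw.fixed" <<'EOF'
config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'vpn'
        option dest 'lan'
EOF
  # several push directives go in as list entries (one 'option push' holds a single value)
  cat >"$1/ovpn.fixed" <<'EOF'
config openvpn 'dom'
        option server '10.8.0.0 255.255.255.0'
        list push 'redirect-gateway def1'
        list push 'route 192.168.1.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'
EOF
}

work=$(mktemp -d)
write_samples "$work"
for v in broken fixed; do
  echo "== $v config =="
  check_vpn_config "$work/fw.$v" "$work/ovpn.$v" vpn 192.168.1.0 && echo "OK: nothing missing"
done
rm -r "$work"
```

Run as-is, the 'broken' set reports three gaps (vpn -> wan, vpn -> lan, no route push) and the 'fixed' set none; on the router, point check_vpn_config at /etc/config/firewall and /etc/config/openvpn. Whether vpn -> lan is strictly required depends on the 'forward' policy in 'config defaults' (REJECT by default); copernic_us reports LAN access without it, so read that finding as a hint, not a verdict.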

15

Re: Problem with OpenVPN server configuration on BB

I'll piggyback on this topic because I have a problem too:

root@TL-WDR3600:/mnt/sda1# cat /var/openvpn.log
Sat May  9 12:51:27 2015 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan  6 2015
Sat May  9 12:51:27 2015 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Sat May  9 12:51:27 2015 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sat May  9 12:51:27 2015 Diffie-Hellman initialized with 2048 bit key
Sat May  9 12:51:27 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
Sat May  9 12:51:27 2015 TUN/TAP device tun0 opened
Sat May  9 12:51:27 2015 TUN/TAP TX queue length set to 100
Sat May  9 12:51:27 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat May  9 12:51:27 2015 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sat May  9 12:51:27 2015 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sat May  9 12:51:27 2015 UDPv4 link local (bound): [undef]
Sat May  9 12:51:27 2015 UDPv4 link remote: [undef]
Sat May  9 12:51:27 2015 MULTI: multi_init called, r=256 v=256
Sat May  9 12:51:27 2015 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sat May  9 12:51:27 2015 Initialization Sequence Completed
Sat May  9 12:56:43 2015 94.254.145.130:36235 TLS: Initial packet from [AF_INET]94.254.145.130:36235, sid=f577ea0d 057ca35b
Sat May  9 12:56:49 2015 94.254.145.130:36235 TLS: new session incoming connection from [AF_INET]94.254.145.130:36235
Sat May  9 12:56:54 2015 94.254.145.130:36235 TLS: new session incoming connection from [AF_INET]94.254.145.130:36235
Sat May  9 12:57:43 2015 94.254.145.130:36235 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May  9 12:57:43 2015 94.254.145.130:36235 TLS Error: TLS handshake failed
Sat May  9 12:57:43 2015 94.254.145.130:36235 SIGUSR1[soft,tls-error] received, client-instance restarting
Sat May  9 12:57:55 2015 94.254.145.130:36235 TLS: Initial packet from [AF_INET]94.254.145.130:36235, sid=b3c6fbce 78cfdfdd
Sat May  9 12:58:00 2015 94.254.145.130:36235 TLS: new session incoming connection from [AF_INET]94.254.145.130:36235
Sat May  9 12:58:55 2015 94.254.145.130:36235 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May  9 12:58:55 2015 94.254.145.130:36235 TLS Error: TLS handshake failed
Sat May  9 12:58:55 2015 94.254.145.130:36235 SIGUSR1[soft,tls-error] received, client-instance restarting

Gateway: Topton Intel Core i3-N305 16GB RAM 6x i226-V 2.5GbE
AP: 3x Netgear WAX220

16

Re: Problem with OpenVPN server configuration on BB

Negotiation error. Either you have bad certificates or you are using different OpenVPN versions.
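
The server log in post 15 never gets past "new session incoming connection" before the 60-second timer fires, and there is no VERIFY line at all; that is worth telling apart from a certificate rejection, which OpenVPN logs as "VERIFY ERROR". The following added script, written for this page and not part of OpenVPN, sorts a server log by remote endpoint into completed, certificate-rejected and timed-out handshakes. The sample lines are constructed after the two server logs in this thread with documentation addresses substituted, plus one invented expired-certificate client so that each branch is exercised; the hints state the usual meaning of each pattern, not anything the posts establish about this particular case.

```shell
#!/bin/sh
# Sort an OpenVPN server log by remote endpoint: handshake completed, certificate rejected,
# or timed out before any certificate was seen. Example code for this page, not an OpenVPN
# tool. sample_log is constructed after the two server logs in this thread, with
# documentation addresses substituted and one extra (invented) expired-certificate client.

sample_log() {
  cat <<'EOF'
Sat May  9 12:51:27 2015 Initialization Sequence Completed
Wed Mar  4 16:03:39 2015 198.51.100.7:1194 TLS: Initial packet from [AF_INET]198.51.100.7:1194, sid=5a5d44ee e4c294ca
Wed Mar  4 16:03:41 2015 198.51.100.7:1194 VERIFY OK: depth=0, C=US, ST=CA, CN=telefon
Wed Mar  4 16:03:41 2015 198.51.100.7:1194 [telefon] Peer Connection Initiated with [AF_INET]198.51.100.7:1194
Wed Mar  4 16:03:41 2015 telefon/198.51.100.7:1194 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Wed Mar  4 16:11:37 2015 telefon/198.51.100.7:1194 [telefon] Inactivity timeout (--ping-restart), restarting
Sat May  9 12:56:43 2015 203.0.113.9:36235 TLS: Initial packet from [AF_INET]203.0.113.9:36235, sid=f577ea0d 057ca35b
Sat May  9 12:56:49 2015 203.0.113.9:36235 TLS: new session incoming connection from [AF_INET]203.0.113.9:36235
Sat May  9 12:57:43 2015 203.0.113.9:36235 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May  9 12:57:43 2015 203.0.113.9:36235 TLS Error: TLS handshake failed
Sat May  9 12:57:55 2015 203.0.113.9:36235 TLS: Initial packet from [AF_INET]203.0.113.9:36235, sid=b3c6fbce 78cfdfdd
Sat May  9 12:58:55 2015 203.0.113.9:36235 TLS Error: TLS handshake failed
Sat May  9 13:02:10 2015 192.0.2.44:50123 TLS: Initial packet from [AF_INET]192.0.2.44:50123, sid=0123abcd 4567ef01
Sat May  9 13:02:11 2015 192.0.2.44:50123 VERIFY ERROR: depth=0, error=certificate has expired: C=US, CN=laptop
Sat May  9 13:02:11 2015 192.0.2.44:50123 TLS Error: TLS handshake failed
EOF
}

# triage_log [FILE]: one line per peer: VERDICT ip:port attempts= ok= tls_errors= ip= note= | hint
triage_log() {
  awk '
    {
      # Per-client lines: "<Day Mon D HH:MM:SS YYYY> <[cn/]ip:port> <message>" (date = 5 fields).
      peer = $6; sub(/^.*\//, "", peer)                    # drop the "cn/" prefix
      if (peer !~ /^[0-9.]+:[0-9]+$/) next                 # startup lines carry no peer
      msg = $0; for (i = 1; i <= 6; i++) sub(/^[^ ]+ +/, "", msg)
      seen[peer] = 1
      if (msg ~ /^TLS: Initial packet/)             attempts[peer]++
      if (msg ~ /Peer Connection Initiated/)        ok[peer]++
      if (msg ~ /^TLS Error: TLS handshake failed/) tls_err[peer]++
      if (msg ~ /^VERIFY ERROR/)                    verify_err[peer]++
      if (match(msg, /IPv4=[0-9.]+/))               ip[peer] = substr(msg, RSTART + 5, RLENGTH - 5)
      if (msg ~ /Inactivity timeout/)               note[peer] = "inactivity-restart"
    }
    END {
      for (p in seen) {
        if (ok[p] > 0)              { v = "CONNECTED";        h = "handshake completed" }
        else if (verify_err[p] > 0) { v = "CERT_REJECTED";    h = "server refused the client certificate" }
        else if (tls_err[p] > 0)    { v = "HANDSHAKE_FAILED"; h = "no VERIFY at all: client packets never complete the handshake (reachability, MTU, tls-auth mismatch)" }
        else                        { v = "IN_PROGRESS";      h = "handshake still running at end of log" }
        printf "%s %s attempts=%d ok=%d tls_errors=%d ip=%s note=%s | %s\n", v, p,
               attempts[p], ok[p], tls_err[p], (p in ip) ? ip[p] : "-", (p in note) ? note[p] : "-", h
      }
    }
  ' "$@"
}

sample_log | triage_log | sort
```

On the router, `triage_log /tmp/openvpn.log` (the path from the first post's config) gives the same summary for the real log; a peer that repeatedly shows HANDSHAKE_FAILED with attempts but no VERIFY line is failing before any certificate is checked, so that is where to look first.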

17

Re: Problem with OpenVPN server configuration on BB

And here are the logs from the phone:

2015-05-09 13:11:44 Running on SM-N9005 (MSM8974) samsung, Android API 21, version 0.6.29, Official build
2015-05-09 13:11:44 Log cleared.
2015-05-09 13:11:52 Building configuration…
2015-05-09 13:11:54 started Socket Thread
2015-05-09 13:11:54 Network status: CONNECTED HSPA to MOBILE internet
2015-05-09 13:11:54 Current Parameter Settings:
2015-05-09 13:11:54   config = '/data/data/de.blinkt.openvpn/cache/android.conf'
2015-05-09 13:11:54   mode = 0
2015-05-09 13:11:54   show_ciphers = DISABLED
2015-05-09 13:11:54   show_digests = DISABLED
2015-05-09 13:11:54   show_engines = DISABLED
2015-05-09 13:11:54   genkey = DISABLED
2015-05-09 13:11:54   key_pass_file = '[UNDEF]'
2015-05-09 13:11:54   show_tls_ciphers = DISABLED
2015-05-09 13:11:54   connect_retry_max = 5
2015-05-09 13:11:54 Connection profiles [0]:
2015-05-09 13:11:54   proto = udp
2015-05-09 13:11:54   local = '[UNDEF]'
2015-05-09 13:11:54   local_port = '1194'
2015-05-09 13:11:54   remote = '176.122.236.77'
2015-05-09 13:11:54   remote_port = '1194'
2015-05-09 13:11:54   remote_float = DISABLED
2015-05-09 13:11:54   bind_defined = DISABLED
2015-05-09 13:11:54   bind_local = ENABLED
2015-05-09 13:11:54   bind_ipv6_only = DISABLED
2015-05-09 13:11:54   connect_retry_seconds = 5
2015-05-09 13:11:54   connect_timeout = 10
2015-05-09 13:11:54   socks_proxy_server = '[UNDEF]'
2015-05-09 13:11:54   socks_proxy_port = '[UNDEF]'
2015-05-09 13:11:54   socks_proxy_retry = DISABLED
2015-05-09 13:11:54   tun_mtu = 1500
2015-05-09 13:11:54   tun_mtu_defined = ENABLED
2015-05-09 13:11:54   link_mtu = 1500
2015-05-09 13:11:54   link_mtu_defined = DISABLED
2015-05-09 13:11:54   tun_mtu_extra = 0
2015-05-09 13:11:54   tun_mtu_extra_defined = DISABLED
2015-05-09 13:11:54   mtu_discover_type = -1
2015-05-09 13:11:54   fragment = 0
2015-05-09 13:11:54   mssfix = 1450
2015-05-09 13:11:54   explicit_exit_notification = 0
2015-05-09 13:11:54 Connection profiles END
2015-05-09 13:11:54   remote_random = DISABLED
2015-05-09 13:11:54   ipchange = '[UNDEF]'
2015-05-09 13:11:54   dev = 'tun'
2015-05-09 13:11:54   dev_type = '[UNDEF]'
2015-05-09 13:11:54   dev_node = '[UNDEF]'
2015-05-09 13:11:54   lladdr = '[UNDEF]'
2015-05-09 13:11:54   topology = 1
2015-05-09 13:11:54   tun_ipv6 = DISABLED
2015-05-09 13:11:54   ifconfig_local = '[UNDEF]'
2015-05-09 13:11:54   ifconfig_remote_netmask = '[UNDEF]'
2015-05-09 13:11:54   ifconfig_noexec = DISABLED
2015-05-09 13:11:54   ifconfig_nowarn = ENABLED
2015-05-09 13:11:54   ifconfig_ipv6_local = '[UNDEF]'
2015-05-09 13:11:54   ifconfig_ipv6_netbits = 0
2015-05-09 13:11:54   ifconfig_ipv6_remote = '[UNDEF]'
2015-05-09 13:11:54   shaper = 0
2015-05-09 13:11:54   mtu_test = 0
2015-05-09 13:11:54   mlock = DISABLED
2015-05-09 13:11:54   keepalive_ping = 0
2015-05-09 13:11:54   keepalive_timeout = 0
2015-05-09 13:11:54   inactivity_timeout = 0
2015-05-09 13:11:54   ping_send_timeout = 0
2015-05-09 13:11:54   ping_rec_timeout = 0
2015-05-09 13:11:54   ping_rec_timeout_action = 0
2015-05-09 13:11:54   ping_timer_remote = DISABLED
2015-05-09 13:11:54   remap_sigusr1 = 0
2015-05-09 13:11:54   persist_tun = DISABLED
2015-05-09 13:11:54   persist_local_ip = DISABLED
2015-05-09 13:11:54   persist_remote_ip = DISABLED
2015-05-09 13:11:54   persist_key = DISABLED
2015-05-09 13:11:54   passtos = DISABLED
2015-05-09 13:11:54   resolve_retry_seconds = 60
2015-05-09 13:11:54   resolve_in_advance = DISABLED
2015-05-09 13:11:54   username = '[UNDEF]'
2015-05-09 13:11:54   groupname = '[UNDEF]'
2015-05-09 13:11:54   chroot_dir = '[UNDEF]'
2015-05-09 13:11:54   cd_dir = '[UNDEF]'
2015-05-09 13:11:54   writepid = '[UNDEF]'
2015-05-09 13:11:54   up_script = '[UNDEF]'
2015-05-09 13:11:54   down_script = '[UNDEF]'
2015-05-09 13:11:54   down_pre = DISABLED
2015-05-09 13:11:54   up_restart = DISABLED
2015-05-09 13:11:54   up_delay = DISABLED
2015-05-09 13:11:54   daemon = DISABLED
2015-05-09 13:11:54   inetd = 0
2015-05-09 13:11:54   log = DISABLED
2015-05-09 13:11:54   suppress_timestamps = DISABLED
2015-05-09 13:11:54   machine_readable_output = ENABLED
2015-05-09 13:11:54   nice = 0
2015-05-09 13:11:54   verbosity = 4
2015-05-09 13:11:54   mute = 0
2015-05-09 13:11:54   gremlin = 0
2015-05-09 13:11:54   status_file = '[UNDEF]'
2015-05-09 13:11:54   status_file_version = 1
2015-05-09 13:11:54   status_file_update_freq = 60
2015-05-09 13:11:54   occ = ENABLED
2015-05-09 13:11:54   rcvbuf = 65536
2015-05-09 13:11:54   sndbuf = 65536
2015-05-09 13:11:54   sockflags = 0
2015-05-09 13:11:54   fast_io = DISABLED
2015-05-09 13:11:54   comp.alg = 0
2015-05-09 13:11:54   comp.flags = 0
2015-05-09 13:11:54   route_script = '[UNDEF]'
2015-05-09 13:11:54   route_default_gateway = '[UNDEF]'
2015-05-09 13:11:54   route_default_metric = 0
2015-05-09 13:11:54   route_noexec = DISABLED
2015-05-09 13:11:54   route_delay = 0
2015-05-09 13:11:54   route_delay_window = 30
2015-05-09 13:11:54   route_delay_defined = DISABLED
2015-05-09 13:11:54   route_nopull = DISABLED
2015-05-09 13:11:54   route_gateway_via_dhcp = DISABLED
2015-05-09 13:11:54   allow_pull_fqdn = DISABLED
2015-05-09 13:11:54   route 0.0.0.0/0.0.0.0/vpn_gateway/nil
2015-05-09 13:11:54   management_addr = '/data/data/de.blinkt.openvpn/cache/mgmtsocket'
2015-05-09 13:11:54   management_port = 'unix'
2015-05-09 13:11:54   management_user_pass = '[UNDEF]'
2015-05-09 13:11:54   management_log_history_cache = 250
2015-05-09 13:11:54   management_echo_buffer_size = 100
2015-05-09 13:11:54   management_write_peer_info_file = '[UNDEF]'
2015-05-09 13:11:54   management_client_user = '[UNDEF]'
2015-05-09 13:11:54   management_client_group = '[UNDEF]'
2015-05-09 13:11:54   management_flags = 4390
2015-05-09 13:11:54   shared_secret_file = '[UNDEF]'
2015-05-09 13:11:54   key_direction = 0
2015-05-09 13:11:54   ciphername_defined = ENABLED
2015-05-09 13:11:54   ciphername = 'BF-CBC'
2015-05-09 13:11:54   authname_defined = ENABLED
2015-05-09 13:11:54   authname = 'SHA1'
2015-05-09 13:11:54   prng_hash = 'SHA1'
2015-05-09 13:11:54   prng_nonce_secret_len = 16
2015-05-09 13:11:54   keysize = 0
2015-05-09 13:11:54   engine = DISABLED
2015-05-09 13:11:54   replay = ENABLED
2015-05-09 13:11:54   mute_replay_warnings = DISABLED
2015-05-09 13:11:54   replay_window = 64
2015-05-09 13:11:54   replay_time = 15
2015-05-09 13:11:54   packet_id_file = '[UNDEF]'
2015-05-09 13:11:54   use_iv = ENABLED
2015-05-09 13:11:54   test_crypto = DISABLED
2015-05-09 13:11:54   tls_server = DISABLED
2015-05-09 13:11:54   tls_client = ENABLED
2015-05-09 13:11:54   key_method = 2
2015-05-09 13:11:54   ca_file = '[[INLINE]]'
2015-05-09 13:11:54   ca_path = '[UNDEF]'
2015-05-09 13:11:54   dh_file = '[UNDEF]'
2015-05-09 13:11:54   cert_file = '[[INLINE]]'
2015-05-09 13:11:54   priv_key_file = '[[INLINE]]'
2015-05-09 13:11:54   pkcs12_file = '[UNDEF]'
2015-05-09 13:11:54   cipher_list = '[UNDEF]'
2015-05-09 13:11:54   tls_verify = '[UNDEF]'
2015-05-09 13:11:54   tls_export_cert = '[UNDEF]'
2015-05-09 13:11:54   verify_x509_type = 2
2015-05-09 13:11:54   verify_x509_name = '176.122.236.77'
2015-05-09 13:11:54   crl_file = '[UNDEF]'
2015-05-09 13:11:54   ns_cert_type = 0
2015-05-09 13:11:54   remote_cert_ku[i] = 0
2015-05-09 13:11:54   remote_cert_ku[i] = 0
2015-05-09 13:11:54   remote_cert_ku[i] = 0
2015-05-09 13:11:54   remote_cert_ku[i] = 0
2015-05-09 13:11:54   remote_cert_ku[i] = 0
2015-05-09 13:11:54   remote_cert_ku[i] = 0
2015-05-09 13:11:54   remote_cert_ku[i] = 0
2015-05-09 13:11:54   remote_cert_ku[i] = 0
2015-05-09 13:11:54   remote_cert_ku[i] = 0
2015-05-09 13:11:54   remote_cert_ku[i] = 0
2015-05-09 13:11:54   remote_cert_ku[i] = 0
2015-05-09 13:11:54   remote_cert_ku[i] = 0
2015-05-09 13:11:54   remote_cert_ku[i] = 0
2015-05-09 13:11:54   remote_cert_ku[i] = 0
2015-05-09 13:11:54   remote_cert_ku[i] = 0
2015-05-09 13:11:54   remote_cert_ku[i] = 0
2015-05-09 13:11:54   remote_cert_eku = '[UNDEF]'
2015-05-09 13:11:54   ssl_flags = 0
2015-05-09 13:11:54   tls_timeout = 2
2015-05-09 13:11:54   renegotiate_bytes = 0
2015-05-09 13:11:54   renegotiate_packets = 0
2015-05-09 13:11:54   renegotiate_seconds = 3600
2015-05-09 13:11:54   handshake_window = 60
2015-05-09 13:11:54   transition_window = 3600
2015-05-09 13:11:54   single_session = DISABLED
2015-05-09 13:11:54   push_peer_info = DISABLED
2015-05-09 13:11:54   tls_exit = DISABLED
2015-05-09 13:11:54   tls_auth_file = '[UNDEF]'
2015-05-09 13:11:54   client = ENABLED
2015-05-09 13:11:54   pull = ENABLED
2015-05-09 13:11:54   auth_user_pass_file = '[UNDEF]'
2015-05-09 13:11:54 OpenVPN 2.4-icsopenvpn [git:icsopenvpn_629-4c6f7f0d16e1a6b3] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [SNAPPY] [LZ4] [EPOLL] [MH] [IPv6] built on Feb 24 2015
2015-05-09 13:11:54 library versions: OpenSSL 1.0.1l 15 Jan 2015, LZO 2.07
2015-05-09 13:11:54 MANAGEMENT: Connected to management server at /data/data/de.blinkt.openvpn/cache/mgmtsocket
2015-05-09 13:11:54 MANAGEMENT: CMD 'hold release'
2015-05-09 13:11:54 MANAGEMENT: CMD 'bytecount 2'
2015-05-09 13:11:54 MANAGEMENT: CMD 'state on'
2015-05-09 13:11:54 MANAGEMENT: CMD 'proxy NONE'
2015-05-09 13:11:55 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:3 ]
2015-05-09 13:11:55 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:392 ET:0 EL:3 ]
2015-05-09 13:11:55 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2015-05-09 13:11:55 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2015-05-09 13:11:55 Local Options hash (VER=V4): '3514370b'
2015-05-09 13:11:55 Expected Remote Options hash (VER=V4): '239669a8'
2015-05-09 13:11:55 TCP/UDP: Preserving recently used remote address: [AF_INET]176.122.236.77:1194
2015-05-09 13:11:55 Socket Buffers: R=[163840->131072] S=[163840->131072]
2015-05-09 13:11:55 Protecting socket fd 4
2015-05-09 13:11:55 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2015-05-09 13:11:55 UDP link local (bound): [AF_INET][undef]:1194
2015-05-09 13:11:55 UDP link remote: [AF_INET]176.122.236.77:1194
2015-05-09 13:11:55 MANAGEMENT: >STATE:1431169915,WAIT,,,
2015-05-09 13:11:56 MANAGEMENT: >STATE:1431169916,AUTH,,,
2015-05-09 13:11:56 TLS: Initial packet from [AF_INET]176.122.236.77:1194, sid=622e3015 3e815113
2015-05-09 13:11:58 VERIFY OK: depth=1, C=PL, ST=Malopolska, L=Wojnicz, O=Private, OU=DOM, CN=re-ko, name=re-ko, emailAddress=shinigami.dario@gmail.com
2015-05-09 13:11:58 VERIFY X509NAME ERROR: C=PL, ST=Malopolska, L=Wojnicz, O=Private, OU=DOM, CN=RE-KO, name=RE-KO, emailAddress=shinigami.dario@gmail.com, must be 176.122.236.77
2015-05-09 13:11:58 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2015-05-09 13:11:58 TLS_ERROR: BIO read tls_read_plaintext error
2015-05-09 13:11:58 TLS Error: TLS object -> incoming plaintext read error
2015-05-09 13:11:58 TLS Error: TLS handshake failed
2015-05-09 13:11:58 TCP/UDP: Closing socket
2015-05-09 13:11:58 SIGUSR1[soft,tls-error] received, process restarting
2015-05-09 13:11:58 MANAGEMENT: >STATE:1431169918,RECONNECTING,tls-error,,
2015-05-09 13:12:01 MANAGEMENT: CMD 'hold release'
2015-05-09 13:12:01 MANAGEMENT: CMD 'bytecount 2'
2015-05-09 13:12:01 MANAGEMENT: CMD 'state on'
2015-05-09 13:12:01 MANAGEMENT: CMD 'proxy NONE'
2015-05-09 13:12:02 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:3 ]
2015-05-09 13:12:02 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:392 ET:0 EL:3 ]
2015-05-09 13:12:02 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2015-05-09 13:12:02 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2015-05-09 13:12:02 Local Options hash (VER=V4): '3514370b'
2015-05-09 13:12:02 Expected Remote Options hash (VER=V4): '239669a8'
2015-05-09 13:12:02 TCP/UDP: Preserving recently used remote address: [AF_INET]176.122.236.77:1194
2015-05-09 13:12:02 Socket Buffers: R=[163840->131072] S=[163840->131072]
2015-05-09 13:12:02 Protecting socket fd 4
2015-05-09 13:12:02 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2015-05-09 13:12:02 UDP link local (bound): [AF_INET][undef]:1194
2015-05-09 13:12:02 UDP link remote: [AF_INET]176.122.236.77:1194
2015-05-09 13:12:02 MANAGEMENT: >STATE:1431169922,WAIT,,,
2015-05-09 13:12:02 MANAGEMENT: >STATE:1431169922,AUTH,,,
2015-05-09 13:12:02 TLS: Initial packet from [AF_INET]176.122.236.77:1194, sid=90edba99 71e58e05
2015-05-09 13:12:02 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:03 VERIFY OK: depth=1, C=PL, ST=Malopolska, L=Wojnicz, O=Private, OU=DOM, CN=re-ko, name=re-ko, emailAddress=shinigami.dario@gmail.com
2015-05-09 13:12:03 VERIFY X509NAME ERROR: C=PL, ST=Malopolska, L=Wojnicz, O=Private, OU=DOM, CN=RE-KO, name=RE-KO, emailAddress=shinigami.dario@gmail.com, must be 176.122.236.77
2015-05-09 13:12:03 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2015-05-09 13:12:03 TLS_ERROR: BIO read tls_read_plaintext error
2015-05-09 13:12:03 TLS Error: TLS object -> incoming plaintext read error
2015-05-09 13:12:03 TLS Error: TLS handshake failed
2015-05-09 13:12:03 TCP/UDP: Closing socket
2015-05-09 13:12:03 SIGUSR1[soft,tls-error] received, process restarting
2015-05-09 13:12:03 MANAGEMENT: >STATE:1431169923,RECONNECTING,tls-error,,
2015-05-09 13:12:06 MANAGEMENT: CMD 'hold release'
2015-05-09 13:12:06 MANAGEMENT: CMD 'bytecount 2'
2015-05-09 13:12:06 MANAGEMENT: CMD 'state on'
2015-05-09 13:12:06 MANAGEMENT: CMD 'proxy NONE'
2015-05-09 13:12:07 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:3 ]
2015-05-09 13:12:07 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:392 ET:0 EL:3 ]
2015-05-09 13:12:07 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2015-05-09 13:12:07 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2015-05-09 13:12:08 Local Options hash (VER=V4): '3514370b'
2015-05-09 13:12:08 Expected Remote Options hash (VER=V4): '239669a8'
2015-05-09 13:12:08 TCP/UDP: Preserving recently used remote address: [AF_INET]176.122.236.77:1194
2015-05-09 13:12:08 Socket Buffers: R=[163840->131072] S=[163840->131072]
2015-05-09 13:12:08 Protecting socket fd 4
2015-05-09 13:12:08 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2015-05-09 13:12:08 UDP link local (bound): [AF_INET][undef]:1194
2015-05-09 13:12:08 UDP link remote: [AF_INET]176.122.236.77:1194
2015-05-09 13:12:08 MANAGEMENT: >STATE:1431169927,WAIT,,,
2015-05-09 13:12:08 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:08 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:09 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:09 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_ACK_V1)
2015-05-09 13:12:10 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:11 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:12 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:13 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:13 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:13 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_ACK_V1)
2015-05-09 13:12:14 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:15 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:16 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:18 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:19 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:20 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:21 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:21 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_ACK_V1)
2015-05-09 13:12:30 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:31 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:32 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:34 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:35 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:36 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:37 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:12:38 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_ACK_V1)
2015-05-09 13:13:07 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2015-05-09 13:13:07 TLS Error: TLS handshake failed
2015-05-09 13:13:08 TCP/UDP: Closing socket
2015-05-09 13:13:08 SIGUSR1[soft,tls-error] received, process restarting
2015-05-09 13:13:08 MANAGEMENT: >STATE:1431169987,RECONNECTING,tls-error,,
2015-05-09 13:13:08 MANAGEMENT: CMD 'hold release'
2015-05-09 13:13:08 MANAGEMENT: CMD 'bytecount 2'
2015-05-09 13:13:08 MANAGEMENT: CMD 'state on'
2015-05-09 13:13:08 MANAGEMENT: CMD 'proxy NONE'
2015-05-09 13:13:09 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:3 ]
2015-05-09 13:13:09 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:392 ET:0 EL:3 ]
2015-05-09 13:13:09 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2015-05-09 13:13:09 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2015-05-09 13:13:09 Local Options hash (VER=V4): '3514370b'
2015-05-09 13:13:09 Expected Remote Options hash (VER=V4): '239669a8'
2015-05-09 13:13:09 TCP/UDP: Preserving recently used remote address: [AF_INET]176.122.236.77:1194
2015-05-09 13:13:09 Socket Buffers: R=[163840->131072] S=[163840->131072]
2015-05-09 13:13:09 Protecting socket fd 4
2015-05-09 13:13:09 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2015-05-09 13:13:09 UDP link local (bound): [AF_INET][undef]:1194
2015-05-09 13:13:09 UDP link remote: [AF_INET]176.122.236.77:1194
2015-05-09 13:13:09 MANAGEMENT: >STATE:1431169989,WAIT,,,
2015-05-09 13:13:09 MANAGEMENT: >STATE:1431169989,AUTH,,,
2015-05-09 13:13:09 TLS: Initial packet from [AF_INET]176.122.236.77:1194, sid=7458ed96 cb86846e
2015-05-09 13:13:11 VERIFY OK: depth=1, C=PL, ST=Malopolska, L=Wojnicz, O=Private, OU=DOM, CN=re-ko, name=re-ko, emailAddress=shinigami.dario@gmail.com
2015-05-09 13:13:11 VERIFY X509NAME ERROR: C=PL, ST=Malopolska, L=Wojnicz, O=Private, OU=DOM, CN=RE-KO, name=RE-KO, emailAddress=shinigami.dario@gmail.com, must be 176.122.236.77
2015-05-09 13:13:11 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2015-05-09 13:13:11 TLS_ERROR: BIO read tls_read_plaintext error
2015-05-09 13:13:11 TLS Error: TLS object -> incoming plaintext read error
2015-05-09 13:13:11 TLS Error: TLS handshake failed
2015-05-09 13:13:11 TCP/UDP: Closing socket
2015-05-09 13:13:11 SIGUSR1[soft,tls-error] received, process restarting
2015-05-09 13:13:11 MANAGEMENT: >STATE:1431169991,RECONNECTING,tls-error,,
2015-05-09 13:13:14 MANAGEMENT: CMD 'hold release'
2015-05-09 13:13:14 MANAGEMENT: CMD 'bytecount 2'
2015-05-09 13:13:14 MANAGEMENT: CMD 'state on'
2015-05-09 13:13:14 MANAGEMENT: CMD 'proxy NONE'
2015-05-09 13:13:15 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:3 ]
2015-05-09 13:13:15 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:392 ET:0 EL:3 ]
2015-05-09 13:13:15 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2015-05-09 13:13:15 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2015-05-09 13:13:15 Local Options hash (VER=V4): '3514370b'
2015-05-09 13:13:15 Expected Remote Options hash (VER=V4): '239669a8'
2015-05-09 13:13:15 TCP/UDP: Preserving recently used remote address: [AF_INET]176.122.236.77:1194
2015-05-09 13:13:15 Socket Buffers: R=[163840->131072] S=[163840->131072]
2015-05-09 13:13:15 Protecting socket fd 4
2015-05-09 13:13:15 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2015-05-09 13:13:16 UDP link local (bound): [AF_INET][undef]:1194
2015-05-09 13:13:16 UDP link remote: [AF_INET]176.122.236.77:1194
2015-05-09 13:13:16 MANAGEMENT: >STATE:1431169995,WAIT,,,
2015-05-09 13:13:16 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:13:16 MANAGEMENT: >STATE:1431169996,AUTH,,,
2015-05-09 13:13:16 TLS: Initial packet from [AF_INET]176.122.236.77:1194, sid=30b7a3e0 d916a458
2015-05-09 13:13:16 TLS Error: Unroutable control packet received from [AF_INET]176.122.236.77:1194 (si=3 op=P_CONTROL_V1)
2015-05-09 13:13:17 VERIFY OK: depth=1, C=PL, ST=Malopolska, L=Wojnicz, O=Private, OU=DOM, CN=re-ko, name=re-ko, emailAddress=shinigami.dario@gmail.com
2015-05-09 13:13:17 VERIFY X509NAME ERROR: C=PL, ST=Malopolska, L=Wojnicz, O=Private, OU=DOM, CN=RE-KO, name=RE-KO, emailAddress=shinigami.dario@gmail.com, must be 176.122.236.77
2015-05-09 13:13:17 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2015-05-09 13:13:17 TLS_ERROR: BIO read tls_read_plaintext error
2015-05-09 13:13:17 TLS Error: TLS object -> incoming plaintext read error
2015-05-09 13:13:17 TLS Error: TLS handshake failed
2015-05-09 13:13:17 TCP/UDP: Closing socket
2015-05-09 13:13:17 SIGUSR1[soft,tls-error] received, process restarting
2015-05-09 13:13:17 MANAGEMENT: >STATE:1431169997,RECONNECTING,tls-error,,
2015-05-09 13:13:20 MANAGEMENT: CMD 'hold release'
2015-05-09 13:13:20 MANAGEMENT: CMD 'bytecount 2'
2015-05-09 13:13:20 MANAGEMENT: CMD 'state on'
2015-05-09 13:13:20 MANAGEMENT: CMD 'proxy NONE'
2015-05-09 13:13:21 MGMT: Got unrecognized command>FATAL:All connections have been connect-retry-max (5) times unsuccessful, exiting
2015-05-09 13:13:21 MANAGEMENT: Client disconnected
2015-05-09 13:13:21 All connections have been connect-retry-max (5) times unsuccessful, exiting
2015-05-09 13:13:21 Exiting due to fatal error
2015-05-09 13:13:21 Process exited with exit value 1
Gateway: Topton Intel Core i3-N305 16GB RAM 6x i226-V 2.5GbE
AP: 3x Netgear WAX220

18

Re: Problem with OpenVPN server configuration on BB

Your certificates are generated wrong...

Got a router you don't need, broken or not? I'll gladly take it in.

19

Re: Problem with OpenVPN server configuration on BB

root@TL-WDR3600:~# cat /etc/config/openvpn
config openvpn 'dom'
        option enabled '1'
        option dev 'tun'
        option proto 'udp'
        option log '/tmp/openvpn.log'
        option verb '3'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/RE-KO.crt'
        option key '/etc/openvpn/RE-KO.key'
        option server '10.8.0.0 255.255.255.0'
        option port '1194'
        option keepalive '10 120'
        option dh '/etc/openvpn/dh2048.pem'
        option push 'dhcp-option DNS 192.168.1.1'
        option push 'redirect-gateway def1 local'
root@TL-WDR3600:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd20:2c47:84ed::/48'

config interface 'vpn'
        option ifname 'tun0'
        option proto 'none'

config interface 'lan'
        option ifname 'eth0.1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option _orig_ifname 'eth0.2'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '192.168.0.2'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option dns '192.168.0.1'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'

config route
root@TL-WDR3600:~# cat /etc/openvpn/openvpn.conf
mode server
tls-server

### network options
port 1194
proto udp
dev tun

### Certificate and key files
ca /etc/easy-rsa/keys/ca.crt
cert /etc/easy-rsa/keys/RE-KO.crt
key /etc/easy-rsa/keys/RE-KO.key
dh /etc/easy-rsa/keys/dh2048.pem

client-to-client
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1" # Change this to your router's LAN IP Address
push "route 192.168.1.0 255.255.255.0" # Change this to your network

### (optional) compression (Can be slow)
#comp-lzo

persist-key
persist-tun

verb 3
keepalive 10 120
log-append /var/log/openvpn/openvpn.log
...
config rule
        option name 'OpenVPN'
        option src 'wan'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '1194'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn0'

config forwarding
        option src 'vpn'
        option dest 'wan'
Cezary wrote:

Negotiation error. Either you have the wrong certificates or you are using different openvpn versions.

So generate the certificates and keys again?

build-ca
build-dh
build-key-server my-server
build-key-pkcs12 my-client
Gateway: Topton Intel Core i3-N305 16GB RAM 6x i226-V 2.5GbE
AP: 3x Netgear WAX220
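One thing worth checking in a dump like the one above is that every firewall reference resolves: the zone's 'network' value has to name an interface that /etc/config/network actually defines, or the zone covers no traffic at all. The following Python is an added example, not code from the thread or from OpenWrt; it parses only the plain config/option/list subset of UCI syntax shown here, and the two sample configs are constructed from the dumps in this post.

```python
"""Cross-check an OpenWrt firewall config against the network config.

Added example for this thread, not code from the posts or from OpenWrt: it
parses the plain-text UCI format shown above and reports references that
resolve to nothing, e.g. a zone whose 'network' names no defined interface.
"""
import re
import shlex

SECTION_RE = re.compile(r"^\s*config\s+(\S+)(?:\s+(.+))?$")
OPTION_RE = re.compile(r"^\s*(option|list)\s+(\S+)\s+(.+)$")

def parse_uci(text):
    """Parse UCI text into a list of (type, name, {option: [values]})."""
    sections = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            name = shlex.split(m.group(2))[0] if m.group(2) else None
            sections.append((m.group(1), name, {}))
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            # 'list' repeats a key; keep every value in file order
            sections[-1][2].setdefault(m.group(2), []).append(shlex.split(m.group(3))[0])
    return sections

def check_firewall(network_text, firewall_text):
    """Return human-readable findings; an empty list means the configs agree."""
    interfaces = {n for t, n, _ in parse_uci(network_text) if t == "interface" and n}
    fw = parse_uci(firewall_text)
    zones = {o["name"][0]: o for t, _, o in fw if t == "zone" and "name" in o}
    findings = []
    for zname, opts in zones.items():
        # one quoted string may hold several networks; 'list network' may repeat
        nets = " ".join(opts.get("network", [])).split()
        if not nets and "device" not in opts:
            findings.append(f"zone '{zname}' has no network or device and matches no traffic")
        for net in nets:
            if net not in interfaces:
                findings.append(f"zone '{zname}' references undefined network '{net}' "
                                f"(defined interfaces: {sorted(interfaces)})")
    for t, _, opts in fw:
        if t not in ("rule", "forwarding", "redirect"):
            continue
        label = opts.get("name", [t])[0]
        for key in ("src", "dest"):
            for z in opts.get(key, []):
                if z != "*" and z not in zones:
                    findings.append(f"{t} '{label}': {key}='{z}' names an undefined zone")
    return findings

# Constructed from the thread's dumps: the zone says 'vpn0', the interface is 'vpn'
NETWORK_SAMPLE = """\
config interface 'vpn'
        option ifname 'tun0'
        option proto 'none'

config interface 'lan'
        option ifname 'eth0.1'
        option proto 'static'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'static'
"""

FIREWALL_SAMPLE = """\
config zone
        option name 'wan'
        option network 'wan'

config rule
        option name 'OpenVPN'
        option src 'wan'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn0'

config forwarding
        option src 'vpn'
        option dest 'wan'
"""

# Same firewall with the zone pointed at the interface that really exists
FIREWALL_FIXED = FIREWALL_SAMPLE.replace("option network 'vpn0'", "option network 'vpn'")

if __name__ == "__main__":
    for label, cfg in (("as posted", FIREWALL_SAMPLE), ("corrected", FIREWALL_FIXED)):
        print(label, "->", check_firewall(NETWORK_SAMPLE, cfg) or ["no findings"])
```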

20

Re: Problem with OpenVPN server configuration on BB

When generating the keys you get asked some questions, and for a few of them I'm not sure what to enter:

Name [EasyRSA]:

Should anything be entered here?

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

Is the password needed?

Gateway: Topton Intel Core i3-N305 16GB RAM 6x i226-V 2.5GbE
AP: 3x Netgear WAX220

21

Re: Problem with OpenVPN server configuration on BB

If you don't want to type it in at startup, then no.

Got a router you don't need, broken or not? I'll gladly take it in.

22

Re: Problem with OpenVPN server configuration on BB

OK, I generated them again and it's still the same :(

1. LZO compression should be disabled on both the router and the client, right?
2. The TLS certificate: don't touch anything?
3. The default routes are fine, since it does try to connect?

What could I have forgotten to change that makes it not work?

Gateway: Topton Intel Core i3-N305 16GB RAM 6x i226-V 2.5GbE
AP: 3x Netgear WAX220

23 (edited by DarioX7 2015-05-09 21:08:37)

Re: Problem with OpenVPN server configuration on BB

Interestingly, the Windows client connected and got an IP, but with errors.

Sat May 09 21:59:48 2015 Warning: cannot open --log file: C:\Program Files\OpenVPN\log\client.log: Odmowa dostêpu.   (errno=5)
Sat May 09 21:59:48 2015 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014
Sat May 09 21:59:48 2015 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Sat May 09 21:59:48 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat May 09 21:59:48 2015 Need hold release from management interface, waiting...
Sat May 09 21:59:48 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat May 09 21:59:48 2015 MANAGEMENT: CMD 'state on'
Sat May 09 21:59:48 2015 MANAGEMENT: CMD 'log all on'
Sat May 09 21:59:48 2015 MANAGEMENT: CMD 'hold off'
Sat May 09 21:59:48 2015 MANAGEMENT: CMD 'hold release'
Sat May 09 21:59:48 2015 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat May 09 21:59:48 2015 UDPv4 link local: [undef]
Sat May 09 21:59:48 2015 UDPv4 link remote: [AF_INET]176.122.236.77:1194
Sat May 09 21:59:48 2015 MANAGEMENT: >STATE:1431201588,WAIT,,,
Sat May 09 21:59:48 2015 MANAGEMENT: >STATE:1431201588,AUTH,,,
Sat May 09 21:59:48 2015 TLS: Initial packet from [AF_INET]176.122.236.77:1194, sid=2f444b6a df851b27
Sat May 09 21:59:50 2015 VERIFY OK: depth=1, C=PL, ST=Malopolska, L=Wojnicz, O=Private, OU=DOM, CN=DOM, name=EasyRSA, emailAddress=shinigami.dario@gmail.com
Sat May 09 21:59:50 2015 Validating certificate key usage
Sat May 09 21:59:50 2015 ++ Certificate has key usage  00a0, expects 00a0
Sat May 09 21:59:50 2015 VERIFY KU OK
Sat May 09 21:59:50 2015 Validating certificate extended key usage
Sat May 09 21:59:50 2015 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat May 09 21:59:50 2015 VERIFY EKU OK
Sat May 09 21:59:50 2015 VERIFY OK: depth=0, C=PL, ST=Malopolska, L=Wojnicz, O=Private, OU=DOM, CN=DOM, name=EasyRSA, emailAddress=shinigami.dario@gmail.com
Sat May 09 21:59:52 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat May 09 21:59:52 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 09 21:59:52 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat May 09 21:59:52 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 09 21:59:52 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat May 09 21:59:52 2015 [DOM] Peer Connection Initiated with [AF_INET]176.122.236.77:1194
Sat May 09 21:59:53 2015 MANAGEMENT: >STATE:1431201593,GET_CONFIG,,,
Sat May 09 21:59:54 2015 SENT CONTROL [DOM]: 'PUSH_REQUEST' (status=1)
Sat May 09 21:59:54 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 local,dhcp-option DNS 192.168.1.1,route 192.168.1.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sat May 09 21:59:54 2015 OPTIONS IMPORT: timers and/or timeouts modified
Sat May 09 21:59:54 2015 OPTIONS IMPORT: --ifconfig/up options modified
Sat May 09 21:59:54 2015 OPTIONS IMPORT: route options modified
Sat May 09 21:59:54 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat May 09 21:59:54 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat May 09 21:59:54 2015 MANAGEMENT: >STATE:1431201594,ASSIGN_IP,,10.8.0.6,
Sat May 09 21:59:54 2015 open_tun, tt->ipv6=0
Sat May 09 21:59:54 2015 TAP-WIN32 device [Połączenie lokalne] opened: \\.\Global\{0AC70AFA-4A0A-46C2-9C4E-4631D482AF7A}.tap
Sat May 09 21:59:54 2015 TAP-Windows Driver Version 9.9 
Sat May 09 21:59:54 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {0AC70AFA-4A0A-46C2-9C4E-4631D482AF7A} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Sat May 09 21:59:54 2015 NOTE: FlushIpNetTable failed on interface [22] {0AC70AFA-4A0A-46C2-9C4E-4631D482AF7A} (status=5) : Odmowa dostêpu.  
Sat May 09 22:00:00 2015 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Sat May 09 22:00:00 2015 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Sat May 09 22:00:00 2015 ROUTE: route addition failed using CreateIpForwardEntry: Odmowa dostêpu.   [status=5 if_index=22]
Sat May 09 22:00:00 2015 Route addition via IPAPI failed [adaptive]
Sat May 09 22:00:00 2015 Route addition fallback to route.exe
Sat May 09 22:00:00 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat May 09 22:00:00 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Sat May 09 22:00:00 2015 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Sat May 09 22:00:00 2015 ROUTE: route addition failed using CreateIpForwardEntry: Odmowa dostêpu.   [status=5 if_index=22]
Sat May 09 22:00:00 2015 Route addition via IPAPI failed [adaptive]
Sat May 09 22:00:00 2015 Route addition fallback to route.exe
Sat May 09 22:00:00 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat May 09 22:00:00 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Sat May 09 22:00:00 2015 MANAGEMENT: >STATE:1431201600,ADD_ROUTES,,,
Sat May 09 22:00:00 2015 C:\Windows\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.8.0.5
Sat May 09 22:00:00 2015 ROUTE: route addition failed using CreateIpForwardEntry: Odmowa dostêpu.   [status=5 if_index=22]
Sat May 09 22:00:00 2015 Route addition via IPAPI failed [adaptive]
Sat May 09 22:00:00 2015 Route addition fallback to route.exe
Sat May 09 22:00:00 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat May 09 22:00:00 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Sat May 09 22:00:00 2015 C:\Windows\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5
Sat May 09 22:00:00 2015 ROUTE: route addition failed using CreateIpForwardEntry: Odmowa dostêpu.   [status=5 if_index=22]
Sat May 09 22:00:00 2015 Route addition via IPAPI failed [adaptive]
Sat May 09 22:00:00 2015 Route addition fallback to route.exe
Sat May 09 22:00:00 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat May 09 22:00:00 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Sat May 09 22:00:00 2015 Initialization Sequence Completed
Sat May 09 22:00:00 2015 MANAGEMENT: >STATE:1431201600,CONNECTED,SUCCESS,10.8.0.6,176.122.236.77
Sat May 09 22:00:15 2015 write to TUN/TAP  [State=AT?c Err=[c:\users\samuli\tap-windows-github\src\tapdrvr.c/2475] #O=2 Tx=[56,0] Rx=[0,2] IrpQ=[1,1,16] PktQ=[0,6,64] InjQ=[0,1,16]]: Obszar danych przekazany do wywo³ania systemowego jest za ma³y.   (code=122)
Sat May 09 22:00:24 2015 write to TUN/TAP  [State=AT?c Err=[c:\users\samuli\tap-windows-github\src\tapdrvr.c/2475] #O=2 Tx=[58,0] Rx=[0,3] IrpQ=[1,1,16] PktQ=[0,6,64] InjQ=[0,1,16]]: Obszar danych przekazany do wywo³ania systemowego jest za ma³y.   (code=122)

And here are the logs from the router:

root@TL-WDR3600:~# cat /var/log/openvpn.log
Sat May  9 19:35:36 2015 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan  6 2015
Sat May  9 19:35:36 2015 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Sat May  9 19:35:36 2015 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sat May  9 19:35:37 2015 Diffie-Hellman initialized with 2048 bit key
Sat May  9 19:35:37 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
Sat May  9 19:35:37 2015 TUN/TAP device tun0 opened
Sat May  9 19:35:37 2015 TUN/TAP TX queue length set to 100
Sat May  9 19:35:37 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat May  9 19:35:37 2015 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sat May  9 19:35:37 2015 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sat May  9 19:35:37 2015 UDPv4 link local (bound): [undef]
Sat May  9 19:35:37 2015 UDPv4 link remote: [undef]
Sat May  9 19:35:37 2015 MULTI: multi_init called, r=256 v=256
Sat May  9 19:35:37 2015 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sat May  9 19:35:37 2015 IFCONFIG POOL LIST
Sat May  9 19:35:37 2015 Initialization Sequence Completed
Sat May  9 19:36:23 2015 94.254.145.48:5691 TLS: Initial packet from [AF_INET]94.254.145.48:5691, sid=d2c3fc74 c7654fd9
Sat May  9 19:36:26 2015 94.254.145.48:5691 TLS: new session incoming connection from [AF_INET]94.254.145.48:5691
Sat May  9 19:36:31 2015 94.254.145.48:5691 TLS: new session incoming connection from [AF_INET]94.254.145.48:5691
Sat May  9 19:37:23 2015 94.254.145.48:5691 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May  9 19:37:23 2015 94.254.145.48:5691 TLS Error: TLS handshake failed
Sat May  9 19:37:23 2015 94.254.145.48:5691 SIGUSR1[soft,tls-error] received, client-instance restarting
Sat May  9 19:37:34 2015 94.254.145.48:5691 TLS: Initial packet from [AF_INET]94.254.145.48:5691, sid=818fb0a2 38d734e3
Sat May  9 19:37:39 2015 94.254.145.48:5691 TLS: new session incoming connection from [AF_INET]94.254.145.48:5691
Sat May  9 19:38:34 2015 94.254.145.48:5691 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May  9 19:38:34 2015 94.254.145.48:5691 TLS Error: TLS handshake failed
Sat May  9 19:38:34 2015 94.254.145.48:5691 SIGUSR1[soft,tls-error] received, client-instance restarting
Sat May  9 21:59:48 2015 94.254.144.50:61942 TLS: Initial packet from [AF_INET]94.254.144.50:61942, sid=57ea900a f57282e9
Sat May  9 21:59:51 2015 94.254.144.50:61942 VERIFY OK: depth=1, C=PL, ST=Malopolska, L=Wojnicz, O=Private, OU=DOM, CN=DOM, name=EasyRSA, emailAddress=shinigami.dario@gmail.com
Sat May  9 21:59:51 2015 94.254.144.50:61942 VERIFY OK: depth=0, C=PL, ST=Malopolska, L=Wojnicz, O=Private, OU=DOM, CN=SM-N9005, name=EasyRSA, emailAddress=shinigami.dario@gmail.com
Sat May  9 21:59:51 2015 94.254.144.50:61942 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat May  9 21:59:51 2015 94.254.144.50:61942 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May  9 21:59:51 2015 94.254.144.50:61942 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat May  9 21:59:51 2015 94.254.144.50:61942 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May  9 21:59:52 2015 94.254.144.50:61942 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat May  9 21:59:52 2015 94.254.144.50:61942 [SM-N9005] Peer Connection Initiated with [AF_INET]94.254.144.50:61942
Sat May  9 21:59:52 2015 SM-N9005/94.254.144.50:61942 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sat May  9 21:59:52 2015 SM-N9005/94.254.144.50:61942 MULTI: Learn: 10.8.0.6 -> SM-N9005/94.254.144.50:61942
Sat May  9 21:59:52 2015 SM-N9005/94.254.144.50:61942 MULTI: primary virtual IP for SM-N9005/94.254.144.50:61942: 10.8.0.6
Sat May  9 21:59:54 2015 SM-N9005/94.254.144.50:61942 PUSH: Received control message: 'PUSH_REQUEST'
Sat May  9 21:59:54 2015 SM-N9005/94.254.144.50:61942 send_push_reply(): safe_cap=940
Sat May  9 21:59:54 2015 SM-N9005/94.254.144.50:61942 SENT CONTROL [SM-N9005]: 'PUSH_REPLY,redirect-gateway def1 local,dhcp-option DNS 192.168.1.1,route 192.168.1.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Sat May  9 22:03:55 2015 SM-N9005/94.254.144.50:61942 [SM-N9005] Inactivity timeout (--ping-restart), restarting
Sat May  9 22:03:55 2015 SM-N9005/94.254.144.50:61942 SIGUSR1[soft,ping-restart] received, client-instance restarting

I used the same files as on the smartphone.

Gateway :Topton Intel Core i3-N305 16GB RAM 6x i226-V 2.5GbE
AP: 3x Netgear WAX220
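The server log above mixes two very different failure modes for the same client (a TLS handshake that never completes, and a session that connects, receives its PUSH_REPLY and then dies on ping-restart). The following is an added example, not code from the thread or from OpenWrt/OpenVPN: a small Python parser that groups OpenVPN 2.x server log lines by client endpoint and classifies each session's outcome. The log lines it runs on are constructed, with made-up addresses and session ids modelled on the format shown above.

```python
import re

# Constructed sample lines in the OpenVPN 2.x server log format seen in the thread
# (addresses, ports and sids are made up for this example).
SAMPLE_LOG = """\
Sat May  9 19:36:23 2015 203.0.113.10:5691 TLS: Initial packet from [AF_INET]203.0.113.10:5691, sid=d2c3fc74 c7654fd9
Sat May  9 19:37:23 2015 203.0.113.10:5691 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May  9 19:37:23 2015 203.0.113.10:5691 SIGUSR1[soft,tls-error] received, client-instance restarting
Sat May  9 21:59:48 2015 203.0.113.20:61942 TLS: Initial packet from [AF_INET]203.0.113.20:61942, sid=57ea900a f57282e9
Sat May  9 21:59:52 2015 203.0.113.20:61942 [SM-N9005] Peer Connection Initiated with [AF_INET]203.0.113.20:61942
Sat May  9 21:59:52 2015 SM-N9005/203.0.113.20:61942 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sat May  9 21:59:54 2015 SM-N9005/203.0.113.20:61942 SENT CONTROL [SM-N9005]: 'PUSH_REPLY,redirect-gateway def1 local,dhcp-option DNS 192.168.1.1' (status=1)
Sat May  9 22:03:55 2015 SM-N9005/203.0.113.20:61942 SIGUSR1[soft,ping-restart] received, client-instance restarting
"""

# Timestamp, then either "CN/ip:port" (after the client is known) or bare "ip:port", then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) "
    r"(?:(?P<cn>[^/ ]+)/)?(?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$"
)

def summarize_sessions(log_text):
    """Group lines by client endpoint and record CN, pool address, pushed options and outcome."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # daemon-level lines with no peer, e.g. "Initialization Sequence Completed"
        s = sessions.setdefault(
            m["peer"], {"cn": None, "vip": None, "pushed": [], "outcome": "in progress"}
        )
        msg = m["msg"]
        if m["cn"]:
            s["cn"] = m["cn"]
        vip = re.search(r"pool returned IPv4=(\S+),", msg)
        if vip:
            s["vip"] = vip.group(1)
        push = re.search(r"'PUSH_REPLY,(.*)'", msg)
        if push:
            s["pushed"] = push.group(1).split(",")
        if "TLS key negotiation failed" in msg:
            s["outcome"] = "tls-timeout"          # handshake never completed
        elif "Peer Connection Initiated" in msg:
            s["outcome"] = "connected"            # TLS done, tunnel being set up
        elif "SIGUSR1[soft,ping-restart]" in msg:
            s["outcome"] = "ping-restart after connect"  # tunnel up, keepalives stopped
    return sessions
```

The two outcomes point at different layers: a TLS timeout means the control channel never finished the handshake, while a ping-restart after a successful connect and PUSH_REPLY means the tunnel came up but no keepalive traffic flowed over it afterwards.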

24 (edited by DarioX7 2015-05-10 10:31:20)

Re: Problem with OpenVPN server configuration on BB

@Cezary, does openvpn on OpenWRT generate *.ovpn files?

Gateway :Topton Intel Core i3-N305 16GB RAM 6x i226-V 2.5GbE
AP: 3x Netgear WAX220

25

Re: Problem with OpenVPN server configuration on BB

There is no such thing; nothing is generated automatically. Gargoyle has it because it was programmed in; normally you do it by hand yourself.

Got a router you don't need, broken or not? I'll gladly take it in.