26

Re: OpenVPN configuration

In my opinion setting up Debian as a router is pointless - it will be harder for you to manage, not to mention the higher power consumption.
In short: routing decides through which interface a packet is to be sent so that it reaches a given subnet (using the word "redirection" here is wrong). The firewall, i.e. among other things iptables, permits specific packet traffic between interfaces. Keep in mind that an interface can be physical or virtual. To sum up, you need correct routing and correct firewall settings, so that the packet knows how to get there (routing) and is allowed to get there (firewall).
2a. The WRT160NL knows about the 192.168.1.0/24 subnet because it is the network directly connected to it.
2b. If you are connected over the VPN, you don't need to forward or open individual ports.
2c. Yes, the VPS should have an entry in its routing table for how to reach the 192.168.1.0/24 subnet behind the WRT160NL client, and you already have that through this option in the server config

 route 192.168.1.0 255.255.255.0 172.16.0.2

You can check it on the VPS with route -n once the WRT160NL client is connected.
3. If you can't get from the VPS into the 192.168.1.0/24 subnet, the problem lies in the firewall. Add this entry to /etc/config/firewall on the WRT160NL

config forwarding
        option dest 'vpn'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'vpn'

You also need to check whether an entry like this is present in /etc/config/network, and add it if not

config interface 'vpn'
        option ifname 'tun0'
        option proto 'none'

Assuming tun0 is the VPN interface.
Finally, restart the 2 daemons

/etc/init.d/firewall restart
/etc/init.d/network restart
TP-Link TL-WDR3600 v1.5 -  OpenWrt Chaos Calmer 15.05.1 with Luci +Microsoft LifeCam VX-3000
RaspberryPi 2 - OMV Stone Burner 2.0.15 +Creative SB Play +Medion OR24V +DVB-T Media-Tech MT4163  +MP00202AC +3xDS18B20 +HIH-4000-002 +MPXHZ6115A +Samsung SPF-85H +D-Link DUB-H7

27

Re: OpenVPN configuration

Thanks for the concrete and sensible explanation. I adjusted the settings on the WRT160NL as described above, but there is no effect, i.e. no pings to 192.168.1.XXX from e.g. 172.16.0.1. I don't know whether this could be the cause, but I see some errors in the VPN client log on the WRT160NL:

root@OpenWrt:~# cat /tmp/openvpn.log
Sat Jan 28 12:46:38 2017 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan  6 2015
Sat Jan 28 12:46:38 2017 library versions: OpenSSL 1.0.2f  28 Jan 2016, LZO 2.08
Sat Jan 28 12:46:38 2017 Control Channel Authentication: using '/etc/openvpn/tls-auth.key' as a OpenVPN static key file
Sat Jan 28 12:46:38 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 28 12:46:38 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 28 12:46:38 2017 Socket Buffers: R=[163840->131072] S=[163840->131072]
Sat Jan 28 12:46:38 2017 UDPv4 link local (bound): [undef]
Sat Jan 28 12:46:38 2017 UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sat Jan 28 12:46:38 2017 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=b99f458b 74e8c27a
Sat Jan 28 12:46:59 2017 VERIFY OK: depth=1, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=telewy, CN=Tomasz Lewandowski CA, name=server, emailAddress=tomasz.lewandowski@mail.com
Sat Jan 28 12:46:59 2017 Validating certificate key usage
Sat Jan 28 12:46:59 2017 ++ Certificate has key usage  00a0, expects 00a0
Sat Jan 28 12:46:59 2017 VERIFY KU OK
Sat Jan 28 12:46:59 2017 Validating certificate extended key usage
Sat Jan 28 12:46:59 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jan 28 12:46:59 2017 VERIFY EKU OK
Sat Jan 28 12:46:59 2017 VERIFY OK: depth=0, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=telewy, CN=server, name=server, emailAddress=tomasz.lewandowski@mail.com
Sat Jan 28 12:47:11 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Jan 28 12:47:11 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 28 12:47:11 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Jan 28 12:47:11 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 28 12:47:11 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Jan 28 12:47:11 2017 [server] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
Sat Jan 28 12:47:13 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jan 28 12:47:19 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jan 28 12:47:19 2017 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 172.16.0.2,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route-gateway 172.16.0.1,redirect-gateway def1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.0.2 255.255.255.0'
Sat Jan 28 12:47:19 2017 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Sat Jan 28 12:47:19 2017 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Sat Jan 28 12:47:19 2017 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Sat Jan 28 12:47:19 2017 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Sat Jan 28 12:47:19 2017 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jan 28 12:47:19 2017 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jan 28 12:47:19 2017 OPTIONS IMPORT: route-related options modified
Sat Jan 28 12:47:19 2017 TUN/TAP device tun0 opened
Sat Jan 28 12:47:19 2017 TUN/TAP TX queue length set to 100
Sat Jan 28 12:47:19 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Jan 28 12:47:19 2017 /sbin/ifconfig tun0 172.16.0.2 netmask 255.255.255.0 mtu 1500 broadcast 172.16.0.255
Sat Jan 28 12:47:19 2017 Initialization Sequence Completed

Admittedly, from your post WDR4300 OpenVPN Server & Client I conclude that this is normal behaviour.

I noticed that /etc/config/firewall had no vpn zone, so I added this entry:

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn'
        option masq '1'

but that still did not fix the situation.

28

Re: OpenVPN configuration

Yes, those errors are there because you use the route-nopull option in the client config.
There is no need to apply NAT on the vpn interface on the client - it should be applied only on tun on the server (Gr4nd0 described this).
Did you add ACCEPT for the tun interface in the FORWARD, INPUT and OUTPUT chains on the VPS?


29

Re: OpenVPN configuration

khain wrote:

Yes, those errors are there because you use the route-nopull option in the client config.
There is no need to apply NAT on the vpn interface on the client - it should be applied only on tun on the server (Gr4nd0 described this).
Did you add ACCEPT for the tun interface in the FORWARD, INPUT and OUTPUT chains on the VPS?

Khain, I'm still fighting with it. I added these commands:
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT
For the OUTPUT chain it throws the error "Can't use -i with OUTPUT". Honestly, while I more or less understand the idea behind iptables, the tool itself is black magic to me. All these masquerades and other options give me a headache.

Still, I'm slowly moving forward and there are some results. But something is still messed up somewhere in the firewall configuration, I think. Ideally I'd wipe the whole firewall configuration and try to do it from scratch. I have lots of entries in iptables (iptables -L) that I only half understand, and along the way I also installed ufw.
Generally, right now I'm able to reach my LAN from outside, so we have success :) But this connection dies every so often and I can't find the cause. Yesterday I spent a lot of time on this and noticed that starting the client on Android makes me lose the connection to the LAN, i.e. a ping from, say, 172.16.0.3 to 192.168.1.1 stops responding the moment the Android VPN client gets connected. I also noticed that running the command

service openvpn restart

after first disconnecting the Android device fixes this situation. I don't know if this is normal, but it doesn't happen immediately, only after a while; still, the pings come back. The connection to the VPN server itself is stable; yesterday I left the laptop connected to the VPN overnight and it could be pinged until today. Today I'll try not to connect from Android and see whether the connection to the LAN drops for some other reason. I'm attaching the VPN server log, which was dumped in the following scenario: connection to the LAN active -> connection from the Android client -> connection dropped -> VPN server restart -> connection restored. I marked the moment the connection dropped and came back with a comment. In this log I have 3 VPN clients: tomek_vostro (172.16.0.3 - Windows), tomek_an1 (172.16.0.4 - Android), tomek_itm (172.16.0.5 - Windows).
Additionally, after connecting from Android I have access to the 172.16.0.XXX addresses, but not to 192.168.1.1. In the Android VPN client log I noticed this error: tun_prop_route_error: route destinations other than vpn_gateway or net_gateway are not supported android. I read up a bit and modified the file /etc/openvpn/ccd/tomek_an1:

root@debian:/etc/openvpn/ccd# cat tomek_an1
ifconfig-push 172.16.0.4 255.255.255.0
push "route 192.168.1.0 255.255.255.0 172.16.0.1"
iroute 192.168.1.0 255.255.255.0

Without that push line it wouldn't even connect to 172.16.0.XXX. Besides, the server log constantly shows messages like:

Tue Jan 31 10:13:09 2017 us=546808 tomek_itm/77.112.5.102:52045 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped

OpenVPN server log:

Tue Jan 31 00:15:21 2017 us=946603 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:15:22 2017 us=149547 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:15:22 2017 us=559523 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:15:23 2017 us=9507 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:16:33 2017 us=892783 tomek_vostro/94.254.128.244:39616 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:16:34 2017 us=292230 tomek_vostro/94.254.128.244:39616 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:17:01 2017 us=977647 MULTI: multi_create_instance called
Tue Jan 31 00:17:01 2017 us=977735 94.254.128.244:39618 Re-using SSL/TLS context
Tue Jan 31 00:17:01 2017 us=977779 94.254.128.244:39618 LZO compression initialized
Tue Jan 31 00:17:01 2017 us=977893 94.254.128.244:39618 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Jan 31 00:17:01 2017 us=977910 94.254.128.244:39618 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan 31 00:17:01 2017 us=977941 94.254.128.244:39618 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue Jan 31 00:17:01 2017 us=977952 94.254.128.244:39618 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue Jan 31 00:17:01 2017 us=977971 94.254.128.244:39618 Local Options hash (VER=V4): '0b024030'
Tue Jan 31 00:17:01 2017 us=977985 94.254.128.244:39618 Expected Remote Options hash (VER=V4): '5b243d85'
Tue Jan 31 00:17:01 2017 us=978019 94.254.128.244:39618 TLS: Initial packet from [AF_INET]94.254.128.244:39618, sid=539814ae 39892105
Tue Jan 31 00:17:02 2017 us=14848 94.254.128.244:39618 PID_ERR replay-window backtrack occurred [1] [TLS_AUTH-0] [0_1] 1485818220:3 1485818220:2 t=1485818222[0] r=[-1,64,15,1,1] sl=[61,3,64,528]
Tue Jan 31 00:17:02 2017 us=696089 94.254.128.244:39618 VERIFY OK: depth=1, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=telewy, CN=Tomasz Lewandowski CA, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Jan 31 00:17:02 2017 us=696332 94.254.128.244:39618 VERIFY OK: depth=0, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=telewy, CN=tomek_an1, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Jan 31 00:17:02 2017 us=733904 94.254.128.244:39618 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 31 00:17:02 2017 us=733968 94.254.128.244:39618 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 31 00:17:02 2017 us=733988 94.254.128.244:39618 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 31 00:17:02 2017 us=734008 94.254.128.244:39618 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 31 00:17:02 2017 us=760319 94.254.128.244:39618 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 2048 bit RSA
Tue Jan 31 00:17:02 2017 us=760371 94.254.128.244:39618 [tomek_an1] Peer Connection Initiated with [AF_INET]94.254.128.244:39618
Tue Jan 31 00:17:02 2017 us=760436 tomek_an1/94.254.128.244:39618 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/tomek_an1
Tue Jan 31 00:17:02 2017 us=760616 tomek_an1/94.254.128.244:39618 MULTI: Learn: 172.16.0.4 -> tomek_an1/94.254.128.244:39618
Tue Jan 31 00:17:02 2017 us=760641 tomek_an1/94.254.128.244:39618 MULTI: primary virtual IP for tomek_an1/94.254.128.244:39618: 172.16.0.4
Tue Jan 31 00:17:02 2017 us=760661 tomek_an1/94.254.128.244:39618 MULTI: internal route 192.168.1.0/24 -> tomek_an1/94.254.128.244:39618
Tue Jan 31 00:17:02 2017 us=760684 tomek_an1/94.254.128.244:39618 MULTI: Learn: 192.168.1.0/24 -> tomek_an1/94.254.128.244:39618
Tue Jan 31 00:17:02 2017 us=772537 tomek_an1/94.254.128.244:39618 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jan 31 00:17:02 2017 us=772568 tomek_an1/94.254.128.244:39618 send_push_reply(): safe_cap=940
Tue Jan 31 00:17:02 2017 us=772644 tomek_an1/94.254.128.244:39618 SENT CONTROL [tomek_an1]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 172.16.0.2,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route-gateway 172.16.0.1,redirect-gateway def1,topology subnet,ping 10,ping-restart 120,route 192.168.1.0 255.255.255.0 172.16.0.1,ifconfig 172.16.0.4 255.255.255.0' (status=1)
Tue Jan 31 00:17:02 2017 us=865018 MULTI: Learn: 192.168.1.2 -> tomek_an1/94.254.128.244:39618
Tue Jan 31 00:17:03 2017 us=230673 MULTI: Learn: 192.168.1.1 -> tomek_an1/94.254.128.244:39618
// here the ping to 192.168.1.1 from tomek_vostro (172.16.0.3) stopped working
Tue Jan 31 00:17:14 2017 us=740603 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:15 2017 us=20999 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:15 2017 us=304778 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:15 2017 us=900381 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:17 2017 us=81262 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:19 2017 us=408499 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:20 2017 us=920299 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:21 2017 us=240423 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:21 2017 us=540679 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:22 2017 us=140596 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:23 2017 us=360681 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:24 2017 us=100554 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:25 2017 us=791446 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:33 2017 us=870243 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:33 2017 us=870310 tomek_an1/94.254.128.244:39618 SIGTERM[soft,remote-exit] received, client-instance exiting
Tue Jan 31 00:17:33 2017 us=870736 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:40 2017 us=428732 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:52 2017 us=228988 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:17:54 2017 us=147253 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:17:55 2017 us=147154 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:17:57 2017 us=155228 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:17:59 2017 us=891324 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:18:01 2017 us=147096 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:18:09 2017 us=147148 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:18:25 2017 us=148052 tomek_itm/77.112.5.102:56118 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:18:29 2017 us=715622 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped
Tue Jan 31 00:18:38 2017 us=948795 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped

Tue Jan 31 00:22:12 2017 us=363510 tomek_vostro/94.254.128.244:39639 PID_ERR replay-window backtrack occurred [1] [SSL-0] [0_00000000000000000000000000000000000001111111111111111111111111] 0:169 0:168 t=1485818532[0] r=[-4,64,15,1,1] sl=[23,64,64,528]
Tue Jan 31 00:22:12 2017 us=405637 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=405692 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=419309 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=490325 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=524997 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=639643 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=642971 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=818254 MULTI: multi_create_instance called
Tue Jan 31 00:22:12 2017 us=818363 77.112.5.102:52014 Re-using SSL/TLS context
Tue Jan 31 00:22:12 2017 us=818415 77.112.5.102:52014 LZO compression initialized
Tue Jan 31 00:22:12 2017 us=818598 77.112.5.102:52014 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Jan 31 00:22:12 2017 us=818630 77.112.5.102:52014 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan 31 00:22:12 2017 us=818677 77.112.5.102:52014 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue Jan 31 00:22:12 2017 us=818713 77.112.5.102:52014 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue Jan 31 00:22:12 2017 us=818743 77.112.5.102:52014 Local Options hash (VER=V4): '0b024030'
Tue Jan 31 00:22:12 2017 us=818767 77.112.5.102:52014 Expected Remote Options hash (VER=V4): '5b243d85'
Tue Jan 31 00:22:12 2017 us=818811 77.112.5.102:52014 TLS: Initial packet from [AF_INET]77.112.5.102:52014, sid=1382462e 4e7f4780
Tue Jan 31 00:22:12 2017 us=829385 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=832164 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=832214 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=893597 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=893676 tomek_vostro/94.254.128.244:39639 PID_ERR replay-window backtrack occurred [2] [SSL-0] [00_0000000000000000000000000000000000000000000000000000000000000] 0:196 0:194 t=1485818532[0] r=[-4,64,15,2,1] sl=[60,64,64,528]
Tue Jan 31 00:22:12 2017 us=899529 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:12 2017 us=899576 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:13 2017 us=32710 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:13 2017 us=50090 MULTI: Learn: 192.168.1.1 -> tomek_vostro/94.254.128.244:39639
Tue Jan 31 00:22:13 2017 us=138534 MULTI: Learn: 192.168.1.2 -> tomek_vostro/94.254.128.244:39639
Tue Jan 31 00:22:13 2017 us=268012 77.112.5.102:52014 VERIFY OK: depth=1, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=telewy, CN=Tomasz Lewandowski CA, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Jan 31 00:22:13 2017 us=268412 77.112.5.102:52014 VERIFY OK: depth=0, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=telewy, CN=tomek_itm, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Jan 31 00:22:13 2017 us=326490 77.112.5.102:52014 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 31 00:22:13 2017 us=326550 77.112.5.102:52014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 31 00:22:13 2017 us=326570 77.112.5.102:52014 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 31 00:22:13 2017 us=326589 77.112.5.102:52014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 31 00:22:13 2017 us=329011 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:13 2017 us=365139 77.112.5.102:52014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Jan 31 00:22:13 2017 us=365217 77.112.5.102:52014 [tomek_itm] Peer Connection Initiated with [AF_INET]77.112.5.102:52014
Tue Jan 31 00:22:13 2017 us=365282 tomek_itm/77.112.5.102:52014 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/tomek_itm
Tue Jan 31 00:22:13 2017 us=365449 tomek_itm/77.112.5.102:52014 MULTI: Learn: 172.16.0.5 -> tomek_itm/77.112.5.102:52014
Tue Jan 31 00:22:13 2017 us=365473 tomek_itm/77.112.5.102:52014 MULTI: primary virtual IP for tomek_itm/77.112.5.102:52014: 172.16.0.5
Tue Jan 31 00:22:13 2017 us=365493 tomek_itm/77.112.5.102:52014 MULTI: internal route 192.168.1.0/24 -> tomek_itm/77.112.5.102:52014
Tue Jan 31 00:22:13 2017 us=365533 tomek_itm/77.112.5.102:52014 MULTI: Learn: 192.168.1.0/24 -> tomek_itm/77.112.5.102:52014
Tue Jan 31 00:22:13 2017 us=388173 tomek_itm/77.112.5.102:52014 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jan 31 00:22:13 2017 us=388208 tomek_itm/77.112.5.102:52014 send_push_reply(): safe_cap=940
Tue Jan 31 00:22:13 2017 us=388248 tomek_itm/77.112.5.102:52014 SENT CONTROL [tomek_itm]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 172.16.0.2,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route-gateway 172.16.0.1,redirect-gateway def1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.0.5 255.255.255.0' (status=1)
Tue Jan 31 00:22:13 2017 us=391386 MULTI: Learn: 192.168.1.2 -> tomek_itm/77.112.5.102:52014
Tue Jan 31 00:22:14 2017 us=677245 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:14 2017 us=677343 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:18 2017 us=49612 MULTI: Learn: 192.168.1.1 -> tomek_itm/77.112.5.102:52014
Tue Jan 31 00:22:20 2017 us=24243 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:20 2017 us=24286 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:20 2017 us=24418 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:34 2017 us=918304 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
// here the ping to 192.168.1.1 from tomek_vostro (172.16.0.3) started working again
Tue Jan 31 00:22:42 2017 us=190973 94.254.162.175:15344 VERIFY OK: depth=1, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=telewy, CN=Tomasz Lewandowski CA, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Jan 31 00:22:42 2017 us=191313 94.254.162.175:15344 VERIFY OK: depth=0, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=telewy, CN=tomek, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Jan 31 00:22:42 2017 us=253313 94.254.162.175:15344 NOTE: Options consistency check may be skewed by version differences
Tue Jan 31 00:22:42 2017 us=253390 94.254.162.175:15344 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Tue Jan 31 00:22:42 2017 us=253414 94.254.162.175:15344 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
Tue Jan 31 00:22:42 2017 us=253434 94.254.162.175:15344 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1558'
Tue Jan 31 00:22:42 2017 us=253454 94.254.162.175:15344 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
Tue Jan 31 00:22:42 2017 us=253473 94.254.162.175:15344 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Tue Jan 31 00:22:42 2017 us=253493 94.254.162.175:15344 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-256-CBC'
Tue Jan 31 00:22:42 2017 us=253512 94.254.162.175:15344 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Tue Jan 31 00:22:42 2017 us=253531 94.254.162.175:15344 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 256'
Tue Jan 31 00:22:42 2017 us=253551 94.254.162.175:15344 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'
Tue Jan 31 00:22:42 2017 us=253570 94.254.162.175:15344 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Tue Jan 31 00:22:42 2017 us=253590 94.254.162.175:15344 WARNING: 'tls-client' is present in local config but missing in remote config, local='tls-client'
Tue Jan 31 00:22:42 2017 us=253722 94.254.162.175:15344 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 31 00:22:42 2017 us=253768 94.254.162.175:15344 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 31 00:22:42 2017 us=253788 94.254.162.175:15344 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 31 00:22:42 2017 us=253806 94.254.162.175:15344 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 31 00:22:42 2017 us=277197 94.254.162.175:15344 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Jan 31 00:22:42 2017 us=277254 94.254.162.175:15344 [tomek] Peer Connection Initiated with [AF_INET]94.254.162.175:15344
Tue Jan 31 00:22:42 2017 us=277318 tomek/94.254.162.175:15344 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/tomek
Tue Jan 31 00:22:42 2017 us=277482 tomek/94.254.162.175:15344 MULTI: Learn: 172.16.0.2 -> tomek/94.254.162.175:15344
Tue Jan 31 00:22:42 2017 us=277506 tomek/94.254.162.175:15344 MULTI: primary virtual IP for tomek/94.254.162.175:15344: 172.16.0.2
Tue Jan 31 00:22:42 2017 us=277527 tomek/94.254.162.175:15344 MULTI: internal route 192.168.1.0/24 -> tomek/94.254.162.175:15344
Tue Jan 31 00:22:42 2017 us=277548 tomek/94.254.162.175:15344 MULTI: Learn: 192.168.1.0/24 -> tomek/94.254.162.175:15344
Tue Jan 31 00:22:42 2017 us=868267 MULTI: Learn: 192.168.1.2 -> tomek/94.254.162.175:15344
Tue Jan 31 00:22:43 2017 us=49233 MULTI: Learn: 192.168.1.1 -> tomek/94.254.162.175:15344
Tue Jan 31 00:22:44 2017 us=427238 tomek/94.254.162.175:15344 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jan 31 00:22:44 2017 us=427312 tomek/94.254.162.175:15344 send_push_reply(): safe_cap=940
Tue Jan 31 00:22:44 2017 us=427355 tomek/94.254.162.175:15344 SENT CONTROL [tomek]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 172.16.0.2,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route-gateway 172.16.0.1,redirect-gateway def1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.0.2 255.255.255.0' (status=1)
Tue Jan 31 00:22:48 2017 us=585852 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:48 2017 us=617917 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:48 2017 us=624936 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:48 2017 us=905994 tomek/94.254.162.175:15344 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jan 31 00:22:49 2017 us=27853 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:49 2017 us=58012 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:51 2017 us=284137 tomek_itm/77.112.5.102:52014 PID_ERR replay-window backtrack occurred [2] [SSL-0] [00_0000001111111111111111112222222222222222222222222222222222222] 0:180 0:178 t=1485818571[0] r=[-4,64,15,2,1] sl=[12,64,64,528]
Tue Jan 31 00:22:51 2017 us=909215 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:52 2017 us=329354 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:22:54 2017 us=294967 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:57 2017 us=686847 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:58 2017 us=781921 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:58 2017 us=926880 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:59 2017 us=166918 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:22:59 2017 us=614795 tomek_itm/77.112.5.102:52014 MULTI: bad source address from client [fe80::945:a361:76f2:fd9e], packet dropped
Tue Jan 31 00:23:04 2017 us=48849 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:04 2017 us=68259 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:04 2017 us=81376 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:04 2017 us=509210 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:04 2017 us=538743 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:04 2017 us=915757 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:04 2017 us=935838 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:04 2017 us=935899 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:05 2017 us=29000 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:05 2017 us=349288 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
Tue Jan 31 00:23:06 2017 us=907924 tomek_vostro/94.254.128.244:39639 MULTI: bad source address from client [fe80::b0c7:1c51:ceb8:b41f], packet dropped
root@debian:/etc/openvpn#

Regards

30

Re: OpenVPN configuration

And a short addendum. I had to restart the tomek_itm laptop (172.16.0.5). After the restart there was no ping to 192.168.1.1. Reloading the openvpn server fixed the situation.

I'll test this further at home this evening.

31

Re: OpenVPN configuration

khain wrote:

There is no need to apply NAT on the vpn interface in the client; it should only be applied on tun on the server (Gr4nd0 described this)

Not on the interface, but on the destination IP. And only for those IPs that have no way of being given a static route

GUI is overrated

ASUS WL-500gP v2, TP-Link TL-MR3420 v2, TP-Link TL-WR1043ND v3, TP-Link TL-WDR4300 v1, D-Link DWR-921 C3,
Netgear R6220

32

Re: OpenVPN configuration

Do I even have IPs for which I can't set a static route? My network is simple, and I don't think so.

33

Re: OpenVPN configuration

telewy wrote:

Do I even have IPs for which I can't set a static route? My network is simple, and I don't think so.

Looking at your network diagram, I don't see any.
I had such a problem with a TP-Link on stock firmware that only acted as an AP and switch in my network.
It was connected to the rest only via LAN and had access only to the 192.168.1.x network. Everything else it wanted to push through the unconnected WAN. Forcing DNAT on the router with DEST_IP = the TP-Link's IP solved the problem.


34 (edited by khain 2017-01-31 21:00:07)

Re: OpenVPN configuration

@telewy Today I played with openvpn on Debian following this write-up https://community.openvpn.net/openvpn/w … AndRouting
In summary, you should run these commands on the VPS:
Permission to "receive and send" packets:

iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT

and this entry for NAT:

iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

and enable forwarding of packets:

echo 1 > /proc/sys/net/ipv4/ip_forward

This log line indicates a bad routing setup (do you have a typo somewhere?)

Tue Jan 31 00:17:14 2017 us=740603 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped

The first client losing its connection when the second one connects can have many causes, e.g. you're using the same keys or the same Common Name, or you assign the same IP address to both clients.

TP-Link TL-WDR3600 v1.5 -  OpenWrt Chaos Calmer 15.05.1 with Luci +Microsoft LifeCam VX-3000
RaspberryPi 2 - OMV Stone Burner 2.0.15 +Creative SB Play +Medion OR24V +DVB-T Media-Tech MT4163  +MP00202AC +3xDS18B20 +HIH-4000-002 +MPXHZ6115A +Samsung SPF-85H +D-Link DUB-H7
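An added example for this post, not part of khain's reply or of the OpenVPN wiki page it links to. The four rules above accept everything that arrives on tun0, including connections to every service listening on the VPS, and masquerade all traffic leaving tun0, which also hides which VPN client reached a LAN host. The script below builds the same plumbing with a narrower scope: only the listener and ICMP are accepted on INPUT, forwarding is limited to VPN subnet <-> LAN subnet plus client-to-client, and MASQUERADE is applied only toward LAN hosts that cannot be given a return route, which is the point made in posts 31 and 33. Interface and subnet names are the ones used in this thread; the host 192.168.1.50 is a hypothetical placeholder. Without APPLY=1 it only prints the commands, so the plan can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread: scoped replacement for the blanket
# "ACCEPT everything on tun0" rules plus MASQUERADE quoted in post 34.
# Assumed names (taken from the thread, override via environment):
#   tun0 = OpenVPN interface on the VPS, eth0 = its Internet interface,
#   172.16.0.0/24 = VPN subnet, 192.168.1.0/24 = LAN behind the WRT160NL.
VPN_IF=${VPN_IF:-tun0}
WAN_IF=${WAN_IF:-eth0}
VPN_NET=${VPN_NET:-172.16.0.0/24}
LAN_NET=${LAN_NET:-192.168.1.0/24}
# Hypothetical LAN hosts whose default gateway is not the WRT160NL, so they
# cannot be given a route back to 172.16.0.0/24. Only these get masqueraded.
NAT_ONLY_HOSTS=${NAT_ONLY_HOSTS:-192.168.1.50}

# Dry run by default: print the command instead of executing it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

vpn_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Nothing is forwarded unless a rule below says so.
    run iptables -P FORWARD DROP
    # The OpenVPN listener itself (udp/1194 as in the server log).
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport 1194 -j ACCEPT
    # Replies to connections the VPS or a tunnel peer already opened.
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Tunnel peers may ping the VPS (the test used throughout the thread), nothing else.
    run iptables -A INPUT -i "$VPN_IF" -s "$VPN_NET" -p icmp -j ACCEPT
    run iptables -A INPUT -i "$VPN_IF" -s "$LAN_NET" -p icmp -j ACCEPT
    # VPN clients <-> LAN behind the WRT160NL, and client-to-client. All of it
    # enters and leaves on tun0 because client-to-client is off on this server,
    # so the kernel, not OpenVPN, forwards between client instances.
    run iptables -A FORWARD -i "$VPN_IF" -o "$VPN_IF" -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$VPN_IF" -s "$LAN_NET" -d "$VPN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$VPN_IF" -s "$VPN_NET" -d "$VPN_NET" -j ACCEPT
    # Masquerade only toward hosts that cannot route back; every other LAN host
    # still sees the real 172.16.0.x source address in its logs.
    for h in $NAT_ONLY_HOSTS; do
        run iptables -t nat -A POSTROUTING -o "$VPN_IF" -d "$h" -j MASQUERADE
    done
}

vpn_rules
```

If the server also pushes redirect-gateway def1, as the PUSH_REPLY in the first log of this thread shows, the clients' Internet traffic leaves through eth0 and additionally needs a FORWARD rule from tun0 to eth0 plus MASQUERADE on eth0; the tun0 masquerade above does nothing for that path. To survive a reboot, save the rules with iptables-save and set net.ipv4.ip_forward in /etc/sysctl.conf rather than via /proc.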

35

Re: OpenVPN configuration

khain wrote:

@telewy Today I played with openvpn on Debian following this write-up https://community.openvpn.net/openvpn/w … AndRouting
In summary, you should run these commands on the VPS:
Permission to "receive and send" packets:

iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT

and this entry for NAT:

iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

and enable forwarding of packets:

echo 1 > /proc/sys/net/ipv4/ip_forward

khain, full respect to you for the help and the commitment in solving the problem. I added the missing iptables entries; the other things I already had set up. Generally it works like a charm :) Many thanks. This forum hasn't let me down yet again.

khain wrote:

This log line indicates a bad routing setup (do you have a typo somewhere?)

Tue Jan 31 00:17:14 2017 us=740603 tomek/94.254.162.175:15344 MULTI: bad source address from client [192.168.1.2], packet dropped

I was away from home and didn't really have time for an in-depth analysis; nevertheless I looked at my routing and didn't find an error, but I'll look at it more closely over the weekend.

khain wrote:
The first client losing its connection when the second one connects can have many causes, e.g. you're using the same keys or the same Common Name, or you assign the same IP address to both clients.

This problem still occurs for me. I reconfigured all the vpn clients from scratch, and it seems to me that none of the reasons you listed applies (I generated keys for each device, each has its own CN, each device gets a different IP). I configure the files as described e.g. here: Konfiguracja OpenVPN. I don't know where to look for the problem. Whether on the openvpn server 172.16.0.1, or on that vpn client 172.16.0.2 (192.168.1.1). On both machines I dumped the output of:

iptables -L
iptables -t nat -L -n
netstat -pln
ip route show
ip rule list
ifconfig -a
ip route list table local

at the moment when I had ping from 172.16.0.1 to 192.168.1.1 and again after that connection dropped. The files showed no differences. I'm somewhat running out of ideas where to look for the problem.

36

Re: OpenVPN configuration

Perhaps the problem lies in packet loss; try switching to tcp and reducing the cipher to AES-128-CBC.


37

Re: OpenVPN configuration

khain wrote:

Perhaps the problem lies in packet loss; try switching to tcp and reducing the cipher to AES-128-CBC.

Unfortunately, the above changes nothing. I tested a bit, and it looks like this:
1. connecting to the vpn with any client cuts the 192.168.1.0 network off from the 172.16.0.0 network
2. if, with the clients connected, I run on the server

service openvpn restart

then everything starts working properly and there is a path from any client to my lan.
From what I observe, a client starting up clearly changes something, probably on the vpn server side, which breaks the connection to the lan. I can do a clean install on the vpn server, because nothing else comes to mind.
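An added diagnostic for the symptom described in this post (the LAN disappears from the VPN as soon as another client connects, and a server restart brings it back); it is editor-supplied example code, not something posted in the thread. OpenVPN's server maps each iroute prefix to exactly one client instance, and a later claim on the same prefix replaces the earlier owner in the internal routing table, logging "MULTI: internal route <prefix> -> <client>" each time. In the verb 4 server log posted further down (post 42) that line appears for 192.168.1.0/24 right after "OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/tomek_itm" and is followed by "REMOVE PUSH ROUTE: 'route 192.168.1.0 255.255.255.0'", which is what OpenVPN prints when the connecting client's own ccd file carries an iroute for that subnet; that is worth comparing with the ccd file of the WRT160NL client, which is the only one that should claim it. The script reads a server log on stdin, reports every change of prefix owner, and lists which common names have claimed a prefix. The sample log has lines 1 to 3 and 7 copied from post 42 and the rest constructed in the same format (the WRT160NL finishing its handshake, then tomek_itm reconnecting on a new source port). The "bad source address from client [fe80::...]" and "PID_ERR replay-window backtrack" lines seen earlier in the thread are unrelated to this problem (IPv6 link-local chatter from Windows clients in a tunnel with no IPv6 configured, and UDP packet reordering respectively), and the script ignores them.

```shell
#!/bin/sh
# Added example, not from the thread: find out which client instance the
# OpenVPN server currently maps a prefix to, from its verb 4 log, and flag
# every change of owner. Typical use:  route_owner_changes < openvpn.log
# (the log file name is an assumption; the thread's server logs via --log).

# Print "<kind> <prefix> moved <old-cn> -> <new-cn>" whenever an
# "internal route" line (iroute from a ccd file) or a "Learn:" line hands a
# prefix that already had an owner to a different common name.
route_owner_changes() {
    awk '
    /MULTI: (internal route|Learn:) / {
        kind = ($0 ~ /internal route/) ? "iroute" : "learn"
        # the prefix is the token before "->", the owning instance the one after
        for (i = 1; i <= NF; i++) if ($i == "->") { prefix = $(i - 1); owner = $(i + 1); break }
        split(owner, cn, "/")          # "tomek_itm/77.114.12.156:59867" -> "tomek_itm"
        if ((prefix in cur) && cur[prefix] != cn[1])
            printf "%s %s moved %s -> %s\n", kind, prefix, cur[prefix], cn[1]
        cur[prefix] = cn[1]
    }'
}

# List every common name that has claimed PREFIX through an iroute. More than
# one line means more than one ccd file carries the same iroute.
iroute_claimants() {
    awk -v want="$1" '
    /MULTI: internal route / {
        for (i = 1; i <= NF; i++) if ($i == "->") { prefix = $(i - 1); owner = $(i + 1); break }
        split(owner, cn, "/")
        if (prefix == want && !(cn[1] in seen)) { seen[cn[1]] = 1; print cn[1] }
    }'
}

# Sample input: lines 1-3 and 7 are copied from the server log in post 42, the
# others are constructed in the same format (WRT160NL handshake completing,
# then tomek_itm reconnecting from a new source port).
SAMPLE_LOG='Tue Feb  7 01:04:10 2017 us=84801 tomek_itm/77.114.12.156:59867 MULTI: Learn: 172.16.0.5 -> tomek_itm/77.114.12.156:59867
Tue Feb  7 01:04:10 2017 us=84847 tomek_itm/77.114.12.156:59867 MULTI: internal route 192.168.1.0/24 -> tomek_itm/77.114.12.156:59867
Tue Feb  7 01:04:10 2017 us=84869 tomek_itm/77.114.12.156:59867 MULTI: Learn: 192.168.1.0/24 -> tomek_itm/77.114.12.156:59867
Tue Feb  7 01:04:19 2017 us=300000 tomek_wrt160nl/94.254.227.198:19854 MULTI: Learn: 172.16.0.2 -> tomek_wrt160nl/94.254.227.198:19854
Tue Feb  7 01:04:19 2017 us=300100 tomek_wrt160nl/94.254.227.198:19854 MULTI: internal route 192.168.1.0/24 -> tomek_wrt160nl/94.254.227.198:19854
Tue Feb  7 01:04:19 2017 us=300200 tomek_wrt160nl/94.254.227.198:19854 MULTI: Learn: 192.168.1.0/24 -> tomek_wrt160nl/94.254.227.198:19854
Tue Feb  7 01:06:44 2017 us=85495 MULTI: Learn: 192.168.1.2 -> tomek_wrt160nl/94.254.227.198:19854
Tue Feb  7 01:09:30 2017 us=100000 tomek_itm/77.114.12.156:60123 MULTI: internal route 192.168.1.0/24 -> tomek_itm/77.114.12.156:60123
Tue Feb  7 01:09:30 2017 us=100050 tomek_itm/77.114.12.156:60123 MULTI: Learn: 192.168.1.0/24 -> tomek_itm/77.114.12.156:60123'

printf '%s\n' "$SAMPLE_LOG" | route_owner_changes
printf '%s\n' "$SAMPLE_LOG" | iroute_claimants 192.168.1.0/24
```

On the sample, the first function reports the /24 moving from tomek_itm to tomek_wrt160nl and back again when tomek_itm reconnects, and the second lists both common names as claimants of 192.168.1.0/24. Once the server maps the prefix to the laptop, packets from 172.16.0.1 to 192.168.1.x are handed to the laptop's tunnel instead of the router's, which is exactly a LAN that is reachable until another client connects; the fix is to keep `iroute 192.168.1.0 255.255.255.0` only in the ccd file of the client that actually fronts that subnet.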

38

Re: OpenVPN configuration

I did a clean install on the VPS, but there is no effect at all. Everything works except that after connecting with a client, the connection from the vpn network 172.16.0.0 to my lan disappears, which is really the thing I care about most.

39 (edited by khain 2017-02-06 15:09:20)

Re: OpenVPN configuration

Evidently your openvpn daemon crashes after a client connects; check whether it is alive. There should be something in the system logs too.


40

Re: OpenVPN configuration

The openvpn daemon isn't crashing, because at the same time my pings keep running, but only within the vpn network, i.e. from the second computer connected to the vpn (172.16.0.5) to 172.16.0.2 (the openwrt vpn client).

41

Re: OpenVPN configuration

Then if the daemon isn't crashing, the cause must be in the openvpn logs.


42

Re: OpenVPN configuration

I'm looking at those logs; below is a dump from the server. The drop happened after the line:

Tue Feb  7 01:06:44 2017 us=85495 MULTI: Learn: 192.168.1.2 -> tomek_wrt160nl/94.254.227.198:19854

Up to that moment ping from 172.16.0.1 (vpn server) to 192.168.1.2 was working for me. Unfortunately I don't see anything in this log that could give me a hint. In the log of the vpn client on the wrt160nl router there is nothing related to this.

server log

Tue Feb  7 01:02:09 2017 us=988217 Current Parameter Settings:
Tue Feb  7 01:02:09 2017 us=988285   config = '/etc/openvpn/server.conf'
Tue Feb  7 01:02:09 2017 us=988298   mode = 1
Tue Feb  7 01:02:09 2017 us=988307   persist_config = DISABLED
Tue Feb  7 01:02:09 2017 us=988316   persist_mode = 1
Tue Feb  7 01:02:09 2017 us=988325   show_ciphers = DISABLED
Tue Feb  7 01:02:09 2017 us=988334   show_digests = DISABLED
Tue Feb  7 01:02:09 2017 us=988343   show_engines = DISABLED
Tue Feb  7 01:02:09 2017 us=988352   genkey = DISABLED
Tue Feb  7 01:02:09 2017 us=988361   key_pass_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988371   show_tls_ciphers = DISABLED
Tue Feb  7 01:02:09 2017 us=988380   connect_retry_max = 0
Tue Feb  7 01:02:09 2017 us=988389 Connection profiles [0]:
Tue Feb  7 01:02:09 2017 us=988399   proto = udp
Tue Feb  7 01:02:09 2017 us=988408   local = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988417   local_port = '1194'
Tue Feb  7 01:02:09 2017 us=988426   remote = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988435   remote_port = '1194'
Tue Feb  7 01:02:09 2017 us=988444   remote_float = DISABLED
Tue Feb  7 01:02:09 2017 us=988458   bind_defined = DISABLED
Tue Feb  7 01:02:09 2017 us=988469   bind_local = ENABLED
Tue Feb  7 01:02:09 2017 us=988478   bind_ipv6_only = DISABLED
Tue Feb  7 01:02:09 2017 us=988487   connect_retry_seconds = 5
Tue Feb  7 01:02:09 2017 us=988496   connect_timeout = 120
Tue Feb  7 01:02:09 2017 us=988505   socks_proxy_server = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988514   socks_proxy_port = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988523   tun_mtu = 1500
Tue Feb  7 01:02:09 2017 us=988532   tun_mtu_defined = ENABLED
Tue Feb  7 01:02:09 2017 us=988541   link_mtu = 1500
Tue Feb  7 01:02:09 2017 us=988550   link_mtu_defined = DISABLED
Tue Feb  7 01:02:09 2017 us=988559   tun_mtu_extra = 0
Tue Feb  7 01:02:09 2017 us=988568   tun_mtu_extra_defined = DISABLED
Tue Feb  7 01:02:09 2017 us=988578   mtu_discover_type = -1
Tue Feb  7 01:02:09 2017 us=988587   fragment = 0
Tue Feb  7 01:02:09 2017 us=988596   mssfix = 1450
Tue Feb  7 01:02:09 2017 us=988605   explicit_exit_notification = 0
Tue Feb  7 01:02:09 2017 us=988614 Connection profiles END
Tue Feb  7 01:02:09 2017 us=988624   remote_random = DISABLED
Tue Feb  7 01:02:09 2017 us=988633   ipchange = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988642   dev = 'tun'
Tue Feb  7 01:02:09 2017 us=988651   dev_type = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988660   dev_node = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988669   lladdr = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988678   topology = 3
Tue Feb  7 01:02:09 2017 us=988687   ifconfig_local = '172.16.0.1'
Tue Feb  7 01:02:09 2017 us=988697   ifconfig_remote_netmask = '255.255.255.0'
Tue Feb  7 01:02:09 2017 us=988706   ifconfig_noexec = DISABLED
Tue Feb  7 01:02:09 2017 us=988715   ifconfig_nowarn = DISABLED
Tue Feb  7 01:02:09 2017 us=988724   ifconfig_ipv6_local = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988733   ifconfig_ipv6_netbits = 0
Tue Feb  7 01:02:09 2017 us=988742   ifconfig_ipv6_remote = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988752   shaper = 0
Tue Feb  7 01:02:09 2017 us=988761   mtu_test = 0
Tue Feb  7 01:02:09 2017 us=988770   mlock = DISABLED
Tue Feb  7 01:02:09 2017 us=988779   keepalive_ping = 10
Tue Feb  7 01:02:09 2017 us=988788   keepalive_timeout = 120
Tue Feb  7 01:02:09 2017 us=988798   inactivity_timeout = 0
Tue Feb  7 01:02:09 2017 us=988807   ping_send_timeout = 10
Tue Feb  7 01:02:09 2017 us=988816   ping_rec_timeout = 240
Tue Feb  7 01:02:09 2017 us=988825   ping_rec_timeout_action = 2
Tue Feb  7 01:02:09 2017 us=988834   ping_timer_remote = DISABLED
Tue Feb  7 01:02:09 2017 us=988844   remap_sigusr1 = 0
Tue Feb  7 01:02:09 2017 us=988853   persist_tun = ENABLED
Tue Feb  7 01:02:09 2017 us=988862   persist_local_ip = DISABLED
Tue Feb  7 01:02:09 2017 us=988871   persist_remote_ip = DISABLED
Tue Feb  7 01:02:09 2017 us=988880   persist_key = ENABLED
Tue Feb  7 01:02:09 2017 us=988889   passtos = DISABLED
Tue Feb  7 01:02:09 2017 us=988899   resolve_retry_seconds = 1000000000
Tue Feb  7 01:02:09 2017 us=988908   resolve_in_advance = DISABLED
Tue Feb  7 01:02:09 2017 us=988924   username = 'nobody'
Tue Feb  7 01:02:09 2017 us=988933   groupname = 'nogroup'
Tue Feb  7 01:02:09 2017 us=988943   chroot_dir = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988952   cd_dir = '/etc/openvpn'
Tue Feb  7 01:02:09 2017 us=988961   writepid = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988970   up_script = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988979   down_script = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=988988   down_pre = DISABLED
Tue Feb  7 01:02:09 2017 us=988997   up_restart = DISABLED
Tue Feb  7 01:02:09 2017 us=989006   up_delay = DISABLED
Tue Feb  7 01:02:09 2017 us=989015   daemon = ENABLED
Tue Feb  7 01:02:09 2017 us=989024   inetd = 0
Tue Feb  7 01:02:09 2017 us=989033   log = ENABLED
Tue Feb  7 01:02:09 2017 us=989042   suppress_timestamps = DISABLED
Tue Feb  7 01:02:09 2017 us=989051   machine_readable_output = DISABLED
Tue Feb  7 01:02:09 2017 us=989061   nice = 0
Tue Feb  7 01:02:09 2017 us=989070   verbosity = 4
Tue Feb  7 01:02:09 2017 us=989079   mute = 0
Tue Feb  7 01:02:09 2017 us=989088   gremlin = 0
Tue Feb  7 01:02:09 2017 us=989097   status_file = '/etc/openvpn/openvpn-status.log'
Tue Feb  7 01:02:09 2017 us=989106   status_file_version = 1
Tue Feb  7 01:02:09 2017 us=989116   status_file_update_freq = 10
Tue Feb  7 01:02:09 2017 us=989125   occ = ENABLED
Tue Feb  7 01:02:09 2017 us=989134   rcvbuf = 0
Tue Feb  7 01:02:09 2017 us=989143   sndbuf = 0
Tue Feb  7 01:02:09 2017 us=989152   mark = 0
Tue Feb  7 01:02:09 2017 us=989161   sockflags = 0
Tue Feb  7 01:02:09 2017 us=989170   fast_io = DISABLED
Tue Feb  7 01:02:09 2017 us=989179   comp.alg = 2
Tue Feb  7 01:02:09 2017 us=989188   comp.flags = 0
Tue Feb  7 01:02:09 2017 us=989198   route_script = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989207   route_default_gateway = '172.16.0.2'
Tue Feb  7 01:02:09 2017 us=989216   route_default_metric = 0
Tue Feb  7 01:02:09 2017 us=989225   route_noexec = DISABLED
Tue Feb  7 01:02:09 2017 us=989235   route_delay = 0
Tue Feb  7 01:02:09 2017 us=989244   route_delay_window = 30
Tue Feb  7 01:02:09 2017 us=989253   route_delay_defined = DISABLED
Tue Feb  7 01:02:09 2017 us=989263   route_nopull = DISABLED
Tue Feb  7 01:02:09 2017 us=989272   route_gateway_via_dhcp = DISABLED
Tue Feb  7 01:02:09 2017 us=989281   allow_pull_fqdn = DISABLED
Tue Feb  7 01:02:09 2017 us=989291   route 192.168.1.0/255.255.255.0/default (not set)/default (not set)
Tue Feb  7 01:02:09 2017 us=989300   management_addr = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989310   management_port = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989323   management_user_pass = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989333   management_log_history_cache = 250
Tue Feb  7 01:02:09 2017 us=989343   management_echo_buffer_size = 100
Tue Feb  7 01:02:09 2017 us=989353   management_write_peer_info_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989362   management_client_user = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989372   management_client_group = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989381   management_flags = 0
Tue Feb  7 01:02:09 2017 us=989391   shared_secret_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989401   key_direction = 0
Tue Feb  7 01:02:09 2017 us=989410   ciphername = 'AES-256-CBC'
Tue Feb  7 01:02:09 2017 us=989420   ncp_enabled = ENABLED
Tue Feb  7 01:02:09 2017 us=989430   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Tue Feb  7 01:02:09 2017 us=989439   authname = 'SHA1'
Tue Feb  7 01:02:09 2017 us=989449   prng_hash = 'SHA1'
Tue Feb  7 01:02:09 2017 us=989462   prng_nonce_secret_len = 16
Tue Feb  7 01:02:09 2017 us=989471   keysize = 0
Tue Feb  7 01:02:09 2017 us=989480   engine = DISABLED
Tue Feb  7 01:02:09 2017 us=989489   replay = ENABLED
Tue Feb  7 01:02:09 2017 us=989498   mute_replay_warnings = DISABLED
Tue Feb  7 01:02:09 2017 us=989507   replay_window = 64
Tue Feb  7 01:02:09 2017 us=989516   replay_time = 15
Tue Feb  7 01:02:09 2017 us=989525   packet_id_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989534   use_iv = ENABLED
Tue Feb  7 01:02:09 2017 us=989543   test_crypto = DISABLED
Tue Feb  7 01:02:09 2017 us=989560   tls_server = ENABLED
Tue Feb  7 01:02:09 2017 us=989569   tls_client = DISABLED
Tue Feb  7 01:02:09 2017 us=989579   key_method = 2
Tue Feb  7 01:02:09 2017 us=989588   ca_file = '/etc/openvpn/ca.crt'
Tue Feb  7 01:02:09 2017 us=989597   ca_path = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989610   dh_file = '/etc/openvpn/dh2048.pem'
Tue Feb  7 01:02:09 2017 us=989620   cert_file = '/etc/openvpn/server.crt'
Tue Feb  7 01:02:09 2017 us=989629   extra_certs_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989639   priv_key_file = '/etc/openvpn/server.key'
Tue Feb  7 01:02:09 2017 us=989649   pkcs12_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989659   cipher_list = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989668   tls_verify = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989681   tls_export_cert = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989690   verify_x509_type = 0
Tue Feb  7 01:02:09 2017 us=989699   verify_x509_name = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989708   crl_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989717   ns_cert_type = 0
Tue Feb  7 01:02:09 2017 us=989726   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989735   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989744   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989753   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989762   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989771   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989780   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989788   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989797   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989806   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989815   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989824   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989833   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989842   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989851   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989860   remote_cert_ku[i] = 0
Tue Feb  7 01:02:09 2017 us=989869   remote_cert_eku = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989878   ssl_flags = 0
Tue Feb  7 01:02:09 2017 us=989887   tls_timeout = 2
Tue Feb  7 01:02:09 2017 us=989896   renegotiate_bytes = -1
Tue Feb  7 01:02:09 2017 us=989905   renegotiate_packets = 0
Tue Feb  7 01:02:09 2017 us=989914   renegotiate_seconds = 3600
Tue Feb  7 01:02:09 2017 us=989923   handshake_window = 60
Tue Feb  7 01:02:09 2017 us=989932   transition_window = 3600
Tue Feb  7 01:02:09 2017 us=989942   single_session = DISABLED
Tue Feb  7 01:02:09 2017 us=989951   push_peer_info = DISABLED
Tue Feb  7 01:02:09 2017 us=989960   tls_exit = DISABLED
Tue Feb  7 01:02:09 2017 us=989969   tls_auth_file = '/etc/openvpn/ta.key'
Tue Feb  7 01:02:09 2017 us=989978   tls_crypt_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=989989   server_network = 172.16.0.0
Tue Feb  7 01:02:09 2017 us=989999   server_netmask = 255.255.255.0
Tue Feb  7 01:02:09 2017 us=990011   server_network_ipv6 = ::
Tue Feb  7 01:02:09 2017 us=990021   server_netbits_ipv6 = 0
Tue Feb  7 01:02:09 2017 us=990031   server_bridge_ip = 0.0.0.0
Tue Feb  7 01:02:09 2017 us=990047   server_bridge_netmask = 0.0.0.0
Tue Feb  7 01:02:09 2017 us=990058   server_bridge_pool_start = 0.0.0.0
Tue Feb  7 01:02:09 2017 us=990068   server_bridge_pool_end = 0.0.0.0
Tue Feb  7 01:02:09 2017 us=990077   push_entry = 'route 192.168.1.0 255.255.255.0'
Tue Feb  7 01:02:09 2017 us=990086   push_entry = 'dhcp-option DNS 208.67.222.222'
Tue Feb  7 01:02:09 2017 us=990096   push_entry = 'dhcp-option DNS 208.67.220.220'
Tue Feb  7 01:02:09 2017 us=990105   push_entry = 'topology subnet'
Tue Feb  7 01:02:09 2017 us=990114   push_entry = 'route-gateway 172.16.0.1'
Tue Feb  7 01:02:09 2017 us=990123   push_entry = 'topology subnet'
Tue Feb  7 01:02:09 2017 us=990132   push_entry = 'ping 10'
Tue Feb  7 01:02:09 2017 us=990142   push_entry = 'ping-restart 120'
Tue Feb  7 01:02:09 2017 us=990151   ifconfig_pool_defined = ENABLED
Tue Feb  7 01:02:09 2017 us=990161   ifconfig_pool_start = 172.16.0.2
Tue Feb  7 01:02:09 2017 us=990176   ifconfig_pool_end = 172.16.0.253
Tue Feb  7 01:02:09 2017 us=990186   ifconfig_pool_netmask = 255.255.255.0
Tue Feb  7 01:02:09 2017 us=990196   ifconfig_pool_persist_filename = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=990205   ifconfig_pool_persist_refresh_freq = 600
Tue Feb  7 01:02:09 2017 us=990214   ifconfig_ipv6_pool_defined = DISABLED
Tue Feb  7 01:02:09 2017 us=990224   ifconfig_ipv6_pool_base = ::
Tue Feb  7 01:02:09 2017 us=990233   ifconfig_ipv6_pool_netbits = 0
Tue Feb  7 01:02:09 2017 us=990243   n_bcast_buf = 256
Tue Feb  7 01:02:09 2017 us=990252   tcp_queue_limit = 64
Tue Feb  7 01:02:09 2017 us=990261   real_hash_size = 256
Tue Feb  7 01:02:09 2017 us=990270   virtual_hash_size = 256
Tue Feb  7 01:02:09 2017 us=990279   client_connect_script = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=990289   learn_address_script = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=990298   client_disconnect_script = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=990307   client_config_dir = '/etc/openvpn/ccd'
Tue Feb  7 01:02:09 2017 us=990316   ccd_exclusive = DISABLED
Tue Feb  7 01:02:09 2017 us=990325   tmp_dir = '/tmp'
Tue Feb  7 01:02:09 2017 us=990334   push_ifconfig_defined = DISABLED
Tue Feb  7 01:02:09 2017 us=990345   push_ifconfig_local = 0.0.0.0
Tue Feb  7 01:02:09 2017 us=990354   push_ifconfig_remote_netmask = 0.0.0.0
Tue Feb  7 01:02:09 2017 us=990364   push_ifconfig_ipv6_defined = DISABLED
Tue Feb  7 01:02:09 2017 us=990373   push_ifconfig_ipv6_local = ::/0
Tue Feb  7 01:02:09 2017 us=990383   push_ifconfig_ipv6_remote = ::
Tue Feb  7 01:02:09 2017 us=990392   enable_c2c = DISABLED
Tue Feb  7 01:02:09 2017 us=990402   duplicate_cn = DISABLED
Tue Feb  7 01:02:09 2017 us=990411   cf_max = 0
Tue Feb  7 01:02:09 2017 us=990420   cf_per = 0
Tue Feb  7 01:02:09 2017 us=990429   max_clients = 1024
Tue Feb  7 01:02:09 2017 us=990439   max_routes_per_client = 256
Tue Feb  7 01:02:09 2017 us=990448   auth_user_pass_verify_script = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=990457   auth_user_pass_verify_script_via_file = DISABLED
Tue Feb  7 01:02:09 2017 us=990466   auth_token_generate = DISABLED
Tue Feb  7 01:02:09 2017 us=990475   auth_token_lifetime = 0
Tue Feb  7 01:02:09 2017 us=990485   port_share_host = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=990494   port_share_port = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=990503   client = DISABLED
Tue Feb  7 01:02:09 2017 us=990512   pull = DISABLED
Tue Feb  7 01:02:09 2017 us=990521   auth_user_pass_file = '[UNDEF]'
Tue Feb  7 01:02:09 2017 us=990531 OpenVPN 2.4.0 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb  6 2017
Tue Feb  7 01:02:09 2017 us=990552 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Tue Feb  7 01:02:09 2017 us=992374 Diffie-Hellman initialized with 2048 bit key
Tue Feb  7 01:02:09 2017 us=992931 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Tue Feb  7 01:02:09 2017 us=992955 ECDH curve secp384r1 added
Tue Feb  7 01:02:09 2017 us=993107 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  7 01:02:09 2017 us=993124 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  7 01:02:09 2017 us=993138 TLS-Auth MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Tue Feb  7 01:02:09 2017 us=993411 ROUTE_GATEWAY XXX.XXX.XXX.1/255.255.255.0 IFACE=eth0 HWADDR=e6:fe:a9:df:58:bc
Tue Feb  7 01:02:09 2017 us=993642 TUN/TAP device tun0 opened
Tue Feb  7 01:02:09 2017 us=993667 TUN/TAP TX queue length set to 100
Tue Feb  7 01:02:09 2017 us=993685 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Feb  7 01:02:09 2017 us=993703 /sbin/ifconfig tun0 172.16.0.1 netmask 255.255.255.0 mtu 1500 broadcast 172.16.0.255
Tue Feb  7 01:02:10 2017 us=56482 /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 172.16.0.2
Tue Feb  7 01:02:10 2017 us=59094 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Feb  7 01:02:10 2017 us=59924 Could not determine IPv4/IPv6 protocol. Using AF_INET
Tue Feb  7 01:02:10 2017 us=59990 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Feb  7 01:02:10 2017 us=60024 UDPv4 link local (bound): [AF_INET][undef]:1194
Tue Feb  7 01:02:10 2017 us=60042 UDPv4 link remote: [AF_UNSPEC]
Tue Feb  7 01:02:10 2017 us=60062 GID set to nogroup
Tue Feb  7 01:02:10 2017 us=60086 UID set to nobody
Tue Feb  7 01:02:10 2017 us=60110 MULTI: multi_init called, r=256 v=256
Tue Feb  7 01:02:10 2017 us=60181 IFCONFIG POOL: base=172.16.0.2 size=252, ipv6=0
Tue Feb  7 01:02:10 2017 us=60252 Initialization Sequence Completed
Tue Feb  7 01:04:08 2017 us=137041 MULTI: multi_create_instance called
Tue Feb  7 01:04:08 2017 us=137185 94.254.227.198:19854 Re-using SSL/TLS context
Tue Feb  7 01:04:08 2017 us=137221 94.254.227.198:19854 LZO compression initializing
Tue Feb  7 01:04:08 2017 us=137493 94.254.227.198:19854 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Tue Feb  7 01:04:08 2017 us=137520 94.254.227.198:19854 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Feb  7 01:04:08 2017 us=137578 94.254.227.198:19854 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue Feb  7 01:04:08 2017 us=137598 94.254.227.198:19854 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue Feb  7 01:04:08 2017 us=137650 94.254.227.198:19854 TLS: Initial packet from [AF_INET]94.254.227.198:19854, sid=b38d0d80 84709d7a
Tue Feb  7 01:04:09 2017 us=624363 MULTI: multi_create_instance called
Tue Feb  7 01:04:09 2017 us=624449 77.114.12.156:59867 Re-using SSL/TLS context
Tue Feb  7 01:04:09 2017 us=624487 77.114.12.156:59867 LZO compression initializing
Tue Feb  7 01:04:09 2017 us=624711 77.114.12.156:59867 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Tue Feb  7 01:04:09 2017 us=624737 77.114.12.156:59867 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Feb  7 01:04:09 2017 us=624784 77.114.12.156:59867 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue Feb  7 01:04:09 2017 us=624802 77.114.12.156:59867 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue Feb  7 01:04:09 2017 us=624850 77.114.12.156:59867 TLS: Initial packet from [AF_INET]77.114.12.156:59867, sid=028cffa9 5e356ebc
Tue Feb  7 01:04:09 2017 us=830127 77.114.12.156:59867 VERIFY OK: depth=1, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=TomaszLewandowski, CN=Tomasz Lewandowski CA, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Feb  7 01:04:09 2017 us=830553 77.114.12.156:59867 VERIFY OK: depth=0, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=TomaszLewandowski, CN=tomek_itm, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Feb  7 01:04:09 2017 us=951399 77.114.12.156:59867 peer info: IV_VER=2.4.0
Tue Feb  7 01:04:09 2017 us=951466 77.114.12.156:59867 peer info: IV_PLAT=win
Tue Feb  7 01:04:09 2017 us=951485 77.114.12.156:59867 peer info: IV_PROTO=2
Tue Feb  7 01:04:09 2017 us=951502 77.114.12.156:59867 peer info: IV_NCP=2
Tue Feb  7 01:04:09 2017 us=951519 77.114.12.156:59867 peer info: IV_LZ4=1
Tue Feb  7 01:04:09 2017 us=951535 77.114.12.156:59867 peer info: IV_LZ4v2=1
Tue Feb  7 01:04:09 2017 us=951552 77.114.12.156:59867 peer info: IV_LZO=1
Tue Feb  7 01:04:09 2017 us=951569 77.114.12.156:59867 peer info: IV_COMP_STUB=1
Tue Feb  7 01:04:09 2017 us=951586 77.114.12.156:59867 peer info: IV_COMP_STUBv2=1
Tue Feb  7 01:04:09 2017 us=951603 77.114.12.156:59867 peer info: IV_TCPNL=1
Tue Feb  7 01:04:09 2017 us=951620 77.114.12.156:59867 peer info: IV_GUI_VER=OpenVPN_GUI_11
Tue Feb  7 01:04:10 2017 us=84360 77.114.12.156:59867 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Feb  7 01:04:10 2017 us=84478 77.114.12.156:59867 [tomek_itm] Peer Connection Initiated with [AF_INET]77.114.12.156:59867
Tue Feb  7 01:04:10 2017 us=84573 tomek_itm/77.114.12.156:59867 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/tomek_itm
Tue Feb  7 01:04:10 2017 us=84801 tomek_itm/77.114.12.156:59867 MULTI: Learn: 172.16.0.5 -> tomek_itm/77.114.12.156:59867
Tue Feb  7 01:04:10 2017 us=84827 tomek_itm/77.114.12.156:59867 MULTI: primary virtual IP for tomek_itm/77.114.12.156:59867: 172.16.0.5
Tue Feb  7 01:04:10 2017 us=84847 tomek_itm/77.114.12.156:59867 MULTI: internal route 192.168.1.0/24 -> tomek_itm/77.114.12.156:59867
Tue Feb  7 01:04:10 2017 us=84869 tomek_itm/77.114.12.156:59867 MULTI: Learn: 192.168.1.0/24 -> tomek_itm/77.114.12.156:59867
Tue Feb  7 01:04:10 2017 us=84889 tomek_itm/77.114.12.156:59867 REMOVE PUSH ROUTE: 'route 192.168.1.0 255.255.255.0'
Tue Feb  7 01:04:11 2017 us=94447 tomek_itm/77.114.12.156:59867 PUSH: Received control message: 'PUSH_REQUEST'
Tue Feb  7 01:04:11 2017 us=94557 tomek_itm/77.114.12.156:59867 SENT CONTROL [tomek_itm]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,topology subnet,route-gateway 172.16.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.0.5 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
Tue Feb  7 01:04:11 2017 us=94592 tomek_itm/77.114.12.156:59867 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Tue Feb  7 01:04:11 2017 us=94787 tomek_itm/77.114.12.156:59867 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Feb  7 01:04:11 2017 us=94825 tomek_itm/77.114.12.156:59867 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Feb  7 01:04:19 2017 us=210784 94.254.227.198:19854 VERIFY OK: depth=1, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=TomaszLewandowski, CN=Tomasz Lewandowski CA, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Feb  7 01:04:19 2017 us=211232 94.254.227.198:19854 VERIFY OK: depth=0, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=TomaszLewandowski, CN=tomek_wrt160nl, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Feb  7 01:04:19 2017 us=258023 94.254.227.198:19854 peer info: IV_VER=2.3.6
Tue Feb  7 01:04:19 2017 us=258091 94.254.227.198:19854 peer info: IV_PLAT=linux
Tue Feb  7 01:04:19 2017 us=258110 94.254.227.198:19854 peer info: IV_PROTO=2
Tue Feb  7 01:04:19 2017 us=258129 94.254.227.198:19854 NOTE: Options consistency check may be skewed by version differences
Tue Feb  7 01:04:19 2017 us=258154 94.254.227.198:19854 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Tue Feb  7 01:04:19 2017 us=258174 94.254.227.198:19854 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
Tue Feb  7 01:04:19 2017 us=258192 94.254.227.198:19854 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1558'
Tue Feb  7 01:04:19 2017 us=258210 94.254.227.198:19854 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
Tue Feb  7 01:04:19 2017 us=258228 94.254.227.198:19854 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Tue Feb  7 01:04:19 2017 us=258246 94.254.227.198:19854 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-256-CBC'
Tue Feb  7 01:04:19 2017 us=258264 94.254.227.198:19854 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Tue Feb  7 01:04:19 2017 us=258320 94.254.227.198:19854 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 256'
Tue Feb  7 01:04:19 2017 us=258358 94.254.227.198:19854 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'
Tue Feb  7 01:04:19 2017 us=258388 94.254.227.198:19854 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Tue Feb  7 01:04:19 2017 us=258440 94.254.227.198:19854 WARNING: 'tls-client' is present in local config but missing in remote config, local='tls-client'
Tue Feb  7 01:04:19 2017 us=258648 94.254.227.198:19854 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Feb  7 01:04:19 2017 us=258690 94.254.227.198:19854 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  7 01:04:19 2017 us=258719 94.254.227.198:19854 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Feb  7 01:04:19 2017 us=258750 94.254.227.198:19854 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  7 01:04:19 2017 us=302192 94.254.227.198:19854 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Tue Feb  7 01:04:19 2017 us=302271 94.254.227.198:19854 [tomek_wrt160nl] Peer Connection Initiated with [AF_INET]94.254.227.198:19854
Tue Feb  7 01:04:19 2017 us=302340 tomek_wrt160nl/94.254.227.198:19854 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/tomek_wrt160nl
Tue Feb  7 01:04:19 2017 us=302464 tomek_wrt160nl/94.254.227.198:19854 MULTI_sva: pool returned IPv4=172.16.0.2, IPv6=(Not enabled)
Tue Feb  7 01:04:19 2017 us=302532 tomek_wrt160nl/94.254.227.198:19854 MULTI: Learn: 172.16.0.2 -> tomek_wrt160nl/94.254.227.198:19854
Tue Feb  7 01:04:19 2017 us=302553 tomek_wrt160nl/94.254.227.198:19854 MULTI: primary virtual IP for tomek_wrt160nl/94.254.227.198:19854: 172.16.0.2
Tue Feb  7 01:04:19 2017 us=302572 tomek_wrt160nl/94.254.227.198:19854 MULTI: internal route 192.168.1.0/24 -> tomek_wrt160nl/94.254.227.198:19854
Tue Feb  7 01:04:19 2017 us=302594 tomek_wrt160nl/94.254.227.198:19854 MULTI: Learn: 192.168.1.0/24 -> tomek_wrt160nl/94.254.227.198:19854
Tue Feb  7 01:04:19 2017 us=302614 tomek_wrt160nl/94.254.227.198:19854 REMOVE PUSH ROUTE: 'route 192.168.1.0 255.255.255.0'
Tue Feb  7 01:04:21 2017 us=442313 tomek_wrt160nl/94.254.227.198:19854 PUSH: Received control message: 'PUSH_REQUEST'
Tue Feb  7 01:04:21 2017 us=599149 tomek_wrt160nl/94.254.227.198:19854 SENT CONTROL [tomek_wrt160nl]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,topology subnet,route-gateway 172.16.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.0.2 255.255.255.0,peer-id 0' (status=1)
Tue Feb  7 01:04:57 2017 us=616271 MULTI: Learn: 192.168.1.2 -> tomek_wrt160nl/94.254.227.198:19854
Tue Feb  7 01:06:44 2017 us=85495 MULTI: Learn: 192.168.1.2 -> tomek_wrt160nl/94.254.227.198:19854
Tue Feb  7 01:06:59 2017 us=186605 MULTI: multi_create_instance called
Tue Feb  7 01:06:59 2017 us=186713 94.254.227.101:45024 Re-using SSL/TLS context
Tue Feb  7 01:06:59 2017 us=186737 94.254.227.101:45024 LZO compression initializing
Tue Feb  7 01:06:59 2017 us=186943 94.254.227.101:45024 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Tue Feb  7 01:06:59 2017 us=186970 94.254.227.101:45024 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Feb  7 01:06:59 2017 us=187026 94.254.227.101:45024 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue Feb  7 01:06:59 2017 us=187045 94.254.227.101:45024 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue Feb  7 01:06:59 2017 us=187094 94.254.227.101:45024 TLS: Initial packet from [AF_INET]94.254.227.101:45024, sid=3234fead 049a5373
Tue Feb  7 01:06:59 2017 us=215260 94.254.227.101:45024 PID_ERR replay-window backtrack occurred [1] [TLS_WRAP-0] [0_0] 1486426019:3 1486426019:2 t=1486426019[0] r=[0,64,15,1,1] sl=[61,3,64,528]
Tue Feb  7 01:06:59 2017 us=385036 94.254.227.101:45024 VERIFY OK: depth=1, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=TomaszLewandowski, CN=Tomasz Lewandowski CA, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Feb  7 01:06:59 2017 us=385473 94.254.227.101:45024 VERIFY OK: depth=0, C=PL, ST=mazowieckie, L=Warsaw, O=Tomasz Lewandowski, OU=TomaszLewandowski, CN=tomek_sgcpt, name=server, emailAddress=tomasz.lewandowski@mail.com
Tue Feb  7 01:06:59 2017 us=412219 94.254.227.101:45024 peer info: IV_GUI_VER=net.openvpn.connect.android_1.1.17-76
Tue Feb  7 01:06:59 2017 us=412252 94.254.227.101:45024 peer info: IV_VER=3.0.12
Tue Feb  7 01:06:59 2017 us=412270 94.254.227.101:45024 peer info: IV_PLAT=android
Tue Feb  7 01:06:59 2017 us=412286 94.254.227.101:45024 peer info: IV_NCP=2
Tue Feb  7 01:06:59 2017 us=412303 94.254.227.101:45024 peer info: IV_TCPNL=1
Tue Feb  7 01:06:59 2017 us=412319 94.254.227.101:45024 peer info: IV_PROTO=2
Tue Feb  7 01:06:59 2017 us=412334 94.254.227.101:45024 peer info: IV_LZO=1
Tue Feb  7 01:06:59 2017 us=435478 94.254.227.101:45024 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Feb  7 01:06:59 2017 us=435526 94.254.227.101:45024 [tomek_sgcpt] Peer Connection Initiated with [AF_INET]94.254.227.101:45024
Tue Feb  7 01:06:59 2017 us=435590 tomek_sgcpt/94.254.227.101:45024 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/tomek_sgcpt
Tue Feb  7 01:06:59 2017 us=435756 tomek_sgcpt/94.254.227.101:45024 MULTI: Learn: 172.16.0.4 -> tomek_sgcpt/94.254.227.101:45024
Tue Feb  7 01:06:59 2017 us=435781 tomek_sgcpt/94.254.227.101:45024 MULTI: primary virtual IP for tomek_sgcpt/94.254.227.101:45024: 172.16.0.4
Tue Feb  7 01:06:59 2017 us=435801 tomek_sgcpt/94.254.227.101:45024 MULTI: internal route 192.168.1.0/24 -> tomek_sgcpt/94.254.227.101:45024
Tue Feb  7 01:06:59 2017 us=435823 tomek_sgcpt/94.254.227.101:45024 MULTI: Learn: 192.168.1.0/24 -> tomek_sgcpt/94.254.227.101:45024
Tue Feb  7 01:06:59 2017 us=435843 tomek_sgcpt/94.254.227.101:45024 REMOVE PUSH ROUTE: 'route 192.168.1.0 255.255.255.0'
Tue Feb  7 01:06:59 2017 us=435991 tomek_sgcpt/94.254.227.101:45024 PUSH: Received control message: 'PUSH_REQUEST'
Tue Feb  7 01:06:59 2017 us=436044 tomek_sgcpt/94.254.227.101:45024 SENT CONTROL [tomek_sgcpt]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,topology subnet,route-gateway 172.16.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.0.4 255.255.255.0,peer-id 2,cipher AES-256-GCM' (status=1)
Tue Feb  7 01:06:59 2017 us=436074 tomek_sgcpt/94.254.227.101:45024 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Tue Feb  7 01:06:59 2017 us=436189 tomek_sgcpt/94.254.227.101:45024 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Feb  7 01:06:59 2017 us=436209 tomek_sgcpt/94.254.227.101:45024 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Feb  7 01:07:08 2017 us=229589 MULTI: Learn: 192.168.1.2 -> tomek_sgcpt/94.254.227.101:45024
Tue Feb  7 01:07:12 2017 us=220696 tomek_sgcpt/94.254.227.101:45024 SIGTERM[soft,remote-exit] received, client-instance exiting

43

Re: OpenVPN configuration

I think I have solved the problem, partly by trial and error, but in the end I relied on this manual:
OpenVPN HowTo

and I removed the iroute line from the files in the /etc/openvpn/ccd directory, except for the file of the VPN client sitting in the LAN (the OpenWrt one):

tomek_itm
::::::::::::::
ifconfig-push 172.16.0.5 255.255.255.0

::::::::::::::
tomek_sgcpt
::::::::::::::
ifconfig-push 172.16.0.4 255.255.255.0

::::::::::::::
tomek_vostro
::::::::::::::
ifconfig-push 172.16.0.3 255.255.255.0

::::::::::::::
tomek_wrt160nl
::::::::::::::
ifconfig-push 172.16.0.2 255.255.255.0
iroute 192.168.1.0 255.255.255.0

Additionally, after that reading I also changed the configs for the server and the client.

Server config:

port 1194
proto udp
dev tun
mode server
tls-server

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key
cipher AES-256-CBC

server 172.16.0.0 255.255.255.0
ifconfig 172.16.0.1 255.255.255.0
topology subnet
client-config-dir /etc/openvpn/ccd
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

#push "route-gateway 172.16.0.1"
#push "redirect-gateway def1"
push "topology subnet"

keepalive 10 120
comp-lzo yes
push "comp-lzo yes"
user nobody
group nogroup
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
log /etc/openvpn/openvpn.log

verb 3

and for the client:

config openvpn 'tomek_wrt160nl'
        option enabled '1'
        option dev 'tun'
        option proto 'udp'
        option cipher 'AES-256-CBC'
        option log '/tmp/openvpn.log'
        option verb '4'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/tomek_wrt160nl.crt'
        option key '/etc/openvpn/tomek_wrt160nl.key'
        option tls_auth '/etc/openvpn/ta.key'
        option client '1'
        option remote_cert_tls 'server'
        option remote 'XXX.XXX.XXX.XXX 1194'
        option comp_lzo 'adaptive'
        option log '/etc/openvpn/openvpn.log'

And now, when I connect with a VPN client, I no longer lose the connection to my LAN. Khain, thank you once again for your support.

44 (edited by khain 2017-02-07 09:15:44)

Re: OpenVPN configuration

So you implemented the configuration I gave you incorrectly. You add the iroute option only to the client behind which that subnet sits, not to all clients. That is exactly why you were losing the route to that subnet.

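An added check for the mistake khain describes (this is example code written for this thread, not anything posted by its participants): it flags a subnet whose iroute appears in more than one ccd file, either from the ccd contents themselves or from the server's "MULTI: internal route" log lines. The ccd contents and the log excerpt are constructed samples modelled on the posts above; the "before" state is what the log implies, not a file anyone posted.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample ccd contents. BEFORE: the state implied by the log (every
# client claims 192.168.1.0/24). AFTER: the corrected files from post 43.
CCD_BEFORE = {
    "tomek_itm": "ifconfig-push 172.16.0.5 255.255.255.0\niroute 192.168.1.0 255.255.255.0\n",
    "tomek_sgcpt": "ifconfig-push 172.16.0.4 255.255.255.0\niroute 192.168.1.0 255.255.255.0\n",
    "tomek_wrt160nl": "ifconfig-push 172.16.0.2 255.255.255.0\niroute 192.168.1.0 255.255.255.0\n",
}
CCD_AFTER = {
    "tomek_itm": "ifconfig-push 172.16.0.5 255.255.255.0\n",
    "tomek_sgcpt": "ifconfig-push 172.16.0.4 255.255.255.0\n",
    "tomek_wrt160nl": "ifconfig-push 172.16.0.2 255.255.255.0\niroute 192.168.1.0 255.255.255.0\n",
}
# Constructed log excerpt in the format of the thread's server log (verb 4).
LOG_LINES = [
    "tomek_itm/77.114.12.156:59867 MULTI: internal route 192.168.1.0/24 -> tomek_itm/77.114.12.156:59867",
    "tomek_wrt160nl/94.254.227.198:19854 MULTI: internal route 192.168.1.0/24 -> tomek_wrt160nl/94.254.227.198:19854",
    "tomek_sgcpt/94.254.227.101:45024 MULTI: internal route 192.168.1.0/24 -> tomek_sgcpt/94.254.227.101:45024",
]

IROUTE_RE = re.compile(r"^\s*iroute\s+(\S+)\s+(\S+)")
LOG_RE = re.compile(r"MULTI: internal route (\S+) -> ([^/\s]+)/")


def _conflicts(by_net):
    """Keep only subnets claimed by two or more clients (client names sorted)."""
    return {net: sorted(c) for net, c in by_net.items() if len(c) > 1}


def ccd_conflicts(ccd):
    """Subnets whose iroute appears in more than one ccd file.

    'iroute 192.168.1.0 255.255.255.0' is normalised to '192.168.1.0/24' so
    it compares directly with what the server log prints."""
    by_net = defaultdict(set)
    for client, text in ccd.items():
        for line in text.splitlines():
            m = IROUTE_RE.match(line)
            if m:
                net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
                by_net[str(net)].add(client)
    return _conflicts(by_net)


def log_conflicts(lines):
    """Same check from 'MULTI: internal route <net> -> <client>/<addr>' lines."""
    by_net = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            by_net[m[1]].add(m[2])
    return _conflicts(by_net)
```

A non-empty result means the server's internal routing for that subnet moves to whichever of the listed clients connected last, which is the symptom reported in this thread.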

45

Re: OpenVPN configuration

khain wrote:

So you implemented the configuration I gave you incorrectly. You add the iroute option only to the client behind which that subnet sits, not to all clients. That is exactly why you were losing the route to that subnet.

Exactly. The main thing is that it finally works. As you can see, you have to read and read and not give up. Everything is hard before it becomes easy :)

What I will still do is change my subnet from 192.168.1.0 to something less common. Personally, I recommend this solution to anyone who connects to the internet over LTE without a public IP. A VPS costs about 9 PLN a month, and thanks to it we have permanent access to our resources. And I also want to get ownCloud running on my Debian.

Regards

46

Re: OpenVPN configuration

Khain, I have one more question. I removed the "route_nopull" option from the router's configuration, but traffic from the LAN to the internet still bypasses the VPN. At least that is how it looks to me when I inspect the routing table on that router. The question is: how do I check whether traffic from the LAN to the internet goes through the VPN or directly? traceroute gives me something like this:

# traceroute www.onet.pl
traceroute to www.onet.pl (213.180.141.140), 30 hops max, 60 byte packets
 1  OpenWrt.lan (192.168.1.1)  0.373 ms  0.402 ms  0.469 ms
 2  * * *
 3  * * *
 4  89.108.200.2 (89.108.200.2)  27.748 ms  26.758 ms  28.258 ms
 5  89.108.200.83 (89.108.200.83)  28.704 ms  26.960 ms  31.789 ms
 6  onet.thinx.pl (212.91.0.86)  37.248 ms  37.194 ms  42.361 ms
 7  sdr1.m10r2.z.j.ruc-br1.link4.net.onet.pl (213.180.152.143)  43.484 ms  32.363 ms sdr1.m10r2.z.j.ruc-br1.link2.net.onet.pl (213.180.152.139)  31.373 ms
 8  * * *
 9  * * *
...
30  * * *
#

47

Re: OpenVPN configuration

Because in the server config you have these commented out:

#push "route-gateway 172.16.0.1"
#push "redirect-gateway def1"