1 (edited by aro84 2017-08-24 13:00:04)

Topic: Cannot connect with the openvpn client (lede 17.01) (TL-WR1043ND V4)

Hello,
The problem is as follows. The client connects to the server every few seconds and then drops the connection.
Several other clients (raspberry pi) are connected to the server, and in their case there is no problem establishing a connection.
Here are the logs:

Client

Thu Aug 24 13:21:08 2017 daemon.notice openvpn(lede)[7632]: OpenVPN 2.4.3 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Aug 24 13:21:08 2017 daemon.notice openvpn(lede)[7632]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Thu Aug 24 13:21:08 2017 daemon.warn openvpn(lede)[7632]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Aug 24 13:21:08 2017 daemon.notice openvpn(lede)[7632]: TCP/UDP: Preserving recently used remote address: [AF_INET]XX.X.XXX.XXX:1194
Thu Aug 24 13:21:08 2017 daemon.notice openvpn(lede)[7632]: UDP link local: (not bound)
Thu Aug 24 13:21:08 2017 daemon.notice openvpn(lede)[7632]: UDP link remote: [AF_INET]XX.X.XXX.XXX:1194
Thu Aug 24 13:21:09 2017 daemon.notice openvpn(lede)[7632]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=server, emailAddress=me@myhost.mydomain
Thu Aug 24 13:21:09 2017 daemon.notice openvpn(lede)[7632]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=server, emailAddress=me@myhost.mydomain
Thu Aug 24 13:21:10 2017 daemon.warn openvpn(lede)[7632]: WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Thu Aug 24 13:21:10 2017 daemon.notice openvpn(lede)[7632]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Aug 24 13:21:10 2017 daemon.notice openvpn(lede)[7632]: [server] Peer Connection Initiated with [AF_INET]XX.X.XXX.XXX:1194
Thu Aug 24 13:21:12 2017 daemon.notice openvpn(lede)[7632]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug 24 13:21:12 2017 daemon.warn openvpn(lede)[7632]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Thu Aug 24 13:21:12 2017 daemon.notice openvpn(lede)[7632]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 24 13:21:12 2017 daemon.notice openvpn(lede)[7632]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug 24 13:21:12 2017 daemon.warn openvpn(lede)[7632]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Thu Aug 24 13:21:12 2017 daemon.notice openvpn(lede)[7632]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 24 13:21:12 2017 daemon.warn openvpn(lede)[7632]: WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Thu Aug 24 13:21:12 2017 daemon.warn openvpn(lede)[7632]: WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
Thu Aug 24 13:21:12 2017 daemon.notice openvpn(lede)[7632]: TUN/TAP device tun0 opened
Thu Aug 24 13:21:12 2017 daemon.notice openvpn(lede)[7632]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Aug 24 13:21:12 2017 daemon.notice openvpn(lede)[7632]: /sbin/ifconfig tun0 10.8.0.6 pointopoint 255.255.255.0 mtu 1500
Thu Aug 24 13:21:12 2017 daemon.err openvpn(lede)[7632]: Linux ifconfig failed: external program exited with error status: 1

Server (logs concerning only this client)

Thu Aug 24 13:30:42 2017 XX.XXX.XXX.XX:62568 VERIFY OK: depth=0, C=pl, ST=mz, L=xxxxxxx, O=na, OU=na, CN=lede, name=server, emailAddress=xxxxxxx@gmail.com
Thu Aug 24 13:30:42 2017 XX.XXX.XXX.XX:62568 [lede] Peer Connection Initiated with [AF_INET]XX.XXX.XXX.XX:62568
Thu Aug 24 13:30:42 2017 MULTI: new connection by client 'lede' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Thu Aug 24 13:30:42 2017 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/staticclients/lede
Thu Aug 24 13:30:42 2017 MULTI: Learn: 10.8.0.6 -> lede/XX.XXX.XXX.XX:62568
Thu Aug 24 13:30:42 2017 MULTI: primary virtual IP for lede/XX.XXX.XXX.XX:62568: 10.8.0.6
Thu Aug 24 13:30:43 2017 lede/XX.XXX.XXX.XX:62568 PUSH: Received control message: 'PUSH_REQUEST'
Thu Aug 24 13:30:43 2017 lede/XX.XXX.XXX.XX:62568 send_push_reply(): safe_cap=940
Thu Aug 24 13:30:43 2017 lede/XX.XXX.XXX.XX:62568 SENT CONTROL [lede]: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 255.255.255.0' (status=1)

The configuration looks as follows:

Server

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/staticclients
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 3
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 10.8.0.0 255.255.255.0"

Client

config openvpn 'lede'
        option nobind '1'
        option client '1'
        option comp_lzo 'yes'
        option dev 'tun'
        option proto 'udp'
        option persist_tun '1'
        option persist_key '1'
        option verb '2'
        list remote 'XX.X.XXX.XXX 1194'
        option auth_nocache '1'
        option key_direction '1'
        option ca '/etc/easy-rsa/keys/ca.crt'
        option cert '/etc/easy-rsa/keys/lede.crt'
        option key '/etc/easy-rsa/keys/lede.key'
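
The client log above carries several warnings that are worth turning into automated checks rather than reading by eye: the missing server-certificate verification method, the 64-bit block cipher (SWEET32), and the `ifconfig` call whose second argument the daemon itself says "looks more like a netmask", while the server's PUSH_REPLY shows `topology net30` together with `ifconfig 10.8.0.6 255.255.255.0`. The script below is an added example, not code from the forum post or from the OpenVPN project. It parses constructed, abridged copies of those log lines, extracts the pushed options, and checks that an `ifconfig` pair is a valid net30 pair (with `topology net30` each client owns a /30, and both endpoints must be that block's two usable host addresses). The finding names, the helper names and the sample lines are assumptions made for this example.

```python
"""Audit OpenVPN client/server log lines for configuration-health issues.

Added example for the thread above; not the poster's or OpenVPN's code.
Sample lines are constructed from (and abridged relative to) the quoted logs.
"""
import ipaddress
import re

# Constructed sample: abridged client log lines from the post.
CLIENT_LOG = [
    "WARNING: No server certificate verification method has been enabled.",
    "Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key",
    "WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.",
    "/sbin/ifconfig tun0 10.8.0.6 pointopoint 255.255.255.0 mtu 1500",
    "Linux ifconfig failed: external program exited with error status: 1",
]

# Constructed sample: the server's PUSH_REPLY line from the post.
SERVER_PUSH = (
    "SENT CONTROL [lede]: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,"
    "route 10.8.0.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,"
    "ifconfig 10.8.0.6 255.255.255.0' (status=1)"
)


def looks_like_netmask(addr):
    """True if the dotted quad is a contiguous netmask such as 255.255.255.0."""
    try:
        value = int(ipaddress.IPv4Address(addr))
    except ipaddress.AddressValueError:
        return False
    inverted = (~value) & 0xFFFFFFFF
    # A contiguous mask inverted is 2**k - 1, i.e. a run of ones with no gaps.
    return value != 0 and (inverted & (inverted + 1)) == 0


def valid_net30_pair(local, remote):
    """With 'topology net30' a client owns a /30: local and remote must be its two usable hosts."""
    try:
        a, b = ipaddress.IPv4Address(local), ipaddress.IPv4Address(remote)
    except ipaddress.AddressValueError:
        return False
    if a == b:
        return False
    block = ipaddress.IPv4Network(f"{a}/30", strict=False)
    hosts = set(block.hosts())  # excludes the /30's network and broadcast addresses
    return a in hosts and b in hosts


def parse_push_reply(line):
    """Split the option list of a logged PUSH_REPLY into {option: [[args...], ...]}."""
    match = re.search(r"'PUSH_REPLY,(.*?)'", line)
    if not match:
        return {}
    options = {}
    for item in match.group(1).split(","):
        parts = item.split()
        options.setdefault(parts[0], []).append(parts[1:])
    return options


def audit(client_log, server_push_line):
    """Return a sorted list of finding identifiers (names chosen for this example)."""
    findings = set()
    for line in client_log:
        if "No server certificate verification method" in line:
            findings.add("no-remote-cert-tls")       # mitigation: remote-cert-tls server
        elif "Cipher 'BF-CBC'" in line or "INSECURE cipher" in line:
            findings.add("sweet32-cipher")           # mitigation: a 128-bit block cipher, e.g. AES-256-CBC
        elif line.startswith("/sbin/ifconfig") and "pointopoint" in line:
            peer = line.split("pointopoint")[1].split()[0]
            if looks_like_netmask(peer):
                findings.add("ifconfig-peer-is-netmask")
    pushed = parse_push_reply(server_push_line)
    topology = pushed.get("topology", [["net30"]])[0][0]  # OpenVPN's default topology is net30
    for args in pushed.get("ifconfig", []):
        if topology == "net30" and (len(args) != 2 or not valid_net30_pair(*args)):
            findings.add("bad-net30-ifconfig-push")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(CLIENT_LOG, SERVER_PUSH):
        print(finding)
```

Run it as-is to see the four findings the sample lines produce; to use it on a real router, replace the constructed lists with lines read from `logread` (client side) and the server's `openvpn.log`. The net30 check is the one that explains the failed `ifconfig` call: `valid_net30_pair("10.8.0.6", "10.8.0.5")` is true, while `valid_net30_pair("10.8.0.6", "255.255.255.0")` is false because the second value is a mask, not a peer endpoint.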

2

Re: Cannot connect with the openvpn client (lede 17.01) (TL-WR1043ND V4)

Don't you have something else on the client, another tunnel, the same addressing, etc.?

Thu Aug 24 13:21:12 2017 daemon.err openvpn(lede)[7632]: Linux ifconfig failed: external program exited with error status: 1

ifconfig cannot be executed or is crashing. Show

ls -al /sbin/ifconfig

Have a router you don't need, broken or not - I'll gladly take it in.

3

Re: Cannot connect with the openvpn client (lede 17.01) (TL-WR1043ND V4)

I also forgot to add that each client has different certificates, and it is just this one client on lede that generates more than one session.

It's a freshly installed system and I went straight to configuring openvpn.

root@LEDE:~# ls -al /sbin/ifconfig
lrwxrwxrwx    1 root     root            14 Aug  9 23:20 /sbin/ifconfig -> ../bin/busybox