Subject: Problem with OpenVPN (TAP) - it does not assign IP addresses
Hello everyone.
I am new to the forum and would like to ask for help configuring my VPN.
I have a TP-Link TL-WR1043ND V4 router with LEDE Reboot 17.01.4 r3560 installed and a static public IP assigned.
I configured OpenVPN step by step following the guide: https://eko.one.pl/?p=openwrt-openvpn
The connection is established, but warnings appear and the computer is not assigned any IP addressing.
I tried on different links, both Orange GSM and UPC.
Log from the OpenVPN client run with Administrator privileges on Windows 8.1 x64:
I have put the warnings in bold.
[b]Sun Nov 26 19:22:16 2017 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode[/b]
Sun Nov 26 19:22:16 2017 OpenVPN 2.4.4 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Sun Nov 26 19:22:16 2017 Windows version 6.2 (Windows 8 or greater) 32bit
Sun Nov 26 19:22:16 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Sun Nov 26 19:22:16 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Nov 26 19:22:16 2017 Need hold release from management interface, waiting...
Sun Nov 26 19:22:17 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Nov 26 19:22:17 2017 MANAGEMENT: CMD 'state on'
Sun Nov 26 19:22:17 2017 MANAGEMENT: CMD 'log all on'
Sun Nov 26 19:22:17 2017 MANAGEMENT: CMD 'echo all on'
Sun Nov 26 19:22:17 2017 MANAGEMENT: CMD 'hold off'
Sun Nov 26 19:22:17 2017 MANAGEMENT: CMD 'hold release'
Sun Nov 26 19:22:17 2017 Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
[b]Sun Nov 26 19:22:17 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).[/b]
Sun Nov 26 19:22:17 2017 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 26 19:22:17 2017 Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
[b]Sun Nov 26 19:22:17 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).[/b]
Sun Nov 26 19:22:17 2017 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 26 19:22:17 2017 interactive service msg_channel=0
Sun Nov 26 19:22:17 2017 open_tun
Sun Nov 26 19:22:17 2017 TAP-WIN32 device [Połączenie lokalne] opened: \\.\Global\{D705AD05-ED86-43E5-A3FD-678CB3ED1BA5}.tap
Sun Nov 26 19:22:17 2017 TAP-Windows Driver Version 9.21
Sun Nov 26 19:22:17 2017 Successful ARP Flush on interface [17] {D705AD05-ED86-43E5-A3FD-678CB3ED1BA5}
Sun Nov 26 19:22:17 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]83.12.60.XXX:1194
Sun Nov 26 19:22:17 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Nov 26 19:22:17 2017 UDP link local: (not bound)
Sun Nov 26 19:22:17 2017 UDP link remote: [AF_INET]83.12.60.XXX:1194
Sun Nov 26 19:22:27 2017 Peer Connection Initiated with [AF_INET]83.12.60.XXX:1194
Sun Nov 26 19:22:33 2017 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
[b]Sun Nov 26 19:22:33 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this[/b]
Sun Nov 26 19:22:33 2017 Initialization Sequence Completed
Sun Nov 26 19:22:33 2017 MANAGEMENT: >STATE:1511720553,CONNECTED,SUCCESS,,83.12.60.XXX,1194,,

I also disabled comp_lzo on the client, but then the VPN did not even start establishing a connection - I was going by https://eko.one.pl/forum/viewtopic.php?id=10275.
Below are dumps of everything that

/etc/config/network
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ip6assign '60'
option ipaddr '10.10.10.1'
option netmask '255.255.255.192'
option gateway '10.10.10.1'
option dns '10.10.10.1'

/etc/openvpn/my-conf.conf
port 1194
proto udp
dev tap0
keepalive 10 120
status /tmp/openvpn-status.log
verb 3
secret /etc/openvpn/secret.key

ifconfig
br-lan Link encap:Ethernet HWaddr D4:6E:0E:9F:9E:2C
inet addr:10.10.10.1 Bcast:10.10.10.63 Mask:255.255.255.192
inet6 addr: fe80::d66e:eff:fe9f:9e2c/64 Scope:Link
inet6 addr: fdc3:6fdd:6f69::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14928 errors:0 dropped:0 overruns:0 frame:0
TX packets:17931 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1521429 (1.4 MiB) TX bytes:10493159 (10.0 MiB)
eth0 Link encap:Ethernet HWaddr D4:6E:0E:9F:9E:2C
inet6 addr: fe80::d66e:eff:fe9f:9e2c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:29466 errors:0 dropped:0 overruns:0 frame:0
TX packets:27938 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11406395 (10.8 MiB) TX bytes:11791170 (11.2 MiB)
Interrupt:4
eth0.1 Link encap:Ethernet HWaddr D4:6E:0E:9F:9E:2C
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14982 errors:0 dropped:54 overruns:0 frame:0
TX packets:17931 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1531527 (1.4 MiB) TX bytes:10493159 (10.0 MiB)
eth0.2 Link encap:Ethernet HWaddr D4:6E:0E:9F:9E:2D
inet addr:83.12.60.XXX Bcast:83.12.60.231 Mask:255.255.255.248
inet6 addr: fe80::d66e:eff:fe9f:9e2d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14483 errors:0 dropped:0 overruns:0 frame:0
TX packets:9997 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9344424 (8.9 MiB) TX bytes:1185243 (1.1 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:1592 (1.5 KiB) TX bytes:1592 (1.5 KiB)
wlan0 Link encap:Ethernet HWaddr D4:6E:0E:9F:9E:2C
inet6 addr: fe80::d66e:eff:fe9f:9e2c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:45 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:7485 (7.3 KiB)

DHCP
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
option nonwildcard '0'
config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option start '40'
option limit '60'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
config host
option name 'samba'
option mac '00:02:44:52:ff:f8'
option ip '10.10.10.2'
option tag 'samba'
config host
option name 'ksiegowosc'
option mac '00:1c:c4:d6:6c:a1'
option ip '10.10.10.17'
option tag 'ksiegowosc'

Firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule
option name 'ssh'
option src 'wan'
option target 'ACCEPT'
option proto 'tcp'
option dest_port '22'
config rule
option _name 'openvpn'
option src 'wan'
option target 'ACCEPT'
option proto 'udp'
option dest_port '1194'

A big THANK YOU in advance for your help!