1 (edytowany przez djmysia 2021-01-14 23:19:42)

Temat: Openvpn działało i przestało

Przez chwilę działało super, a po restarcie routera już nie działa, tzn. klient się łączy, dostaje IP 10.8.0.2, ale nie mogę pingować 192.168.1.1. Co może być przyczyną? Zewnętrzne adresy IP w poniższych zrzutach zostały zmienione na inne.

Wersja OpenWrt SNAPSHOT, r15474-b1150de9e4


Firewall

root@OpenWrt:~# cat /etc/config/firewall

# /etc/config/firewall as pasted in the original post. Lines starting with
# NOTE(review) are reviewer observations; every option is the original one.

# Router's own policy: accept input/output, reject forwarding unless a zone
# or forwarding section below allows it.
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

# LAN zone: unrestricted in every direction.
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

# WAN zone: inbound to the router is rejected except for the explicit rules
# and redirects below; traffic leaving through wan is masqueraded.
config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

# The rules from Allow-DHCP-Renew through Support-UDP-Traceroute match the
# stock OpenWrt defaults; nothing in the thread points at them.
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

# wan -> lan pass-through for IPsec (ESP and IKE on UDP/500). Only matters
# if something on the LAN actually terminates IPsec.
config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option name 'Support-UDP-Traceroute'
    option src 'wan'
    option dest_port '33434:33689'
    option proto 'udp'
    option family 'ipv4'
    option target 'REJECT'
    option enabled 'false'

# NOTE(review): /etc/firewall.user is not shown in the thread; any raw
# iptables rules it adds are applied on top of this file and could affect
# the VPN traffic being debugged.
config include
    option path '/etc/firewall.user'

# NOTE(review): 192.168.1.1 is this router's own LAN address (see the
# network config below), so despite the name this forwards WAN port 80 to
# the router's own web UI (LuCI) over plain HTTP -- the admin login is
# published to the whole internet. With the VPN in place LuCI is reachable
# through the tunnel, so this redirect should be removed, or at minimum
# limited with src_ip to a known address. (Presumably the OpenWrt box
# itself is the "Xiaomi" device -- confirm.)
config redirect
    option target 'DNAT'
    option src 'wan'
    option src_dport '80'
    option dest 'lan'
    option dest_ip '192.168.1.1'
    option dest_port '80'
    option name 'Xiaomi'

# NOTE(review): WAN ports 81 and 2222 go to the web UI and SSH of a second
# router at 192.168.1.2 (named Tp-Link / Gargoyle). Same concern as above:
# management interfaces exposed to the internet that the VPN makes
# unnecessary.
config redirect
    option target 'DNAT'
    option name 'Tp-Link'
    option src 'wan'
    option src_dport '81'
    option dest 'lan'
    option dest_ip '192.168.1.2'
    option dest_port '81'

config redirect
    option target 'DNAT'
    option name 'Gargoyle ssh'
    option src 'wan'
    option dest 'lan'
    option dest_port '2222'
    option dest_ip '192.168.1.2'
    option src_dport '2222'

# NOTE(review): WAN port 22 to 192.168.1.1 is the router's own SSH
# (dropbear) exposed to the internet. Remove it and use SSH over the VPN;
# if it has to stay, restrict it with src_ip and use key-only login.
config redirect
    option target 'DNAT'
    option name 'Xiaomi ssh'
    option src 'wan'
    option src_dport '22'
    option dest 'lan'
    option dest_ip '192.168.1.1'
    option dest_port '22'

# Accept OpenVPN handshakes from the internet on UDP/1194 (matches the
# server config). NOTE(review): this rule is defined twice -- see the
# 'OpenVPN' rule further down -- and '_name' (with the underscore) is not
# the 'name' option the other rules use, so this copy shows up unnamed.
# Delete one of the two.
config rule
    option _name 'openvpn'
    option src 'wan'
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '1194'

# Zone for tun0 (interface 'vpn' in the network config). input ACCEPT is
# what lets a VPN client reach the router itself -- LuCI, SSH and ping to
# 192.168.1.1 are INPUT on this zone, not forwarding, so the lan<->vpn
# forwardings do not influence the symptom described in post 2.
# NOTE(review): masq '1' here masquerades traffic leaving through tun0
# toward the clients; it is not needed for client -> LAN access and only
# matters for LAN-initiated traffic to VPN clients (which no forwarding
# allows in this config anyway). The responder's zone in post 3 has no masq.
config zone
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option network 'vpn'
    option masq '1'

# VPN clients -> internet through this router (masqueraded by the wan zone).
config forwarding
    option src 'vpn'
    option dest 'wan'

# Duplicate of the '_name openvpn' rule above; keep this one, it has the
# proper 'name' option.
config rule
    option name 'OpenVPN'
    option target 'ACCEPT'
    option src 'wan'
    option proto 'udp'
    option dest_port '1194'

# VPN clients -> LAN hosts. There is no lan -> vpn forwarding in this
# config, so LAN hosts cannot open connections to VPN clients; post 3 adds it.
config forwarding
    option src 'vpn'
    option dest 'lan'

Network

root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as pasted in the original post.
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option packet_steering '1'
    option ula_prefix 'fd11:1fc3:d4cc::/48'

# LAN bridge over the two switch ports, 192.168.1.0/24 -- the subnet pushed
# to VPN clients as a route (see the openvpn config). The router itself is
# 192.168.1.1, which is also the dest_ip of two WAN port-forwards in the
# firewall config.
config interface 'lan'
    option type 'bridge'
    option ifname 'lan1 lan2'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option ifname 'wan'
    option proto 'dhcp'

# NOTE(review): the WAN MAC override and the ULA prefix above are device
# identifiers; harmless for this thread, but usually worth masking in a
# public post together with the WAN IP.
config device 'wan_wan_dev'
    option name 'wan'
    option macaddr '84:16:F9:9B:A5:75'

config interface 'wan6'
    option ifname 'wan'
    option proto 'dhcpv6'

# Unmanaged wrapper around the OpenVPN tun0 device; it exists so the
# firewall can place tun0 in the 'vpn' zone. 'proto none' means netifd does
# not configure the address -- OpenVPN's 'server' directive does.
config interface 'vpn'
    option ifname 'tun0'
    option proto 'none'

Openvpn

root@OpenWrt:~# cat /etc/config/openvpn

# OpenVPN server instance 'home' (/etc/config/openvpn) as pasted in the
# original post; each option/list entry maps to one openvpn directive.
config openvpn 'home'
    option enabled '1'
    option dev 'tun0'
    option port '1194'
    option proto 'udp'
    option log '/tmp/openvpn.log'
    option verb '3'
    # PKI: CA, server certificate and private key.
    # NOTE(review): serwer.key must stay readable by root only (0600);
    # file permissions are not visible in the post.
    # NOTE(review): no tls-crypt / tls-auth key is configured, so UDP/1194
    # answers the TLS handshake of any host on the internet. A tls-crypt key
    # shared with the clients makes the port silent to scanners and
    # authenticates the control channel before the certificate check.
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/serwer.crt'
    option key '/etc/openvpn/serwer.key'
    # Tunnel pool 10.8.0.0/24 in subnet topology; matches the client log
    # (ifconfig 10.8.0.2 255.255.255.0, route-gateway 10.8.0.1).
    option server '10.8.0.0 255.255.255.0'
    option topology 'subnet'
    option dh '/etc/openvpn/dh.pem'
    # Route to the home LAN pushed to every client (visible in PUSH_REPLY in
    # the client log).
    list push 'route 192.168.1.0 255.255.255.0'
        # NOTE(review): this line is cut off in the paste (unterminated
        # quote), and the PUSH_REPLY in the client log carries no
        # redirect-gateway at all -- either the paste lost the rest of the
        # line or the real file is malformed and the option is silently
        # missing. Verify the file.
        list push 'redirect-gateway 
        # The client log shows the negotiated data cipher is AES-256-GCM, so
        # this CBC setting only acts as a fallback for peers that cannot
        # negotiate.
        option cipher 'AES-256-CBC'
        # NOTE(review): tunnel compression lets an attacker who can inject
        # plaintext into the tunnel recover secrets (the client log warns
        # about exactly this); drop 'compress' on both sides unless there is
        # a hard reason for it.
        option compress 'lz4'
        # Keep key material and the tun device across restarts. These two
        # are also what make dropping privileges workable.
        # NOTE(review): there is no 'user'/'group' option, so the daemon
        # keeps running as root on the router after startup; consider
        # option user 'nobody' and option group 'nogroup'.
        option persist_key '1'
        option persist_tun '1'

Klient OpenVPN (Windows)

 # OpenVPN client profile (Windows) from the original post. Comment lines are
 # reviewer notes; the directives are unchanged.
 client
    dev tun0
    proto udp
    # Server address -- a placeholder, the poster replaced the real public
    # IPs (the log below connects to a different placeholder).
    remote 46.100.120.139 1194
nobind
    # Requires the server certificate to carry the TLS server EKU, which is
    # what stops another client's certificate from being accepted as the
    # server (the log shows "VERIFY EKU OK"). Keep it.
    remote-cert-tls server
    verb 3
    ca ca.crt
    cert malgosia.crt
    key malgosia.key
# NOTE(review): data-channel compression is a known plaintext-recovery risk
# (the log prints a warning about it); remove it together with the
# server-side 'compress' option.
# NOTE(review): no tls-crypt / tls-auth line -- consistent with the server,
# but it means the control channel is unauthenticated until the certificate
# exchange completes.
compress lz4

    log openvpn.log

Log połączenia klienta OpenVPN (Windows)

2021-01-14 23:15:49 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2021-01-14 23:15:49 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2021-01-14 23:15:49 OpenVPN 2.5_rc2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 30 2020
2021-01-14 23:15:49 Windows version 10.0 (Windows 10 or greater) 64bit
2021-01-14 23:15:49 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
Enter Management Password:
2021-01-14 23:15:49 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2021-01-14 23:15:49 Need hold release from management interface, waiting...
2021-01-14 23:15:50 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
2021-01-14 23:15:50 MANAGEMENT: CMD 'state on'
2021-01-14 23:15:50 MANAGEMENT: CMD 'log all on'
2021-01-14 23:15:50 MANAGEMENT: CMD 'echo all on'
2021-01-14 23:15:50 MANAGEMENT: CMD 'bytecount 5'
2021-01-14 23:15:50 MANAGEMENT: CMD 'hold off'
2021-01-14 23:15:50 MANAGEMENT: CMD 'hold release'
2021-01-14 23:15:50 TCP/UDP: Preserving recently used remote address: [AF_INET]41.123.137.134:1194
2021-01-14 23:15:50 Socket Buffers: R=[65536->65536] S=[65536->65536]
2021-01-14 23:15:50 UDP link local: (not bound)
2021-01-14 23:15:50 UDP link remote: [AF_INET]41.123.137.134:1194
2021-01-14 23:15:50 MANAGEMENT: >STATE:1610662550,WAIT,,,,,,
2021-01-14 23:15:50 MANAGEMENT: >STATE:1610662550,AUTH,,,,,,
2021-01-14 23:15:50 TLS: Initial packet from [AF_INET]41.123.137.134:1194, sid=71393991 79542a29
2021-01-14 23:15:50 VERIFY KU OK
2021-01-14 23:15:50 Validating certificate extended key usage
2021-01-14 23:15:50 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-01-14 23:15:50 VERIFY EKU OK
2021-01-14 23:15:50 VERIFY OK: depth=0, CN=serwer
2021-01-14 23:15:50 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
2021-01-14 23:15:50 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
2021-01-14 23:15:50 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 2048 bit RSA
2021-01-14 23:15:50 [serwer] Peer Connection Initiated with [AF_INET]41.123.137.134:1194
2021-01-14 23:15:50 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ifconfig 10.8.0.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
2021-01-14 23:15:50 OPTIONS IMPORT: --ifconfig/up options modified
2021-01-14 23:15:50 OPTIONS IMPORT: route options modified
2021-01-14 23:15:50 OPTIONS IMPORT: route-related options modified
2021-01-14 23:15:50 OPTIONS IMPORT: peer-id set
2021-01-14 23:15:50 OPTIONS IMPORT: adjusting link_mtu to 1625
2021-01-14 23:15:50 OPTIONS IMPORT: data channel crypto options modified
2021-01-14 23:15:50 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-01-14 23:15:50 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-01-14 23:15:50 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-01-14 23:15:50 interactive service msg_channel=560
2021-01-14 23:15:50 ROUTE_GATEWAY 192.168.43.1/255.255.255.0 I=16 HWADDR=68:a8:6d:33:f2:0a
2021-01-14 23:15:50 open_tun
2021-01-14 23:15:50 tap-windows6 device [OpenVPN TAP-Windows6] opened
2021-01-14 23:15:50 TAP-Windows Driver Version 9.24 
2021-01-14 23:15:50 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]
2021-01-14 23:15:50 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {161E72E2-362F-480D-944F-62ABC92688C3} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
2021-01-14 23:15:50 Successful ARP Flush on interface [4] {161E72E2-362F-480D-944F-62ABC92688C3}
2021-01-14 23:15:50 MANAGEMENT: >STATE:1610662550,ASSIGN_IP,,10.8.0.2,,,,
2021-01-14 23:15:50 IPv4 MTU set to 1500 on interface 4 using service
2021-01-14 23:15:55 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
2021-01-14 23:15:55 MANAGEMENT: >STATE:1610662555,ADD_ROUTES,,,,,,
2021-01-14 23:15:55 C:\Windows\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.8.0.1
2021-01-14 23:15:55 Route addition via service succeeded
2021-01-14 23:15:55 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-01-14 23:15:55 Initialization Sequence Completed
2021-01-14 23:15:55 MANAGEMENT: >STATE:1610662555,CONNECTED,SUCCESS,10.8.0.2,41.123.137.134,1194,,

2

Odp: Openvpn działało i przestało

Zaktualizowałem router, skonfigurowałem jeszcze raz i dalej nie działa. Co najlepsze, jak wpiszę 192.168.1.1 w przeglądarkę, to zaczyna ładować się LuCI, czyli widać "LuCI - Lua Configuration Interface", a ping nie idzie. Czy może to być spowodowane tym, że używam snapshotu, a nie stabilnej wersji OpenWrt?

3

Odp: Openvpn działało i przestało

1) Jaki adres ma klient z Windowsem w swojej lokalnej sieci? Jeśli również z podsieci 192.168.1.0/24, to nie będzie działać, bo pchnięta przez VPN trasa do 192.168.1.0/24 koliduje z trasą do sieci lokalnej.
2) Łączysz się do serwera openvpn od strony WAN?
3) Ja mam dodany jeden forwarding więcej (lan -> vpn):

# Zone and forwardings from the responder's working setup (post 3). Unlike
# the original poster's 'vpn' zone there is no masq here.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn'

# LAN hosts -> VPN clients: the forwarding the original post lacks. Note it
# is not involved when a VPN client pings the router itself -- that is
# INPUT on the vpn zone, which already accepts.
config forwarding
        option dest 'vpn'
        option src 'lan'

# VPN clients -> LAN hosts.
config forwarding
        option dest 'lan'
        option src 'vpn'

# VPN clients -> internet via the wan zone (masqueraded there, assuming the
# responder's wan zone has masq like the original poster's).
config forwarding
        option dest 'wan'
        option src 'vpn'

4 (edytowany przez djmysia 2021-01-18 00:07:55)

Odp: Openvpn działało i przestało

1. 192.168.43.39
2. TAK
3. Dodam, sprawdzę i dam znać. Dzięki.


P.S. Zaktualizowałem router, zmieniłem protokół z UDP na TCP i działa.