Доброго времени суток. Возникла следующая проблема с сервером OpenVPN. Поднимаю его на свежеустановленной Ubuntu 14.04 на сервере в интернете. Поднял без проблем, всё заработало по части сервера. С клиентом начались пляски. При соединении всё идёт нормально.
Mon Apr 21 18:27:44 2014 OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014
Mon Apr 21 18:27:44 2014 WARNING: file 'client.key' is group or others accessible
Mon Apr 21 18:27:44 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Apr 21 18:27:44 2014 Attempting to establish TCP connection with [AF_INET]31.131.16.254:1194 [nonblock]
Mon Apr 21 18:27:45 2014 TCP connection established with [AF_INET]31.131.16.254:1194
Mon Apr 21 18:27:45 2014 TCPv4_CLIENT link local: [undef]
Mon Apr 21 18:27:45 2014 TCPv4_CLIENT link remote: [AF_INET]31.131.16.254:1194
Mon Apr 21 18:27:45 2014 TLS: Initial packet from [AF_INET]31.131.16.254:1194, sid=c28b1324 0cbbf0ce
Mon Apr 21 18:27:47 2014 VERIFY OK: depth=1, C=BY, ST=Belarus, L=Brest, O=PRO-WEB NetWork, OU=PROWEB, CN=PRO-WEB NetWork CA, name=EasyRSA, emailAddress=brif@mail.by
Mon Apr 21 18:27:47 2014 VERIFY OK: nsCertType=SERVER
Mon Apr 21 18:27:47 2014 VERIFY OK: depth=0, C=BY, ST=Belarus, L=Brest, O=PRO-WEB NetWork, OU=PROWEB, CN=server, name=EasyRSA, emailAddress=brif@mail.by
Mon Apr 21 18:27:52 2014 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Mon Apr 21 18:27:52 2014 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1576', remote='link-mtu 1544'
Mon Apr 21 18:27:52 2014 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Mon Apr 21 18:27:52 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Apr 21 18:27:52 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 21 18:27:52 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Apr 21 18:27:52 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 21 18:27:52 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Apr 21 18:27:52 2014 [server] Peer Connection Initiated with [AF_INET]31.131.16.254:1194
Mon Apr 21 18:27:54 2014 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Apr 21 18:27:54 2014 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Mon Apr 21 18:27:54 2014 OPTIONS IMPORT: timers and/or timeouts modified
Mon Apr 21 18:27:54 2014 OPTIONS IMPORT: --ifconfig/up options modified
Mon Apr 21 18:27:54 2014 OPTIONS IMPORT: route options modified
Mon Apr 21 18:27:54 2014 WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. (silence this warning with --ifconfig-nowarn)
Mon Apr 21 18:27:54 2014 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=00:13:d4:5e:58:ab
Mon Apr 21 18:27:54 2014 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Mon Apr 21 18:27:54 2014 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.8.0.0
Mon Apr 21 18:27:54 2014 TUN/TAP device tap0 opened
Mon Apr 21 18:27:54 2014 TUN/TAP TX queue length set to 100
Mon Apr 21 18:27:54 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Apr 21 18:27:54 2014 /sbin/ip link set dev tap0 up mtu 1500
Mon Apr 21 18:27:54 2014 /sbin/ip addr add dev tap0 10.8.0.6/5 broadcast 255.255.255.254
Mon Apr 21 18:27:54 2014 Initialization Sequence Completed
При попытке пинга сервера 10.8.0.1 указывается, что хост недоступен. Ответ идёт от локального компа (то есть если при подключении получаем ip 10.8.0.6, то и ответ идёт от этого компа.) Между клиентами тоже пинга нет. Опция client-to-client включена, дубликация разрешена.
Конфигурация сервера:
;local a.b.c.d
port 1194
proto tcp
;proto udp;dev tap
dev tun;dev-node MyTap
ca ca.crt
cert server.crt
key server.key # This file should be kept secretdh dh2048.pem
server 10.8.0.0 255.255.255.0
;ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push «route 192.168.10.0 255.255.255.0»
;push «route 192.168.20.0 255.255.255.0»;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script;push «redirect-gateway def1 bypass-dhcp»
;push «dhcp-option DNS 208.67.222.222»
;push «dhcp-option DNS 208.67.220.220»client-to-client
duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DEScomp-lzo
;max-clients 100
;user nobody
;group nogrouppersist-key
persist-tunstatus openvpn-status.log
;log openvpn.log
;log-append openvpn.logverb 3
;mute 20
Конфигурация клиента:
client
dev tap
proto tcp
remote server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
log /var/log/openvpn.log
verb 3
Проверялось на windows и на linux. Картина везде одинакова. Если понадобится - скину лог подключения от клиента windows. Буду рад любой помощи и совету.
PS не понятно, теги здесь обрабатываются при оформлении новости? Публикую впервые.