Openvpn, стандартная конфигурация, проблема

1

1

Всем привет. Ламер. Нуждаюсь в помощи.

Проблема: не маршрутизируется трафик

пинг от клиента к серверу +

от сервера к клиенту -

Лог клиента:

Tue Sep 16 01:55:55 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jun  5 2014
Tue Sep 16 01:55:55 2014 library versions: OpenSSL 1.0.1h 5 Jun 2014, LZO 2.05
Tue Sep 16 01:55:55 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Sep 16 01:55:55 2014 Need hold release from management interface, waiting...
Tue Sep 16 01:55:55 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Sep 16 01:55:55 2014 MANAGEMENT: CMD 'state on'
Tue Sep 16 01:55:55 2014 MANAGEMENT: CMD 'log all on'
Tue Sep 16 01:55:55 2014 MANAGEMENT: CMD 'hold off'
Tue Sep 16 01:55:55 2014 MANAGEMENT: CMD 'hold release'
Tue Sep 16 01:55:56 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Sep 16 01:55:56 2014 UDPv4 link local: [undef]
Tue Sep 16 01:55:56 2014 UDPv4 link remote: [AF_INET]217.178.249.250:1194
Tue Sep 16 01:55:56 2014 MANAGEMENT: >STATE:1410821756,WAIT,,,
Tue Sep 16 01:55:56 2014 MANAGEMENT: >STATE:1410821756,AUTH,,,
Tue Sep 16 01:55:56 2014 TLS: Initial packet from [AF_INET]217.178.249.250:1194, sid=cc79c77c 487e0a8b
Tue Sep 16 01:55:57 2014 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=EasyRSA, emailAddress=me@myhost.mydomain
Tue Sep 16 01:55:57 2014 VERIFY OK: nsCertType=SERVER
Tue Sep 16 01:55:57 2014 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=EasyRSA, emailAddress=me@myhost.mydomain
Tue Sep 16 01:55:59 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Sep 16 01:55:59 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Sep 16 01:55:59 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Sep 16 01:55:59 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Sep 16 01:55:59 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Sep 16 01:55:59 2014 [server] Peer Connection Initiated with [AF_INET]217.178.249.250:1194
Tue Sep 16 01:56:00 2014 MANAGEMENT: >STATE:1410821760,GET_CONFIG,,,
Tue Sep 16 01:56:02 2014 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Sep 16 01:56:02 2014 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,redirect-gateway def1 bypass-dhcp,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Tue Sep 16 01:56:02 2014 OPTIONS IMPORT: timers and/or timeouts modified
Tue Sep 16 01:56:02 2014 OPTIONS IMPORT: --ifconfig/up options modified
Tue Sep 16 01:56:02 2014 OPTIONS IMPORT: route options modified
Tue Sep 16 01:56:02 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Sep 16 01:56:02 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Sep 16 01:56:02 2014 MANAGEMENT: >STATE:1410821762,ASSIGN_IP,,10.8.0.6,
Tue Sep 16 01:56:02 2014 open_tun, tt->ipv6=0
Tue Sep 16 01:56:02 2014 TAP-WIN32 device [2] opened: \\.\Global\{331AE43D-71BB-48EC-9DB6-0552A619DA74}.tap
Tue Sep 16 01:56:02 2014 TAP-Windows Driver Version 9.9 
Tue Sep 16 01:56:02 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {331AE43D-71BB-48EC-9DB6-0552A619DA74} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Tue Sep 16 01:56:02 2014 Successful ARP Flush on interface [30] {331AE43D-71BB-48EC-9DB6-0552A619DA74}
Tue Sep 16 01:56:04 2014 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Tue Sep 16 01:56:04 2014 C:\Windows\system32\route.exe ADD 217.178.249.250 MASK 255.255.255.255 134.237.169.254
Tue Sep 16 01:56:04 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Tue Sep 16 01:56:04 2014 C:\Windows\system32\route.exe ADD 10.90.252.17 MASK 255.255.255.255 134.237.169.254
Tue Sep 16 01:56:04 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Tue Sep 16 01:56:04 2014 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Sep 16 01:56:04 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Tue Sep 16 01:56:04 2014 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Sep 16 01:56:04 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Tue Sep 16 01:56:04 2014 MANAGEMENT: >STATE:1410821764,ADD_ROUTES,,,
Tue Sep 16 01:56:04 2014 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Tue Sep 16 01:56:04 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Tue Sep 16 01:56:04 2014 Initialization Sequence Completed
Tue Sep 16 01:56:04 2014 MANAGEMENT: >STATE:1410821764,CONNECTED,SUCCESS,10.8.0.6,217.178.249.250

Лог сервера:

Mon Sep 15 15:55:33 2014 Diffie-Hellman initialized with 2048 bit key
Mon Sep 15 15:55:33 2014 Socket Buffers: R=[124928->131072] S=[124928->131072]
Mon Sep 15 15:55:33 2014 ROUTE_GATEWAY 217.178.249.249/255.255.255.248 IFACE=eth1 HWADDR=00:25:90:47:2b:b2
Mon Sep 15 15:55:33 2014 TUN/TAP device tun0 opened
Mon Sep 15 15:55:33 2014 TUN/TAP TX queue length set to 100
Mon Sep 15 15:55:33 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Sep 15 15:55:33 2014 /sbin/ip link set dev tun0 up mtu 1500
Mon Sep 15 15:55:33 2014 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Mon Sep 15 15:55:33 2014 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Mon Sep 15 15:55:33 2014 GID set to nobody
Mon Sep 15 15:55:33 2014 UID set to nobody
Mon Sep 15 15:55:33 2014 UDPv4 link local (bound): [undef]
Mon Sep 15 15:55:33 2014 UDPv4 link remote: [undef]
Mon Sep 15 15:55:33 2014 MULTI: multi_init called, r=256 v=256
Mon Sep 15 15:55:33 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Mon Sep 15 15:55:33 2014 Initialization Sequence Completed
Mon Sep 15 15:55:54 2014 134.237.169.223:52352 TLS: Initial packet from [AF_INET]134.237.169.223:52352, sid=9bf26e6f 5946ecfc
Mon Sep 15 15:55:57 2014 134.237.169.223:52352 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=EasyRSA, emailAddress=me@myhost.mydomain
Mon Sep 15 15:55:57 2014 134.237.169.223:52352 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=client, name=EasyRSA, emailAddress=me@myhost.mydomain
Mon Sep 15 15:55:58 2014 134.237.169.223:52352 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Sep 15 15:55:58 2014 134.237.169.223:52352 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 15 15:55:58 2014 134.237.169.223:52352 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Sep 15 15:55:58 2014 134.237.169.223:52352 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 15 15:55:58 2014 134.237.169.223:52352 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Sep 15 15:55:58 2014 134.237.169.223:52352 [client] Peer Connection Initiated with [AF_INET]134.237.169.223:52352
Mon Sep 15 15:55:58 2014 client/134.237.169.223:52352 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Mon Sep 15 15:55:58 2014 client/134.237.169.223:52352 MULTI: Learn: 10.8.0.6 -> client/134.237.169.223:52352
Mon Sep 15 15:55:58 2014 client/134.237.169.223:52352 MULTI: primary virtual IP for client/134.237.169.223:52352: 10.8.0.6
Mon Sep 15 15:56:01 2014 client/134.237.169.223:52352 PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 15 15:56:01 2014 client/134.237.169.223:52352 send_push_reply(): safe_cap=940
Mon Sep 15 15:56:01 2014 client/134.237.169.223:52352 SENT CONTROL [client]: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,redirect-gateway def1 bypass-dhcp,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)

Конф клиента: Win 8x64 IP:10.8.0.6 Subnet mask:255.255.255.252 Gateway: -- DHCP: 10.8.0.5

client
dev tun
proto udp
remote 217.178.249.250 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key

ns-cert-type server
comp-lzo
verb 3
route-method  exe
route-delay 2

Конф сервера: Centos 6 net.ipv4.ip_forward=1

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:860 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:53579 (52.3 KiB)  TX bytes:0 (0.0 b)

port 1194
proto udp
dev tun

ca ca.crt 
cert server.crt 
key server.key
dh dh2048.pem

server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

push "redirect-gateway def1 bypass-dhcp"
log         /var/log/openvpn.log

user nobody
group nobody

Предполагаю что проблема в сетевых интерфейсах...

Ссылка

←	Процесс ядра kworker/u8:0 периодически зажирает жесткий диск. Как избежать этого?

mikrotik, vpn и fxo-sip шлюз

→

Когда я крайний раз смотрел, в десктопной венде входищие пинги по дефолту блокировались. Логи не читал.

anonymous
(16.09.14 03:54:08 MSK)

Ответ на: комментарий от anonymous 16.09.14 03:54:08 MSK

Теперь пинги идут. Серв и клиент видят друг друга. Вот только траф не маршрутизируется(

sanc
(16.09.14 23:53:22 MSK) автор топика

Ответ на: комментарий от sanc 16.09.14 23:53:22 MSK

Теперь пинги идут. Серв и клиент видят друг друга. Вот только траф не маршрутизируется(

Что значит не маршрутизируется? Какой траф, откуда идёт, куда идёт, через что идёт? ~~Имена, пароли, явки~~ айпишники, протоколы, порты. Выхлоп ip route/route.

anonymous
(16.09.14 23:59:31 MSK)

Ответ на: комментарий от anonymous 16.09.14 23:59:31 MSK

Могу выражаться неправильно... Мне нужно пустить весь трафик клиента через vpn server (выйти в сеть штоле).

Оно? (остальное осталось неизменным - в посте выше)

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
217.178.249.248 0.0.0.0         255.255.255.248 U         0 0          0 eth1
10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         217.178.249.249 0.0.0.0         UG        0 0          0 eth1


Список интерфейсов
 30...00 ff 33 1a e4 3d ......TAP-Windows Adapter V9
 21...00 ff 5c 3f a3 0b ......TAP-Win32 Adapter OAS
 14...00 15 af f7 41 10 ......Устройства Bluetooth (личной сети)
 13...00 16 ea 7f 73 90 ......Intel(R) WiFi Link 5100 AGN
 12...00 22 15 80 12 b4 ......Контроллер семейства Realtek PCIe GBE
  1...........................Software Loopback Interface 1
 17...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 20...00 00 00 00 00 00 00 e0 Адаптер Microsoft 6to4
 23...00 00 00 00 00 00 00 e0 Адаптер Microsoft ISATAP #4
 24...00 00 00 00 00 00 00 e0 Адаптер Microsoft ISATAP #5
===========================================================================

IPv4 таблица маршрута
===========================================================================
Активные маршруты:
Сетевой адрес           Маска сети      Адрес шлюза       Интерфейс  Метрика
          0.0.0.0          0.0.0.0   134.237.169.254   134.237.169.223   20
          0.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6     31
         10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6     31
         10.8.0.4  255.255.255.252         On-link          10.8.0.6    286
         10.8.0.6  255.255.255.255         On-link          10.8.0.6    286
         10.8.0.7  255.255.255.255         On-link          10.8.0.6    286
     10.90.252.17  255.255.255.255   134.237.169.254   134.237.169.223   21
     134.237.169.0    255.255.255.0         On-link    134.237.169.223  276
   134.237.169.223  255.255.255.255         On-link    134.237.169.223  276
   134.237.169.255  255.255.255.255         On-link    134.237.169.223  276
  217.178.249.250  255.255.255.255   134.237.169.254   134.237.169.223   21
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        128.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6     31
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link          10.8.0.6    286
        224.0.0.0        240.0.0.0         On-link    134.237.169.223   276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link          10.8.0.6    286
  255.255.255.255  255.255.255.255         On-link    134.237.169.223   276
===========================================================================
Постоянные маршруты:
  Отсутствует

IPv6 таблица маршрута
===========================================================================
Активные маршруты:
 Метрика   Сетевой адрес            Шлюз
  1    306 ::1/128                  On-link
 20   1025 2002::/16                On-link
 20    281 2002:5ef4:a9df::5ef4:a9df/128
                                    On-link
 12    276 fe80::/64                On-link
 12    276 fe80::65b4:ee45:4364:3d59/128
                                    On-link
  1    306 ff00::/8                 On-link
 12    276 ff00::/8                 On-link
===========================================================================
Постоянные маршруты:
  Отсутствует

sanc
(17.09.14 00:37:28 MSK) автор топика

Ответ на: комментарий от sanc 17.09.14 00:37:28 MSK

На сервере так попробуй.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE

anonymous
(17.09.14 00:49:24 MSK)

Ответ на: комментарий от anonymous 17.09.14 00:49:24 MSK

Супер, оно работает.

А если мне нужно только отдельные ip перенаправлять... Это не выходит. Убираю push «redirect-gateway def1 bypass-dhcp». В конфиг сервера: push «route 188.40.74.10 255.255.255.0» При том что, вроде-бы, прописало верно:

Wed Sep 17 00:38:21 2014 MANAGEMENT: >STATE:1410903501,ADD_ROUTES,,,
Wed Sep 17 00:38:21 2014 C:\Windows\system32\route.exe ADD 188.40.74.9 MASK 255.255.255.0 10.8.0.5
Wed Sep 17 00:38:21 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Wed Sep 17 00:38:21 2014 C:\Windows\system32\route.exe ADD 188.40.74.10 MASK 255.255.255.0 10.8.0.5
Wed Sep 17 00:38:21 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Wed Sep 17 00:38:21 2014 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Sep 17 00:38:21 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Wed Sep 17 00:38:21 2014 Initialization Sequence Completed

В чем беда?

sanc
(17.09.14 01:41:19 MSK) автор топика

Ответ на: комментарий от sanc 17.09.14 01:41:19 MSK

Попробуй

push "route 188.40.74.10 255.255.255.255"

Ну и да, выхлоп route выкладывай, если что.

anonymous
(17.09.14 01:50:43 MSK)

Ответ на: комментарий от anonymous 17.09.14 01:50:43 MSK

Спасибо, хороший человек) Уйму времени мне сэкономил - я у тебя в долгу.

sanc
(17.09.14 01:58:03 MSK) автор топика

Ссылка

Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.

←	Процесс ядра kworker/u8:0 периодически зажирает жесткий диск. Как избежать этого?

Admin

mikrotik, vpn и fxo-sip шлюз

→

Похожие темы