I have a working OpenVPN server on Debian on which I accidentally deleted ca.key, so I had to regenerate all keys and certificates. The configs were not changed. Before the deletion everything worked: all client traffic went through the tunnel, local resources were reachable, the internet worked. Now I get these errors (*** is where I redacted):
Fri Dec 4 09:37:02 2015 us=451600 MULTI: multi_create_instance called
Fri Dec 4 09:37:02 2015 us=451653 80.83.239.3:19993 Re-using SSL/TLS context
Fri Dec 4 09:37:02 2015 us=451679 80.83.239.3:19993 LZO compression initialized
Fri Dec 4 09:37:02 2015 us=451797 80.83.239.3:19993 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Dec 4 09:37:02 2015 us=451807 80.83.239.3:19993 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Dec 4 09:37:02 2015 us=451832 80.83.239.3:19993 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Dec 4 09:37:02 2015 us=451840 80.83.239.3:19993 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Dec 4 09:37:02 2015 us=451860 80.83.239.3:19993 Local Options hash (VER=V4): '14168603'
Fri Dec 4 09:37:02 2015 us=451870 80.83.239.3:19993 Expected Remote Options hash (VER=V4): '504e774e'
Fri Dec 4 09:37:02 2015 us=451903 80.83.239.3:19993 TLS: Initial packet from [AF_INET]80.83.239.3:19993, sid=75cc9312 4169b740
Fri Dec 4 09:37:02 2015 us=939147 80.83.239.3:19993 Replay-window backtrack occurred [1]
Fri Dec 4 09:37:03 2015 us=467729 80.83.239.3:19993 CRL CHECK OK: /C=RU/ST=Irkutskaya/L=Irkutsk/O=***/CN=***_CA/emailAddress=***
Fri Dec 4 09:37:03 2015 us=467764 80.83.239.3:19993 VERIFY OK: depth=1, /C=RU/ST=Irkutskaya/L=Irkutsk/O=***/CN=***_CA/emailAddress=***
Fri Dec 4 09:37:03 2015 us=467977 80.83.239.3:19993 CRL CHECK OK: /C=RU/ST=Irkutskaya/L=Irkutsk/O=***/CN=***/emailAddress=***
Fri Dec 4 09:37:03 2015 us=468002 80.83.239.3:19993 VERIFY OK: depth=0, /C=RU/ST=Irkutskaya/L=Irkutsk/O=***/CN=***/emailAddress=***
Fri Dec 4 09:37:03 2015 us=644990 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec 4 09:37:03 2015 us=645032 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:52870
Fri Dec 4 09:37:03 2015 us=875912 80.83.239.3:19993 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Dec 4 09:37:03 2015 us=875931 80.83.239.3:19993 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 4 09:37:03 2015 us=875975 80.83.239.3:19993 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Dec 4 09:37:03 2015 us=875982 80.83.239.3:19993 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 4 09:37:03 2015 us=996430 80.83.239.3:19993 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Dec 4 09:37:03 2015 us=996454 80.83.239.3:19993 [***] Peer Connection Initiated with [AF_INET]80.83.239.3:19993
Fri Dec 4 09:37:03 2015 us=996491 ***/80.83.239.3:19993 MULTI: Learn: 10.8.0.6 -> ***/80.83.239.3:19993
Fri Dec 4 09:37:03 2015 us=996500 ***/80.83.239.3:19993 MULTI: primary virtual IP for ***/80.83.239.3:19993: 10.8.0.6
Fri Dec 4 09:37:03 2015 us=996534 ***/80.83.239.3:19993 PUSH: Received control message: 'PUSH_REQUEST'
Fri Dec 4 09:37:03 2015 us=996559 ***/80.83.239.3:19993 SENT CONTROL [***]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.168.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Fri Dec 4 09:37:04 2015 us=958542 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec 4 09:37:04 2015 us=958587 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:56645
Fri Dec 4 09:37:06 2015 us=948582 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec 4 09:37:06 2015 us=948632 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:56645
Fri Dec 4 09:37:09 2015 us=42578 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec 4 09:37:09 2015 us=42623 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:56645
Fri Dec 4 09:37:10 2015 us=952470 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec 4 09:37:10 2015 us=952521 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:56645
Fri Dec 4 09:37:13 2015 us=40570 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec 4 09:37:13 2015 us=40618 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:56645
Fri Dec 4 09:37:14 2015 us=956498 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec 4 09:37:14 2015 us=956545 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:38505
Fri Dec 4 09:37:15 2015 us=893514 ***/80.83.239.3:19993 Replay-window backtrack occurred [2]
Fri Dec 4 09:37:17 2015 us=36547 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec 4 09:37:17 2015 us=36592 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:38505
Fri Dec 4 09:37:18 2015 us=954559 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec 4 09:37:18 2015 us=954605 TLS Error: incoming packet authentication failed from [AF_INET]176.59.141.149:38505
Fri Dec 4 09:52:43 2015 us=280758 MULTI: multi_create_instance called
Fri Dec 4 09:52:43 2015 us=280820 141.105.52.211:57131 Re-using SSL/TLS context
Fri Dec 4 09:52:43 2015 us=280831 141.105.52.211:57131 LZO compression initialized
Fri Dec 4 09:52:43 2015 us=280880 141.105.52.211:57131 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Dec 4 09:52:43 2015 us=280889 141.105.52.211:57131 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Dec 4 09:52:43 2015 us=280911 141.105.52.211:57131 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Dec 4 09:52:43 2015 us=280917 141.105.52.211:57131 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Dec 4 09:52:43 2015 us=280929 141.105.52.211:57131 Local Options hash (VER=V4): '14168603'
Fri Dec 4 09:52:43 2015 us=280939 141.105.52.211:57131 Expected Remote Options hash (VER=V4): '504e774e'
Fri Dec 4 09:52:43 2015 us=280957 141.105.52.211:57131 TLS: Initial packet from [AF_INET]141.105.52.211:57131, sid=df89b666 812af5c9
Fri Dec 4 09:52:44 2015 us=711086 141.105.52.211:57131 CRL CHECK OK: /C=RU/ST=Irkutskaya/L=Irkutsk/O=***/CN=***_CA/emailAddress=***
Fri Dec 4 09:52:44 2015 us=711119 141.105.52.211:57131 VERIFY OK: depth=1, /C=RU/ST=Irkutskaya/L=Irkutsk/O=***/CN=***d_CA/emailAddress=***
Fri Dec 4 09:52:44 2015 us=711283 141.105.52.211:57131 CRL CHECK OK: /C=RU/ST=Irkutskaya/L=Irkutsk/O=***/CN=***/emailAddress=***
Fri Dec 4 09:52:44 2015 us=711302 141.105.52.211:57131 VERIFY OK: depth=0, /C=RU/ST=Irkutskaya/L=Irkutsk/O=**/CN=***/emailAddress=***
Fri Dec 4 09:52:44 2015 us=863804 141.105.52.211:57131 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Dec 4 09:52:44 2015 us=863823 141.105.52.211:57131 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 4 09:52:44 2015 us=863867 141.105.52.211:57131 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Dec 4 09:52:44 2015 us=863881 141.105.52.211:57131 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 4 09:52:45 2015 us=16141 141.105.52.211:57131 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Dec 4 09:52:45 2015 us=16183 141.105.52.211:57131 [***] Peer Connection Initiated with [AF_INET]141.105.52.211:57131
Fri Dec 4 09:52:45 2015 us=16266 MULTI: new connection by client '***' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Fri Dec 4 09:52:45 2015 us=16298 MULTI: Learn: 10.8.0.6 -> ***/141.105.52.211:57131
Fri Dec 4 09:52:45 2015 us=16307 MULTI: primary virtual IP for ***/141.105.52.211:57131: 10.8.0.6
Fri Dec 4 09:52:45 2015 us=19702 ***/141.105.52.211:57131 PUSH: Received control message: 'PUSH_REQUEST'
Fri Dec 4 09:52:45 2015 us=19732 ***/141.105.52.211:57131 SENT CONTROL [***]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.168.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Fri Dec 4 09:52:46 2015 us=559266 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec 4 09:52:47 2015 us=842681 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec 4 09:52:48 2015 us=25371 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec 4 09:52:48 2015 us=183303 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec 4 09:52:48 2015 us=856514 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec 4 09:52:50 2015 us=212621 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec 4 09:52:50 2015 us=970231 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec 4 09:52:52 2015 us=912591 ***/141.105.52.211:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
From mobile devices RDP works, as does access to the share (via ES Explorer); the internet does not work, and access to the share via the app (Synology) does not work; from the PC everything works without problems. The iptables and OpenVPN configs were not changed, neither on the client nor on the server.
Server
port 9194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
crl-verify crl.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.0.1"
keepalive 10 120
tls-auth ta.key 0
cipher BF-CBC
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 4
mute 10
Client
client
dev tun
proto udp
remote xx.xx.xx.xx 9194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert support.crt
key support.key
ns-cert-type server
tls-client
tls-timeout 120
tls-auth ta.key 1
cipher BF-CBC
comp-lzo
verb 3
iptables
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW -s 10.8.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source xx.xx.xx.xx
route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
gateway.irkcity * 255.255.255.255 UH 0 0 0 ppp0
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
default * 0.0.0.0 U 0 0 0 ppp0
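The server log above mixes three separate event streams: a successful handshake from one peer, tls-auth HMAC rejections from a different address, and data packets dropped for a LAN source (192.168.0.105) that is not routed to the client. The following triage script is an added example, not part of the post; it classifies such OpenVPN "verb 4" lines and counts them per source so the streams can be told apart. The CN "support" and the addresses in the embedded sample are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the post's OpenVPN 2.x "verb 4" log
# (hypothetical CN "support", RFC 5737 documentation addresses, not the real ones).
SAMPLE_LOG = """\
Fri Dec 4 09:37:03 2015 us=644990 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Dec 4 09:37:03 2015 us=645032 TLS Error: incoming packet authentication failed from [AF_INET]198.51.100.7:52870
Fri Dec 4 09:37:03 2015 us=996454 203.0.113.5:19993 [support] Peer Connection Initiated with [AF_INET]203.0.113.5:19993
Fri Dec 4 09:52:45 2015 us=16266 MULTI: new connection by client 'support' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Fri Dec 4 09:52:46 2015 us=559266 support/203.0.113.9:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec 4 09:52:47 2015 us=842681 support/203.0.113.9:57131 MULTI: bad source address from client [192.168.0.105], packet dropped
Fri Dec 4 09:52:48 2015 us=25371 TLS Error: incoming packet authentication failed from [AF_INET]198.51.100.7:56645
"""

# event class -> regex over one log line; the named group "key" is what gets counted
PATTERNS = {
    # tls-auth HMAC check rejected the control packet: that peer never reaches the TLS handshake
    "tls_auth_failed": re.compile(r"incoming packet authentication failed from \[AF_INET\](?P<key>[\d.]+):\d+"),
    # data packet whose inner source IP is not routed to the sending client (no iroute/ccd entry)
    "bad_source": re.compile(r"MULTI: bad source address from client \[(?P<key>[\d.]+)\]"),
    # a second session with the same CN replaces the first one
    "duplicate_cn": re.compile(r"MULTI: new connection by client '(?P<key>[^']+)' will cause"),
    # handshake completed; key is the peer's public address
    "connected": re.compile(r"(?P<key>[\d.]+):\d+ \[[^\]]+\] Peer Connection Initiated"),
}

def triage(log_text):
    """Return {event_class: {key: count}} for every recognised line in log_text."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        for event, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                summary[event][m.group("key")] += 1
                break  # one class per line
    return {event: dict(c) for event, c in summary.items()}

def peers_never_handshaking(summary):
    """Addresses rejected by tls-auth that never appear as a connected peer."""
    return sorted(set(summary.get("tls_auth_failed", {})) - set(summary.get("connected", {})))

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for event, sources in result.items():
        print(event, sources)
    print("rejected by tls-auth, never connected:", peers_never_handshaking(result))
```

Run it over /var/log/openvpn.log to see whether the HMAC failures come from the same address as the connected client or from another host, and which inner source address is being dropped.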