1. ПЕРВЫЙ ОФИС. Роутер D-Link DIR-615 поднимает инет соединение (адрес роутера 192.168.1.1)
2. Машина на Debian выступает в качестве шлюза локальной сети, имеет два сетевых интерфейса: eth0=192.168.1.11 и eth1=192.168.0.1 (все компьютеры в сети имеют адрес 192.168.0.х)
3. На этой же машине установлен OpenVPN сервер, согласно инструкции: http://debian-help.ru/articles/ustanovka-nastroika-openvpn-servera-debian-6/
Конфиг сервера:
push "route 192.168.0.0 255.255.255.0"
tls-auth ta.key 0
cipher DES-EDE3-CBC
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
/etc/init.d/openvpn startПередаю ключи и сертификаты клиенту (кстати говоря файлы *.key не хотели даже открываться, но chmod 777 вроде решил данную проблему), создаю конфиг клиента:
client
port 1194
proto udp
dev tun
dev-node "VPN"
remote 78.85.32.29 1194
remote-cert-tls server
ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping-restart 60
ping 10
comp-lzo
persist-key
persist-tun
cipher DES-EDE3-CBC
status "C:\\Program Files\\OpenVPN\\log\\openvpn-status.log"
log "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
verb 3
mute 20
Лог клиента:
Thu Feb 04 19:42:21 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Feb 1 2016
Thu Feb 04 19:42:21 2016 Windows version 6.2 (Windows 8 or greater)
Thu Feb 04 19:42:21 2016 library versions: OpenSSL 1.0.1r 28 Jan 2016, LZO 2.09
Thu Feb 04 19:42:21 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Feb 04 19:42:21 2016 Need hold release from management interface, waiting...
Thu Feb 04 19:42:22 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Feb 04 19:42:22 2016 MANAGEMENT: CMD 'state on'
Thu Feb 04 19:42:22 2016 MANAGEMENT: CMD 'log all on'
Thu Feb 04 19:42:22 2016 MANAGEMENT: CMD 'hold off'
Thu Feb 04 19:42:22 2016 MANAGEMENT: CMD 'hold release'
Thu Feb 04 19:42:22 2016 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Thu Feb 04 19:42:22 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 04 19:42:22 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 04 19:42:22 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Feb 04 19:42:22 2016 UDPv4 link local (bound): [undef]
Thu Feb 04 19:42:22 2016 UDPv4 link remote: [AF_INET]78.85.32.29:1194
Thu Feb 04 19:42:22 2016 MANAGEMENT: >STATE:1454600542,WAIT,,,
Thu Feb 04 19:43:22 2016 [UNDEF] Inactivity timeout (--ping-restart), restarting
Thu Feb 04 19:43:22 2016 SIGUSR1[soft,ping-restart] received, process restarting
Thu Feb 04 19:43:22 2016 MANAGEMENT: >STATE:1454600602,RECONNECTING,ping-restart,,
Thu Feb 04 19:43:22 2016 Restart pause, 2 second(s)
Thu Feb 04 19:43:24 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Feb 04 19:43:24 2016 UDPv4 link local (bound): [undef]
Thu Feb 04 19:43:24 2016 UDPv4 link remote: [AF_INET]78.85.32.29:1194
Thu Feb 04 19:43:24 2016 MANAGEMENT: >STATE:1454600604,WAIT,,,
Fri Feb 5 01:09:29 2016 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
Fri Feb 5 01:09:29 2016 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Fri Feb 5 01:09:29 2016 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Feb 5 01:09:29 2016 Diffie-Hellman initialized with 1024 bit key
Fri Feb 5 01:09:29 2016 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Feb 5 01:09:29 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 5 01:09:29 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 5 01:09:29 2016 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Feb 5 01:09:29 2016 Socket Buffers: R=[163840->131072] S=[163840->131072]
Fri Feb 5 01:09:29 2016 ROUTE default_gateway=192.168.1.1
Fri Feb 5 01:09:29 2016 TUN/TAP device tun0 opened
Fri Feb 5 01:09:29 2016 TUN/TAP TX queue length set to 100
Fri Feb 5 01:09:29 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Feb 5 01:09:29 2016 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Fri Feb 5 01:09:29 2016 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Fri Feb 5 01:09:29 2016 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Feb 5 01:09:29 2016 UDPv4 link local (bound): [undef]
Fri Feb 5 01:09:29 2016 UDPv4 link remote: [undef]
Fri Feb 5 01:09:29 2016 MULTI: multi_init called, r=256 v=256
Fri Feb 5 01:09:29 2016 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Fri Feb 5 01:09:29 2016 IFCONFIG POOL LIST
Fri Feb 5 01:09:29 2016 Initialization Sequence Completed
.png)
