LINUX.ORG.RU
ФорумAdmin

Проблема с openvpn + OBFSPROXY

 ,


0

1

Привет всем!!! Прошу помочь разобраться. По факту VPS-ка c белым ip (ens3), установлен openvpn + obfsproxy Я вообще пока с трудом вкуриваю тему маршрутизации. Что надо прописать в правилах чтоб заработало.Всяких примеров с правилами пробовал, ничего не работает. 

obfsproxy --log-min-severity=info obfs3 --dest 127.0.0.1:1194 server ip_ens3:443

client.opvn

client
dev tun
proto tcp
remote xx.xx.xx.xx 443
resolv-retry infinite
nobind
comp-lzo no
ca ca.crt
cert client.crt
key client.key
dh dh2048.pem
cipher AES-256-CBC
remote-cert-tls server
sndbuf 100000
rcvbuf 100000
tls-client
tls-auth ta.key 1
ns-cert-type server
keepalive 10 120
persist-key
persist-tun
verb 3
script-security 2

server.conf

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
tun-mtu 1500
;tun-mtu-extra 32
mssfix 1432
;txqueuelen 2048
;tcp-queue-limit 1024
;tcp-nodelay
server 10.48.9.0 255.255.255.0
daemon
;writepid /etc/openvpn/pid/openvpn.pid
ifconfig-pool-persist /etc/openvpn/tmp/ipp.txt
client-config-dir ccd
push "route 10.48.9.0 255.255.255.0"
keepalive 5 30
comp-lzo no
#user nobody
#group nobody
persist-key
persist-tun
status /etc/openvpn/log/openvpn-status.log
status /etc/openvpn/log/tcp-server-tcp.log
log /etc/openvpn/log/openvpn.log
verb 5
script-security 3
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"

Это Log obfspoxy

[WARNING] Obfsproxy (version: 0.2.13) starting up.
[INFO] StaticDestinationServerFactory starting on 443
[INFO] Starting factory <obfsproxy.network.network.StaticDestinationServerFactory instance at 0x7f29c69ea950>
[INFO] Launched 'server' listener at '[scrubbed]:443' for transport 'obfs2'.
[INFO] Starting factory <obfsproxy.network.network.StaticDestinationClientFactory instance at 0x7f29c69f33b0>
[INFO] Stopping factory <obfsproxy.network.network.StaticDestinationClientFactory instance at 0x7f29c69f33b0>
[INFO] Starting factory <obfsproxy.network.network.StaticDestinationClientFactory instance at 0x7f29c69f3950>

Это лог клиента openvpn

Socket Buffers: R=[8192->100000] S=[8192->100000]
Attempting to establish TCP connection with [AF_INET]xx.xx.xx.xx:443 [nonblock]
MANAGEMENT: >STATE:1476350579,TCP_CONNECT,,,
TCP connection established with [AF_INET]xx.xx.xx.xx:443
TCPv4_CLIENT link local: [undef]
TCPv4_CLIENT link remote: [AF_INET]xx.xx.xx.xx:443
MANAGEMENT: >STATE:1476350580,WAIT,,,
WARNING: Bad encapsulated packet length from peer (12198), which must be > 0 and <= 1563 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting
MANAGEMENT: >STATE:1476350580,RECONNECTING,connection-reset,,
Restart pause, 5 second(s)

Это Log openvpn.log на сервере

us=821607 MULTI: multi_create_instance called
us=821686 Re-using SSL/TLS context
us=821724 LZO compression initialized
us=821811 Control Channel MTU parms [ L:1560 D:1182 EF:68 EB:0 ET:0 EL:3 ]
us=821838 Data Channel MTU parms [ L:1560 D:1432 EF:60 EB:143 ET:0 EL:3 AF:3/1 ]
us=821879 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
us=821892 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
us=821912 Local Options hash (VER=V4): '9915e4a2'
us=821928 Expected Remote Options hash (VER=V4): '2f2c6498'
us=821957 TCP connection established with [AF_INET]127.0.0.1:60242
us=821971 TCPv4_SERVER link local: [undef]
us=821983 TCPv4_SERVER link remote: [AF_INET]127.0.0.1:60242
us=774609 127.0.0.1:60242 Connection reset, restarting [0]
us=774675 127.0.0.1:60242 SIGUSR1[soft,connection-reset] received, client-instance restarting
us=774741 TCP/UDP: Closing socket


Последнее исправление: Falcon-peregrinus (всего исправлений: 3)
DD-WRT. Редирект PXE-запросов на сторонний tftp-server
Vesta отвечает на все имена, а хотелось бы ошибки 404

Дабавил эти правила

iptables -A INPUT -i ens3 -m state --state NEW -p tcp --dport 1194 -j ACCEPT

iptables -A INPUT -i tun0 -j ACCEPT

iptables -A FORWARD -i tun0 -j ACCEPT

iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i ens3 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE

alexbalkan
() автор топика
Ответ на: комментарий от alexbalkan

и получил следующее MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340

Need hold release from management interface, waiting...

MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340

MANAGEMENT: CMD 'state on'

MANAGEMENT: CMD 'log all on'

MANAGEMENT: CMD 'hold off'

MANAGEMENT: CMD 'hold release'

Control Channel Authentication: using 'ta.key' as a OpenVPN static key file

Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Socket Buffers: R=[8192->100000] S=[8192->100000]

Attempting to establish TCP connection with [AF_INET]xx.xx.xx.xx:443 [nonblock]

MANAGEMENT: >STATE:1476354529,TCP_CONNECT,,,

TCP connection established with [AF_INET]xx.xx.xx.xx:443

TCPv4_CLIENT link local: [undef]

TCPv4_CLIENT link remote: [AF_INET]xx.xx.xx.xx:443

MANAGEMENT: >STATE:1476354530,WAIT,,,

WARNING: Bad encapsulated packet length from peer (17990), which must be > 0 and <= 1563 — please ensure that --tun-mtu or --link-mtu is equal on both peers — this condition could also indicate a possible active attack on the TCP link — [Attempting restart...]

Connection reset, restarting [0]

SIGUSR1[soft,connection-reset] received, process restarting

MANAGEMENT: >STATE:1476354530,RECONNECTING,connection-reset,, Restart pause, 5 second(s)

alexbalkan
() автор топика
Ответ на: комментарий от alexbalkan

iptables -A INPUT -i ens3 -m state --state NEW -p udp --dport 1194 -j ACCEPT Погуглил, вроде чет нашел, неработает, потому как не знаю как правильно применять и строить чего хочу iptables -A INPUT -i tun0 -j ACCEPT

iptables -A FORWARD -i tun0 -j ACCEPT

iptables -A FORWARD -i tun0 -o ens3 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i ens3 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.48.9.0/24 -o ens3 -j MASQUERADE

iptables -A OUTPUT -o tun0 -j ACCEPT

выхлоп 1194 23:34:13.818821 IP localhost.60678 > localhost.openvpn: Flags , seq 99085980, win 43690, options [mss 65495,sackOK,TS val 31726933 ecr 0,nop,wscale 7], length 0 23:34:13.818845 IP localhost.openvpn > localhost.60678: Flags [S.], seq 2317335044, ack 99085981, win 43690, options [mss 65495,sackOK,TS val 31726933 ecr 31726933,nop,wscale 7], length 0 23:34:13.818861 IP localhost.60678 > localhost.openvpn: Flags [.], ack 1, win 342, options [nop,nop,TS val 31726933 ecr 31726933], length 0 23:34:14.781217 IP localhost.60678 > localhost.openvpn: Flags [F.], seq 1, ack 1, win 342, options [nop,nop,TS val 31727174 ecr 31726933], length 0 23:34:14.781574 IP localhost.openvpn > localhost.60678: Flags [F.], seq 1, ack 2, win 342, options [nop,nop,TS val 31727174 ecr 31727174], length 0 23:34:14.781602 IP localhost.60678 > localhost.openvpn: Flags [.], ack 2, win 342, options [nop,nop,TS val 31727174 ecr 31727174], length 0 23:34:19.888759 IP localhost.60680 > localhost.openvpn: Flags , seq 411593577, win 43690, options [mss 65495,sackOK,TS val 31728451 ecr 0,nop,wscale 7], length 0 23:34:19.888786 IP localhost.openvpn > localhost.60680: Flags [S.], seq 392839067, ack 411593578, win 43690, options [mss 65495,sackOK,TS val 31728451 ecr 31728451,nop,wscale 7], length 0 23:34:19.888814 IP localhost.60680 > localhost.openvpn: Flags [.], ack 1, win 342, options [nop,nop,TS val 31728451 ecr 31728451], length 0 23:34:20.848362 IP localhost.60680 > localhost.openvpn: Flags [F.], seq 1, ack 1, win 342, options [nop,nop,TS val 31728690 ecr 31728451], length 0 23:34:20.848538 IP localhost.openvpn > localhost.60680: Flags [.], ack 2, win 342, options [nop,nop,TS val 31728691 ecr 31728690], length 0 23:34:20.848993 IP localhost.openvpn > localhost.60680: Flags [F.], seq 1, ack 2, win 342, options [nop,nop,TS val 31728691 ecr 31728690], length 0 23:34:20.849029 IP localhost.60680 > localhost.openvpn: Flags [.], ack 2, win 342, options [nop,nop,TS val 31728691 ecr 31728691], length 0 23:34:25.952132 IP localhost.60682 > localhost.openvpn: Flags , seq 1096491333, win 43690, options [mss 65495,sackOK,TS val 31729966 ecr 0,nop,wscale 7], length 0 23:34:25.952151 IP localhost.openvpn > localhost.60682: Flags [S.], seq 482676487, ack 1096491334, win 43690, options [mss 65495,sackOK,TS val 31729966 ecr 31729966,nop,wscale 7], length 0 23:34:25.952167 IP localhost.60682 > localhost.openvpn: Flags [.], ack 1, win 342, options [nop,nop,TS val 31729966 ecr 31729966], length 0 23:34:26.910580 IP localhost.60682 > localhost.openvpn: Flags [F.], seq 1, ack 1, win 342, options [nop,nop,TS val 31730206 ecr 31729966], length 0 23:34:26.911006 IP localhost.openvpn > localhost.60682: Flags [F.], seq 1, ack 2, win 342, options [nop,nop,TS val 31730206 ecr 31730206], length 0 23:34:26.911036 IP localhost.60682 > localhost.openvpn: Flags [.], ack 2, win 342, options [nop,nop,TS val 31730206 ecr 31730206], length 0

выхлоп 443 23:35:31.912115 IP ip-228.pool-228.ms-dpc03.cpx.ru.17251 > abcdef.net.https: Flags , seq 3964491900, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0 23:35:31.912224 IP abcdef.net.https > ip-228.pool-228.ms-dpc03.cpx.ru.17251: Flags [S.], seq 173196175, ack 3964491901, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 23:35:31.954529 IP ip-228.pool-228.ms-dpc03.cpx.ru.17251 > abcdef.net.https: Flags [.], ack 1, win 65535, length 0 23:35:31.963907 IP abcdef.net.https > ip-228.pool-228.ms-dpc03.cpx.ru.17251: Flags [P.], seq 1:2893, ack 1, win 229, length 2892 23:35:32.013608 IP ip-228.pool-228.ms-dpc03.cpx.ru.17251 > abcdef.net.https: Flags [.], ack 2893, win 65535, length 0 23:35:32.915020 IP ip-228.pool-228.ms-dpc03.cpx.ru.17251 > abcdef.net.https: Flags [R.], seq 1, ack 2893, win 0, length 0 23:35:37.955967 IP ip-228.pool-228.ms-dpc03.cpx.ru.27643 > abcdef.net.https: Flags , seq 3664854665, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0 23:35:37.956046 IP abcdef.net.https > ip-228.pool-228.ms-dpc03.cpx.ru.27643: Flags [S.], seq 3654461060, ack 3664854666, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 23:35:37.998238 IP ip-228.pool-228.ms-dpc03.cpx.ru.27643 > abcdef.net.https: Flags [.], ack 1, win 65535, length 0 23:35:38.010450 IP abcdef.net.https > ip-228.pool-228.ms-dpc03.cpx.ru.27643: Flags [P.], seq 1:2131, ack 1, win 229, length 2130 23:35:38.053267 IP ip-228.pool-228.ms-dpc03.cpx.ru.27643 > abcdef.net.https: Flags [.], ack 2131, win 65535, length 0 23:35:38.958852 IP ip-228.pool-228.ms-dpc03.cpx.ru.27643 > abcdef.net.https: Flags [R.], seq 1, ack 2131, win 0, length 0 23:35:43.991390 IP ip-228.pool-228.ms-dpc03.cpx.ru.10926 > abcdef.net.https: Flags , seq 4050089391, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0 23:35:43.991506 IP abcdef.net.https > ip-228.pool-228.ms-dpc03.cpx.ru.10926: Flags [S.], seq 1745602613, ack 4050089392, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 23:35:44.036447 IP ip-228.pool-228.ms-dpc03.cpx.ru.10926 > abcdef.net.https: Flags [.], ack 1, win 65535, length 0

alexbalkan
() автор топика
Ответ на: комментарий от alexbalkan

чувак, ну что за нечитаемое дерьмо ты тут постишь? Как ты ждешь, что тебе помогать будут, если толком даже оформить вопрос не в состоянии?

Настрой сначала просто openvpn, без этого твоего прокси, потом когда отладишь - прикручивай прокси. Ясно?

zgen ★★★★★
()
Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.
DD-WRT. Редирект PXE-запросов на сторонний tftp-server
Admin
Vesta отвечает на все имена, а хотелось бы ошибки 404