LINUX.ORG.RU
Forum: Admin

openvpn drops the connection



Good day everyone. I have to set up openvpn at the office and I'm configuring it for the first time, so don't kick me too hard. After the win 7 x64 client connects, pings go through and traceroute works, but as soon as you try to open a page in the browser the VPN goes into reconnect. The server is centos 6.

Server config:

port 5555
local x.x.x.x
proto tcp
dev tun0
server 192.168.120.0 255.255.255.0
cipher AES-256-CBC
user nobody
group nobody
mute 20
max-clients 30
keepalive 10 120
client-config-dir /etc/openvpn/ccd
comp-lzo
persist-key
persist-tun
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
# TLS parms
tls-server
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
log-append /var/log/openvpn.log
verb 3
mute 20



ccd:

ifconfig-push 192.168.120.2 192.168.120.1



Server log at startup:

Fri Oct 28 09:53:29 2011 Linux ip addr del failed: external program exited with error status: 2
Fri Oct 28 09:53:29 2011 SIGTERM[hard,] received, process exiting
Fri Oct 28 09:53:31 2011 OpenVPN 2.2.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 12 2011
Fri Oct 28 09:53:31 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Oct 28 09:53:32 2011 Diffie-Hellman initialized with 2048 bit key
Fri Oct 28 09:53:32 2011 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Fri Oct 28 09:53:32 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 28 09:53:32 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 28 09:53:32 2011 TLS-Auth MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
Fri Oct 28 09:53:32 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Fri Oct 28 09:53:32 2011 ROUTE default_gateway=х.х.х.х
Fri Oct 28 09:53:32 2011 TUN/TAP device tun0 opened
Fri Oct 28 09:53:32 2011 TUN/TAP TX queue length set to 100
Fri Oct 28 09:53:32 2011 /sbin/ip link set dev tun0 up mtu 1500
Fri Oct 28 09:53:32 2011 /sbin/ip addr add dev tun0 local 192.168.120.1 peer 192.168.120.2
Fri Oct 28 09:53:32 2011 /sbin/ip route add 192.168.120.0/24 via 192.168.120.2
Fri Oct 28 09:53:32 2011 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Oct 28 09:53:32 2011 GID set to nobody
Fri Oct 28 09:53:32 2011 UID set to nobody
Fri Oct 28 09:53:32 2011 Listening for incoming TCP connection on х.х.х.х:5555
Fri Oct 28 09:53:32 2011 TCPv4_SERVER link local (bound): х.х.х.х:5555
Fri Oct 28 09:53:32 2011 TCPv4_SERVER link remote: [undef]
Fri Oct 28 09:53:32 2011 MULTI: multi_init called, r=256 v=256
Fri Oct 28 09:53:32 2011 IFCONFIG POOL: base=192.168.120.4 size=62
Fri Oct 28 09:53:32 2011 MULTI: TCP INIT maxclients=30 maxevents=34
Fri Oct 28 09:53:32 2011 Initialization Sequence Completed



Client config:

dev tun
client
remote х.х.х.х
tls-client
ca ca.crt
cert office1.crt
key office1.key
tls-auth ta.key 1
proto tcp-client
port 5555
comp-lzo
redirect-gateway
cipher AES-256-CBC
verb 4
route-method exe
route-delay 2



Client log (connect and drop):

Fri Oct 28 10:55:54 2011 us=775000 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul 1 2011
Fri Oct 28 10:55:54 2011 us=775000 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 28 10:55:54 2011 us=775000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Oct 28 10:55:54 2011 us=947000 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Oct 28 10:55:54 2011 us=947000 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 28 10:55:54 2011 us=947000 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 28 10:55:54 2011 us=947000 LZO compression initialized
Fri Oct 28 10:55:54 2011 us=947000 Control Channel MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
Fri Oct 28 10:55:55 2011 us=9000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Oct 28 10:55:55 2011 us=9000 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Oct 28 10:55:55 2011 us=9000 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Fri Oct 28 10:55:55 2011 us=9000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Fri Oct 28 10:55:55 2011 us=9000 Local Options hash (VER=V4): '2f2c6498'
Fri Oct 28 10:55:55 2011 us=9000 Expected Remote Options hash (VER=V4): '9915e4a2'
Fri Oct 28 10:55:55 2011 us=9000 Attempting to establish TCP connection with х.х.х.:5555
Fri Oct 28 10:55:55 2011 us=72000 TCP connection established with х.х.х.х:5555
Fri Oct 28 10:55:55 2011 us=72000 TCPv4_CLIENT link local: [undef]
Fri Oct 28 10:55:55 2011 us=72000 TCPv4_CLIENT link remote: х.х.х.х:5555
Fri Oct 28 10:55:55 2011 us=150000 TLS: Initial packet from х.х.х.х:5555, sid=b8de6cc1 e6f98834
Fri Oct 28 10:55:56 2011 us=850000 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=server/name=changeme/emailAddress=mail@host.domain
Fri Oct 28 10:55:56 2011 us=850000 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=server/name=changeme/emailAddress=mail@host.domain
Fri Oct 28 10:56:00 2011 us=313000 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Oct 28 10:56:00 2011 us=313000 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 28 10:56:00 2011 us=313000 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Oct 28 10:56:00 2011 us=313000 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 28 10:56:00 2011 us=313000 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Oct 28 10:56:00 2011 us=313000 [server] Peer Connection Initiated with х.х.х.х:5555
Fri Oct 28 10:56:02 2011 us=326000 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Oct 28 10:56:02 2011 us=669000 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,route 192.168.120.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.120.2 192.168.120.1'
Fri Oct 28 10:56:02 2011 us=669000 OPTIONS IMPORT: timers and/or timeouts modified
Fri Oct 28 10:56:02 2011 us=669000 OPTIONS IMPORT: --ifconfig/up options modified
Fri Oct 28 10:56:02 2011 us=669000 OPTIONS IMPORT: route options modified
Fri Oct 28 10:56:02 2011 us=669000 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Oct 28 10:56:02 2011 us=684000 ROUTE default_gateway=10.0.0.254
Fri Oct 28 10:56:02 2011 us=716000 TAP-WIN32 device [Подключение по локальной сети 3] opened: \\.\Global\{123EAD97-3E54-48C1-9B82-7125D742D4B2}.tap
Fri Oct 28 10:56:02 2011 us=716000 TAP-Win32 Driver Version 9.8
Fri Oct 28 10:56:02 2011 us=716000 TAP-Win32 MTU=1500
Fri Oct 28 10:56:02 2011 us=716000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.120.2/255.255.255.252 on interface {123EAD97-3E54-48C1-9B82-7125D742D4B2} [DHCP-serv: 192.168.120.1, lease-time: 31536000]
Fri Oct 28 10:56:02 2011 us=716000 DHCP option string: 06040808 0808
Fri Oct 28 10:56:02 2011 us=716000 Successful ARP Flush on interface [28] {123EAD97-3E54-48C1-9B82-7125D742D4B2}
Fri Oct 28 10:56:04 2011 us=88000 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Fri Oct 28 10:56:04 2011 us=88000 C:\WINDOWS\system32\route.exe ADD х.х.х.х MASK 255.255.255.255 10.0.0.254
Fri Oct 28 10:56:04 2011 us=135000 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.120.1
Fri Oct 28 10:56:04 2011 us=166000 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.120.1
Fri Oct 28 10:56:04 2011 us=213000 OpenVPN ROUTE: omitted no-op route: 192.168.120.1/255.255.255.255 -> 192.168.120.1
Fri Oct 28 10:56:04 2011 us=213000 Initialization Sequence Completed
Fri Oct 28 10:56:17 2011 us=832000 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Oct 28 10:56:17 2011 us=832000 Fatal decryption error (process_incoming_link), restarting
Fri Oct 28 10:56:17 2011 us=832000 TCP/UDP: Closing socket
Fri Oct 28 10:56:17 2011 us=832000 C:\WINDOWS\system32\route.exe DELETE х.х.х.х MASK 255.255.255.255 10.0.0.254
Fri Oct 28 10:56:17 2011 us=848000 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 192.168.120.1
Fri Oct 28 10:56:17 2011 us=879000 C:\WINDOWS\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 192.168.120.1
Fri Oct 28 10:56:17 2011 us=894000 Closing TUN/TAP interface
Fri Oct 28 10:56:17 2011 us=894000 SIGUSR1[soft,decryption-error] received, process restarting
Fri Oct 28 10:56:17 2011 us=894000 Restart pause, 5 second(s)




Server log at the moment of the drop:

Fri Oct 28 09:55:37 2011 office1/х.х.х.х:52906 Need IPv6 code in mroute_extract_addr_from_packet
Fri Oct 28 09:55:37 2011 office1/х.х.х.х:52906 Connection reset, restarting [-1]
Fri Oct 28 09:55:37 2011 office1/х.х.х.х:52906 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Oct 28 09:55:37 2011 TCP/UDP: Closing socket
Fri Oct 28 09:55:43 2011 MULTI: multi_create_instance called



Last edited by: BuuG (edits: 1)
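The pattern in the logs above (tunnel comes up, a few seconds of traffic, "packet HMAC authentication failed", SIGUSR1 restart) is easy to lose in a long log. The script below is an added example, not something from the thread: it parses OpenVPN log lines in the format shown (client lines with `us=` microseconds, server lines with the `name/ip:port` prefix) and pairs every restart signal with the preceding "Initialization Sequence Completed", so that short-lived tunnels and the error lines logged in between stand out. The sample lines are copied from the client log in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the relevant lines copied from the client log in the post.
CLIENT_LOG = """\
Fri Oct 28 10:56:04 2011 us=213000 Initialization Sequence Completed
Fri Oct 28 10:56:17 2011 us=832000 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri Oct 28 10:56:17 2011 us=832000 Fatal decryption error (process_incoming_link), restarting
Fri Oct 28 10:56:17 2011 us=832000 TCP/UDP: Closing socket
Fri Oct 28 10:56:17 2011 us=894000 SIGUSR1[soft,decryption-error] received, process restarting
Fri Oct 28 10:56:17 2011 us=894000 Restart pause, 5 second(s)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})"  # Fri Oct 28 10:56:17 2011
    r"(?: us=(?P<us>\d+))?"                                # microseconds, present at verb 4+
    r"(?: (?P<peer>\S+/\S+:\d+))?"                         # server-side 'name/ip:port' prefix
    r" (?P<msg>.*)$")
SIGNAL_RE = re.compile(r"(?P<sig>SIG\w+)\[(?P<kind>\w*),(?P<reason>[\w-]*)\]")
ERROR_WORDS = ("error", "failed", "reset")


def parse_line(line):
    """Return (timestamp, message) or None if the line is not an OpenVPN log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    ts += timedelta(microseconds=int(m.group("us") or 0))
    return ts, m.group("msg")


def find_restarts(log_text):
    """Pair each restart signal with the preceding 'Initialization Sequence Completed'.
    Result: seconds the tunnel stayed up (None if no init was seen), signal, reason,
    and the error lines logged in between, which is the first evidence to look at."""
    restarts, last_init, errors = [], None, []
    for ts, msg in filter(None, map(parse_line, log_text.splitlines())):
        sig = SIGNAL_RE.search(msg)
        if msg == "Initialization Sequence Completed":
            last_init, errors = ts, []
        elif sig:
            up = (ts - last_init).total_seconds() if last_init else None
            restarts.append({"up_for": up, "signal": sig["sig"],
                             "reason": sig["reason"], "errors": errors})
            last_init, errors = None, []
        elif any(w in msg.lower() for w in ERROR_WORDS):
            errors.append(msg)
    return restarts
```

For the sample above, find_restarts reports one SIGUSR1 with reason decryption-error after about 13.7 seconds of uptime, with the HMAC failure as the first error line.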

>Authenticate/Decrypt packet error: packet HMAC authentication failed

try changing the algorithm from HMAC to something else?

Pinkbyte ★★★★★
Reply to: comment by BuuG

first, remove ta.key from both the server and the client and try again

Pinkbyte ★★★★★
Reply to: comment by BuuG
--auth alg
     Authenticate packets with HMAC using message digest algorithm alg. (The default is SHA1). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature.

     OpenVPN's usage of HMAC is to first encrypt a packet, then HMAC the resulting ciphertext.

     In static-key encryption mode, the HMAC key is included in the key file generated by --genkey. In TLS mode, the HMAC key is dynamically generated and shared between peers via the TLS control channel. If OpenVPN receives a packet with a bad HMAC it will drop the packet. HMAC usually adds 16 or 20 bytes per packet. Set alg=none to disable authentication.

     For more information on HMAC see http://www.cs.ucsd.edu/users/mihir/papers/hmac.html

Taken from the OpenVPN man page

Pinkbyte ★★★★★
Reply to: comment by Pinkbyte

I commented out the lines on both the server and the client; result: zero, the drop is still there. tls-server tls-auth /etc/openvpn/keys/ta.key 0

BuuG (topic starter)
Reply to: comment by BuuG

Did you comment out tls-client and tls-auth? Are you running the client as administrator? Do you restart the server after changing the config?

uspen ★★★★★
Reply to: comment by uspen

The question can be closed, since it all came down to Windows: after a reinstall everything started working, and there was no time to dig into why and how.

BuuG (topic starter)